Title: M3.8.x Memory Map for IDA / GHIDRA
Post by: ecuprog7 on June 26, 2023, 05:21:22 AM

Hi, I am trying to reverse parts of the K-line comm on these old ECUs but I can't figure out the memory mapping. As I understand it, the external memory needs to be paged with additional port pins to access more than 64kB. As far as I see, there are write commands to 0xcxxx and 0xexxx. Can someone please help with this paging? A schematic would also be cool!
Thanks in advance,
ecuprog

Title: Re: M3.8.x Memory Map for IDA / GHIDRA
Post by: elias on June 26, 2023, 01:54:23 PM

I have no idea about the M3.8.x, but I can tell you how MED9.1 deals with KWP2000 and what to look for.

You would expect something like "if SID == 1 then <process service1>, elseif SID == 2 then <process service2>". However, in MED9 the whole process is done via a "map". So basically there is an array of structs which looks like this:

Code:
struct{

There is a for loop which loops over these structs and then executes the code. I think it has been done to allow new services to be added later without much "rewriting" of the code. Have a look in your binary if you can find such maps. Look for common SIDs like startDiagnosticSession, ecuReset etc. The list of SIDs is well defined and you can try out which ones your ECU supports.

Title: Re: M3.8.x Memory Map for IDA / GHIDRA
Post by: prj on June 26, 2023, 02:36:21 PM

Quote from elias: I have no idea about the M3.8.x, but I can tell you how MED9.1 deals with KWP2000 and what to look for.

KWP2000 in a 1995 ECU? Dude... nope. The ECU is KW1281. KWP2000 wasn't even invented yet.

Title: Re: M3.8.x Memory Map for IDA / GHIDRA
Post by: ecuprog7 on June 27, 2023, 04:31:15 AM

Yeah, it's KW1281. I'm trying to find out if (and how) it's possible to write to RAM over OBD.
I added the wiring diagram reversed so far.

Title: Re: M3.8.x Memory Map for IDA / GHIDRA
Post by: ecuprog7 on July 05, 2023, 04:34:04 AM

I think I got it.
The paging is done with the PLCC-68 S9652AD SCL4402-V4. This stone is a parallel memory-mapped I/O expander.

Code:
*************************************************************

For now I guess page 3 is ROM 0xc000 - 0xffff, 4 is the next (0x10000-14000) and so on. I need to prove this with some tests. The instructions are always fetched from ROM; read/write to 0xc000-0xffff goes to RAM and the expander ASIC. I guess this is done with the INST pin, which also needs testing.

Title: Re: M3.8.x Memory Map for IDA / GHIDRA
Post by: biela on December 26, 2023, 09:33:19 AM

Hello
Did you manage to load the M3.8 file in IDA? I have tried with values in the ds and wsr segment registers. Thanks

Title: Re: M3.8.x Memory Map for IDA / GHIDRA
Post by: ecuprog7 on December 27, 2023, 04:41:14 AM

I never tried IDA; I started with Ghidra but have not been successful so far in getting the jumps to paged memory done from the analysis functions.
I do not understand the concept of context variables in SLEIGH. I tried to integrate the external port expander into the processor model to get a 24-bit address range, but so far SLEIGH is too much black magic for me.

Title: Re: M3.8.x Memory Map for IDA / GHIDRA
Post by: prj on December 27, 2023, 06:44:07 AM

80C196 is an abomination. I do not understand why anyone would want to waste their time on it in 2023.
Title: Re: M3.8.x Memory Map for IDA / GHIDRA
Post by: ecuprog7 on February 19, 2024, 02:30:53 AM

Got the XOR key for the seed-key algo of the M38/M59 bootloader. The key is 0x18932250; the algo is described here: http://nefariousmotorsports.com/forum/index.php?topic=4983.0
Has someone managed to read out the boot ROM?
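As an added example (not code from this thread, nor from any Bosch firmware), here is what the table-driven KWP2000 service dispatch elias describes in his June 26 post can look like in C, so you know what shape to look for in a binary: a const array of {SID, length, handler} entries and one loop over it. The struct layout, handler names and the length check are assumptions for illustration; the SIDs 0x10 (startDiagnosticSession) and 0x11 (ecuReset) and the 0x7F negative-response codes are the standard ISO 14230 values.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical table entry; the real MED9.1 layout is not shown in the thread. */
typedef struct {
    uint8_t sid;      /* KWP2000 service id */
    uint8_t min_len;  /* minimum request length, SID included */
    int (*handler)(const uint8_t *req, size_t len, uint8_t *resp); /* returns reply length */
} kwp_service_t;

/* Two illustrative handlers. A positive response carries SID + 0x40. */
static int start_diag_session(const uint8_t *req, size_t len, uint8_t *resp) {
    (void)len; resp[0] = (uint8_t)(req[0] + 0x40); resp[1] = req[1]; return 2;
}
static int ecu_reset(const uint8_t *req, size_t len, uint8_t *resp) {
    (void)len; resp[0] = (uint8_t)(req[0] + 0x40); return 1;
}

/* The "map": in a firmware image this is the const array a reverser would hunt for. */
static const kwp_service_t kwp_table[] = {
    { 0x10, 2, start_diag_session },   /* startDiagnosticSession */
    { 0x11, 1, ecu_reset },            /* ecuReset */
};

/* The for loop over the map; unknown SIDs get 7F <SID> 11 (serviceNotSupported). */
int kwp_dispatch(const uint8_t *req, size_t len, uint8_t *resp) {
    if (len == 0) return 0;
    for (size_t i = 0; i < sizeof kwp_table / sizeof kwp_table[0]; i++) {
        if (kwp_table[i].sid != req[0]) continue;
        if (len < kwp_table[i].min_len) {
            resp[0] = 0x7F; resp[1] = req[0]; resp[2] = 0x13; /* incorrectMessageLength */
            return 3;
        }
        return kwp_table[i].handler(req, len, resp);
    }
    resp[0] = 0x7F; resp[1] = req[0]; resp[2] = 0x11;         /* serviceNotSupported */
    return 3;
}

/* Runs constructed requests through the dispatcher; returns 1 if every reply matches. */
int kwp_selftest(void) {
    uint8_t resp[8];
    const uint8_t sess[] = { 0x10, 0x89 };  /* startDiagnosticSession, session 0x89 */
    const uint8_t rst[]  = { 0x11 };        /* ecuReset */
    const uint8_t tp[]   = { 0x3E };        /* testerPresent: deliberately not in the table */
    if (kwp_dispatch(sess, 2, resp) != 2 || resp[0] != 0x50 || resp[1] != 0x89) return 0;
    if (kwp_dispatch(rst, 1, resp) != 1 || resp[0] != 0x51) return 0;
    if (kwp_dispatch(tp, 1, resp) != 3 || resp[0] != 0x7F || resp[2] != 0x11) return 0;
    if (kwp_dispatch(sess, 1, resp) != 3 || resp[2] != 0x13) return 0;  /* too short */
    return 1;
}
```

When hunting for such a table, the giveaway is a run of fixed-size records each holding a small constant (the SID) next to a code pointer, referenced from a single loop.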