NefMoto

Technical => Reverse Engineering => Topic started by: john9357 on September 21, 2013, 03:50:02 PM



Title: Disassembling my edc15p
Post by: john9357 on September 21, 2013, 03:50:02 PM
Hello, let me introduce myself: my name is Jonathan. I am passionate about chiptuning and I am also a moderator at chiptuners.fr, where I work a lot.
I'm French and do not speak English, so excuse me in advance for my bad English. (Google Translate!!)
I am currently working on a TDI EDC15P, but I do not have as much knowledge as some here.
I would like to disassemble the program in my ECU to learn more.
I have not managed to connect to the C167 with MiniMon and Galletto or KKL.
I connected the C167 directly to an FTDI on the RX and TX pins and I used FLASHit to extract the file. (MiniMon connects but doesn't work to download the IROM.)
With FLASHit I can also read the flash. Reading the IROM gives me the same file with or without the flash.

Here is some information that I found in my ECU:
The C167 operates at 16 MHz (checked with the oscilloscope).
The /ae pin is connected to 5 V, so an IROM is present.
The connections between the flash and the C167:

Code:
29f400 <-> c167
A0 <-> A1
A1 <-> A2
A2 <-> A3
A3 <-> A4
A4 <-> A5
A5 <-> A6
A6 <-> A7
A7 <-> A8
A8 <-> A9
A9 <-> A10
A10 <-> A11
A11 <-> A12
A12 <-> A13
A13 <-> A14
A14 <-> A15
A15 <-> A16
A16 <-> A17
A17 <-> A18

Q0 <-> AD0
Q1 <-> AD1
Q2 <-> AD2
Q3 <-> AD3
Q4 <-> AD4
Q5 <-> AD5
Q6 <-> AD6
Q7 <-> AD7
Q8 <-> AD8
Q9 <-> AD9
Q10 <-> AD10
Q11 <-> AD11
Q12 <-> AD12
Q13 <-> AD13
Q14 <-> AD14
Q15 <-> AD15

/WE <-> /CS4
/OE <-> /CS0
vss <-> /CE
vdd <-> /BYTE

How can I find the address of the external RAM and the address of the flash?
Which chip on the PCB is the RAM?
I am giving you the internal ROM file and the external ROM file from my ECU.

Thank you in advance for your help.


Title: Re: Disassembling my edc15p
Post by: john9357 on September 21, 2013, 04:05:18 PM
When I disassemble the internal rom in my EDC15 and in a me7, I realize that the structure is totally different.
At the init of the EDC15 dpp0=0 dpp1=1 dpp2=2 dpp3=3, different from me7.


Title: Re: Disassembling my edc15p
Post by: john9357 on November 24, 2013, 03:43:51 PM
For information, I've written a driver for MiniMon to erase and write the 29F400 in boot mode in my EDC15P+.
http://www.youtube.com/watch?v=RL79P5YnF5s


Title: Re: Disassembling my edc15p
Post by: mtx-electronics on November 25, 2013, 11:23:20 AM
Nice work, keep on going :) A few years ago I worked on this ECU to extract the checksum algos, and a few months ago, in collaboration with Dilemma while he was working on the EDC15Suite software, I put together a small open-source program for checksum calculation so that he could add it to his application. You might find this code useful for your current adventure. I'll attach it here for reference.

Some notes:

- The VAG 4.1 checksum is not compatible with all files, Dilemma has made some fixes that are included in the EDC15Suite source;
- The VAG 4.1-2002 checksum is working fine;
- The code is an ASM-to-C conversion and can be optimized, but I had little time to work on it and probably won't update it any time soon.


Title: Re: Disassembling my edc15p
Post by: john9357 on November 25, 2013, 03:37:12 PM
Thank you very much.
I built a new version:
-bug solved
-read and write at 0x80000 (not write at 80000 and read at 100000)
-no configuration for ADDRSEL3 and BUSCON3 (just BUSCON0=04AD and SYSCON=E404)

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=4677.0;attach=7800)
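
Added example (not part of the thread or of john9357's driver): decoding the BUSCON0 value 04AD quoted in the post above, and mapping a CPU byte address to a 29F400 word address using the wiring table from the first post. The BUSCONx bit layout is an assumption taken from the C167 user manual, and all struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded fields of a C167 BUSCONx register (bit layout assumed from the
 * C167 user manual; struct and function names are hypothetical). */
struct buscon {
    unsigned wait_states; /* 15 - MCTC, bits 3..0 */
    unsigned rwdc;        /* bit 4: 1 = no read/write delay */
    unsigned mttc;        /* bit 5: 1 = no tri-state wait state */
    unsigned btyp;        /* bits 7..6: external bus type */
    unsigned alectl;      /* bit 9: 1 = lengthened ALE */
    unsigned busact;      /* bit 10: 1 = external bus enabled */
};

static const char *const btyp_name[4] = {
    "8-bit demultiplexed", "8-bit multiplexed",
    "16-bit demultiplexed", "16-bit multiplexed"
};

struct buscon decode_buscon(uint16_t v)
{
    struct buscon b;
    b.wait_states = 15u - (v & 0xFu);
    b.rwdc   = (v >> 4) & 1u;
    b.mttc   = (v >> 5) & 1u;
    b.btyp   = (v >> 6) & 3u;
    b.alectl = (v >> 9) & 1u;
    b.busact = (v >> 10) & 1u;
    return b;
}

/* Wiring from the first post: flash A0..A17 <-> CPU A1..A18, /BYTE high.
 * The flash word address is therefore CPU byte-address bits 18..1. */
uint32_t flash_word_addr(uint32_t cpu_addr)
{
    return (cpu_addr >> 1) & 0x3FFFFu;
}

int main(void)
{
    struct buscon b = decode_buscon(0x04AD); /* BUSCON0 value from the post */
    printf("bus type: %s, wait states: %u, active: %u\n",
           btyp_name[b.btyp], b.wait_states, b.busact);
    printf("CPU 0x80002 -> flash word 0x%05lX\n",
           (unsigned long)flash_word_addr(0x80002));
    return 0;
}
```

The decoded bus type (16-bit demultiplexed) is consistent with the wiring table, where flash A0 is driven by CPU A1 and the data lines are separate from the address lines.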


Title: Re: Disassembling my edc15p
Post by: dream3R on December 09, 2013, 02:53:48 AM
Pretty cool!

I take it you've got this figured out then, or do you want me to see if I can find the settings?


Title: Re: Disassembling my edc15p
Post by: dragon187 on March 26, 2017, 11:11:07 AM
Where can I get this minimon?
Thanks


Title: Re: Disassembling my edc15p
Post by: nihalot on March 26, 2017, 10:00:56 PM
Quote:
Where can I get this minimon?
Thanks

http://www.infineon.com/cms/en/product/microcontroller/legacy-products-c500-c166-xc166-audo1-family/c166/xc166-development-tools-software-and-kits/software-downloads/channel.html?channel=ff80808112ab681d0112ab6b50fe07c9


Title: Re: Disassembling my edc15p
Post by: badger on March 28, 2017, 08:54:13 AM
Hello!

I'm looking into reverse engineering the EDC15P for a few reasons.

- Disable reading through OBD by disabling the 'download allowed' return that the ECU sends before transmitting the data.
- Multimap Switching (understand there is a way already however, I don't have $$$ to buy the code so I'm learning how it's done)

I've managed to download my EEPROM dump (IRAM etc...) using MiniMon and managed to finally get it to load in IDA Pro.

The issue I'm having is how to link the documentation and maps contained within :/


Title: Re: Disassembling my edc15p
Post by: prj on March 28, 2017, 09:10:25 AM
Quote:
- Disable reading through OBD by disabling the 'download allowed' return that the ECU sends before transmitting the data.

There is a ROM function to download, good luck disabling that lol.


Title: Re: Disassembling my edc15p
Post by: badger on March 28, 2017, 11:16:05 AM
Quote:
There is a ROM function to download, good luck disabling that lol.

So maybe this method won't work?

When using an ECU programming tool (MPPS etc...) I'm trying to understand the process the ECU goes through to allow the EEPROM read. I've read the Functionscreiben for the EDC15+ and it talks about download access and data access.


Title: Re: Disassembling my edc15p
Post by: prj on March 29, 2017, 12:15:38 AM
Already told you, this functionality on EDC15 is present in the processor ROM.
Unless you want to change the processor, as the ROM is OTP.


Title: Re: Disassembling my edc15p
Post by: naach_ on March 30, 2017, 04:05:31 AM
Very interested in this topic, I'm trying to figure out how to make a codeblock change by time, let's say a "trial version". Good post guys


Title: Re: Disassembling my edc15p
Post by: nihalot on March 30, 2017, 05:23:37 AM
Quote:
Very interested in this topic, I'm trying to figure out how to make a codeblock change by time, let's say a "trial version". Good post guys

Have done the trial version but for a different purpose... automatic codeblock change after warmup time (15 minutes)


Title: Re: Disassembling my edc15p
Post by: naach_ on March 30, 2017, 08:27:21 AM
Quote:
Have done the trial version but for a different purpose... automatic codeblock change after warmup time (15 minutes)

Would there be some post where you explain the way to get ideas?


Title: Re: Disassembling my edc15p
Post by: nihalot on March 30, 2017, 11:54:08 AM
Quote:
Would there be some post where you explain the way to get ideas?

I have made a post for checksum disable and I was supposed to make one for multimap too, but I'm busy with my internship now. Not many people seemed interested, so I never bothered (lazy, I know).

Anyway, you can PM me if you're interested and have done some work on EDC15; I might be able to guide you.