NefMoto

Hi All,

i am really new to the world of Cars but did quite some reversing project before.

in the last weeks i wrote decoding tools for .sgo and .frf files to decrypt/decode the Firmwares of the RKE ECU (3C0959433T)
But i dont have such an ECU in Hardware available.

So can anybody help me to indentify which CPU type is used in 3C0959433T (or any other Remote Key Entry ECU)
so i can start reversing in IDA.

I tried all Tricore types but no luck yet - code does not seem from Tricore CPU.

any hints ?
 Kind Regards and  Thank you in advance.

The section starts at 0xF80000.
the Bytes there are

FF01630F00F863F104F8636301F8000A001A07...

so if i regroup them like

FF01
630F00F8
63F104F8
636301F8
...000A001A07

this Looks like opcode (63) with an 3-byte address in the F80000 range

FF01
630F00F8 -> F8000F
63F104F8 -> F804F1
636301F8 -> F80163
...000A001A07

but no luck with tricore, C166, 8051 and Intel :-(

unpacked another RKE ECU 1K0959433CT_0218

this one starts at 0xFC0000 - identical code but assumed adresses fit to location F8 <-> FC

FF01
630F00FC
63F104FC
636301FC

000A001A0742036F146C62A150A134FC350351A16C42A1546F01719FFCFF1BFFFFFFFFF0071B0000....

searching and analyzing pictures of VAG RKE ECUs from Google picture search, i found
some custom chips with following part numbers (Quality of the Images was most of the time really bad - so no 100% sure)

Motorola: ZC410719CFU
Motorola: SC511081CFU
Motorola: ZC42486CFU
Motorola: ZC41 0795CFU or 0396CFU

but solves not the Problem - this are mostly Motorola CPUs (with their Logo) but custom (VW)
part numbers - so not really any further with cpu type...

How fancy chip is it. If simple, probably 9s12 or hc12, descendants of hc11, descendants of 6800, extended.

Otherwise fancier ones are either Motorola 68k descendants, or powerpc. I don't think I've ever seen PPC in ECU though.

So look at 6800 instruction set first, see any similarity. All the 6800 boot to 0xffff:fffe but backwards endianess from the rest of the CPU.