NefMoto

Technical => Reverse Engineering => Topic started by: hidalga on September 02, 2022, 10:03:51 AM



Title: Getting started with ECU ROM disassembly (SH7058) and seed/key algorithm search
Post by: hidalga on September 02, 2022, 10:03:51 AM
Hello everyone,

I'm trying to find the security request 0x27 seed/key algorithm by disassembling the ROM of a Nissan Micra/March Renesas SH7058 in IDA. I found a repo on GitHub which contains a device variant file; this was very helpful since it works specifically for the processor I'm working with. It automatically defines the intro vectors and labels such as Poweron_reset and also defined an interrupt request (INT_IRQ7).

It's a good start, but it's my first time disassembling and I'm also on my way to learning about it. Any suggestion or recommendation about the process will be greatly appreciated (I know that this process is way different for every manufacturer and processor, but there might be some common knowledge needed to start working with general disassembly).

The main questions I have:

Does the poweron_reset link directly to the bootloader? Where can I find it?

Is there a common structure that seed/key algorithms follow?

Do I need an a2l file to start looking for it? If so, where can I look online for a2l files?

Is there a methodology to start analyzing ECU ROM disassembly?

Also, the one I'm more interested in:
Any educational resources, such as links or book recommendations, that might help me get started specifically with ECU ROM disassembly will be greatly appreciated.


Title: Re: Getting started with ECU ROM disassembly (SH7058) and seed/key algorithm search
Post by: prj on September 02, 2022, 02:55:28 PM
Find the UDS stack. To find the UDS stack you can try to search for NRC literals in the binary.
Once you have that, find the routine that does security access and reverse it.

Pretty basic shit, if you've never done any reversing before then good luck lol.


Title: Re: Getting started with ECU ROM disassembly (SH7058) and seed/key algorithm search
Post by: mdccode5150 on September 22, 2022, 05:38:27 PM
There is a lot of work done on that processor in the Mitsubishi EVO community, which seems to be disappearing. I downloaded a lot off of the Evoscan website, and I believe that they were using the Tactrix cable hardware etc.

Here's the site: https://www.tactrix.com/index.php?option=com_content&view=category&layout=blog&id=36&Itemid=58

I think this site is another where you might find answers: https://www.romraider.com/