So this is my 1st legit contribution to the community.
This post is to gauge the interest of the community towards reversing EDC15. If people are interested, I will post tutorials on adding features such as multimap (not step by step though).
Link to my video:
https://www.youtube.com/watch?v=7tuTOx9vNXM
Big thanks to @Tim and @nubcake for guiding me through my 1st RE project.
So the 1st problem I faced while injecting code into the file was that the checksum would be incorrect and the ECU would not boot. I tried several tools to correct the checksum, but it always resulted in a bad checksum.
There is a function in IROM to calculate the checksum of 0x10000-0x13FFF. I found this out by connecting a logic analyzer to the address pins of the flash chip and watching the boot sequence (@john9357, thanks for doing this for me).
As it's part of IROM, it cannot be disabled (due to IROM being a mask memory). So the checksum of 0x10000-0x13FFF has to be correct no matter what.
sub_1584 is the checksum calculation function. r3 points to 0x10000 (the DPPs are set before this snippet of code), and r0 points to the end address, 0x14000, just like the logic analyzer showed.
0x10000-0x13FFF contains code to initialize the ECU (check RAM, etc.) and calculate the checksum of the remaining flash and EEPROM; if it is correct, the ECU executes the "einit" command and boots.
If there is a checksum fault, the ECU transmits a few bytes over K-line (if anyone is interested, I will post how this works) and stops booting.
As I knew that 0x10000-0x13FFF is a special area, I started analyzing it, and I found the remaining checksum functions as well.
As the flash is loaded at 0x80000, all addresses are offset by that much from the flash memory.
The conditional jump only allows the ECU to boot if the checksum result is 0; otherwise the ECU jumps to location 2D6, which results in a software reset, as shown in the snippet.
All that was left was to change the conditional jumps to unconditional jumps, and the checksum function would be disabled.
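As an added example (not code from the post or its author), here is the jump-patching step from the post written out in C: translate a disassembly address into a file offset using the 0x80000 flash base the post mentions, rewrite the C167 conditional jump found there, and flag whether the patch landed inside the 0x10000-0x13FFF window that IROM verifies. Assumptions: the IROM-checked window is given as a flash (file) offset, as the logic-analyzer observation on the flash address pins suggests; the instruction encodings (JMPR cc,rel = (cc<<4)|0x0D rel8; JMPA cc,caddr = 0xEA, cc<<4, addr; NOP = 0xCC 0x00; cc_UC = 0) come from the C166 family instruction set, not from the post; the sample image, function names and the addresses 0x902A0 and 0x85000 are constructed for illustration. The example does not recompute the IROM checksum, because the post does not give its algorithm; it only reports when a patch has made that checksum stale.

```c
/* edc15_jmp_patch.c: patch a C167 conditional jump in an EDC15 flash dump.
 * Added example, not from the original post. Encodings below are from the
 * C166 family instruction set; the window/base values are from the post. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FLASH_BASE      0x80000u  /* flash is mapped at 0x80000 (from the post) */
#define IROM_CHK_START  0x10000u  /* IROM-verified flash window (from the post) */
#define IROM_CHK_END    0x14000u  /* exclusive */
#define IMG_SIZE        0x80000u  /* assumed 512 KiB dump */

enum patch_mode { FORCE_TAKEN, FORCE_NOT_TAKEN };

/* Results. PATCH_OK_IN_WINDOW means the IROM checksum over 0x10000-0x13FFF is
 * now stale and must be corrected before flashing, or the ECU will not boot. */
enum { PATCH_ERR_RANGE = -1, PATCH_ERR_NOT_JUMP = -2,
       PATCH_OK = 0, PATCH_OK_IN_WINDOW = 1 };

/* Assumed C167 encodings:
 *   JMPR cc,rel   : (cc<<4)|0x0D, rel8          (2 bytes)
 *   JMPA cc,caddr : 0xEA, cc<<4, addr lo, hi    (4 bytes)
 *   NOP           : 0xCC 0x00                    (2 bytes)
 * Condition code 0 is cc_UC (always). */
static int is_jmpr(const uint8_t *p) { return (p[0] & 0x0F) == 0x0D; }
static int is_jmpa(const uint8_t *p) { return p[0] == 0xEA && (p[1] & 0x0F) == 0x00; }

/* Map a disassembly address onto a dump file offset, or -1 if outside it. */
long addr_to_file_off(uint32_t addr, size_t file_len) {
    if (addr < FLASH_BASE) return -1;
    uint32_t off = addr - FLASH_BASE;
    return off < file_len ? (long)off : -1;
}

/* FORCE_TAKEN turns the jump into cc_UC (use when the taken path continues
 * booting, as in the post). FORCE_NOT_TAKEN overwrites the jump with NOPs
 * (use when the taken path is the reset at 2D6). */
int patch_cond_jump(uint8_t *img, size_t len, uint32_t addr, enum patch_mode mode) {
    long off = addr_to_file_off(addr, len);
    if (off < 0) return PATCH_ERR_RANGE;
    uint8_t *p = img + off;
    size_t insn_len;
    if ((size_t)off + 2 <= len && is_jmpr(p)) insn_len = 2;
    else if ((size_t)off + 4 <= len && is_jmpa(p)) insn_len = 4;
    else return PATCH_ERR_NOT_JUMP;

    if (mode == FORCE_TAKEN) {
        if (insn_len == 2) p[0] = 0x0D; else p[1] = 0x00;   /* cc -> cc_UC */
    } else {
        for (size_t i = 0; i < insn_len; i += 2) { p[i] = 0xCC; p[i + 1] = 0x00; }
    }
    uint32_t fo = (uint32_t)off;
    return (fo >= IROM_CHK_START && fo < IROM_CHK_END) ? PATCH_OK_IN_WINDOW : PATCH_OK;
}

/* Constructed sample dump: a JMPR cc_EQ,+5 inside the IROM window and a
 * JMPA cc_NE,02D6 outside it. Returns the image size. */
uint8_t g_img[IMG_SIZE];
size_t build_sample_image(void) {
    memset(g_img, 0, sizeof g_img);
    g_img[0x102A0] = 0x2D; g_img[0x102A1] = 0x05;                       /* JMPR cc_EQ,+5 */
    g_img[0x5000] = 0xEA; g_img[0x5001] = 0x30;                         /* JMPA cc_NE,  */
    g_img[0x5002] = 0xD6; g_img[0x5003] = 0x02;                         /*   0x02D6     */
    return sizeof g_img;
}

int main(void) {
    build_sample_image();
    int r1 = patch_cond_jump(g_img, sizeof g_img, 0x902A0, FORCE_TAKEN);
    int r2 = patch_cond_jump(g_img, sizeof g_img, 0x85000, FORCE_NOT_TAKEN);
    printf("0x902A0 -> %d (bytes %02X %02X)\n", r1, g_img[0x102A0], g_img[0x102A1]);
    printf("0x85000 -> %d (bytes %02X %02X %02X %02X)\n", r2,
           g_img[0x5000], g_img[0x5001], g_img[0x5002], g_img[0x5003]);
    if (r1 == PATCH_OK_IN_WINDOW)
        puts("warning: patch is inside 0x10000-0x13FFF, fix the IROM checksum");
    return 0;
}
```

The two modes exist because the right rewrite depends on which branch of the jump continues the boot: the post's case (jump taken only when the checksum result is 0) is FORCE_TAKEN, while a jump whose taken path is the reset at 2D6 has to be NOP'd instead. Either way, a result of PATCH_OK_IN_WINDOW is the reminder the post leads with: the IROM check over 0x10000-0x13FFF cannot be patched out, so that checksum has to be recomputed after any change there.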