Pages: [1]
Author Topic: Which CPU in ECU for Remote Key Entry (like 3C0959433T or similar)  (Read 3822 times)
zxcv
Newbie
*

Karma: +2/-0
Offline Offline

Posts: 19



Hi All,

i am really new to the world of Cars but did quite some reversing project before.

in the last weeks i wrote decoding tools for .sgo and .frf files to decrypt/decode the Firmwares of the RKE ECU (3C0959433T)
But i dont have such an ECU in Hardware available.

So can anybody help me to indentify which CPU type is used in 3C0959433T (or any other Remote Key Entry ECU)
so i can start reversing in IDA.

I tried all Tricore types but no luck yet - code does not seem from Tricore CPU.

any hints ?
 Kind Regards and  Thank you in advance.
« Last Edit: January 30, 2018, 12:23:38 AM by zxcv » Logged
zxcv
Newbie
*

Karma: +2/-0
Offline Offline

Posts: 19


« Reply #1 on: January 28, 2018, 08:32:24 AM »

The section starts at 0xF80000.
the Bytes there are

FF01630F00F863F104F8636301F8000A001A07...

so if i regroup them like

FF01
630F00F8
63F104F8
636301F8
...000A001A07

this Looks like opcode (63) with an 3-byte address in the F80000 range

FF01
630F00F8 -> F8000F
63F104F8 -> F804F1
636301F8 -> F80163
...000A001A07

but no luck with tricore, C166, 8051 and Intel :-(





« Last Edit: January 28, 2018, 10:50:25 AM by zxcv » Logged
zxcv
Newbie
*

Karma: +2/-0
Offline Offline

Posts: 19


« Reply #2 on: January 28, 2018, 10:48:31 AM »

unpacked another RKE ECU 1K0959433CT_0218

this one starts at 0xFC0000 - identical code but assumed adresses fit to location F8 <-> FC

FF01
630F00FC
63F104FC
636301FC

000A001A0742036F146C62A150A134FC350351A16C42A1546F01719FFCFF1BFFFFFFFFF0071B0000....
« Last Edit: January 28, 2018, 10:51:52 AM by zxcv » Logged
zxcv
Newbie
*

Karma: +2/-0
Offline Offline

Posts: 19


« Reply #3 on: January 29, 2018, 01:08:59 PM »

searching and analyzing pictures of VAG RKE ECUs from Google picture search, i found
some custom chips with following part numbers (Quality of the Images was most of the time really bad - so no 100% sure)

Motorola: ZC410719CFU
Motorola: SC511081CFU
Motorola: ZC42486CFU
Motorola: ZC41 0795CFU or 0396CFU

but solves not the Problem - this are mostly Motorola CPUs (with their Logo) but custom (VW)
part numbers - so not really any further with cpu type...


Logged
Colt45
Jr. Member
**

Karma: +0/-1
Offline Offline

Posts: 36


« Reply #4 on: January 29, 2018, 08:13:37 PM »

How fancy chip is it. If simple, probably 9s12 or hc12, descendants of hc11, descendants of 6800, extended.

Otherwise fancier ones are either Motorola 68k descendants, or powerpc. I don't think I've ever seen PPC in ECU though.

So look at 6800 instruction set first, see any similarity. All the 6800 boot to 0xffff:fffe but backwards endianess from the rest of the CPU.
Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.015 seconds with 16 queries. (Pretty URLs adds 0s, 0q)