Author Topic: Concept of bootloader JTag BDM  (Read 4317 times)
devy
« on: September 09, 2020, 01:31:35 PM »

Hello!

Can somebody explain to me what bootloading means and how it works?

There are tools that can read e.g. Renesas SH705x chips. But this is limited to certain car manufacturers and/or ECU brands? Why?

If bootloading means uploading code to the RAM of the chip which allows reading the flash content... this should always work? Regardless of what the data on the chip is and what brand it is?

Okay, some use the CAN protocol and some don't. Or is there a unique security wall that has to be cracked for each type?

I mean, an SH705x can be found in Hitachi ECUs, Denso ECUs, Keihin ECUs, and many more....

xXxCryxXx
« Reply #1 on: September 09, 2020, 01:33:46 PM »

With Bootloader aka Bootmode you don't increase the flash counter, while an OBD2 flash does increase your flash counter, and if the flash counter limit is reached you won't be able to upload a file anymore.

xXxCryxXx
« Reply #2 on: September 09, 2020, 02:18:23 PM »

Quote from devy:
> Hello!
>
> Can somebody explain to me what bootloading means and how it works?
>
> There are tools that can read e.g. Renesas SH705x chips. But this is limited to certain car manufacturers and/or ECU brands? Why?
>
> If bootloading means uploading code to the RAM of the chip which allows reading the flash content... this should always work? Regardless of what the data on the chip is and what brand it is?
>
> Okay, some use the CAN protocol and some don't. Or is there a unique security wall that has to be cracked for each type?
>
> I mean, an SH705x can be found in Hitachi ECUs, Denso ECUs, Keihin ECUs, and many more....

Bootmode works as its name says: you trigger the microprocessor startup and after that it starts to flash your maps inside the ECU, in your flash or whatever you get.... After a successful write it reboots your ECU with a CRC command like "trigger signal", then the whole ECU starts up until your program code is loaded..... It is like Windows: first -> BIOS, then -> system parameters, then -> load all maps and sensors, then -> init sensors and actuators and wait for response. That's the ECU startup work. I know that happens in microseconds, but just to describe how.... And the bootmode is the BIOS in this case.

d3irb
« Reply #3 on: September 09, 2020, 05:52:36 PM »

Very broad question but I see where you're going.

With older CPUs when you see the ability to write a CPU family for one vendor and not others, usually the issue is simply that the pins or memory layout need to be adapted to the different ECU brands, or that not all of the "same CPU" are the exact same CPU - for example, if a different flash chip is used or different pins are used to bring up a part of the board. In the case of "SH705x" I think this is what's going on for you, depending on the vendor and chip revision, different pins are used for serial comms (I think some chips use UART0 and some use UART1 for example?) and there are different flash sizes / layouts at play.

With some newer CPUs, yes, sometimes the mask ROM is customized by manufacturer, and even the first stage of the bootloader / Mask ROM or SBOOT has some kind of security system that needs to be cracked on a per-manufacturer basis.

And in some cases with BDM, which is a bit of a different beast because it's generally handled by a monitor firmware that runs on the application CPU, the application software itself can actually tamper with the interface and prevent or alter its use.

devy
« Reply #4 on: September 09, 2020, 11:39:54 PM »

Quote from d3irb:
> Very broad question but I see where you're going.
>
> With older CPUs when you see the ability to write a CPU family for one vendor and not others, usually the issue is simply that the pins or memory layout need to be adapted to the different ECU brands, or that not all of the "same CPU" are the exact same CPU - for example, if a different flash chip is used or different pins are used to bring up a part of the board. In the case of "SH705x" I think this is what's going on for you, depending on the vendor and chip revision, different pins are used for serial comms (I think some chips use UART0 and some use UART1 for example?) and there are different flash sizes / layouts at play.
>
> With some newer CPUs, yes, sometimes the mask ROM is customized by manufacturer, and even the first stage of the bootloader / Mask ROM or SBOOT has some kind of security system that needs to be cracked on a per-manufacturer basis.
>
> And in some cases with BDM, which is a bit of a different beast because it's generally handled by a monitor firmware that runs on the application CPU, the application software itself can actually tamper with the interface and prevent or alter its use.

Hey, thanks for the info!

Okay, this would explain why many flashing tools are so limited.

I found a flasher that claims to read and write SH705x on board / in circuit with 512kb or 1064kb memory size. The manufacturer says Hitachi ECUs work but has no info for other brands. Looking at what you wrote above, I think that this flasher will probably not work e.g. on a Denso ECU with SH705x, even if the pinout is done correctly...?

devy
« Reply #5 on: September 09, 2020, 11:58:41 PM »

Quote from xXxCryxXx:
> Bootmode works as its name says: you trigger the microprocessor startup and after that it starts to flash your maps inside the ECU, in your flash or whatever you get.... After a successful write it reboots your ECU with a CRC command like "trigger signal", then the whole ECU starts up until your program code is loaded..... It is like Windows: first -> BIOS, then -> system parameters, then -> load all maps and sensors, then -> init sensors and actuators and wait for response. That's the ECU startup work. I know that happens in microseconds, but just to describe how.... And the bootmode is the BIOS in this case.

That's a good comparison! So you think the same SH7055 hardware can have various "bios-codes" and therefore every version of it needs an extra bootloader code...?

xXxCryxXx
« Reply #6 on: September 10, 2020, 12:07:41 AM »

Quote from devy:
> That's a good comparison! So you think the same SH7055 hardware can have various "bios-codes" and therefore every version of it needs an extra bootloader code...?

Sorry, that's a thing that I don't know.