Topic: Getting started with ECU ROM disassembly (SH7058) and seed/key algorithm search


Hello everyone,

I'm trying to find the security request 0x27 seed/key algorithm by disassembling the ROM of a Nissan Micra/March Renesas SH7058 in IDA. I found a repo on GitHub which contains a device variant file; this was very helpful since it works specifically for the processor I'm working with. It automatically defines the intro vectors and labels such as Poweron_reset and also defines an interrupt request (INT_IRQ7).

It's a good start, but it's my first time disassembling and I'm also on my way to learning about it. Any suggestion or recommendation about the process will be greatly appreciated (I know that this process is way different for every manufacturer and processor, but there might be some common knowledge needed to start working with general disassembly).

The main questions I have:

Does the poweron_reset link directly to the bootloader? Where can I find it?

Is there a common structure that seed/key algorithms follow?

Do I need an a2l file to start looking for it? If so, where can I look online for a2l files?

Is there a methodology to start analyzing ECU ROM disassembly?

Also, the one I'm more interested in:
Any educational resources, such as links or book recommendations, that might help me get started specifically with ECU ROM disassembly will be greatly appreciated.
Hero Member


Find the UDS stack. To find the UDS stack you can try to search for NRC literals in the binary.
Once you have that, find the routine that does security access and reverse it.

Pretty basic shit, if you've never done any reversing before then good luck lol.

PM's will not be answered, so don't even try.
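
The NRC-literal search suggested in the reply above, as an added example that is not part of the original thread. It assumes the ROM is big-endian SH-2 code and that the firmware loads the SecurityAccess negative response codes as `mov #imm8,Rn` immediates (encoded 0xEnii); the function names and the sample image are constructed for illustration.

```python
# UDS negative response codes tied to SecurityAccess (service 0x27), per ISO 14229-1.
SECURITY_NRCS = {
    0x33: "securityAccessDenied",
    0x35: "invalidKey",
    0x36: "exceededNumberOfAttempts",
    0x37: "requiredTimeDelayNotExpired",
}

def find_nrc_loads(rom: bytes):
    """Yield (offset, nrc) for each SH-2 `mov #imm8,Rn` (0xEnii) that loads a security NRC."""
    for off in range(0, len(rom) - 1, 2):        # SH instructions are 16-bit aligned
        hi, lo = rom[off], rom[off + 1]
        if hi >> 4 == 0xE and lo in SECURITY_NRCS:
            yield off, lo

def cluster_hits(rom: bytes, window: int = 0x100, min_distinct: int = 3):
    """Group hits within `window` bytes; keep groups with >= min_distinct different NRCs."""
    clusters, current = [], []
    for off, nrc in find_nrc_loads(rom):
        if current and off - current[0][0] > window:
            if len({n for _, n in current}) >= min_distinct:
                clusters.append(current)
            current = []
        current.append((off, nrc))
    if len({n for _, n in current}) >= min_distinct:
        clusters.append(current)
    return clusters

def build_sample_rom() -> bytes:
    """Constructed test image: NOP padding, one stray 0x33 load, one dense cluster."""
    rom = bytearray(b"\x00\x09" * 0x400)         # SH NOP = 0x0009
    rom[0x040:0x042] = b"\xE1\x33"               # isolated hit, should be ignored
    for i, nrc in enumerate((0x35, 0x36, 0x37, 0x33)):
        start = 0x600 + i * 0x10
        rom[start:start + 2] = bytes([0xE4, nrc])
    return bytes(rom)

if __name__ == "__main__":
    for c in cluster_hits(build_sample_rom()):
        names = ", ".join(SECURITY_NRCS[n] for _, n in c)
        print(f"candidate at 0x{c[0][0]:X}-0x{c[-1][0]:X}: {names}")
```

A single matching byte pair is common in any ROM, which is why only dense clusters of several distinct codes are reported. Firmware that keeps NRCs in a data table or literal pool will not match this instruction pattern and needs a data-side search instead.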
Full Member


There is a lot of work done on that processor in the Mitsubishi EVO community, which seems to be disappearing. I downloaded a lot off of the Evoscan website, and I believe that they were using the Tactrix cable hardware etc.

Here's the site:

I think this site is another you might find answers:
