Topic: Trying to clone TC1762 firmware (MEG17.9.12) using Arduino Uno and CAN module
tmc (Newbie):

I'm new to this, and I know I can simply clone the firmware using any tuning hardware, e.g. KTAG. However, I want to do it using an Arduino and a CAN module; I have the MCP2515 CAN Bus Driver Module Board with the TJA1050 Receiver.

I already opened the ECU and I have the pinout: I know where the boot pin is, gpt0 and gpt1, CAN-H and CAN-L, and the +12V pin terminals. I know that gpt0 is the CMP signal and gpt1 is the vehicle speed input, and I have to simulate those analog inputs. But since the Arduino doesn't have true analog output signals, I'm going to use a 2-channel function generator.

First, dumping the firmware :

I was thinking that I could simply generate the analog signals on gpt0 and gpt1, then boot the MCU (TC1762) and read the data through the CAN bus using a CAN library in Arduino studio. Is it like that? Or do I have to send commands so that the MCU sends the firmware? And how can I know what kind of instructions I need to provide, if that's the case? I also need to know at what address the EEPROM starts and its size so I can read it, right? However, I'm not sure how I can find out what the start address is.

Second, writing the firmware to another ECU:

I also need to know how I can write to the MCU EEPROM using the CAN bus. Do I simply run the processor in boot mode and then write the dumped firmware? Or are there instructions I need to provide first so I can write the new firmware?
« Last Edit: July 09, 2023, 11:51:08 AM by tmc »
prj (Hero Member):

You fail to realize that the SBOOT loader is protected in the ECU.
You still need an exploit to bypass the protection.
Sending the signals won't make the ECU magically accept your bootloader... It will only let you communicate with the bootstrap.

Also, you need to write a TriCore bootloader to communicate with your flash tool.
SBOOT (if you manage to do the exploit) accepts a payload, which you upload and then you communicate with it.
How to flash the processor can be read in the user manual, and then based on that a bootloader needs to be made (or you need to find one somewhere)...

This is not some shit you're gonna whip up in Arduino in 5 minutes.
In fact based on what you're saying here, you probably are years away from getting this to work, if ever, sorry.

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
tmc (Newbie):

Quote from: prj (the reply above, quoted in full)

Thanks, that's pretty helpful information.

So I assume that when I enter boot mode, if it's protected, that means it will ask me for a password, right? Probably a hash, bcrypt or something similar, that I need to either find or bypass with an exploit.

Are my hardware tools sufficient for this, though? And is the rest of the job just software? Or is there other hardware I need to have?
« Last Edit: July 09, 2023, 07:18:11 PM by tmc »
prj (Hero Member):

Quote from: tmc
> So I assume that when I enter boot mode, if it's protected, that means it will ask me for a password, right? Probably a hash, bcrypt or something similar, that I need to either find or bypass with an exploit.
Start reading and stop asking questions, because you have no idea what you're talking about.
Understand the difference between the bootstrap loader and the supplier bootloader.
Read the manual of the processor.
Understand that the supplier bootloader is RSA protected and you will not "find the password".
The bootstrap loader can be entered by grounding a pin in the ECU, but the flash is protected and you need to read the password, which can again only be done through an exploit in the supplier bootloader.
Quote from: tmc
> Are my hardware tools sufficient for this, though? And is the rest of the job just software? Or is there other hardware I need to have?
The hardware is irrelevant. All you need is a PWM generator and a CAN interface.
This costs <$20.
The fact that you say "just software" is ridiculous. Yeah, it's "just software" that you probably won't be able to code up in your lifetime with this attitude.
« Last Edit: July 10, 2023, 03:43:56 AM by prj »
tmc (Newbie):

Sweet, I'm only asking for guidance; if there are books or other helpful resources, e.g. websites, it would be great. Or perhaps some other prior projects I need to engage with first before dumping a protected firmware.

Also, I came to know that the gpt signals are there to trick the ECU into providing access to the EEPROM and flash, which would be an exploit, I think. However, you mentioned PWM, but on the Arduino I don't believe we can change the frequency to match the input signals.

No worries, I have a degree in computer science; this would be a piece of cake, I just need to catch up on some knowledge and I need resources.

Anyway, I might need to move this post somewhere else, maybe to reverse engineering or CAN communication.
« Last Edit: July 10, 2023, 05:44:08 AM by tmc »
prj (Hero Member):

Quote from: tmc
> Sweet, I'm only asking for guidance; if there are books or other helpful resources, e.g. websites, it would be great.
Yes, the user manual of the processor.
Quote from: tmc
> Also, I came to know that the gpt signals are there to trick the ECU into providing access to the EEPROM and flash, which would be an exploit, I think.
No, they are there to make the ECU boot into SBOOT (the supplier bootloader). This is not an exploit, it is normal operation of the ECU.
The comms in SBOOT are protected and the payload is signed.
Quote from: tmc
> Anyway, I might need to move this post somewhere else, maybe to reverse engineering or CAN communication.
You need to read.
d3irb (Full Member):

Read the first paragraphs in my write-up here:

https://github.com/bri3d/simos18_sboot

Keep in mind that the SBOOT itself in MEG17.9.12 is completely different from the Simos one in my write-up, but the concept is the same. If you can't understand concepts, you will struggle with this.

The analog frequencies are not an "exploit," they are just a signal to tell the ECU to stop at the supplier bootloader instead of continuing to CBOOT. Also, being able to upload your own bootstrap loader is not an "exploit," it's just a standard feature in Tricore.

You are trying to bypass an internal protection: when you enter the hardware bootstrap loader by manipulating the HWCFG/"boot" pin configuration, the TriCore Boot ROM locks the internal flash controller using passwords. These passwords are just arbitrary values which are set when the ECU is provisioned. They are stored in "user configuration blocks" inside the flash. You can read all about this in the TriCore user's manual, which you need to read if you are going to do this kind of work on TriCore.

The actual exploit is in the supplier bootloader and you will not find it without reversing the bootloader (or stealing it, but that's boring as hell).

Also,
Quote from: tmc
> No worries, I have a degree in computer science; this would be a piece of cake, I just need to catch up on some knowledge and I need resources.
is easily the funniest thing I've read in years.
tmc (Newbie):

That is really helpful information, thanks a lot.

I do have a new TriCore TC1762 MCU that has no firmware in it, perhaps only the bootloader; I'm not sure if the bootloader in this particular MCU is programmed by Infineon or by the engineers of the ECU. But I'm going to experiment with it, add protection to it myself and see how I can exploit it before I work on the MCU with the firmware.

I also need the compiler and libraries to work with this new MCU, and also a loader to load the program into the MCU, and a programmer. Not sure where I can find those tools; I need to do more research on this.

And I also found the official page with the complete set of documents for working with this MCU, very nice:
https://www.infineon.com/cms/en/product/microcontroller/legacy-microcontroller/other-legacy-mcus/audo-family/tc1762-audo-nextgeneration/sak-tc1762-128f66hl-ac/
« Last Edit: July 10, 2023, 11:20:12 PM by tmc »