hinxx
Newbie
Karma: +1/-0
 Offline
Posts: 11
|
 |
« on: July 28, 2012, 01:13:47 PM »
|
|
|
Hi, I was going through EDC15C2 dumps - comparing, trying to understand bits and bytes beyond the map data and found about what you guys are doing. Great knowledge base you have here!  EDC15C2 uses the same Infenion CPU as does ME7.1 - 16bit Infineon B59233. ECU has Am29F400BT mounted instead of Am29F800BB. Has anyone done any of this with EDC15C2? I will probably need IROM contents that matches my ECU to do some stuff in IDA. I guess I can't use what ME7.1 has, or? |
|
|
|
|
Logged
|
|
|
|
hinxx
Newbie
Karma: +1/-0
Offline
Posts: 11
|
|
« Reply #1 on: July 29, 2012, 11:54:43 AM »
|
|
|
I've played around with the me7.1 IROM and my ECU bin. Some addresses are missing especially stuff in 0x8200000.. I guess it is time to lookup the DPP values and get the real EDC15C2 IROM..
Here's a tiny IDC script I used to get all the functions.
|
|
|
|
|
Logged
|
|
|
|
hinxx
Newbie
Karma: +1/-0
Offline
Posts: 11
|
|
« Reply #2 on: August 05, 2012, 04:56:23 PM »
|
|
|
Did some more work on this.
There are pictures floating around with EDC15C2 with B59233 CPU marking. Today I've opened up my ECU and found out that the marking is B59388.
In my effort I've identified both, in fact they are the "same" Infineon CPU.
Bosch Siemens/Infineon
name name
B59388 SAK-C167CR-4RM (GA) EDC15C2
B59233 SAK-C167CR-4RM (FA) EDC15C2
B00017 SAK-C167CR-4RM (HA) ME7.5/ME7.1 ??
Can someone confirm these findings?
Further, I'm expecting to find IROM in the same place you guys have it in ME7.5.
Thank you!
|
|
|
|
|
Logged
|
|
|
|
ne0h
Newbie
Karma: +1/-0
Offline
Posts: 18
|
|
« Reply #3 on: March 05, 2013, 04:23:27 AM »
|
|
|
Hi guys, I'm new to this forum and I'm very happy to find some guys interested in reverse engineering as I'm not new to this on embedded systems... Regarding to EDC15, I've a Golf mk4 with EDC15P+ 22.3.2, I really want to start reversing the flash code but I've no idea on how I can dump the CPU ROM code, I've read that on ME 7.xx ECUs it is possible to read the IROM with Minimon in bootmode... So having the EDC15P the same Infineon C167 processor can I dump the code this way?? Just in case using Minimon what cable can I use for that?? I've a Galletto 1260, Mpps v12, Vag.com 10.6 hex and a Vag KKL cable... Thanks you and sorry for my bad english  |
|
|
|
|
Logged
|
|
|
|
hinxx
Newbie
Karma: +1/-0
Offline
Posts: 11
|
 |
« Reply #4 on: March 05, 2013, 05:45:48 AM »
|
|
|
IMO, it should be possible. Since my post here, I've managed to get the C167 ROM out of my EDC15C2, since there was no interest in the topic here I never put any effort to post my findings.. lazy.. i know.
I used minimon and KKL like cable, built on my breadbord. Just connect with the minimon, and set the address range, and then do the upload (i thinks)..
If you need minimon settings let me know, I have some that worked with my EDC15C2.
Cheers!
|
|
|
|
|
Logged
|
|
|
|
ne0h
Newbie
Karma: +1/-0
Offline
Posts: 18
|
|
« Reply #5 on: March 05, 2013, 07:26:12 AM »
|
|
|
Thank you very much!! |
|
|
|
|
Logged
|
|
|
|
ne0h
Newbie
Karma: +1/-0
Offline
Posts: 18
|
|
« Reply #6 on: March 05, 2013, 09:06:30 AM »
|
|
|
Nevermind, I've figured out how Minimon works and then I'm pretty sure it can only run in bootmode... Thanks  |
|
|
|
|
Logged
|
|
|
|
hinxx
Newbie
Karma: +1/-0
Offline
Posts: 11
|
|
« Reply #7 on: March 05, 2013, 11:18:57 AM »
|
|
|
Yep, you need to put the ECU in the bootmode for Minicom.
|
|
|
|
|
Logged
|
|
|
|
ne0h
Newbie
Karma: +1/-0
Offline
Posts: 18
|
|
« Reply #8 on: March 07, 2013, 11:21:16 AM »
|
|
|
Hi, I've managed to read the ecu IROM with Minimon but I was wondering is possible to read the 24c04 eeprom (immo\vin etc) and the 29F400bt flash through Minimon... I've seen the external bus is disabled by default therefore I presume I have to build my own firmware to read\write the 24c04 or there is another way?? I'm trying to clone my ECU but I miss read\write access on the 24c04... Thank you!! |
|
|
|
|
Logged
|
|
|
|
hinxx
Newbie
Karma: +1/-0
Offline
Posts: 11
|
|
« Reply #9 on: March 07, 2013, 02:03:20 PM »
|
|
|
I'm it worked for you too! It should be possible to read the 24c04, too. I believe it is a matter of setting up the C167 to use I2C/SPI through the Minimon. I had made a stab at my eeprom 95sp08 readout some time ago, but I have not succeeded. For the flash, I think it is possible to read it - it was almost a year since I've done it and I'm quite sure what was the Minimon setup exactly. You need to tell the Minimon to use external bus in the preferences IIRC, OTOH you can always try to read flash and compare the results with the galletto dump. |
|
|
|
|
Logged
|
|
|
|
ne0h
Newbie
Karma: +1/-0
Offline
Posts: 18
|
|
« Reply #10 on: March 07, 2013, 02:37:51 PM »
|
|
|
I've been able to read the flash reading the datasheet that the extmemory is mapped from 0x80000 (finally I've found a 464 pages pdf, I've had a 74 pages before). I've been wondering on how the EEPROM could be read then thanks for the tip (SPI), I'll investigate on this!! |
|
|
|
|
Logged
|
|
|
|
ne0h
Newbie
Karma: +1/-0
Offline
Posts: 18
|
|
« Reply #11 on: March 15, 2013, 03:25:53 AM »
|
|
|
Just to update the thread, I've successful read and written the 24c04 I2C e2p creating a custom loader\driver in bootmode, I thought it was the simplest way... I haven't tried to read/write via obd "normal" KWP mode, I'll try it asap... Thank you |
|
|
|
« Last Edit: March 16, 2013, 04:15:54 AM by ne0h »
|
Logged
|
|
|
|
hinxx
Newbie
Karma: +1/-0
Offline
Posts: 11
|
|
« Reply #12 on: March 17, 2013, 08:45:32 AM »
|
|
|
Just to update the thread, I've successful read and written the 24c04 I2C e2p creating a custom loader\driver in bootmode, I thought it was the simplest way... I haven't tried to read/write via obd "normal" KWP mode, I'll try it asap... Thank you Great m8!!! Care to share the i2c driver  |
|
|
|
|
Logged
|
|
|
|
ne0h
Newbie
Karma: +1/-0
Offline
Posts: 18
|
|
« Reply #13 on: January 24, 2014, 06:15:39 AM »
|
|
|
Hi, I've been able to read the 24c04 via OBD on a EDC15P ECU but I encountered the WFS (Immo) protection, reading the software manual logins from 0-9999 are Immo-related so I think there is a way to disable the WFS protection, asap I'll try some login pass I've found in the file... Relating to map finding on a Vag EDC15P, I'm usually pretty good at reversing, analyzing or cracking code on any platform but this time I can't find any map reference in the code...  The frustrating thing is that there's no output reference as usual to start with, except made from DTCs or Maps Addresses but everything seems to be "dinamically" referenced (due to the 3 Codeblocks available I think)... I've also determined the DPPs settings from the IROM dump but it's difficult to know if they're right... In the meantime I'm writing a program to read the RAM and so try to find some "easy" references... So has anyone succeded on finding maps refs on a EDC15?? I'll attach the IDA idb file I'm working on as soon as I'm at home! Thank you guys!! |
|
|
|
|
Logged
|
|
|
|
Brumbassen
Newbie
Karma: +1/-0
Offline
Posts: 18
|
|
« Reply #14 on: January 31, 2014, 01:47:11 AM »
|
|
|
Hi, I've been able to read the 24c04 via OBD on a EDC15P ECU but I encountered the WFS (Immo) protection, reading the software manual logins from 0-9999 are Immo-related so I think there is a way to disable the WFS protection, asap I'll try some login pass I've found in the file... Relating to map finding on a Vag EDC15P, I'm usually pretty good at reversing, analyzing or cracking code on any platform but this time I can't find any map reference in the code... The frustrating thing is that there's no output reference as usual to start with, except made from DTCs or Maps Addresses but everything seems to be "dinamically" referenced (due to the 3 Codeblocks available I think)... I've also determined the DPPs settings from the IROM dump but it's difficult to know if they're right... In the meantime I'm writing a program to read the RAM and so try to find some "easy" references... So has anyone succeded on finding maps refs on a EDC15?? I'll attach the IDA idb file I'm working on as soon as I'm at home! Thank you guys!! just a question when you do changes what program do you use to correct the checksum ?? |
|
|
|
|
Logged
|
|
|
|
|
