Vida CEM swapping

[oscilloscope]

Folks happy new year, I trust everyone sticking too there new years resolution

[oscilloscope]

I do not. I do have an oscilloscope, and I have noticed the WE pin going low every now and then when the ECU is operating normally. As soon as I start the SBL it remains HIGH, but that is because I have not issued any commands to it. I will have to solder a wire to it, but this time it will be thinner so if it decides to break, it won't take the pin off this time.

According too the Hitachi data sheet for SH7055, it suggests FWE pin needs to be in a reset state to allow for read/write enable. Which then places it in programmer mode. , I am assuming that Hitachi version of the sh7055 is the same as the renesas. Before there transition. Assuming that's the pin you mean ?

No that is a different pin. The WE pin belongs to the 29LV200BC flash chip. I've been away for a while due to personal issues and cannot come back to the project for a little while longer.

I'm analyzing TCM's SBL at the moment. It's definely work by same algorithm as ECM flashing process. CAN sequence looks like on 0xE6 TCM:
1. Shutdown everything by 0xFF 0x86 request
2. Send 0xE6 0xC0
3. Send 0xE6 0x9C 0xFF 0xFF 0x82 0x00 // jump to addr 0xFFFF8200
4. Send 0xE6 0xAE with bootloader as payload
5. Send 0xE6 0x9C 0xFF 0xFF 0x82 0x00 // jump to addr 0xFFFF8200
6. Send 0XE6 0xA0 to jump execution point to addr from pt 5.
7. Send 0xE6 0x9C 0x00 0x00 0x80 0x00 // jump to addr 0x8000
8. Send 0xE6 0xF8 // erase memory block
9. Send 0xE6 0x9C 0x00 0x00 0x80 0x00 // jump to addr 0x8000
10. Send 0xE6 0xAE with flash payload
11. Send 0xFF 0xC8 to start add ECUs in normal mode.

I omitted the checksum check because I don't know algorithm for TCM. In my TCM's flash this check just disabled.

I didn't find 0xAE command processing ATM. Maybe additional bootloader should be loaded. But next command looks like enabling of flashing:

Code: Select all

ROM:FFFF9666 flashing_FFFF9666:                      ; CODE XREF: sub_FFFF9596+C8j
ROM:FFFF9666                 mov.w   #PJDR_W, r2
ROM:FFFF9668                 mov.w   @r2, r0
ROM:FFFF966A                 xor     #h'40, r0
ROM:FFFF966C                 mov.w   r0, @r2
ROM:FFFF966E                 mov.w   #FLASH_FECS_B, r2
ROM:FFFF9670                 mov.b   @r2, r0
ROM:FFFF9672                 and     #h'FE, r0
ROM:FFFF9674                 mov.b   r0, @r2
ROM:FFFF9676                 mov.w   #FLASH_FPCS_B, r2
ROM:FFFF9678                 mov.b   @r2, r0
ROM:FFFF967A                 or      #1, r0
ROM:FFFF967C                 mov.b   r0, @r2
ROM:FFFF967E                 mov     #0, r1
ROM:FFFF9680                 mov.w   #FLASH_FTDAR_B, r2
ROM:FFFF9682                 mov.b   r1, @r2
ROM:FFFF9684                 mov.w   #h'A5, r0
ROM:FFFF9686                 mov.w   #FLASH_FKEY_B, r1
ROM:FFFF9688                 mov.b   r0, @r1
ROM:FFFF968A                 bra     loc_FFFF96A4
ROM:FFFF968C                 nop

The AE command(write) is from the ECM PBL. The SBL just adds a few more commands, more specifically just F8(delete sector or entire flash). So yeah SBL is just an extension to the PBL.

Here are the ECM SBL commands, some...don't do anything from what I've seen, they just send a CAN reply back but don't really do anything else, the rest is still hard to decipher their purpose. The behaviour depends on FFFFDFA0 and FFFFDFA8, which I am still unclear WHAT they represent.



But like I said, might take a while after some events happened, you just can't have the same trust in your partner when they've done something bad behind your back.

are you using Ghidra ?

[dikidera]

I am using both Ghidra and IDA Pro.

[oscilloscope]

I am using both Ghidra and IDA Pro.

looks very cool , i don't know enough to understand how it functions.

[dikidera]

So I had another unfortunate event...I fried my Raspberry Pi after I was so close to modifying the car. And I fried in the car just as I was powering it up. All the work for nothing.

So now I have to ask, which proprietary tool can I buy, clone or not that can read and write Denso ECUs without removing it from the car, from the obd port?
I am hoping for the tool to also allow me to use vida. If not I have to buy another RPI.

Mine is Le.2 2005 so 500kbps bus.

[oscilloscope]

So I had another unfortunate event...I fried my Raspberry Pi after I was so close to modifying the car. And I fried in the car just as I was powering it up. All the work for nothing.

So now I have to ask, which proprietary tool can I buy, clone or not that can read and write Denso ECUs without removing it from the car, from the obd port?
I am hoping for the tool to also allow me to use vida. If not I have to buy another RPI.

Mine is Le.2 2005 so 500kbps bus.

Iot terminal work well with these with the denso plugin sim.

[dikidera]

So I had another unfortunate event...I fried my Raspberry Pi after I was so close to modifying the car. And I fried in the car just as I was powering it up. All the work for nothing.

So now I have to ask, which proprietary tool can I buy, clone or not that can read and write Denso ECUs without removing it from the car, from the obd port?
I am hoping for the tool to also allow me to use vida. If not I have to buy another RPI.

Mine is Le.2 2005 so 500kbps bus.

Iot terminal work well with these with the denso plugin sim.

Quite a bit outside of my budget though.

[5ft24]

What about a DICE?

[oscilloscope]

So I had another unfortunate event...I fried my Raspberry Pi after I was so close to modifying the car. And I fried in the car just as I was powering it up. All the work for nothing.

So now I have to ask, which proprietary tool can I buy, clone or not that can read and write Denso ECUs without removing it from the car, from the obd port?
I am hoping for the tool to also allow me to use vida. If not I have to buy another RPI.

Mine is Le.2 2005 so 500kbps bus.

Iot terminal work well with these with the denso plugin sim.

Quite a bit outside of my budget though.

Maybe the clone kess might be able to do it.

[bosse]

Clone kess can't do it.
Clone mpps 22 can do lot's of volvo. Denso 500kbs included. Pinout on bench is best option.