cracking the ecu....
Old 02-01-2006, 07:33 AM  #26
tuj (Registered; Join Date: Jan 2005; Posts: 615)
A bunch of bytes of FF, with strings of 20 bytes sprinkled at even spacings. That almost certainly isn't execution code, as it would be a very unusual opcode. You'll notice that from 80xxxx on, there is a lot more repetition and a lot more strings of FF's and 00's. Makes me think that it's the data segment.

I was hoping there would be more debug symbols, but it looks like they stripped all of those out. That makes sense to save space. I ran an SH-2 disassembler on the whole thing, but the results don't look so great. I get unrecognized about every 20 instructions or so.

I'm starting to wonder what the exe packaged with the flash does. I wonder if the flash file is packed, scrambled, or encrypted.

Last edited by tuj; 02-01-2006 at 08:07 AM.
Old 02-01-2006, 08:17 AM  #27
MrJynx (Registered User; Join Date: May 2004; Location: toronto, canada; Posts: 477)
I doubt they'd encrypt the flash file. If they did, you wouldn't be able to decipher anything from the hex code.

I have the rest of the week off, so I'm gonna fool around with this for the rest of the week. I'm bored as hell and need a little home project.


MrJynx
Old 02-01-2006, 09:11 AM  #28
tuj (Registered; Join Date: Jan 2005; Posts: 615)
Yeah, I don't actually think it's encrypted, but I haven't been able to get the offsets right to get a good disassembly listing. What scares me though, is that Renesas has a PDF on their site about their encryption and security technology for the SH processors, and how tamper-proof they are, etc. If they put a public key in ROM in the ECU and encrypted the flash with a private key, it would be game over for trying to hack the flash.
Old 02-01-2006, 09:33 AM  #29
alnielsen (Registered; Join Date: Aug 2004; Location: Buddhist Monastery, High Himalaya Mtns. of Tibet; Posts: 12,255)
20 is hex for a space. The FF would most likely be a blank spot. Nothing unusual.
Old 02-01-2006, 09:45 AM  #30
MrJynx (Registered User; Join Date: May 2004; Location: toronto, canada; Posts: 477)
If it was encrypted with something even as basic as RSA encryption, we'll be screwed. Lol.

Anyone have access to a Beowulf cluster?


MrJynx
Old 02-01-2006, 09:47 AM  #31
zoom44 (Administrator; Join Date: Jul 2002; Location: portland oregon; Posts: 21,958)
Originally Posted by tuj

I'm starting to wonder what the exe packaged with the flash does. I wonder if the flash file is packed, scrambled, or encrypted.

I believe it's the execution for loading itself onto the WDS. The techs download the update onto a floppy, then load the floppy into the WDS and it loads into the WDS.
Old 02-01-2006, 09:54 AM  #32
tuj (Registered; Join Date: Jan 2005; Posts: 615)
Originally Posted by alnielsen
20 is hex for a space. The FF would most likely be a blank spot. Nothing unusual.
Well, it is rather. One byte by itself is meaningless, but long strings of FF for 20 or more bytes indicate that it's certainly not opcodes. The flash is compiled from the C source, then optimized by the compiler, so there is a mix of data and execution code. I think the data segment is from 8xxxx to the end, based on how the patterns of hex look. If you haven't looked at it, it's pretty meaningless to comment about one byte.
Old 02-01-2006, 10:00 AM  #33
alnielsen (Registered; Join Date: Aug 2004; Location: Buddhist Monastery, High Himalaya Mtns. of Tibet; Posts: 12,255)
FYI:
30 - 39 Hex would be 0 - 9
41 - 5A Hex would be A - Z
61 - 7A Hex would be a - z
Old 02-01-2006, 10:01 AM  #34
tuj (Registered; Join Date: Jan 2005; Posts: 615)
Dude, the flash ain't all ASCII. Hex <> ASCII.
Old 02-01-2006, 12:00 PM  #35
tuj (Registered; Join Date: Jan 2005; Posts: 615)
So I tried various combinations of alignments, and I can't get a disassembly without an unrecognized opcode every 10 instructions or so. I'm using sh2d32 to disassemble, so someone with access to IDA Pro might have better luck.
Old 02-01-2006, 12:26 PM  #36
zoom44 (Administrator; Join Date: Jul 2002; Location: portland oregon; Posts: 21,958)
That's about where everyone else I have talked with got, except the one I quoted earlier, and they ain't sharing since they have a financial interest.
Old 02-01-2006, 01:06 PM  #37
tuj (Registered; Join Date: Jan 2005; Posts: 615)
The biggest problem is that debugging the SH2e requires the E6000 emulator, which is both hardware and software. I think with an emulator and an evaluation sh2e board, one could load the flash, and debug on-chip.

I'm still curious as to what the exe does. My take is that the flash is in some sort of intermediate format, but I wouldn't go so far as to say it's encrypted. There are patterns that definitely aren't the pseudo-random noise that encryption would produce.
Old 02-07-2006, 01:42 AM  #38
seikx8 (Is this title ok?; Join Date: Jan 2003; Location: El Monte, CA; Posts: 300)
I looked at this a long time ago, but never had time to follow up; however, here is the info I found thus far:

There are offsets and indicators separating the header and the binary data. There are patterns which one may be able to locate and figure out the data, etc.

In the binary data, there is a significant 4-byte indicator:
30 00 24 00 - begins after the header,
followed by: 3a 02 00 00 04 00 00 [1 byte value changes in decreasing order] 3a 02 00 00 02 00 00 fc
Then followed by a 38-byte datastream with the format as follows:
3a 20 [1 function/address byte] [2 function address bytes] [32 bytes data] [check sum byte?]

This pattern repeats until the end of file, with the following pattern:
3a 00 00 00 01 ff

The map is most likely somewhere in the 32 bytes of data at the end or near the last few blocks of the file. There are patterns of 1, 2, 3 etc... which probably indicate timing, etc.

As for the entire file checksum? Well, probably it's not that hard to figure out either.

I have access to the software to flash the ECM, but do not have the hardware to do so. If anyone has access to the SAE2534 library or other hardware, they might want to take a crack at reflashing the ECM?

I have a dump of the binary into hex values in text, with the block pattern formatted, which I can't upload because it's over 480k in size zipped.
PM me a location where I can attach the file if interested.

Here is an example of the pattern. Notice 01, 05, then ff, fe, which is an indication of negative numbers, -1, -2, etc.
3a 20 23 00 00 01 01 01 01 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 01 01 01 01 01 01 01 01 01 01 01 01 01 61
3a 20 23 20 00 01 01 01 01 01 01 01 01 04 04 04 00 00 00 00 00 00 00 00 00 00 00 00 00 03 fc 03 fc ff fe ff fe 91
3a 20 23 40 00 ff fe ff fe ff fe ff fe ff fe 03 fc ff fe ff fe ff fe ff fe 03 fc ff fe ff fe ff fe ff fe ff fe a9
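The record layout seikx8 describes matches the Intel HEX record structure carried as raw bytes (3a record mark, byte count 20 = 32, 16-bit big-endian address, record type, data, checksum), and the trailing "check sum byte?" behaves as the Intel HEX checksum, the two's complement of the sum of the bytes after the 3a: 61, 91 and a9 verify against the three quoted records, as do the `3a 02 00 00 02 00 00 fc` and `3a 00 00 00 01 ff` patterns. The Python below is an added example, not seikx8's code; it parses that layout and reports any record whose checksum fails, so a damaged or mis-transcribed block is caught before anyone reads values out of it. It assumes only the checksum rule just stated; reading the payload as signed 16-bit words (`ff fe` = -2, `03 fc` = 1020) is one reading of the negative-number pattern the post points out, and the post does not state the word size.

```python
# Added example, not the poster's code: parse the 3a-mark record layout and check each checksum.
def parse_records(blob: bytes):
    """Return (offset, address, rtype, data, checksum_ok) for each record in a
    stream laid out as: 3a, count, addr_hi, addr_lo, type, `count` data bytes,
    checksum. Assumed rule (Intel HEX): the checksum is the two's complement of
    the sum of every byte between the 0x3a mark and the checksum itself."""
    records, i = [], 0
    while i < len(blob):
        if blob[i] != 0x3A:
            raise ValueError(f"no 0x3a record mark at offset {i:#x}")
        count = blob[i + 1]
        end = i + 6 + count              # mark, count, addr(2), type, data, checksum
        if end > len(blob):
            raise ValueError(f"truncated record at offset {i:#x}")
        body = blob[i + 1:end - 1]       # count .. last data byte
        expected = (-sum(body)) & 0xFF   # two's complement of the byte sum, mod 256
        records.append((i, int.from_bytes(body[1:3], "big"), body[3],
                        bytes(body[4:]), blob[end - 1] == expected))
        i = end
    return records


def bad_records(blob: bytes):
    """Offsets of records whose checksum does not verify; empty for a clean stream."""
    return [r[0] for r in parse_records(blob) if not r[4]]


def as_int16(data: bytes):
    """Read a payload as big-endian signed 16-bit words ('ff fe' -> -2, '03 fc'
    -> 1020). One candidate reading of the table values; the post does not
    state word size or signedness."""
    return [int.from_bytes(data[k:k + 2], "big", signed=True)
            for k in range(0, len(data) - 1, 2)]


# Constructed input: the three records quoted in the post, dumped as hex text,
# bracketed by the `02` address record and the end-of-file pattern it describes.
SAMPLE = bytes.fromhex("""
3a 02 00 00 02 00 00 fc
3a 20 23 00 00 01 01 01 01 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 01 01 01 01 01 01 01 01 01 01 01 01 01 61
3a 20 23 20 00 01 01 01 01 01 01 01 01 04 04 04 00 00 00 00 00 00 00 00 00 00 00 00 00 03 fc 03 fc ff fe ff fe 91
3a 20 23 40 00 ff fe ff fe ff fe ff fe ff fe 03 fc ff fe ff fe ff fe ff fe 03 fc ff fe ff fe ff fe ff fe ff fe a9
3a 00 00 00 01 ff
""")

if __name__ == "__main__":
    for off, addr, rtype, data, ok in parse_records(SAMPLE):
        print(f"{off:#06x} addr={addr:#06x} type={rtype:02x} len={len(data):2d} "
              f"{'checksum ok' if ok else 'CHECKSUM BAD'}")
```

The three data records land at addresses 2300, 2320 and 2340, one 32-byte block apart, which is what the posted "2 function address bytes" step shows.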
Old 02-07-2006, 09:59 AM  #39
olddragger (Registered; Join Date: Apr 2004; Location: macon, georgia; Posts: 10,828)
I will never understand this car.
olddragger
Old 02-07-2006, 10:23 AM  #40
tuj (Registered; Join Date: Jan 2005; Posts: 615)
Come on, it's just like a carb.
Old 02-07-2006, 11:06 AM  #41
MazdaManiac (Banned; Join Date: Oct 2003; Location: Under my car; Posts: 16,386)
You know, I might buy one of those. Anyone want to get in on a year's subscription? I'll buy the pass-through.

Originally Posted by olddragger
I will never understand this car.
olddragger
Sad thing is, back in the '80s I was pretty well versed in this kind of stuff. I could sit around and write machine code for my Z-80 based or 6055 based machines all day.
Now I have to use both hands and one foot to translate HEX to decimal.
Old 02-07-2006, 05:39 PM  #42
TeamRX8 (No respecter of malarkey; Join Date: Apr 2005; Posts: 26,727)
the checksum is usually available on the web if you know where to look
Old 02-07-2006, 05:55 PM  #43
zoom44 (Administrator; Join Date: Jul 2002; Location: portland oregon; Posts: 21,958)
http://www.drewtech.com/products/index.html

Drewtech makes several pass-thru devices. The Mongoose cable is a new stripped-down version from them. It's about $200 bucks and is fully compliant with j2354 and all the CAN and ISO protocols. It's also USB, which is nice. Then all you need is the program on your laptop from mazdatechinfo.
There is also an API available from them to program your own pass-thru app. It's on their site under support.
Old 02-07-2006, 08:47 PM  #44
olddragger (Registered; Join Date: Apr 2004; Location: macon, georgia; Posts: 10,828)
Like a carb! I remember when some of the main tuning tools were a standard screwdriver, a timing light and a good ear!
I will leave all this up to you guys!
olddragger
Old 02-07-2006, 09:00 PM  #45
TeamRX8 (No respecter of malarkey; Join Date: Apr 2005; Posts: 26,727)
Originally Posted by zoom44
http://www.drewtech.com/products/index.html

Drewtech makes several pass-thru devices. The Mongoose cable is a new stripped-down version from them. It's about $200 bucks and is fully compliant with j2354 and all the CAN and ISO protocols. It's also USB, which is nice. Then all you need is the program on your laptop from mazdatechinfo.
There is also an API available from them to program your own pass-thru app. It's on their site under support.


ooooh, that's new since I was last on their site

Harrison was working on getting the CANScan to also operate as a PassThru device; haven't pinged him in a while though, so I'm not sure where he stands on it.
Old 02-07-2006, 11:31 PM  #46
G0t m4xx 21 (Xbox hacker; Join Date: Aug 2005; Location: Austin, TX; Posts: 48)
Originally Posted by MrJynx
we need game console hackers in here!
Ahh yes, this thread reminds me of the good ol' days of Xboxhacker.net when Bunnie and everybody was tryin' to crack the flash on the original Xbox. Now they're all tryin' to do the same thing on the Xbox 360; the latest development seems to be in hacking the firmware of the DVD drive.

Very similar stuff going on here, keep up the good work.

On the flash for the ECU, I doubt the security is very strong, since they aren't trying to prevent the piracy of video games or something like that. I would only expect to see a checksum in there, and not to prevent modifying the flash code, but simply to not execute corrupted code if the flash got messed up, to prevent engine damage.
Old 02-07-2006, 11:37 PM  #47
Hskr8 (Registered User, Thread Starter; Join Date: Dec 2003; Location: Nebraska; Posts: 310)
Guys, I am amazed at the attention to detail and the desire to work together on this project...

I looked at it from a highly simplistic viewpoint, but being a programmer myself, I know that what can be done, can be undone...

What you guys have already uncovered has been nothing short of amazing...

What do you need? Work together... and see if you can become the next RX-8 Idol!!!
Old 02-07-2006, 11:45 PM  #48
MazdaManiac (Banned; Join Date: Oct 2003; Location: Under my car; Posts: 16,386)
"Mushy mushy Stig Sam"?
I presume that is supposed to be "Moshi-Moshi Stig San!".

I'm really piqued by the possibility of doing my own PCM flashes - even if it is the OEM Mazda stuff. Just the idea of having my own WDS equivalent gives me goose-bumps.
But I'm a geek, so I digress...
Old 02-08-2006, 12:43 AM  #49
Hskr8 (Registered User, Thread Starter; Join Date: Dec 2003; Location: Nebraska; Posts: 310)
Is that what the verbiage is on Top Gear? Damn... you should have told me sooner, dude...
Old 02-08-2006, 01:21 AM  #50
MazdaManiac (Banned; Join Date: Oct 2003; Location: Under my car; Posts: 16,386)
Originally Posted by Hskr8
is that what the verbiage is on Top gear? damn.. you should have told me sooner dude...
It means "Let's go, Mister Stig!" (sort of).