Видео

I am trying to start the process of hacking into another aisin control module. For the Nissan titan xd with the A446ND transmission. I was hoping you could give some advice on where to begin?

Thanks for the tutorial, it's greatly appreciated. Any scripts, tips, or hints to help out with the learning curve would also be welcomed.

Does GHIDRA work with all ECU for car?

Have you ever worked on an older Bosch ME2.8.1?

You can avoid generating code in a calibration area by correctly settup up memory blocks, even roughly. Set cal block as not executable (untick X).

good job! Ive used Ghidra for a while now. I used to do stupid 5,000 hour long quests to find parameters or the use of them in the structure. I simply create a new project and run the map through AS MANY languages as you can, dont change languages. import and ID as many that will work. I find the ARM and some RISC work well for finding all the vortex, command ID, ISO tp and all the entry maps, but Nothing much else, but thats well more than enough to finish up in OLS, I haven't used your repo yet but I'll set it up later today. I Mainly waste time on 8102f m32r lang is similar and, mh8115f, SH2a lang which is simply the FFF* headers and 2x the wasted space. Ghidra is fantastic for finding the missing links where OLS wont ID the run patterns or xrefs or those pesky single value maps Xref'd to 0x67ff when the majority are all in the 0x3000 range.. The way the structure on the mitsu based ecus is quite simple, yours looks to have a more denso look, but its damn damn similar.. they all still use the 02/03 for map struct which You mentioned, but in any 2d map editor, its quite obvious what is what. Super easy way I, ID all the axis values get it done in FRACTION of the time like 20 seconds. Create a script that finds the common word patterns used, 8115f is easy as they all begin with fff8xxxxfff8xxxx0015(placeholder for column length) first is the column ID next is the ROW ID. for older 8102f or M32r based use OLS and create a list and add them all to axis maps in a folder. then export all the data from axis map folders,, locate start addresses. you know all the structure x-y values and layout, do the conversions which are usually very basic for those like rpm can be x/256, 7500/x 3500/x, 2 Dec. 0.00 =rpmx10k, , script a directory link to the file. done. search for each Found value as a column and each as a row. I also have it pick all ascii chains out Word length and above checksums which is generally always 03ffc0 or 0x3ffff pending rom size. once you know what your looking for. find them all. Great way as well to incorporate iso tp into this with a very short py program using a 30.00 can2usb device and run a 0x23 (RDBA) 0x12 0x34 0x56 0x78 address 123456788 0x04 which is the data length 4 bytes long. you can then PID all of it until the processor overheats! also great to watch the ram address being written to so you know what the raw traffic and source is, which makes finding hidden values a snap. You ever need any sample Roms. for whatever I have quite an extensive stash. /n

hey , what processor language used in gen1 (76F0085) toyota denso ? ChatGpt suggest me this " The 76F0085 is believed to be based on the 8051 architecture, a widely used 8-bit microcontroller core. Familiarity with the 8051 instruction set and architecture will be beneficial. "

bud, your videos are being awesome, can I make an honest question, I'm working on reversing a ME9.7 with a MPC563 processor, I'm pretty well positioned right now but I'm needing an eye opener on two things that I'm having a hard time to identify a starting point. I want to patch the UDS security level so I don't ever get an access denied (as I'm working on an ecu on the bench that I'm using as a dev platform and reading ram with 0x23 would be pretty handy, I do have the ways to move through the sec levels but I keep getting access denied when using 0x23) and the other thing I'm trying to understand are can structures, and how to use them as a departing point to find functions

Very useful information! Recently, I have been trying to disassemble the Mazda diesel ECU myself. Where do you find information about available PID's. Specifically, I want to change the boost diag limit. Currently the ECU shows up to 255kpa, but after a remap I pass this limit. I measure the real pressure with the voltage of the sensor which is visible through the forscan. The sensor can measure up to 300kpa, but I don't know why the diagnostic limit is up to 255kpa. I would appreciate it if you could give me some pointers on how to search for this limit .The car has the same sh7058 processor. Mazda 6 2.2 R2A-ECU

hi could you drop a discord invite? previous one is expired/invalid

Did you come across any PowerPC instructions Ghidra doesn't implement? If so, what did you do about these?

...........................................

Great video man I'm a beginer in term of ECU tuning so i want to ask what can i do with the DTC that has been found like shawn in the video ?? Thanks a lot for your content

hey do you have plans on showing how to find checksum function? you probably use tools that already do it automatically but i think it could be interesting

Thanks for making me feel extra dumb today. Love the content.

newbie here, how did you know that it was PowerPC ISA?

As always, love the content. Always wanted to get into ECU reversing but always busy with job. Awesome once again brother

I've been working on disassembling a p12 for an 06 trailblazer and I have all the pids and dtc handlers mapped but I'm stumped on the fan selection logic. The PCM has 4 different ways to handle fan control - no fans, discreet, and 2 other pwm modes. I presume its handled by some kind of enum or bit map, or at least that is what it seems like it would be from HP Tuners... Anyways, I guess my question would be if you have any tricks for finding things like that where there are certain pcm features enabled by a toggle.

Thats great, have you done anything with TCU's I was teying to find out some stuff about 8hp can bus ids today but as first time ghidra user i was not very successful 😂

Sick

Hello. Is it possible to fix the speed limitation on cruise control of 110 km/h on a Japanese Toyota Crown 3.5 2014? Thanks for the answer

I have a problem with ram address Please help me.

Is ROP enabled by default on flash memory on the SH7055? I have a broken microscope I'm trying to fix but I need to dump the firmware to understand the error code it's showing. I'm curious what is the cheapest an easiest way to dump it provided that ROP isn't enabled on my chip.

thinking about this while sleeping rn

Thank you! I have learned more about programing basics and cpu structures with you than in school

I want to learn this!!!!

Your channel is a goldmine.. you have your videos saved somewhere else? In case this channel disappears

Still no luck dumping the eeprom. I didnt realize the part ecus i got were a different SH7058 than my stock SH705823N. They are 64F7058F80. But i flashed it and it ran fine. Speed limit removed. Might have to try the stock tune then eeprom dump so my pinout is correct. Awesome work btw.

Making progress. I reverted to an older tune with 122 defined tables but i pulled the head off a couple days ago to be decked so i can install am ebay turbo kit. Do the aisins have matching tables in the ecu? Does it follow your edits or do what it wants? IIRC the Jatcos have their own map and can weigh it over the nissan ecu table.

Great work man, just found your channel. Would love to see you drop a powerpc vid for a gm t43 controller to learn about the steps you take to go about getting a good decompile. Sub'd.

Can you share the discord link again please?

I watch your videos again and again to understand all the subtleties of these operations, I am making progress on the tables of my TCU ! I will keep you informed

i once hacked my sikimin UCU 3131 processor

Are the addresses listed in that data for a logging channel? If I wanted to log that load table output.

Hi,guy i'm not creat RAM sh7058

Continental M4C would be a gamechanger :)

Have 0 experience in any of this but the i8 13B rotary hybrid swap brought me here and it's interesting to try and understand.

Med9.1 next pls 🫡

The 8xxxxxxxx address space is managed trough the MMU. You need to find the respective TLB setup code. After that, the easiest way I found is to create a byte mapped region in ghidra. To find the entry point you just need to find the used RCHW.

I did it but there is no ghidrarun file.

Ascii is pronounced "As-Kee"

you are keeping moving brother I love that

Hell yeah. Awesome video. Love the work that you do

Hello, tell me what addresses and sizes of RAM for this processor?

I've been following your videos and have to say great job and thanks. Not sure what engine hilux this is from, but atleast in the case of the 1GD/2GD diesel, the MAF sensor signal is a frequency not a voltage. Which might explain why the values you were seeing were so large. It's a 5v square wave from 2khz to 12khz, and the actual mass flow to input frequency relationship is definitely non-linear, IE. It's NOT just a factor and offset to convert frequency to mass flow. There has to be either a lookup to convert it, or a complicated equation to model it. There's also often "corrected" data PIDS, that are the input after correction taking into account something, usually the sensor voltage when whatever it is in in a known state compared to what the sensor voltage is expected to be then. EG. There's a corrected DPF differential pressure value. When the key is first turned on and engine isn't running, ECU knows theres no difference in pressure, and takes note of current sensor reading. It might be very slightly different to what the sensor should read at zero pressure. And now ECU can correct for it. Maybe something like that is what you found with the MAP, rather than a smoothing function? I'm an auto electrician in Australia. I have a pretty accurate mapping of MAF frequency to MAF mass flow for the 1GB/2GD. Let me know if you want me to send you a copy if it could be any use.

I tried to clone my ecu 06 Altima to a used ecu, I can dump the entire rom 1mb SH7058 but doesnt include some required portion off the eeprom for the immobilizer. the main dump is good verified by pcmflash nisprog obd and bench... Rimwall on RR added a forked kernel and enhanced version of nisprog to compile that WILL dump this portion using SUBEEP function in his version. Do you know the memory mapping well enough to explain why the nis prog release 1-1.05 cant handle this? my cross compiking skills are nonexistent, arduino or marlin. Any clue what edits are needed to compile a version that will dump SUBEEP or why it wont now? Hvanet messaged the dev yet since post is 3 years old