General circuit reverse engineering section - Page 2

Chris31 · 05-11-2006, 02:10 PM

Quote: Originally Posted by archimense

I have already read the external ROM by socketing the chip. It contains code and data/maps, but not any code for flashing memory. HEX is not unworkable if you have a good dissambler like IDA Pro, and the instruction set manual.

The C167CR processor does not have it's internal flash read or write protected. The code in external ROM makes function calls into the code in internal ROM, this would not be allowed if the processor had memory protection enabled.

What I meant was, its pointless dissasembling HEX when its encrypted, but since you are sure its not then go ahead and see what you can make out of it.

I would have thought they would have something read protected/encrypted in the design. Its a common practice for me atleast to read protect and encrypt the flash data/file in my design just enough to put off the casual hacker.

But I think you already have everything to hack it. Good luck but let us know how it goes.

Chris31 · 05-11-2006, 02:13 PM

Quote: Originally Posted by archimense

It just means I have to desolder a few pins and not fry anything.

You wont fry anything if you are careful with your approach.

You only fry something when you get careless or lack of knowledge in circuit design.

archimense · 05-11-2006, 02:16 PM

Quote: Originally Posted by Chris31

What I meant was, its pointless dissasembling HEX when its encrypted, but since you are sure its not then go ahead and see what you can make out of it.

I would have thought they would have something read protected/encrypted in the design. Its a common practice for me atleast to read protect and encrypt the flash data/file in my design just enough to put off the casual hacker.

But I think you already have everything to hack it. Good luck but let us know how it goes.

So far I haven't seen anything in the code that would lead me to believe it is encrypted. The maps I have found also do not show any sort of encryption. So it looks like I am lucky.

I assume they just thought that it is sufficiently difficult to do that no one would bother. I know they couldn't use the hardware read/write protection on the processor due to the way the code is organized in memory.

I'll let you know if it works, or if I blow something up trying to get the internal ROM. At least I already have the external ROM.

BassBinDevil · 05-15-2006, 09:12 PM

Does this processor support JTAG or OSLINK?

Or could you just chuck the OEM computer and install a Megasquirt?
http://www.bgsoflex.com/megasquirt.html

archimense · 05-16-2006, 01:30 AM

It doesn't support either of those protocols. I wish it were that easy.

I could go stand alone, but part of the value of doing this is doing it to the stock computer. Since that is the one that is already in all of these cars.

BassBinDevil · 05-16-2006, 01:59 AM

Well, back to your original question... overpowering the address bus ~probably~ doesn't cause things to explode. I remember reading about a gizmo called something like the python that used a bunch of paralleled chips to override the address bus so the memory of a computer running copyprotected games could be dumped. This would have been in the Apple ][ days.
Then again, who else would be driving the address pins but the microprocessor? So it really should be safe.