Analyzing reflash routines Part 1 (Jaguar AJ27 specific)
In the last post, we created a Motorola BDM interface to extract code/data from both processors TPU EEPROM, SLIM area (overall processor configuration), and ...
Posts by Year
2025
Extracting firmware code part 2
In order to operate the BDM interface via an Arduino, as introduced in the previous post, there are a number of processes that need to be coded. To recall, v...
Extracting firmware code part 1
Whilst analyzing an ECU is important, it is of limited value without the ability to modify code and data. Most ECUs can be re-programmed, but the procedure i...
Diagnostic Trouble Codes (DTCs)
Tracing the code supporting the OBD2 Diagnostic Trouble Codes (DTCs) can help provide more insights on which DTCs are supported, and also on the identity of ...
2024
Ghidra code emulation for mass air flow sensor analysis
From the previous post, we know from analysis of UDS service 22 that the Mass airflow sensor voltage reading is stored in variable 0xb0ad0 on IC501 (for firm...
OBD2 and UDS services over Canbus
A canbus message (ignoring for a moment multi-frame messages) can transmit/receive 8 data bytes. When requesting OBD2/UDS services over canbus the request...
Analyzing Canbus operation
Looking into the OBD2 implementation at an early stage is beneficial, since it can help identify key variables in the code. Mode 1 for reading current data w...
Analyzing a new firmware file - getting started
In this post, we will start to analyze an AJ27 CPU firmware file.
Annotating a firmware file in Ghidra
In this post, we will look into more detail of an AJ27 CPU firmware file. We will review how to add appropriate memory blocks and address labels to make the ...
Writing a Ghidra Loader
To create a loader in Ghidra, we will need to use the Eclipse IDE with GhidraDev installed (see post on “Writing a Ghidra processor specification part 1” for...
AJ27 Firmware Files
There are a few ways of obtaining a copy of the firmware from an ECU. One is to extract it directly from the ECU hardware, and there several techniques to do...
Writing a Ghidra processor specification part 3
More on addressing modes
Writing a Ghidra processor specification part 2
Following on from part1 of creating a Sleigh spec for 68HC16, the next task is the representation of the CPU instruction set.
Writing a Ghidra processor specification part 1
To analyze 68HC16 code using Ghidra, we need to write a processor specification in Ghidra’s SLEIGH language. The first step is to assemble to software tools ...
AJ27 Firmware Introduction
In order to analyze the firmware stored in the ECU, there are few things that have to be done Obtain a copy of the firmware code Use a tool to analyze t...
AJ27 ECU Hardware Schematic
In this post I will take a quick tour around the hardware schematic of the Jaguar AJ27 ECU to investigate some of the features, and provide a view of a mid/l...