AJ27 Firmware Patching (Jaguar AJ27 specific)
Simple modifications to an AJ27 ECU firmware file can be made using Ghidra. Modification of target instructions or memory values can be identified, and alter...
Posts by Tag
ECU
AJ27 Reflash Tool Part 2 (Jaguar AJ27 specific)
This post complements the previous post on an Arduino canbus adaptor for Jaguar AJ27 ECU, and describes a Java implementation of the following processes: ...
AJ27 Reflash Tool Part 1 (Jaguar AJ27 specific)
As analyzed in previous posts, the Jaguar AJ27 ECU can be reflashed using Canbus commands. In order to send these commands and receive the responses, a canbu...
Analyzing reflash routines Part 4 (Jaguar AJ27 specific)
The previous two posts analyzed the canbus commands implemented by CPU1 TPU bootcode, and how to use them to load the 5k byte “MainBoot” program into CPU1 R...
Analyzing reflash routines Part 3 (Jaguar AJ27 specific)
In the last post we analyzed the behavior of the TPU bootcode for both processors, and the procedure to ‘unlock’ CPU1 phase 2 canbus commands, using a securi...
Analyzing reflash routines Part 2 (Jaguar AJ27 specific)
In the last post we established that CPUs boot into the TPU EEPROM area on reset, and then continue to execute if the flash communications port and flash pro...
Analyzing reflash routines Part 1 (Jaguar AJ27 specific)
In the last post, we created a Motorola BDM interface to extract code/data from both processors TPU EEPROM, SLIM area (overall processor configuration), and ...
Extracting firmware code part 2
In order to operate the BDM interface via an Arduino, as introduced in the previous post, there are a number of processes that need to be coded. To recall, v...
Extracting firmware code part 1
Whilst analyzing an ECU is important, it is of limited value without the ability to modify code and data. Most ECUs can be re-programmed, but the procedure i...
Diagnostic Trouble Codes (DTCs)
Tracing the code supporting the OBD2 Diagnostic Trouble Codes (DTCs) can help provide more insights on which DTCs are supported, and also on the identity of ...
Ghidra code emulation for mass air flow sensor analysis
From the previous post, we know from analysis of UDS service 22 that the Mass airflow sensor voltage reading is stored in variable 0xb0ad0 on IC501 (for firm...
OBD2 and UDS services over Canbus
A canbus message (ignoring for a moment multi-frame messages) can transmit/receive 8 data bytes. When requesting OBD2/UDS services over canbus the request...
Analyzing Canbus operation
Looking into the OBD2 implementation at an early stage is beneficial, since it can help identify key variables in the code. Mode 1 for reading current data w...
Analyzing a new firmware file - getting started
In this post, we will start to analyze an AJ27 CPU firmware file.
Annotating a firmware file in Ghidra
In this post, we will look into more detail of an AJ27 CPU firmware file. We will review how to add appropriate memory blocks and address labels to make the ...
Writing a Ghidra Loader
To create a loader in Ghidra, we will need to use the Eclipse IDE with GhidraDev installed (see post on “Writing a Ghidra processor specification part 1” for...
AJ27 Firmware Files
There are a few ways of obtaining a copy of the firmware from an ECU. One is to extract it directly from the ECU hardware, and there several techniques to do...
AJ27 Firmware Introduction
In order to analyze the firmware stored in the ECU, there are few things that have to be done Obtain a copy of the firmware code Use a tool to analyze t...
AJ27 ECU Hardware Schematic
In this post I will take a quick tour around the hardware schematic of the Jaguar AJ27 ECU to investigate some of the features, and provide a view of a mid/l...
Jaguar
AJ27 Firmware Patching (Jaguar AJ27 specific)
Simple modifications to an AJ27 ECU firmware file can be made using Ghidra. Modification of target instructions or memory values can be identified, and alter...
AJ27 Reflash Tool Part 2 (Jaguar AJ27 specific)
This post complements the previous post on an Arduino canbus adaptor for Jaguar AJ27 ECU, and describes a Java implementation of the following processes: ...
AJ27 Reflash Tool Part 1 (Jaguar AJ27 specific)
As analyzed in previous posts, the Jaguar AJ27 ECU can be reflashed using Canbus commands. In order to send these commands and receive the responses, a canbu...
Analyzing reflash routines Part 4 (Jaguar AJ27 specific)
The previous two posts analyzed the canbus commands implemented by CPU1 TPU bootcode, and how to use them to load the 5k byte “MainBoot” program into CPU1 R...
Analyzing reflash routines Part 3 (Jaguar AJ27 specific)
In the last post we analyzed the behavior of the TPU bootcode for both processors, and the procedure to ‘unlock’ CPU1 phase 2 canbus commands, using a securi...
Analyzing reflash routines Part 2 (Jaguar AJ27 specific)
In the last post we established that CPUs boot into the TPU EEPROM area on reset, and then continue to execute if the flash communications port and flash pro...
Analyzing reflash routines Part 1 (Jaguar AJ27 specific)
In the last post, we created a Motorola BDM interface to extract code/data from both processors TPU EEPROM, SLIM area (overall processor configuration), and ...
Extracting firmware code part 2
In order to operate the BDM interface via an Arduino, as introduced in the previous post, there are a number of processes that need to be coded. To recall, v...
Extracting firmware code part 1
Whilst analyzing an ECU is important, it is of limited value without the ability to modify code and data. Most ECUs can be re-programmed, but the procedure i...
Diagnostic Trouble Codes (DTCs)
Tracing the code supporting the OBD2 Diagnostic Trouble Codes (DTCs) can help provide more insights on which DTCs are supported, and also on the identity of ...
Ghidra code emulation for mass air flow sensor analysis
From the previous post, we know from analysis of UDS service 22 that the Mass airflow sensor voltage reading is stored in variable 0xb0ad0 on IC501 (for firm...
OBD2 and UDS services over Canbus
A canbus message (ignoring for a moment multi-frame messages) can transmit/receive 8 data bytes. When requesting OBD2/UDS services over canbus the request...
Analyzing Canbus operation
Looking into the OBD2 implementation at an early stage is beneficial, since it can help identify key variables in the code. Mode 1 for reading current data w...
Analyzing a new firmware file - getting started
In this post, we will start to analyze an AJ27 CPU firmware file.
Annotating a firmware file in Ghidra
In this post, we will look into more detail of an AJ27 CPU firmware file. We will review how to add appropriate memory blocks and address labels to make the ...
Writing a Ghidra Loader
To create a loader in Ghidra, we will need to use the Eclipse IDE with GhidraDev installed (see post on “Writing a Ghidra processor specification part 1” for...
AJ27 Firmware Files
There are a few ways of obtaining a copy of the firmware from an ECU. One is to extract it directly from the ECU hardware, and there several techniques to do...
AJ27 Firmware Introduction
In order to analyze the firmware stored in the ECU, there are few things that have to be done Obtain a copy of the firmware code Use a tool to analyze t...
AJ27 ECU Hardware Schematic
In this post I will take a quick tour around the hardware schematic of the Jaguar AJ27 ECU to investigate some of the features, and provide a view of a mid/l...
AJ27
AJ27 Firmware Patching (Jaguar AJ27 specific)
Simple modifications to an AJ27 ECU firmware file can be made using Ghidra. Modification of target instructions or memory values can be identified, and alter...
AJ27 Reflash Tool Part 2 (Jaguar AJ27 specific)
This post complements the previous post on an Arduino canbus adaptor for Jaguar AJ27 ECU, and describes a Java implementation of the following processes: ...
AJ27 Reflash Tool Part 1 (Jaguar AJ27 specific)
As analyzed in previous posts, the Jaguar AJ27 ECU can be reflashed using Canbus commands. In order to send these commands and receive the responses, a canbu...
Analyzing reflash routines Part 4 (Jaguar AJ27 specific)
The previous two posts analyzed the canbus commands implemented by CPU1 TPU bootcode, and how to use them to load the 5k byte “MainBoot” program into CPU1 R...
Analyzing reflash routines Part 3 (Jaguar AJ27 specific)
In the last post we analyzed the behavior of the TPU bootcode for both processors, and the procedure to ‘unlock’ CPU1 phase 2 canbus commands, using a securi...
Analyzing reflash routines Part 2 (Jaguar AJ27 specific)
In the last post we established that CPUs boot into the TPU EEPROM area on reset, and then continue to execute if the flash communications port and flash pro...
Analyzing reflash routines Part 1 (Jaguar AJ27 specific)
In the last post, we created a Motorola BDM interface to extract code/data from both processors TPU EEPROM, SLIM area (overall processor configuration), and ...
Extracting firmware code part 2
In order to operate the BDM interface via an Arduino, as introduced in the previous post, there are a number of processes that need to be coded. To recall, v...
Extracting firmware code part 1
Whilst analyzing an ECU is important, it is of limited value without the ability to modify code and data. Most ECUs can be re-programmed, but the procedure i...
Diagnostic Trouble Codes (DTCs)
Tracing the code supporting the OBD2 Diagnostic Trouble Codes (DTCs) can help provide more insights on which DTCs are supported, and also on the identity of ...
Ghidra code emulation for mass air flow sensor analysis
From the previous post, we know from analysis of UDS service 22 that the Mass airflow sensor voltage reading is stored in variable 0xb0ad0 on IC501 (for firm...
OBD2 and UDS services over Canbus
A canbus message (ignoring for a moment multi-frame messages) can transmit/receive 8 data bytes. When requesting OBD2/UDS services over canbus the request...
Analyzing Canbus operation
Looking into the OBD2 implementation at an early stage is beneficial, since it can help identify key variables in the code. Mode 1 for reading current data w...
Analyzing a new firmware file - getting started
In this post, we will start to analyze an AJ27 CPU firmware file.
Annotating a firmware file in Ghidra
In this post, we will look into more detail of an AJ27 CPU firmware file. We will review how to add appropriate memory blocks and address labels to make the ...
Writing a Ghidra Loader
To create a loader in Ghidra, we will need to use the Eclipse IDE with GhidraDev installed (see post on “Writing a Ghidra processor specification part 1” for...
AJ27 Firmware Files
There are a few ways of obtaining a copy of the firmware from an ECU. One is to extract it directly from the ECU hardware, and there several techniques to do...
AJ27 Firmware Introduction
In order to analyze the firmware stored in the ECU, there are few things that have to be done Obtain a copy of the firmware code Use a tool to analyze t...
AJ27 ECU Hardware Schematic
In this post I will take a quick tour around the hardware schematic of the Jaguar AJ27 ECU to investigate some of the features, and provide a view of a mid/l...
Ghidra
AJ27 Firmware Patching (Jaguar AJ27 specific)
Simple modifications to an AJ27 ECU firmware file can be made using Ghidra. Modification of target instructions or memory values can be identified, and alter...
Analyzing reflash routines Part 4 (Jaguar AJ27 specific)
The previous two posts analyzed the canbus commands implemented by CPU1 TPU bootcode, and how to use them to load the 5k byte “MainBoot” program into CPU1 R...
Analyzing reflash routines Part 3 (Jaguar AJ27 specific)
In the last post we analyzed the behavior of the TPU bootcode for both processors, and the procedure to ‘unlock’ CPU1 phase 2 canbus commands, using a securi...
Analyzing reflash routines Part 2 (Jaguar AJ27 specific)
In the last post we established that CPUs boot into the TPU EEPROM area on reset, and then continue to execute if the flash communications port and flash pro...
Analyzing reflash routines Part 1 (Jaguar AJ27 specific)
In the last post, we created a Motorola BDM interface to extract code/data from both processors TPU EEPROM, SLIM area (overall processor configuration), and ...
Extracting firmware code part 2
In order to operate the BDM interface via an Arduino, as introduced in the previous post, there are a number of processes that need to be coded. To recall, v...
Extracting firmware code part 1
Whilst analyzing an ECU is important, it is of limited value without the ability to modify code and data. Most ECUs can be re-programmed, but the procedure i...
Diagnostic Trouble Codes (DTCs)
Tracing the code supporting the OBD2 Diagnostic Trouble Codes (DTCs) can help provide more insights on which DTCs are supported, and also on the identity of ...
Ghidra code emulation for mass air flow sensor analysis
From the previous post, we know from analysis of UDS service 22 that the Mass airflow sensor voltage reading is stored in variable 0xb0ad0 on IC501 (for firm...
OBD2 and UDS services over Canbus
A canbus message (ignoring for a moment multi-frame messages) can transmit/receive 8 data bytes. When requesting OBD2/UDS services over canbus the request...
Analyzing Canbus operation
Looking into the OBD2 implementation at an early stage is beneficial, since it can help identify key variables in the code. Mode 1 for reading current data w...
Analyzing a new firmware file - getting started
In this post, we will start to analyze an AJ27 CPU firmware file.
Annotating a firmware file in Ghidra
In this post, we will look into more detail of an AJ27 CPU firmware file. We will review how to add appropriate memory blocks and address labels to make the ...
Writing a Ghidra Loader
To create a loader in Ghidra, we will need to use the Eclipse IDE with GhidraDev installed (see post on “Writing a Ghidra processor specification part 1” for...
AJ27 Firmware Files
There are a few ways of obtaining a copy of the firmware from an ECU. One is to extract it directly from the ECU hardware, and there several techniques to do...
Writing a Ghidra processor specification part 3
More on addressing modes
Writing a Ghidra processor specification part 2
Following on from part1 of creating a Sleigh spec for 68HC16, the next task is the representation of the CPU instruction set.
Writing a Ghidra processor specification part 1
To analyze 68HC16 code using Ghidra, we need to write a processor specification in Ghidra’s SLEIGH language. The first step is to assemble to software tools ...
AJ27 Firmware Introduction
In order to analyze the firmware stored in the ECU, there are few things that have to be done Obtain a copy of the firmware code Use a tool to analyze t...
68HC16
Analyzing a new firmware file - getting started
In this post, we will start to analyze an AJ27 CPU firmware file.
Annotating a firmware file in Ghidra
In this post, we will look into more detail of an AJ27 CPU firmware file. We will review how to add appropriate memory blocks and address labels to make the ...
Writing a Ghidra Loader
To create a loader in Ghidra, we will need to use the Eclipse IDE with GhidraDev installed (see post on “Writing a Ghidra processor specification part 1” for...
AJ27 Firmware Files
There are a few ways of obtaining a copy of the firmware from an ECU. One is to extract it directly from the ECU hardware, and there several techniques to do...
Writing a Ghidra processor specification part 3
More on addressing modes
Writing a Ghidra processor specification part 2
Following on from part1 of creating a Sleigh spec for 68HC16, the next task is the representation of the CPU instruction set.
Writing a Ghidra processor specification part 1
To analyze 68HC16 code using Ghidra, we need to write a processor specification in Ghidra’s SLEIGH language. The first step is to assemble to software tools ...
AJ27 Firmware Introduction
In order to analyze the firmware stored in the ECU, there are few things that have to be done Obtain a copy of the firmware code Use a tool to analyze t...
Sleigh
Writing a Ghidra processor specification part 3
More on addressing modes
Writing a Ghidra processor specification part 2
Following on from part1 of creating a Sleigh spec for 68HC16, the next task is the representation of the CPU instruction set.
Writing a Ghidra processor specification part 1
To analyze 68HC16 code using Ghidra, we need to write a processor specification in Ghidra’s SLEIGH language. The first step is to assemble to software tools ...
AJ27 Firmware Introduction
In order to analyze the firmware stored in the ECU, there are few things that have to be done Obtain a copy of the firmware code Use a tool to analyze t...
Canbus
Diagnostic Trouble Codes (DTCs)
Tracing the code supporting the OBD2 Diagnostic Trouble Codes (DTCs) can help provide more insights on which DTCs are supported, and also on the identity of ...
OBD2 and UDS services over Canbus
A canbus message (ignoring for a moment multi-frame messages) can transmit/receive 8 data bytes. When requesting OBD2/UDS services over canbus the request...
Analyzing Canbus operation
Looking into the OBD2 implementation at an early stage is beneficial, since it can help identify key variables in the code. Mode 1 for reading current data w...
OBD2
Diagnostic Trouble Codes (DTCs)
Tracing the code supporting the OBD2 Diagnostic Trouble Codes (DTCs) can help provide more insights on which DTCs are supported, and also on the identity of ...
OBD2 and UDS services over Canbus
A canbus message (ignoring for a moment multi-frame messages) can transmit/receive 8 data bytes. When requesting OBD2/UDS services over canbus the request...
BDM
Extracting firmware code part 2
In order to operate the BDM interface via an Arduino, as introduced in the previous post, there are a number of processes that need to be coded. To recall, v...
Extracting firmware code part 1
Whilst analyzing an ECU is important, it is of limited value without the ability to modify code and data. Most ECUs can be re-programmed, but the procedure i...
Loader
Writing a Ghidra Loader
To create a loader in Ghidra, we will need to use the Eclipse IDE with GhidraDev installed (see post on “Writing a Ghidra processor specification part 1” for...
DTC
Diagnostic Trouble Codes (DTCs)
Tracing the code supporting the OBD2 Diagnostic Trouble Codes (DTCs) can help provide more insights on which DTCs are supported, and also on the identity of ...