RomRaider

Hi Guys,

Im Dirk, new here

Im workng on a SH72546RFCC. trying to read it with AUD.

I also tried JTAG and Can-bus but Jtag is blocked with key code and CAN-bus does not cover all my needs.

I have a big problem. I cant get the AUD to work. Tried several commercial tools to read, none of them seem to work.

please trust me when i say i connected it in the right way

Can AUD be disabled in the MCU (some register perhaps) or this something hardcoded?

Can this be undone?

//Dirk

AUD may be routinely disabled inside the code.
Look section 29.3.1 Standby Control Register (STBCR) MSTP2 control bit.

Thanks for the tip!

So basically if the clock supply is halted to AUD-II there is no chance to communicate.

Is this realistic, did someone face this before on a OEM ecu?

Are these registers editable or only when you have access with AUD/JTAG/CAN or whatever?

//Dirk

Denso ecu code usually has AUD configurable and disabled in the engine code and enabled within primary CAN bootloader.

I cant really understand what you mean by that, can you clearify?

You are saying :

-Configurable and disabled in engine code. (what memory range do you refer to as engine code?)

-Enabled within primary CAN bootloader (I have both primary and secondary CAN bootloader, how can I verify this?)

What about the Standby control register H'FFFE0400? I will try to read this as well

//Dirk

Obsolete Denso ecu has

- primary CAN bootloader at 0x000:0xFFF with AUD enabled
- secondary k-line (up to MY06) or CAN ( MY07+ ) bootloader at 0x1000:0x1FFF with AUD disabled AUD
- ecu control code at 0x2000:0x7FFFF ( SH7055F and SH7055S ) or 0x2000:0xFFFFF ( SH7058 and SH7058S ) with AUD disabled

OK so its enabled in primary bootloader

and disabled in the other 2 parts normally for these subaru`s.

Whats the effect of this? Can one read by AUD or not in the above case?

Find the way to upload and start your own kernel for ecu dump.
This is the most common way to hack the hidden ecu code.

Yes I have succeeded that with SH72543R but not on SH72546RFCC

The SH7246RFCC Im working with does not acccept secondary bootloader and the whole calibration is signed with a complicate RSA.

Also the primary bootloader is not writeable by CAN-bus and like mentioned before AUD seems blocked, and JTAG has password.

In other words: im pretty stuck.

Can I somehow verify if AUD is really blocked? measure some voltage or clock frequency?

If the AUD clock is halted can I use another clock for reading? I see some tools use extra WDT signal, what is the theory behind that ?(besides the fact it seems to be against a sudden reset of ecu)

Verify whether or not AUD control pins are in high Z-state.
Most probably they are because AUD is stopped.
You can not activate AUD outside the chip.
WDT is for a supervisor circuit that resets the ecu otherwise.

If you have the way to modify and download the ecu code:
- add your own kernel and modify reset sequence to start your code or simply to configure AUD enabled.
- the same way you may deactivate RSA signature and modify ecu calibrations.

Thanks a lot!

I have done RSA deactivation in the past sucessfully with different ecus ,however this is not yet succeeded with this ecu.


Ok so i will try to check if pins are in high z state, which pins? any AUDdate line or MD or reset? Can I not just look with a scope at AUDCK?

Is this the same to check if Jtag is disabled?

Test TDO for JTAG, test AUDCK for AUD Trace Mode or AUData responce for RAM Monitoring Mode.
Try AUD with corrupt calibrations flashed. AUD may be enabled in primary bootloader.

Tnx mate!!!

I only tested with no calibration in it yet, I will test it with a full functional ECU as well.

//Dirk

I have another almost similar ECU of which I can read the Standby control register STBCR @ address H'FFFE04.

With this ECU its simply 0000 0000 0000 0000 , meaning nothing is blocked, which is good

STBCR location is FFFE0400 and should be read as a byte or a word.
Most probably your software returns 0 instead of any correct value.
Ecu code uses to shadow stack and register area.