RomRaider

Hi,
well, it took me > 2 years, and I didn't expect to spend so much time on this, but I finally wrote a reflashing kernel for Consult-II (approx MY99 - MY10, maybe even later too?) ECUs that communicate through the OBD K line.
I literally spent thousands of hours reverse engineering stock ROMs to figure out the steps required to transfer and execute code on the ECU, without needing to open the case. Of course everyone who followed the >10 page thread ( viewtopic.php?f=45&t=10897 ) is now well aware of the process.

Then I wrote a kernel for reflashing - something I really wanted to avoid, from the beginning - and I think it could be a tremendous help to the tuning community. As Shuher and AK_Eyes can confirm, writing a kernel is not trivial P-)

Because of the ridiculous, insane amount of work that I've put in this (see that thread; the commit logs of freediag since 2014; the wiki @ https://nissanecu.miraheze.org/wiki/Main_Page , etc), I just can't give away my kernel for free. What I want to do however is release it under GPL3, including
- complete source code of course
- linker script and Makefile ( a lot of trial and error went into these for reliable compilation !!)
- startup asm code that makes the kernel 100% independant of the location in RAM where it gets copied (this varies between ROMs)

The project is designed to be compiled with a GNU gcc-sh toolchain (free, crossplatform, OSS), instead of Renesas' "shc" compiler which is not cross-platform, and a bit finnicky to get working reliably.

The kernel uses a mostly iso14230-compliant protocol, which is well defined and pretty simple. So far I have added a few "nisprog" commands to freediag for this. kernel SIDs include
-reset ECU
-read from ROM/RAM/external EEPROM (standard SID 0x23, and faster SID 0xBD @5.4kB/s !)
-write to RAM (SID 0x3D)
-erase FLASH block
-write FLASH chunk

So, the deal is :
- I have kernel code that can save everybody a *lot* of work
- I'm not giving it away for free

so, I want to set up some kind of crowdsourcing (maybe with "stretch goals" ? I have a few ideas). I may post it in the classified section to respect this forum's rules.

Or, if I suddenly get a few generous donations, the project might just appear on github P-)

Following
Really appreciate the enormous work you have done on this, and will donate when you get all the finale details in place.
Don't know if you have had time to look at my dump but do you think the kernel should work on it ?
or did nissan do something special to protect this ecu ?

You should put a link / comment in the other thread pointing to this, took me a while to notice it

Regards
Spawn

Hey fenugrec,

I've been lurking on the forums watching the progress. I'll gladly chip in to support your hard work.

Some background on me. I make open source hardware for CAN hacking and just picked up another Z and would like to do some ecu hacking!

Sounds promising - what tool are you referring to? Is there git repo with FW/schematics?

Actually, the hardest part is already done by fenugrec and shared with all who is interested with - the way to upload and execute your custom code on the ECU.
The rest is a typical boot-loader creation task, quite common for the guy with embedded programming experience Or you may encourage fenugrec financially to share his product (I won't be sharing mine because it's just ugly )

BTW, does this mean that your car's ECU is not K-Line but CAN-type (I mean the interface which responds to OBD diagnostics requests)? If so - there is still much to figure out, the way to upload and execute code for CAN-type ECUs is not found yet - we just looking for the solution here at the moment.

Nissan-like Subaru ecu's allow the kernel to be downloaded since 2008.
I suppose this is the same for Nissan's unit.

Sasha_A80 Yes, if you know the proper SID command sequence for it. For K-Line ECUs fenugrec have figured this out and there is at least 2 different kernels written, tested and used for reflash via K-Line. But this doesn't work for CAN-type Nissan ECUs.

And, as for the moment it seems that the only person interested with CAN kernel upload is me, and as you can remember from my research of EEPROM code inside Nissan ROMs - I am kind of a noob in IDA analysis (even though I made a big progress since then) - the solution will not come soon...

!!!!! !!!!! I never thought I'd see the day that this could get released! Haha jk. I will be donating regardless of whether or not I ever get my kernel to do something. I know how much time fenugrec has spent on this (easily > 2000 hours....) and how much progress he has made for the open source community. Firmware analysis is not an easy task at all!

As far as the kernel goes... I had a little previous experience writing code in high level languages and didn't really have any low level/embedded systems experience before this project. I've found that writing a kernel even when you know the location of everything is NOT EASY! (also take into consideration this is an "easier" task than accessing RAMJump)

If you have a lot of experience with low level programming (i.e. Shuher) than its probably doable, but from my experience I have spent hours and hours learning about how MCU's work and still haven't been successful in writing a useful kernel.

Awesome Job!!!

@Shuher You are not alone my friend!

I really wish I had a device like Osirus or Ecutek handy so I could log and reverse engineer the flashing process.

Hi,
just a small update, I've had encouraging discussions with the people @ https://www.crowdsupply.com/
so that's probably where I'll host this. I'll post the link here when the "campaign" gets started. I first need to kick myself and prepare screenshots and other "visual support", otherwise it'll look pretty boring P-)

I have a commercial software package that I'd be willing to log for someone. However I'm a bit green when it comes to that.

It will be really cool if you'll manage to get CAN-type Nissan ECU reflash process logged (I can suggest some if you tell me the ECU IDs of ones that you have or share some FW dumps so I can check it inside ROM).

As for logging - try this tool, section Used like a PassThru vehicle interface https://code.google.com/archive/p/j2534-logger/
There is a pre-compiled package available http://j2534-logger.googlecode.com/files/j2534-logger.msi

Just post somewhere here resulting log file.

I'm working on getting this compiled to work with the software that I'm using, however I'm going to need some help. We'll see what happens.

All right, things are happening real soon - the pre-launch page is up now on CrowdSupply :
https://www.crowdsupply.com/nisprog/reflashing-kernel

The actual campaign should be up within a few days, stay tuned !

Nice

Subscribed @ CrowdSupply...

/Spawn

Subscribed!