My bad, the FWE pin needs to be pulled low for write enable.
Attachment:
RTW-RWD-header.png
Here we have the header for a Honda J2534 reflash file.
I didn't mark all the areas, just enough to get across what to look for.
I'll be referring to sections by their hex addresses.
0x00 tells the reflash software what type of reflash this will be. 5A is for CAN based ECUs from what I can tell.
0x01 - 0x02 are a section boundary as far as I can see. 0D0A is used extensively in the K-Line reflash files, but only here on CAN reflash files.
From here to the flash start location at 0x8E each section has a two byte header.
The first byte is for how many objects are in this section, the second byte is for how many bytes(in hex) the next object is.
(Not sure what else to call them so I'll call them objects for now).
At 0x03 and 0x04 we have 01 and 01 so this section only contains one object at one byte long.
(I don't know the significance of the object and I've only ever seen 00 here.)
Section 2 (starts at 0x06) start with 01 and 04, so one object at 4 bytes long (01 F8 53 3E).
This is the CVN for this calibration.
Section 3 (0x0C) is the target CAN module address.
I've only had access to two different Honda ECUs but they both used 29bit CAN addresses(18DAF1XX), so the software will be looking for a module responding with 18DAF110.
Section 4 (0x0F) has all the Calibration versions in the program family up to this current version.
The program version shows up twice in a full dump as far as I've seen, once somewhere before 0x7FFF and once after.
The one before 0x7FFF will be of the initial program version, 37805-RTW-A010 in this case.
Section 5 (0x65) This one is an unknown but it does show up twice in a full dump, usually near the program version.
Maybe a hardware family identifier?
Section 6 (0x89) This is also an unknown but it gets passed over CAN just prior to "Request Download" as a "Write By Identifier" F101.
I have multiple traffic captures from third party software where the same calibration is being downloaded but this WBI is different and so are the scrambled bytes.
The Honda software doesn't do this though, it uses the same value each time and the scrambled calibration is the same each time.
This leads me to believe it is implicated in the scrambling process.
The next 8 bytes starting at 0x8E are the start address (0x00008000) and download size (0x000F8000) of the calibration.
These are used in the "Request Download" UDS message.
The rest of the file (0x96 and on) until the last 4 bytes are the scrambled calibration.
I'm unsure what the last 4 bytes are but they don't appear in the raw flash so maybe a checksum.
This probably won't be immediately useful as the meat of the J2534 reflashing still needs reversed (SID27 algo and what not) and also the calibration checksums.
If I get the calibration checksums and scrambling worked out I have half a mind to roll my own RWD reflash file as a POC before moving on to a from scratch reflash program.