RomRaider

RWD files are partial firmware updates (no bootloader probably to help prevent bricking the ECU if flashing is interrupted).
The firmware start address and length contained in the rwd file is kicked out by rwd-xray
I have the rwd file layout documented pretty well here (see firmware section for 0x5a specifically for the start address and length):
https://github.com/gregjhogan/rwd-xray#z-0x5a-format

Dont suppose you have any idea about the reading of the rom using 0x23(readAddressByMemory)
I wrote something that should do so. But i tried all 3 diagnostic modes, and can't get it to accept it. -.-
normal mode,
programming mode,
and extended diagnostic modes.
I get 0x23 0x33 for exended diag(Which i believe means security access denied) but im sending it 10ms after getting my unlock ack back.
Have any idea Greg?

Turns out that the 0x27 0x01 is incorrect to be able to use a SID23
You have to do 0x27 0x41 for that level of security to be opened.
Which the algorithm is entirely different.

I got that worked out earlier this evening and once i have writing figured out it will be time to start doing rom definitions.

If anyone is interested in helping with them please let me know.
i plan on making this all opensource soon

Here is a preview of some definitions for the 2008/2009 SI binaries.
Working hard on bringing this out. But still could use some help guys.

Pumping away at more binaries.
Today is S2000 day.
Should be compatible with All the AP2 ecus.


Next i need to look into the checksumming for the ecus i currently have.
So I will be attempting a write on the early ecus.

Got the files loading in the software we are writing this for.
Easily exports to Romraider definitions as well.

https://gyazo.com/16bf9f3d2963c1377663869e09c63271
^Gif

Here are a couple roms i have pulled or found online.

Now the only thing preventing me from writing back modified files, is the lack of encryption on the calibration files to send back.
I have the cipher that decodes them thanks to Greg, but no way to re-encrypt modified files.
This is literally the last thing i need. ( I already figured out the checksum algo for them)

And sorted it out. Now can officially read write 8th gen civics
https://m.facebook.com/story.php?story_ ... 4247490718

More coming sooooon

Hey, thanks for posting those binaries. Is there any information posted to help get setup with disassembly of the ROM for figuring out map logic? Per your note, I was able to get Ghidra to disassemble the S2000 bin by selecting the SH-2 variant. The decompiler is also a really nice luxury I'm not used to

Got any tips on which functions are used to look up table axis, values, etc.?

I realize I am way behind on this.



I assume the first 3 dwords are a 32-bit addresses for a 3D table? Is the rest of it to convert from hex to human-readable?

To be honest im not quite sure. I can't find the functions to look up tables i have data for.
You can look for a couple of my known tables.
All values are ushort Big Endian
Spark Advance VTEC OFF 0* VTC 14684 2D Inverse table 20x10 Multiply by .1 to get values
Map and RPM are at the end of all timing tables MAP is 10 long @ 15674 multiply by 0.013334 to get map values in KPA
Low Cam RPM 20 long @ 15624 no factor needed.

http://puu.sh/EXOow.png


Take a gander if you wish. i can't find the MAP scalar in the A140 calibration yet either.
The Checksum for the a140 roms are located at 0x8400(I can't find a reference for that in the roms either. I can find stuff near it, but not that value itself)

I guess an A140 rom would help as well.

All of this may have been mentioned earlier, so apologize for any repeats:

It seems even some functions are called by pointers.

And there are pointers to a group of 6 pointers which lead to tables. But it seems most of them are 'dormant'?

Attaching a screenshot (mostly for my own notes).

Yeah its super weird. Still trying to get a handle on things. i am just about done writing definitions for the A140 rom(Since its the latest updatable calibration for a majority of the USDM SI ecus.)

Glad to see this post being added to still! I've been following it since last year while doing a J32a2 v6 swap into my 2008 Honda Element and looking into options for tuning it (it is a 5-spd awd and the engine/ecu are from a base TL auto). I have been able to solve for that by acquiring an RDB ecu from a 2008 TL-TypeS (auto) and flashing the RDB 6-speed program onto it using a K-Tuner. The hardware is identical, so where before it would code for missing auto transmission sensors etc, once flashed with the 6-speed firmware it no longer looked for them.

Now that decoding firmwares from rwd files using rwd-xray is more and more possible, could that potentially lead to finding Honda/Acura specific PIDs for reading/writing data over the can bus?

To make a long story short, I've had to swap out parts from an Acura TL into the Honda Element. Some sensors are wired to devices that then broadcast the values over the can bus for things like the gauge cluster to pick up. My idea was to read things like the ambient temperature sensor using an arduino, and the broadcasting the values over the canbus to see if the cluster would go from "error" to showing the actual temperature. Additionally, since the TPMS system in my 08 Element is different than the 08 TL ECU and associated hardware, they dont talk. So i'd like to apply the same approach to reading the values of the Element TPMS hardware and broadcasting it over the canbus for the gauge cluster to pick up.

However - that would require me to know the PIDs associated with those values. Does anyone know where those might be in the firmwares?

I have a large amount of honda specific PGMFI PIDs. If you go into the disassembly check SID22 then the specific packets inside them.
in the SI 8th gens, its sent like 18,da,10,f1,22,26,10 gives you back a 57 byte packet that contains stuff like RPM, Final Timing, Map, Battery Voltage, IAT, ECT, AFM in G/rev

there is a lot of them that can be found. too bad you are using ktuner already, i am trying to get my hands on some J ecus so i can start writing definitions for them.