RomRaider

Hello all!

Is there any tunability when it comes to EEPROM? So I did an EEPROM dump (accidentally made it like 1500x larger than it needed to be, but it just kept dumping the same data over and over again so no big deal lol) and all I can see really is the VIN. I think I remember seeing people say some immobilizer stuff is there too (probably keys?) but is there anyway to flash the EEPROM? I have the VIN write RAM parameters defined, and I know that consult can rewrite the VIN as well. So it would seem that you would somehow be able to rewrite / reflash the EEPROM. Just maybe not in the typical fashion? It would make sense to ME if you just had to specify the eep write port (if that’s even a thing ) But I know that the EEPROM crap is complex. I do have an Arduino UNO, but all I can remember is potentially seeing people bench flash the EEPROM on other ECU's.

On top of this, what’s the actual size of the EEPROM that we should be dumping? When I started at 0x0000, it dumped three lines of weird code and missed the first three lines that the repeated blocks had. So I’m not quite sure what size I should specify normally.

Lastly, I made an oopsie and set the eepr location to the FUNCTION location instead of the eepr location, and this resulted in the kernel failing from a rxr dump thing. It was weird because it immediately killed the fans and everything. What would cause the kernel to seemingly fault out rather than just throw an error and keep running? Every other flash / dump failure I've encountered has resulted in Nisprog just throwing an error and the kernel to keep functioning as usual. So for the fans to cut out due to setting the eepr address to the function itself instead of the right address is quite interesting.

Multiple ways indeed.

- direct write to the IC, by desoldering or with a clip / adapter; while probably holding the mcu in reset

- for certain parameters (like VIN and immo keys), AFAIK the factory tools do this via certain SIDs, I have in mind 0x31 "startRoutine" etc. Only briefly looked a while ago and didn't find out much. I haven't heard of any generic "write raw data to eeprom" SID in the stock ROMs.

- via npkern, conditional to some very minor code additions that I vaguely recall Shuher had done and tested at one point ? basically implementing the converse of "eep_read" where the kernel calls the low-level function, provided by the ROM, that does the actual writing to the eeprom IC. Of course this method requires to know where the _read and _write functions are in the ROM.



Depends on the ECU, they use different EEPROM ICs. A few variants are shown https://nissanecu.miraheze.org/wiki/Ecu_hw


npkern has no way of knowing if you gave it a wrong address... it'll just call whatever function you give it ; if you get it wrong all bets are off.

Interesting. NDS2 is great for the key reprogramming, but the VIN reprogramming is definitely quite intriguing. But that's good to know that the VIN can be written through a SID parameter!