Puma ECU, how hard can it be?

[FridgeFreezer]

Looks like hex coding to me, similar to what is in a BIOS chip on a PC. Knowledge, end of.

You can view anything as a hex dump though - it could be a picture of a kitten viewed in hex...

[CwazyWabbit]

I'd say they are the maps, there's another more populated one further up in the code.

There are just shy of 1400 functions in the code when disassembled.

[CwazyWabbit]

You can view anything as a hex dump though - it could be a picture of a kitten viewed in hex...

That kitten would be mostly black ......

[elbekko]

Interesting that function names seem to be preserved.

Which program are you using for looking at that? Just a hex editor?

[CwazyWabbit]

I think that's just a text label for the map, I've had a browse in a hex editor which reveals a few things however if you chuck it in IDA Pro and disassemble it with a target processor of Siemens Super10 it seems to do a particularly good job of disassembly. It shows 1360 functions but without preserved naming.

There's a copyright statement in there dated 2001 which strikes me as quite old.

EDIT: I see what you mean about function naming now, that's just IDA Pro trying to make an informative label to the text string.

[CwazyWabbit]

The VIN for the vehicle this came from seems to be plastered all over the place in the data dump, having also read the information that BAS posted on Defender2 it seems it's also stored in the instrument cluster. That's at least two more places the police can look to identify a stolen vehicles real identity.

[elbekko]

Interesting. I loaded it up in TunerPro, using the 3D graph tool I can't really see any areas that look like a fuel map. Is there another memory chip on the board?

Is it 16 bit or 32 bit? Couldn't really find much about a Siemens Super10 in a quick Google search.

[CwazyWabbit]

The actual chip is an ST10F276 which I've stuck a link to the datasheet of on post 23. It's a 16 bit CPU with DSP capabilities apparently.

The content of the dump contains the actual firmware that is running on the CPU as well as what I believe to be the MAPS. Give us a minute and I'll split the maps out into seperate files if that helps.

[CwazyWabbit]

This link might contain one of the maps https://drive.google.com/file/d/0B6XKpDGw3BjiOHBkcUt4Q0VsVzA/view?usp=sharing or I may have clipped it in the wrong place so who knows. Eventually I'll find some references in the code to actually define them properly

[CwazyWabbit]

I forgot to add the ECU is made by this lot 'Copyright 2001 Visteon Corporation'

[simonr]

i know a man who probably can, who is currently re writing the rule book on how to map TD5s & finding new limits, Unfortunatley he isnt on here

He's one of the few people who made me feel a bit 'hard of thinking'! Despite that - I liked him a lot!

Well done Barry - this is a great endeavor. While Puma's are too expensive for the likes of us at the moment, it will not always be the case. I love the idea of a vehicle that is hackable from both a Software & Mechanical point of view.

Most of my reverse engineering has ended up with getting frustrated then 'reverse engineering' it with a hammer!

Si

[Happyoldgit]

Great to see this here, I'll be following it with interest. As you know I've had several Puma's since owning an early 2007 one from new and currently have a 2.2.

[CwazyWabbit]

I'll be honest and say I have no idea where this will lead to, however I have access to tools that aren't cheaply available to everyone (through work) so I will try my best to set the information free.

[elbekko]

I'm very interested in the process! Obtaining the tools isn't that hard on "the internet" (the software side, at least), but knowing how to use them is a different thing altogether.

[CwazyWabbit]

If you were perchance to have access to IDA Pro which supports what appears to be this processor you can in this case just open the binary and choose the correct processor type, it will then ask a load of other questions which in this case you can leave the default answers to (normally on a binary dump that doesn't often work, on 'normal' executables IDA works out everything for you).

Anyway it will then whizz off and start the disassembly, IDA works by actually following all the possible execution paths to disassemble the code and to avoid attempting to disassemble data, this can result in it missing a few parts, it is however the best disassembler out there and is pretty much the industry standard for this work.

It will then probably ask if you want to use proximity view (dependent on age of your version), say no to that, graph view is handy though (which it should default to). Another tip is under general settings turn on auto comments, it will then tell you what each mnemonic actually means which is useful if you aren't familiar with that processor type.

[CwazyWabbit]

PS A good way to learn IDA is to write something very simple in C and compile it, then disassemble it and you can begin to see how your program looks in assembly language and start to match up the constructs.

[elbekko]

If you were perchance to have access to IDA Pro which supports what appears to be this processor you can in this case just open the binary and choose the correct processor type, it will then ask a load of other questions which in this case you can leave the default answers to (normally on a binary dump that doesn't often work, on 'normal' executables IDA works out everything for you).

Anyway it will then whizz off and start the disassembly, IDA works by actually following all the possible execution paths to disassemble the code and to avoid attempting to disassemble data, this can result in it missing a few parts, it is however the best disassembler out there and is pretty much the industry standard for this work.

It will then probably ask if you want to use proximity view (dependent on age of your version), say no to that, graph view is handy though (which it should default to). Another tip is under general settings turn on auto comments, it will then tell you what each mnemonic actually means which is useful if you aren't familiar with that processor type.

I tried that yesterday, in IDA Pro 6.5, but it just told me it couldn't find an entry point, even after selecting the Siemens Super 10. Apart from a few tiny bits, not much readable assembly code.

I've done some x86 assembly before, so I do somewhat know what it looks like

[CwazyWabbit]

Really? I'm currently running 6.8 but I'll dig out 6.5 and give it a go.

EDIT: Interestingly 6.6 and above seem to work correctly for this binary and result in finding 1360 functions as opposed to 6.5 that stalls after finding 38 functions

[elbekko]

Ah, that explains. I'll have to have a look around then

[Nigelw]

I keep reading through this thread, after page 1 it gets blurry, but so long as you have the tools and skills, crack on, I, in the mean time, will stick to welding

[retromatic]

Hey guys where did you get to in this endeavor? 

[CwazyWabbit]

This unfortunately stalled, most likely because of some other project getting in the way. 

I may take another look ar it, see what has changed in the world of IDA Pro in the last 8 years (currently it's at version 8.3)