crystal_imprezav wrote: They power glitch 27 01 on the E41. So it would appear there is no need to try 27 03.
While you might get the ECU to accept unencrypted/uncompressed, I would suspect that may take a lot of code change. IIRC everything but the bootloader is stored encrypted/compressed in the flash and is decoded in RAM. There is no way to send a loader to it in order to try and read and write, therefore the only way you would probably be able to accomplish this is to spend even more time trying to glitch the unique BAM passwords, but this won't work on MPC5777C ECUs like the E99. If anyone has a full global-a or global-b dump with the bootloader I could probably get a much better idea.
The bootloader is the first part of code loaded. The CPUs do not support decryption on the fly from saved embedded memory, otherwise they would have done this with the entire operating system/calibrations. This kind of memory feature can be seen in things such as the ESP32, where they can actually decrypt the firmware/instructions from the saved flash on the fly; it does have a specific name but I cannot remember exactly.
You can read the bootloader using basic commands; this region is not locked. Unfortunately, reading the shadow RAM (where the passwords that lock the processor are stored) is locked.
Now, with this all said, things I would look into:
1) Decompile the bootloader to understand every single last routine. There will likely be engineering/admin based functions/commands to take advantage of (there will be tens of thousands of opcodes to go through). This is where the understanding of the recovery methods that have been taken advantage of so far has come from.
2) Begin dumping RAM addresses and see if any look like functions being saved into RAM. The reason for this is that if a routine is saved into RAM, it can easily be overwritten with basic commands to have a custom routine injected; it's just a matter of knowing what the routine is to trigger it.
3) Perform a 2703 and then test out every single DID read, along with dumping RAM addresses (including testing shadow) to see what else is unlocked.
Power glitching would have been the entry model if the passwords were all the same, but I believe this was also confirmed on the BAM series that the passwords differ each time. Making a perfect bench setup to attach a specific ECU every single time could potentially work, but if/when the CPU is put on the inside of the circuit board where it would require a huge amount of work to get to, or the units are sealed like they did with the E92... it no longer becomes viable.
Personally I'd start with 2703, simply because it doesn't take much, and at least knocks one off the table.
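The thread talks about SecurityAccess (UDS service 0x27) attempts such as 27 01 and 27 03 against the ECU. From the defender's side, the same traffic is what you would review when checking whether a unit has been subjected to repeated unlock attempts. The following is an added example, not code from the thread or from any ECU vendor: it parses a small, constructed diagnostic log (tester on CAN ID 7E0, ECU responding on 7E8, both assumed) and counts seed requests, key attempts and the negative response codes the ECU returned, flagging the session when the ECU's own lockout counter (NRC 0x36/0x37) or repeated invalidKey rejections show up.

```python
"""Defender-side triage of UDS SecurityAccess (0x27) traffic.

Added example, not from the original thread. The log lines below are
constructed by hand; the CAN IDs 7E0/7E8 are the conventional UDS
request/response pair and are an assumption, not something the thread states.
"""
from dataclasses import dataclass, field

SECURITY_ACCESS = 0x27
NEGATIVE_RESPONSE = 0x7F
# Negative response codes (ISO 14229) an ECU can return to a SecurityAccess attempt.
NRC_NAMES = {
    0x35: "invalidKey",
    0x36: "exceededNumberOfAttempts",
    0x37: "requiredTimeDelayNotExpired",
}

# Constructed log: "<dir> <can_id> <hex bytes>", dir is TX (tester->ECU) or RX (ECU->tester).
SAMPLE_LOG = """\
TX 7E0 27 01
RX 7E8 67 01 11 22 33 44
TX 7E0 27 02 00 00 00 00
RX 7E8 7F 27 35
TX 7E0 27 01
RX 7E8 67 01 55 66 77 88
TX 7E0 27 02 DE AD BE EF
RX 7E8 7F 27 36
TX 7E0 27 03
RX 7E8 7F 27 37
TX 7E0 22 F1 90
RX 7E8 62 F1 90 31
"""


@dataclass
class AccessStats:
    seed_requests: int = 0                          # 27 xx, odd subfunction (requestSeed)
    key_attempts: int = 0                           # 27 xx, even subfunction (sendKey)
    rejected: list = field(default_factory=list)    # NRC names, in log order
    levels_seen: set = field(default_factory=set)   # requestSeed levels observed


def parse_line(line):
    """Split one log line into (direction, payload bytes)."""
    direction, _can_id, *hexbytes = line.split()
    return direction, bytes(int(b, 16) for b in hexbytes)


def analyse_security_access(log_text):
    """Walk the log and tally SecurityAccess requests and ECU rejections."""
    stats = AccessStats()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        direction, payload = parse_line(raw)
        if direction == "TX" and len(payload) >= 2 and payload[0] == SECURITY_ACCESS:
            sub = payload[1] & 0x7F  # drop the suppressPosRspMsgIndication bit
            if sub % 2 == 1:
                stats.seed_requests += 1
                stats.levels_seen.add(sub)
            else:
                stats.key_attempts += 1
        elif (direction == "RX" and len(payload) >= 3
              and payload[0] == NEGATIVE_RESPONSE and payload[1] == SECURITY_ACCESS):
            stats.rejected.append(NRC_NAMES.get(payload[2], f"NRC_0x{payload[2]:02X}"))
    return stats


def is_suspicious(stats, max_rejections=2):
    """True when the ECU has started throttling (0x36/0x37) or when key
    attempts were rejected at least max_rejections times."""
    lockout = any(n in ("exceededNumberOfAttempts", "requiredTimeDelayNotExpired")
                  for n in stats.rejected)
    return lockout or len(stats.rejected) >= max_rejections


if __name__ == "__main__":
    s = analyse_security_access(SAMPLE_LOG)
    print(f"seed requests={s.seed_requests} key attempts={s.key_attempts} "
          f"levels={sorted(s.levels_seen)} rejected={s.rejected} "
          f"suspicious={is_suspicious(s)}")
```

The point of separating seed requests from key attempts is that a legitimate tool normally issues one seed request per level followed by one accepted key; a run of seed requests with rejected keys, or the ECU answering with exceededNumberOfAttempts, is the pattern a lockout counter exists to surface.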