JTAG(ish) access to IPC V850
- Gatecrasher
- Posts: 285
- Joined: Sat Apr 25, 2020 6:09 am
JTAG(ish) access to IPC V850
I can't believe this worked. My pinout was right and my horrible ghetto wiring actually worked. I've got full flash, memory and CPU register access. It dumps the full flash in seconds.
This is a donor board from a GM 8 inch LCD cluster. I don't know if this can be done with generic JTAG or not. Everything I'm using right now is the proprietary Renesas tools. I think my next step is going to be to rebuild this around a nicer jig that can be used with an intact cluster, and then see about getting JTAG access to the IMX processor that runs the LCD. I think that can be done with a Segger J-link.
Re: JTAG(ish) access to IPC V850
Gatecrasher wrote:
> I can't believe this worked. My pinout was right and my horrible ghetto wiring actually worked. I've got full flash, memory and CPU register access. It dumps the full flash in seconds.
> This is a donor board from a GM 8 inch LCD cluster. I don't know if this can be done with generic JTAG or not. Everything I'm using right now is the proprietary Renesas tools. I think my next step is going to be to rebuild this around a nicer jig that can be used with an intact cluster, and then see about getting JTAG access to the IMX processor that runs the LCD. I think that can be done with a Segger J-link.

It's actually nice seeing a decompile of the V850E2 that doesn't have errors/missing opcodes! Does it allow you to debug the processor and step through the opcodes 1 by 1?
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site: https://www.envyouscustoms.com
Mob: +61406 140 726
- Gatecrasher
Re: JTAG(ish) access to IPC V850
Yep! I haven't figured out exactly how to do that yet, but the step and breakpoint functions are all there.
Ghidra has been pretty damn close so far. I've been working off of recombined SPS files up to now. This will let me double check Ghidra and give me access to the memory and registers as well. I've got the boot block now too.
I wonder just how interchangeable all these Visteon clusters are at a hardware level. It looks like they used the same basic hardware for every 2014-2019 Global A cluster with an 8" LCD in it.
Re: JTAG(ish) access to IPC V850
Gatecrasher wrote:
> Yep! I haven't figured out exactly how to do that yet, but the step and breakpoint functions are all there.
> Ghidra has been pretty damn close so far. I've been working off of recombined SPS files up to now. This will let me double check Ghidra and give me access to the memory and registers as well. I've got the boot block now too.
> I wonder just how interchangeable all these Visteon clusters are at a hardware level. It looks like they used the same basic hardware for every 2014-2019 Global A cluster with an 8" LCD in it.

The Renesas chip is basically the CAN bus parser. It finds all required CAN bus information and also writes frames when requested from the iMX processor. So I believe they used fairly standardised firmware between them, as it would simply need to be told to search for specific CAN IDs and have the ability to send off frames when requested.

I had a hell of a time trying to write a bootloader to custom read/write some of the Renesas chipsets. Since the newer ones have no datasheet to go off of, you kinda need to step through the code until you see it fire off a CAN frame to find the required registers, and start mapping addresses to the previous V850 series to identify what they are.
Your Local Aussie Reverse Engineer
- Gatecrasher
Re: JTAG(ish) access to IPC V850
The V850 does CAN, power control, backlighting, and the analog gauges and indicators. The IMX handles the LCD, MOST, LIN bus, and HUD.
The Dx4 series has been close enough to the Fx4 series that I've been able to find all the registers I need. But obviously "close enough" won't cut it when you're trying to write something like a kernel.
CS+ ships with definition files for 77 different V850s. They're not in plain text, but they're close. It has register locations, along with a ton of other stuff I haven't figured out. I only just got it loaded up today, and I've barely glanced at this stuff. It was just dumb luck that I saw a reference to the file in the UI and decided to check it out.
Here's an example from DF3524.800. There's the register name in plain text, FCN0GMCSPRE (FlexCAN0 global clock selection register), and then the register address a little later: FF480008.
These are installed at C:\Program Files (x86)\Renesas Electronics\CS+\CACX\Device\V850E2\Devicefile.
It might be worth figuring out how to parse those definition files and translate them into Ghidra scripts to label the registers.
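One way to act on that idea, as an added example that is not code from this thread, from Renesas or from the Ghidra project: a Python 3 script that heuristically scans a CS+ device file for NUL-terminated upper-case register names followed within a few bytes by a 32-bit little-endian address in the V850E2 peripheral window, and emits a Ghidra Jython script that labels each address with createLabel(). The file layout, the peripheral address window and the name pattern are assumptions drawn only from the one example quoted above (FCN0GMCSPRE at FF480008); the sample blob is constructed, and the real DF3524.800 will almost certainly need the heuristics adjusted.

```python
"""
Heuristic scanner for Renesas CS+ device-definition files (e.g. DF3524.800)
that emits a Ghidra Python (Jython) script labelling the registers it finds.
Assumptions are marked below; the real file layout is not documented here.
"""
import re
import struct
import sys
from typing import Dict

# ASSUMPTION: register names look like FCN0GMCSPRE: upper-case letters/digits,
# 4..24 characters, stored NUL-terminated in the binary file.
NAME_RE = re.compile(rb"([A-Z][A-Z0-9_]{3,23})\x00")

# ASSUMPTION: on-chip peripheral registers sit at the top of the address
# space; the one address quoted in the thread (0xFF480008) falls in here.
PERIPH_LO, PERIPH_HI = 0xFF400000, 0xFFFFFFFF

# ASSUMPTION: the address is stored little-endian (V850 is little-endian)
# and appears within this many bytes after the name's terminating NUL.
SEARCH_WINDOW = 32


def scan_device_file(blob: bytes) -> Dict[str, int]:
    """Return {register_name: address} for every candidate name that is
    followed, inside SEARCH_WINDOW bytes, by a 32-bit value in the
    peripheral window. The first plausible address wins; names with no
    address nearby are dropped, so unrelated strings produce no label."""
    found: Dict[str, int] = {}
    for m in NAME_RE.finditer(blob):
        name = m.group(1).decode("ascii")
        window = blob[m.end():m.end() + SEARCH_WINDOW]
        # Alignment inside the file is unknown, so try every byte offset.
        for off in range(0, len(window) - 3):
            (val,) = struct.unpack_from("<I", window, off)
            if PERIPH_LO <= val <= PERIPH_HI:
                found.setdefault(name, val)
                break
    return found


def ghidra_script(regs: Dict[str, int]) -> str:
    """Render a Ghidra Jython script. toAddr() and createLabel(addr, name,
    makePrimary) are FlatProgramAPI methods available to Ghidra scripts."""
    lines = ["# Generated: label V850E2 peripheral registers from a CS+ device file", ""]
    for name, addr in sorted(regs.items(), key=lambda kv: kv[1]):
        lines.append("createLabel(toAddr(0x%08X), %r, True)" % (addr, name))
    return "\n".join(lines) + "\n"


def build_sample_blob() -> bytes:
    """Constructed stand-in for a slice of a device file: name, NUL, a little
    filler, then the little-endian address. Not the real DF3524.800 layout."""
    def entry(name: str, addr: int, filler: bytes) -> bytes:
        return name.encode("ascii") + b"\x00" + filler + struct.pack("<I", addr)

    return (
        b"\x01\x02junk\x00"                              # non-matching noise
        + entry("FCN0GMCSPRE", 0xFF480008, b"\x00\x10")  # the thread's example
        + entry("FCN0GMCTRL", 0xFF480000, b"\x02\x00\x00")
        + b"PLAINTEXT\x00\x00\x00\x00\x00"               # name, no address: ignored
    )


if __name__ == "__main__":
    # Usage: python cs_devfile_to_ghidra.py DF3524.800 > label_regs.py
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    sys.stdout.write(ghidra_script(scan_device_file(data)))
```

Run the generated script from Ghidra's Script Manager against the loaded V850 image; it is deliberately restricted to createLabel() so a false positive from the heuristic costs only a stray label, which is easy to spot and delete.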
- Gatecrasher
Re: JTAG(ish) access to IPC V850
I got the breakpoints and stepping working. This is so cool.
Re: JTAG(ish) access to IPC V850
Gatecrasher wrote:
> I got the breakpoints and stepping working. This is so cool.

Your last two posts have made my day.
I know what my next purchase is going to be.
Your Local Aussie Reverse Engineer
- Gatecrasher
Re: JTAG(ish) access to IPC V850
FYI, you can download and install CS+ without the hardware if you just want the chip definition files. They mention licensing, but I haven't seen any prompts to enter anything. The debugger at least seems to just run without issue. I'll probably find out I'm running a 30 day trial right when I want to do something important.
https://www.renesas.com/us/en/software-tool/cs#download
CS+ for CA,CX v4.07
Re: JTAG(ish) access to IPC V850
Good stuff. V850 registers have been an exercise in frustration for me.
- Gatecrasher
Re: JTAG(ish) access to IPC V850
Decided to make this a little less ghetto. I took some measurements and 3D printed a pogo pin jig that fits into the back of the cluster housing. I'm pretty sure this is how Visteon would have programmed these during manufacture. I was really lucky that the PCB contacts used exactly the same spacing as generic perfboard.
It was tedious as hell getting this thing assembled without breaking the pogo pins. I'm even worse at CAD than I am at writing code, and there's enough slop in my printer that everything was a really tight fit. But somehow, miraculously, it actually works. I dumped another cluster without opening it. I've also got the serial console for the IMX chip hooked up and working. If I can get flash access to the IMX, this thing will be completely jailbroken.