Re: Updating GM EBCM Checksum
Posted: Thu Mar 25, 2021 6:16 am
by RADustin
Gatecrasher wrote: Mine wasn't obvious. I traced the pins back to vias and soldered wires to those. My chip was a QFP package, so I was able to trace the pins out. I didn't have to remove any resistors to make it work.
That unpopulated 14 pin pad near the main connector looks promising.
any tips on finding the right pads?
I checked a few I thought were right...but just checking with a DMM I'm not exactly sure what I'm looking for. I have a 4 channel scope, but again I'm not exactly sure how to confirm a pad or via is a function.
JTAG is always in the same order, correct?
TCK
TDI
TDO
TMS
TRST?
Re: Updating GM EBCM Checksum
Posted: Thu Mar 25, 2021 6:34 am
by RADustin
thinking I could reflow the board and pluck the BGA chip off. Then map out the board to find the pad locations or vias that will work that way....on another unmodified board.
edit- can probably just grind/sand the chip off carefully. map out what I need to on the 'throw away' board. then hook up on a good board and dump it- hopefully, and if those ball numbers are correct.
BUT I would need the pinout of the chip. All I can find on this specific chip is this-
https://www.ti.com/lit/ds/symlink/tms47 ... 470R1VF67A
so if we believe those ball numbers are correct then maybe that will work???
Re: Updating GM EBCM Checksum
Posted: Fri Mar 26, 2021 11:26 pm
by Gatecrasher
The TI sheet was spot on for my chip. I don't see why that one would be inaccurate.
I'd use heat to pull the chip. If you're going to sacrifice the board anyway, just use a regular heat gun. Blast the chip for a minute or two and then just pluck it off.
Re: Updating GM EBCM Checksum
Posted: Sat Mar 27, 2021 1:18 am
by Gampy
Curious as to what temperature one would use ??
Re: Updating GM EBCM Checksum
Posted: Mon Mar 29, 2021 1:04 pm
by RADustin
Gampy wrote: Curious as to what temperature one would use ??
low setting on my heat gun got it up.
mapping pins out now.
Re: Updating GM EBCM Checksum
Posted: Mon Mar 29, 2021 2:19 pm
by RADustin
here we are.
The only strange thing is when this board was running I investigated these pads and found CPU voltage (3.2 volts) at TMS and TDI and I found 40k ohms to ground at TDO and TCK and 8k ohms to ground at TRST. With the CPU removed from the board (and a few resistors, whoops) I no longer have ground at any of the pins. I'll keep investigating but I guess my concern is the board or CPU has something configured to disable the JTAG pins by bringing them high or low...but I'm not sure what the JTAG pins should be at in a 'normal' or 'idle' state.
Re: Updating GM EBCM Checksum
Posted: Tue Mar 30, 2021 3:35 am
by RADustin
Gatecrasher wrote: The TI sheet was spot on for my chip. I don't see why that one would be inaccurate.
I'd use heat to pull the chip. If you're going to sacrifice the board anyway, just use a regular heat gun. Blast the chip for a minute or two and then just pluck it off.
bootloader attached.

[edit- removed as it was missing a byte.]
The chip accepts mode23 requests after you gain control with device control seed/key. Found device control seed/key by dumping the EEPROM (also attached). Verified that at 0x4000 the OS starts coming out and at 0x70000 is the cal. So this should complete the whole chip dump.
Hopefully this checksum can be mapped???
Re: Updating GM EBCM Checksum
Posted: Tue Mar 30, 2021 10:45 am
by Tazzi
Ooooooooooooo This is exciting!!
Interesting to hear you were able to read quite a bit of memory with mode23 after using the engineering seed/key unlock, that's certainly a game changer on a lot of modules.
Re: Updating GM EBCM Checksum
Posted: Tue Mar 30, 2021 11:56 am
by RADustin
Tazzi wrote: Ooooooooooooo This is exciting!!
Interesting to hear you were able to read quite a bit of memory with mode23 after using the engineering seed/key unlock, that's certainly a game changer on a lot of modules.
It really is exciting. Any address within the CPU was able to be read. It's just really slow so I just dumped the area I needed after verifying the addresses lined up and such. It makes me want to pull back out some other modules I've messed with in the past and see how they operate under the service device unlock...but then you have to know the key to the seed as well. Got lucky here, but all I know so far is the algo for device control seed/key isn't one of the ones used for the normal security that was hacked from the tech2. And every device may be different. I couldn't be sure without trying more stuff.
I'm going to continue the path of getting JTAG set up though. My hope is to get that running and use it as a backup as I'm fairly sure the checksum won't even matter if I go in thru JTAG. I still want to get the checksum figured out to prevent any potential issues after several run cycles and such like I've seen happen with the Volkswagen crowd, but at least I can confirm my byte location for the change I need to make. And I can confirm this in parallel while hopefully finding some help in assembly for the algo. Really hoping the bootloader is the missing piece and now the assembly makes sense and has completed routines.
Also, with the TMS chip off the board, I confirmed the CAN transceivers only talk with the TMS chip. And the wheel speed sensors only talk with the Infineon chip. So the Infineon is definitely handling the lower level more maintenance items while the TMS chip is the brains of the operation. This has me confident the data I need to change to make my truck work is in fact located in the TMS chip and not the Infineon.
My next EBCM sample/victim doesn't come in until next Monday so I'm kind of dead in the water until then, unless the checksum algo is figured out before. But hopefully by Monday or Tuesday I'll have JTAG running.
Re: Updating GM EBCM Checksum
Posted: Thu Apr 01, 2021 12:11 pm
by Tazzi
RADustin wrote: Got lucky here, but all I know so far is the algo for device control seed/key isn't one of the ones used for the normal security that was hacked from the tech2.
Was this 2byte or 5byte?