wjhumphreys
10th February, 2018, 05:49 PM
Hi all,
I work with a lot of (non car) reverse engineering projects so I’m not a complete beginner as such. Saying that I only have basic knowledge about car electronics (so to speak), ECU’s etc.
I’ve decided for completely academic reasons to attempt to reverse and get working an ECU on a bench. There is no end use for this ECU accept as a practice tool.
I have chosen this particular ECU as it was very cheap on eBay, its older so shouldn’t be too heavily protected and hopefully has a little more info available.
I do have a few questions though after some very brief Googling that hopefully can be answered and save me a little time.
This is the ECU. All I know about it is that it came out of a Golf MK4 2.0L. (As written in white pen on the ECU). I know nothing more than this.
Photos:
https://i.imgur.com/i5UxWEv.jpg?1
https://i.imgur.com/N0dQUks.jpg?2
https://i.imgur.com/XpyNVLb.jpg?2
https://i.imgur.com/rV5A2w0.jpg?2
1. What is this ECU generally referred to as or named? I see lots of references to names like ECD15 and suchlike, but I don’t seem to be able to find any similar reference to this one. This is simply so its easier to Google for more information
2. Does a circuit diagram exist?
3. Does a pinout diagram exist?
4. There seem to be premade bench plugs on eBay for ECD15 etc. Is there one for this ‘model’?
5. Are there other types of document / info I should be aware of or need?
The circuit board contains among other things a AN87C196KR 16K 16 bit microcontroller
http://pdf.datasheetcatalog.com/datasheet_pdf/intel/AN87C196JQ_to_AN87C196KR.pdf
and a AM29F200 Flash Memory
https://www.mouser.com/ds/2/100/spansion%20inc_am29f200b_eol_21526d7-1161251.pdf
I’m assuming the flash memory is where the firmware is stored.
A 24c02 EEPROM
https://www.engineersgarage.com/sites/default/files/Serial%20EEPROM%2024C02.pdf
1. Can this firmware be read (or obtained else ware) through the OBD port or does the chip need to be removed a read in a reader.
2. Will IDA PRO read this image and if so what setting does IDA need as I assume you need to know some sort of mapping.
3. What ODB software and hardware are good (doesn’t have to be the best relative to price) for accessing this device. I keep seeing reference to a piece of software called MPPS and CmdFlash.
I figured a good first experiment would be to try and extract the key fob algorithm from the ECU as I already know mostly what it is so hopefully it should be an easy goal.
I have ordered “The car hackers handbook” from Amazon so hopefully that will help.
And basically, anything I’ve missed, or could do with knowing really.
If anybody can help it would be greatly appreciated.
I work with a lot of (non car) reverse engineering projects so I’m not a complete beginner as such. Saying that I only have basic knowledge about car electronics (so to speak), ECU’s etc.
I’ve decided for completely academic reasons to attempt to reverse and get working an ECU on a bench. There is no end use for this ECU accept as a practice tool.
I have chosen this particular ECU as it was very cheap on eBay, its older so shouldn’t be too heavily protected and hopefully has a little more info available.
I do have a few questions though after some very brief Googling that hopefully can be answered and save me a little time.
This is the ECU. All I know about it is that it came out of a Golf MK4 2.0L. (As written in white pen on the ECU). I know nothing more than this.
Photos:
https://i.imgur.com/i5UxWEv.jpg?1
https://i.imgur.com/N0dQUks.jpg?2
https://i.imgur.com/XpyNVLb.jpg?2
https://i.imgur.com/rV5A2w0.jpg?2
1. What is this ECU generally referred to as or named? I see lots of references to names like ECD15 and suchlike, but I don’t seem to be able to find any similar reference to this one. This is simply so its easier to Google for more information
2. Does a circuit diagram exist?
3. Does a pinout diagram exist?
4. There seem to be premade bench plugs on eBay for ECD15 etc. Is there one for this ‘model’?
5. Are there other types of document / info I should be aware of or need?
The circuit board contains among other things a AN87C196KR 16K 16 bit microcontroller
http://pdf.datasheetcatalog.com/datasheet_pdf/intel/AN87C196JQ_to_AN87C196KR.pdf
and a AM29F200 Flash Memory
https://www.mouser.com/ds/2/100/spansion%20inc_am29f200b_eol_21526d7-1161251.pdf
I’m assuming the flash memory is where the firmware is stored.
A 24c02 EEPROM
https://www.engineersgarage.com/sites/default/files/Serial%20EEPROM%2024C02.pdf
1. Can this firmware be read (or obtained else ware) through the OBD port or does the chip need to be removed a read in a reader.
2. Will IDA PRO read this image and if so what setting does IDA need as I assume you need to know some sort of mapping.
3. What ODB software and hardware are good (doesn’t have to be the best relative to price) for accessing this device. I keep seeing reference to a piece of software called MPPS and CmdFlash.
I figured a good first experiment would be to try and extract the key fob algorithm from the ECU as I already know mostly what it is so hopefully it should be an easy goal.
I have ordered “The car hackers handbook” from Amazon so hopefully that will help.
And basically, anything I’ve missed, or could do with knowing really.
If anybody can help it would be greatly appreciated.