MicroHacker Forum

Are you sure that the VBF contains data up to FFFF_FFFF?
I have checked the 3 blocks in the VBF and they are only up to FFFE_0000 and the vector table is from FFFF_FFDC.
Below are the starting adresses + length of the block = ending address:
FFF4_0000 + 794D0 = FFFB_94D0
FFFB_9868 + 4B98 = FFFB_E400
FFFD_FFD8 + 28 = FFFE_0000

Anyway I was trying to load the bin in Ghidra but there is no support for the R32C.. I have found on github plugin for the M16C which should be the whole family including the R32C but it still did not recognize any code. Only programs that support it are IDA and Binary ninja but both paid

Here you are, mate. Attached the full readout of a FL BCM (XK-Type with full features).

DGAlexandru wrote: ↑17 Jan 2024, 17:11 Well... not exactly...
In the Data space most probabbly is also at least some part of the IMMO algorithm.

I see, very interesting!
If it's time i would love to talk with you about KVM keyless module.

Go4IT wrote: ↑17 Jan 2024, 22:26 Here you are, mate. Attached the full readout of a FL BCM (XK-Type with full features).

Thank you, I have loaded everything to IDA and it immediately disassembled (most of) the code but unfortunately there is no pseudocode decompiler for this architecture
The e2 and data flash does not seems to contain any code but in the main fw there is code + data past the FFFB_94D0 up to FFFF_FFFF.
There are also mapped the SFR so you can see those 3 CAN channels and each having 32 mailboxes and what code is using those registers but I dont know how to utilize that yet as the IDA interface is kind of cumbersome.
So the next step would be to find handling of something like UDS or usage of some other register that the algorithm needs?

Maybe if someone has code of the pre 2010 algorithm I might try to translate it to R32C assembly and then look for similar instruction sequence in the facelift FW.

Hey, what do you think about a shared/live hack session on my slack channel? Should i invite you and we arrange a date and time?