Hacking up Honda's ECU
All times are UTC - 5 hours [ DST ]

 Post subject: RWD Info
Posted: Fri Aug 03, 2007 3:27 pm
I have not been able to post this thread in the proper forum; if it proves useful I'm sure it will be used.

Additionally I have been continually frustrated by the forum's forbidden word filter. I have gone over the list twice and cannot find what word I am using in my post that is forbidden.

This is incredibly aggravating. I am trying to post newly uncovered information concerning the format of the RWD file headers and at every turn I am being prevented from doing so.

 Post subject:
Posted: Fri Aug 03, 2007 6:06 pm
About the 2006 model year ECUs:

A backdoor is NOT possible. Why, you might ask? Well, before I tackled the ungodly mess that Teradyne calls a Diagnostic System I tried to get an idea of the hardware I was dealing with. Remember I chose to be a Computer Engineer instead of a Computer Scientist; I like working with microcontrollers. Well, guess what: the ECUs in the FG1 and FG2 Civics are now sealed shut with an epoxy with similar characteristics to JB Weld. I broke my favorite screwdriver trying to pry the two halves apart. The strength of the epoxy is actually greater than that of the aluminum the case is made out of. What progress I did make in trying to remove the cover was mostly from deforming the metal. I stopped short of cutting the ECU open with an abrasion wheel because I would still like to drive my car when all this is done.

Time to break down the front door:

With the back door securely barricaded I think it is high time we kicked in the front door. Being a Free Software Foundation zealot (I should show you all my pictures of me protesting the launch of Vista) I am more than willing to put in the time and effort necessary to free ourselves of corporate software.

I am not focusing on the inner workings of HIM or of any other interface device because we already have a universal data transmission protocol in J2534. Additionally, my research so far has uncovered that the HIM is actually a J2534 compliant device and J2534 API dlls are included in the HDS install. My goal is to reverse engineer Honda's proprietary system for distributing ECU firmware updates. As some have already discovered, this is done through the .rwd file type. Reverse engineering these files will allow us instant access to firmware for all Honda ECUs. It will also allow us to use Honda's software to help us speed up the development process. If we can create our own .rwd files, then we can use the existing libraries and hardware to transfer these changes to the ECU.

How the .rwd system works:

Honda distributes their firmware in what they call "Program File Databases". Each database contains several master database files that contain listings of each "Program File" (a .rwd file) and information concerning its intended application. This includes car model, year, engine, transmission, ECU revision, etc. To be honest I have spent very little time studying the master database files so far. Once I fully crack the .rwd format I will spend more time looking at them.

The .rwd headers:

There are two types of .rwd files handled by the software. One appears to be a legacy version and the other a more recent version. I have only focused on the more recent version for now.

As of this week I have successfully identified the format of most of the .rwd file headers for the more recent version. It is as follows:

All newer .rwd files begin with the same three-byte magic number:

0x5A, 0x0D, 0x0A

Following these three bytes are exactly 7 structures of the following format:

Byte 0: Number of structure members
Byte 1: Size of first member
Byte 2,x: Data of first member
Byte x+1: Size of second member
Byte (x+1),y: Data of second member

Each of the 7 structures carries a specific set of data. I am not sure as to the exact contents of each at this time as not all of them are referenced by the software but these are my best guesses:

Structure 1: 1 member of null length (reserved or not used at this time)
Structure 2: 1 member of length 0x04 (unknown)
Structure 3: 1 member of length 0x01 (unknown)
Structure 4: multiple members of length 0x10 (ProgramIDs *char)
Structure 5: multiple members of length 0x06 (SystemIDs int)
Structure 6: 1 member of length 0x03 (RevisionID? *char)
Structure 7: null

There are always the same number of ProgramIDs and SystemIDs. They are the only two values I have seen referenced by the software so far and are used to ensure that the proper Program File has been selected.

This is where my knowledge of the .rwd format comes to an end. In the headers there are two more values that are common to all files of the newer type but I have not yet identified their use. The two values are both QUADWORDS that begin with 0x8000. The first QUADWORD is usually 0x8000000F but I have also seen 0x80000007. The second QUADWORD is different for every file but always begins with 0x8000. An example value is 0x80006E4E. There is a possibility that these are encryption keys or file offsets. Which brings me to my final point.

Encrypted or not encrypted:

When I first began working on these files I immediately dismissed the claims that these files were encrypted in any way. Having dabbled in cryptography and read several books on the subject I knew that files were not encrypted in a modern form of cryptography because too many patterns were easily visible. However, the most recent batch of code I have looked at has made me change my mind. I'm still working on exactly what it does, but it appears to take data from the file heap and process it in a very simple way. The code contains a large number of compiler optimizations and advanced opcodes that I have to look up so it could take some time to completely decipher, but there is the possibility that the .BIN is encrypted with a basic substitution cypher (like a Caesar shift).

More to come. Any input is greatly appreciated.
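
The header layout described in the post above, as an added example that is not part of the original post or of Honda's software: a Python parser with bounds checks that walks the three-byte magic and the 7 structures, then reports deviations from the member sizes the post lists. It assumes "null" for structure 7 means a member count of zero; the function names and the sample bytes are constructed for illustration.

```python
MAGIC = bytes([0x5A, 0x0D, 0x0A])
STRUCT_COUNT = 7
# Member sizes the post reports for structures 2-6 (1-based numbering).
EXPECTED_SIZES = {2: 0x04, 3: 0x01, 4: 0x10, 5: 0x06, 6: 0x03}

class RwdFormatError(ValueError):
    """Input does not follow the header layout described in the post."""

def parse_rwd_header(blob):
    """Return (structures, offset): 7 lists of member byte strings and the
    offset of the first byte after the last structure."""
    if blob[:3] != MAGIC:
        raise RwdFormatError("missing 0x5A 0x0D 0x0A magic")
    pos, structures = 3, []
    for number in range(1, STRUCT_COUNT + 1):
        if pos >= len(blob):
            raise RwdFormatError(f"structure {number}: no member count")
        count, pos = blob[pos], pos + 1
        members = []
        for _ in range(count):
            if pos >= len(blob):
                raise RwdFormatError(f"structure {number}: no size byte")
            size, pos = blob[pos], pos + 1
            if pos + size > len(blob):
                raise RwdFormatError(f"structure {number}: member overruns file")
            members.append(blob[pos:pos + size])
            pos += size
        structures.append(members)
    return structures, pos

def check_layout(structures):
    """List deviations from the sizes and counts observed in the post."""
    problems = [f"structure {n}: member length {len(m)}, expected {size}"
                for n, size in EXPECTED_SIZES.items()
                for m in structures[n - 1] if len(m) != size]
    if len(structures[3]) != len(structures[4]):
        problems.append("ProgramID and SystemID counts differ")
    return problems

def build_struct(*members):
    # Build one structure: member count, then (size byte, data) per member.
    return bytes([len(members)]) + b"".join(bytes([len(m)]) + m for m in members)

# Constructed sample header (not taken from a real .rwd file).
SAMPLE = (MAGIC + build_struct(b"") + build_struct(b"\x00\x00\x00\x01")
          + build_struct(b"\x01")
          + build_struct(b"PROGRAM-ID-00001", b"PROGRAM-ID-00002")
          + build_struct(b"\x00" * 5 + b"\x01", b"\x00" * 5 + b"\x02")
          + build_struct(b"A01") + build_struct() + b"\xAA\xBB")  # 2 stand-in payload bytes

if __name__ == "__main__":
    parsed, offset = parse_rwd_header(SAMPLE)
    print(offset, check_layout(parsed))
```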

 Post subject: Re: RWD Info
Posted: Fri Nov 06, 2009 11:23 am

Joined: Fri Aug 14, 2009 6:20 pm
Posts: 2
Has there been any further development or discovery on this? I have been doing research as well on 09+ .RWD files.

 Post subject: Re: RWD Info
Posted: Thu Feb 26, 2015 3:52 pm

Joined: Thu Feb 12, 2015 4:24 pm
Posts: 1
I know this is a dead topic, but I've been looking at this lately. Here are my observations:

The RWD has a text header (0x0D, 0x0A is newline - return aka \r\n). The header contains some part numbers, and some other stuff I haven't really paid much attention to.
The text section ends with a NULL character (\0). After that is the ROM image with some sort of encryption/encoding.

It looks like each byte of the image is represented by 4 bytes. I tried some simple XORing of the 4 bytes but have yet to come out with a correct output.

I'm focusing on the 1st gen RSX's PRB ROM. The RWD is just over 512K. The amount of flash present in the RSX ECU is 192K, and I believe the upper 64K is used for holding tables (or possibly not even used), while the lower 128K is the program/OBD code. This matches up with the 4 encoded bytes for every actual byte (128K * 4 = 512K).

I suspect there are other RWDs for programming the tuning tables based on specific model differences (i.e. different headers, cams etc.), but they may share the same program code.

From staring at the ROM for hours, you can see the first 76H(*4) bytes are the vector jump tables of the MCU.

That's about as far as I got.

I'm pretty sure there are people on this forum who have cracked this puzzle. I'd love to hear from any of you. Even a PM would be nice.
