- ECU part number - 33921-65J1
- Chip model - 64F7058F80
- OS - Ho7058 Operating System, Version 1.0.00.000 by Hitachi
- Get a KESS V2 device
- In their app, use Subaru's protocol 482 to read the rom
- Download and install Ghidra
- Open the binary dump
- Add SH7058 config from here, (use the generic 7058 configs, not the Nissan specific ones).
- Put this manual in
C:\Users\$USER\Downloads\ghidra_10.3.1_PUBLIC\Ghidra\Processors\SuperH4\data\manuals\rej09b0318_sh_4sm.pdf
- SH7058 datasheet
- Nisprog for reading/flashing Nissans - https://github.com/fenugrec/nisprog/blob/master/SubaruSIDs.txt
- Immo disable
- Maps change:
- Use ScoobyRom to find maps definitons. These can be exported for use in RomRaider.
- https://diysubaru.org/HowTo/using-scoobyrom
- https://nissanecu.miraheze.org/wiki/Tools
- https://evoscan.com/tech-articles/#Articles
- Get started with IDA and disassembly SH7058
- open port logging
- https://netcult.ch/elmue/hud%20ecu%20hacker/
- https://www.drive2.ru/l/567012375081779941/
canable.io or PCAN.
# If using SLCAN
sudo slcand -o -c -s6 /dev/ttyACM0 can0
sudo ip link set can0 up
sudo ip link set can0 txqueuelen 1000
# If using PCAN
sudo ip link set can0 up type can bitrate 500000
# Dump from CAN
candump -l can0
# Play to CAN
canplayer -I dashboardonoff-2023-6-9_9531.loghciconfig -a
sudo hciconfig hci0 up
sudo rfcomm bind rfcomm0 AA:BB:CC:11:22:33 # The address of your dongleListen to traffic
sudo socat -v /dev/rfcomm0,raw,echo=0,b38400 SYSTEM:'socat - "PTY,link=/dev/ttyS5,raw,echo=0,waitslave"'
# or
sudo socat -dddd /dev/rfcomm0,raw,echo=0 SYSTEM:'tee in.txt | socat - "PTY,link=/dev/ttyS3,raw,echo=0,waitslave" | tee out.txt'