DSM/ECU/Reverse Engineering
Jump to navigation
Jump to search
Example
Here is an example of record keeping of the components and PCB references I did on a 1.8l ECU I reversed as practice:
Exterior
-
ECU top -
ECU Exterior, Side
Top
MD159561 E2T33674E 0607 Mitsubishi Electric Corp. Japan
Side
9561 E2T33674E Mitsubishi Electric Corp. Japan
Interior
Processor
EPROM
- E924
PCB
BOM: DSM/ECU/JE331B988B
-
Board overview -
Copper traces of PCB -
Silkscreen -
Top layer photo -
Bottom layer photo
How-To
Hardware
- Obtain ECU
- Take external photographs
- Mostly for all the numbers and letters/the stickers
- Open ECU
- Remove PCB
- TAKE MORE PICTURES (before you touch anything else)
- The code on the plug socket
- The microprocessor
- The EPROM (if there is one)
- Any and all visible marking on components
- The ENTIRE board on BOTH sides
- RECORD all components with visible markings, decode resistor values
- This means a table with the PCB Silkscreen references and the components values
- ACETONE bath
- This is to remove all the conformal coating junk that interferes with reading markings AND the ability to probe, test, and desolder
- SCRUB with Toothbrush, Q-Tips
- PHOTOGRAPH and RECORD any newly visible information
- REMOVE any components with known values:
- Electrolytic capacitors can go first
- Then any ICs
- Resistors with the bands already decoded
- Connectors
- REMOVE components with unknown values ONE AT A TIME
- SMD Capacitors and Transistors are good examples
- Remove one, use the Multimeter and/or LCR meter to get values and RECORD them in the table
- Eventually you will be left with a BARE BOARD
- SPRAY and WIPE DOWN the bare PCB with WD-40 to clean up any remaining conformal coating and junk
- This preps the board for nice clear photographs
- PHOTOGRAPH both sides of the PCB
- Get ONE photo of EACH side of the PCB
- Flat
- In focus
- Dead-on photos with no perspective error
- Use a tripod
- Use lighting
- Use a remote shutter-release to eliminate shake from the image
Digitization
- Do color correction in darktable
- Import to GiMP and isolate the Silkscreen to generate a silkscreen layer
- Import into Inkscape to create a vector of the copper traces
- Use the last two steps to import into KiCad
- Recreate the PCB
- Create a schematic from the PCB
Result
- A BOM of sorts
- List of all the components, and their values and locations on the PCB
- A Schematic of the electrical connections
- A PCB layout
- Lots of photos
- ROM dumps of all ROM, Internal ROM and EPROM
- Disassembly of all ROM, Internal and External
Toolbox
Tools
- Screwdrivers
- Tweezers
- Solder
- Solder Sucker
- Solder Wick
- Soldering Iron
- SMD/Reflow Air Tool
- Chamois cloth
- Multimeter
- LCR Meter
Solvents
- Acetone
- 99% Isopropyl alcohol
- WD-40
- Flux
- Flux cleaner
- H2O
Camera
- DSLR
- Tripod
- Circular-polarized lens
- Remote shutter-release
- Lighting
Software
- Darktable
- GiMP
- Inkscape
- KiCad
| ' | MC09D | MB14B | EB23C | MB06B | Best Guess |
|---|---|---|---|---|---|
| FFAC | Instant return | Instant return | Entrypoint | Instant Return | |
| FFAE | RX_VECTOR | RX_VECTOR | Read SCI_CTL | RX vector | SCI_VECTOR |
| FFB0 | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFB2 | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFB4 | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFB6 | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFB8 | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFBA | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFBC | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFBE | SCI_TX | Instant return | Entrypoint | SCI_TX | ?RTI_VECTOR? |
| FFC0 | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFC2 | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFC4 | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFC6 | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFC8 | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFCA | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFCC | Instant return | Touches 0x0C | Entrypoint | Instant Return | T1_OUTCMP |
| FFCE | Reads 0x0E data register, manipulates PORT3 | Instant return | Entrypoint | 0x0E, Port3 | T1InputCapture |
| FFD0 | Also reads 0x0E data register, then a bunch of RAM stuff | Instant return | Peeks 0x0E, modified 0x0D, 0x0B, Ports | 0x0E, lots of RAM | T1InputCapture |
| FFD2 | Also reads 0x0E data register, and ands P3 with 0xFE | Touches 0x0E SCI_CTL and SCI_TX | Entrypoint | 0x0E, Port3 | T1InputCapture |
| FFD4 | Reads 0x0E, RAM stuff, Port3 | Touched 0x0E | Entrypoint | 0x0E, Port3 | T1InputCapture |
| FFD6 | Reads 0x0E, RAM stuff, Port3 | Touches 0x0E Port5 | Entrypoint | 0x0E, Port3 | T1InputCapture |
| FFD8 | Reads 0x0E, RAM stuff, Port3, Port1 | Touches 0x0E and 0x0C | Entrypoint | 0x0E, Port1, Port3 | T1InputCapture |
| FFDA | Reads 0x0E, RAM stuff, Port3, Port1 | Reads 0x0E P1 P5 stuff | Entrypoint | 0x0E, Port1, Port3 | T1InputCapture |
| FFDC | Reads 0x0E, RAM stuff, Port3, Port1 | Reads 0x0E | Entrypoint | 0x0E, Port1, Port3 | T1InputCapture |
| FFDE | Instant return | Instant return | Modifies 0x1A and 0x09 | Instant Return | T2CSR2 |
| FFE0 | Instant return | Instant return | Modifies 0x19 and 0x09 | Instant Return | T2CSR1 |
| FFE2 | Instant return | Instant return | Modifies 0x18 and 0x09 | Instant Return | T1CSR2 |
| FFE4 | Instant return | Instant return | Modifies 0x17 | Instant Return | ?? |
| FFE6 | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFE8 | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFEA | Instant return | Instant return | 0x0D 0x0B | Instant Return | OutCmp |
| FFEC | Instant return | Instant return | Peek 0x0D, handle 0x0B | Instant Return | OutCmp |
| FFEE | Reads 0x0D, modifies 0x0A | 0x0D, 0x0A | Peeks 0x0D | 0x0D, 0x0A | T1InputCapture |
| FFF0 | Reads 0x0D, modifies 0x0A | Instant return | Entrypoint | 0x0D, 0x0A | T1InputCapture |
| FFF2 | Reads 0x0D, modifies 0x0A | 0x0D, 0x0C | Entrypoint | 0x0D, 0x0A | T1InputCapture |
| FFF4 | Reads 0x0D, modifies 0x0A | ;0x0D | Entrypoint | 0x0D, 0x0A | T1InputCapture |
| FFF6 | Reads 0x0D, modifies 0x0A | 0x0D, 0x0C | Entrypoint | 0x0D, 0x0A | T1InputCapture |
| FFF8 | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFFA | Instant return | Instant return | Entrypoint | Instant Return | ? |
| FFFC | nNMI | nNMI | nNMI_VECTOR | nNMI | ?nNMI_VECTOR? |
| FFFE | Entrypoint | Entrypoint | Entrypoint | Entrypoint | RESET |