ST publish a fork of OpenOCD that can interact with their SPC microcontrollers, commonly used in automotive ECUs. This can be used to dump the firmware, if the part has debug unlocked (which has been the case on both of the two dumped so far).
This has been tested with both an FX2LP board running ixo-usb-jtag, and a STM32 blue pill running USB-Blaster-GCC. It should work with any JTAG adapter supported by (this particular fork of) OpenOCD.
-
Check out this branch/repo off GitHub: https://github.com/STMicroelectronics/OpenOCD/tree/openocd-automotive-mcu-r2
git clone https://github.com/STMicroelectronics/OpenOCD.git -b openocd-automotive-mcu-r2 cd OpenOCD -
(Optionally) use a Docker container for building:
docker run -it --rm -v $PWD:/app -w /app ubuntu:22.04 bash apt update chown -R root:root /app(You may also need to install libusb/libftdi etc on the host too).
-
Compile OpenOCD
apt install -y build-essential libtool pkg-config git libusb-1.0-0-dev libftdi1-dev libhidapi-dev libgpiod-dev libjaylink-dev ./bootstrap ./configure make -j8
-
Check OpenOCD starts
cd tcl ../src/openocd -f interface/altera-usb-blaster.cfg -f target/spc564B.cfg -
Set up your interface if necessary
You may need to edit the interface file in
interface/to match your hardware (VID/PID etc). -
Work out which SPC target file you need (they're in
target/).For example, spc564B.cfg seems to work with SPC57 chips, and spc58xc.cfg with SPC58 chips (YMMV).
-
Create a dump of the flash memory
../src/openocd -f interface/altera-usb-blaster.cfg -f target/spc564B.cfg -c "init; halt; halt; dump_image 00000000 0x00000000 0x180000; exit"This will take a while! With some chips it can be very slow indeed. Check the part memory map for the memory address and length.
-
Dump the RAM
You can also dump the RAM to file which will help with reverse engineering:
../src/openocd -f interface/altera-usb-blaster.cfg -f target/spc564B.cfg -c "init; halt; halt; dump_image 40000000 0x40000000 0x18000; exit"Check the part memory map for the memory address and length.