Imagine holding a mysterious black box in your hands, its internal workings a mystery locked behind layers of silicon, solder, and software. This is the essence of hardware reverse engineering – a fascinating blend of curiosity, technical skill, and detective work. Whether you’re delving into automotive electronics, consumer gadgets, or industrial systems, understanding the basics is essential for success. Let’s take a dive into Hardware Reverse Engineering 101, unraveling the first steps and fundamental concepts through the lens of a car’s Electronic Control Unit (ECU).
First Impressions: An Engineer’s Intuition
The first glance at a circuit board is like the opening scene of a mystery novel. What secrets does it hold? Reverse engineering begins with observation and deduction. Start by identifying the obvious:
- Connectors: Large, populated connectors often signal interfaces like CAN (Controller Area Network) for in-vehicle communications. Unpopulated connectors might hide debug interfaces like JTAG, waiting to spill their secrets if probed correctly.
- Markings and Layouts: Silkscreen markings, pin labels, and the layout itself often hint at functionality. A densely populated region may contain power management, while grouped pins might belong to communication interfaces.

Power Supply Circuitry: The Heart of the Board

The power circuitry is the lifeline of any PCB (Printed Circuit Board). In automotive ECUs, DC-DC buck regulators are the norm, managed by System Basis Chips (SBCs) that often handle multiple power domains. Spot the power circuitry by locating:
- Large Inductors: These components dominate power supply areas. Inductors are used both for filtering the input supply current and as a component in buck regulator circuits.
- Large Capacitors: Electrolytic Capacitors are put on every supply rail to smooth out the voltage. Typically, the largest ones are found connected to the input pin and to the output of voltage regulators.
- Protection Diodes: Series or parallel (usually both) configurations ensure voltage surges don’t fry the electronics. A TVS Zener diode in parallel with the supply shorts any anomalous voltage, opening a resettable fuse and protecting the ECU, while a rectifier diode in series with the supply wire prevents current flow in the wrong direction.

Knowing where to connect power is crucial, especially if you’re experimenting with an unknown ECU purchased second-hand without accompanying schematics or hardware. The power pin is typically larger and is connected to a thicker trace than the others. The ground pin usually connects directly to the ground region that floods the surrounding area of the PCB.

Note how the ground pin on the top left is missing the darker ring which insulates it from the ground flood and how the battery power pin on the bottom left is connected to a thick trace (and shows continuity when probed to the large input protection diodes).
Transformers
Transformers on automotive PCBs typically take the role of signal filters rather than power management. Transformers of different kinds are usually easily visible on the PCB. Finding the transformers used in communications is useful for tracing which pins the respective interfaces must be connected to.
The most common type of transformer you’ll find on an ECU is the Common-mode choke, a 4-pin transformer with an equal number of turns on the two sides. It is used for rejecting noise in protocols with differential signals, such as CAN, FlexRay, and Automotive Ethernet. These common-mode chokes are connected to two differential pairs: one connected to the outer connector, and the other connected to the corresponding transceiver.

Sometimes you’ll also find regular Ethernet transformers on the PCB. These are not automotive Ethernet, but instead standard IEEE 802.3 Ethernet, usually found on gateway ECUs connected to the OBD connector.

Decoding Integrated Circuits (ICs): The Brain of the System
ICs hold the key to functionality but identifying them requires patience and ingenuity. Here’s how to tackle the task:
- Part Numbers: Search for printed part numbers or markings online. Try various combinations of strings if direct matches don’t yield results.
- Errata Documents: Even when the actual part number is not written on the chip, the batch number is. Batch numbers are sometimes reported in errata sheets, which then reveal the real part number.
- Proprietary Components: Some ICs, like automotive Microcontrollers (MCUs), are custom-designed for car manufacturers. For these, open datasheets may not exist, but tracing connections can reveal their role.
Transceivers: Translators of Communication
Transceivers (a.k.a. PHY) translate signals between logic levels and bus protocols. Here are common types found in automotive systems:
CAN Transceivers
These bridge logic-level signals (RX, TX) to differential bus signals (High, Low). Popular examples include:
- Microchip MCP2551: 8-pin High-Speed CAN Transceiver found in many old ECUs and Arduino/Raspberry Pi CAN shields. Up to 1 Mbps baud rate.
- NXP TJA1441: CAN FD (Flexible Data rate) transceiver, supports baud rates up to 5 Mbps. The pinout is the same as the MCP2551.
- NXP TJA1059: Two CAN transceivers in the same 14-pin package, found in most German ECUs.

Other Protocols
- Automotive Ethernet: identical to Ethernet on the MAC layer, but with a different physical interface with only 2 wires for increased reliability. Speeds up to 1000 Mbps in either half-duplex or full-duplex, depending on the configuration.
- FlexRay: differential protocol meant to replace CAN; in reality, it just complements it in applications where some extra speed is required. Speed is up to 10 Mbps.
- LIN: single line bus protocol, usually used by simple sensors and actuators. Extremely similar to UART on the logic-level side. Speed is around 20 Kbps.
- SWCAN: single wire, slower version of CAN, found mostly in GM cars. Speed is usually 33.3 Kbps. A special SWCAN transceiver can send 12V spikes to wake up ECUs. Other than that, a normal CAN transceiver can be used for communicating SWCAN (CAN Low is connected to the ground signal, and CAN High is connected to the bus).
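
The speeds listed above give a quick way to narrow down which bus an unidentified transceiver serves once its logic-level RX pin has been found. The following is an added example, not code from the original article: it estimates the bit rate from edge timestamps exported by a logic analyzer and matches it against the figures in this section. The function names, the 5% tolerance, the common CAN rates of 125/250/500 kbps and the sample capture are assumptions made for the illustration.

```python
# Added example: estimate the bit rate on a transceiver's logic-level RX pin from
# edge timestamps (seconds) exported by a logic analyzer. Names are illustrative.

# LIN, SWCAN, FlexRay and the CAN / CAN FD maxima are the article's figures;
# 125/250/500 kbps are common CAN rates added here as an assumption.
NOMINAL_RATES = {
    20_000: "LIN", 33_300: "SWCAN",
    125_000: "CAN", 250_000: "CAN", 500_000: "CAN", 1_000_000: "CAN",
    5_000_000: "CAN FD (data phase)", 10_000_000: "FlexRay",
}

def drop_glitches(edges, min_pulse=20e-9):
    """Remove both edges of any pulse shorter than min_pulse (analyzer noise)."""
    clean = []
    for t in edges:
        if clean and t - clean[-1] < min_pulse:
            clean.pop()          # the two edges of a glitch cancel each other
        else:
            clean.append(t)
    return clean

def estimate_bit_time(edges):
    """Every gap between edges is a whole number of bit times; fit that number."""
    edges = drop_glitches(edges)
    gaps = [b - a for a, b in zip(edges, edges[1:])]
    if len(gaps) < 2:
        raise ValueError("need at least three clean edges")
    bit_time = min(gaps)         # first guess: the shortest pulse is one bit
    for _ in range(2):           # refine so jitter on one pulse averages out
        bits = [max(1, round(g / bit_time)) for g in gaps]
        bit_time = sum(gaps) / sum(bits)
    return bit_time

def classify(edges, tolerance=0.05):
    """Return (measured bit rate, nominal buses within the tolerance)."""
    rate = 1.0 / estimate_bit_time(edges)
    return rate, [name for nominal, name in NOMINAL_RATES.items()
                  if abs(rate - nominal) / nominal <= tolerance]

def build_capture(bit_time, runs, jitter=0.0):
    """Constructed sample: edges for the given run lengths, with +/- jitter."""
    t, edges = 0.0, [0.0]
    for i, n in enumerate(runs):
        t += n * bit_time
        edges.append(t + (jitter if i % 2 else -jitter))
    return edges

# Constructed capture: 2 us bits (500 kbps) with 40 ns of edge jitter.
SAMPLE_EDGES = build_capture(2e-6, [1, 2, 1, 1, 3, 1, 5, 1, 2, 1, 4, 1], jitter=40e-9)

if __name__ == "__main__":
    rate, buses = classify(SAMPLE_EDGES)
    print(f"{rate / 1000:.1f} kbit/s -> {buses}")
```

The estimate relies on the capture containing at least one single-bit pulse, and a CAN FD frame that switches rate mid-frame should be split into its two phases before measuring.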

Non-Volatile Memories
Memory chips on PCBs store the firmware and configurations. Identifying and interacting with these components can unlock valuable insights:
- NAND flash memories are found on some modern ECUs, where they store the firmware for Systems on Chip (SoC). Typically, this is done for high-power processors which run multi-user operating systems such as Android or QNX. These are easy to dump by soldering some wires to the board and using the SDIO protocol. More modern ECUs use UFS flash chips, which require a specialized dumper.
- EEPROM memories offer less storage but more write cycles and reliability than NAND flash memories. These are typically used for storing configurations of ECUs or logging data (also the odometer value). Personal footnote: it can be fun to fuzz the data in the EEPROM and see how the ECU reacts.

System Basis Chips (SBC): Multitasking Marvels
SBCs integrate multiple automotive features into a single chip. Some examples of the integrated features are:
- Power management (e.g. DC-DC regulation, Voltage regulation for low power domain, multiple power domains)
- Communication transceivers (LIN, CAN): when the SBC is used as a transceiver, it is usually connected to a common-mode choke just like any other transceiver.
- Hardware watchdogs (Reset the MCU if it is behaving incorrectly)
While some SBCs are off-the-shelf components (e.g. TLE9461ES), others are custom-made for specific applications. A thorough examination of these chips can provide a roadmap of the ECU’s functionality.

Conclusion
Reverse engineering hardware is like peeling layers off an onion, revealing a network of interconnections, components, and design philosophies. With the right tools, curiosity, and knowledge, even the most daunting PCB can become an open book.
If you encounter challenges, our specialized trainings and workshops can provide the expertise and support you need to navigate reverse engineering with confidence.