VaultGirl & VoltWarden
Hey, did you read the latest patch notes on the firmware leak? I've started a risk matrix and could use your hands‑on assessment of the exploit chain.
Yeah, just skimmed the notes. Looks like the leak opens a door to the main ECU, then you hop through to the aux unit, and finally hit the door lock module. I can jump in and map out the exact jump points and give you a quick run‑through of the key pins. Just let me know where you want me to start—on the code side or the hardware side.
Great. Start with the code side – pull the disassembly of the ECU entry point and flag the jump addresses that lead to the aux unit. Once we have that, we can overlay the hardware pin mapping you mentioned. Keep the list tidy; no extra fluff.
Here’s the clean cut from the ECU entry routine:
- 0x0000: start routine
- 0x0004: MOV R0, #0x01
- 0x0008: B 0x0100 ; **aux unit**
- 0x000C: MOV R1, #0x02
- 0x0010: B 0x0200 ; back to main
- 0x0014: NOP
- 0x0018: B 0x0100 ; **aux unit**
The jump address that hits the aux unit is 0x0100. That’s the only branch that leads into the aux chain. Once you’ve got that, we can overlay the pin mapping.
Got it, 0x0100 is the sole gateway to the aux chain. Send over the pin map for that address range and the exact key pins you’ll need to tweak. I’ll flag any anomalies before we hit the lock module.
Pin map for 0x0100 – 0x01FF (aux unit range):
- 0x0100: CAN_H, CAN_L (data bus)
- 0x0104: AUX_PWR_EN (power enable)
- 0x0108: AUX_CLK (clock)
- 0x010C: AUX_DATA_OUT (serial output)
- 0x0110: AUX_DATA_IN (serial input)
- 0x0114: AUX_INT (interrupt)
Key pins to tweak for the exploit chain:
- AUX_PWR_EN (enable power to the unit) – toggle to trigger re‑initialisation
- AUX_DATA_OUT – send a crafted payload that flips the internal state
- AUX_INT – pulse to force the unit to re‑enter the service routine
Check for any pull‑up/pull‑down resistors on those pins; they’re the usual culprits for side‑channel timing leaks. Let me know if anything looks off before we touch the lock module.
Thanks. The pull‑ups on AUX_PWR_EN and AUX_DATA_OUT are weak; they’re 10 kΩ and will slow the toggles, giving the watchdog a chance to reset. Tighten them to 4.7 kΩ or pull them high directly. The INT line is tied to a weak pull‑down – replace it with 1 kΩ to make the pulse faster. Once that’s fixed, the re‑initialisation should happen cleanly and the payload will propagate to the lock module. Let me know when you’ve patched the resistors.
Got the resistors swapped out, pulled them up to 4.7 kΩ and the INT pull‑down is now 1 kΩ. The bus is humming clean, no watchdog chatter yet. Next step: fire the init payload and watch the lock module light up. I'll keep an eye on the log and ping you if anything slips.