s60rawr
Full Member
Karma: +18/-814
 Offline
Posts: 148
|
 |
« Reply #1815 on: November 04, 2022, 09:32:22 AM »
|
|
|
this is happening because the checksum is being checked while downloading the bin for some reason, this code can be easily bypassed for now
also to answer previous questions the can speed is determined automatically when you click the connect button, and it appears the checksum is updated automatically when loading a bin to send to the car, there's no manual process for this
were you able to start the car after you flashed? i have a sneaky suspicion the checksum code is incorrect, and theres a chance its incorrectly 'fixing' the checksum before flashing to the car
it's old code probably using the old checksum code prometey fixed it ( https://github.com/prometey1982/VolvoME7ChecksumUpdater/tree/asm_checksum_fix ) regardless it should be doing the checksum on the flash/ write not the read debug and debug away! |
|
|
|
|
Logged
|
|
|
|
Dudde
Newbie
Karma: +1/-0
Offline
Posts: 14
|
|
« Reply #1816 on: November 04, 2022, 12:19:40 PM »
|
|
|
were you able to start the car after you flashed? i have a sneaky suspicion the checksum code is incorrect, and theres a chance its incorrectly 'fixing' the checksum before flashing to the car
Yes but i only flashed files with checksum corrected before, i had in mind trying to flash a modified file and let the software correct the checksum. But first im trying to find my parameter file from my computers so i can test the logging before i unstrap the car from the dyno.. |
|
|
|
|
Logged
|
|
|
|
dikidera
Full Member
Karma: +7/-6
Offline
Posts: 131
|
|
« Reply #1817 on: November 04, 2022, 03:21:59 PM »
|
|
|
After writing some ugly code I managed to dump the flash via CAN. # import the library
import can
import time
# create a bus instance
# many other interfaces are supported as well (see documentation)
bus = can.Bus(interface='socketcan',
channel='can0',
receive_own_messages=False)
# send a message
message = can.Message(arbitration_id=0x000ffffe, is_extended_id=True,
data=[0xFF, 0x86, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])
bus.send(message)
# iterate over received messages
address = 0x00000000
msgdata1_template = [0x7A, 0x9C, 0x00, 0x00, 0x00, 0x00]
msgdata2_template = [0x7A, 0xB4, 0x00, 0x00, 0x00, 0x00]
computedAddress = bytearray(address.to_bytes(4, 'big'))
msgdata1_template[2] = computedAddress[0]
msgdata1_template[3] = computedAddress[1]
msgdata1_template[4] = computedAddress[2]
msgdata1_template[5] = computedAddress[3]
address = address + 1
computedAddress = bytearray(address.to_bytes(4, 'big'))
msgdata2_template[2] = computedAddress[0]
msgdata2_template[3] = computedAddress[1]
msgdata2_template[4] = computedAddress[2]
msgdata2_template[5] = computedAddress[3]
message = can.Message(arbitration_id=0x000ffffe, is_extended_id=True,
data=msgdata1_template)
bus.send(message)
message = can.Message(arbitration_id=0x000ffffe, is_extended_id=True,
data=msgdata2_template)
bus.send(message)
f = open('my_file', 'a+b')
for msg in bus:
if msg.arbitration_id == 0x00000021:
if address >= 0x7FFFF:
break
if(msg.data[1] != 0xB1):
continue
f.write(bytearray(int(msg.data[2]).to_bytes(1, 'big')))
computedAddress = bytearray(address.to_bytes(4, 'big'))
msgdata1_template[2] = computedAddress[0]
msgdata1_template[3] = computedAddress[1]
msgdata1_template[4] = computedAddress[2]
msgdata1_template[5] = computedAddress[3]
address = address + 1
computedAddress = bytearray(address.to_bytes(4, 'big'))
msgdata2_template[2] = computedAddress[0]
msgdata2_template[3] = computedAddress[1]
msgdata2_template[4] = computedAddress[2]
msgdata2_template[5] = computedAddress[3]
message = can.Message(arbitration_id=0x000ffffe, is_extended_id=True,
data=msgdata1_template)
bus.send(message)
message = can.Message(arbitration_id=0x000ffffe, is_extended_id=True,
data=msgdata2_template)
bus.send(message)
#time.sleep(0.002)
print(hex(address - 2) + ': ' + hex(msg.data[2]))
f.close()
As you might imagine this is from python-can, using SocketCAN. I ran into an issue where the TX buffer of the socket was getting full(common issue) so I did txqueuelen 1000 on the interface. But the process was mighty slow, took me like half an hour to dump it all. |
|
|
|
|
Logged
|
|
|
|
t6
Full Member
Karma: +0/-5
Offline
Posts: 54
|
|
« Reply #1818 on: November 05, 2022, 07:25:03 AM »
|
|
|
this file will cross flash into your car. export this as a binary and flash into your car and ignore your original. then start using this file
Hi, I tried this soft but the engine does not start. S60R 2003, original: QGHJ |
|
|
|
|
Logged
|
|
|
|
s60rawr
Full Member
Karma: +18/-814
Offline
Posts: 148
|
|
« Reply #1819 on: November 05, 2022, 08:48:42 AM »
|
|
|
Hi,
I tried this soft but the engine does not start. S60R 2003, original: QGHJ
thats an ols project file. did you take the bin data from the ols project? here xD file says qhhj and looks like it lines up with my ghhj xdf |
|
|
|
|
Logged
|
|
|
|
Dudde
Newbie
Karma: +1/-0
Offline
Posts: 14
|
|
« Reply #1820 on: November 05, 2022, 09:29:52 AM »
|
|
|
Free the moose
Reading stock file works.
Reading modified file works without checksum check.
|
|
|
|
|
Logged
|
|
|
|
t6
Full Member
Karma: +0/-5
Offline
Posts: 54
|
|
« Reply #1821 on: November 05, 2022, 09:53:34 AM »
|
|
|
thats an ols project file. did you take the bin data from the ols project? here xD
file says qhhj and looks like it lines up with my ghhj xdf
I tried your bin but the same result - engine not starting. Dump from my car: |
|
|
|
|
Logged
|
|
|
|
dikidera
Full Member
Karma: +7/-6
Offline
Posts: 131
|
|
« Reply #1822 on: November 05, 2022, 10:58:15 AM »
|
|
|
I do not know if it will be useful, maybe for research purposes, but I am attaching a read from Denso HN.2 ECU for a S60 petrol 140hp from 2002 I think. I cannot guarantee the quality of the read, my first read had 4-5 added 00 bytes that I think I fixed in my second read and IDA was happy to disassemble the code. It's missing the last 00 byte to be full 512KB. I think I fixed my off by one. # import the library
import can
import time
###### BENCH READ #######
###### Set txqueuelen to
###### 1000 or 2000 on the can0 interface ######
# create a bus instance
# many other interfaces are supported as well (see documentation)
bus = can.Bus(interface='socketcan',
channel='can0',
receive_own_messages=False)
# send a message
message = can.Message(arbitration_id=0x000ffffe, is_extended_id=True,
data=[0xFF, 0x86, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])
bus.send(message)
#sleep to ensure ECU got this message.
time.sleep(1)
# iterate over received messages
address = 0x00000000
msgdata1_template = [0x7A, 0x9C, 0x00, 0x00, 0x00, 0x00]
msgdata2_template = [0x7A, 0xB4, 0x00, 0x00, 0x00, 0x00]
computedAddress = bytearray(address.to_bytes(4, 'big'))
msgdata1_template[2] = computedAddress[0]
msgdata1_template[3] = computedAddress[1]
msgdata1_template[4] = computedAddress[2]
msgdata1_template[5] = computedAddress[3]
address = address + 1
computedAddress = bytearray(address.to_bytes(4, 'big'))
msgdata2_template[2] = computedAddress[0]
msgdata2_template[3] = computedAddress[1]
msgdata2_template[4] = computedAddress[2]
msgdata2_template[5] = computedAddress[3]
message = can.Message(arbitration_id=0x000ffffe, is_extended_id=True,
data=msgdata1_template)
bus.send(message)
time.sleep(1)
message = can.Message(arbitration_id=0x000ffffe, is_extended_id=True,
data=msgdata2_template)
bus.send(message)
time.sleep(1)
f = open('my_file', 'a+b')
for msg in bus:
if msg.arbitration_id == 0x00000021:
if address - 1 > 0x7FFFF:
break
if(msg.data[1] != 0xB1):
continue
f.write(bytearray(int(msg.data[2]).to_bytes(1, 'big')))
computedAddress = bytearray(address.to_bytes(4, 'big'))
msgdata1_template[2] = computedAddress[0]
msgdata1_template[3] = computedAddress[1]
msgdata1_template[4] = computedAddress[2]
msgdata1_template[5] = computedAddress[3]
address = address + 1
computedAddress = bytearray(address.to_bytes(4, 'big'))
msgdata2_template[2] = computedAddress[0]
msgdata2_template[3] = computedAddress[1]
msgdata2_template[4] = computedAddress[2]
msgdata2_template[5] = computedAddress[3]
message = can.Message(arbitration_id=0x000ffffe, is_extended_id=True,
data=msgdata1_template)
bus.send(message)
message = can.Message(arbitration_id=0x000ffffe, is_extended_id=True,
data=msgdata2_template)
bus.send(message)
#time.sleep(5)
#print(hex(address - 2) + ': ' + hex(msg.data[2]))
f.close()
Anyway this is step 1. Getting a read is all fine and dandy, but flashing is a whole different beast. I don't want to buy KESS,MPPS or whatever. I have an adequate device for this, which is my RPI. But...it's an ARM linux device so we need to make it a J2534 device. But here is where I see the first issue. For ME7 or ME9 you have bootloaders, anything for Denso? |
|
|
|
« Last Edit: November 05, 2022, 11:05:59 AM by dikidera »
|
Logged
|
|
|
|
|
prometey1982
|
|
« Reply #1823 on: November 05, 2022, 11:54:53 AM »
|
|
|
But here is where I see the first issue. For ME7 or ME9 you have bootloaders, anything for Denso?
There is Renesas High-performance Embedded Workshop for programming for such devices. So you can write own bootloader for SH705X processor. It will be fine due to SH7055 processors inside TCU units. |
|
|
|
|
Logged
|
|
|
|
s60rawr
Full Member
Karma: +18/-814
Offline
Posts: 148
|
|
« Reply #1824 on: November 05, 2022, 02:00:00 PM »
|
|
|
Free the moose
Reading stock file works.
Reading modified file works without checksum check.
there's a fix for it just gotta put it in gonna make a guithub page for it so it gets updated that way I have no dev skills personally |
|
|
|
|
Logged
|
|
|
|
rlinewiz
Jr. Member
Karma: +12/-1
Offline
Posts: 42
|
|
« Reply #1825 on: November 06, 2022, 08:21:38 AM »
|
|
|
for anyone who needs an XDF for GMHJ, with matching bin. not complete but its a start, confirmed enough for stage 1
[EDIT] added an updated XDF that includes all maps used by hilton stage 1
|
|
|
|
« Last Edit: November 06, 2022, 03:21:02 PM by rlinewiz »
|
Logged
|
2005 S60R M66-Swapped // Self-tuned @ 22psi
[[forever coding for the OpenMoose project]]
|
|
|
s60rawr
Full Member
Karma: +18/-814
Offline
Posts: 148
|
|
« Reply #1826 on: November 06, 2022, 09:53:54 AM »
|
|
|
for anyone who needs an XDF for GMHJ, with matching bin. not complete but its a start, confirmed enough for stage 1
nice! i was looking for one of them |
|
|
|
|
Logged
|
|
|
|
s60rawr
Full Member
Karma: +18/-814
Offline
Posts: 148
|
|
« Reply #1827 on: November 06, 2022, 09:56:09 AM »
|
|
|
|
|
|
|
« Last Edit: November 10, 2022, 12:14:16 PM by s60rawr »
|
Logged
|
|
|
|
dikidera
Full Member
Karma: +7/-6
Offline
Posts: 131
|
|
« Reply #1828 on: November 06, 2022, 10:58:37 AM »
|
|
|
One thing I always wondered for SH7055 and the map chip 29LV200BC is that people dumped only 256kb from the chip, but I have seen from the code that it's larger and could be up to 2 megabytes in size.  You can see CS0 could be up to 2 megabytes, from 00200000 to 003FFFFF. In the ROM I also found references to memory accesses above the 256kb map dumps I've seen. At first I thought hmm...could there be more memory chips on the board? CS0 corresponds to chip select 0 so only one chip for this whole address range. So I decided to dump the entire CS0 range and lo and behold there is data above 256kb range. EDIT: So while there is data, it seems to be a copy of the 256kb memory region. Either that or we wrap around when selecting the address.  Or...very unlikely, but several copies are held in the chip just in case one gets corrupted. |
|
|
|
« Last Edit: November 06, 2022, 11:23:01 AM by dikidera »
|
Logged
|
|
|
|
C30t
Newbie
Karma: +0/-0
Offline
Posts: 1
|
|
« Reply #1829 on: November 06, 2022, 10:02:39 PM »
|
|
|
Thanks for this. I am currently trying to figure out ME9 R/W through DiCE. |
|
|
|
|
Logged
|
|
|
|
|
