Title: MPPS- EDC17C46 Read log
Post by: nihalot on June 19, 2017, 12:40:43 AM

Attached is
-read log with MPPS
-ECU ID in generic mode with MPPS
https://drive.google.com/file/d/0B6S55hndsVcLVHMtM0lCQTBpMzA/view?usp=sharing
(Can't upload anything over 2MB?!)

Does anyone have any info about TPROT patch on this ECU? Or a write log over CAN with another tool?
I am also making a RAM logger for this ECU, so any info on seed/key algo will be helpful. I am using an Arduino UNO+MCP2515/MCP2551.
I intend to make everything open source, so please share only if you are okay with this...

03L 906 018 AB CFFB
SW: 9041
HW: H27
TPROT- V7.00.01

Title: Re: MPPS- EDC17C46 Read log
Post by: aef on June 19, 2017, 02:39:24 AM

Don't you have KTAG? They have a built-in patcher for tprot.
At least for EDC17C14, that's what I did lately.

Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on June 19, 2017, 02:58:41 AM

> Don't you have KTAG? They have a built-in patcher for tprot.
> At least for EDC17C14, that's what I did lately.

I have clone version 2.13/6.070. I can't see the option anywhere...

Title: Re: MPPS- EDC17C46 Read log
Post by: aef on June 19, 2017, 02:59:29 AM

Checked my file from the EDC17CP14 and what KTAG did is this:
http://nefariousmotorsports.com/forum/index.php?topic=2550.msg65485#msg65485 :D

Title: Re: MPPS- EDC17C46 Read log
Post by: aef on June 19, 2017, 03:05:02 AM

The message body was left empty.
Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on June 19, 2017, 03:06:33 AM

Can you post your file? I would like to investigate the change in IDA.

Title: Re: MPPS- EDC17C46 Read log
Post by: aef on June 19, 2017, 03:19:50 AM

PM'd you the files.
Don't remember where the button was in KTAG.

Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on June 19, 2017, 03:30:43 AM

Thanks!
So it's not the 1st "3C 2B"... In your file it's the 3rd, and the same code is at the 2nd "3C 2B" pattern in my EDC17C46... Will test if the solution works :D
Although I must investigate further the consequences of this change :)

Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on June 19, 2017, 06:23:12 AM

Ok, so TPROT is patched :D
But MPPS can't flash it on the bench over OBD... NRC 7F 10 22 in the log I took. That's conditions not correct... Could be a lot of things from what I'm told... I'm guessing it's missing CAN gateway/cluster. Voltage is 12 using a SMPS.
Any ideas? Should I try emulating the cluster using the Arduino? Or emulating the gateway?

Title: Re: MPPS- EDC17C46 Read log
Post by: cherry on June 19, 2017, 04:44:31 PM

You cannot flash EDC17 OBD on bench with any tool because of active immo. Disable immo in eeprom or flash. No gateway needed.
Title: Re: MPPS- EDC17C46 Read log
Post by: aef on June 19, 2017, 10:10:43 PM

...and voltage should be above 12v.

Title: Re: MPPS- EDC17C46 Read log
Post by: prj on June 20, 2017, 12:33:09 AM

> ...and voltage should be above 12v.

It will flash even with 8V. There is no voltage check and never has been.

Title: Re: MPPS- EDC17C46 Read log
Post by: aef on June 20, 2017, 12:39:01 AM

Hmm, so you only attach a charger while in-car flashing because of all the electrical loads?

Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on June 20, 2017, 12:41:36 AM

Yes, even I thought the same. On EDC16 too, as far as I looked in the asm code, a lot of things are checked but no voltage check...
Also, I have the ECU on bench with SMPS like I said in my post, so no worries about other electrical loads.

Title: Re: MPPS- EDC17C46 Read log
Post by: overspeed on June 20, 2017, 10:05:03 AM

Just to help (if it does)
MED17.5.2 with Tprot10, read in boot, made OBD unlock and write, then tried to write another file by OBD and MPPS can't, takes only about 10 seconds and no start (fans ON), had to recover with original KESS and original file...

Title: Re: MPPS- EDC17C46 Read log
Post by: prj on June 20, 2017, 10:55:14 AM

> Hmm, so you only attach a charger while in-car flashing because of all the electrical loads?

I only attach a charger on those cars that turn fans on. And only because otherwise the car won't after. In fact the fan will cycle on/off due to the low voltage, and it will drop to even 8V but the ECU will not fail the flash.
The ECU has very good voltage conditioning; you might want to read up on the ISO standards governing this. All this "must have x volts" is complete and utter bullshit repeated ad nauseam.

Title: Re: MPPS- EDC17C46 Read log
Post by: vwaudiguy on June 20, 2017, 12:26:50 PM

> All this "must have x volts" is complete and utter bullshit repeated ad nauseam.

When using Nefmoto's flasher on certain cars, it will repeatedly fail to read/write until a battery charger is in place, then it's rock solid. Seen this many many times.

Title: Re: MPPS- EDC17C46 Read log
Post by: chli1976 on June 20, 2017, 01:57:18 PM

> You cannot flash EDC17 OBD on bench with any tool because of active immo. Disable immo in eeprom or flash. No gateway needed.

For me it works only if immo is off in eeprom.

Title: Re: MPPS- EDC17C46 Read log
Post by: prj on June 20, 2017, 03:40:29 PM

> When using Nefmoto's flasher on certain cars, it will repeatedly fail to read/write until a battery charger is in place, then it's rock solid. Seen this many many times.

The reason for that is the power supply in the cable you are using to r/w it.

Title: Re: MPPS- EDC17C46 Read log
Post by: vwaudiguy on June 20, 2017, 08:35:39 PM

> The reason for that is the power supply in the cable you are using to r/w it.

Thanks for the tip. I'll try and keep track of what cables this happens on.
Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on June 20, 2017, 09:56:00 PM

Even with the TPROT patch I'm getting only calibration area read over OBD. I assume even writes will be for calibration area. The FR mentions a memory protection module, "AccPr".
Does anyone have more info on this? I would like full r/w access over OBD.

Title: Re: MPPS- EDC17C46 Read log
Post by: prj on June 20, 2017, 10:56:52 PM

> Even with the TPROT patch I'm getting only calibration area read over OBD. I assume even writes will be for calibration area. The FR mentions a memory protection module, "AccPr".

You can do full write with and without TPROT on.

> Does anyone have more info on this? I would like full r/w access over OBD.

TPROT never stops you writing, it stops the RSA check from passing post write.

Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on June 20, 2017, 11:05:44 PM

> You can do full write with and without TPROT on.
> TPROT never stops you writing, it stops the RSA check from passing post write.

Thanks!! The FR doesn't have a lot of info on TPROT. Where did you read about this? Can you share the document?

Title: Re: MPPS- EDC17C46 Read log
Post by: aef on June 21, 2017, 01:52:26 AM

Does this mean you can write a tprot patched file via OBD?
No need to do the patching on the bench with KTAG?

Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on June 21, 2017, 01:54:16 AM

> Does this mean you can write a tprot patched file via OBD?
> No need to do the patching on the bench with KTAG?

I think not, as the original code is still going to RSA the new uploaded binary.

EDIT: How does flashing over OBD work on these ECUs? Is the flashing+TPROT code copied to RAM first? Or is this area not written (OTP)?
Also in my CAN read log, some of the multiframe messages are missing some sequences, example:
Code: 70.5250 7E8 20 00 00 00 00 00 00 00
In the above log, 21, 25, 28, 2A, 2D are missing... Is the Arduino too slow to handle logging? Or am I missing something in the protocol??

Title: Re: MPPS- EDC17C46 Read log
Post by: jcsbanks on June 21, 2017, 08:19:27 AM

The ECU ID in Generic mode log I recognise as CCP 2.1 with a variety of single byte downloads to the ECU. I don't know if this constitutes a loader of some kind in RAM that then gets executed? What is the functional purpose of obtaining the ECU ID? Is it later used in a flash protocol to bypass RSA checks?
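nihalot asks above whether the consecutive frames 21, 25, 28, 2A, 2D that are absent from the CAN log point to a slow logger or to something in the protocol. In ISO-TP (ISO 15765-2) the low nibble of a consecutive frame's first byte is a sequence number that increments by one and wraps from 0xF to 0x0; the protocol never skips a value, so any hole in that sequence means a frame was on the bus but was not captured (an MCP2515 has only two receive buffers, so a polled Arduino can lose back-to-back frames). The checker below is an added example, not code from the thread and not nihalot's logger: it walks a log in the thread's "<time> <can_id> <bytes>" format and reports the missing consecutive-frame PCI bytes per sender. The sample log is constructed, with two frames deliberately dropped.

```python
# Added example (not from the thread, not nihalot's logger code): find the
# ISO-TP (ISO 15765-2) consecutive-frame sequence numbers that never appear
# in a CAN log written in the thread's "<time> <can_id> <data bytes>" format.
from typing import Dict, List, Tuple

# Constructed sample log: one multi-frame response from 0x7E8 in which the
# consecutive frames with PCI bytes 0x23 and 0x26 were never captured.
SAMPLE_LOG = [
    "70.4990 7E0 03 22 F1 90 00 00 00 00",   # single frame request (PCI type 0)
    "70.5000 7E8 10 20 62 F1 90 41 42 43",   # first frame, 0x020 bytes to follow
    "70.5010 7E0 30 00 00 00 00 00 00 00",   # flow control from the tester (PCI type 3)
    "70.5020 7E8 21 44 45 46 47 48 49 4A",
    "70.5030 7E8 22 4B 4C 4D 4E 4F 50 51",
    "70.5050 7E8 24 59 5A 5B 5C 5D 5E 5F",   # 0x23 missing
    "70.5060 7E8 25 60 61 62 63 64 65 66",
    "70.5080 7E8 27 6E 6F 70 71 72 73 74",   # 0x26 missing
]


def parse_line(line: str) -> Tuple[float, int, bytes]:
    """Split one log line into (timestamp, CAN id, payload bytes)."""
    parts = line.split()
    return float(parts[0]), int(parts[1], 16), bytes(int(b, 16) for b in parts[2:])


def find_sequence_gaps(log_lines: List[str]) -> Dict[int, List[int]]:
    """Return {can_id: [missing PCI bytes]} for every multi-frame transfer.

    A First Frame (PCI type 1) starts a transfer; each following Consecutive
    Frame (PCI type 2) carries a 4-bit sequence number in its low nibble that
    must increase by one and wrap from 0xF back to 0x0. ISO-TP never skips a
    number, so any hole means the frame existed on the bus but was not logged.
    """
    expected: Dict[int, int] = {}      # next sequence number per sending id
    gaps: Dict[int, List[int]] = {}
    for line in log_lines:
        _, can_id, data = parse_line(line)
        if not data:
            continue
        pci_type = data[0] >> 4
        if pci_type == 1:              # First Frame: the next CF must carry SN 1
            expected[can_id] = 1
        elif pci_type == 2 and can_id in expected:
            seen = data[0] & 0x0F
            nxt = expected[can_id]
            while nxt != seen:         # every SN skipped before 'seen' is a lost frame
                gaps.setdefault(can_id, []).append(0x20 | nxt)
                nxt = (nxt + 1) & 0x0F
            expected[can_id] = (seen + 1) & 0x0F
        # single frames (type 0) and flow control (type 3) carry no SN
    return gaps


if __name__ == "__main__":
    for can_id, missing in find_sequence_gaps(SAMPLE_LOG).items():
        print(f"{can_id:03X}: missing CF {' '.join(f'{m:02X}' for m in missing)}")
```

Run against the constructed log it reports "7E8: missing CF 23 26". Because the counter wraps, a frame whose PCI byte is 0x2A or 0x2D is a normal part of a long transfer; it is only a problem when the numbers on either side of it are present and it is not, which is exactly the pattern of a logger that drops frames under load rather than a protocol that skips them.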
Title: Re: MPPS- EDC17C46 Read log
Post by: jcsbanks on June 21, 2017, 08:22:30 AM

> You cannot flash EDC17 OBD on bench with any tool because of active immo. Disable immo in eeprom or flash. No gateway needed.

Does this mean disable immo through an OBD flash and then bench flashes are possible? Is MED17 different? MEVD17 is.

Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on June 21, 2017, 08:32:30 AM

> The ECU ID in Generic mode log I recognise as CCP 2.1 with a variety of single byte downloads to the ECU. I don't know if this constitutes a loader of some kind in RAM that then gets executed? What is the functional purpose of obtaining the ECU ID? Is it later used in a flash protocol to bypass RSA checks?

AFAIK, it is to obtain the TPROT version and what MPPS says as "checking presence of DS check routine" <-- what is this??

Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on June 21, 2017, 01:08:30 PM

So...
Finally got around to analyzing the seed key. It's the same as on EDC16 for 03/04 seed/key... Key=Seed+0x2FC9
But MPPS always tries Key=Seed+0xA7C6 before trying the above (which is rejected), wonder why...
Some more seed/key logs if anyone's interested:
Code: 92.4929 7E0 02 27 03 01 FB 40 F0
Can anyone share an immo off solution? Would like to try the tougher seed/key for write...

Title: Re: MPPS- EDC17C46 Read log
Post by: aef on June 21, 2017, 11:42:13 PM

This may help for future plans
http://nefariousmotorsports.com/forum/index.php?topic=3574.0

Title: Re: MPPS- EDC17C46 Read log
Post by: prj on June 22, 2017, 12:46:10 AM

> Thanks!! The FR doesn't have a lot of info on TPROT. Where did you read about this? Can you share the document?

There is no public document.
Simply put, TPROT software side is: every file you load to the ECU is signed, this digital signature is checked upon completion of the flash. If the signature does not match, the ECU will not go out of download mode. Bypassing this check is done by exploiting the bootloader.
The hardware tprot password can also be bypassed using certain exploits, most notably voltage glitching on the flash power supply pin.

Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on June 22, 2017, 01:34:50 AM

Of course there's no public document... :D
Flash power supply on Tricore? I did read about clock glitching but not specific to Tricore. In fact I haven't seen such an attack published on Tricore, if you have a source? Or personal experience?

Title: Re: MPPS- EDC17C46 Read log
Post by: aef on June 22, 2017, 02:29:27 AM

If I remember correctly, he is talking about voltage glitching. (for dumping, not flashing)
Can't verify at the moment.
https://www.youtube.com/watch?v=7t4paclIwuU

Title: Re: MPPS- EDC17C46 Read log
Post by: prj on June 22, 2017, 04:29:52 AM

> If I remember correctly, he is talking about voltage glitching. (for dumping, not flashing)
> Can't verify at the moment.
> https://www.youtube.com/watch?v=7t4paclIwuU

If you can unprotect the flash you can both read and write it.

Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on June 24, 2017, 03:56:30 AM

Can't get it to work :/
So far I've tried
-ReadMemoryByAddress- NRC 31
-ReadDataByIdentifier- NRC 11
-RequestUpload- NRC 11
I'm trying to log 0xD0000000
Any other ideas?

Title: Re: MPPS- EDC17C46 Read log
Post by: nubcake on June 24, 2017, 05:06:00 PM

> Can't get it to work :/
> So far I've tried
> -ReadMemoryByAddress- NRC 31
> -ReadDataByIdentifier- NRC 11
> -RequestUpload- NRC 11
> I'm trying to log 0xD0000000
> Any other ideas?

Find tester communication routines and see if they can be enabled/patched without too much hassle. Using KWP? Diag access?
This thread (http://nefariousmotorsports.com/forum/index.php?topic=271.45) suggests that RequestUpload should work.

Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on June 24, 2017, 08:53:50 PM

On that thread the EDC17 is KWP.
But mine is based on UDS. First DiagSession 0x03, then switched to 0x4F. This is the way MPPS does it, and then it uses ReadMemoryByAddress (0x20000-0x6FFFF is only accepted, all other addresses give NRC 31 or NRC 13).

Title: Re: MPPS- EDC17C46 Read log
Post by: jcsbanks on June 29, 2017, 01:55:43 AM

You could try CCP to read. Or if you can already flash it you can unlock ranges.
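prj describes the software side of TPROT twice above: writing is never refused, the image carries a signature, the bootloader verifies it when the flash completes, and the ECU stays in download mode if the check fails (which is also why nihalot expects a patched file written over OBD to be rejected by the untouched verification code). The model below is an added example, not code from the thread and not Bosch's or any flashing tool's implementation: a toy bootloader state machine around a real RSA-over-SHA-256 verify. The key is built from two Mersenne primes so the example needs no library and is deterministic, which also makes it trivially factorable; the image bytes are constructed.

```python
# Added example (not from the thread, not Bosch's or any flashing tool's code):
# a toy model of the post-flash signature check prj describes. Flashing is
# never refused; leaving download mode is, unless the programmed image verifies.
import hashlib

# Toy RSA key. 2**127-1 and 2**521-1 are Mersenne primes, so the arithmetic is
# real RSA, but a modulus built from them is trivially factorable: illustration only.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)


def image_digest(image: bytes) -> int:
    """SHA-256 of the whole programmed image as an integer (always < N here)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign_image(image: bytes) -> int:
    """Release-side step: whoever holds D signs the digest of the image."""
    return pow(image_digest(image), D, N)


def signature_valid(image: bytes, signature: int) -> bool:
    """Bootloader-side step: recover the digest with E and compare."""
    return pow(signature, E, N) == image_digest(image)


class ToyBootloader:
    """Minimal state machine: download mode is entered when a write starts and
    only left if the signature over the written image checks out."""

    def __init__(self, image: bytes, signature: int) -> None:
        self.flash = bytes(image)
        self.signature = signature
        self.download_mode = False

    def flash_image(self, image: bytes, signature: int) -> bool:
        """Write image + signature, then try to leave download mode.
        Returns True if the ECU is back in normal operation."""
        self.download_mode = True
        self.flash = bytes(image)
        self.signature = signature
        return self.exit_download_mode()

    def exit_download_mode(self) -> bool:
        if signature_valid(self.flash, self.signature):
            self.download_mode = False
        return not self.download_mode


if __name__ == "__main__":
    # Constructed image and a one-byte change to it; no real ECU data involved.
    stock = b"constructed ECU firmware image v1"
    stock_sig = sign_image(stock)
    patched = stock.replace(b"v1", b"v2")
    ecu = ToyBootloader(stock, stock_sig)
    print("stock image, stock signature:", ecu.flash_image(stock, stock_sig))
    print("patched image, stock signature:", ecu.flash_image(patched, stock_sig))
    print("patched image, re-signed with D:", ecu.flash_image(patched, sign_image(patched)))
```

The three cases print True, False, True: the check is on the digest of the whole written image, so any change to the bytes without a matching signature leaves the ECU stuck in download mode, and only possession of the private exponent D produces a signature it accepts. That is the property the thread is circling: the protection does not gate the write, it gates what runs afterwards.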
Title: Re: MPPS- EDC17C46 Read log
Post by: terminator on July 13, 2017, 01:07:00 AM

I think for flash needs another seed key, level 3 is only for read.
I wonder why CMD and KESS do not read this ECU? What about EDC17CP20? It can be read this way too?
About voltage... only some Hitachi ECUs will not allow read/write while low voltage... Other ECUs work fine even with 8v.

Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on July 13, 2017, 02:30:39 AM

Level 1/2 are also needed for the RAM log I suppose.
So now I'm making an ECU simulator to get seed/key from MPPS.

Title: Re: MPPS- EDC17C46 Read log
Post by: nihalot on July 13, 2017, 04:02:09 AM

Just finished with EDC16 ECU simulator on Arduino (pretty easy to make, only need to respond to ECU ident services and then respond with a key of your own - inspired by Basano's thread :))
Level 1/2 is very similar to MED9: left shift 5 times. If carry is set at any shift, XOR with 0x0A221289.

Title: Re: MPPS- EDC17C46 Read log
Post by: prj on August 09, 2017, 12:19:07 PM

> I think for flash needs another seed key, level 3 is only for read.
> I wonder why CMD and KESS do not read this ECU? What about EDC17CP20? It can be read this way too?
> About voltage... only some Hitachi ECUs will not allow read/write while low voltage... Other ECUs work fine even with 8v.

Because there is in most cases no point to read any VAG ECU. Take the VAG flash db and unpack the frf/sgo, job done. I don't even read ME7/EDC15/EDC16, never mind the newer ones. There is simply no point to do so.

Title: Re: MPPS- EDC17C46 Read log
Post by: superglitch on August 21, 2017, 08:01:31 PM

The read process is also very long, VR is much easier.
Title: Re: MPPS- EDC17C46 Read log
Post by: aef on August 22, 2017, 02:41:38 AM

Can you describe what Virtual Read technically does?
Is it, "hey give me your id and I will download stock file from my database", or what?

Title: Re: MPPS- EDC17C46 Read log
Post by: terminator on August 22, 2017, 04:44:28 AM

> Because there is in most cases no point to read any VAG ECU.

I don't agree, because sometimes the car is already tuned and the customer wants to add DPF, EGR etc. It was not quite so long ago, Porsche EDC17CP44 3.0TDI was tuned + DPF + EGR by someone for 1200eu. CMD doesn't read it, only VR. The client would like to know what he paid 1200eu for. The reason he asked me to check it was EGR's DTC and no gain. So I downloaded the ori file from the CMD server, tuned it and wrote it back... and the client is happy now, but what if he wouldn't be? I can write back only the stock file. And this is a really big problem.

Title: Re: MPPS- EDC17C46 Read log
Post by: terminator on August 22, 2017, 04:48:55 AM

> Can you describe what Virtual Read technically does?
> Is it, "hey give me your id and I will download stock file from my database", or what?

Exactly, and this is done automatically. Sometimes there is no file on the server and you have to read it in boot.

Title: Re: MPPS- EDC17C46 Read log
Post by: prj on August 22, 2017, 11:49:18 AM

> I don't agree, because sometimes the car is already tuned and the customer wants to add DPF, EGR etc. It was not quite so long ago, Porsche EDC17CP44 3.0TDI was tuned + DPF + EGR by someone for 1200eu. CMD doesn't read it, only VR. The client would like to know what he paid 1200eu for. The reason he asked me to check it was EGR's DTC and no gain. So I downloaded the ori file from the CMD server, tuned it and wrote it back... and the client is happy now, but what if he wouldn't be? I can write back only the stock file. And this is a really big problem.

Just put it on bench and read it in boot if you want to know what is in it. Kinda funny to pay 1200 EUR for EDC17CP44 tuning though. A child can tune that.

Title: Re: MPPS- EDC17C46 Read log
Post by: terminator on August 23, 2017, 04:38:21 AM

> Just put it on bench and read it in boot if you want to know what is in it.

Too lazy and don't always have a lot of free time.

> Kinda funny to pay 1200 EUR for EDC17CP44 tuning though. A child can tune that.

I wish I could set the same price)) A child would have tuned it better than it was.

Title: Re: MPPS- EDC17C46 Read log
Post by: minDark on December 07, 2017, 06:33:08 AM

> Because there is in most cases no point to read any VAG ECU.

Hi! You talk about .db and .key files from project database? If so, that .db is password protected. Do you have more info on how to get the password?

> Take the VAG flash db and unpack the frf/sgo, job done. I don't even read ME7/EDC15/EDC16, never mind the newer ones. There is simply no point to do so.