Title: MED17.5 Immo Question
Post by: de_F on December 04, 2018, 10:10:45 AM

Like most, I'm trying to play around a bit with a bench ECU. I managed to get some basic things done, like reading a part of the ECU flash with the KWP protocol (I wrote it up in the datalogging forum if anyone is interested).

I wanted to venture a bit further and try a download command. But sadly that doesn't work on a bench ECU with the Immo on. I found an example with Immo On and Immo Off in the E2P. But as written elsewhere here on this forum, without the calculation/algo behind it, it is pretty useless to try and disable the IMMO myself on my own bench ECU. I'm not skilled enough to reverse the code in IDA, and I realize I won't learn anything from a single example. So, except for trying all 255 remaining possibilities, I am left asking if anyone would be so kind as to give a pointer on how this calculation works. I know there are a bunch of cheap tools on eBay to do this, or I could pay someone to do it, but I am really just curious about the method behind these calculations.

I suspect the change has to be made at 0x8A, 0x10A, 0x18A and the other 6 identical locations in the E2P that is attached, followed by the checksum correction of course. Any help or pointer is most appreciated.

Title: Re: MED17.5 Immo Question
Post by: _nameless on December 04, 2018, 03:54:08 PM

Here, use this to compare to your original.
Title: Re: MED17.5 Immo Question
Post by: de_F on December 04, 2018, 09:32:31 PM

Hello Marty, first of all, thanks a lot for the help. For those wondering, his Immo-Off solution works.

Quick analysis shows that the location for the actual Immo Off switching was correct at locations 0x8A, 0x10A, 0x18A and so on. Out of the 2 examples I now have, I came to the conclusion that even brute-force "testing" could yield results quickly, since in none of my examples on MED9.1 or MED17.5 does the new digit seem to differ by more than 3h from the original (up or down).

Amended after receiving information from a forum member below.

Digit location: 0x8A, 0x10A, 0x18A and all other copies of this string (mind you, they could be at a different location in your file; just try and match it with this example file). Take that number and turn it into bits. Example: 0x20 would be 0010 0000 in binary. Now XOR it with 0x3, which is 0000 0011, and you get:

    0010 0000
    0000 0011
    ---------
    0010 0011

Result is 0x23. So now we replace 0x20 with 0x23 and we should have an Immo off E2P. The checksums will have to be corrected as well, of course.

Title: Re: MED17.5 Immo Question
Post by: gt-innovation on December 05, 2018, 03:36:44 AM

The SIA = Supervisor immobiliser authority is the module that you need to study to get a good grasp of what is going on.

A lot of things could be done from MPC as well... Now unfortunately the development team of this module was different, and everything that has to do with extended information for it is not described in the FR/FDEF.

SIA_Core_C (), SIA_Core_C (), SIA_Core_F (), SIA_EMSIFC ()

That doesn't mean though that you can't understand most of the things that are being done, including the encryption function _EECrF5_pfn.

To get bench flashing capabilities without the boot mode procedure, I suppose that forcing the following conditions might help. Per A2L on Med17.5.5:

Sia_Adapt
B_ecudev
B_ecudevsia
B_nlwfs

As for the immobilizer blocking the flash programming while active, look for Sia_bFshPrgLck. Flash over OBD worked fine for me while the ECU was in, but maybe there are variants out there that might need a different approach. To bypass the main function that stops the car from starting is only 2 consecutive lines of code that have to be replaced, and it is easy to find them.

Title: Re: MED17.5 Immo Question
Post by: H2Deetoo on December 05, 2018, 07:03:31 AM

Most tools simply do some XOR with 0x03 on the location where the immo status is stored. This will invert the lower 2 bits and always results in the "immo off" value. It's just a quick hack.

Title: Re: MED17.5 Immo Question
Post by: H2Deetoo on December 05, 2018, 07:04:24 AM

Have you been able to read the EEPROM by OBD for (M)EDC17?
Title: Re: MED17.5 Immo Question
Post by: H2Deetoo on December 05, 2018, 07:20:28 AM

Btw, the MEDC17 EEPROM consists of blocks. Blocks 0008, 0009 and 000A consist of immo data. These blocks have also got 2 checksums; both are explained on this forum already.

Title: Re: MED17.5 Immo Question
Post by: de_F on December 05, 2018, 08:54:46 AM

All great info, guys. Remember that what might look simple to you might be complicated for people with a different background, or hobbyists like myself. So any info is more than welcome. :)
Title: Re: MED17.5 Immo Question
Post by: de_F on December 05, 2018, 10:33:54 AM

> Most tools simply do some XOR with 0x03 on the location where the immo status is stored. This will invert the lower 2 bits and always results in the "immo off" value. It's just a quick hack.

That would explain why my examples were always either 1 or 3 (up or down). Was over-analyzing this apparently.

Title: Re: MED17.5 Immo Question
Post by: gt-innovation on December 07, 2018, 11:22:18 AM

> That would explain why my examples were always either 1 or 3 (up or down). Was over-analyzing this apparently.

If you still have problems flashing the car on the bench, let me know so I can enable/disable those functions for you.

Title: Re: MED17.5 Immo Question
Post by: de_F on December 08, 2018, 04:07:46 AM

> If you still have problems flashing the car on the bench, let me know so I can enable those functions for you.

Thx for the offer. Works perfectly now though. Will give it a try with those conditions/functions set as well.

Title: Re: MED17.5 Immo Question
Post by: gt-innovation on December 12, 2018, 04:53:17 AM

Forcing the ECU with those conditions removes the EPC fault DTC for sure and starts the car, as I have already tested that on my own car.