NefMoto

Technical => Reverse Engineering => Topic started by: elRey on March 08, 2012, 08:51:48 PM



Title: Immo functions in flash?
Post by: elRey on March 08, 2012, 08:51:48 PM
What are the functions in the flash that read/check the immo EEPROM and verify vin?

I'd like to code Vin into flash and check if vin in flash matches vin in EEPROM

Thanks,
Rey


Title: Re: Immo functions in flash?
Post by: gremlin on March 10, 2012, 07:06:50 AM
What are the functions in the flash that read/check the immo EEPROM and verify vin?

I'd like to code Vin into flash and check if vin in flash matches vin in EEPROM

What is your final target? Tuning Anti-copy?
IMHO then it's easier to patch the ECU warm init process with some (VIN or any other special marks) checking routine.
If OK then the routine ends with the "ret" command, if not OK it ends with "srst".
ECU will be virtually "bricked" (go to endless init loop) - no start, no answer etc...


Title: Re: Immo functions in flash?
Post by: elRey on March 10, 2012, 08:01:00 AM
What is your final target? Tuning Anti-copy?

Yes. But I don't want to disable the vehicle. Maybe just limp mode. I want them to be able to flash it back to stock over OBD.

Has anyone identified the IMMO check in the disassembled code yet? If so, what does it look like, so I know what I'm looking for?

Thanks,
Rey



Title: Re: Immo functions in flash?
Post by: gremlin on March 10, 2012, 08:50:02 AM
Yes. But I don't want to disable the vehicle. Maybe just limp mode. I want them to be able to flash it back to stock over OBD.

Why not a secret combination of pedals, CCS-switch etc to bypass checking routine?
After that you can rewrite ECU until IGN is on...


Title: Re: Immo functions in flash?
Post by: elRey on March 13, 2012, 10:32:59 AM
I want to copy immo function and set limp mode if vin doesn't match coded vin in flash. Simple.


If someone could point me to the immo function in IDA (sample code from immo3 ecu to search for) I can start there.

Thanks,
Rey