NefMoto

Anyone here into linux and open source projects with cars? I've been using linux as my primary machine (I use arch btw) and I started playing around with USB2CAN and ELM327 to retrieve and write information momentary temporary information. Right now I am trying to wrap my head around how does an actually software read the full chip or just the part where is used for remapping? I've done specific chip reading before where electricity is stopped on the device, and with the use of pin clamps information is extracted in to a linux machine. This was for PC BIOS unlocking where some BIOS does not allow you to use different WIFI card. I believe the concept is similar. I have also seen people grounding some pins on the ECU to put it into boot mode where the software reads the full ECU. Both original and clone software don't give you an insight and full control of how things work. I want to fully find out how things work and help improve the open source community. There are already very good open source projects for car diagnostics and map configurations (as long as there are the map def files). But unfortunately I didn't come across anything regarding reading and writing into ECU with open source.

I would appreciate if anyone can point me to the right direction. Thanks.

oof, defo feel like i lost some brain cells on this one

That doesn't mean anything to me.

hmm how about https://github.com/NefMoto/NefMotoOpenSource/

https://github.com/nyetwurk/ecuxplot
https://github.com/nyetwurk/ME7Sum
https://github.com/nyetwurk/ME7L
https://github.com/nyetwurk/me7-tools
https://github.com/nyetwurk/mmll
https://github.com/nyetwurk/ME7Explorer

https://github.com/KalebKE/ME7Tuner

Thank you. I recently saw this. As you might tell I am new to the forum. I will check it out and play around with it.

Thank you! I just gave you a follow on GitHub  ;D You got very interesting projects there. Is this what you do as a main job or side hobby? Currently for me is just a side hobby and slowly will dive into thinkering around with ECUs as I just love programing, reverse engineering and IoT.

side hobby, unfortunately have less and less time to dedicate to it.

but good software devs that understand both git and cars are thin on the ground, so your help would be greatly appreciated!

I have been doing some research as I am new and will share what I have found out so far so that I can use it for reference for myself and to help other people out. This will only be the 1st update out of many.

My goal is to use Unix based OS and be able to read full ECU data, modify and write the modified data back.

First of all I learned how the communication happens between the device (laptop) and the ECU. The laptop uses USB to connect to the OBD2 port of the car. From there on, for retrieving data from the car's ECU the cheapest alternative that can be used is ELM327 micro-controller. According to Wikipedia, protocols supported by ELM327 are:

- SAE J1850 PWM (41.6 kbit/s)
- SAE J1850 VPW (10.4 kbit/s)
- ISO 9141-2 (5 baud init, 10.4 kbit/s)
- ISO 14230-4 KWP (5 baud init, 10.4 kbit/s)
- ISO 14230-4 KWP (fast init, 10.4 kbit/s)
- ISO 15765-4 CAN (11 bit ID, 500 kbit/s)
- ISO 15765-4 CAN (29 bit ID, 500 kbit/s)
- ISO 15765-4 CAN (11 bit ID, 250 kbit/s)
- ISO 15765-4 CAN (29 bit ID, 250 kbit/s)
- SAE J1939 (250kbit/s)
- SAE J1939 (500kbit/s)

I am not going to pretend that I know what all those mean but for now I am familiar with JXXXX and CAN. I learned that using ELM327 device and open source compatible projects like python-OBD [2] and PiOBDII [3], useful real time information can be obtained my accessing the right memory location or my monitoring the memory and reading the hex values.

After some more diving, I found out about SocketCAN [4]. It gives you a deeper understanding of how a communication happens through CAN and how you can read the values and even modify them (temporary). I followed these guides to generate fake CAN traffic and played around: Check Sources [5], [6] and [7].

After learning about that, the only thing on my mind was "how can I fully read and write to the ECU?". I came across a project called "ecutools" on github [8]. After checking out the source code, I came across a file called "j2534". I looked it up on Google and came across one article which explained it well for me to understand [9]. For some reason J2534 is known very well for diagnostic and reprogramming and is used by "professionals". Those professionals don't know how it works on a programming level, they just use the tools. While learning more about J2534, I came across a github issue which talks about very interesting points [10]. It is mentioned in the github issue that CAN can be used for reprogramming (even though I searched so many times on Google and didn't find anything that was a basic concept that explained that). Based on user Altenius "ECUs use a seed and key algorithm to secure certain services such as reprogramming, so you will not be able to reprogram it just by sniffing the session. You would need to find the algorithm which would require reverse engineering the firmware on the ECU." He suggests a book which I have came across but haven't read in detail [11].

For now that's all I know. I am just starting to dive into how I can actually read and write to the ECU. I am clear on how reading live values work and how it can be temporarily manipulated, but reprogramming is on another level.

If you have anything to add or correct, please do.

Thank you and I hope someone has found this helpful.

[1] https://en.wikipedia.org/wiki/ELM327#Protocols_supported_by_ELM327
[2] https://github.com/brendan-w/python-OBD
[3] https://github.com/BirchJD/PiOBDII
[4] https://www.kernel.org/doc/Documentation/networking/can.txt
[5] https://medium.com/@yogeshojha/car-hacking-101-practical-guide-to-exploiting-can-bus-using-instrument-cluster-simulator-part-i-cd88d3eb4a53
[6] https://medium.com/@yogeshojha/car-hacking-101-practical-guide-to-exploiting-can-bus-using-instrument-cluster-simulator-part-ee998570758
[7] https://medium.com/@yogeshojha/car-hacking-101-practical-guide-to-exploiting-can-bus-using-instrument-cluster-simulator-part-ea40c05c49cd
[8] https://github.com/jeremyhahn/ecutools
[9] http://www.drewtech.com/customers/diagaftmkt.html
[10] https://github.com/Altenius/j2534-rs/issues/1
[11] http://opengarages.org/handbook/

Great links, these schould be somewere on sticky tread or some wiki

You're going down the right path. I don't mean to diminish your research. These links are all great for a beginner and keeping this in one place is wonderful.

But, you're going in a slow meandering way IMO.

Read the code to the NefMoto flasher I linked you, it's all there for you. Then read about ISO 14229 UDS, which is generally speaking based on the KWP protocol the NefMoto flasher uses but over CAN-TP as the transport instead of a serial line.

J2534 is a minor aside in all this, it's a convenient way to access CAN from Windows but nothing more. You could use the ELM327 protocol (not recommended, it sucks) or SocketCAN on Linux instead of J2534 on Windows, it's all the same at the end of the day. It sounds like you've figured this part out already :)

Between the NefMoto flasher and the ISO 14229 documentation, you'll have a general idea of the ECU flashing process works (very broadly speaking diagnostic session -> security access -> erasememory -> request download -> transfer data (repeat) -> exit transfer -> checksum -> reset).

Now you can read "Corporate Group Requirement Specification For Programming Control Units with Keyword Protocol 2000 Transport Protocol 2.0.pdf" which documents this procedure for VW ECUs specifically, including the SecurityAccess Seed/Key calculation which is a simple bytecode script transformation.

Next, you need to understand how the ECU software verifies its own integrity. This varies from ECU to ECU. For example, in ME7 (which the NefMoto flasher handles) this is basic sum/CRC checksums applied to various blocks. ME7Sum at https://github.com/nyetwurk/ME7Sum can calculate these for you and "fix" an ME7 file so it will pass its own integrity checks. Later in the ME7 days, an RSA integrity check was added to the application running on the ECU, but it's performed by the software itself after it's running rather than when it's written, so it can either be removed in the ECU code or self-signed (the public key replaced and the file signed with a valid, matching key). ME7Sum can self-sign RSA ME7 files as well.

For newer ECUs, there is usually a real integrity check (RSA, etc.) and sometimes the flash payload is encrypted with AES, too. For these ECUs, you need to reverse engineer the integrity checking and find the AES keys as well as an exploit in the chain of trust, just as you would with any other protected hardware. Unfortunately these exploits are usually fought over and protected as there's $$$ to be made in this industry. Learning to use Ghidra or IDA and how to map ECU files at the correct memory addresses to follow the disassembly is what will let you eventually figure this stuff out.

Also, you mention reading. On most modern ECUs, you simply can't read the ECU back when the application software is running as the ability to do so was intentionally left out of the software. You'll have to add the ability back by breaking the chain of trust somewhere and adding your own flash read-out/transfer code, or rely on decrypted factory update files (FRFs), also known as "virtual reads" to help you on your path.

Thank you one more time. Will definitely do! I really appreciate the points you gave for me to adjust my route instead and move forward on specific topics, instead of "meandering" around. I will check out the code and see how NefMoto handles the reading, writing and checksum part. I think that would be a starting point. Love reading documentations so I will read ISO 14229 documentation too.

Does anyone know where I can find free PDF for ISO 14229 documentation? It's a lot of money which I am not willing to pay.

Never mind. Found the 2006 edition for now.

Okay I found something interesting and new for me.

As you guys know, geohotz is into AI and vehicles. I checked out his projects of his company comma.ai and found panda.

As I am good with python, I checked the code and I kind of understand it (especially after I checked out ISO 14229). This two links are what I am going to look and try to understand:

- https://github.com/commaai/panda/blob/9fb584b20cbbee80aa3e4c98416da726dcd4c1f2/python/dfu.py#L14

- https://github.com/commaai/panda/blob/9fb584b20cbbee80aa3e4c98416da726dcd4c1f2/python/dfu.py#L14

The crazy part is that they have a JS version which allows you do read and write from your browser. I have long way to go and just using my free time on learning for now. So I though I share for people that can make use of it, because trust me I have spent a lot of time researching and will for sure spend hundreds of hours more.

That's it for now.
Thanks.

I'm a little confused where you're going here, this DFU mode code you linked in the Panda is the way the Panda gets reflashed over USB, it's entirely unrelated to ECUs or even cars really, just a standard STM32 microcontroller update system.

Maybe https://github.com/pylessard/python-udsoncan and https://github.com/richClubb/python-uds/ , specifically https://github.com/richClubb/python-uds/blob/master/test/Uds-Config-Tool/Functional%20Tests/E400NewProgrammingSequence.py can help if your best language is Python?

That second project is massive academic overkill since it tries to implement the ASAM flashing standard (where the addresses and blocks to flash are defined by an ODX file), but that file does give you a good outline in Python of the steps I laid out in my last post on this thread: diagnostic session -> security access -> erase memory -> download -> transfer data -> exit transfer -> checksum -> reset ECU.

Also, geohotz is a wanker.

Today I found one more alternative.

Its a python library called UDSonCAN. I am considering using MCP2515 can bus module either with RP3 or Arduino to start my testing because is cheap but reliable way. UDSonCAN is basically everything you need that was specified on ISO 14229 documentation. I am still not clear on how change diagnostic session works for writing data but I guess now I need an ECU to play around with. That would be the only way to learn.

- UDSonCAN: https://github.com/pylessard/python-udsoncan
- MCP2515 Module CAN Bus Module SPI Module CAN Shield for Raspberry Pi

Lol I agree. I actually posted about UDSonCAN just now and saw your post. Panda is too expensive and overcomplicated. Check my update and thanks for the recommendation.

https://github.com/bri3d/VW_Flash/blob/master/flashsimos18.py here's a worked example of UDSonCAN -> Flash.

I hope this illustrates my main points:

The basic flashing routine is simple. Diagnostic session -> security access -> erasememory -> request download -> transfer data (repeat) -> exit transfer -> checksum -> reset is shared across almost all ECUs, because there's no reason to add complexity, and why make your dealer tools more expensive to develop? The details of SecurityAccess and the routines used in flashing differ from manufacturer to manufacturer, but for the most part, there's no reason to add extra cost to both the supplier's ECU development process and the manufacturer's tools development process.

Here's the thing though: this is where the commonalities end. The ability to flash arbitrary software on any given ECU is an exercise in reverse engineering much simpler than (most of the time...) but no different to jailbreaking a new mobile phone or games console: the trust chain needs to be compromised at runtime, arbitrary code must be inserted, and then a permanent "untethered" security bypass needs to be installed to allow for custom calibration.

This is the challenge in tuning and goes far beyond flashing, which is honestly the elementary part left to the reader. I think a lot of the reason you don't see more open-source flashing software, not to be elitist to _too_ great a degree, is that by the time you've built a tuning solution for an ECU, flashing is a distant, trivial afterthought.