Title: Ford Reverse Engineering CAN BUS immo system
Post by: aqua_life on December 09, 2020, 01:59:33 AM

Hello,

I am trying to understand how communication between the ECU and BCM works on a Ford Focus 2016. The engine ECU is a MED17.2. Attached I send the ECU eeprom file.

Basically I want to make Immo OFF, however there is no solution on the internet and I have already tried many different things in software without success. So, I think it's easier to understand the communication between the ECU and BCM and make a CAN bus emulator to allow engine start.

With a CAN bus data logger I was able to discover this:

Each time I turn ON the ignition, the engine ECU sends CAN id 0x60. Each time I turn the ignition OFF and ON, bytes 2, 3, 4, 5, 6 are different. Then the engine ECU waits for the BCM answer, CAN id 0x1D0.

Each time I turn the ignition ON, the engine ECU sends a different message and the BCM answers with a different message to allow engine start. In BCM CAN id 0x1D0, bytes 4, 5, 6, 7, 8 are different for each ECU message.

Example 1:
Engine sends CAN 0x60: 00, 80, F4, 87, 62, 78, 00, 10
BCM answers CAN 0x1D0: A9, FF, FF, 83, DD, 20, C9, 4E

Example 2:
Engine sends CAN 0x60: 00, 68, 8C, 72, 85, 13, 00, 10
BCM answers CAN 0x1D0: A9, FF, FF, BA, 2C, A6, 82, 1E

Example 3:
Engine sends CAN 0x60: 00, 3D, C1, 1F, 73, 34, 00, 10
BCM answers CAN 0x1D0: A9, FF, FF, 8B, 6B, 7B, 5D, B0

I have many more examples but I am not able to find the algorithm to calculate this BCM code. Are you able to help?

Not sure if I am correct, but I think this is the eeprom part that contains the Immo data:

08 00 82 BF 75 04 00 00 00 00 01 00 E0 01 02 00 06 C2 00 00 00 00 00 00 3A 27 00 00 00 00 00 00 58 02 A5 01 C2 CC 9D 60 F3 9B 74 0C DA 7F 00 00 00 00 00 00 00 02 02 01 3F 80 00 00 40 40 00 00 43 FA 00 00 AA FF 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 45 53 2D 58 53 37 46 2D 08 00 00 00 10 8E DC E7

Thanks for your help

Title: Re: Ford Reverse Engineering CAN BUS immo system
Post by: aqua_life on December 09, 2020, 02:06:33 AM

Just some more information...

I was able to make a CAN module to send this ECU message instead of the ECU, and I checked the BCM answer.

Just a curiosity: if the engine sends 00 00 00 00 00, the BCM does not answer :)
If the engine sends other messages, the BCM answers correctly.

Engine message - BCM answer
00 00 00 00 01 - 38 51 B0 DE 9B
00 00 00 00 02 - EA 1D D8 80 51
00 00 00 00 03 - 7B 11 81 C7 94
00 00 00 00 04 - 32 CA 67 71 69

Thanks for your help

Title: Re: Ford Reverse Engineering CAN BUS immo system
Post by: H2Deetoo on December 10, 2020, 01:29:54 AM

It is very hard to determine an algo by looking at examples.
I suggest you disasm a part of the ecu firmware and find the appropriate routines. There is the algo ...

Rgs H2Deetoo

Title: Re: Ford Reverse Engineering CAN BUS immo system
Post by: gremlin on December 10, 2020, 11:47:44 AM

"I have many more examples but I am not able to find the algorithm to calculate this BCM code. Are you able to help ?"

Download a complete dump of the ECU flash memory. Maybe then someone can give a hint.

Title: Re: Ford Reverse Engineering CAN BUS immo system
Post by: aqua_life on December 11, 2020, 04:39:54 AM

Thanks for your help.

Attached I send you the flash file of the ECU. If someone wants to try any Immo OFF, I can test on the car. And if someone can try to find the Immo algorithm / routines.
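
Seen from the monitoring side, the exchange described in the first two posts leaves a recognizable trace on the bus. The following is an added example, not code from any poster in this thread: a small detector that walks a CAN log and flags 0x60 challenges that do not look like ignition-cycle challenges, and notes when a 0x1D0 answer follows one. The thresholds, the timestamps and the 8-byte layout of the constructed probe frames are assumptions; the byte values come from the posts above.

```python
# Added example. Thresholds, timestamps and probe frame layout are assumptions.
CHALLENGE_ID = 0x60   # engine ECU challenge frame (from the thread)
RESPONSE_ID = 0x1D0   # BCM answer frame (from the thread)

def analyze(frames, min_gap_s=2.0, min_distinct=3, answer_window_s=1.0):
    """Return (timestamp, reason) alerts for frames given as (ts, can_id, data)."""
    alerts, seen, last_ts, flagged_ts = [], set(), None, None
    for ts, can_id, data in frames:
        if can_id == RESPONSE_ID:
            # An answer shortly after a flagged challenge means the BCM served it.
            if flagged_ts is not None and ts - flagged_ts <= answer_window_s:
                alerts.append((ts, "BCM answered flagged challenge"))
            flagged_ts = None
            continue
        if can_id != CHALLENGE_ID:
            continue
        chal = bytes(data[1:6])  # bytes 2..6 (1-based) change per ignition cycle
        reasons = []
        if len(set(chal)) < min_distinct:       # e.g. 00 00 00 00 01
            reasons.append("low-diversity challenge")
        if chal in seen:                        # fresh challenges should not repeat
            reasons.append("repeated challenge")
        if last_ts is not None and ts - last_ts < min_gap_s:
            reasons.append("challenge rate too high")  # faster than a key cycle
        alerts.extend((ts, r) for r in reasons)
        flagged_ts = ts if reasons else None
        seen.add(chal)
        last_ts = ts
    return alerts

def frame(ts, can_id, hexstr):
    return (ts, can_id, bytes.fromhex(hexstr))

# Constructed log: two ignition cycles from Examples 1 and 2, then two probes.
SAMPLE = [
    frame(0.0, 0x60, "00 80 F4 87 62 78 00 10"),
    frame(0.1, 0x1D0, "A9 FF FF 83 DD 20 C9 4E"),
    frame(40.0, 0x60, "00 68 8C 72 85 13 00 10"),
    frame(40.1, 0x1D0, "A9 FF FF BA 2C A6 82 1E"),
    frame(80.0, 0x60, "00 00 00 00 00 01 00 10"),
    frame(80.1, 0x1D0, "A9 FF FF 38 51 B0 DE 9B"),
    frame(80.5, 0x60, "00 00 00 00 00 02 00 10"),
    frame(80.6, 0x1D0, "A9 FF FF EA 1D D8 80 51"),
]

if __name__ == "__main__":
    for ts, reason in analyze(SAMPLE):
        print(f"{ts:7.1f}s  {reason}")
```
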