NefMoto

Technical => Reverse Engineering => Topic started by: labibelectronic on September 12, 2023, 04:47:22 AM



Title: EDC17c64 info request
Post by: labibelectronic on September 12, 2023, 04:47:22 AM
hi,

can anyone please provide any information on what kind of data are located at the 25th sector (25 0xA0220000 0x00020000 RW) of an edc17c64 ???

and is there a software possibility to set it to read only, then to bypass the flag in order to write it ????

SAK-TC1797-512F180EX

thkx folks


Title: Re: EDC17c64 info request
Post by: prj on September 12, 2023, 05:04:52 AM
https://xyproblem.info/

What is your goal? What are you trying to accomplish?


Title: Re: EDC17c64 info request
Post by: labibelectronic on September 12, 2023, 05:14:08 AM
nothing bad :)

I have an ecu that fails to write the mentioned sector using whatever tool in whatever protocol (obd, bench & boot)


Title: Re: EDC17c64 info request
Post by: prj on September 12, 2023, 06:55:24 AM
Quote from: labibelectronic
nothing bad :)

I have an ecu that fails to write the mentioned sector using whatever tool in whatever protocol (obd, bench & boot)

And this is exactly why I asked.
Sector probably has ECC failure and you need a tool that can work around it. Contact tool support.

If you only have china or cheap tools then you're not going to solve it.


Title: Re: EDC17c64 info request
Post by: labibelectronic on September 12, 2023, 08:27:35 AM
this tool for example :)


Title: Re: EDC17c64 info request
Post by: IamwhoIam on September 12, 2023, 08:45:45 AM
frieling iBoot will solve this as will another few tools out there on the market. If you're using cheap or clone tools, you won't be able to fix this ever. Good luck to you.


Title: Re: EDC17c64 info request
Post by: labibelectronic on September 12, 2023, 08:56:09 AM


using an original full master MMS Flex, so no problems (with the help of their perfect support)

but I think this issue is a bit deeper & unusual


Title: Re: EDC17c64 info request
Post by: prj on September 12, 2023, 09:46:28 AM
I don't think you will solve it with flex...

There is nothing deep about it, 99% you have an ecc failure in that flash sector and all the tools that assume this can never happen will not solve it.


Title: Re: EDC17c64 info request
Post by: labibelectronic on September 13, 2023, 06:57:54 AM
Quote from: prj
I don't think you will solve it with flex...

There is nothing deep about it, 99% you have an ecc failure in that flash sector and all the tools that assume this can never happen will not solve it.

hi,

can you provide more details please. downloaded the tc1797 datasheet and I guess I read something about changing sector status such as

• Sector specific write protection with support of re-programmability or locked forever

maybe somehow, the status changed


Title: Re: EDC17c64 info request
Post by: prj on September 13, 2023, 07:26:58 AM
Quote from: labibelectronic
hi,

can you provide more details please. downloaded the tc1797 datasheet and I guess I read something about changing sector status such as

• Sector specific write protection with support of re-programmability or locked forever

maybe somehow, the status changed

TC1797 user manual, PMU documentation. ECC.

I will tell you for the third time. Your assumption of the problem is wrong.
Your attempted solution is completely wrong, because you're assuming something that is not true.
You are so focused on your perceived solution that you fail to understand that the cause is something completely different.

Hence why I linked you to https://xyproblem.info/. I do recommend you read it.
Or you can continue this pointless discussion about read only regions, which has absolutely nothing to do with the problem you are facing.

For the final time, your sector has an ECC fault and the moment it gets accessed it causes a hardware trap on the processor. If the flashloader the tool is using is not set up to handle it, then it does not and the ECU resets.
Because causing an ECC fault is not really straightforward (you have to do something out of spec, like write without erase, which is used for obd exploits, and then fail in the middle) then most flashtools can't recover from it.

Write your own BSL loader or use a tool that can handle it, such as above mentioned Frieling tool and IIRC bFlash.
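
Added example, not part of the thread and not code from any poster or tool vendor: a toy C model of the failure described in the post above, where programming a flash word a second time without an erase can only clear more bits, so the stored data and its ECC bits stop agreeing and the next read reports an uncorrectable error. The extended Hamming(8,4) code, the single-word `cell` and all function names are assumptions for illustration; this is not the TC1797's actual ECC layout or PMU interface.

```c
#include <stdint.h>
#include <stdio.h>

enum ecc_status { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE };
static uint8_t parity8(uint8_t v) { v ^= v >> 4; v ^= v >> 2; v ^= v >> 1; return v & 1; }

/* Toy SEC-DED code (assumed): bit i = Hamming position i, bit 0 = overall parity. */
uint8_t ecc_encode(uint8_t d) {
    uint8_t c = (uint8_t)(((d & 1) << 3) | (((d >> 1) & 1) << 5) |
                          (((d >> 2) & 1) << 6) | (((d >> 3) & 1) << 7));
    c |= (uint8_t)(parity8(c & 0xAA) << 1);   /* covers positions 3,5,7 */
    c |= (uint8_t)(parity8(c & 0xCC) << 2);   /* covers positions 3,6,7 */
    c |= (uint8_t)(parity8(c & 0xF0) << 4);   /* covers positions 5,6,7 */
    return c | parity8(c);                    /* make total parity even */
}

enum ecc_status ecc_decode(uint8_t c, uint8_t *d) {
    int syn = parity8(c & 0xAA) | (parity8(c & 0xCC) << 1) | (parity8(c & 0xF0) << 2);
    enum ecc_status st = ECC_OK;
    if (parity8(c)) {                 /* odd parity: one flipped bit, at position syn */
        c ^= (uint8_t)(1u << syn);
        st = ECC_CORRECTED;
    } else if (syn) {                 /* even parity but bad syndrome: two bits wrong */
        return ECC_UNCORRECTABLE;     /* per the thread, the CPU traps at this point */
    }
    *d = (uint8_t)(((c >> 3) & 1) | (((c >> 5) & 1) << 1) |
                   (((c >> 6) & 1) << 2) | (((c >> 7) & 1) << 3));
    return st;
}

static uint8_t cell = 0xFF;           /* one flash word: data bits plus ECC bits */
void flash_erase(void) { cell = 0xFF; }                  /* erase sets every bit to 1 */
void flash_program(uint8_t d) { cell &= ecc_encode(d); } /* programming only clears bits */
enum ecc_status flash_read(uint8_t *d) { return ecc_decode(cell, d); }

/* Constructed scenario: program 0x5, then program 0x3 with no erase in between. */
enum ecc_status overwrite_without_erase(uint8_t *d) {
    flash_erase();
    flash_program(0x5);
    flash_program(0x3);
    return flash_read(d);
}

int main(void) {
    uint8_t d = 0;
    enum ecc_status st = overwrite_without_erase(&d);
    printf("read after overwrite: status=%d (2 = uncorrectable)\n", st);
    return 0;
}
```

A loader that treats every read as `ECC_OK` has no path for the third status, which is the situation the post describes for tools that assume the fault can never happen.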


Title: Re: EDC17c64 info request
Post by: labibelectronic on September 14, 2023, 06:43:54 AM
@prj

official statement from the company

"we have to consider first critical point:
WRITE process implies ERASE in any case, it's mandatory.
Every ECM, every MICRO has fingerprint area so you cannot "override" data without perform ERASE in first place, otherwise programming process wouldn't even start.
So that's not the solution to such similar situation.

About ECC, this system (since you also read the TC1797 datasheet) works in mode "single error correction, double error detection" for this MICRO type.
When Flex starts WRITE process the ECC system is totally shut down via ERASE process.
Indeed, when you did WRITE, error came during UNLOCK, not during ERASE, so totally different stuff."


Title: Re: EDC17c64 info request
Post by: prj on September 14, 2023, 07:26:19 AM
Quote from: labibelectronic
WRITE process implies ERASE in any case, it's mandatory.

This statement alone shows that this person does not really know what he is talking about.
Of course it's possible to write without erase. That's how all the OBD unlocks work and this is also how to trash the ECC.
As I said before, this issue has happened many times, and in the end was fixed with certain tools only.
Flex is not one of them.

I am not sure what the point of this yadda yadda is.

Just throw the ECU in the trash and get a new one, since this one clearly can't be saved ;)
Or find someone with tools mentioned above and recover it.


Title: Re: EDC17c64 info request
Post by: labibelectronic on September 14, 2023, 07:48:21 AM
hi,

"the person" is a MITM so ...

the ecu has been replaced cloned and the car is up & running

we'll plan to buy the mentioned tools later in case...

the yadda yadda is strictly for "educational purposes" :)

best rgrds