NefMoto

Technical => Reverse Engineering => Topic started by: instantioc on October 03, 2023, 05:17:31 PM



Title: BMW MG1 Bench Setup
Post by: instantioc on October 03, 2023, 05:17:31 PM
I'm honestly at a loss and hoping someone has some guidance. I bought an MG1 DME from an M5 (F90) to do some bench experiments. I also have an AMT BST clone interface and another commercial tool for bench reading and writing these ECUs. The bench diagram uses (2) 12V leads, GND and CAN-H and CAN-L for communication. Each of the tools identifies and is able to read and write to the ECU. I hooked up my Picoscope to record the CAN traffic and tried to decode with the built-in CAN decoder. I had moderate success with this ... mainly just some initial frames but never the whole exchange. That's problem 1. Problem 2 ... I tried attaching a Raspberry Pi with a CAN hat to the CAN bus and candump the bench tool reading the ECU's ID. Communication fails if the CAN hat is connected to the bus with the tools (either one). Yet the CAN hat can talk CAN0 to CAN1 no problem if wired back to back. My ultimate goal is to analyze the CAN exchange of a bench tool communicating with the ECU, reading VIN, and ideally later writing, but I'm not even crawling at this point ... just pooping my diaper.  ;D


Title: Re: BMW MG1 Bench Setup
Post by: instantioc on October 03, 2023, 05:29:16 PM
Adding a snapshot from the Picoscope. The initial identification with the commercial tool sends around 100 CAN frames with all of the same data, then pauses, and any further CAN messages are not able to be decoded with the built-in CAN decoder (at least by me).



Title: Re: BMW MG1 Bench Setup
Post by: prj on October 03, 2023, 10:23:41 PM
At your level of knowledge... give up now... sorry.

1. The protocol is not CAN, it's only using the CAN transceiver. So any CAN sniffing tools do not work.
2. Learn at least about the CAN topology, this is open info. Your Pi probably has a termination resistor.


Title: Re: BMW MG1 Bench Setup
Post by: instantioc on October 04, 2023, 09:16:02 AM
"At your level of knowledge... give up now... sorry."

Ha ... I expected nothing less from you. Seems to be your MO. I'll continue researching and publish stuff in my thread as I find valuable info. At least others at my inferior level may find some benefit. Thanks for your helpful advice as always.


Title: Re: BMW MG1 Bench Setup
Post by: Irish37 on October 05, 2023, 08:08:22 AM
... sorry.


You ain’t sorry. You are a Liar

Can’t help? Can’t teach, or show him the way?
You know how to do it, and can help and can teach, but you actively choose not to because being a total CUNT makes you feel better than others.

Greedy whores who can’t share free knowledge

This place is sad as fuck

PRJ, how about you give up on life?
You have the appeal of a steaming pile of shit


Title: Re: BMW MG1 Bench Setup
Post by: instantioc on October 05, 2023, 01:25:27 PM
I truly was not expecting someone to hand over code they've been working on for a while or anything remotely close. Instead of the "kindly fuck off and kill yourself ... sorry" that I got, here would have been a slightly more helpful response or even none at all.

1. The protocol is not CAN, it's only using the CAN transceiver. So any CAN sniffing tools do not work.  <<<< Good start to a response. Maybe give a hint as to what protocol is actually running if you know (ISO-TP, UDS, etc). Still don't understand why I did actually see some CAN traffic that was decoded, though, if there's no CAN.
2. Learn at least about the CAN topology, this is open info. Your Pi probably has a termination resistor. <<< Not a horrible response. At least it gives a hint. I did research and actually tried the 120 ohm switch in both settings. I've since found another thread discussing "silent" mode (RX only) on the CAN transceivers which I will experiment with.





Title: Re: BMW MG1 Bench Setup
Post by: prj on October 05, 2023, 01:31:29 PM
Maybe give a hint as to what protocol is actually running if you know (ISO-TP, UDS, etc). Still don't understand why I did actually see some CAN traffic that was decoded though if there's no CAN.
In the SBOOT itself the only thing used from CAN is the physical transceiver, as I already told you.
Why you bring in transport and service layer protocols when it's not even running CAN frames is beyond me. I mean you see it yourself at this point, don't you?
No amount of CAN configuration will give you anything, because it's not really CAN beyond the physical layer.

Search this forum, this has been discussed here in the past...
But you really picked the wrong protocol for an easy copy paste.


Title: Re: BMW MG1 Bench Setup
Post by: instantioc on October 05, 2023, 01:59:25 PM
Thank you for responding. I'll keep at it. If it were easy, it wouldn't be any fun.  ;D Maybe I'm just a glutton for punishment or I enjoy spending thousands on tools, toys and software. It's all about the journey. I don't make my living off of any of this. It will never be more than a hobby for me.


Title: Re: BMW MG1 Bench Setup
Post by: jcsbanks on October 05, 2023, 03:29:41 PM
UART?


Title: Re: BMW MG1 Bench Setup
Post by: terminator on October 05, 2023, 06:38:27 PM
It's UART. First CAN, then switches to UART.
MEDC17 can be fully read via CAN, but not sure about MDG.


Title: Re: BMW MG1 Bench Setup
Post by: elias on October 06, 2023, 04:11:55 AM
Can someone remind me of the USB adapter which is able to communicate with UART and CAN on the physical CAN pins? It would help the thread starter as he wants to do an open-source solution.


Title: Re: BMW MG1 Bench Setup
Post by: Geremia on October 06, 2023, 11:15:40 AM

- want to make an open-source copy-paste of some [probably cloned] commercial tool protocol
- can't even understand a sniff
- expect a tutorial from the knowledgeable people, since precious hints are not enough.

Pause 5 minutes, guess how many months of reverse engineering it would take to find a bug to exploit in the first place. Do you think that these exploits grow in the garden for free? Where do you think the knowledge comes from, if not from years of professional reverse engineering? Do you really think you deserve help to make your after-dinner project to get cool with friends? This is not "car-hacking" around the steering wheel of a crappy Jeep with an Arduino, sorry.



Title: Re: BMW MG1 Bench Setup
Post by: jcsbanks on October 06, 2023, 02:08:43 PM
Can someone remind me of the USB adapter which is able to communicate with UART and CAN on the physical CAN pins? It would help the thread starter as he wants to do an open-source solution.

No idea of the USB adapter, but an ESP32 is able to do UART or CAN on the same pins and is able to be switched at run time. Most microcontrollers with pin mapping should be able to.


Title: Re: BMW MG1 Bench Setup
Post by: instantioc on October 06, 2023, 02:20:06 PM
- want to make an open-source copy-paste of some [probably cloned] commercial tool protocol
- can't even understand a sniff
- expect a tutorial from the knowledgeable people, since precious hints are not enough.

Pause 5 minutes, guess how many months of reverse engineering it would take to find a bug to exploit in the first place. Do you think that these exploits grow in the garden for free? Where do you think the knowledge comes from, if not from years of professional reverse engineering? Do you really think you deserve help to make your after-dinner project to get cool with friends? This is not "car-hacking" around the steering wheel of a crappy Jeep with an Arduino, sorry.



WTF are you talking about? Not one of these assertions is even remotely true. I'm not sure if you feel threatened about folks sharing information with each other and it affecting your livelihood or if you're just a dick, maybe both? As far as using a commercial tool(s) and studying them, OF COURSE I'm going to do that. I already own them and why wouldn't I glean info if available? You'd have to be at least mildly retarded not to. That is LITERALLY the definition of reverse engineering. I'd venture to guess you've probably done the same as well before you decided to hoard and sell the info. Also, I have no need to "get cool with friends" ... maybe that's your bag? Maybe just projecting a bit?  Really trying to understand your hostility here.


Title: Re: BMW MG1 Bench Setup
Post by: prj on October 07, 2023, 02:25:20 AM
As far as using a commercial tool(s) and studying them, OF COURSE I'm going to do that. I already own them and why wouldn't I glean info if available? You'd have to be at least mildly retarded not to. That is LITERALLY the definition of reverse engineering.

Reverse engineering is if you take the ECU and find your way in without copying what someone else did before you.
Calling sniffing a commercial tool and replicating the behaviour "reverse engineering" is an insult to those of us who actually do it and make the solutions that others copy.
The correct term is "stealing IP".


Title: Re: BMW MG1 Bench Setup
Post by: Geremia on October 07, 2023, 08:36:45 AM
WTF are you talking about? Not one of these assertions is even remotely true. I'm not sure if you feel threatened about folks sharing information with each other and it affecting your livelihood or if you're just a dick, maybe both? As far as using a commercial tool(s) and studying them, OF COURSE I'm going to do that. I already own them and why wouldn't I glean info if available? You'd have to be at least mildly retarded not to. That is LITERALLY the definition of reverse engineering. I'd venture to guess you've probably done the same as well before you decided to hoard and sell the info. Also, I have no need to "get cool with friends" ... maybe that's your bag? Maybe just projecting a bit?  Really trying to understand your hostility here.

Reverse engineering means smashing balls with IDA for weeks/months; what you are doing is fishing for info to have an easy job done, the typical approach of today's dickyhead kids, better ask mama to solve problems.
I don't remember having asked anyone for hints; aid just takes away the pleasure of discovering.
I've an ethic which differs from yours. I don't give a fuck if some big company SW engineer made bugged code; I respect people that spend time finding bugs to exploit, I disrespect scriptkiddies.



Title: Re: BMW MG1 Bench Setup
Post by: instantioc on October 07, 2023, 09:39:56 AM
Reverse engineering is if you take the ECU and find your way in without copying what someone else did before you.
Calling sniffing a commercial tool and replicating the behaviour "reverse engineering" is an insult to those of us who actually do it and make the solutions that others copy.
The correct term is "stealing IP".

First of all prj, thank you for what helpful info you did choose to provide to me ... even if it was in a bit of a dick-ish manner initially. I think part of the problem is that there's a bit of bias and assumptions about what my intent is with whatever information I end up with. I understand many of you have developed solutions only to find them being stolen and sold on Aliexpress. Facts are, the tools I'm using are most likely clones of clones of clones. I'm feeling confident that not all of these tools found some unique vulnerability and exploited it. But bashing me for trying to leverage existing work and expedite my time to solution is misguided. I'm simply trying to learn from others that have done this before me, like "standing on the shoulders of giants". This isn't a go-and-plagiarize-someone-else's-work-and-then-sell-or-distribute-it-as-my-own sort of thing like I'm being accused of. Would I love for there to be an open-source solution like others (bri3d) have chosen to do? Sure. But what someone does with their own work is their choice. It is not my intent to take anything and go publish or profit from it. I have 2 tools that do different things with some overlap, but neither of them does exactly what I want. I'm kind of just trying to combine the hammer and screwdriver into a single tool for my own selfish needs.


Title: Re: BMW MG1 Bench Setup
Post by: instantioc on October 07, 2023, 09:49:38 AM
Reverse engineering means smashing balls with IDA for weeks/months; what you are doing is fishing for info to have an easy job done, the typical approach of today's dickyhead kids, better ask mama to solve problems.
I don't remember having asked anyone for hints; aid just takes away the pleasure of discovering.
I've an ethic which differs from yours. I don't give a fuck if some big company SW engineer made bugged code; I respect people that spend time finding bugs to exploit, I disrespect scriptkiddies.



Geremia - I'm not even sure why you are in this thread. You're offering no help at all other than entertaining me like Grampa Simpson. You keep referring to kids and script kiddies like a grumpy curmudgeon. I'm probably older than you are in reality. If you are just here to dick ride prj, you can start your own thread. This isn't about you and I could care less what you approve of, find pleasure in, or if you enjoy smashing your balls. Just move along, ignore and go on about your day.


Title: Re: BMW MG1 Bench Setup
Post by: Geremia on October 07, 2023, 10:01:18 AM
Sure, will do, happy fishing