|
Title: MED17 Flashcounter ASM patch Post by: Artemisia on May 17, 2025, 03:30:26 PM Hi,
I am looking to purchase a code patch to either freeze or reset the flash counter on VAG MED17 ECU using TP 2.0. I spent some time messing with related functions for CBData, no dice, and I would rather pay for a solution at this point. Send your price in PM and I will get in touch with you Thank you for your time! Title: Re: MED17 Flashcounter ASM patch Post by: gt-innovation on May 18, 2025, 11:59:17 AM I don`t think it is hard to do this.
I have mine done on uds ones. Either you patch cboot after the exploit or you look at the function that has to do with CB data and writes on eeprom. Counters are fairly easy to find in eeprom or virtual eeprom in ram once you have a way to read ram.Usually near vin, Title: Re: MED17 Flashcounter ASM patch Post by: fknbrkn on May 19, 2025, 02:08:10 AM I don`t think it is hard to do this. Will the ecu reflect the changed ram value in eeprom?I have mine done on uds ones. Either you patch cboot after the exploit or you look at the function that has to do with CB data and writes on eeprom. Counters are fairly easy to find in eeprom or virtual eeprom in ram once you have a way to read ram.Usually near vin, Title: Re: MED17 Flashcounter ASM patch Post by: gt-innovation on May 19, 2025, 03:34:48 AM The mirror of e2p in ram always copies itself back.I utilized the oem function to Zero out the counters. Again Look at CBdata .
Title: Re: MED17 Flashcounter ASM patch Post by: fknbrkn on May 19, 2025, 04:41:03 AM The mirror of e2p in ram always copies itself back.I utilized the oem function to Zero out the counters. Again Look at CBdata . Thanks, I'll try that Title: Re: MED17 Flashcounter ASM patch Post by: gt-innovation on May 19, 2025, 02:02:36 PM Thanks, I'll try that Don`t forget the hidden one :) which is before the others ;) Title: Re: MED17 Flashcounter ASM patch Post by: Artemisia on May 19, 2025, 06:17:04 PM I don`t think it is hard to do this. I have mine done on uds ones. Either you patch cboot after the exploit or you look at the function that has to do with CB data and writes on eeprom. Counters are fairly easy to find in eeprom or virtual eeprom in ram once you have a way to read ram.Usually near vin, Thank you, I will look to dump the ram and look around the vin. I have looked into the MED17 UDS shared source code and found this function: Code: /** I found that function in IDA and I believe I also found the index of the CBData block. I will do more tests this week and see if it writes the eeprom properly Don`t forget the hidden one :) which is before the others ;) Hidden counter?:) Would the counters be AttemptNo, SucceedNo and CBEraseCounter? Title: Re: MED17 Flashcounter ASM patch Post by: gt-innovation on May 20, 2025, 08:22:55 AM Eep_write is just a function to access/write the eeprom data. CBdata includes the counters. you can zero out the counters from eeprom manually or you can write a patch that will get an array of bytes and flash to the index / block / position that the counters are located. There is one counter alone(hidden like) and 5 or 6 counters depending on the available blocks grouped and saved exactly the same way that are presented via UDS DID.
To find the block / index position you need to calculate the distance between other known data saved in the same area.Failing to do so will overwrite vital data and eeprom might need to be recovered so back that stuff up. |