NefMoto

Technical => Reverse Engineering => Topic started by: _nameless on May 08, 2026, 11:38:27 PM



Title: EDC16U31 info
Post by: _nameless on May 08, 2026, 11:38:27 PM
I've been working on making my own flashing tools for various reasons. Anyway, I thought I would share some of the information that I uncovered...
## Status

| Component | Status |
|---|---|
| Fast init (StartCommunication) | implemented from sniff |
| ReadECUID 0x9B + flash counter extraction | implemented + verified |
| Security Access L1 (algorithm) | **verified algorithmically** against 14 captured pairs |
| Security Access L2 | INTENTIONALLY NOT IMPLEMENTED — locks ECU on failure |
| Programming session entry (10 85 + 10 85 50) | implemented from sniff |
| Auto-baud switch to 38400 | implemented |
| RequestDownload (SID 0x34, fmt 0x02 plain) | implemented from sniff |
| Erase routine (StartRoutine 0xC4) with counter trailer | implemented + verified |
| TransferData (128-byte chunks, plain) | implemented from sniff |
| TransferExit (SID 0x37) | implemented from sniff |
| Checksum validation (StartRoutine 0xC5, sum-of-bytes) | **verified** against bin file |
| Read flow | NOT IMPLEMENTED (no read sniffs yet) |
| GUI | NOT IMPLEMENTED — CLI only |

Calibration regions (the only parts a normal flash writes):
  calA: 0x180000..0x1BFFFF (256 KB)
  calB: 0x1C0000..0x1FDFFF (248 KB)
  Bootloader and main code are NEVER touched during a calibration write.
  This makes EDC16 inherently safer than ME7 cross-flashing.

Wire framing: always physically-addressed (80 10 F1 ...).
  No Bosch extended-short-form like ME7 uses.

Programming baud: 38400 (auto-baud after 10 85 50)

Chunk size: configurable 128–254 bytes per TransferData frame.
  The ECU advertises its max block in the RequestDownload response.

Security Access L1: SAME algorithm as ME7 (NefMoto 5-round XOR/rotate),
  just with KEY = 0x0A221289 (table[0]) instead of ME7's 0x5FBD5DBD (table[63]).

Security Access L2: key = seed + 0x00002FC9 (32-bit big-endian).
  Required only for read operations. Not all ECU variants implement it.

Checksum: simple sum-of-bytes mod 65536, NOT CRC-32 (which is what ME7 uses).

Flash counter: ECU stores a session counter at offset 18-22 of the
  ReadECUID 0x9B response. The erase command must include 00 [N+1] [N+1] 00 00 [N]
  in the trailer, where N is the current counter. The ECU rejects mismatches.

Read protocol (Kess-verified):
  L1 + L2 security unlock
  10 86 diagnostic session (stays at 10400 baud — no switch)
  RequestUpload with format 0x00 (plaintext, not encrypted)
  TransferData using bare non-addressed framing (01 36 37)
  Data returned as raw plaintext — no LFSR decryption needed
  Some ECUs require a small prerequisite read (256 bytes from 0x1C0000)
  before the main 516 KB read from 0x180000
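Added worked example, not the poster's tool and not code from this thread: Python helpers for the pieces of the write flow the post spells out. The physically-addressed framing (80 10 F1, a separate length byte, then a trailing checksum that is the sum of all preceding bytes mod 256, which is standard KWP2000 K-line framing), the L2 formula, the sum-of-bytes checksum, the 128–254 byte chunk limit, the calA/calB bounds and the erase counter trailer come from the post. The L1 round function is not given in the post: the version below is reconstructed from the commonly published ME7 routine with the post's key constant substituted, so it is an assumption and must be checked against captured seed/key pairs before use. Which byte range the ECU sums for the checksum, how N is read out of the 0x9B response, and the treatment of N as a single byte are likewise assumptions left to the caller; all sample data is constructed.

```python
"""Helpers for the EDC16U31 KWP2000 write flow described in the post.

Added example, not the poster's tool. What the post states is used as is
(framing, cal regions, L2 formula, checksum type, chunk limits, erase
trailer). Anything beyond that is marked ASSUMPTION.
"""

ECU_ADDR, TESTER_ADDR = 0x10, 0xF1
L1_KEY_EDC16 = 0x0A221289    # table[0], per the post
L1_KEY_ME7 = 0x5FBD5DBD      # table[63], per the post (for comparison only)
L2_OFFSET = 0x00002FC9
CAL_A = (0x180000, 0x1BFFFF)
CAL_B = (0x1C0000, 0x1FDFFF)


def build_frame(payload: bytes, dst: int = ECU_ADDR, src: int = TESTER_ADDR) -> bytes:
    """Wrap a service payload in the physically-addressed KWP2000 header the
    post shows (80 10 F1 ...). Format byte 0x80 means the length is carried in
    a separate byte, so the payload is limited to 255 bytes; the trailing
    checksum is the sum of every preceding byte modulo 256."""
    if not 1 <= len(payload) <= 0xFF:
        raise ValueError("payload must be 1..255 bytes for the 0x80 header form")
    body = bytes([0x80, dst, src, len(payload)]) + payload
    return body + bytes([sum(body) & 0xFF])


def parse_frame(frame: bytes) -> bytes:
    """Inverse of build_frame for ECU replies; rejects a bad length or checksum
    instead of guessing, so a corrupted reply never reaches the state machine."""
    if len(frame) < 5 or frame[0] != 0x80:
        raise ValueError("not a physically-addressed KWP2000 frame")
    if len(frame) != 5 + frame[3]:
        raise ValueError("length byte disagrees with frame size")
    if sum(frame[:-1]) & 0xFF != frame[-1]:
        raise ValueError("frame checksum mismatch")
    return frame[4:-1]


def l1_key(seed: int, key: int = L1_KEY_EDC16) -> int:
    """Security Access level 1.
    ASSUMPTION: the post only names the routine ("NefMoto 5-round XOR/rotate");
    this round function is the commonly published ME7 one with the post's key
    constant dropped in. Verify against captured seed/key pairs before use."""
    for _ in range(5):
        if seed & 0x80000000:
            seed = (((seed << 1) | 1) & 0xFFFFFFFF) ^ key   # shift, carry in 1, XOR
        else:
            seed = (seed << 1) & 0xFFFFFFFF
    return seed


def l2_key(seed: int) -> int:
    """Security Access level 2 per the post: key = seed + 0x00002FC9, 32-bit.
    Only needed for reads, and the post says a wrong L2 key locks the ECU."""
    return (seed + L2_OFFSET) & 0xFFFFFFFF


def key_bytes(key: int) -> bytes:
    """Keys go on the wire as 32-bit big-endian."""
    return key.to_bytes(4, "big")


def cal_checksum(data: bytes) -> int:
    """Sum-of-bytes modulo 65536 (not CRC-32). ASSUMPTION: which region the
    ECU sums is not spelled out in the post; pass exactly the bytes you wrote."""
    return sum(data) & 0xFFFF


def erase_trailer(n: int) -> bytes:
    """Counter trailer the erase routine (StartRoutine 0xC4) must carry:
    00 [N+1] [N+1] 00 00 [N], N = current flash counter from ReadECUID 0x9B.
    ASSUMPTION: N is treated as a single byte."""
    if not 0 <= n <= 0xFE:
        raise ValueError("counter out of range")
    return bytes([0x00, n + 1, n + 1, 0x00, 0x00, n])


def transfer_data_frames(image: bytes, chunk: int = 128) -> list:
    """Split a calibration image into TransferData (SID 0x36) frames. The post
    allows 128..254 bytes per frame; 254 plus the SID byte is the most the
    one-byte length field can describe."""
    if not 128 <= chunk <= 254:
        raise ValueError("chunk must be 128..254 bytes")
    return [build_frame(bytes([0x36]) + image[i:i + chunk])
            for i in range(0, len(image), chunk)]


def in_cal_region(addr: int) -> bool:
    """True only inside calA/calB; a write tool should refuse anything else so
    the bootloader and main code are never touched."""
    return any(lo <= addr <= hi for lo, hi in (CAL_A, CAL_B))


if __name__ == "__main__":
    # Constructed sample data, not captured traffic.
    print(build_frame(bytes([0x10, 0x85])).hex(" "))           # StartDiagnosticSession 10 85
    print(hex(l1_key(0x80000000)), key_bytes(l2_key(0x12345678)).hex())
    image = bytes(range(256)) * 4                               # 1 KB fake calibration
    print(hex(cal_checksum(image)), len(transfer_data_frames(image)))
    print(erase_trailer(7).hex(" "), in_cal_region(0x1FE000))
```

`l2_key` is included only so the wire format is visible; the post says a failed L2 attempt locks the ECU, so a tool should never send it unless a read is actually intended and the ECU variant is known to implement it. `in_cal_region` is the guard a writer should run on every RequestDownload address before anything is erased.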