NefMoto

So this is my 1st legit contribution to the community.

This post is to gauge the interest of the community towards reversing edc15. If people are interested, I will post tutorials to add features such as multimap(not step by step though ;))

link to my video: https://www.youtube.com/watch?v=7tuTOx9vNXM

Big thanks to @Tim and @nubcake for guiding me through my 1st RE project :D

So the 1st problem I faced while injecting code to the file was that the checksum would be incorrect and ecu would not boot. Tried several tools to correct checksum but it always resulted in bad checksum.

There is a function in IROM to calculate checksum of 0x10000-0x13FFF. I found this out by connecting a logic analyzer to the address pins of the flash chip and seeing the boot sequence.(@john9357 thanks for doing this for me :D)

As its part of IROM, it cannot be disabled(due to IROM being a mask memory). So checksum of 0x10000-0x13FFF has to be correct no matter what

(https://s12.postimg.org/3pvrwp9bd/Screenshot_6.png) (https://postimg.org/image/3pvrwp9bd/)
sub_1584 is the checksum calculation function. r3 points to 0x10000 (dpp's are set before this snippet of code)
r0 points to the end address of 0x14000. Just like the logic analyzer showed :)

0x10000-0x13FFF contains code to initialize ECU(check RAM,etc) and calculate checksum of the remaining flash and EEPROM, and if it is correct, then ecu executes "einit" command and ecu boots.

If there is a checksum fault, then ecu transmits a few bytes over k-line(if anyone is interested, i will post how this works) and stops booting.

As i knew that 0x10000-0x13FFF is a special area, I started analyzing it, and I found the remaining checksum functions also.

(https://s12.postimg.org/7wgmc18x5/Screenshot_4.png) (https://postimg.org/image/7wgmc18x5/)

as flash is loaded at 0x80000, all addresses are offset by that much from the flash memory.

(https://s12.postimg.org/9cs4u6bu1/Screenshot_5.png) (https://postimg.org/image/9cs4u6bu1/)

the conditional jump would only allow the ecu to boot, if the checksum result is 0, otherwise ecu jumps to location 2D6,which results in a software reset, as shown in the snippet.

all that was left was to change the conditional jumps to unconditional jumps, and the checksum function would be disabled :D

Well done.

Thanks

Well done Nihalot, thanks for sharing your work, keep the posts coming  :)

Good work!

Btw, I am pretty sure this does not disable checksums while ECU is running...
Unless this function is called more from just start of course.

I havent shown the entire function, just a part as an example
Running checksums use the keyword D33D and they have a similar layout. Those can also be disabled with unconditional jumps

Great work, thanks for sharing

I can try to run an EDC15P with OLS300 emulator without checksum correction active, not sure if EVC will allow me to try such thing, but... It will save some harsle situations

excellent post! i have just been setting up OLS300 and want to disable checksum for live map changes, can anyone help with this?

Hi I know this is old thread but wondering if anyone can help me. I loaded irom into Ida pro and then loaded my additional binary (maps). IDA dissemble irom ok but I need help converting the EXT memory to code. loc_25e6, r3 points to 8000 but when I go to that address Ida not dissemble it. Thanks

Hello,

I'm on it since 6h and it's really difficult to do when you are newbie on IDA pro... :( (for the multimap)
What processor type does I need to use with EDC15P (Siemens C167) ? Siemens C166 family so? C167CR_SR or C167CS?
Create RAM section or ROM section ? 64K banks or not ?
Too much informations is missing... Thanks to the english community for his open-mindedness ! ;)

Hi everyone. I have a question, where I can find IROM in EDC15P? EEPROM and FLASH are cleare for me, but IROM I never heard about it.

Thanks for help.
Daniel

Inside the processor of course. Read it out with minimon if you need it.

Irom is the same in all edc15p/vm for me (read in 10 ecu always the same)

Yes I think all or almost all are the same and cross compatible.

Hello again :) I understand, but must I desoldering my processor from the ECU? Where can I buy a minimon program and a cable? I ask, because I can't find nothing about it, only the toys...

i made my ecu checksum disable today...nice. ;D

Hello, can you tell me how did you iROM read? I can't find it about EDC15P+. Can you help me please?

Here...
http://www.perschl.at/minimon.html (http://www.perschl.at/minimon.html)

Thank you well, but wich kind of kabel must I have? From IXAT USB to CAN V2 or something like this?

Regards Daniel