NefMoto

Technical => Reverse Engineering => Topic started by: rotax on March 24, 2017, 11:42:07 AM



Title: ESKONF detection tool
Post by: rotax on March 24, 2017, 11:42:07 AM
The source code of my ESKONF tool can be found in the attached zip-file.
Compiles just fine on Linux.

There is also an updated Windows binary without the previous dll-dependency.

Enjoy!
And please share with the community if you add to or otherwise enhance my little tool...


Title: Re: ESKONF detection tool
Post by: vwaudiguy on March 24, 2017, 02:19:46 PM
Thanks for sharing, rotax. To make this work, it needs to be compiled? Will it work with Windows 7? Sorry for the lame questions.


Title: Re: ESKONF detection tool
Post by: Colt45 on March 25, 2017, 08:53:46 AM
Yeah you would need to compile it. If it has Linux-specific things you'll need to do that under cygwin or mingw in Windows, otherwise any C compiler should work.

I'll try a bit later today, I apparently don't have any dev tools on this win7 computer.


Thanks Rotax, good idea!


Title: Re: ESKONF detection tool
Post by: rotax on March 25, 2017, 10:45:00 AM
I've compiled a Win32 version, see zip-file in first post.

The program searches for 7 bytes that obey the rules/logic of how ESKONF can be set up and prints out any matches, with each individual bit pair in cleartext.

Test and report back any issues...

Enjoy!


Title: Re: ESKONF detection tool
Post by: vwaudiguy on March 25, 2017, 11:31:13 AM
Any chance for a 64 bit version?   :)


Title: Re: ESKONF detection tool
Post by: rotax on March 25, 2017, 12:32:00 PM
Any chance for a 64 bit version?   :)

Did you try the uploaded version?


Title: Re: ESKONF detection tool
Post by: nyet on March 25, 2017, 01:02:37 PM
win32 has nothing to do with 64bit or 32bit ....


Title: Re: ESKONF detection tool
Post by: vwaudiguy on March 25, 2017, 03:43:25 PM
Apologies. I did try the uploaded version and it didn't work. I'm on Win 7 64.

I tried to run it in cmd as well with the same error.

Looking into the dll error now


Title: Re: ESKONF detection tool
Post by: vwaudiguy on March 25, 2017, 03:59:39 PM
Got it.

1. Needed to use cmd
2. Was missing this particular dll file only in the syswow64 folder. I had to install a 32bit version I dl'd into this folder.
3. This file was already present in the system32 folder (64 bit version)

Link

https://www.dll-files.com/vcruntime140.dll.html


Title: Re: ESKONF detection tool
Post by: DT on March 26, 2017, 04:16:03 AM
It might be perfectly safe but I would stay away from sites like dll-files.com

use:
https://www.microsoft.com/en-us/download/details.aspx?id=53840

if you need 2015 runtime


Title: Re: ESKONF detection tool
Post by: vdubnation on March 26, 2017, 08:12:29 AM
works awesome

Reading file [C:\Users\m\Desktop\Done\parkerv3.bin] to buffer...
Buffer ready... Filesize:1048576 (0x100000)

Searching for ESKONF (Bosch ME7.5) in file: C:\Users\m\Desktop\Done\parkerv3.bin
## ESKONF_0 (Addr:00004543) -- FF FF 00 F0 3F F0 2C
b0:FF    ZUE4(95)..:N(11)    ZUE3(94)..:N(11)    ZUE2(103).:N(11)    ZUE1(102).:N(11)   ZUE=Ignition coil
b1:FF    NC........:N(11)    NC........:N(11)    NC........:N(11)    NC........:N(11)
b2:00    EV4(89)...:Y(00)    EV3(88)...:Y(00)    EV2(97)...:Y(00)    EV1(96)...:Y(00)   EV=Fuel injector
b3:F0    LSHHK(63).:N(11)    EFLA(48)..:N(11)    LDR(104)..:Y(00)    TEV(64)...:Y(00)   LSHHK=Rear O2, EFLA=Error lamp, LDR=N75, TEV=N80 purgevalve
b4:3F    BKV(22)...:Y(00)    NC(24)....:N(11)    AAV(116)..:N(11)    MIL(47)...:Y(00)   BKV=Brakebooster pump, AAV=Shutoff valve, MIL=OBD lamp
b5:F0    NC........:N(11)    NC........:N(11)    EKP(65)...:Y(00)    SLP(66)...:Y(00)   EKP=Fuel pump, SLP=J299 SAI pump
b6:2C    ULT(105)..:Y(00)    UAGR(114).:S(10)    SLV(9)....:N(11)    NWS(115)..:Y(00)   ULT=N249 wg valve, UAGR=EGR valve, SLV=N112 SAI relay, NWS=n205 VVT


C:\Users\m>


Title: Re: ESKONF detection tool
Post by: vwaudiguy on March 26, 2017, 10:27:00 AM
Thanks for the heads up, DT. I was nervous using that site, but saw it mentioned /linked to in a few places that seemed legit.


Title: Re: ESKONF detection tool
Post by: rotax on April 08, 2017, 04:54:08 AM
New fixed Windows version can be found in the #1 post.
No more DLL-hunting with the new version.

Enjoy!


Title: Re: ESKONF detection tool
Post by: armageddon on April 08, 2017, 01:40:35 PM
great tool, but topic title should change to ME7.5 ESKONF detection tool


Title: Re: ESKONF detection tool
Post by: Khendal on April 08, 2017, 04:35:22 PM
great tool, but topic title should change to ME7.5 ESKONF detection tool

Can I ask a stupid question?  ::) ::) ::)

What is this ESKONF? Can someone explain it to me better? :D


Title: Re: ESKONF detection tool
Post by: flamy on April 08, 2017, 11:03:46 PM
It's a register to (de-)activate each output stage of the ECU.


Title: Re:
Post by: QuickS4 on April 08, 2017, 11:30:19 PM
Wait, it runs in CMD? My brain is tired hahaha



Title: Re: ESKONF detection tool
Post by: SB_GLI on April 09, 2017, 07:04:08 AM
I've had mixed results on a few bins I tried this on.  In some cases, it will incorrectly detect eskonf, in others it will detect the correct one, but also find another incorrect eskonf.  Attached is an 032HS.  This one does find eskonf, but it also finds anot

I find it just easier to manually find eskonf anyway.  It's always right before kfkhfm, which is a super easy map to find.


Title: Re: ESKONF detection tool
Post by: rotax on April 09, 2017, 03:07:08 PM
The tool is only made to find ME7.5 ESKONF in 4 cylinder bins.

What kind of bin files did it fail on? (examples please...)

Due to the way it searches, it sometimes does find byte groups that are false positives or at least not the primary ESKONF; I've seen up to 3 ESKONF hits in one file.
2 of them seem legit as an ESKONF but the third one is weird.

I do find it really implausible that there would be just random byte groups that really match the rules; they are most probably variants of ESKONF settings used in certain situations, variant coding could perhaps explain their existence.



Title: Re: ESKONF detection tool
Post by: k0mpresd on April 09, 2017, 03:15:50 PM
I do find it really implausible that there would be just random byte groups that really match the rules; they are most probably variants of ESKONF settings used in certain situations, variant coding could perhaps explain their existence.

i ran the tool and it said the eskonf was in 29xxxh range. totally wrong.
also, apparently vdubnation did not read his output before commenting on the tool "works awesome", because his address is 4xxxh. most definitely not correct either.


Title: Re: ESKONF detection tool
Post by: hopsis on April 09, 2017, 08:34:00 PM
I'm getting false results with 8 cylinder bins also. It's a nice tool anyway, thank You.


Title: Re: ESKONF detection tool
Post by: vwaudiguy on April 09, 2017, 08:43:46 PM
I'm getting false results with 8 cylinder bins also.

He mentioned it was only meant for the 4 cylinder bins.


Title: Re: ESKONF detection tool
Post by: nyet on April 09, 2017, 08:56:34 PM
For the record, this sort of tool is VERY hard to make general.. i spent weeks on me7sum to work with a variety of binaries.. just supporting all of the 2.7t variants was hard enough.

That said, though, looking at the source, there might be an easier way to detect where eskonf is based on looking for ASM calls instead of map value matching.



Title: Re: ESKONF detection tool
Post by: flamy on April 10, 2017, 01:51:55 PM
I'm getting false results with 8 cylinder bins also. It's a nice tool anyway, thank You.
6/8-cylinder ECUs have a larger ESKONF register that is not compatible to the ones of the 4-cylinder ECUs.


Title: Re: ESKONF detection tool
Post by: hopsis on April 10, 2017, 08:39:14 PM
Yep, 13 bytes I believe.


Title: Re: ESKONF detection tool
Post by: flamy on April 11, 2017, 01:59:24 PM
Yep, 13 bytes I believe.
Right.


Title: Re: ESKONF detection tool
Post by: pedrosousa on September 09, 2017, 08:50:46 AM
Is it normal to have a report of 3 ESKONF locations?

The file is a 4B0906018DH 366497



Title: Re: ESKONF detection tool
Post by: vwnut8392 on November 06, 2017, 01:49:47 PM
Very cool tool! Great work!


Title: Re: ESKONF detection tool
Post by: Borg on September 09, 2018, 01:46:05 AM
The sequence FF FF 00 F0 3F F0 2C found at some address A is a false positive; it's part of some subroutine @ A-0x59 or near.


Title: Re: ESKONF detection tool
Post by: 360trev on October 12, 2018, 09:57:25 AM
I've just had to implement this for the Ferrari-specific DEKON function, which has both ESKONF_L and ESKONF_R (left and right banks) using the dual ECU concept. However, inspecting DEKON on other variants, there aren't that many different versions, which means you can get pretty good support by using a needle/mask to find the DEKON code which references the ESKONF. Then extract value and segments and derive offset directly to the ESKONF data. This is the guaranteed way to make it work reliably without any false positives.

Take a look at the source code on my github for the Ferrari Swiss Army Knife tool. I haven't done other non-Ferrari variants yet but if there is any interest let me know and I'll look into it...
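
Added example, not part of the original posts or of 360trev's tool: a C sketch of the needle/mask approach described above (and of nyet's earlier suggestion to look for the code that references ESKONF), contrasted with plain value matching on a constructed ROM image. The 8-byte reference sequence, its field positions, the filler and the decoy are hypothetical; only the 0x800000 address base and the 0x10ae4 table offset come from the Ferrari output posted in this thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROM_BASE 0x800000L /* thread output: ADR 0x810ae4 <-> file offset 0x10ae4 */
#define ROM_SIZE 0x20000   /* size of the constructed image */

/* First offset >= start where every unmasked byte equals the needle, or -1. */
long find_masked(const uint8_t *buf, size_t len, const uint8_t *needle,
                 const uint8_t *mask, size_t n, size_t start)
{
    for (size_t i = start; n > 0 && i + n <= len; i++) {
        size_t k = 0;
        while (k < n && ((buf[i + k] ^ needle[k]) & mask[k]) == 0)
            k++;
        if (k == n) return (long)i;
    }
    return -1;
}

/* HYPOTHETICAL reference sequence (not real DEKON code): two 16-bit immediate
 * loads; bytes 2..3 hold the offset word, byte 6 the segment (mask 0 = wildcard). */
static const uint8_t NEEDLE[8] = {0xE6, 0xF4, 0x00, 0x00, 0xE6, 0xF5, 0x00, 0x00};
static const uint8_t MASK[8]   = {0xFF, 0xFF, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0xFF};

/* Resolve the table's file offset from the code that references it. */
long eskonf_from_code(const uint8_t *rom, size_t len)
{
    long at = find_masked(rom, len, NEEDLE, MASK, sizeof NEEDLE, 0);
    if (at < 0) return -1;
    long off = rom[at + 2] | (rom[at + 3] << 8);      /* little-endian word */
    long seg = rom[at + 6];
    long file_off = ((seg << 16) | off) - ROM_BASE;   /* address -> file offset */
    if (file_off < 0 || (size_t)file_off + 7 > len) return -1; /* table must fit */
    return file_off;
}

/* Value matching: count every place the 7 bytes occur, referenced or not. */
int count_value_hits(const uint8_t *rom, size_t len, const uint8_t *val)
{
    static const uint8_t all[7] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
    int hits = 0;
    for (long at = find_masked(rom, len, val, all, 7, 0); at >= 0;
         at = find_masked(rom, len, val, all, 7, (size_t)at + 1))
        hits++;
    return hits;
}

/* Constructed ROM: the table, an unreferenced decoy copy, one code reference. */
static const uint8_t ESKONF_L[7] = {0x00, 0x33, 0xBF, 0xFF, 0xFC, 0xFF, 0xFF};
static uint8_t sample_rom[ROM_SIZE];

static void build_sample(void)
{
    static const uint8_t ref[8] = {0xE6, 0xF4, 0xE4, 0x0A, 0xE6, 0xF5, 0x81, 0x00};
    memset(sample_rom, 0x55, sizeof sample_rom);     /* filler that matches nothing */
    memcpy(sample_rom + 0x10AE4, ESKONF_L, 7);       /* table at the thread's offset */
    memcpy(sample_rom + 0x04000, ESKONF_L, 7);       /* decoy: same bytes elsewhere */
    memcpy(sample_rom + 0x08336, ref, sizeof ref);   /* constructed code location */
}

int demo_value_hits(void) { build_sample(); return count_value_hits(sample_rom, sizeof sample_rom, ESKONF_L); }
long demo_code_hit(void) { build_sample(); return eskonf_from_code(sample_rom, sizeof sample_rom); }

int main(void)
{
    printf("value hits: %d, code-derived offset: 0x%lX\n",
           demo_value_hits(), (unsigned long)demo_code_hit());
    return 0;
}
```

Value matching reports both the table and the decoy, while following the code reference yields a single offset.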


Title: Re: ESKONF detection tool
Post by: 360trev on October 12, 2018, 10:00:55 AM
Here's the output on a Ferrari rom...

Code:
-[ ESKONF Configuration of power stage (actuators) ]-------------------------------------------

>>> Scanning for ESKONF Lookup code sequence...

found needle at offset=0x58336

 1. Configuration of output stages
 =================================
 The configuration is made with the Label ESKONF_R (right bank) & ESKONF_L (left bank), each by 7 bytes.

 Every byte is standing for 4 output stages. Therefore every output stage has got 2 consecutive
 configuration Bits.

 Enable of the output stages diagnosis
 -------------------------------------
 With the configurations-Bytes in ESKONF the functions have to be set active / inactive depending
 on the available components in the car. At the same time with the 2 Bits the function of the
 diagnosis is set.

 Assignment of the Bit pattern:
 ------------------------------
 00  Diagnosis active with OBDII-malfunction storage with test of healing
 01  Diagnosis active without OBDII-malfunction storage with test of healing
 10  Diagnosis active without OBDII-fault memory without test of healing (EKP)
 11  Diagnosis not active


ESKONF_L @ ADR:0x810ae4 (offset 0x10ae4) - Left Bank Configuration
----------+----------------------------------------------------------------------
[i] Hex   |           Bit
          | 76     54     32     10
----------+----------------------------------------------------------------------
          | EV4    EV3    EV2    EV1
[0] 0x00  | 00     00     00     00
          | M52    M03    M35    M19
          +----------------------------------------------------------------------
          | M52   Cylinder 6 injector control power output
          | M03   Cylinder 8 injector control power output
          | M35   Cylinder 7 injector control power output
          | M19   Cylinder 5 injector control power output
----------+----------------------------------------------------------------------
          | LSHVK1 xxxx   TEV    MIL
[1] 0x33  | 00     11     00     11
          | M34    M21    M05    F46
          +----------------------------------------------------------------------
          | M34   LH rear Lambda sensor heater (duty cycle) Power output
          | M21   Not Used
          | M05   Control for LH canister purge valve (duty cycle) Power output
          | F46   Not Used
----------+----------------------------------------------------------------------
          | EKP    LUE1   LSHVK2 MIL
[2] 0xbf  | 10     11     11     11
          | F30    F50    M02    F02
          +----------------------------------------------------------------------
          | F30   Fuel pump control Digital output
          | F50   Not Used
          | M02   Not Used
          | F02   Not Used
----------+----------------------------------------------------------------------
          | --     --     KOS    LUE2
[3] 0xff  | 11     11     11     11
          | Fxx    Fxx    F13    F62
          +----------------------------------------------------------------------
          | Fxx   Not Used
          | Fxx   Not Used
          | F13   Not Used
          | F62   Not Used
----------+----------------------------------------------------------------------
          | xxxx   SU1    NWS    xxxx
[4] 0xfc  | 11     11     11     00
          | M53    M04    M36    M20
          +----------------------------------------------------------------------
          | M53   Not Used
          | M04   Not Used
          | M36   Not Used
          | M20   Control for LH exhaust by-pass power output
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx
[5] 0xff  | 11     11     11     11
          | F18    F33    F34    F01
          +----------------------------------------------------------------------
          | F18   Not Used
          | F33   Not Used
          | F34   Not Used
          | F01   Not Used
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx
[6] 0xff  | 11     11     11     11
          | M13    M13    M45    M45
          +----------------------------------------------------------------------
          | M13   Not Used
          | M13   Not Used
          | M45   Not Used
          | M45   Not Used
----------+----------------------------------------------------------------------


ESKONF_R @ ADR:0x810aeb (offset 0x10aeb) - Right Bank Configuration
----------+----------------------------------------------------------------------
[i] Hex   |           Bit
          | 76     54     32     10
----------+----------------------------------------------------------------------
          | EV4    EV3    EV2    EV1
[0] 0x00  | 00     00     00     00
          | M52    M03    M35    M19
          +----------------------------------------------------------------------
          | M52   Cylinder 2 injector control power output
          | M03   Cylinder 4 injector control power output
          | M35   Cylinder 3 injector control power output
          | M19   Cylinder 1 injector control power output
----------+----------------------------------------------------------------------
          | LSHVK1 xxxx   TEV    MIL
[1] 0x33  | 00     11     00     11
          | M34    M21    M05    F46
          +----------------------------------------------------------------------
          | M34   RH rear Lambda sensor heater (duty cycle) power output
          | M21   Not Used
          | M05   Control for RH canister purge valve (duty cycle) power output
          | F46   Not Used
----------+----------------------------------------------------------------------
          | EKP    LUE1   LSHVK2 MIL
[2] 0xbf  | 10     11     11     11
          | F30    F50    M02    F02
          +----------------------------------------------------------------------
          | F30   Fuel pump control digital output
          | F50   Not Used
          | M02   Not Used
          | F02   Not Used
----------+----------------------------------------------------------------------
          | --     --     KOS    LUE2
[3] 0xf3  | 11     11     00     11
          | Fxx    Fxx    F13    F62
          +----------------------------------------------------------------------
          | Fxx   Not Used
          | Fxx   Not Used
          | F13   A/C compressor control digital output
          | F62   Secondary air pump control digital output
----------+----------------------------------------------------------------------
          | xxxx   SU1    NWS    xxxx
[4] 0x00  | 00     00     00     00
          | M53    M04    M36    M20
          +----------------------------------------------------------------------
          | M53   Modular manifolds control power output
          | M04   Compensation throttle control power output
          | M36   Timing variator control  Digital output
          | M20   Control for RH exhaust by-pass power output
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx
[5] 0x3f  | 00     11     11     11
          | F18    F33    F34    F01
          +----------------------------------------------------------------------
          | F18   Canister closing control power output
          | F33   Not Used
          | F34   Secondary air valve control digital output
          | F01   Not Used
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx
[6] 0xff  | 11     11     11     11
          | M13    M13    M45    M45
          +----------------------------------------------------------------------
          | M13   Not Used
          | M13   Not Used
          | M45   Not Used
          | M45   Not Used
----------+----------------------------------------------------------------------
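
Added example, not part of 360trev's post or tool: a small C decoder for the layout shown in the listing above (7 bytes per bank, four 2-bit settings per byte, columns in bit order 76/54/32/10) that also compares two banks, or two candidate hits, stage by stage. The byte values and stage names are copied from the listing; the function names are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define ESKONF_LEN 7 /* bytes per bank in the listing; 4 output stages per byte */

/* Bit-pair meanings as given in the listing above (abbreviated). */
static const char *const PAIR_TEXT[4] = {
    "diagnosis active, OBDII storage, test of healing",       /* 00 */
    "diagnosis active, no OBDII storage, test of healing",    /* 01 */
    "diagnosis active, no fault memory, no test of healing",  /* 10 */
    "diagnosis not active",                                   /* 11 */
};

/* Stage names per byte, columns = bits 76, 54, 32, 10 (copied from the listing). */
static const char *const STAGE[ESKONF_LEN][4] = {
    {"EV4", "EV3", "EV2", "EV1"},
    {"LSHVK1", "xxxx", "TEV", "MIL"},
    {"EKP", "LUE1", "LSHVK2", "MIL"},
    {"--", "--", "KOS", "LUE2"},
    {"xxxx", "SU1", "NWS", "xxxx"},
    {"xxxx", "xxxx", "xxxx", "xxxx"},
    {"xxxx", "xxxx", "xxxx", "xxxx"},
};

/* Bytes copied from the Ferrari output above. */
static const uint8_t ESKONF_L[ESKONF_LEN] = {0x00, 0x33, 0xBF, 0xFF, 0xFC, 0xFF, 0xFF};
static const uint8_t ESKONF_R[ESKONF_LEN] = {0x00, 0x33, 0xBF, 0xF3, 0x00, 0x3F, 0xFF};

/* 2-bit setting of one output stage; col 0 is bits 7..6, col 3 is bits 1..0. */
unsigned eskonf_pair(const uint8_t *e, int byte, int col)
{
    return (e[byte] >> (6 - 2 * col)) & 0x3u;
}

/* Number of stages set to a given 2-bit value (3 = diagnosis not active). */
int eskonf_count(const uint8_t *e, unsigned value)
{
    int n = 0;
    for (int b = 0; b < ESKONF_LEN; b++)
        for (int c = 0; c < 4; c++)
            n += eskonf_pair(e, b, c) == value;
    return n;
}

/* Report stages whose setting differs between two banks or two candidate hits. */
int eskonf_diff(const uint8_t *a, const uint8_t *b, int verbose)
{
    int n = 0;
    for (int i = 0; i < ESKONF_LEN; i++)
        for (int c = 0; c < 4; c++) {
            unsigned pa = eskonf_pair(a, i, c), pb = eskonf_pair(b, i, c);
            if (pa == pb)
                continue;
            n++;
            if (verbose)
                printf("[%d] %-6s %u%u -> %u%u (%s)\n", i, STAGE[i][c],
                       pa >> 1, pa & 1, pb >> 1, pb & 1, PAIR_TEXT[pb]);
        }
    return n;
}

int main(void)
{
    printf("not active: L=%d R=%d\n", eskonf_count(ESKONF_L, 3), eskonf_count(ESKONF_R, 3));
    printf("differing stages: %d\n", eskonf_diff(ESKONF_L, ESKONF_R, 1));
    return 0;
}
```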



Title: Re: ESKONF detection tool
Post by: TurboMMJ on October 28, 2020, 07:01:17 AM
SUCH A NICE TOOL TO HAVE !

AFTER READING MY FILE THERE IS ESKONF 0 AND ESKONF 1 , BOTH HAS TO BE CODED IS THAT RIGHT TO DELETE SAI,... ,etc.  ?

see attached please


Title: Re: ESKONF detection tool
Post by: BlackT on October 28, 2020, 07:25:26 AM
Yes


Title: Re: ESKONF detection tool
Post by: sonique on October 28, 2020, 04:24:03 PM
SUCH A NICE TOOL TO HAVE !

AFTER READING MY FILE THERE IS ESKONF 0 AND ESKONF 1 , BOTH HAS TO BE CODED IS THAT RIGHT TO DELETE SAI,... ,etc.  ?

see attached please

this file only one
tool not good


Title: Re: ESKONF detection tool
Post by: mdccode5150 on October 28, 2020, 09:27:31 PM
Question: about which ESKONF is for my car (LOGIC would say, and would have to be ESKONF_1) 2002 ALMS AUDI TT 225HP NO VVT am I right? and ESKONF_0 has NO ZUE=Ignition coils! I don't know what the purpose of this would be?

Searching for ESKONF (Bosch ME7.5) in file: ori.bin
## ESKONF_0 (Addr:000044B3) -- FF FF 00 F0 3F F0 2C
b0:FF    ZUE4(95)..:N(11)    ZUE3(94)..:N(11)    ZUE2(103).:N(11)    ZUE1(102).:N(11)   ZUE=Ignition coil
b1:FF    NC........:N(11)    NC........:N(11)    NC........:N(11)    NC........:N(11)
b2:00    EV4(89)...:Y(00)    EV3(88)...:Y(00)    EV2(97)...:Y(00)    EV1(96)...:Y(00)   EV=Fuel injector
b3:F0    LSHHK(63).:N(11)    EFLA(48)..:N(11)    LDR(104)..:Y(00)    TEV(64)...:Y(00)   LSHHK=Rear O2, EFLA=Error lamp, LDR=N75, TEV=N80 purge valve
b4:3F    BKV(22)...:Y(00)    NC(24)....:N(11)    AAV(116)..:N(11)    MIL(47)...:Y(00)   BKV=Brake booster pump, AAV=Shutoff valve, MIL=OBD lamp
b5:F0    NC........:N(11)    NC........:N(11)    EKP(65)...:Y(00)    SLP(66)...:Y(00)   EKP=Fuel pump, SLP=J299 SAI pump
b6:2C    ULT(105)..:Y(00)    UAGR(114).:S(10)    SLV(9)....:N(11)    NWS(115)..:Y(00)   ULT=N249 wg valve, UAGR=EGR valve, SLV=N112 SAI relay, NWS=n205 VVT

=================================================================================================================

## ESKONF_1 (Addr:000151E2) -- AA FF 00 30 F3 F8 33

b0:AA    ZUE4(95)..:S(10)    ZUE3(94)..:S(10)    ZUE2(103).:S(10)    ZUE1(102).:S(10)   ZUE=Ignition coil
b1:FF    NC........:N(11)    NC........:N(11)    NC........:N(11)    NC........:N(11)
b2:00    EV4(89) ...:Y(00)    EV3(88)...:Y(00)    EV2(97)...:Y(00)    EV1(96)...:Y(00)   EV=Fuel injector
b3:30    LSHHK(63) .:Y(00)    EFLA(48)..:N(11)    LDR(104)..:Y(00)    TEV(64)...:Y(00)   LSHHK=Rear O2, EFLA=Error lamp, LDR=N75, TEV=N80 purge valve
b4:F3    BKV(22)...:N(11)    NC(24)....:N(11)    AAV(116)..:N(11)    MIL(47)...:Y(00)   BKV=Brake booster pump, AAV=Shutoff valve, MIL=OBD lamp
b5:F8    NC........:N(11)    NC........:N(11)    EKP(65)...:S(10)    SLP(66)...:Y(00)   EKP=Fuel pump, SLP=J299 SAI pump
b6:33    ULT(105)..:Y(00)    UAGR(114).:N(11)    SLV(9)....:Y(00)    NWS(115)..:N(11)   ULT=N249 wg valve, UAGR=EGR valve, SLV=N112 SAI relay, NWS=n205 VVT

11 = OFF       (EFLA=Error lamp, BKV=Brake booster pump, AAV=Shutoff valve, BKV=Brake booster pump, AAV=Shutoff valve, UAGR=EGR valve, NWS=n205 VVT)
00 = ON        (Injectors, LSHHK=Rear O2, LDR=N75, TEV=N80 purge valve, MIL=OBD lamp, SLP=J299 SAI pump, ULT=N249 wg valve, SLV=N112 SAI relay)
10 = Special   (ZUE=Ignition coil, EKP=Fuel pump,)


Title: Re: ESKONF detection tool
Post by: mdccode5150 on December 06, 2020, 05:22:25 PM
After some research reading definition files, Tuning S4 ESKONF, and playing around with ME7.5, and Porsche's ME7.1.1 ESKONF Bits with success I put this cheat sheet together. Maybe it'll help someone. Let me know if there are mistakes or more information...Thanks!

I posted here: http://nefariousmotorsports.com/forum/index.php?topic=18803.0title=

TITLE: ME7.5 Cheat Sheet and Templates for ESKONF BITS (Disabling Outputs/Devices) Diagnostics


Title: Re: ESKONF detection tool
Post by: mdccode5150 on December 06, 2020, 05:47:03 PM
After some research reading definition files, Tuning S4 ESKONF, and playing around with ME7.5, and Porsche's ME7.1.1 ESKONF Bits with success I put this cheat sheet together. Maybe it'll help someone. Let me know if there are mistakes or more information...Thanks!

I posted here: http://nefariousmotorsports.com/forum/index.php?topic=18803.0title=

TITLE: ME7.5 Cheat Sheet and Templates for ESKONF BITS (Disabling Outputs/Devices) Diagnostics

Made a small change


Title: Re: ESKONF detection tool
Post by: TeknoFi on October 04, 2022, 10:50:39 AM
great little tool, thank you.


Title: Re: ESKONF detection tool
Post by: RetardedTiming on March 08, 2023, 09:21:17 PM
After some research reading definition files, Tuning S4 ESKONF, and playing around with ME7.5, and Porsche's ME7.1.1 ESKONF Bits with success I put this cheat sheet together. Maybe it'll help someone. Let me know if there are mistakes or more information...Thanks!

I posted here: http://nefariousmotorsports.com/forum/index.php?topic=18803.0title=

TITLE: ME7.5 Cheat Sheet and Templates for ESKONF BITS (Disabling Outputs/Devices) Diagnostics

I have an Audi TT 1.8T ATC 180HP 8N0906018S and trying to delete O2 sensors, is this correct ESKONF? http://nefariousmotorsports.com/forum/index.php?topic=9178.0title= Someone on this post said? "Early files have no coil circuit diagnosis."

Code:
Reading file [TT.bin] to buffer...
Buffer ready... Filesize:524288 (0x80000)

Searching for ESKONF (Bosch ME7.5) in file: TT.bin
## ESKONF_0 (Addr:000280FB) -- FF FF 00 F0 3F F0 2C
b0:FF    ZUE4(95)..:N(11)    ZUE3(94)..:N(11)    ZUE2(103).:N(11)    ZUE1(102).:N(11)   ZUE=Ignition coil
b1:FF    NC........:N(11)    NC........:N(11)    NC........:N(11)    NC........:N(11)
b2:00    EV4(89)...:Y(00)    EV3(88)...:Y(00)    EV2(97)...:Y(00)    EV1(96)...:Y(00)   EV=Fuel injector
b3:F0    LSHHK(63).:N(11)    EFLA(48)..:N(11)    LDR(104)..:Y(00)    TEV(64)...:Y(00)   LSHHK=Rear O2, EFLA=Error lamp, LDR=N75, TEV=N80 purgevalve
b4:3F    BKV(22)...:Y(00)    NC(24)....:N(11)    AAV(116)..:N(11)    MIL(47)...:Y(00)   BKV=Brakebooster pump, AAV=Shutoff valve, MIL=OBD lamp
b5:F0    NC........:N(11)    NC........:N(11)    EKP(65)...:Y(00)    SLP(66)...:Y(00)   EKP=Fuel pump, SLP=J299 SAI pump
b6:2C    ULT(105)..:Y(00)    UAGR(114).:S(10)    SLV(9)....:N(11)    NWS(115)..:Y(00)   ULT=N249 wg valve, UAGR=EGR valve, SLV=N112 SAI relay, NWS=n205 VVT