NefMoto

Technical => Communication Protocols => Topic started by: marcjero on February 22, 2018, 02:09:09 PM



Title: Compare flash bytes with bin file ?
Post by: marcjero on February 22, 2018, 02:09:09 PM
Hello,

I would like to know if it's possible to compare the flash content of the ECU with a bin file without actually reading the flash? I mean using the KWP protocol and without using the boot mode of the ECU.

Thank you.




Title: Re: Compare flash bytes with bin file ?
Post by: nyet on February 22, 2018, 10:58:29 PM
Depends on the ecu.

ME7 can do it (Nef uses this technique)

I do not know which others.


Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 23, 2018, 05:56:47 AM
ECU is MEG 1.0, I think it's similar. Is the mechanism you are thinking about based on checksum calculations?




Title: Re: Compare flash bytes with bin file ?
Post by: nyet on February 23, 2018, 01:00:52 PM
Quote:
ECU is MEG 1.0, I think it's similar. Is the mechanism you are thinking about based on checksum calculations?

Yes, in fast mode, Nef queries the ECU for checksums of each sector against the local file before deciding whether or not to read/write.


Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 23, 2018, 01:19:05 PM
Thank you, so there is no way to do a real byte-to-byte comparison, right? I found a PDF on the forum that describes the flashing protocol for ME7 and it looks like what you are saying.
My goal is to hide a remap from outside. I think I have to make sure that segment checksums calculated after mods are matching the original ones.




Title: Re: Compare flash bytes with bin file ?
Post by: eliotroyano on February 23, 2018, 07:18:24 PM
Quote:
My goal is to hide a remap from outside. I think I have to make sure that segment checksums calculated after mods are matching the original ones.

CVN????


Title: Re: Compare flash bytes with bin file ?
Post by: prj on February 23, 2018, 07:44:00 PM
CVN of course.

And what are you going to hide?
One run with the car and a diag log, and done.

On newer ECUs each flash is recorded in EEPROM, and it's read out at the dealer after, you will get flagged regardless of current CVN.


Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 23, 2018, 08:42:09 PM
Sorry but what does CVN mean?
My problem is that Europe is introducing deeper OBD checking during the car inspections. They will now automatically check if the ECU software is genuine.

AFAIK they will proceed this way:
- Get the VIN and the software number from the ECU
- Download the matching bin file
- Compare the ECU firmware with the bin file

Knowing that most ECUs are write-only by default, I guess they will use the checksum method that should work most of the time.

I agree that a serious analysis (using logger or dumping the ECU in boot mode) will reveal the remap but this will require more knowledge about the car and will cost much more.


Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 23, 2018, 08:50:43 PM
Quote:
On newer ECUs each flash is recorded in EEPROM, and it's read out at the dealer after, you will get flagged regardless of current CVN.

Yes that's another issue. Do you know if flashing in boot mode can prevent the flash counter increment?


Title: Re: Compare flash bytes with bin file ?
Post by: superglitch on February 23, 2018, 10:55:21 PM
Quote:
Yes that's another issue. Do you know if flashing in boot mode can prevent the flash counter increment?

I have heard that on the newest ECUs boot mode access count is recorded, most of the older stuff you'll be fine to do just boot mode.


Title: Re: Compare flash bytes with bin file ?
Post by: superglitch on February 23, 2018, 10:57:29 PM
Quote:
Sorry but what does CVN mean?

Calibration Verification Number

For each ECU type you'll need to figure out the algorithm it uses to calculate the CVN before spitting it out, I would start by checking the basics such as summing or CRC.


Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 24, 2018, 04:40:53 AM
OK, I understood CVN is the checksum of the flash. CVN is stored on flash and maybe in EEPROM as well.

Of course they could just check this value but they seem to verify each block of the firmware. So is it possible to run the KWP checksum calculation function without actually updating the flash?


Title: Re: Compare flash bytes with bin file ?
Post by: prj on February 24, 2018, 10:04:24 AM
Quote:
Sorry but what does CVN mean?
My problem is that Europe is introducing deeper OBD checking during the car inspections. They will now automatically check if the ECU software is genuine.

AFAIK they will proceed this way:
- Get the VIN and the software number from the ECU
- Download the matching bin file
- Compare the ECU firmware with the bin file

I think the sun is closer to the earth than you are to the truth.
The check is simply a CVN check. The testers for the cars are EOBD, they don't have access to ANYTHING regarding ECU firmware or flashing.
It's as simple as reading the CVN from the car and check if this CVN is in the CVN database as an OK or not.
It's not tied to a car, ECU, engine or anything like that, the CVN is unique enough, that it's enough to submit only the CVN. The likelihood of a CVN collision is practically 0.


Title: Re: Compare flash bytes with bin file ?
Post by: woj on February 24, 2018, 12:14:27 PM
Quote:
The check is simply a CVN check. The testers for the cars are EOBD

Is there a specific KWP for this? Should I look in the canonical OBD command set?
EDIT: Never mind, found it, OBD PID 09.

As for the preceding discussion:

1. Where is this information about enhanced OBD checks in Europe?

2. A curiosity - on my ME ECU just checking the block CRCs increases the flash counter, so I don't think they would be doing that, also for the reason of having to know a specific manufacturer KWP protocol for this, I can hardly see this happening in practice.



Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 24, 2018, 01:14:00 PM

Quote:
1. Where is this information about enhanced OBD checks in Europe?

These OBD operations are part of the new European vehicle inspection (2014/45/UE I think). They claim they are able to detect any change in the ECU software. They can detect tuning and mods (disabled DPF will be detected as well).
There are not a lot of details about the processing they do but I got an example of possible output:

Code:
[15:30:31] Status : Connecting OK
[15:30:31] Status : S1 OK
[15:30:32] Status : S2 OK
[15:30:35] Status : S3 OK
[15:30:35] Status : R/W Function available
[15:30:35] Status : Device waiting for commands.
[15:30:40] Status : Finding USB Device Status: OK
[15:30:53] Status : Verifying 29F400BT Flash Block 0 OK
[15:31:06] Status : Verifying 29F400BT Flash Block 1 OK
[15:31:19] Status : Verifying 29F400BT Flash Block 2 OK
[15:31:32] Status : Verifying 29F400BT Flash Block 3 OK
[15:31:45] Status : Verifying 29F400BT Flash Block 4 OK
[15:31:58] Status : Verifying 29F400BT Flash Block 5 OK
[15:32:11] Status : Verifying 29F400BT Flash Block 6 NOT OK Emission Law Fraud Detected
[15:32:24] Status : Verifying 29F400BT Flash Block 7 OK
[15:32:37] Status : Verifying 29F400BT Flash Block 8 OK
[15:32:51] Status : Verifying 29F400BT Flash Block 9 NOT OK Emission Law Fraud Detected
[15:32:57] Status : Verifying 29F400BT Flash Block 10 OK
[15:32:57] Status : Device waiting for commands.

This check is done mainly to detect DPF removals. But it will detect any tuning as well. Does it look like a CVN check? I'm confused too.


Title: Re: Compare flash bytes with bin file ?
Post by: woj on February 24, 2018, 02:32:47 PM
If that log has anything to do with any reality, even alternate in somebody's head, the time stamps suggest indeed that this is done by reading the blocks out, the complete block-by-block CRC check should take a couple of seconds in total. Nevertheless, I find it all too hard to believe.
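
The timing argument in the post above can be checked against the posted log. The following is an added example, not part of the thread or of any tool mentioned in it; it assumes each log line is stamped when its step finishes, so the gap to the previous line is the time spent on that block.

```python
"""Per-block timing of the verification log posted earlier in the thread."""
import re
from datetime import datetime

# Lines copied from the log quoted in the thread (blank lines removed).
LOG = """\
[15:30:40] Status : Finding USB Device Status: OK
[15:30:53] Status : Verifying 29F400BT Flash Block 0 OK
[15:31:06] Status : Verifying 29F400BT Flash Block 1 OK
[15:31:19] Status : Verifying 29F400BT Flash Block 2 OK
[15:31:32] Status : Verifying 29F400BT Flash Block 3 OK
[15:31:45] Status : Verifying 29F400BT Flash Block 4 OK
[15:31:58] Status : Verifying 29F400BT Flash Block 5 OK
[15:32:11] Status : Verifying 29F400BT Flash Block 6 NOT OK Emission Law Fraud Detected
[15:32:24] Status : Verifying 29F400BT Flash Block 7 OK
[15:32:37] Status : Verifying 29F400BT Flash Block 8 OK
[15:32:51] Status : Verifying 29F400BT Flash Block 9 NOT OK Emission Law Fraud Detected
[15:32:57] Status : Verifying 29F400BT Flash Block 10 OK
"""

LINE = re.compile(r"\[(\d\d:\d\d:\d\d)\] Status : (.*)")
BLOCK = re.compile(r"Verifying \S+ Flash Block (\d+) (NOT OK|OK)")


def block_timings(log):
    """Return [(block, seconds_since_previous_line, passed), ...].

    Assumption: a line is written when its step completes, so the gap to the
    previous timestamp approximates the time spent on that block.
    """
    timings, previous = [], None
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp = datetime.strptime(m.group(1), "%H:%M:%S")
        block = BLOCK.match(m.group(2))
        if block and previous is not None:
            seconds = int((stamp - previous).total_seconds())
            timings.append((int(block.group(1)), seconds, block.group(2) == "OK"))
        previous = stamp
    return timings


def summary(log):
    """Aggregate the per-block rows into totals and the list of failed blocks."""
    rows = block_timings(log)
    return {
        "blocks": len(rows),
        "total_seconds": sum(seconds for _, seconds, _ in rows),
        "failed": [block for block, _, ok in rows if not ok],
    }


if __name__ == "__main__":
    for block, seconds, ok in block_timings(LOG):
        print("block %2d: %2d s  %s" % (block, seconds, "OK" if ok else "NOT OK"))
    print(summary(LOG))
```

The log spends roughly 13 seconds on most blocks and over two minutes in total, which is the gap between it and the "couple of seconds" the post expects from a block-by-block CRC check.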


Title: Re: Compare flash bytes with bin file ?
Post by: superglitch on February 24, 2018, 04:05:35 PM
Simply put, there's no way manufacturers are going to share how to read out full data, it will be a simple query to the ECU for the Cal ID and CVN.


Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 24, 2018, 06:26:18 PM
As I said I'm confused about this. I don't know if a block CRC can be done in a standardized way. If yes they could do this.

But I find the benefit of block CRC vs simple CVN check is very thin. If a tuner can fake the CVN he will be able to fake the block CRC as well.

Reading the blocks through OBD won't work for all ECUs. However it would be a killer option as no workaround would be possible then.

So there are 3 options:

- 1 CVN check: easy to do but weak
- 2 Blocks CRC: more difficult to implement but a bit stronger
- 3 Read Blocks: straightforward, very strong but only works for a limited set of ECUs

Code:
[15:30:35] Status : R/W Function available
is interesting as it seems that the ECU is in read/write mode. So it looks like they use option 3.

Another option would be to send the blocks to the ECU and then ask (how?) the ECU to compare the bytes on its side. This would give similar timestamps. Realistic or not?

I have a question regarding flash and boot mode (ME7). I understand that the EEPROM content is not updated at all when flashing in boot mode. Is it correct? So there is a problem if CVN has changed, right?


Title: Re: Compare flash bytes with bin file ?
Post by: nyet on February 24, 2018, 08:28:24 PM
Interesting. I would like to know more about how CVN is calculated, and if modifying ME7 binaries changes the CVN read by OBD.

Note: my interest is specific to ME7.

In particular, do they have a whitelist of all possible ME7 ECU revisions? I assume crossflashing from similar (stock) ECUs is ok? Or not ok?


Title: Re: Compare flash bytes with bin file ?
Post by: prj on February 24, 2018, 09:22:45 PM
Pretty sure someone made that up, or w/e.

They can only check with EOBD standard. Flashing algorithms are manufacturer-specific for every car, and they are not available for third parties either.
Remember, to initiate any checksum checking you need to have seed-key access to the ECU, and that's just not going to happen, it's not information the OEMs have to give out.
The amount of work to make a universal tool that speaks every vehicle specific protocol is unreal too. Just not going to happen, nor is it part of any standard.

Read the ME7 FR on how CVN is calculated and queried, it's all in there.

On any ECU to bypass this, you need to read the original CVN, store it in the binary, and when CVN calc request is sent instead of calculating it, just load RAM values with stored value.
Or you can patch Mode 9 request to answer fixed values instead of actual CVN. Mode 9 is the only thing there is in the ECUs that can be checked universally. Needs a huge database of all possible calibrations, but that is still doable vs. trying to get programming access to each ECU.

Waste of time if you ask me. It will be just worked around, because you are trusting the ECU to tell you something. And ECU is just running code inside it. Those that are implementing this legislation aren't too bright.

Also, all that 2014/45/EU says is that from Euro 6 on gasoline vehicles, they want to use EOBD readiness in place of gas analyzers. Nothing else.


Title: Re: Compare flash bytes with bin file ?
Post by: woj on February 25, 2018, 02:04:21 AM
Where is that supposed verification log coming from BTW?

They do check readiness in Sweden where I live, but I have not seen anyone coming anywhere near my car with a tester / reader in the Netherlands before I moved (the same car). And I know for sure that in certain other countries this is pure fiction, regardless of what EU directives say. What I would like to know is what is the exact procedure here in Sweden, is it just reading monitor status, or resetting them through DTC clearing and seeing if they behave as expected. I know they leave the device connected for some minutes, but that could as well be incidental / work parallelisation. In any case, all this is done with engine off.

As to how is the CVN calculated, why not check the code? I did for ME7.9.10 (car / ECU is from early 2008), and the only thing I found is that for PID 09 only 00 (goes without saying) and 04 requests are supported. 04 is calibration ID and it sends a fixed SW number from the flash. So no CVN here whatsoever.


Title: Re: Compare flash bytes with bin file ?
Post by: prj on February 25, 2018, 06:42:34 AM
CVN is implemented after 2005 MY IIRC.

Also they check readiness monitors with EOBD. Diesel has a readiness monitor for EGR, but not for DPF I think.
Once again, readiness monitors are something the ECU says - and what I've done in the past is replace the service function with my own, that just always says that everything is fine and dandy.


Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 25, 2018, 07:47:21 AM
Quote:
They can only check with EOBD standard. Flashing algorithms are manufacturer-specific for every car, and they are not available for third parties either.
Remember, to initiate any checksum checking you need to have seed-key access to the ECU, and that's just not going to happen, it's not information the OEMs have to give out.
The amount of work to make a universal tool that speaks every vehicle specific protocol is unreal too. Just not going to happen, nor is it part of any standard.

Well it looks like the manufacturers are contributing to this. The Diesel Gate helped to convince them. Galletto can flash a large number of ECUs so I think they can do similar things with the active help of manufacturers.

Quote:
Read the ME7 FR on how CVN is calculated and queried, it's all in there.

Where can I find this doc please?

Quote:
Or you can patch Mode 9 request to answer fixed values instead of actual CVN. Mode 9 is the only thing there is in the ECUs that can be checked universally. Needs a huge database of all possible calibrations, but that is still doable vs. trying to get programming access to each ECU.

Looks like they already have a database from manufacturers.




Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 25, 2018, 07:54:52 AM
Quote:
Where is that supposed verification log coming from BTW?

They do check readiness in Sweden where I live, but I have not seen anyone coming anywhere near my car with a tester / reader in the Netherlands before I moved (the same car). And I know for sure that in certain other countries this is pure fiction, regardless of what EU directives say. What I would like to know is what is the exact procedure here in Sweden, is it just reading monitor status, or resetting them through DTC clearing and seeing if they behave as expected. I know they leave the device connected for some minutes, but that could as well be incidental / work parallelisation. In any case, all this is done with engine off.

This is planned to start in France in May. This will be a European inspection. So most verification processes will be common for all EU countries. I think the OBD part will be shared in order to limit costs and to get a simpler relationship with manufacturers. Anyway each country can add its own verifications.


Title: Re: Compare flash bytes with bin file ?
Post by: prj on February 26, 2018, 10:05:24 AM
Quote:
Well it looks like the manufacturers are contributing to this. The Diesel Gate helped to convince them. Galletto can flash a large number of ECUs so I think they can do similar things with the active help of manufacturers.

SOURCE?

You're just making shit up as you go, it's getting boring.


Title: Re: Compare flash bytes with bin file ?
Post by: KasperH on February 26, 2018, 02:10:48 PM

Quote:
Read the ME7 FR on how CVN is calculated and queried, it's all in there.

Quote:
Where can I find this doc please?

FFS.


Title: Re: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 26, 2018, 02:28:41 PM
Quote:
SOURCE?

You're just making shit up as you go, it's getting boring.

Source is a local tuner. I stop boring you now.


Title: Re: Re: Compare flash bytes with bin file ?
Post by: prj on February 26, 2018, 05:33:45 PM
Quote:
Source is a local tuner. I stop boring you now.

Yeah, so you have no source.


Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 26, 2018, 05:51:40 PM
This information was shared with me by a well-known professional tuner. This is all I can say. Probably not enough for you.

I think that a tuner would not warn customers this way without solid reasons. Because he is losing business saying that.

Let's see what will happen in May. I got answers to my questions. I will keep you updated about the new inspection checks.


Title: Re: Compare flash bytes with bin file ?
Post by: woj on February 27, 2018, 01:42:24 AM
Quote:
Because he is losing business saying that.

The opposite. The crowd of people wanting to remove DPF/EGR and what not is always going to be large (in some countries this is national sport and people budget money for this before they even buy the car), for him it is a reason to charge more for the service claiming he can bypass the check but it needs his magic touch (and this magic for EOBD readiness is really simple, the average customer does not need to know that). And he can charge old customers for fixing their cars before they get "caught". Come to think of it, that's a genius plan :D

Of course, I don't know that particular person so it's a general remark rather than personal, but it does reflect things I have heard of in the "tuning scene".


Title: Re: Compare flash bytes with bin file ?
Post by: prj on February 27, 2018, 02:47:23 AM
Yeah, it's BS.
Those checks are already in place in Germany and some other countries. But of course the French always think they are first  ::)

It's a CVN check plain and simple. EOBD is the way it is done and will always be done.


Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 27, 2018, 05:48:48 AM
I agree with you it's probably BS. I was thinking about a checksum based check from the beginning but he said it was a real byte check. So I wanted to know what are the real capabilities for deep ECU analysis.
Looks like they are close to 0. And knowing that this CVN based inspection is already live in Germany is a good proof of that. France I think is a leader in the DPF removal game because there are a lot of diesel cars here. As you said it's a large business for tuners. Information leaks can be also wrongly alarming in order to discourage customers.
Interesting to know how you actually manage the CVN check in Germany for instance. Are there tools for that?


Title: Re: Compare flash bytes with bin file ?
Post by: prj on February 27, 2018, 05:53:37 AM
I already wrote exactly how to do it. What else do you want to know? :)


Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 27, 2018, 06:04:52 AM
Yeah I know... The explanation is clear but did you actually implement it ? I guess it's possible to build a generic cvn patching tool.


Title: Re: Compare flash bytes with bin file ?
Post by: prj on February 27, 2018, 09:49:48 AM
What kind of question is that? Explaining how to do it takes longer than actually doing it.

Generic CVN patching tool? Good luck with that. Maybe on one or two ECU families make-specific.


Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 27, 2018, 01:38:56 PM
Quote:
What kind of question is that? Explaining how to do it takes longer than actually doing it.

Generic CVN patching tool? Good luck with that. Maybe on one or two ECU families make-specific.

Looks like you dislike French people.  :-\
I want details because my ECU is not exactly a ME 7. It's a MEG 1.1 used in some Smart cars (<2006). MEG is quite similar to ME7 ECUs (AFAIK), 'G' stands for the integrated gearbox management.
I don't know if this ECU supports CVN. I suppose that I need to find and disassemble the OBD mode 9 functions, right? Where would you start from?


Title: Re: Compare flash bytes with bin file ?
Post by: woj on February 27, 2018, 01:58:20 PM
The easiest? Get your hands on any ELM327, can be the cheapest cloned stuff from anywhere and use a terminal program (either on Android if it's Bluetooth or putty if on PC/USB) and talk to your ECU. Connect and then 09 00 to get supported requests for PID 09 and try the supported ones to see. More info here: https://en.wikipedia.org/wiki/OBD-II_PIDs
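
The reply to `09 00` is a 32-bit bitmask, so it has to be decoded before it says whether the ECU offers a Calibration ID (InfoType 04) or a CVN (InfoType 06). The following is an added example, not part of the post above; it assumes the reply is pasted as space-separated hex with headers off, and that a five-byte payload carries a leading message-count byte (K-line style framing). The sample replies are constructed.

```python
"""Decode an OBD-II service 09 / InfoType 00 reply typed back by an ELM327."""

# InfoType numbers defined by the OBD-II standard (SAE J1979).
INFOTYPE_NAMES = {
    0x02: "VIN",
    0x04: "Calibration ID",
    0x06: "Calibration Verification Number (CVN)",
}


def parse_hex_line(line):
    """Convert a terminal line such as '49 00 54 00 00 00' to bytes.

    Returns None for non-hex replies such as 'NO DATA' or '?'.
    """
    cleaned = line.strip().rstrip(">").strip()
    try:
        return bytes.fromhex(cleaned)
    except ValueError:
        return None


def supported_infotypes(line):
    """Return the sorted list of InfoType numbers (1..32) the ECU advertises."""
    data = parse_hex_line(line)
    if not data or data[:2] != b"\x49\x00":
        raise ValueError("not a positive response to request 09 00: %r" % line)
    payload = data[2:]
    if len(payload) == 5:
        # Assumption: K-line style framing, where a message-count byte
        # precedes the four bitmask bytes.
        payload = payload[1:]
    if len(payload) != 4:
        raise ValueError("expected a 4-byte bitmask, got %d bytes" % len(payload))
    mask = int.from_bytes(payload, "big")
    # Most significant bit of the first byte is InfoType 01, the next is 02, ...
    return [n for n in range(1, 33) if mask & (1 << (32 - n))]


def describe(line):
    """Summarise which identification data this ECU can be asked for."""
    supported = supported_infotypes(line)
    return {
        "supported": supported,
        "calibration_id": 0x04 in supported,
        "cvn": 0x06 in supported,
        "names": [INFOTYPE_NAMES.get(n, "InfoType %02X" % n) for n in supported],
    }


if __name__ == "__main__":
    # Constructed sample replies, not captured from a real ECU.
    samples = [
        "49 00 01 10 00 00 00",  # only InfoType 04, as reported for ME7.9.10 in this thread
        "49 00 54 00 00 00",     # InfoTypes 02, 04 and 06
    ]
    for sample in samples:
        print(sample, "->", describe(sample))
```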


Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 27, 2018, 02:08:26 PM
Thank you !


Title: Re: Compare flash bytes with bin file ?
Post by: prj on February 27, 2018, 03:57:37 PM
Quote:
Looks like you dislike French people.  :-\

I dislike stupidity and ignorance. Whether French or any other is irrelevant.
You start posting about stuff you don't have a good understanding of, you get people from the industry telling you how it actually works, you disregard that.
When you finally realize how it works, your first reaction is "ooh I am sure someone will make me a tool".

Get a damos for your ECU or similar ECU, find the CVN variables, disassemble file, find the access and you will find mode 9 request.
Simply load them from flash instead of loading from memory, and put the correct values into the flash which you queried before in mode 9 with any EOBD tool.
After that flash tuned file and do what you want because CVN returned will be always from what you make it return.

If you can't do it, pay someone to do it for you. It will have to be done on a per-file or at least per-ecu-type basis.


Title: Re: Compare flash bytes with bin file ?
Post by: marcjero on February 27, 2018, 06:53:34 PM
I never asked you for a tool. I never ask to work for free. If my ECU is supporting CVN and if I need patching I will make a tool and will share it. I don't see anything wrong in looking around for existing free or open source tools that could help.

I asked for information. And yes I was (and still am) ignorant about the way these ECUs are working. This is the reason I started this thread. Because what I was hearing (from a respected professional) was sounding a bit strange.

Quote:
Get a damos for your ECU or similar ECU, find the CVN variables, disassemble file, find the access and you will find mode 9 request.
Simply load them from flash instead of loading from memory, and put the correct values into the flash which you queried before in mode 9 with any EOBD tool.
After that flash tuned file and do what you want because CVN returned will be always from what you make it return.
If you can't do it, pay someone to do it for you. It will have to be done on a per-file or at least per-ecu-type basis.

Thank you for this methodology. I got a MEG damos file from the forum, I will look at it. Yes I think I can do it.

TBH problem is not about money but about trust. You are rude with me and I never talk to anyone the way you do.

Quote:
But of course the French always think they are first  ::)

I probably hurt you in some way. I apologize for that. My assumptions were based on BS.


Title: Re: Compare flash bytes with bin file ?
Post by: ko4you on October 23, 2019, 03:30:20 AM
Has anyone got any new info about it?