|
Title: KWP2000 (CAN) eeprom read Post by: H2Deetoo on July 23, 2015, 12:45:44 AM Hi guys,
I am trying to write some software to read (and write) the eeprom of a specific module in my VW Passat car. It is the door/window module, which is reachable using the OBD connector and uses KWP2000/TP20 protocol. I can communicate with it already (requesting ident) but I am having troubles reading eeprom. I am doing something like this: -> 10 84 (Go to diagnostic mode 84) <- 50 84 (Positive response) -> 27 03 (Request seed) <- 67 03 AA BB CC DD (Seed response) -> 27 04 11 22 33 44 (Send key) <- 67 04 34 (Positive key response) -> 23 40 00 00 10 (Request 16 bytes of memory from address 400000h) <- 7F 23 11 (Negative response: Service not supported in this session) The problem I am facing is that there are too many possible variables: - Which diagnostic session to use? -> I made a list of valid values and tried them all - Which seed/key index to use? -> I haven't tried them all, but only 03/04 seemed valid at first - Which seed/key algo to use? -> I found a static login value (simple addition) which works. Perhaps not the correct one for reading eeprom - Which command is used to read eeprom? -> I am trying with KWP2000 command 23, but perhaps this module uses a different or even custom command - Which address is used to access eeprom? -> I just tried different values like 000000 and 200000 and 400000 ... Does anyone have a valid log of any eeprom read of any KWP2000/TP20 device? Any log will be helpfull at this point I suppose. Thank you, H2Deetoo Title: Re: KWP2000 (CAN) eeprom read Post by: Deko on July 23, 2015, 03:19:13 AM Hi guys, I am trying to write some software to read (and write) the eeprom of a specific module in my VW Passat car. It is the door/window module, which is reachable using the OBD connector and uses KWP2000/TP20 protocol. I can communicate with it already (requesting ident) but I am having troubles reading eeprom. I am doing something like this: -> 10 84 (Go to diagnostic mode 84) <- 50 84 (Positive response) -> 27 03 (Request seed) <- 67 03 AA BB CC DD (Seed response) -> 27 04 11 22 33 44 (Send key) <- 67 04 34 (Positive key response) -> 23 40 00 00 10 (Request 16 bytes of memory from address 400000h) <- 7F 23 11 (Negative response: Service not supported in this session) The problem I am facing is that there are too many possible variables: - Which diagnostic session to use? -> I made a list of valid values and tried them all - Which seed/key index to use? -> I haven't tried them all, but only 03/04 seemed valid at first - Which seed/key algo to use? -> I found a static login value (simple addition) which works. Perhaps not the correct one for reading eeprom - Which command is used to read eeprom? -> I am trying with KWP2000 command 23, but perhaps this module uses a different or even custom command - Which address is used to access eeprom? -> I just tried different values like 000000 and 200000 and 400000 ... Does anyone have a valid log of any eeprom read of any KWP2000/TP20 device? Any log will be helpfull at this point I suppose. Thank you, H2Deetoo sent you a PM Title: Re: KWP2000 (CAN) eeprom read Post by: roth18 on July 23, 2015, 07:32:00 AM You might need this. ;D
BR, Roth Title: Re: KWP2000 (CAN) eeprom read Post by: Basano on July 23, 2015, 10:37:42 AM On my MED9.1 ecu I was able to read the e2p indirectly via the KWP commands.
The e2p is mirrored in RAM and by reading the RAM you can deduce the e2p contents. Maybe you could try something similar? I'm not sure if they'd use a RAM mirror for a door/window module though (pretty static data) Title: Re: KWP2000 (CAN) eeprom read Post by: H2Deetoo on July 24, 2015, 12:49:11 AM Hi Basano,
Yes I understand what you mean, but still leaves me with exactly the same questions as stated above :( Rgs H2Deetoo Title: Re: KWP2000 (CAN) eeprom read Post by: H2Deetoo on July 26, 2015, 07:14:38 AM Solved, cmd 35h was used to read eeprom ;-)
Title: Re: KWP2000 (CAN) eeprom read Post by: dream3R on October 13, 2015, 09:41:44 AM Solved, cmd 35h was used to read eeprom ;-) Nice one, I used the mirror too as as it was easier. was 35h over UDS/CAN or kline? Title: Re: KWP2000 (CAN) eeprom read Post by: dream3R on October 13, 2015, 10:17:27 AM seems like 35h is request upload https://en.wikipedia.org/wiki/Unified_Diagnostic_Services
|