|
bamofo
|
 |
« on: October 17, 2019, 06:16:43 AM »
|
|
|
Is there a write-up im not able to find on how to modify the EEPROM/ROM to make it so galleto cant read the rom off the car without going into bootmode? I realize its extra work but if there are posts that talk about how to do it I couldn't find it... Any help would be great and ill figure out the rest. Thanks!
|
|
|
|
|
Logged
|
|
|
|
rogerius
Full Member
Karma: +62/-6
 Offline
Posts: 116
|
|
« Reply #1 on: October 17, 2019, 06:57:37 AM »
|
|
|
Is there a write-up im not able to find on how to modify the EEPROM/ROM to make it so galleto cant read the rom off the car without going into bootmode? I realize its extra work but if there are posts that talk about how to do it I couldn't find it... Any help would be great and ill figure out the rest. Thanks!
maybe post #14 in this thread is what you want? http://nefariousmotorsports.com/forum/index.php?topic=7402.msg68438;topicseen#msg68438 |
|
|
|
|
Logged
|
|
|
|
|
bamofo
|
|
« Reply #2 on: October 17, 2019, 08:07:40 AM »
|
|
|
I will try this right now. Also, what about changing what the OBD Port sees at the Flash Method from Galletto?
|
|
|
|
|
Logged
|
|
|
|
|
bamofo
|
|
« Reply #3 on: October 17, 2019, 08:31:31 AM »
|
|
|
Not what i was looking for. But may be useful for logging or something else. If someone wants to PM me with the information because they dont want it shared here thats fine too... just looking for information on it. |
|
|
|
« Last Edit: October 17, 2019, 08:38:54 AM by bamofo »
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #4 on: October 17, 2019, 09:27:08 AM »
|
|
|
Waste of time, IMO. If somebody wants your code, they'll bootmode it anyway.
In my experience there isn't much anybody has done that is worth protecting (including "pro" tuners).
|
|
|
|
|
Logged
|
ME7.1 tuning guideECUx PlotME7Sum checksumTrim heatmap toolPlease do not ask me for tunes. I'm here to help people make their own. Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
|
|
|
|
bamofo
|
|
« Reply #5 on: October 17, 2019, 09:33:48 AM »
|
|
|
Waste of time, IMO. If somebody wants your code, they'll bootmode it anyway.
In my experience there isn't much anybody has done that is worth protecting (including "pro" tuners).
Just looking for advise on how to change it so Galletto sees a 400BT setting instead of a 800BT which will just cause it to fail anyways. Yes i realize Bootmode will scrape it off. but thats a PITA and if they put that much effort into then fine. Trying to make sure i dont make it as easy as here is a galletto cable just read the rom and send it to me ill figure out what they did. If you have insight that would be great. If not thats fine too. Looks like Tony wrote about it a bit but i havent figured out where that is... |
|
|
|
|
Logged
|
|
|
|
|
BlackT
|
|
« Reply #6 on: October 17, 2019, 11:22:25 AM »
|
|
|
Waste of time, IMO. If somebody wants your code, they'll bootmode it anyway.
In my experience there isn't much anybody has done that is worth protecting (including "pro" tuners).
Is it possible to read every tune with boot mode( of course if there is a original 29F800BB) My friend have tuned car, i only need to read that tune and add 6 gear for cruise control. Is there any chance for brickong ecu while reading, if there is some protection in flash? |
|
|
|
|
Logged
|
|
|
|
|
bamofo
|
|
« Reply #7 on: October 17, 2019, 11:28:40 AM »
|
|
|
Is it possible to read every tune with boot mode( of course if there is a original 29F800BB)
My friend have tuned car, i only need to read that tune and add 6 gear for cruise control. Is there any chance for brickong ecu while reading, if there is some protection in flash?
not in boot mode. Im just talking about OBDII with no boot mode. I see you can change Seed Keys on 9.1 but in 7.1.1 i cant figure out how to change what is relayed to the software that says memory layout X vs Y. trying though.. |
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #8 on: October 18, 2019, 03:15:47 AM »
|
|
|
The check is done via requestupload and trying to read a higher address.
MPPS uses dynadefine.
If you want to block reading you need to block requestUpload, dynamicallyDefineLocalIdentifier and readMemoryByAddress.
Otherwise it's still possible to read everything.
This will also block ME7Logger.
|
|
|
|
|
Logged
|
|
|
|
fluke9
Full Member
Karma: +26/-1
Offline
Posts: 113
|
|
« Reply #9 on: October 18, 2019, 03:27:56 AM »
|
|
|
Waste of time, IMO. If somebody wants your code, they'll bootmode it anyway.
In my experience there isn't much anybody has done that is worth protecting (including "pro" tuners).
For non-hybrids there are flash replacement daughterboards which have some logic on reads: They are more or less intelligent: One i have come across ages ago just detects if too many addresses are read in a sequential fashion and starts to return return crap, it can be defeated by writing bootmode code which reads addresses pseudo-randomly. Others know some more patterns or even check and are harder to defeat. |
|
|
|
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #10 on: October 18, 2019, 08:44:58 AM »
|
|
|
For non-hybrids there are flash replacement daughterboards which have some logic on reads:
They are more or less intelligent:
One i have come across ages ago just detects if too many addresses are read in a sequential fashion and starts to return return crap,
it can be defeated by writing bootmode code which reads addresses pseudo-randomly.
Others know some more patterns or even check and are harder to defeat.
The simple daughterboards (w/o active logic on them) just rearrange address/data lines In any case, at this point they're laughably naive; nobody is doing anything that smart that requires protection. And if they are doing something that smart, they don't our need help with disabling OBD reads, rest assured that is a trivial thing for them to do themselves. |
|
|
|
|
Logged
|
ME7.1 tuning guideECUx PlotME7Sum checksumTrim heatmap toolPlease do not ask me for tunes. I'm here to help people make their own. Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
|
|
|
fluke9
Full Member
Karma: +26/-1
Offline
Posts: 113
|
|
« Reply #11 on: October 18, 2019, 11:34:24 AM »
|
|
|
The simple daughterboards (w/o active logic on them) just rearrange address/data lines
Seen those, but also have seen one which had a cpld or fpga (number was scrubbed off) which really checked that you are not reading x times incrementing the address. But that was not a ECU which i wanted to dump for RE purposes. Nevertheless, there are always ways to see what the CPU sees. |
|
|
|
|
Logged
|
|
|
|
|
bamofo
|
|
« Reply #12 on: October 18, 2019, 01:46:26 PM »
|
|
|
The check is done via requestupload and trying to read a higher address.
MPPS uses dynadefine.
If you want to block reading you need to block requestUpload, dynamicallyDefineLocalIdentifier and readMemoryByAddress.
Otherwise it's still possible to read everything.
This will also block ME7Logger.
PRJ I saw you post this on another thread i was trying to re-find to ping you about. How do i go about finding these request calls in the rom... is there something you can point me to that will help get me over the hump? or the ID's i have many of them for the Rom im working on now. I have a rom that changes the reading tools to think its a different chip type and that blocks MPPS / Galletto / and ME7Logger never worked for me on ST10 Roms. Im not looking exactly for a hand out... if you want to help me on the side i would pay you if needed. but im guessing i need to use IDA and breakdown this rom to find the request upload / download and the other portions your talking about. Back to what nyet said at that point idk if i even want to do it... Rambling so i will stop. Any help is great, but i understand if the thread goes nowhere as well.  |
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #13 on: October 18, 2019, 01:55:08 PM »
|
|
|
Not interested in reversing OBD protocols on 20 year old ECU's really... have more productive things to do. I told you services that need blocking, get the KWP2000 specs and have at it  |
|
|
|
|
Logged
|
|
|
|
|
