_nameless
« on: May 08, 2026, 11:38:27 PM »
I've been working on making my own flashing tools for various reasons. Anyway, I thought I would share some of the information that I uncovered.

## Status
| Component | Status |
|---|---|
| Fast init (StartCommunication) | implemented from sniff |
| ReadECUID 0x9B + flash counter extraction | implemented + verified |
| Security Access L1 (algorithm) | **verified algorithmically** against 14 captured pairs |
| Security Access L2 | INTENTIONALLY NOT IMPLEMENTED — locks ECU on failure |
| Programming session entry (10 85 + 10 85 50) | implemented from sniff |
| Auto-baud switch to 38400 | implemented |
| RequestDownload (SID 0x34, fmt 0x02 plain) | implemented from sniff |
| Erase routine (StartRoutine 0xC4) with counter trailer | implemented + verified |
| TransferData (128-byte chunks, plain) | implemented from sniff |
| TransferExit (SID 0x37) | implemented from sniff |
| Checksum validation (StartRoutine 0xC5, sum-of-bytes) | **verified** against bin file |
| Read flow | NOT IMPLEMENTED (no read sniffs yet) |
| GUI | NOT IMPLEMENTED — CLI only |
Calibration regions (the only parts a normal flash writes):

- calA: 0x180000..0x1BFFFF (256 KB)
- calB: 0x1C0000..0x1FDFFF (248 KB)

Bootloader and main code are NEVER touched during a calibration write. This makes EDC16 inherently safer than ME7 cross-flashing.

Wire framing: always physically-addressed (80 10 F1 ...). No Bosch extended-short-form like ME7 uses.

Programming baud: 38400 (auto-baud after 10 85 50)

Chunk size: configurable 128–254 bytes per TransferData frame. The ECU advertises its max block in the RequestDownload response.

Security Access L1: SAME algorithm as ME7 (NefMoto 5-round XOR/rotate), just with KEY = 0x0A221289 (table[0]) instead of ME7's 0x5FBD5DBD (table[63]).

Security Access L2: key = seed + 0x00002FC9 (32-bit big-endian). Required only for read operations. Not all ECU variants implement it.

Checksum: simple sum-of-bytes mod 65536, NOT CRC-32 (which is what ME7 uses)

Flash counter: ECU stores a session counter at offset 18-22 of the ReadECUID 0x9B response. The erase command must include 00 [N+1] [N+1] 00 00 [N] in the trailer, where N is the current counter. The ECU rejects mismatches.

Read protocol (Kess-verified):

1. L1 + L2 security unlock
2. 10 86 diagnostic session (stays at 10400 baud — no switch)
3. RequestUpload with format 0x00 (plaintext, not encrypted)
4. TransferData using bare non-addressed framing (01 36 37)
5. Data returned as raw plaintext — no LFSR decryption needed
6. Some ECUs require a small prerequisite read (256 bytes from 0x1C0000) before the main 516 KB read from 0x180000
Logged
If you are broke or expecting free handouts DO NOT message me. I'll probably put you on blast if you do.
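The following is an added example, not the poster's tool and not code from any project the post names. It turns the parts of the post that are fully specified into runnable helpers: the physically-addressed KWP2000 framing (80 10 F1 ...), the Security Access L2 key (seed + 0x2FC9, 32-bit big-endian), the erase routine's flash-counter trailer (00 [N+1] [N+1] 00 00 [N]), 128-byte TransferData chunking, and the sum-of-bytes mod 65536 checksum that StartRoutine 0xC5 validates. The L1 (NefMoto 5-round) algorithm is deliberately not implemented here. Everything not stated in the post is an assumption and marked as such in the comments: that the counter byte the trailer uses is the first byte at offset 18 of the 5A 9B response, that the trailer directly follows the 0xC4 routine id, that the checksum is sent big-endian, and that RequestDownload uses the standard KWP2000 layout 34 addr(3) fmt size(3). The sample ECUID response and image are constructed, not captured.

```python
"""EDC16 KWP2000 calibration-write helpers (added example, not the poster's tool)."""
import struct

ECU_ADDR = 0x10      # target address seen in the sniffed frames
TESTER_ADDR = 0xF1   # tester address seen in the sniffed frames
COUNTER_OFFSET = 18  # post: counter field starts at offset 18 of the 0x9B response


def kwp_frame(payload: bytes, target: int = ECU_ADDR, source: int = TESTER_ADDR) -> bytes:
    """Wrap a service payload as 80 <tgt> <src> <len> <payload> <cs>.
    cs is the 8-bit sum of every preceding byte (standard KWP2000 K-line checksum)."""
    if not 1 <= len(payload) <= 0xFF:
        raise ValueError("payload must be 1..255 bytes to fit the length byte")
    body = bytes([0x80, target, source, len(payload)]) + payload
    return body + bytes([sum(body) & 0xFF])


def kwp_parse(frame: bytes) -> tuple:
    """Check header, length byte and checksum; return (target, source, payload)."""
    if len(frame) < 5 or frame[0] != 0x80:
        raise ValueError("not a physically-addressed KWP2000 frame")
    if len(frame) != 4 + frame[3] + 1:
        raise ValueError("length byte does not match frame size")
    if sum(frame[:-1]) & 0xFF != frame[-1]:
        raise ValueError("checksum mismatch")
    return frame[1], frame[2], bytes(frame[4:-1])


def l2_key(seed: bytes) -> bytes:
    """Security Access L2 per the post: key = seed + 0x00002FC9, 32-bit big-endian.
    Assumption: the add wraps at 2**32 (the post does not cover overflow)."""
    (s,) = struct.unpack(">I", seed)
    return struct.pack(">I", (s + 0x2FC9) & 0xFFFFFFFF)


def flash_counter(ecuid_response: bytes) -> int:
    """Pull the session counter N out of a ReadECUID 0x9B positive response (5A 9B ...).
    Assumption: the trailer uses a single byte, so N is the byte at offset 18."""
    if len(ecuid_response) < COUNTER_OFFSET + 1:
        raise ValueError("response too short to contain the flash counter")
    return ecuid_response[COUNTER_OFFSET]


def erase_routine(counter: int) -> bytes:
    """StartRoutine (SID 0x31) routine 0xC4 with the trailer 00 [N+1] [N+1] 00 00 [N].
    Assumption: the trailer directly follows the routine id (the post gives only the trailer)."""
    n, n1 = counter & 0xFF, (counter + 1) & 0xFF
    return bytes([0x31, 0xC4, 0x00, n1, n1, 0x00, 0x00, n])


def cal_checksum(image: bytes) -> int:
    """Sum of bytes mod 65536, which the post says routine 0xC5 checks (not CRC-32)."""
    return sum(image) & 0xFFFF


def checksum_routine(image: bytes) -> bytes:
    """StartRoutine 0xC5 with the 16-bit checksum appended (assumed big-endian)."""
    return bytes([0x31, 0xC5]) + struct.pack(">H", cal_checksum(image))


def transfer_frames(image: bytes, chunk: int = 128) -> list:
    """Split an image into TransferData (SID 0x36) frames; chunk + SID must fit the
    length byte, which is why the post caps the chunk at 254."""
    if not 1 <= chunk <= 254:
        raise ValueError("chunk must be 1..254")
    return [kwp_frame(bytes([0x36]) + image[i:i + chunk])
            for i in range(0, len(image), chunk)]


def write_sequence(ecuid_response: bytes, image: bytes,
                   base_addr: int = 0x180000, chunk: int = 128) -> list:
    """Frames for a calibration write in the order of the post's status table:
    RequestDownload, erase (with counter), TransferData chunks, TransferExit, checksum.
    Assumption: RequestDownload is the standard KWP2000 34 addr(3) fmt=02 size(3)."""
    if not image:
        raise ValueError("empty image")
    req_dl = (bytes([0x34]) + base_addr.to_bytes(3, "big")
              + b"\x02" + len(image).to_bytes(3, "big"))
    frames = [kwp_frame(req_dl), kwp_frame(erase_routine(flash_counter(ecuid_response)))]
    frames += transfer_frames(image, chunk)
    frames.append(kwp_frame(b"\x37"))
    frames.append(kwp_frame(checksum_routine(image)))
    return frames


# Constructed sample data, not a capture: a 5A 9B response carrying N = 5 at
# offset 18, and a 1 KiB stand-in for a calibration block.
SAMPLE_ECUID = b"\x5A\x9B" + b"A" * 16 + bytes([5, 0, 0, 0]) + b"\x00" * 8
SAMPLE_IMAGE = bytes(range(256)) * 4

if __name__ == "__main__":
    for frame in write_sequence(SAMPLE_ECUID, SAMPLE_IMAGE)[:3]:
        print(frame.hex(" "))
    print(f"checksum 0x{cal_checksum(SAMPLE_IMAGE):04X}")
```

The framing helper is where a home-grown tool usually goes wrong first: the length byte counts only the service payload, and the checksum covers the format, address and length bytes too, so `kwp_parse` is worth running over your own sniffed frames before trusting anything built on top of it. The erase trailer is the one place the ECU will reject a frame that is otherwise well formed, so `flash_counter` should be read fresh from the 0x9B response on every session rather than cached.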