Author Topic: edc15 immobilizer  (Read 15124 times)
nihalot
Full Member
« Reply #15 on: October 17, 2016, 08:45:49 AM »

But who cares?

Me.

Well, his approach has at least one legit reason - learning c167 asm. :)

Also, to learn what engineers at Bosch thought when they designed this system.


I think these work by turning immo off, not by emulating the key or the dashboard.
I logged the RAM on my ECU and saw the area which contained IDs 10 and 11 (these are used for immo). Then you can trace which part of the program writes to these RAM locations, and you will have the code for the immo algo. I did this on the EDC15.
Let me know if you need any help.
Regards
www.tangentmotorsport.com

multimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15

contact for reverse engineering services of any ECU/TCU
H2Deetoo
Sr. Member
« Reply #16 on: October 19, 2016, 02:26:06 AM »

I am just curious about the following:

The cluster will send the correct 011h answer when it sees a valid transponder.
Does it actually use a value programmed in the transponder to generate the right response?
Or does it simply check if the transponder ID is stored in its list, and then generate the correct answer based on the other immo data (like CS, MAC, PIN, STATUS)?


Rgs H2Deetoo
nihalot
Full Member
« Reply #17 on: October 24, 2016, 09:48:36 PM »

> I am just curious about the following:
>
> The cluster will send the correct 011h answer when it sees a valid transponder.
> Does it actually use a value programmed in the transponder to generate the right response?
> Or does it simply check if the transponder ID is stored in its list, and then generate the correct answer based on the other immo data (like CS, MAC, PIN, STATUS)?
>
> Rgs H2Deetoo

I don't know how the transponder is handled as I haven't disassembled the instrument cluster...
Does anyone have any info on the Micronas chip in the instrument cluster? I would like to disassemble its firmware...
Regards
H2Deetoo
Sr. Member
« Reply #18 on: October 24, 2016, 11:06:53 PM »

Well, we know the transponder itself is not really needed, I mean the ECU can validate the correct answer only using its 6-byte CS (and MAC and/or PIN perhaps).
So the rest is don't care as far as this immo challenge goes.


Rgs H2Deetoo