nihalot
Full Member
Karma: +40/-3
 Offline
Posts: 116
|
 |
« on: July 22, 2016, 06:46:12 AM »
|
|
|
edc15vm+
presently i'm trying to decode how the immobilizer works.
The ECU sends a message on the CANBUS at id 010h
If the key is inserted, then the instrument cluster replies at 011h id and the car can be started. But if the correct key is not inserted, then the reply by instrument cluster at id 011h is wrong and the ECU sends another message at 010h id, to which also the reply is wrong and this repeats for some time after which immobilizer warning is activated and car cant be started.
this is a log from my car with correct key:
010;3E;18;F4;FC;F4;E9
011;F9;21;9B;0D;04;BA
another log:
010;BB;DD;B0;5B;F9;61
011;34;B7;4F;8F;34;65
The transponder in the key has a code stored in it. That is used by the instrument cluster to reply to the ECU.
How i think it works:
-ECU and cluster both have the code which is stored in the transponder.
-ECU sends a seed at id 010h
-cluster does some math with seed and transponder code, and replies at id 011h
-if correct key is inserted, the seed-key matches and car can be started.
can anyone confirm?
also can anyone give any pointers as to the math done by the cluster? Ive tried XOR,and,or but no success.
|
|
|
|
|
Logged
|
www.tangentmotorsport.commultimap/LC/rolling antilag for MED17/EDC17/MED9/EDC15 contact for reverse engineering services of any ECU/TCU
|
|
|
|
nubcake
|
|
« Reply #1 on: July 24, 2016, 04:02:19 PM »
|
|
|
If you started reversing the ECU code already, then it makes sense to find out there what exactly is happening.
Find CAN routines, find how 010 and 011 are handled.
Depending on what you're trying to achieve, it might be way easier to immo off than to reverse the whole algo.
|
|
|
|
|
Logged
|
|
|
|
nihalot
Full Member
Karma: +40/-3
Offline
Posts: 116
|
|
« Reply #2 on: August 16, 2016, 12:22:24 AM »
|
|
|
hi
thanks for the input
ive started disassembly of the ROM and have identified most of the subroutines but im not able to identify WFS routines as there is no document available. Has anyone done it on the me7? cause i believe they share the same immo algo(ive swapped diesel and petrol clusters with no issues, hence immo algo must be same on both ECUs)
regards and sorry for the late reply,was busy disassembling...
|
|
|
|
|
Logged
|
www.tangentmotorsport.commultimap/LC/rolling antilag for MED17/EDC17/MED9/EDC15 contact for reverse engineering services of any ECU/TCU
|
|
|
|
nubcake
|
|
« Reply #3 on: August 16, 2016, 04:18:51 PM »
|
|
|
Haven't bothered with immo routines themselves, but I think I have most of the CAN communication reversed. At least I was able to produce custom packets and so forth.  So I suggest you start with CAN communication routines and find out where and how are those immo packets handled. In fact, I might later on check my binary for them as well. I was relying heavily on CAN IDs from the FR. If there's a similar document for the EDC, you can try searching for known packet IDs, their contents - and build your idb around that. If it's not as documented, you probably can still try and utilize info from the ME7 - as I'm fairly sure that CAN communication is more or less standardized even between different ECU families. |
|
|
|
« Last Edit: August 21, 2016, 03:39:19 AM by nubcake »
|
Logged
|
|
|
|
EuroXs4
Full Member
Karma: +15/-31
Offline
Posts: 209
|
|
« Reply #4 on: August 18, 2016, 05:55:51 PM »
|
|
|
nihalot I dont understand why your going to such lengths to know what exactly what immobilizer is doing??Just curious as immobilizer could be very easily disabled to matched without much tools or knowledge.
|
|
|
|
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #5 on: August 18, 2016, 06:06:38 PM »
|
|
|
I applaud the technical curiosity.
The "I just want it fixed now, I don't care how it works" mentality is not always a good thing.
|
|
|
|
|
Logged
|
|
|
|
|
k0mpresd
|
|
« Reply #6 on: August 18, 2016, 06:42:24 PM »
|
|
|
I applaud the technical curiosity.
The "I just want it fixed now, I don't care how it works" mentality is not always a good thing.
i wish i was smart enough to understand all of it. it is all so very interesting. |
|
|
|
|
Logged
|
|
|
|
|
Carsinc
|
|
« Reply #7 on: August 18, 2016, 10:22:36 PM »
|
|
|
i wish i was smart enough to understand all of it. it is all so very interesting.
Dude thats how i feel all the time I'm on here. |
|
|
|
|
Logged
|
|
|
|
nihalot
Full Member
Karma: +40/-3
Offline
Posts: 116
|
|
« Reply #8 on: August 21, 2016, 11:47:38 AM »
|
|
|
nihalot I dont understand why your going to such lengths to know what exactly what immobilizer is doing??Just curious as immobilizer could be very easily disabled to matched without much tools or knowledge.
I want to design a remote start/stop system and i don't like the idea of disabling immo/keeping key under dash. so I'm going to have a "man in the middle" attack on immo(using a MCU on canbus). I applaud the technical curiosity.
The "I just want it fixed now, I don't care how it works" mentality is not always a good thing.
appreciate the compliment. regards |
|
|
|
|
Logged
|
www.tangentmotorsport.commultimap/LC/rolling antilag for MED17/EDC17/MED9/EDC15 contact for reverse engineering services of any ECU/TCU
|
|
|
nihalot
Full Member
Karma: +40/-3
Offline
Posts: 116
|
|
« Reply #9 on: August 21, 2016, 11:51:38 AM »
|
|
|
Haven't bothered with immo routines themselves, but I think I have most of the CAN communication reversed. At least I was able to produce custom packets and so forth. So I suggest you start with CAN communication routines and find out where and how are those immo packets handled. In fact, I might later on check my binary for them as well. I was relying heavily on CAN IDs from the FR. If there's a similar document for the EDC, you can try searching for known packet IDs, their contents - and build your idb around that. If it's not as documented, you probably can still try and utilize info from the ME7 - as I'm fairly sure that CAN communication is more or less standardized even between different ECU families. thanks for your help, I was able to identify how the canbus messages are handled and have identified the immo message routine also... I had to use a RAM dumper made by @john9357 and we were able to see how the message ids 0x010h and 0x011h were handled by the ECU regards |
|
|
|
|
Logged
|
www.tangentmotorsport.commultimap/LC/rolling antilag for MED17/EDC17/MED9/EDC15 contact for reverse engineering services of any ECU/TCU
|
|
|
EuroXs4
Full Member
Karma: +15/-31
Offline
Posts: 209
|
|
« Reply #10 on: August 28, 2016, 08:30:56 AM »
|
|
|
I want to design a remote start/stop system and i don't like the idea of disabling immo/keeping key under dash.
so I'm going to have a "man in the middle" attack on immo(using a MCU on canbus).
appreciate the compliment.
regards
You don't need to have a physical key under dash all you need is the immobilizer pill next to the antenna/reader.This is how it's supposed to be done.But ok if that's what your set on keep at it. Sent from my iPhone using Tapatalk |
|
|
|
|
Logged
|
|
|
|
nihalot
Full Member
Karma: +40/-3
Offline
Posts: 116
|
|
« Reply #11 on: October 13, 2016, 11:28:25 PM »
|
|
|
That is a workaround.
You loose immo functanality by doing that...
|
|
|
|
|
Logged
|
www.tangentmotorsport.commultimap/LC/rolling antilag for MED17/EDC17/MED9/EDC15 contact for reverse engineering services of any ECU/TCU
|
|
|
sjscirocco3
Newbie
Karma: +1/-0
Offline
Posts: 2
|
|
« Reply #12 on: October 14, 2016, 01:36:56 PM »
|
|
|
|
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #13 on: October 15, 2016, 09:52:25 AM »
|
|
|
That is a workaround.
You loose immo functanality by doing that...
But who cares? Immo off the ECU, build in the immo pill so the cluster is happy. Then add a custom code routine to allow or not allow start based on a condition YOU specify. You can make it as difficult as CAN or you can make it as simple as an analog input to an unused pin of your ECU from your keyless controller. Hell, you can even do it without any code in the ECU by just shorting the RPM signal to ground with your MCU if the key is not found - but that will produce a DTC. Your approach is an extreme waste of time for absolutely no reason... |
|
|
|
|
Logged
|
|
|
|
|
nubcake
|
|
« Reply #14 on: October 15, 2016, 01:29:53 PM »
|
|
|
Your approach is an extreme waste of time for absolutely no reason... Well, his approach has at least one legit reason - learning c167 asm. |
|
|
|
|
Logged
|
|
|
|
|
