Topic: EDC15 checksum disable
nihalot
« on: February 28, 2017, 12:40:02 PM »

So this is my 1st legit contribution to the community.

This post is to gauge the interest of the community in reversing EDC15. If people are interested, I will post tutorials on adding features such as multimap (not step by step, though).

link to my video: https://www.youtube.com/watch?v=7tuTOx9vNXM

Big thanks to @Tim and @nubcake for guiding me through my 1st RE project.

So the 1st problem I faced while injecting code into the file was that the checksum would be incorrect and the ECU would not boot. I tried several tools to correct the checksum, but it always resulted in a bad checksum.

There is a function in IROM that calculates the checksum of 0x10000-0x13FFF. I found this out by connecting a logic analyzer to the address pins of the flash chip and watching the boot sequence. (@john9357 thanks for doing this for me.)

As it's part of IROM, it cannot be disabled (IROM being mask memory). So the checksum of 0x10000-0x13FFF has to be correct no matter what.


sub_1584 is the checksum calculation function. r3 points to 0x10000 (the DPPs are set before this snippet of code) and r0 points to the end address, 0x14000. Just like the logic analyzer showed.

0x10000-0x13FFF contains code to initialize the ECU (check RAM, etc.) and calculate the checksum of the remaining flash and the EEPROM; if it is correct, the ECU executes the "einit" instruction and boots.

If there is a checksum fault, the ECU transmits a few bytes over K-line (if anyone is interested, I will post how this works) and stops booting.

As I knew that 0x10000-0x13FFF is a special area, I started analyzing it, and I found the remaining checksum functions as well.



As the flash is loaded at 0x80000, all addresses are offset by that much from the flash file.

The conditional jump only allows the ECU to boot if the checksum result is 0; otherwise the ECU jumps to location 2D6, which results in a software reset, as shown in the snippet.

All that was left was to change the conditional jumps to unconditional jumps, and the checksum function was disabled.




www.tangentmotorsport.com

multimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15

contact for reverse engineering services of any ECU/TCU
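An added example to go with the post above (my code, not nihalot's or anything from the ECU): a small Python patcher that takes an address from the disassembly, maps it into the raw flash dump using the 0x80000 window the post describes, decodes the branch there and rewrites it. It assumes the standard C166/C167 encodings (JMPR is `cc<<4 | 0xD` followed by a signed word displacement; JMPA is `EA`, `cc<<4`, 16-bit address; NOP is `CC 00`) and models nothing about the checksum routine itself. Which way to patch depends on which branch you are looking at: the branch that continues the boot path when the result is 0 becomes unconditional, while a branch that leads to the reset path when the result is non-zero must be removed (NOPed) instead, otherwise you would reset every time. The D33D search is only a byte-pattern scan (little-endian word assumed) for locating the running-checksum blocks mentioned later in the thread; their layout is not modelled. The sample image is constructed, not a real dump.

```python
"""Patch a C166/C167 conditional jump in a raw EDC15 flash dump.

Added example, not code from the original post.  Assumptions:
  * the dump is the raw flash image mapped at 0x80000, so
    file offset = address - FLASH_BASE;
  * the branch is a JMPR (cc<<4|0xD, rel8) or a JMPA (0xEA, cc<<4, addr16)
    in the standard C166 encoding; NOP is CC 00;
  * the checksum routine itself is not modelled, only the branch that
    decides whether the ECU continues booting.
"""

FLASH_BASE = 0x80000

# C166 condition codes: high nibble of the JMPR opcode / second byte of JMPA
CC_NAMES = {
    0x0: "cc_UC", 0x1: "cc_NET", 0x2: "cc_Z", 0x3: "cc_NZ",
    0x4: "cc_V", 0x5: "cc_NV", 0x6: "cc_N", 0x7: "cc_NN",
    0x8: "cc_C", 0x9: "cc_NC", 0xA: "cc_SGT", 0xB: "cc_SLE",
    0xC: "cc_SLT", 0xD: "cc_SGE", 0xE: "cc_UGT", 0xF: "cc_ULE",
}
NOP = bytes([0xCC, 0x00])
D33D_LE = bytes([0x3D, 0xD3])  # assumption: keyword stored little-endian


def addr_to_offset(addr: int) -> int:
    """Translate a disassembler address (flash at 0x80000) into a file offset."""
    if addr < FLASH_BASE:
        raise ValueError(f"{addr:#x} is below the flash window")
    return addr - FLASH_BASE


def decode_jump(img: bytes, off: int) -> dict:
    """Decode a JMPR or JMPA at file offset `off`; raise if it is neither."""
    b0 = img[off]
    if b0 & 0x0F == 0x0D:                          # JMPR cc, rel
        cc = b0 >> 4
        rel = img[off + 1]
        if rel >= 0x80:
            rel -= 0x100
        # rel counts words from the instruction following the JMPR
        target = off + 2 + 2 * rel
        return {"mnemonic": "JMPR", "cc": CC_NAMES[cc], "size": 2, "target": target}
    if b0 == 0xEA and img[off + 1] & 0x0F == 0:    # JMPA cc, caddr
        cc = img[off + 1] >> 4
        caddr = img[off + 2] | (img[off + 3] << 8)
        target = (off & ~0xFFFF) | caddr           # same 64K segment
        return {"mnemonic": "JMPA", "cc": CC_NAMES[cc], "size": 4, "target": target}
    raise ValueError(f"no JMPR/JMPA at file offset {off:#x}")


def patch_jump(img: bytes, off: int, mode: str) -> bytearray:
    """Return a patched copy of `img`.

    mode "always": force the branch (cc -> cc_UC).  For the branch that
                   continues the boot path when the checksum result is 0.
    mode "never":  replace the branch with NOPs.  For a branch that goes to
                   the reset/fault path when the result is non-zero.
    """
    info = decode_jump(img, off)
    out = bytearray(img)
    if mode == "always":
        if info["mnemonic"] == "JMPR":
            out[off] = 0x0D                        # cc_UC << 4 | 0xD
        else:
            out[off + 1] = 0x00                    # cc_UC in the high nibble
    elif mode == "never":
        out[off:off + info["size"]] = NOP * (info["size"] // 2)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    assert len(out) == len(img)                    # image size must not change
    return out


def find_keyword(img: bytes, word: bytes = D33D_LE) -> list:
    """File offsets of every occurrence of the keyword bytes."""
    hits, pos = [], img.find(word)
    while pos != -1:
        hits.append(pos)
        pos = img.find(word, pos + 1)
    return hits


# Constructed sample image (not a real dump): a "continue booting if result
# == 0" JMPR, a "go to reset if != 0" JMPA, and one D33D keyword.
SAMPLE = bytearray(0x200)
SAMPLE[0x120:0x122] = bytes([0x2D, 0x04])              # JMPR cc_Z, +4 words
SAMPLE[0x130:0x134] = bytes([0xEA, 0x30, 0xD6, 0x02])  # JMPA cc_NZ, 02D6h
SAMPLE[0x1A0:0x1A2] = D33D_LE


def demo() -> bytearray:
    """Apply both patch styles to the sample using disassembler addresses."""
    patched = patch_jump(SAMPLE, addr_to_offset(0x80120), "always")
    return patch_jump(patched, addr_to_offset(0x80130), "never")


if __name__ == "__main__":
    for off in (0x120, 0x130):
        print(f"{off + FLASH_BASE:#x}: {decode_jump(SAMPLE, off)}")
    print("D33D at", [hex(o) for o in find_keyword(SAMPLE)])
    print("patched:", demo()[0x120:0x122].hex(), demo()[0x130:0x134].hex())
```

Run it on a real dump by replacing `SAMPLE` with the file contents and the two addresses with the ones from your own disassembly; keep in mind that the IROM-verified 0x10000-0x13FFF region must still carry a correct checksum, so patches inside that window need the checksum corrected afterwards.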
prj
« Reply #1 on: February 28, 2017, 01:30:20 PM »

Well done.

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
nihalot
« Reply #2 on: March 01, 2017, 02:48:47 AM »

> Well done.

Thanks
Tim
« Reply #3 on: March 02, 2017, 10:19:35 AM »

Well done Nihalot, thanks for sharing your work, keep the posts coming.

turbojohan
« Reply #4 on: March 15, 2017, 12:32:01 AM »

Good work!
prj
« Reply #5 on: March 15, 2017, 02:53:38 AM »

Btw, I am pretty sure this does not disable checksums while the ECU is running...
Unless this function is called more than just at start, of course.
nihalot
« Reply #6 on: March 15, 2017, 03:18:48 AM »

> Btw, I am pretty sure this does not disable checksums while the ECU is running...
> Unless this function is called more than just at start, of course.

I haven't shown the entire function, just a part as an example.
Running checksums use the keyword D33D and have a similar layout. Those can also be disabled with unconditional jumps.
Teitek
« Reply #7 on: March 15, 2017, 07:17:48 AM »

Great work, thanks for sharing
Powerchips
« Reply #8 on: April 14, 2017, 02:05:08 PM »

I can try to run an EDC15P with the OLS300 emulator without checksum correction active. Not sure if EVC will allow me to try such a thing, but... it will save some hassle.
ecossetuning
« Reply #9 on: November 28, 2017, 02:14:08 PM »

Excellent post! I have just been setting up OLS300 and want to disable the checksum for live map changes. Can anyone help with this?
kennyspark8574
« Reply #10 on: December 16, 2017, 11:10:05 AM »

Hi, I know this is an old thread, but I'm wondering if anyone can help me. I loaded the IROM into IDA Pro and then loaded my additional binary (maps). IDA disassembles the IROM OK, but I need help converting the EXT memory to code. At loc_25e6, r3 points to 8000, but when I go to that address IDA does not disassemble it. Thanks.
unk972
« Reply #11 on: December 28, 2017, 05:12:40 AM »

Hello,

I've been on it for 6 hours and it's really difficult when you are a newbie with IDA Pro... (for the multimap)
What processor type do I need to use with EDC15P (Siemens C167)? Siemens C166 family, so C167CR_SR or C167CS?
Create a RAM section or a ROM section? 64K banks or not?
Too much information is missing... Thanks to the English community for its open-mindedness!
len1991
« Reply #12 on: April 10, 2018, 01:47:35 AM »

Hi everyone. I have a question: where can I find the IROM in EDC15P? EEPROM and FLASH are clear to me, but I have never heard of IROM.

Thanks for help.
Daniel
prj
« Reply #13 on: April 10, 2018, 04:02:29 AM »

Inside the processor of course. Read it out with minimon if you need it.
john9357
« Reply #14 on: April 10, 2018, 11:10:56 PM »

IROM is the same in all EDC15P/VM for me (read in 10 ECUs, always the same).