nihalot
Full Member
Karma: +41/-3
 Offline
Posts: 117
|
 |
« on: June 19, 2017, 12:40:43 AM »
|
|
|
Attached is -read log with MPPS -ECU ID in generic mode with MPPS https://drive.google.com/file/d/0B6S55hndsVcLVHMtM0lCQTBpMzA/view?usp=sharing(Cant upload anything over 2MB?!) Does anyone have any info about TPROT patch on this ecu? Or a write log over CAN with another tool? I am also making a RAM logger for this ECU, so any info on seed/key algo will be helpful I am using an Arduino UNO+MCP2515/MCP2551 I intend to make everything open source, so please share only if you are okay with this... 03L 906 018 AB CFFB SW: 9041 HW: H27 TPROT- V7.00.01 |
|
|
|
« Last Edit: June 19, 2017, 12:46:01 AM by nihalot »
|
Logged
|
www.tangentmotorsport.commultimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15 contact for reverse engineering services of any ECU/TCU
|
|
|
|
aef
|
|
« Reply #1 on: June 19, 2017, 02:39:24 AM »
|
|
|
Dont you have KTAG, they have a build in patcher for tprot.
At least for EDC17C14, thats what i did lately.
|
|
|
|
|
Logged
|
|
|
|
nihalot
Full Member
Karma: +41/-3
Offline
Posts: 117
|
|
« Reply #2 on: June 19, 2017, 02:58:41 AM »
|
|
|
Dont you have KTAG, they have a build in patcher for tprot.
At least for EDC17C14, thats what i did lately.
I have clone version 2.13/6.070 I can't see the option anywhere... |
|
|
|
|
Logged
|
www.tangentmotorsport.commultimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15 contact for reverse engineering services of any ECU/TCU
|
|
|
|
aef
|
|
« Reply #3 on: June 19, 2017, 02:59:29 AM »
|
|
|
|
|
|
|
|
Logged
|
|
|
|
|
aef
|
|
« Reply #4 on: June 19, 2017, 03:05:02 AM »
|
|
|
The message body was left empty.
|
|
|
|
|
Logged
|
|
|
|
nihalot
Full Member
Karma: +41/-3
Offline
Posts: 117
|
|
« Reply #5 on: June 19, 2017, 03:06:33 AM »
|
|
|
can you post your file? I would like to investigate the change in IDA
|
|
|
|
|
Logged
|
www.tangentmotorsport.commultimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15 contact for reverse engineering services of any ECU/TCU
|
|
|
|
aef
|
|
« Reply #6 on: June 19, 2017, 03:19:50 AM »
|
|
|
PM'd you the files.
dont remember where the button was in ktag.
|
|
|
|
|
Logged
|
|
|
|
nihalot
Full Member
Karma: +41/-3
Offline
Posts: 117
|
|
« Reply #7 on: June 19, 2017, 03:30:43 AM »
|
|
|
Thanks! So it's not the 1st "3C 2B"... In your file it's 3rd and the same code is at the 2nd "3C 2B" pattern in my edc17c46... Will test if the solution works  Although I must investigate further, the consequences of this change  |
|
|
|
|
Logged
|
www.tangentmotorsport.commultimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15 contact for reverse engineering services of any ECU/TCU
|
|
|
nihalot
Full Member
Karma: +41/-3
Offline
Posts: 117
|
|
« Reply #8 on: June 19, 2017, 06:23:12 AM »
|
|
|
Ok, so TPROT is patched But MPPS can't flash it on the bench over OBD... NRC 7F 10 22 in the log I took Thats conditions not correct... Could be a lot of things from what I'm told... I'm guessing its missing CAN gateway/cluster Voltage is 12 using a SMPS Any ideas? Should I try emulating the cluster using the arduino? Or emulating the gateway? |
|
|
|
|
Logged
|
www.tangentmotorsport.commultimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15 contact for reverse engineering services of any ECU/TCU
|
|
|
|
cherry
|
|
« Reply #9 on: June 19, 2017, 04:44:31 PM »
|
|
|
You cannot flash EDC17 OBD on bench with any tool because of active immo. Disable immo in eeprom or flash. No gateway needed.
|
|
|
|
|
Logged
|
|
|
|
|
aef
|
|
« Reply #10 on: June 19, 2017, 10:10:43 PM »
|
|
|
...and voltage should be above 12v.
|
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #11 on: June 20, 2017, 12:33:09 AM »
|
|
|
...and voltage should be above 12v.
It will flash even with 8V. There is no voltage check and never has been. |
|
|
|
|
Logged
|
|
|
|
|
aef
|
|
« Reply #12 on: June 20, 2017, 12:39:01 AM »
|
|
|
Hmm, so you only attach a charger while in car flashing because of all the electrical loads?
|
|
|
|
|
Logged
|
|
|
|
nihalot
Full Member
Karma: +41/-3
Offline
Posts: 117
|
|
« Reply #13 on: June 20, 2017, 12:41:36 AM »
|
|
|
Yes, even I thought the same. On edc16 too, as far as I looked in the asm code, lot of things are checked but no voltage check...
Also, I have the ecu on bench with SMPS like I said in my post so no worries about other electrical loads
|
|
|
|
|
Logged
|
www.tangentmotorsport.commultimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15 contact for reverse engineering services of any ECU/TCU
|
|
|
|
overspeed
|
|
« Reply #14 on: June 20, 2017, 10:05:03 AM »
|
|
|
Just to help (if it does)
MED17.5.2 with Tprot10, read in boot, made OBD unlock and write, then tried to write another file by OBD and MPPS canĀ“t, takes only about 10 seconds and no start (Fans ON), had to recover with original KESS and original file...
|
|
|
|
|
Logged
|
|
|
|
|
