prj
« Reply #15 on: June 20, 2017, 10:55:14 AM »
Hmm, so you only attach a charger while in car flashing because of all the electrical loads?
I only attach a charger on those cars that turn fans on. And only because otherwise the car won't after. In fact the fan will cycle on/off due to the low voltage, and it will drop to even 8V but the ECU will not fail the flash. The ECU has very good voltage conditioning, you might want to read up on the ISO standards governing this. All this "must have x volts" is complete and utter bullshit repeated ad nauseam.
vwaudiguy
« Reply #16 on: June 20, 2017, 12:26:50 PM »
All this "must have x volts" is complete and utter bullshit repeated ad nauseam.
When using Nefmoto's flasher on certain cars, it will repeatedly fail to read/write until a battery charger is in place, then it's rock solid. Seen this many many times.
"If you have a chinese turbo, that you are worried is going to blow up when you floor it, then LOL."
chli1976
Jr. Member
Karma: +0/-0
Offline
Posts: 25
« Reply #17 on: June 20, 2017, 01:57:18 PM »
You cannot flash EDC17 OBD on bench with any tool because of active immo. Disable immo in eeprom or flash. No gateway needed.
For me it works only if immo is off in eeprom
prj
« Reply #18 on: June 20, 2017, 03:40:29 PM »
When using Nefmoto's flasher on certain cars, it will repeatedly fail to read/write until a battery charger is in place, then it's rock solid. Seen this many many times.
The reason for that is the power supply in the cable you are using to r/w it.
vwaudiguy
« Reply #19 on: June 20, 2017, 08:35:39 PM »
The reason for that is the power supply in the cable you are using to r/w it.
Thanks for the tip. I'll try and keep track of what cables this happens on.
nihalot
Full Member
Karma: +41/-3
Offline
Posts: 117
« Reply #20 on: June 20, 2017, 09:56:00 PM »
Even with the TPROT patch I'm getting only calibration area read over OBD. I assume even writes will be for calibration area. The FR mentions a memory protection module, "AccPr". Does anyone have more info on this? I would like full r/w access over OBD
www.tangentmotorsport.com
multimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15 contact for reverse engineering services of any ECU/TCU
prj
« Reply #21 on: June 20, 2017, 10:56:52 PM »
Even with the TPROT patch I'm getting only calibration area read over OBD. I assume even writes will be for calibration area. The FR mentions a memory protection module, "AccPr". Does anyone have more info on this? I would like full r/w access over OBD
You can do full write with and without TPROT on. TPROT never stops you writing, it stops the RSA check from passing post write.
nihalot
Full Member
Karma: +41/-3
Offline
Posts: 117
« Reply #22 on: June 20, 2017, 11:05:44 PM »
You can do full write with and without TPROT on. TPROT never stops you writing, it stops the RSA check from passing post write.
Thanks!! The FR doesn't have a lot of info on TPROT. Where did you read about this? Can you share the document?
aef
« Reply #23 on: June 21, 2017, 01:52:26 AM »
Does this mean you can write tprot patched file via obd? No need to do the patching on the bench with ktag?
nihalot
Full Member
Karma: +41/-3
Offline
Posts: 117
« Reply #24 on: June 21, 2017, 01:54:16 AM »
Does this mean you can write tprot patched file via obd? No need to do the patching on the bench with ktag?
I think not, as the original code is still going to RSA the new uploaded binary
EDIT: How does flashing over OBD work on these ECUs? Is the flashing+TPROT code copied to RAM first? Or is this area not written(OTP)?
Also in my CAN read log, some of the multiframe messages are missing some sequences, example:
70.5250 7E8 20 00 00 00 00 00 00 00
70.5289 7E8 22 C3 05 D7 03 33 03 33
70.5329 7E8 23 03 33 03 00 00 00 00
70.5360 7E8 24 00 00 00 00 00 00 CD
70.5390 7E8 26 33 03 33 03 33 03 00
70.5419 7E8 27 00 00 00 00 00 00 00
70.5449 7E8 29 05 D7 03 33 03 33 03
70.5479 7E8 2B 00 00 00 00 00 CD 1C
70.5520 7E8 2C 66 16 C3 05 D7 03 33
70.5550 7E8 2E 00 00 00 00 00 00 00
70.5579 7E8 2F 00 CD 1C 66 16 C3 05
In above log, 21, 25, 28, 2A, 2D are missing... Is the Arduino too slow to handle logging? Or am I missing something in the protocol??
« Last Edit: June 21, 2017, 02:09:08 AM by nihalot »
|
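The gap check described in Reply #24 can be done mechanically. This is an added example, not part of the original thread: it assumes the capture is ISO 15765-2 (ISO-TP) segmented traffic, where a consecutive frame's first byte is 0x2N with N counting 0 to F and wrapping; the function names are illustrative.

```python
import re

# Frames copied from Reply #24: time, CAN ID, 8 data bytes.
LOG = """\
70.5250 7E8 20 00 00 00 00 00 00 00
70.5289 7E8 22 C3 05 D7 03 33 03 33
70.5329 7E8 23 03 33 03 00 00 00 00
70.5360 7E8 24 00 00 00 00 00 00 CD
70.5390 7E8 26 33 03 33 03 33 03 00
70.5419 7E8 27 00 00 00 00 00 00 00
70.5449 7E8 29 05 D7 03 33 03 33 03
70.5479 7E8 2B 00 00 00 00 00 CD 1C
70.5520 7E8 2C 66 16 C3 05 D7 03 33
70.5550 7E8 2E 00 00 00 00 00 00 00
70.5579 7E8 2F 00 CD 1C 66 16 C3 05
"""

LINE = re.compile(r"^\s*(\d+\.\d+)\s+([0-9A-Fa-f]{3,8})\s+((?:[0-9A-Fa-f]{2}\s*)+)$")

def find_gaps(log):
    """Return [(time, can_id, [missing PCI bytes])] for skipped consecutive frames."""
    expected, gaps = {}, []          # expected: CAN ID -> next sequence number
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                 # ignore anything that is not a frame line
        ts, can_id, data = float(m[1]), m[2].upper(), bytes.fromhex(m[3])
        kind, sn = data[0] >> 4, data[0] & 0x0F
        if kind == 0x1:              # first frame: next consecutive frame is SN 1
            expected[can_id] = 1
        elif kind == 0x2:            # consecutive frame
            want = expected.get(can_id)
            if want is not None and sn != want:
                # SN is modulo 16, so a loss of exactly 16 frames is invisible here.
                lost = (sn - want) & 0x0F
                gaps.append((ts, can_id, [0x20 | ((want + i) & 0x0F) for i in range(lost)]))
            expected[can_id] = (sn + 1) & 0x0F
        elif kind == 0x0:            # single frame: no transfer in progress
            expected.pop(can_id, None)
        # flow-control frames (0x3N) do not change the sequence state
    return gaps

def missing_pci(log):
    """Flatten find_gaps() into the list of missing first bytes, as hex strings."""
    return [f"{b:02X}" for _, _, miss in find_gaps(log) for b in miss]

if __name__ == "__main__":
    for ts, can_id, miss in find_gaps(LOG):
        print(f"{ts:.4f} {can_id}: missing " + " ".join(f"{b:02X}" for b in miss))
```

A receiver following ISO 15765-2 abandons a segmented message when a consecutive frame arrives out of sequence, so gaps that appear only in the capture usually mean the logger dropped frames.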
jcsbanks
Full Member
Karma: +19/-3
Offline
Posts: 146
« Reply #25 on: June 21, 2017, 08:19:27 AM »
The ECU ID in Generic mode log I recognise as CCP 2.1 with a variety of single byte downloads to the ECU. I don't know if this constitutes a loader of some kind in RAM that then gets executed? What is the functional purpose of obtaining the ECU ID? Is it later used in a flash protocol to bypass RSA checks?
jcsbanks
Full Member
Karma: +19/-3
Offline
Posts: 146
« Reply #26 on: June 21, 2017, 08:22:30 AM »
You cannot flash EDC17 OBD on bench with any tool because of active immo. Disable immo in eeprom or flash. No gateway needed.
Does this mean disable immo through an OBD flash and then bench flashes are possible? Is MED17 different? MEVD17 is.
nihalot
Full Member
Karma: +41/-3
Offline
Posts: 117
« Reply #27 on: June 21, 2017, 08:32:30 AM »
The ECU ID in Generic mode log I recognise as CCP 2.1 with a variety of single byte downloads to the ECU. I don't know if this constitutes a loader of some kind in RAM that then gets executed? What is the functional purpose of obtaining the ECU ID? Is it later used in a flash protocol to bypass RSA checks?
AFAIK, it is to obtain TPROT version and what MPPS says as "checking presence of DS check routine" <-- what is this??
nihalot
Full Member
Karma: +41/-3
Offline
Posts: 117
« Reply #28 on: June 21, 2017, 01:08:30 PM »
So... Finally got around to analyzing the seed key. It's same as on EDC16 for 03/04 seed/key... Key=Seed+0x2FC9 But MPPS always tries Key=Seed+0xA7C6 before trying the above(which is rejected), wonder why... Some more seed/key logs if anyone's interested:
Can anyone share an immo off solution? Would like to try the tougher seed/key for write...
« Last Edit: June 21, 2017, 01:11:04 PM by nihalot »
aef
« Reply #29 on: June 21, 2017, 11:42:13 PM »