Topic: MPPS- EDC17C46 Read log (Read 40708 times)
prj
« Reply #30 on: June 22, 2017, 12:46:10 AM »

> Thanks!! The FR doesn't have a lot of info on TPROT. Where did you read about this? Can you share the document?

There is no public document.

Simply put, the TPROT software side is: every file you load to the ECU is signed, and this digital signature is checked upon completion of the flash. If the signature does not match, the ECU will not go out of download mode.
Bypassing this check is done by exploiting the bootloader.

The hardware tprot password can also be bypassed using certain exploits, most notably voltage glitching on the flash power supply pin.

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
nihalot
« Reply #31 on: June 22, 2017, 01:34:50 AM »

Of course there's no public document... :D

Flash power supply on Tricore?

I did read about clock glitching but not specific to Tricore
In fact I haven't seen such an attack published on Tricore, if you have a source? Or personal experience?

www.tangentmotorsport.com

multimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15

contact for reverse engineering services of any ECU/TCU
aef
« Reply #32 on: June 22, 2017, 02:29:27 AM »

If I remember correctly, he is talking about voltage glitching. (for dumping, not flashing)
Can't verify at the moment.

https://www.youtube.com/watch?v=7t4paclIwuU
« Last Edit: June 22, 2017, 02:35:18 AM by aef »
prj
« Reply #33 on: June 22, 2017, 04:29:52 AM »

> If I remember correctly, he is talking about voltage glitching. (for dumping, not flashing)
> Can't verify at the moment.
>
> https://www.youtube.com/watch?v=7t4paclIwuU

If you can unprotect the flash you can both read and write it.
nihalot
« Reply #34 on: June 24, 2017, 03:56:30 AM »

Can't get it to work :/
So far I've tried
-ReadMemoryByAddress- NRC 31
-ReadDataByIdentifier- NRC 11
-RequestUpload- NRC 11
I'm trying to log 0xD0000000
Any other ideas?
« Last Edit: June 24, 2017, 04:13:27 AM by nihalot »
nubcake
« Reply #35 on: June 24, 2017, 05:06:00 PM »

> Can't get it to work :/
> So far I've tried
> -ReadMemoryByAddress- NRC 31
> -ReadDataByIdentifier- NRC 11
> -RequestUpload- NRC 11
> I'm trying to log 0xD0000000
> Any other ideas?

Find tester communication routines and see if they can be enabled/patched without too much hassle.
Using KWP? Diag access?

This thread suggests that RequestUpload should work.
nihalot
« Reply #36 on: June 24, 2017, 08:53:50 PM »

On that thread the edc17 is KWP
But mine is based on UDS

First DiagSession- 0x03
Then switched to 0x4F
This is the way MPPS does it and then it uses ReadMemoryByAddress(0x20000-0x6FFFF is only accepted, all other addresses give NRC 31 or NRC 13)
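
Added example, not part of any post in this thread and not code from MPPS or the ECU: a minimal simulated ECU-side handler for UDS ReadMemoryByAddress (service 0x23), showing where the negative response codes quoted above come from. It assumes the NRC values in the posts are hexadecimal, treats 0x20000-0x6FFFF as the only readable window (as reported in Reply #36), and uses a constructed memory image; the order of the range and security checks is this example's choice.

```python
# Negative response codes seen in the thread, with their ISO 14229 names.
NRC = {
    0x11: "serviceNotSupported",
    0x13: "incorrectMessageLengthOrInvalidFormat",
    0x31: "requestOutOfRange",
    0x33: "securityAccessDenied",
}

# Readable window reported in Reply #36; every other address is refused.
ALLOWED = [(0x20000, 0x6FFFF)]
# Constructed memory image so the example runs offline.
MEMORY = {addr: addr & 0xFF for addr in range(0x20000, 0x20010)}

SID_RMBA = 0x23


def negative(nrc: int) -> bytes:
    """Build the 3-byte negative response: 0x7F, rejected SID, NRC."""
    return bytes([0x7F, SID_RMBA, nrc])


def handle_read_memory(req: bytes, unlocked: bool) -> bytes:
    """Validate a ReadMemoryByAddress request the way a cautious ECU would."""
    if len(req) < 2 or req[0] != SID_RMBA:
        return negative(0x13)
    # addressAndLengthFormatIdentifier: high nibble = size bytes, low = address bytes
    size_len, addr_len = req[1] >> 4, req[1] & 0x0F
    if not (1 <= addr_len <= 4 and 1 <= size_len <= 2):
        return negative(0x13)
    if len(req) != 2 + addr_len + size_len:
        return negative(0x13)
    addr = int.from_bytes(req[2:2 + addr_len], "big")
    size = int.from_bytes(req[2 + addr_len:], "big")
    end = addr + size - 1
    # The whole block must sit inside an allowed window, not just its start.
    if size == 0 or not any(lo <= addr and end <= hi for lo, hi in ALLOWED):
        return negative(0x31)
    if not unlocked:  # SecurityAccess not completed for this session
        return negative(0x33)
    return bytes([0x63]) + bytes(MEMORY.get(a, 0xFF) for a in range(addr, addr + size))


def explain(resp: bytes) -> str:
    """Human-readable summary of a response, for logs."""
    if resp[0] == 0x7F:
        return f"NRC 0x{resp[2]:02X} {NRC.get(resp[2], 'unknown')}"
    return f"positive, {len(resp) - 1} bytes"
```

With this model, a request for 0xD0000000 is answered with NRC 0x31 regardless of security state, because the address is outside the allowed window.
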
jcsbanks
« Reply #37 on: June 29, 2017, 01:55:43 AM »

You could try CCP to read. Or if you can already flash it you can unlock ranges.
terminator
« Reply #38 on: July 13, 2017, 01:07:00 AM »

I think flashing needs another seed/key; level 3 is only for read.

I wonder why CMD and KESS do not read this ECU? What about EDC17CP20? Can it be read this way too?

About voltage... only some Hitachi ECUs will not allow read/write while low voltage... Other ECUs work fine even with 8v.
nihalot
« Reply #39 on: July 13, 2017, 02:30:39 AM »

Level 1/2 are also needed for the RAM log I suppose
So now I'm making an ECU simulator to get seed/key from MPPS
nihalot
« Reply #40 on: July 13, 2017, 04:02:09 AM »

Just finished with EDC16 ECU simulator on Arduino (pretty easy to make, only need to respond to ECU ident services and then respond with a key of your own - inspired by Basano's thread :) )

Level1/2 is very similar to MED9

Left shift 5 times. If carry is set at any shift, XOR with 0x0A221289
« Last Edit: July 13, 2017, 04:04:11 AM by nihalot »
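
Added example, not part of the post and not code from any tool or ECU: the shift/XOR step described in Reply #40, written out to show that it is a keyless, GF(2)-linear transform, next to a hypothetical HMAC-based challenge-response that depends on a per-ECU secret. The 32-bit register width and applying the XOR right after each shift that carries out are assumptions; `new_seed`, `hmac_key` and `ecu_verify` are illustrative names.

```python
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF
XOR_CONST = 0x0A221289  # constant quoted in the post


def shift_xor_key(seed: int, rounds: int = 5) -> int:
    """Keyless transform from the post; the 32-bit width is an assumption."""
    key = seed & MASK32
    for _ in range(rounds):
        carry = key >> 31              # bit shifted out of the register
        key = (key << 1) & MASK32
        if carry:
            key ^= XOR_CONST
    return key


def is_linear(trials: int = 1000) -> bool:
    """True if f(a ^ b) == f(a) ^ f(b) held for every random pair tried."""
    for _ in range(trials):
        a, b = secrets.randbits(32), secrets.randbits(32)
        if shift_xor_key(a ^ b) != shift_xor_key(a) ^ shift_xor_key(b):
            return False
    return True


# Hardened contrast (hypothetical design): unpredictable seed, per-ECU secret.
def new_seed() -> bytes:
    return secrets.token_bytes(16)


def hmac_key(ecu_secret: bytes, seed: bytes) -> bytes:
    """Response depends on a secret that is not recoverable from the algorithm."""
    return hmac.new(ecu_secret, seed, hashlib.sha256).digest()


def ecu_verify(ecu_secret: bytes, seed: bytes, candidate: bytes) -> bool:
    # Constant-time compare; a real ECU would also rate-limit failed attempts.
    return hmac.compare_digest(hmac_key(ecu_secret, seed), candidate)
```

The first function contains no secret at all, so the access level it guards is only as private as the algorithm; the HMAC variant stays sound even when its algorithm is public.
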
prj
« Reply #41 on: August 09, 2017, 12:19:07 PM »

> I think flashing needs another seed/key; level 3 is only for read.
>
> I wonder why CMD and KESS do not read this ECU? What about EDC17CP20? Can it be read this way too?
>
> About voltage... only some Hitachi ECUs will not allow read/write while low voltage... Other ECUs work fine even with 8v.

Because there is in most cases no point to read any VAG ECU.
Take the VAG flash db and unpack the frf/sgo, job done.

I don't even read ME7/EDC15/EDC16, never mind the newer ones. There is simply no point to do so.
superglitch
« Reply #42 on: August 21, 2017, 08:01:31 PM »

The read process is also very long, VR is much easier.
aef
« Reply #43 on: August 22, 2017, 02:41:38 AM »

Can you describe what Virtual Read technically does?
Is it, "hey give me your id and I will download stock file from my database", or what?
terminator
« Reply #44 on: August 22, 2017, 04:44:28 AM »

> Because there is in most cases no point to read any VAG ECU.

I don't agree, because sometimes the car is already tuned and the customer wants to add DPF, EGR etc.
Not so long ago, a Porsche EDC17CP44 3.0TDI was tuned + DPF + EGR by someone for 1200eu.
CMD doesn't read it, only VR. The client would like to know what he paid 1200eu for. The reason he asked me to check it was EGR's DTC and no gain.
So I downloaded the ori file from the CMD server, tuned it and wrote it back... and the client is happy now, but what if he weren't? I can write back only the stock file. And this is a really big problem.
