Topic: Simos MK7 logging
Pr3muToS
« Reply #30 on: May 06, 2020, 12:12:13 AM »

ah okay...

well this isn't really my job, if anyone is able to offer me this, please send me a PM
Nearly impossible to find interventions via VCDS on BT Setup. :-/
« Last Edit: May 06, 2020, 12:19:06 AM by Pr3muToS »
prj
« Reply #31 on: May 06, 2020, 02:43:02 AM »

Service $23 is present and can be invoked same as all the other UDS services.

But it always replies back with ‘Error – Conditions not correct’

The workaround is to jump over the condition checks at the start of the routine. This means patching the ASM to jump over these checks.


Or even better, implement your own service and get much faster logging speed.
I will release my logger this month. Wait a little more :)

PM's will not be answered, so don't even try.
Log your car properly.
Basano
« Reply #32 on: May 06, 2020, 03:14:38 AM »

Your own bespoke service ?!?!

Good grief man :D
Pr3muToS
« Reply #33 on: May 06, 2020, 03:16:37 AM »

Quote from: prj
Or even better, implement your own service and get much faster logging speed.
I will release my logger this month. Wait a little more :)

sounds good, keep me up to date
prj
« Reply #34 on: May 07, 2020, 12:45:09 AM »

Quote from: Basano
Your own bespoke service ?!?!

Good grief man :D


Why patch the (slow) mode 23, when you can just roll your own service and have ~2000 bytes/sec? :)
Pr3muToS
« Reply #35 on: May 08, 2020, 12:21:10 AM »

btw, has anybody ever tried to enable developer messages via GEKO?
Yesterday I got information that it's possible to enable developer messages for measurement on the CAN bus, but a FAZIT/GEKO account is needed (the account isn't the problem)
jamespinger
« Reply #36 on: October 04, 2020, 08:58:59 AM »

Quote from: prj
Why patch the (slow) mode 23, when you can just roll your own service and have ~2000 bytes/sec? :)

@prj, I'm assuming the "mode" you reference is the UDS diagnostic mode.
Much of this is outside my realm of expertise but I'm trying to come up to speed.

I've noticed that the Maestro "HSL" isn't using 23, but rather 2C. There's 0x10 and 0x4F sent (which I believe references "extended diagnostic session"?).

After that there's a level 3 security check that gets performed (seed response that you refer to somewhere else, followed by a simple summing of the seed and a predefined 4-byte array). Then 0x2C is sent followed by a list of all the memory addresses (and their lengths) to be logged. Is this a custom ASW patch that handles things, or is this the default extension of "read memory by address"? The UDS points to 2C being "dynamically defined data", and it does say it implements ReadMemoryByAddress.

Any way you can elaborate on what's going on? Or point me to where I can learn more (as the UDS documents I've found just reference how certain parameters are reserved, without actually stating what they do)?

Basano
« Reply #37 on: October 05, 2020, 02:22:00 AM »

Quote from: jamespinger
@prj, I'm assuming the "mode" you reference is the UDS diagnostic mode.
Much of this is outside my realm of expertise but I'm trying to come up to speed.

I've noticed that the Maestro "HSL" isn't using 23, but rather 2C. There's 0x10 and 0x4F sent (which I believe references "extended diagnostic session"?).

After that there's a level 3 security check that gets performed (seed response that you refer to somewhere else, followed by a simple summing of the seed and a predefined 4-byte array). Then 0x2C is sent followed by a list of all the memory addresses (and their lengths) to be logged. Is this a custom ASW patch that handles things, or is this the default extension of "read memory by address"? The UDS points to 2C being "dynamically defined data", and it does say it implements ReadMemoryByAddress.

Any way you can elaborate on what's going on? Or point me to where I can learn more (as the UDS documents I've found just reference how certain parameters are reserved, without actually stating what they do)?



$2C?

Which ECU ID (xxx906259xxx) are you looking at?

Agreed, $2C is the UDS service ‘Dynamically Define Data Identifier’ and if it was available then life would be simpler…

In the SIMOS 18.1 and 18.10 bins that I’ve been looking at, I only ever came across $22 (Read Data By Identifier) and $23 (Read Memory By Address). But $2C was just not there to start with. Not hidden, not deactivated, but really just not even there. There wasn’t even ASM code to implement it, at least that I could see...

And whilst $23 is at least there in the ASM, I had to patch it (by jumping over some conditional checks it does at the beginning of the routine, checks related to IMMO I think?) before it would work.

In the 18.1/18.10 bins you can find a table which shows what services are available and also where the ASM for that service starts. Strictly speaking there are two tables, one in ASW for the services when the ECU is running from ASW and second in CBOOT when the ECU is running from CBOOT.

(you might also notice that $35 ‘Request Upload’ is missing from CBOOT, which is why you can’t read stuff out and it’s always a virtual read instead)

Clearly you have gotten some working version of $2C, I am just curious how it was implemented if it was indeed on SIMOS 18...

Code:

5G0906259C_0002

ASW UDS Services

PFLASH:8005E498                 .word sub_801DC438
PFLASH:8005E49C                 .byte 0x10 <- $10 Diagnostic Session Control
PFLASH:8005E49D                 .byte 0x19
PFLASH:8005E49E                 .byte    0
PFLASH:8005E49F                 .byte    0
PFLASH:8005E4A0                 .word sub_801DC844
PFLASH:8005E4A4                 .byte 0x11 <- $11 ECU Reset
PFLASH:8005E4A5                 .byte 0x18
PFLASH:8005E4A6                 .byte    0
PFLASH:8005E4A7                 .byte    0
PFLASH:8005E4A8                 .word sub_801DBC50
PFLASH:8005E4AC                 .byte 0x19 <- $19 Read DTC Information
PFLASH:8005E4AD                 .byte 0x18
PFLASH:8005E4AE                 .byte    0
PFLASH:8005E4AF                 .byte    0
PFLASH:8005E4B0                 .word loc_801DC878
PFLASH:8005E4B4                 .byte 0x22 ; " <- $22 Read Data By Identifier
PFLASH:8005E4B5                 .byte 0x18
PFLASH:8005E4B6                 .byte    0
PFLASH:8005E4B7                 .byte    0
PFLASH:8005E4B8                 .word sub_801E494C
PFLASH:8005E4BC                 .byte 0x23 ; # <- $23 Read Memory By Address
PFLASH:8005E4BD                 .byte 0x10
PFLASH:8005E4BE                 .byte    0
PFLASH:8005E4BF                 .byte    0
PFLASH:8005E4C0                 .word loc_801E4AB0
PFLASH:8005E4C4                 .byte 0x27 ; ' <- $27 Security Access
PFLASH:8005E4C5                 .byte 0x10
PFLASH:8005E4C6                 .byte    0
PFLASH:8005E4C7                 .byte    0
PFLASH:8005E4C8                 .word loc_801E5004
PFLASH:8005E4CC                 .byte 0x28 ; ( <- $28 Communication Control
PFLASH:8005E4CD                 .byte 0x11
PFLASH:8005E4CE                 .byte    0
PFLASH:8005E4CF                 .byte    0
PFLASH:8005E4D0                 .word sub_801E511C
PFLASH:8005E4D4                 .byte 0x2E ; . <- $2E Write Data By Identifier
PFLASH:8005E4D5                 .byte 0x10
PFLASH:8005E4D6                 .byte    0
PFLASH:8005E4D7                 .byte    0
PFLASH:8005E4D8                 .word sub_801E597C
PFLASH:8005E4DC                 .byte 0x2F ; / <- $2F Input Output Control By Identifier
PFLASH:8005E4DD                 .byte 0x10
PFLASH:8005E4DE                 .byte    0
PFLASH:8005E4DF                 .byte    0
PFLASH:8005E4E0                 .word sub_801E5B1C
PFLASH:8005E4E4                 .byte 0x31 ; 1 <- $31 Routine Control
PFLASH:8005E4E5                 .byte 0x10
PFLASH:8005E4E6                 .byte    0
PFLASH:8005E4E7                 .byte    0
PFLASH:8005E4E8                 .word loc_801E6930
PFLASH:8005E4EC                 .byte 0x3E ; > <- $3E Tester Present
PFLASH:8005E4ED                 .byte 0x19
PFLASH:8005E4EE                 .byte    0
PFLASH:8005E4EF                 .byte    0
PFLASH:8005E4F0                 .word sub_801E6968
PFLASH:8005E4F4                 .byte 0x85 <- $85 Control DTC Setting
PFLASH:8005E4F5                 .byte 0x11
PFLASH:8005E4F6                 .byte    0
PFLASH:8005E4F7                 .byte    0

CBOOT UDS Services

PFLASH:80022DE0                 .word unk_D0013522
PFLASH:80022DE4                 .byte 0x10
PFLASH:80022DE5                 .byte 0x11
PFLASH:80022DE6                 .byte    0
PFLASH:80022DE7                 .byte    0
PFLASH:80022DE8                 .word unk_D0013990
PFLASH:80022DEC                 .byte 0x11
PFLASH:80022DED                 .byte 0x11
PFLASH:80022DEE                 .byte    0
PFLASH:80022DEF                 .byte    0
PFLASH:80022DF0                 .word unk_D0013A6E
PFLASH:80022DF4                 .byte 0x22 ; "
PFLASH:80022DF5                 .byte 0x10
PFLASH:80022DF6                 .byte    0
PFLASH:80022DF7                 .byte    0
PFLASH:80022DF8                 .word unk_D0014756
PFLASH:80022DFC                 .byte 0x27 ; '
PFLASH:80022DFD                 .byte    2
PFLASH:80022DFE                 .byte    0
PFLASH:80022DFF                 .byte    0
PFLASH:80022E00                 .word unk_D0014EFE
PFLASH:80022E04                 .byte 0x28 ; (
PFLASH:80022E05                 .byte 0x11
PFLASH:80022E06                 .byte    0
PFLASH:80022E07                 .byte    0
PFLASH:80022E08                 .word unk_D0014FB8
PFLASH:80022E0C                 .byte 0x2E ; .
PFLASH:80022E0D                 .byte 0x10
PFLASH:80022E0E                 .byte    0
PFLASH:80022E0F                 .byte    0
PFLASH:80022E10                 .word unk_D0015168
PFLASH:80022E14                 .byte 0x31 ; 1
PFLASH:80022E15                 .byte 0x10
PFLASH:80022E16                 .byte    0
PFLASH:80022E17                 .byte    0
PFLASH:80022E18                 .word unk_D0015798
PFLASH:80022E1C                 .byte 0x34 ; 4
PFLASH:80022E1D                 .byte 0x42 ; B
PFLASH:80022E1E                 .byte    0
PFLASH:80022E1F                 .byte    0
PFLASH:80022E20                 .word unk_D00158FC
PFLASH:80022E24                 .byte 0x36 ; 6
PFLASH:80022E25                 .byte 0x42 ; B
PFLASH:80022E26                 .byte    0
PFLASH:80022E27                 .byte    0
PFLASH:80022E28                 .word unk_D0015BBE
PFLASH:80022E2C                 .byte 0x37 ; 7
PFLASH:80022E2D                 .byte 0x42 ; B
PFLASH:80022E2E                 .byte    0
PFLASH:80022E2F                 .byte    0
PFLASH:80022E30                 .word unk_D0015C14
PFLASH:80022E34                 .byte 0x3E ; >
PFLASH:80022E35                 .byte 0x11
PFLASH:80022E36                 .byte    0
PFLASH:80022E37                 .byte    0
PFLASH:80022E38                 .word unk_D0015C4C
PFLASH:80022E3C                 .byte 0x85
PFLASH:80022E3D                 .byte 0x11
PFLASH:80022E3E                 .byte    0
PFLASH:80022E3F                 .byte    0
PFLASH:80022E40                 .word unk_D0015CD4
PFLASH:80022E44                 .byte 0x87
PFLASH:80022E45                 .byte    3
PFLASH:80022E46                 .byte    0
PFLASH:80022E47                 .byte    0

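The table layout in the listing above (per entry: a 4-byte handler pointer, the service ID, one flag byte, two zero bytes) can be walked mechanically, which is useful when you want to confirm which services a given build actually exposes rather than trusting a tool's UI. The Python below is an added example, not code from this thread or from any of the tools mentioned in it. It builds an in-memory stand-in for a flash dump out of the ASW entries transcribed from the 5G0906259C_0002 listing (the 0xFF filler around them is constructed), finds the table with the same "10 19 00 00" byte search that is suggested later in the thread, extends to the table's edges in both directions, and reports which standard services are present and which (here $2C and $35) have no dispatch entry at all. Little-endian byte order for the pointer, the plausible pointer range, and treating the flag byte as opaque are my assumptions.

```python
import struct

# Standard UDS service IDs (ISO 14229-1) for the services that appear in the listing.
UDS_SERVICES = {
    0x10: "DiagnosticSessionControl", 0x11: "ECUReset", 0x19: "ReadDTCInformation",
    0x22: "ReadDataByIdentifier", 0x23: "ReadMemoryByAddress", 0x27: "SecurityAccess",
    0x28: "CommunicationControl", 0x2C: "DynamicallyDefineDataIdentifier",
    0x2E: "WriteDataByIdentifier", 0x2F: "InputOutputControlByIdentifier",
    0x31: "RoutineControl", 0x34: "RequestDownload", 0x35: "RequestUpload",
    0x36: "TransferData", 0x37: "RequestTransferExit", 0x3E: "TesterPresent",
    0x85: "ControlDTCSetting", 0x87: "LinkControl",
}

# One 8-byte entry: little-endian handler pointer, service ID, flag byte, two zero bytes.
# Little-endian is assumed (TriCore); the flag byte is treated as opaque here.
ENTRY = struct.Struct("<IBBH")

# ASW entries transcribed from the 5G0906259C_0002 listing above: (handler, sid, flags).
ASW_TABLE = [
    (0x801DC438, 0x10, 0x19), (0x801DC844, 0x11, 0x18), (0x801DBC50, 0x19, 0x18),
    (0x801DC878, 0x22, 0x18), (0x801E494C, 0x23, 0x10), (0x801E4AB0, 0x27, 0x10),
    (0x801E5004, 0x28, 0x11), (0x801E511C, 0x2E, 0x10), (0x801E597C, 0x2F, 0x10),
    (0x801E5B1C, 0x31, 0x10), (0x801E6930, 0x3E, 0x19), (0x801E6968, 0x85, 0x11),
]


def build_image(entries, pad_before=64, pad_after=64):
    """Constructed stand-in for a flash dump: 0xFF filler, the table, more filler."""
    table = b"".join(ENTRY.pack(handler, sid, flags, 0) for handler, sid, flags in entries)
    return b"\xFF" * pad_before + table + b"\xFF" * pad_after


def entry_at(image, offset):
    """Decode the entry at offset, or return None if it does not look like one."""
    if offset < 0 or offset + ENTRY.size > len(image):
        return None
    handler, sid, flags, pad = ENTRY.unpack_from(image, offset)
    # Plausibility: zero padding, a known service ID, and a pointer somewhere in the
    # 0x8000_0000 (PFLASH) .. 0xD00x_xxxx (RAM) range seen in both listings (assumed).
    if pad != 0 or sid not in UDS_SERVICES or not 0x80000000 <= handler < 0xE0000000:
        return None
    return handler, sid, flags


def find_table(image, marker=b"\x10\x19\x00\x00"):
    """Search for '10 19 00 00' as the thread suggests, then extend to the table's edges."""
    idx = image.find(marker)
    if idx < 4 or entry_at(image, idx - 4) is None:
        return None
    start = idx - 4
    while entry_at(image, start - ENTRY.size) is not None:  # walk back to first entry
        start -= ENTRY.size
    entries, offset = [], start
    while (entry := entry_at(image, offset)) is not None:  # walk forward to the end
        entries.append(entry)
        offset += ENTRY.size
    return start, entries


def present_services(entries):
    """Map service ID -> (name, handler) for every entry found."""
    return {sid: (UDS_SERVICES[sid], handler) for handler, sid, _ in entries}


def missing_services(entries, wanted=(0x2C, 0x35)):
    """Which of the wanted services have no dispatch entry at all."""
    found = {sid for _, sid, _ in entries}
    return [sid for sid in wanted if sid not in found]


if __name__ == "__main__":
    start, entries = find_table(build_image(ASW_TABLE))
    print(f"table at image offset 0x{start:X}, {len(entries)} entries")
    for sid, (name, handler) in present_services(entries).items():
        print(f"  ${sid:02X} {name:<32} handler 0x{handler:08X}")
    absent = ", ".join(f"${sid:02X} {UDS_SERVICES[sid]}" for sid in missing_services(entries))
    print("no dispatch entry:", absent)
```

The marker search alone only lands you in the middle of the table, as the later post says; the backward walk is what finds the first entry, and the plausibility checks in entry_at are what stop the forward walk when the table ends, so the same routine works when the $10 entry is not the first one.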
jamespinger
« Reply #38 on: October 05, 2020, 03:40:07 AM »

Quote from: Basano
$2C?

Which ECU ID (xxx906259xxx) are you looking at?

I'm not looking at the bin, I'm looking at what Maestro is doing when you enter the logger. It's for the "Simos18HSL", and it appears to apply to the whole family (at least when looking at the switches).

 
Quote from: Basano
In the 18.1/18.10 bins you can find a table which shows what services are available and also where the ASM for that service starts. Strictly speaking there are two tables, one in ASW for the services when the ECU is running from ASW and second in CBOOT when the ECU is running from CBOOT.


Whereabouts are those tables (should they be in the same location in all the bins?). New to reversing, but your snippet shows 8005Exxx, the bins I have are nowhere near that long. Ghidra also doesn't have the definition for this processor so I'm using the 176x, so maybe it's not showing me everything correctly? If I know where to look for that table I can pull it out.
Basano
« Reply #39 on: October 05, 2020, 05:34:57 AM »

Quickest way is just to use a hex editor and search for a hex string like ’10 19 00 00’ or ‘11 18 00 00’. There’s only one occurrence (well for me at least), so when you find it you are in the middle of the table.

(I use IDA myself, just never got around to Ghidra)

I haven’t used / seen Maestro myself, so don’t know very much about it at all. How did you identify $2C? I assumed you used a CANBUS sniffer and saw the raw bytes being exchanged? Or does Maestro show some traffic log itself? If you are able to include a snippet of the log showing the exchange e.g. 10 4F, 27 aa bb cc dd, 2C xx xx xx xx etc it might be interesting to see if it’s really $2C or just some text saying $2C and the raw bytes are something else…
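Basano's request for the raw exchange (10 4F, 27 aa bb cc dd, 2C xx xx ...) is the right check, because what a tool's UI calls a service and the bytes that actually cross the bus can differ. The Python below is an added example, not code from this thread, from Maestro or from any other tool: it decodes a request/response log, labels positive and negative responses, extracts the address and length fields from $23 and $2C requests, and lists which service IDs really went out. The sample exchange is constructed to match the shape described in the thread and is not a capture from any ECU (the 0x4F session, seed and key bytes, address and DID values are all placeholders); the ">"/"<" direction markers and the space-separated hex format are my assumptions. It also shows how the negative response code 0x22 "conditionsNotCorrect" that prj reports for $23 looks on the wire.

```python
# Service and negative-response-code names from ISO 14229-1 (subset used below).
SERVICES = {
    0x10: "DiagnosticSessionControl", 0x22: "ReadDataByIdentifier",
    0x23: "ReadMemoryByAddress", 0x27: "SecurityAccess",
    0x2C: "DynamicallyDefineDataIdentifier", 0x3E: "TesterPresent",
}
NRC = {
    0x11: "serviceNotSupported", 0x12: "subFunctionNotSupported",
    0x13: "incorrectMessageLengthOrInvalidFormat", 0x22: "conditionsNotCorrect",
    0x33: "securityAccessDenied", 0x35: "invalidKey",
    0x7F: "serviceNotSupportedInActiveSession",
}
DDDI_SUB = {1: "defineByIdentifier", 2: "defineByMemoryAddress",
            3: "clearDynamicallyDefinedDataIdentifier"}

# Constructed exchange ('>' tester -> ECU, '<' ECU -> tester). NOT a real capture:
# the session byte, seed/key bytes, addresses and DIDs are made-up placeholders.
SAMPLE_LOG = """\
> 10 4F
< 50 4F 00 32 01 F4
> 27 03
< 67 03 11 22 33 44
> 27 04 AA BB CC DD
< 67 04
> 23 14 D0 00 12 34 02
< 7F 23 22
> 2C 02 F2 00 14 D0 00 12 34 02
< 6C 02 F2 00
> 22 F2 00
< 62 F2 00 1A 2B
"""


def parse_alfid(data):
    """addressAndLengthFormatIdentifier: high nibble = size byte count, low nibble = address byte count."""
    size_len, addr_len = data[0] >> 4, data[0] & 0x0F
    address = int.from_bytes(data[1:1 + addr_len], "big")
    size = int.from_bytes(data[1 + addr_len:1 + addr_len + size_len], "big")
    return address, size


def decode_request(data):
    sid = data[0]
    info = {"dir": "req", "sid": sid, "service": SERVICES.get(sid, "unknown")}
    if sid == 0x23:  # 23 <ALFID> <address> <size>
        info["address"], info["size"] = parse_alfid(data[1:])
    elif sid == 0x2C:  # 2C <sub> <DDDI> [<ALFID> <address> <size>]
        sub = data[1] & 0x7F
        info["subfunction"] = DDDI_SUB.get(sub, "unknown")
        info["did"] = int.from_bytes(data[2:4], "big")
        if sub == 2:
            info["address"], info["size"] = parse_alfid(data[4:])
    elif sid == 0x27:  # odd sub-function = requestSeed, the following even one = sendKey
        sub = data[1] & 0x7F
        info["subfunction"] = f"requestSeed({sub})" if sub % 2 else f"sendKey({sub})"
    elif sid in (0x10, 0x3E):
        info["subfunction"] = data[1] & 0x7F
    return info


def decode_response(data):
    if data[0] == 0x7F:  # negative response: 7F <request SID> <NRC>
        return {"dir": "rsp", "kind": "negative", "sid": data[1],
                "service": SERVICES.get(data[1], "unknown"),
                "nrc": data[2], "reason": NRC.get(data[2], "unknown")}
    sid = data[0] - 0x40  # positive response SID = request SID + 0x40
    return {"dir": "rsp", "kind": "positive", "sid": sid,
            "service": SERVICES.get(sid, "unknown"), "payload": data[1:].hex()}


def decode_log(text):
    decoded = []
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, _, hexpart = line.strip().partition(" ")
        data = bytes.fromhex(hexpart)  # fromhex ignores the spaces between bytes
        decoded.append(decode_request(data) if direction == ">" else decode_response(data))
    return decoded


def services_requested(decoded):
    """Which SIDs actually went out on the bus, regardless of what a tool's UI calls them."""
    return sorted({d["sid"] for d in decoded if d["dir"] == "req"})


def rejections(decoded):
    """(sid, reason) for every negative response, e.g. $23 refused with conditionsNotCorrect."""
    return [(d["sid"], d["reason"]) for d in decoded
            if d["dir"] == "rsp" and d["kind"] == "negative"]


if __name__ == "__main__":
    decoded = decode_log(SAMPLE_LOG)
    for d in decoded:
        print(d)
    print("services requested:", [f"${s:02X}" for s in services_requested(decoded)])
    print("rejections:", rejections(decoded))
```

Run against a real sniffer log, services_requested answers Basano's question directly (is $2C really on the bus, or only in the tool's label), and rejections shows whether the ECU is refusing $23 with 0x22 the way prj describes rather than with 0x11 serviceNotSupported, which would point to the service missing from the dispatch table altogether.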
jamespinger
« Reply #40 on: October 05, 2020, 06:34:03 AM »

I actually tried that but I can't seem to locate the table.  I'll look in the stock bin since it should be the same and I'll go from there.

Sent you a PM so we can stop clogging up this thread with back and forth.
prj
« Reply #41 on: October 05, 2020, 09:12:24 AM »

http://docs.vehical.net/logger

MEDC17, S18.1, S12, S18.10 implemented.

Approx. 20-30 Hz with 300 simultaneous 16-bit RAM cells logged.
sonique
« Reply #42 on: October 05, 2020, 09:52:27 AM »

read specifications, great app
but does not run on win7 64bit
only win10? :(
prj
« Reply #43 on: October 05, 2020, 10:21:23 AM »

Quote from: sonique
read specifications, great app
but does not run on win7 64bit
only win10? :(

Win7 has been EOL since January this year. It's dead, no more updates, no more downloads.
That said, if you spent even a moment reading the page, you would see that I wrote that Win7 will be supported, just not right now; it's still early beta.
jamespinger
« Reply #44 on: October 05, 2020, 10:44:08 AM »

Windows 10 is terrible, but get on a supported OS already...

Thanks PRJ - the tool is cool and no doubt accomplishes the high logging rate that's being discussed.  The page mentions bench, bflash, and PCMFlash.  PCMFlash is relatively cheap (though every time I've looked there's no SIMOS18 support). Are there other hobbyists out there actually spending for tools like bflash? Who is this targeted at?

I posted back to the thread to understand 'how' not 'whether' [it's possible].  I understand it's not doable without patching the ASW, I was curious if the things that I'm seeing mean there's patches already in place [in the software I'm running].