Pages: [1]
Author Topic: MED17.5 Immo Question  (Read 8545 times)
de_F
Newbie
*

Karma: +13/-0
Offline Offline

Posts: 22


« on: December 04, 2018, 10:10:45 AM »

Like most, I'm trying to play around a bit with a bench ECU. I managed to get some basic things done like read a part of the ECU flash with KWP protocol. (wrote it up in the datalogging forum if anyone is interested)
I wanted to venture a bit further and try a download command. But sadly that doesn't work on a bench ECU with the Immo on.
I found an example with Immo On and Immo Off in the e2p. But as written elsewhere here on this forum, without the calculation/algo behind it, it is pretty useless to try and disable the IMMO myself on my own bench ECU, I'm not skilled enough to reverse the code on IDA and I realize I won't learn anything out of a single example.
So except for trying all 255 remaining possibilities, I am left asking if anyone would be so kind as to give a pointer on how this calculation works. I know there are a bunch of cheap tools on ebay to do this or I could pay someone to do this, but I am really just curious about the method used behind these calculations.

I suspect the change has to be made at 0x8A , 0x10A, 0x18A and the other 6 identical locations in the E2P that is attached. followed by the Checksum correction ofcourse.

Any help or pointer is most appreciated.
Logged
_nameless
Hero Member
*****

Karma: +342/-466
Offline Offline

Posts: 2802



« Reply #1 on: December 04, 2018, 03:54:08 PM »

here use this to compare to your original
Logged

Giving your mom a tuneup
de_F
Newbie
*

Karma: +13/-0
Offline Offline

Posts: 22


« Reply #2 on: December 04, 2018, 09:32:31 PM »

Hello Marty, first of all, thanks a lot for the help. For those wondering, his Immo-Off solution works.

Quick analysis shows that the location for the actual Immo Off switching was correct at locations 0x8A, 0x10A, 0x18A and so on.
Out of the 2 examples I now have, I came to the conclusion that even brute-force "testing" could yield results quickly since in none of my examples on MED9.1 or MED17.5 the new digit seems to be more than 3h difference from the original (up or down).
 
Amended after receiving information from a forum member below.

digit location 0x8A, 0x10A, 0x18A and all other copies of this string (mind you they could be at a different location in your file, just try and match it with this example file)

Take that number and get turn it in bits.
Example 0x20 would be 0010 0000 in bit. Now XOR it with 0x3 which is 0000  0011
And you get

0010 0000
0000 0011
——————-
0010 0011

Result is 0x23. So now we replace 0x20 with 0x23 and we should have an Immo off E2P.
The checksums will have to be corrected aswel ofcourse.
« Last Edit: December 05, 2018, 08:47:49 PM by de_F » Logged
gt-innovation
Sr. Member
****

Karma: +60/-91
Offline Offline

Posts: 449


« Reply #3 on: December 05, 2018, 03:36:44 AM »

The SIA = Supervisor immobiliser authority is the Module that you need to study on to get a good grasp of what is going on.

A lot of things could be done from mpc as well...

Now unfortunately the development team of this module was different and everything that has to do with extended information for it is not described in the FR/FDEF.

SIA_Core_C (), SIA_Core_C (), SIA_Core_F (), SIA_EMSIFC ()

That doesn`t mean though that you can`t understand most of the things that are being done including
the encryption function _EECrF5_pfn. To get bench flashing capabilities without the boot mode procedure i suppose that forcing the following conditions might help.

Per A2l on Med17.5.5

  Sia_Adapt
      B_ecudev
      B_ecudevsia
      B_nlwfs

As for the immobilizer blocking the flash programing while active look for Sia_bFshPrgLck . Flash over obd worked fine for me while ecu was in, but maybe there are variants out there that might need some different approach.

To bypass the main function that stops car from starting is only 2 consecutive lines of code that have to be replaced and it is easy to find them.

« Last Edit: December 05, 2018, 06:15:44 AM by gt-innovation » Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #4 on: December 05, 2018, 07:03:31 AM »

Most tools simply do some XOR with 0x03 on the location where the immo status is stored.
This will invert the lower 2 bits and always results in "immo off" value.
It's just a quick hack.

Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #5 on: December 05, 2018, 07:04:24 AM »

Have you been able to read eeprom by OBD for (M)EDC17 ?
Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #6 on: December 05, 2018, 07:20:28 AM »

Btw, MEDC17 eeprom consists of blocks.
Blocks 0008, 0009 and 000A consist of immo data.
These blocks have also got 2 checksums, both are explained on this forum already.
Logged
de_F
Newbie
*

Karma: +13/-0
Offline Offline

Posts: 22


« Reply #7 on: December 05, 2018, 08:54:46 AM »

All great info guys. Remember that what might look simple for you, might be complicated for people with a different background, or hobbyists like myself. So any info is more than welcome.  Smiley
Logged
de_F
Newbie
*

Karma: +13/-0
Offline Offline

Posts: 22


« Reply #8 on: December 05, 2018, 10:33:54 AM »

Most tools simply do some XOR with 0x03 on the location where the immo status is stored.
This will invert the lower 2 bits and always results in "immo off" value.
It's just a quick hack.

That would explain why my examples were always either 1 or 3 (up or down) Was over analyzing this apparently.
Logged
gt-innovation
Sr. Member
****

Karma: +60/-91
Offline Offline

Posts: 449


« Reply #9 on: December 07, 2018, 11:22:18 AM »

That would explain why my examples were always either 1 or 3 (up or down) Was over analyzing this apparently.

If you still have problems flashing the car in bench let me know so i can enable/disable those functions for you.
« Last Edit: December 08, 2018, 01:23:37 PM by gt-innovation » Logged
de_F
Newbie
*

Karma: +13/-0
Offline Offline

Posts: 22


« Reply #10 on: December 08, 2018, 04:07:46 AM »

If you still have problems flashing the car in bench let me know so i can enable those functions for you.

Thx for the offer. Works perfect now though. Will give it a try with those conditions/functions set aswel.
Logged
gt-innovation
Sr. Member
****

Karma: +60/-91
Offline Offline

Posts: 449


« Reply #11 on: December 12, 2018, 04:53:17 AM »

Forcing the ecu with those conditions removes the epc fault dtc for sure and starts the car as i have already tested that on my own car.
Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.018 seconds with 16 queries. (Pretty URLs adds 0s, 0q)