Topic: Connect through OBD, send/receive CAN messages, where does it all fall apart?
jamesconway

I saw a $200 J2534 MyGenius tool recently and I got inspired. It claims it can read + write from the latest and greatest Mercedes ECUs (Bosch MED17.7.5).

http://www.dimsport.it/en/my-genius/

Pretty much everything else online I see contradicts that. From $5k master/slave setups, buying an hour of time for access through Mercedes, etc.

Where does it fall apart in terms of simplicity:

1. Connect pins to CAN high/low in OBD-II port
2. Send/receive CAN messages following UDS

I've read about Seed/Key algorithms and I get how without the dump of the ECU firmware it'd be near impossible to brute force these days. What other modern protection methods are at play? I've heard about 1024-bit keys for BMW. TPROT, etc. When are all of those encountered through the process?

Is it just... start a UDS diagnostic session, request a seed, send back a key, and you can read/write to whatever region of memory you want? No, right? So, is it different for every manufacturer?
Logged
jamesconway

I'm obviously a noob but I'm a software engineer and I've done a bit of research trying to piece what is out there together.

I get that for some cars, this is a wide open field day. It takes little to no effort to tune an older car, etc.

I get that manufacturers are adding more and more levels of protection these days. I just don't understand where they fit into the flow/stack.

Is it possible to read an ECU over CAN through OBD-II ports for every single car these days? If not, why? What's different? Is it that some cars don't implement/speak UDS? Is it that some cars don't support CAN over OBD-II? Where do pins other than the CAN pins (like K-line) come into play?

Where does ECU password protection sit? What is TPROT and where does that sit in the flow of CAN -> UDS -> data? Is it an extension of CAN?
Logged
nyet

There is VERY little openly available information about this, every manufacturer does it differently, and every model year they do something different...
Logged

ME7.1 tuning guide (READ FIRST)
ECUx Plot
ME7Sum checksum checker/corrector for ME7.x

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience.
jamesconway

What is the general gist? Am I on the right track that it's UDS over CAN/K-line through the OBD-II port? Are there layers above UDS that are manufacturer specific? If you try to perform a diagnostic session then read the ECU... what happens? Do they just close down the access/not allow it?
Logged
jcsbanks

Compressed version for sw engineer and talking OBD access: UDS on CAN is ubiquitous on late models, but there are some others like KWP on CAN and TP2.0 on some earlier MED17. Reading with UDS commands is often not implemented or has restricted address ranges and session permissions protected by seed key challenges. When you can write, you often have private/public key based signature checks of a hash of the flashed segments before the ECU will run them.
Logged
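The read path described in the answer above, as an ECU-side simulation added here for illustration (not code from any poster, tool or ECU): it shows where the session check, the seed/key challenge and the address-range restriction each sit in a UDS exchange. The HMAC-based `expected_key`, `SECRET`, the readable window and the memory contents are constructed assumptions; real seed/key algorithms are manufacturer-specific, responses are simplified, and the signature check on flashed segments is not modelled.

```python
import hashlib, hmac, os

# Constructed values for this simulation; none come from a real ECU.
SECRET = b"constructed-demo-secret"
READABLE = range(0x1000, 0x1100)           # the only window reads may touch
NRC = {"unsupported": 0x11, "subfunc": 0x12, "bad_len": 0x13, "sequence": 0x24,
       "out_of_range": 0x31, "denied": 0x33, "invalid_key": 0x35,
       "not_in_session": 0x7F}

def expected_key(seed):
    # Stand-in for the manufacturer-specific seed/key algorithm (assumption).
    return hmac.new(SECRET, seed, hashlib.sha256).digest()[:4]

class SimulatedEcu:
    def __init__(self):
        self.session, self.seed, self.unlocked = 0x01, None, False

    def _neg(self, sid, name):
        return bytes([0x7F, sid, NRC[name]])   # negative response: 7F, SID, NRC

    def handle(self, req):
        sid = req[0] if req else 0x00
        if sid == 0x10 and len(req) == 2 and req[1] in (1, 2, 3):
            # DiagnosticSessionControl: any session change re-locks the ECU.
            self.session, self.seed, self.unlocked = req[1], None, False
            return bytes([0x50, req[1]])
        if sid == 0x27 and len(req) >= 2:      # SecurityAccess
            if self.session == 0x01:           # refused in the default session
                return self._neg(sid, "not_in_session")
            if req[1] == 0x01:                 # requestSeed: fresh random seed
                self.seed = os.urandom(4)
                return bytes([0x67, 0x01]) + self.seed
            if req[1] != 0x02:
                return self._neg(sid, "subfunc")
            if self.seed is None:              # sendKey without a pending seed
                return self._neg(sid, "sequence")
            self.unlocked = hmac.compare_digest(req[2:], expected_key(self.seed))
            self.seed = None                   # each seed is single-use
            return bytes([0x67, 0x02]) if self.unlocked else self._neg(sid, "invalid_key")
        if sid == 0x23:                        # ReadMemoryByAddress
            if len(req) != 5:                  # format byte, 2-byte addr, 1-byte size
                return self._neg(sid, "bad_len")
            if not self.unlocked:
                return self._neg(sid, "denied")
            addr, size = int.from_bytes(req[2:4], "big"), req[4]
            if (req[1] != 0x12 or size == 0 or addr not in READABLE
                    or addr + size - 1 not in READABLE):
                return self._neg(sid, "out_of_range")
            return bytes([0x63]) + bytes(a & 0xFF for a in range(addr, addr + size))
        return self._neg(sid, "unsupported")
```
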