Pages: [1]
Author Topic: MEDC17 CCP service configuration bytes  (Read 22082 times)
Sr. Member

Karma: +60/-90
Offline Offline

Posts: 449

« on: February 13, 2019, 11:43:42 AM »

I have been trying to access ccp protocol with with asap2demo but due to incorrect/discarded seed.dll
asap2demo does not request a get seed command to unprotect daq so just right after that i get disconnected.


57.472    ← 7C4    8    62    RES(OK)    FF 00 3E 81 00 00 1A 80    ..>.....
58.251    → 7C3    4    63    Connect    01 3F 01 AD    .?..
58.255    ← 7C4    8    63    RES(OK)    FF 00 3F 81 00 00 1A 80    ..?.....
58.255    → 7C3    2    64    GetSStatus    0D 40    .@
58.259    ← 7C4    8    64    RES(OK)    FF 00 40 00 00 00 1A 80    ..@.....
58.259    → 7C3    4    65    GetCCPVersion    1B 41 02 01    .A..
58.263    ← 7C4    8    65    RES(OK)    FF 00 41 02 01 00 1A 80    ..A.....
58.263    → 7C3    2    66    ExchangeID    17 42    .B
58.267    ← 7C4    8    66    RES(OK)    FF 00 42 04 02 43 43 80    ..B..CC.
58.267    → 7C3    3    67    Upload    04 43 04    .C.
58.271    ← 7C4    8    67    RES(OK)    FF 00 43 33 BB AA 55 80    ..C3..U.
58.271    → 7C3    3    68    SetSStatus    0C 44 81    .D.
58.275    ← 7C4    8    68    RES(OK)    FF 00 44 33 BB AA 55 80    ..D3..U.
58.275    → 7C3    2    69    GetActiveCALPage    09 45    .E
58.279    ← 7C4    8    69    RES(OK)    FF 00 45 00 00 00 1A 80    ..E.....
59.311    → 7C3    2    70    GetSStatus    0D 46    .F
59.315    ← 7C4    8    70    RES(OK)    FF 00 46 81 00 00 1A 80    ..F.....
xx.466    → 7C3    6    62    Disconnect    07 3E 01 00 01 AD    .>....

Non of the leaked *.dll including the dummy ones are accepted by asap2demo so my only option if we need to continue using
that software is to unprotect by default daq.

And here is where Ccp_conf_cs comes into play....

The Exchange ID command is responded with:
FF 00 45 04 02 43 43 00

According to the CCP our edc17 supports PGM, DAQ and CAL and all of them require the unlock procedure (0x43) which starts with

ccp_Getseed and continues with ccp_unlock.

Now since we don`t even get into that procedure we need to have them by default unlocked and from my understanding the
ccp_conf_cs includes that information:

.asw_const:80049EB8                 .global Ccp_conf_cs
.asw_const:80049EB8 Ccp_conf_cs     .word DAQ_Descriptor    ; DATA XREF: Ccp_Sess_Proc_Ini+16↓o
.asw_const:80049EB8                                         ; Ccp_Sess_Proc_Ini+28↓o
.asw_const:80049EBC                 .word DAQ_List
.asw_const:80049EC0                 .word Event_List
.asw_const:80049EC4                 .word CCP_Service
.asw_const:80049EC8                 .word MPL_List
.asw_const:80049ECC                 .byte 0xC4
.asw_const:80049ECD                 .byte    7
.asw_const:80049ECE                 .byte    0
.asw_const:80049ECF                 .byte    0
.asw_const:80049ED0                 .byte 0x4A ; J
.asw_const:80049ED1                 .byte    0
.asw_const:80049ED2                 .byte 0x4B ; K
.asw_const:80049ED3                 .byte    0
.asw_const:80049ED4                 .byte    3
.asw_const:80049ED5                 .byte    0
.asw_const:80049ED6                 .byte    1
.asw_const:80049ED7                 .byte    1
.asw_const:80049ED8                 .byte 0x43 ; C    <----------------------needs ccp_unlock
.asw_const:80049ED9                 .byte 0x43 ; C    <----------------------needs ccp_unlock
.asw_const:80049EDA                 .byte    0
.asw_const:80049EDB                 .byte    0

Now my question is simple...Has anyone found which value is need to have by default unprotected daq?
From further code inspection i beleive it is 0x40... Are even those what is needed ?

« Last Edit: February 13, 2019, 12:07:31 PM by gt-innovation » Logged
Sr. Member

Karma: +60/-90
Offline Offline

Posts: 449

« Reply #1 on: February 14, 2019, 08:23:37 AM »

Small update as the trail is long :

Ccp_SetConfiguration is setting the initial values for the ccp_exchangeid and those values are coming from Ccp_conf_ps

The complete procedure is handled by Ccp_Sess_Proc_Ini.

ccp_conf_ps gets the values from DAQ DEscriptor and here is the key to unlock completely the ccp service by default without the need of get_seed function

.asw_const:80049F7C                 .global DAQ_Descriptor
.asw_const:80049F7C DAQ_Descriptor  .byte  0xA              ; DATA XREF: .asw_const:Ccp_conf_cs↑o
.asw_const:80049F7D                 .byte    0
.asw_const:80049F7E                 .byte    0
.asw_const:80049F7F                 .byte    0
.asw_const:80049F80                 .byte 0x48 ; H
.asw_const:80049F81                 .byte 0x4D ; M
.asw_const:80049F82                 .byte    0
.asw_const:80049F83                 .byte 0xC0
.asw_const:80049F84                 .byte 0xFF
.asw_const:80049F85                 .byte 0xFF
.asw_const:80049F86                 .byte 0x4C ; L
.asw_const:80049F87                 .byte    0
.asw_const:80049F88                 .byte 0x55 ; U
.asw_const:80049F89                 .byte    0
.asw_const:80049F8A                 .byte    0
.asw_const:80049F8B                 .byte    0
.asw_const:80049F8C                 .byte  0xF
.asw_const:80049F8D                 .byte  0xA
.asw_const:80049F8E                 .byte    0
.asw_const:80049F8F                 .byte    0
.asw_const:80049F90                 .byte 0xD8
.asw_const:80049F91                 .byte 0x4E ; N
.asw_const:80049F92                 .byte    0
.asw_const:80049F93                 .byte 0xC0
.asw_const:80049F94                 .byte  0xA
.asw_const:80049F95                 .byte    0
.asw_const:80049F96                 .byte 0x56 ; V
.asw_const:80049F97                 .byte    0
.asw_const:80049F98                 .byte 0x59 ; Y
.asw_const:80049F99                 .byte    0
.asw_const:80049F9A                 .byte    0
.asw_const:80049F9B                 .byte    0
.asw_const:80049F9C                 .byte  0xF
.asw_const:80049F9D                 .byte 0x19
.asw_const:80049F9E                 .byte    0
.asw_const:80049F9F                 .byte    0
.asw_const:80049FA0                 .byte 0x30 ; 0
.asw_const:80049FA1                 .byte 0x51 ; Q
.asw_const:80049FA2                 .byte    0
.asw_const:80049FA3                 .byte 0xC0
.asw_const:80049FA4                 .byte 0x64 ; d
.asw_const:80049FA5                 .byte    0
.asw_const:80049FA6                 .byte 0x5A ; Z
.asw_const:80049FA7                 .byte    0
.asw_const:80049FA8                 .byte 0x5B ; [
.asw_const:80049FA9                 .byte    0
.asw_const:80049FAA                 .byte    0
.asw_const:80049FAB                 .byte    0

Sr. Member

Karma: +60/-90
Offline Offline

Posts: 449

« Reply #2 on: March 19, 2019, 05:18:23 AM »

Here is some useful info for those who do own an already ccp/xcp  activated medc17 ecu or those who are willing to try to activate such a function.I am still working on it as well and have walked my way through while getting closer and closer to have this functions working.

The services on some ecus are standing behind the security access 3/4 seedkey challenge algo however on some ecus the
ccp protocol once you activate development mode condition is responding for 4sec and then disconnects.

Now the easy part is to just force b_ecudev to active but this is not working on all ecus.There are also some codewords that require activation by definition with a certain value(Calwup_swtWakeupEnaCpl_C & Calwup_swtWakeupEna_C)

If you need to do this the right way you have to change the hardware number from Hxx to Yxx or Xxx(with or without etk probe) or hack the code to use H for development mode Smiley Smiley

If your calibration software provides seedkey.dll functionality but you also like to unlock ccp services by default then you need to find the mpl list and set the 0x43 to 0x00 to each function that is locked.

Here is a small example of my mpl list.

The CCP services are :

.sdata2:8008D8F0                 .word Ccp_DummyService
.sdata2:8008D8F4                 .word Ccp_Connect
.sdata2:8008D8F8                 .word Ccp_SetMTA
.sdata2:8008D8FC                 .word Ccp_Download
.sdata2:8008D900                 .word Ccp_Upload
.sdata2:8008D904                 .word Ccp_DummyService
.sdata2:8008D908                 .word Ccp_StartStop
.sdata2:8008D90C                 .word Ccp_Disconnect
.sdata2:8008D910                 .word Ccp_StartStopAll
.sdata2:8008D914                 .word Ccp_GetCalPage
.sdata2:8008D918                 .word Ccp_DummyService
.sdata2:8008D91C                 .word Ccp_DummyService
.sdata2:8008D920                 .word Ccp_SetSessStatus
.sdata2:8008D924                 .word Ccp_GetSessStatus
.sdata2:8008D928                 .word Ccp_BuildChecksum
.sdata2:8008D92C                 .word Ccp_ShortUpload
.sdata2:8008D930                 .word Ccp_DummyService
.sdata2:8008D934                 .word Ccp_SelectCalPage
.sdata2:8008D938                 .word Ccp_GetSeed
.sdata2:8008D93C                 .word Ccp_Unlock
.sdata2:8008D940                 .word Ccp_GetDaqSize
.sdata2:8008D944                 .word Ccp_SetDaqPtr
.sdata2:8008D948                 .word Ccp_WriteDaq
.sdata2:8008D94C                 .word Ccp_ExchangeId
.sdata2:8008D950                 .word Ccp_DummyService
.sdata2:8008D954                 .word Ccp_Move
.sdata2:8008D958                 .word Ccp_DummyService
.sdata2:8008D95C                 .word Ccp_GetVersion
.sdata2:8008D960                 .word Ccp_DummyService
.sdata2:8008D964                 .word Ccp_DummyService
.sdata2:8008D968                 .word Ccp_DummyService
.sdata2:8008D96C                 .word Ccp_DummyService
.sdata2:8008D970                 .word Ccp_DummyService
.sdata2:8008D974                 .word Ccp_DummyService
.sdata2:8008D978                 .word Ccp_DummyService
.sdata2:8008D97C                 .word Ccp_Download6

and the corresponding list to that services is :

.sdata2:8008F2E3 MPL_List        .byte    0              ; DATA XREF: .sdata2:8008D8D4↑o
.sdata2:8008F2E4                 .byte 0x43 ; C
.sdata2:8008F2E5                 .byte 0x43 ; C
.sdata2:8008F2E6                 .byte 0x43 ; C
.sdata2:8008F2E7                 .byte 0x43 ; C
.sdata2:8008F2E8                 .byte    0
.sdata2:8008F2E9                 .byte    2
.sdata2:8008F2EA                 .byte 0x43 ; C
.sdata2:8008F2EB                 .byte 0x43 ; C
.sdata2:8008F2EC                 .byte    1
.sdata2:8008F2ED                 .byte    0
.sdata2:8008F2EE                 .byte    0
.sdata2:8008F2EF                 .byte 0x43 ; C
.sdata2:8008F2F0                 .byte 0x43 ; C
.sdata2:8008F2F1                 .byte    1
.sdata2:8008F2F2                 .byte    2
.sdata2:8008F2F3                 .byte    0
.sdata2:8008F2F4                 .byte    1
.sdata2:8008F2F5                 .byte 0x43 ; C
.sdata2:8008F2F6                 .byte 0x43 ; C
.sdata2:8008F2F7                 .byte    2
.sdata2:8008F2F8                 .byte    2
.sdata2:8008F2F9                 .byte    2
.sdata2:8008F2FA                 .byte 0x43 ; C
.sdata2:8008F2FB                 .byte    0
.sdata2:8008F2FC                 .byte 0x40 ; @
.sdata2:8008F2FD                 .byte    0
.sdata2:8008F2FE                 .byte 0x43 ; C
.sdata2:8008F2FF                 .byte    0
.sdata2:8008F300                 .byte    0
.sdata2:8008F301                 .byte    0
.sdata2:8008F302                 .byte    0
.sdata2:8008F303                 .byte    0
.sdata2:8008F304                 .byte    0
.sdata2:8008F305                 .byte    0
.sdata2:8008F306                 .byte    1
.sdata2:8008F307                 .global Eeepdd_NumTocPages_cu8

as you see each service has an assigned property/lock byte and if this service is requested and not unlocked part of the response of the can message will contain the byte 0x43.

Now the ETK function that wakes up those services is already checking your immo status so unless it is completely disabled or matched i assume it will never meet the requirements for further protocol activation. So can bus will disregard your requests if a security access is not initially done successfully.Will post up more things i found in the next days.
Sr. Member

Karma: +26/-1
Offline Offline

Posts: 256

« Reply #3 on: March 22, 2019, 01:05:34 AM »

What can be done more with this CCP protocol compared to the standard KWP2000 commands?

Rgs H2Deetoo
Sr. Member

Karma: +60/-90
Offline Offline

Posts: 449

« Reply #4 on: March 22, 2019, 03:25:24 AM »

CCP is a (slow) development protocol that will allow you to tune the ecu ETK style using can bus.

There are plenty of protocol specifications and pdf documents out there with the latest 2.1 version.

Karma: +1/-1
Offline Offline

Posts: 5

« Reply #5 on: May 13, 2020, 01:50:48 PM »

Hi T  . Did you get it working on  ASAP demo ?

Just out of lockdown bordum ,  looking at med9  . Wonder if its possible to bypass the ccp  seed&key  on that .

Karma: +0/-0
Offline Offline

Posts: 9

« Reply #6 on: September 02, 2022, 01:38:20 PM »

Since that's THE topic on the internet regarding CCP/XCP:

I am looking for _any_ ECU+A2L file with XCP to sniff it on a bench. I am involved with rusEFI and the idea is to implement XCP in rusEFI, to do that quickly it looks like having a working bench setup is the best way forward. Would appreciate any keyworks like part numbers and A2L files Smiley
Hero Member

Karma: +1054/-443
Offline Offline

Posts: 5905

« Reply #7 on: September 02, 2022, 02:52:37 PM »

Why do you need to sniff anything? The specifications are public and available online.
Does your ECU already provide the full metadata in a2l format? If not, then you can start with that, because none of the OEM CCP supporting tools are going to do anything if you don't have full metadata.

Also, implementing CCP on any aftermarket tool is a waste of time on most ECU's.
This is because the gateway blocks it on 99%, and then you need to tap the PTCAN on every car.
Since it's closed anyway on 99% of production cars and you need a patch, then you might as well tap the routines in the ECU directly instead of going through CCP.
Which is what I did...

PM's will not be answered, so don't even try.
Log your car properly.
Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.053 seconds with 16 queries. (Pretty URLs adds 0.001s, 0q)