I have been trying to access ccp protocol with with asap2demo but due to incorrect/discarded seed.dll
asap2demo does not request a get seed command to unprotect daq so just right after that i get disconnected.


Log

57.472    ← 7C4    8    62    RES(OK)    FF 00 3E 81 00 00 1A 80    ..>.....
58.251    → 7C3    4    63    Connect    01 3F 01 AD    .?..
58.255    ← 7C4    8    63    RES(OK)    FF 00 3F 81 00 00 1A 80    ..?.....
58.255    → 7C3    2    64    GetSStatus    0D 40    .@
58.259    ← 7C4    8    64    RES(OK)    FF 00 40 00 00 00 1A 80    ..@.....
58.259    → 7C3    4    65    GetCCPVersion    1B 41 02 01    .A..
58.263    ← 7C4    8    65    RES(OK)    FF 00 41 02 01 00 1A 80    ..A.....
58.263    → 7C3    2    66    ExchangeID    17 42    .B
58.267    ← 7C4    8    66    RES(OK)    FF 00 42 04 02 43 43 80    ..B..CC.
58.267    → 7C3    3    67    Upload    04 43 04    .C.
58.271    ← 7C4    8    67    RES(OK)    FF 00 43 33 BB AA 55 80    ..C3..U.
58.271    → 7C3    3    68    SetSStatus    0C 44 81    .D.
58.275    ← 7C4    8    68    RES(OK)    FF 00 44 33 BB AA 55 80    ..D3..U.
58.275    → 7C3    2    69    GetActiveCALPage    09 45    .E
58.279    ← 7C4    8    69    RES(OK)    FF 00 45 00 00 00 1A 80    ..E.....
59.311    → 7C3    2    70    GetSStatus    0D 46    .F
59.315    ← 7C4    8    70    RES(OK)    FF 00 46 81 00 00 1A 80    ..F.....
......................
xx.466    → 7C3    6    62    Disconnect    07 3E 01 00 01 AD    .>....


Non of the leaked *.dll including the dummy ones are accepted by asap2demo so my only option if we need to continue using
that software is to unprotect by default daq.


And here is where Ccp_conf_cs comes into play....

The Exchange ID command is responded with:
FF 00 45 04 02 43 43 00

According to the CCP our edc17 supports PGM, DAQ and CAL and all of them require the unlock procedure (0x43) which starts with

ccp_Getseed and continues with ccp_unlock.

Now since we don`t even get into that procedure we need to have them by default unlocked and from my understanding the
ccp_conf_cs includes that information:

.asw_const:80049EB8                 .global Ccp_conf_cs
.asw_const:80049EB8 Ccp_conf_cs     .word DAQ_Descriptor    ; DATA XREF: Ccp_Sess_Proc_Ini+16↓o
.asw_const:80049EB8                                         ; Ccp_Sess_Proc_Ini+28↓o
.asw_const:80049EBC                 .word DAQ_List
.asw_const:80049EC0                 .word Event_List
.asw_const:80049EC4                 .word CCP_Service
.asw_const:80049EC8                 .word MPL_List
.asw_const:80049ECC                 .byte 0xC4
.asw_const:80049ECD                 .byte    7
.asw_const:80049ECE                 .byte    0
.asw_const:80049ECF                 .byte    0
.asw_const:80049ED0                 .byte 0x4A ; J
.asw_const:80049ED1                 .byte    0
.asw_const:80049ED2                 .byte 0x4B ; K
.asw_const:80049ED3                 .byte    0
.asw_const:80049ED4                 .byte    3
.asw_const:80049ED5                 .byte    0
.asw_const:80049ED6                 .byte    1
.asw_const:80049ED7                 .byte    1
.asw_const:80049ED8                 .byte 0x43 ; C    <----------------------needs ccp_unlock
.asw_const:80049ED9                 .byte 0x43 ; C    <----------------------needs ccp_unlock
.asw_const:80049EDA                 .byte    0
.asw_const:80049EDB                 .byte    0


Now my question is simple...Has anyone found which value is need to have by default unprotected daq?
From further code inspection i beleive it is 0x40... Are even those what is needed ?

Here is some useful info for those who do own an already ccp/xcp  activated medc17 ecu or those who are willing to try to activate such a function.I am still working on it as well and have walked my way through while getting closer and closer to have this functions working.

The services on some ecus are standing behind the security access 3/4 seedkey challenge algo however on some ecus the
ccp protocol once you activate development mode condition is responding for 4sec and then disconnects.

Now the easy part is to just force b_ecudev to active but this is not working on all ecus.There are also some codewords that require activation by definition with a certain value(Calwup_swtWakeupEnaCpl_C & Calwup_swtWakeupEna_C)

If you need to do this the right way you have to change the hardware number from Hxx to Yxx or Xxx(with or without etk probe) or hack the code to use H for development mode

If your calibration software provides seedkey.dll functionality but you also like to unlock ccp services by default then you need to find the mpl list and set the 0x43 to 0x00 to each function that is locked.

Here is a small example of my mpl list.

The CCP services are :

.sdata2:8008D8F0                 .word Ccp_DummyService
.sdata2:8008D8F4                 .word Ccp_Connect
.sdata2:8008D8F8                 .word Ccp_SetMTA
.sdata2:8008D8FC                 .word Ccp_Download
.sdata2:8008D900                 .word Ccp_Upload
.sdata2:8008D904                 .word Ccp_DummyService
.sdata2:8008D908                 .word Ccp_StartStop
.sdata2:8008D90C                 .word Ccp_Disconnect
.sdata2:8008D910                 .word Ccp_StartStopAll
.sdata2:8008D914                 .word Ccp_GetCalPage
.sdata2:8008D918                 .word Ccp_DummyService
.sdata2:8008D91C                 .word Ccp_DummyService
.sdata2:8008D920                 .word Ccp_SetSessStatus
.sdata2:8008D924                 .word Ccp_GetSessStatus
.sdata2:8008D928                 .word Ccp_BuildChecksum
.sdata2:8008D92C                 .word Ccp_ShortUpload
.sdata2:8008D930                 .word Ccp_DummyService
.sdata2:8008D934                 .word Ccp_SelectCalPage
.sdata2:8008D938                 .word Ccp_GetSeed
.sdata2:8008D93C                 .word Ccp_Unlock
.sdata2:8008D940                 .word Ccp_GetDaqSize
.sdata2:8008D944                 .word Ccp_SetDaqPtr
.sdata2:8008D948                 .word Ccp_WriteDaq
.sdata2:8008D94C                 .word Ccp_ExchangeId
.sdata2:8008D950                 .word Ccp_DummyService
.sdata2:8008D954                 .word Ccp_Move
.sdata2:8008D958                 .word Ccp_DummyService
.sdata2:8008D95C                 .word Ccp_GetVersion
.sdata2:8008D960                 .word Ccp_DummyService
.sdata2:8008D964                 .word Ccp_DummyService
.sdata2:8008D968                 .word Ccp_DummyService
.sdata2:8008D96C                 .word Ccp_DummyService
.sdata2:8008D970                 .word Ccp_DummyService
.sdata2:8008D974                 .word Ccp_DummyService
.sdata2:8008D978                 .word Ccp_DummyService
.sdata2:8008D97C                 .word Ccp_Download6



and the corresponding list to that services is :

.sdata2:8008F2E3 MPL_List        .byte    0              ; DATA XREF: .sdata2:8008D8D4↑o
.sdata2:8008F2E4                 .byte 0x43 ; C
.sdata2:8008F2E5                 .byte 0x43 ; C
.sdata2:8008F2E6                 .byte 0x43 ; C
.sdata2:8008F2E7                 .byte 0x43 ; C
.sdata2:8008F2E8                 .byte    0
.sdata2:8008F2E9                 .byte    2
.sdata2:8008F2EA                 .byte 0x43 ; C
.sdata2:8008F2EB                 .byte 0x43 ; C
.sdata2:8008F2EC                 .byte    1
.sdata2:8008F2ED                 .byte    0
.sdata2:8008F2EE                 .byte    0
.sdata2:8008F2EF                 .byte 0x43 ; C
.sdata2:8008F2F0                 .byte 0x43 ; C
.sdata2:8008F2F1                 .byte    1
.sdata2:8008F2F2                 .byte    2
.sdata2:8008F2F3                 .byte    0
.sdata2:8008F2F4                 .byte    1
.sdata2:8008F2F5                 .byte 0x43 ; C
.sdata2:8008F2F6                 .byte 0x43 ; C
.sdata2:8008F2F7                 .byte    2
.sdata2:8008F2F8                 .byte    2
.sdata2:8008F2F9                 .byte    2
.sdata2:8008F2FA                 .byte 0x43 ; C
.sdata2:8008F2FB                 .byte    0
.sdata2:8008F2FC                 .byte 0x40 ; @
.sdata2:8008F2FD                 .byte    0
.sdata2:8008F2FE                 .byte 0x43 ; C
.sdata2:8008F2FF                 .byte    0
.sdata2:8008F300                 .byte    0
.sdata2:8008F301                 .byte    0
.sdata2:8008F302                 .byte    0
.sdata2:8008F303                 .byte    0
.sdata2:8008F304                 .byte    0
.sdata2:8008F305                 .byte    0
.sdata2:8008F306                 .byte    1
.sdata2:8008F307                 .global Eeepdd_NumTocPages_cu8


as you see each service has an assigned property/lock byte and if this service is requested and not unlocked part of the response of the can message will contain the byte 0x43.

Now the ETK function that wakes up those services is already checking your immo status so unless it is completely disabled or matched i assume it will never meet the requirements for further protocol activation. So can bus will disregard your requests if a security access is not initially done successfully.Will post up more things i found in the next days.

CCP is a (slow) development protocol that will allow you to tune the ecu ETK style using can bus.

There are plenty of protocol specifications and pdf documents out there with the latest 2.1 version.

Since that's THE topic on the internet regarding CCP/XCP:

I am looking for _any_ ECU+A2L file with XCP to sniff it on a bench. I am involved with rusEFI and the idea is to implement XCP in rusEFI, to do that quickly it looks like having a working bench setup is the best way forward. Would appreciate any keyworks like part numbers and A2L files