Topic: Blocking Read Mode (unless in boot mode) - ME 7.1 ME7.1.1 Question
bamofo
Is there a write-up I'm not able to find on how to modify the EEPROM/ROM to make it so Galletto can't read the ROM off the car without going into bootmode? I realize it's extra work, but if there are posts that talk about how to do it I couldn't find them... Any help would be great and I'll figure out the rest. Thanks!

rogerius
« Reply #1 on: October 17, 2019, 06:57:37 AM »

> Is there a write-up I'm not able to find on how to modify the EEPROM/ROM to make it so Galletto can't read the ROM off the car without going into bootmode? I realize it's extra work, but if there are posts that talk about how to do it I couldn't find them... Any help would be great and I'll figure out the rest. Thanks!

Maybe post #14 in this thread is what you want?
http://nefariousmotorsports.com/forum/index.php?topic=7402.msg68438;topicseen#msg68438

bamofo
« Reply #2 on: October 17, 2019, 08:07:40 AM »

I will try this right now. Also, what about changing what the OBD Port sees at the Flash Method from Galletto?

bamofo
« Reply #3 on: October 17, 2019, 08:31:31 AM »


Not what I was looking for. But may be useful for logging or something else. If someone wants to PM me with the information because they don't want it shared here, that's fine too... just looking for information on it.
« Last Edit: October 17, 2019, 08:38:54 AM by bamofo »

nyet
« Reply #4 on: October 17, 2019, 09:27:08 AM »

Waste of time, IMO. If somebody wants your code, they'll bootmode it anyway.

In my experience there isn't much anybody has done that is worth protecting (including "pro" tuners).

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex

bamofo
« Reply #5 on: October 17, 2019, 09:33:48 AM »

> Waste of time, IMO. If somebody wants your code, they'll bootmode it anyway.
>
> In my experience there isn't much anybody has done that is worth protecting (including "pro" tuners).

Just looking for advice on how to change it so Galletto sees a 400BT setting instead of an 800BT, which will just cause it to fail anyway. Yes, I realize bootmode will scrape it off, but that's a PITA and if they put that much effort into it then fine. Trying to make sure I don't make it as easy as "here is a Galletto cable, just read the ROM and send it to me, I'll figure out what they did". If you have insight that would be great. If not, that's fine too. Looks like Tony wrote about it a bit but I haven't figured out where that is...

BlackT
« Reply #6 on: October 17, 2019, 11:22:25 AM »

> Waste of time, IMO. If somebody wants your code, they'll bootmode it anyway.
>
> In my experience there isn't much anybody has done that is worth protecting (including "pro" tuners).

Is it possible to read every tune with boot mode (of course, if there is an original 29F800BB)?
My friend has a tuned car; I only need to read that tune and add 6th gear for cruise control. Is there any chance of bricking the ECU while reading, if there is some protection in flash?

bamofo
« Reply #7 on: October 17, 2019, 11:28:40 AM »

> Is it possible to read every tune with boot mode (of course, if there is an original 29F800BB)?
> My friend has a tuned car; I only need to read that tune and add 6th gear for cruise control. Is there any chance of bricking the ECU while reading, if there is some protection in flash?

Not in boot mode. I'm just talking about OBDII with no boot mode. I see you can change seed keys on 9.1, but in 7.1.1 I can't figure out how to change what is relayed to the software that says memory layout X vs Y. Trying though...

prj
« Reply #8 on: October 18, 2019, 03:15:47 AM »

The check is done via requestupload and trying to read a higher address.
MPPS uses dynadefine.

If you want to block reading you need to block requestUpload, dynamicallyDefineLocalIdentifier and readMemoryByAddress.
Otherwise it's still possible to read everything.

This will also block ME7Logger.

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
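
The three services named in the reply above, as an added example (not part of the original post and not code from any ECU): a C model of a request filter that answers requestUpload, dynamicallyDefineLocalIdentifier and readMemoryByAddress with a negative response and lets every other service through. It assumes ISO 14230-2 K-line framing; the function names, the choice of the serviceNotSupported response code and the sample frame are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* KWP2000 (ISO 14230-3) IDs of the three services named in the post. */
enum { SID_READ_MEM_BY_ADDR = 0x23, SID_DYN_DEFINE_LOCAL_ID = 0x2C,
       SID_REQUEST_UPLOAD = 0x35, SID_NEGATIVE = 0x7F,
       RC_SERVICE_NOT_SUPPORTED = 0x11 };

/* 1 if the service lets a tester pull memory contents over the diagnostic link. */
int is_memory_read_service(uint8_t sid)
{
    return sid == SID_READ_MEM_BY_ADDR || sid == SID_DYN_DEFINE_LOCAL_ID ||
           sid == SID_REQUEST_UPLOAD;
}

/* Find the data field of an ISO 14230-2 frame: Fmt [Tgt Src] [Len] data CS.
   Returns the offset of the SID, or -1 on a length or checksum error. */
int kwp_data_offset(const uint8_t *f, size_t n)
{
    if (n < 3) return -1;
    size_t off = 1 + ((f[0] & 0x80) ? 2 : 0);   /* bit 7: Tgt and Src follow */
    size_t len = f[0] & 0x3F;                   /* 0 = length in its own byte */
    if (len == 0) { if (off >= n) return -1; len = f[off++]; }
    if (len == 0 || off + len + 1 != n) return -1;
    uint8_t sum = 0;
    for (size_t i = 0; i + 1 < n; i++) sum = (uint8_t)(sum + f[i]);
    return sum == f[n - 1] ? (int)off : -1;
}

/* 0 = pass on, 1 = rejected (resp = negative response data), -1 = bad frame. */
int filter_request(const uint8_t *frame, size_t n, uint8_t resp[3])
{
    int off = kwp_data_offset(frame, n);
    if (off < 0) return -1;
    if (!is_memory_read_service(frame[off])) return 0;
    resp[0] = SID_NEGATIVE; resp[1] = frame[off]; resp[2] = RC_SERVICE_NOT_SUPPORTED;
    return 1;
}

int main(void)
{
    /* Constructed sample: readMemoryByAddress request, tester 0xF1 to ECU 0x10. */
    const uint8_t rd[] = { 0x85, 0x10, 0xF1, 0x23, 0x00, 0x80, 0x00, 0x10, 0x39 };
    uint8_t resp[3] = { 0 };
    int verdict = filter_request(rd, sizeof rd, resp);
    printf("verdict=%d resp=%02X %02X %02X\n", verdict, resp[0], resp[1], resp[2]);
    return 0;
}
```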

fluke9
« Reply #9 on: October 18, 2019, 03:27:56 AM »

> Waste of time, IMO. If somebody wants your code, they'll bootmode it anyway.
>
> In my experience there isn't much anybody has done that is worth protecting (including "pro" tuners).

For non-hybrids there are flash replacement daughterboards which have some logic on reads.
They are more or less intelligent:
One I have come across ages ago just detects if too many addresses are read in a sequential fashion and starts to return crap;
it can be defeated by writing bootmode code which reads addresses pseudo-randomly.

Others know some more patterns or even check and are harder to defeat.

nyet
« Reply #10 on: October 18, 2019, 08:44:58 AM »

> For non-hybrids there are flash replacement daughterboards which have some logic on reads.
> They are more or less intelligent:
> One I have come across ages ago just detects if too many addresses are read in a sequential fashion and starts to return crap;
> it can be defeated by writing bootmode code which reads addresses pseudo-randomly.
>
> Others know some more patterns or even check and are harder to defeat.

The simple daughterboards (w/o active logic on them) just rearrange address/data lines.

In any case, at this point they're laughably naive; nobody is doing anything that smart that requires protection. And if they are doing something that smart, they don't need our help with disabling OBD reads; rest assured that is a trivial thing for them to do themselves.

fluke9
« Reply #11 on: October 18, 2019, 11:34:24 AM »

> The simple daughterboards (w/o active logic on them) just rearrange address/data lines.

Seen those,
but also have seen one which had a CPLD or FPGA (number was scrubbed off) which really checked that you are not reading x times incrementing the address.
But that was not an ECU which I wanted to dump for RE purposes.

Nevertheless, there are always ways to see what the CPU sees.
 

bamofo
« Reply #12 on: October 18, 2019, 01:46:26 PM »

> The check is done via requestupload and trying to read a higher address.
> MPPS uses dynadefine.
>
> If you want to block reading you need to block requestUpload, dynamicallyDefineLocalIdentifier and readMemoryByAddress.
> Otherwise it's still possible to read everything.
>
> This will also block ME7Logger.

PRJ, I saw you post this on another thread I was trying to re-find to ping you about. How do I go about finding these request calls in the ROM... is there something you can point me to that will help get me over the hump? Or the IDs, I have many of them for the ROM I'm working on now.

I have a ROM that changes the reading tools to think it's a different chip type and that blocks MPPS / Galletto / and ME7Logger never worked for me on ST10 ROMs. I'm not looking exactly for a handout... if you want to help me on the side I would pay you if needed. But I'm guessing I need to use IDA and break down this ROM to find the request upload / download and the other portions you're talking about. Back to what nyet said, at that point IDK if I even want to do it...

Rambling so I will stop.

Any help is great, but I understand if the thread goes nowhere as well. :)

prj
« Reply #13 on: October 18, 2019, 01:55:08 PM »

Not interested in reversing OBD protocols on 20 year old ECUs really... have more productive things to do.
I told you the services that need blocking, get the KWP2000 specs and have at it :P