Topic: Ford Reverse Engineering CAN BUS immo system
aqua_life

« on: December 09, 2020, 01:59:33 AM »

Hello,

I am trying to understand how communication between ECU and BCM works on Ford Focus 2016.
Engine ECU is MED17.2
Attached I send ECU eeprom file.
Basically I want to make Immo OFF; however, there is no solution on the internet and I have already tried many different things in software without success.
So, I think it's easier to understand communication between ECU and BCM and make a CAN bus emulator to allow engine start.
With a CAN bus data logger I was able to discover this:

Each time I turn ON ignition engine ECU sends CAN id 0x60.
Each time I turn OFF and ON ignition the bytes 2, 3, 4, 5, 6 are different.
Then engine ECU waits for BCM answer CAN id 0x1D0.
Each time I turn ignition ON engine ECU sends different message and BCM answers different message to allow engine start.
BCM CAN id 0x1D0 the bytes 4, 5, 6, 7, 8 are different for each ECU message.

Example 1:
Engine send CAN  0x60     00, 80, F4, 87, 62, 78, 00, 10
BCM answer CAN 0x1D0   A9, FF, FF, 83, DD, 20, C9, 4E

Example 2:
Engine send CAN  0x60     00, 68, 8C, 72, 85, 13, 00, 10
BCM answer CAN 0x1D0   A9, FF, FF, BA, 2C, A6, 82, 1E

Example 3:
Engine send CAN  0x60     00, 3D, C1, 1F, 73, 34, 00, 10
BCM answer CAN 0x1D0  A9, FF, FF, 8B, 6B, 7B, 5D, B0

I have many more examples but I am not able to find the algorithm to calculate this BCM code. Are you able to help?

Not sure if I am correct but I think this is the eeprom part that contains Immo data:

Thanks for your help
aqua_life

« Reply #1 on: December 09, 2020, 02:06:33 AM »

Just some more information...
I was able to make a CAN module to send this ECU message instead of the ECU.
And I check the BCM answer.
Just a curiosity. If engine sends 00 00 00 00 00 the BCM does not answer :)
If engine sends other messages BCM answers correctly.
Engine message   -   BCM answer
00 00 00 00 01    -   38 51 B0 DE 9B
00 00 00 00 02    -   EA 1D D8 80 51
00 00 00 00 03    -   7B 11 81 C7 94
00 00 00 00 04    -   32 CA 67 71 69

Thanks for your help
H2Deetoo

« Reply #2 on: December 10, 2020, 01:29:54 AM »

It is very hard to determine an algo by looking at examples.
I suggest you disasm a part of the ecu firmware and find the appropriate routines. There is the algo ...


Rgs H2Deetoo
gremlin

« Reply #3 on: December 10, 2020, 11:47:44 AM »

> I have many more examples but I am not able to find the algorithm to calculate this BCM code. Are you able to help?

Download complete dump of ECU flash memory.
Maybe then someone can give a hint.
aqua_life

« Reply #4 on: December 11, 2020, 04:39:54 AM »

Thanks for your help.
Attached I send you the flash file of the ECU.
If someone wants to try any Immo OFF I can test on the car.
And if someone can try to find Immo Algorithm / routines.