Pages: 1 2 [3]
Author Topic: Developing a Arduino Based version of ME7Logger  (Read 31015 times)
nyet
Administrator
Hero Member
*****

Karma: +607/-168
Offline Offline

Posts: 12270


WWW
« Reply #30 on: January 10, 2023, 11:04:43 AM »

Minor change in the Start Development Session:
    txBuf[0] = 0x03;  //Message Length
    txBuf[1] = 0x10;  //StartDiagnosticSession
    txBuf[2] = 0x86;  //Development Session
    txBuf[3] = 0x14;  //?? *Was 63

Changed Byte 4 to be 14, not 63 and it works!

as prj points out, this is an example of extremely poor coding practice potentially leading to more and more bugs.

The length and checksum should be added as part of a function that constructs a message, sets up a header, calculates checksum.
Logged

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
adam-
Hero Member
*****

Karma: +124/-33
Offline Offline

Posts: 2179


« Reply #31 on: January 10, 2023, 11:15:51 AM »

It's not a full extract of the code, the checksum is sent last (not in that above).
Logged
prj
Hero Member
*****

Karma: +1072/-481
Offline Offline

Posts: 6035


« Reply #32 on: January 10, 2023, 11:30:03 AM »

Might be a good idea to post full info then.
I guess you want to change the baud rate.

But I mean if you just want the standard 10400 speed, then you can omit it.
« Last Edit: January 10, 2023, 11:35:18 AM by prj » Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
adam-
Hero Member
*****

Karma: +124/-33
Offline Offline

Posts: 2179


« Reply #33 on: January 10, 2023, 02:03:30 PM »

Sorry, would have been clearer for all.  Was just in the excitement!  I'll read that doc though, seems very good!  Thanks as per.
Logged
adam-
Hero Member
*****

Karma: +124/-33
Offline Offline

Posts: 2179


« Reply #34 on: January 17, 2023, 02:23:47 PM »

This works fine for ME7.5 but not for ME7.1 (MK4 VR6).  Not even sure where to begin tbh.
Logged
prj
Hero Member
*****

Karma: +1072/-481
Offline Offline

Posts: 6035


« Reply #35 on: January 17, 2023, 04:14:54 PM »

This works fine for ME7.5 but not for ME7.1 (MK4 VR6).  Not even sure where to begin tbh.
Because it's a braindead copy of ME7Logger's handler.
But ME7Logger's handler is bootrom specific. But of course only one ECU was sniffed and then the result copypasted.

If you want a proper solution, you can use my handler:
https://github.com/prj/me7log
But you will need to either disassemble every bootrom or you will need smart heuristics to detect variable locations just using the $23 service and fill the handler info (this is what I did).

If you don't care super much about CPU load just use APR's exploit, it's same for every ECU.
But yeah, you're gonna have to use some braincells and understand what you are doing, and not just ctrl+c ctrl+v a ME7Logger sniff lol.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
R32Dude
Full Member
***

Karma: +45/-10
Offline Offline

Posts: 248



« Reply #36 on: January 18, 2023, 06:54:24 AM »

This works fine for ME7.5 but not for ME7.1 (MK4 VR6).  Not even sure where to begin tbh.
One step ,or should I say command , at a time.
Work on keeping connection alive number 1, then see what commands are rejected.Do the ARP hack before you attempt he one prj mentions.
Took me many months, mind you I'm a brick layer not a programmer(, or is it coder these days)?
Logged
prj
Hero Member
*****

Karma: +1072/-481
Offline Offline

Posts: 6035


« Reply #37 on: January 18, 2023, 07:01:18 AM »

One step ,or should I say command , at a time.
Work on keeping connection alive number 1, then see what commands are rejected.Do the ARP hack before you attempt he one prj mentions.
Took me many months, mind you I'm a brick layer not a programmer(, or is it coder these days)?
You are giving the author too much credit.
They have no idea what they are doing. They simply sniffed what ME7Logger was doing and then sent exact the same data to the ECU.

As I said before, this is bootrom specific. So if you want to replicate it on just one bootrom, you can do it like that, but otherwise you're gonna have to understand what is going on.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
adam-
Hero Member
*****

Karma: +124/-33
Offline Offline

Posts: 2179


« Reply #38 on: January 20, 2023, 12:19:00 PM »

Okay so real progress, got ReadByMemoryAddress working absolutely fine.  Assuming it needs authentication (works with an ECU on the bench with immo off, not on), got it filling 8 vars (for the 8 lines on FIS).

Made up 5 'cards' with individual variables for each one.  Got it cycling through the cards and getting a response for each variable. 

The DDLI is a bit over my head but at this stage I don't need it for FIS, it's not fast enough and it's a gimick more than required to have 50 vars at any one time. 

PRJ is right, if you read the doc the process is easy(ish) to understand.
Logged
adam-
Hero Member
*****

Karma: +124/-33
Offline Offline

Posts: 2179


« Reply #39 on: January 26, 2023, 12:06:20 AM »

ME7.5 doesn't seem to require Security Access for ReadMemoryByAddress and will read fine.  ME7.1.1 does?  You can see it in the ME7Logger trace too: it tries for a diagnostic session and gets 7F so then attempts to get Security Access (0x27 0x01) and is successful, then it retries a diagnostic session and is successful.

Since I'm not needing to write, does Security Access Level 2/3 work?  So it'll be 0x27 0x03 which gives me a seed.  I add 0x00011170 to it? (is this right?) then pass it back as 0x27 0x04 xx xx xx xx CS.

This fails.  I'll take a trace and check to see I'm writing the correct key back but is the addition correct?  How do you determine it?  MK4 VR6.
Logged
R32Dude
Full Member
***

Karma: +45/-10
Offline Offline

Posts: 248



« Reply #40 on: January 28, 2023, 06:51:46 AM »

ME7.5 doesn't seem to require Security Access for ReadMemoryByAddress and will read fine.  ME7.1.1 does?  You can see it in the ME7Logger trace too: it tries for a diagnostic session and gets 7F so then attempts to get Security Access (0x27 0x01) and is successful, then it retries a diagnostic session and is successful.

Since I'm not needing to write, does Security Access Level 2/3 work?  So it'll be 0x27 0x03 which gives me a seed.  I add 0x00011170 to it? (is this right?) then pass it back as 0x27 0x04 xx xx xx xx CS.

This fails.  I'll take a trace and check to see I'm writing the correct key back but is the addition correct?  How do you determine it?  MK4 VR6.

The defunct minimal linux logger has the code for level x01.
You may need to decompile to get the algo for x03.
« Last Edit: January 28, 2023, 06:58:15 AM by R32Dude » Logged
prj
Hero Member
*****

Karma: +1072/-481
Offline Offline

Posts: 6035


« Reply #41 on: January 29, 2023, 05:12:34 PM »

The defunct minimal linux logger has the code for level x01.
You may need to decompile to get the algo for x03.
What is on github does not.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
prj
Hero Member
*****

Karma: +1072/-481
Offline Offline

Posts: 6035


« Reply #42 on: January 29, 2023, 05:24:21 PM »

https://github.com/NefMoto/NefMotoOpenSource/blob/e084bbee922b935f73e23497c3ab336f657ae7c5/Communication/KWP2000Actions.cs
Have fun.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
Pages: 1 2 [3]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.022 seconds with 16 queries. (Pretty URLs adds 0s, 0q)