Pages: [1]
Author Topic: Kess Flash Sniffing Suggestions  (Read 13968 times)
bluelighttube
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 9


« on: December 06, 2022, 03:01:24 PM »

Does anyone have suggestions for sniffing a Kess KWP protocol flash on CAN high/low wires?

Normally, I plug a k+dcan cable into a Y splitter cable and listen live with putty or some other serial logger.

However with the Kess, when I plug my K+dcan cable in the OBD Y splitter, there is packet loss whether i'm listening live or not. It shows as either unable to identify ECU or or it identifies it with bad data ie VIN and HW ID appear truncated. The sniffed data is accurate up until the failure too.

I have both a genuine and non kess both of which behave the same in this scenario.
Logged
cherry
Sr. Member
****

Karma: +26/-2
Offline Offline

Posts: 260


« Reply #1 on: December 06, 2022, 03:52:02 PM »

Look into datasheet from your transceiver and mute it. You need to connect a pin. Not all support this, maybe you need to use a compatible one, and maybe lift pin.
Logged
bluelighttube
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 9


« Reply #2 on: December 07, 2022, 08:57:26 AM »

Look into datasheet from your transceiver and mute it. You need to connect a pin. Not all support this, maybe you need to use a compatible one, and maybe lift pin.
I am open to hardware suggestions as well.
Logged
cherry
Sr. Member
****

Karma: +26/-2
Offline Offline

Posts: 260


« Reply #3 on: December 07, 2022, 03:08:33 PM »

Did you open your interface, check transceiver and read in datasheet how to mute it?
Logged
bluelighttube
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 9


« Reply #4 on: December 07, 2022, 03:11:36 PM »

Did you open your interface, check transceiver and read in datasheet how to mute it?
It is a ft232RL and could not find anything relating to muting in the datasheet.
Logged
bluelighttube
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 9


« Reply #5 on: December 16, 2022, 08:25:52 AM »

Did you open your interface, check transceiver and read in datasheet how to mute it?
So I found it is a mcp2515. The top was not easily legible.

The datasheet states "The Listen-only mode is activated by setting the mode request bits in the CANCTRL register"

Would this have to be in the program that's on the atmega162 operating the whole device? I have not interfaced with a transciever like this.

https://www.sparkfun.com/datasheets/DevTools/Arduino/MCP2515.pdf
Logged
cherry
Sr. Member
****

Karma: +26/-2
Offline Offline

Posts: 260


« Reply #6 on: December 16, 2022, 09:36:42 AM »

Take a look for another cable with SOIC8 inside. If it´s MPC2551 inside replace it with a TJA1050, then you can mute it by connection.
Logged
IamwhoIam
Hero Member
*****

Karma: +52/-114
Offline Offline

Posts: 1070


« Reply #7 on: December 16, 2022, 09:39:59 AM »

What sort of top secret super dooper protocol are you trying to sniff from a Kess of all things?
Logged

I have no logs because I have a boost gauge (makes things easier)
bluelighttube
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 9


« Reply #8 on: December 16, 2022, 10:56:32 AM »

Take a look for another cable with SOIC8 inside. If it´s MPC2551 inside replace it with a TJA1050, then you can mute it by connection.
Thanks this worked to a point where the communication with KESS is not disrupted. However, it seems i'm only sniffing maybe 5% of the traffic (but are clean packets logged)
Logged
nihalot
Full Member
***

Karma: +41/-3
Offline Offline

Posts: 117


« Reply #9 on: April 20, 2023, 11:16:09 AM »

Kess switches baud rates after initial loader is sent to the ecu in boot/bench protocols

Usually init is at 100kBit/s and switched to 500/1000kBit/s
This varies from ecu to ecu but you can use something like PCAN and write scripts to change baud automatically
Logged

www.tangentmotorsport.com

multimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15

contact for reverse engineering services of any ECU/TCU
K2d33
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 7


« Reply #10 on: April 09, 2024, 01:26:02 AM »

Kess switches baud rates after initial loader is sent to the ecu in boot/bench protocols

Usually init is at 100kBit/s and switched to 500/1000kBit/s
This varies from ecu to ecu but you can use something like PCAN and write scripts to change baud automatically
Or simply use another kind of logging devices... such as Salae or Kingst Logic analyzer to log "start communication" - and your tool enabled with delay to grab another data ;-)
Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.019 seconds with 16 queries. (Pretty URLs adds 0s, 0q)