Topic: KWP2000 Security Access
prj
« Reply #15 on: February 03, 2023, 12:11:51 PM »

Your ROM has completely standard services, just like every other one.
Doing SA2 normally places the ECU into the ROM service layer, and that indeed does not have support for any of those services.

So I think you need to do 03 instead of 01.
I have never looked at it in ME7, but on Bosch 01 is always SA2 for flashing in the later ECUs.

PM's will not be answered, so don't even try.
Log your car properly.
adam-
« Reply #16 on: February 03, 2023, 12:12:40 PM »

Okay, thank you for looking at that, it's appreciated.

I'm waiting on the timeout clearing and I'll try 03.  Will report back.
prj
« Reply #17 on: February 03, 2023, 12:47:02 PM »

Btw there is no need to do 10 86 14.
Just do 10 86, because you connect at 10400 every time anyway.

Baud rate list is published in the KWP2000 logging thread.
R32Dude
« Reply #18 on: February 03, 2023, 04:50:39 PM »

I've had no time to investigate it, but a kind soul suggested that the 3/4 algo might simply look for the string "SECURITY".
prj
« Reply #19 on: February 03, 2023, 06:39:57 PM »

That's the lv1 Algo and it's all there on GitHub in nef flasher code.
R32Dude
« Reply #20 on: February 05, 2023, 04:42:49 AM »

FR 9.1 translates 3/4 to:
"Security level 3/4 is used to switch to developer mode and also to replace the previous login (coding 2). The available range of values is halved for the applications."
KLOGIN and SLOGIN are mentioned in the same paragraph, I couldn't figure out what it was talking about.


prj
« Reply #21 on: February 05, 2023, 07:03:09 AM »

Applying MED9 logic to ME7 is a mistake.
But SLOGIN is the one on newer ECUs.

Although on MED9 RAM reading is just completely open via $2C, there is no need to use any security.
adam-
« Reply #22 on: February 08, 2023, 02:10:58 PM »

Struggling to get security access for level 3.

Bear with me here: I can't read the STOCK flash with Nef either.  Service not available.  Confirmed it is an ori but wondering if that's why the service is disabled.

It's not documented (that I can find here) on how to actually disable RequestUpload / Read, but is that a possibility? That I'm just not able to use RBMA because the stock file has it disabled?

If that is the case, how would you go about re-enabling it?
prj
« Reply #23 on: February 08, 2023, 04:42:10 PM »

The service is in the service table.
You need to be in a development session for RMBA.
adam-
« Reply #24 on: February 09, 2023, 12:44:45 PM »

I am unable to read the STOCK file (attached above) on the bench, but can write it fine.  Confirmed fully stock.  Was the same story with an R32 too: can write stock fine but cannot read: "RequestUpload may have been disabled by aftermarket engine software."

Found: "09 0A 0B 0C 0F" where I'd think you'd replace 0F with 00 to disable (but it's already enabled). 

I think this is why I'm unable to use the service RBMA.  How would it be disabled in flash, and how do I go about re-enabling it?
prj
« Reply #25 on: February 09, 2023, 02:02:28 PM »

Sigh.

Did you switch to development session successfully?
10 86?
R32Dude
« Reply #26 on: February 09, 2023, 04:47:43 PM »

Quote from: adam-
> I am unable to read the STOCK file (attached above) on the bench, but can write it fine.  Confirmed fully stock.  Was the same story with an R32 too: can write stock fine but cannot read: "RequestUpload may have been disabled by aftermarket engine software."
>
> Found: "09 0A 0B 0C 0F" where I'd think you'd replace 0F with 00 to disable (but it's already enabled).
>
> I think this is why I'm unable to use the service RBMA.  How would it be disabled in flash, and how do I go about re-enabling it?

Use bootmode with galletto on the bench to avoid trouble like that!

I spent 2 days looking at stock 7.1.1 code for a c166 and it looks like some service masks are applied to the tables depending on security level. So the RBMA is deflected to the service not available. I'm totally useless with assembler so what I said might not be correct. I also had a look at seed/key algos but had no idea of where the code goes for level 3/4 key check. Level 1 stands out like dog's balls because it has a few XOR commands and because I knew of it before I recognized it. The code is near checks for KLOGIN and many other logins (which is a bunch of numbers in the flash) which confused me even more.
Modding your flash might be the quickest way to go, but it will not be a universal logger if you do that.
The algo should be in the code I attached, hopefully your assembler skills are better than mine. Share if you decipher it!
adam-
« Reply #27 on: February 09, 2023, 06:33:33 PM »

Yes, I am able to get into developer mode. 10 86.
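
The message flow discussed in this thread (the 10 86 session switch, a 27 03 security access request, the lockout timer, and a rejected $23 read), decoded as an added example that is not part of any post or of the NefMoto code. The TX/RX line format, the function names and the trace itself are assumptions made for illustration; service and response-code names follow ISO 14230-3.

```python
# Added example: payloads are KWP2000 service bytes with header/checksum stripped.
SERVICES = {0x10: "startDiagnosticSession", 0x23: "readMemoryByAddress",
            0x27: "securityAccess", 0x2C: "dynamicallyDefineLocalIdentifier",
            0x35: "requestUpload"}
NRC = {0x11: "serviceNotSupported", 0x12: "subFunctionNotSupported",
       0x33: "securityAccessDenied", 0x35: "invalidKey",
       0x36: "exceedNumberOfAttempts", 0x37: "requiredTimeDelayNotExpired"}

def name(sid):
    return SERVICES.get(sid, f"service 0x{sid:02X}")

def decode(line):
    """Decode 'TX 27 03' style lines into (direction, kind, service, detail)."""
    direction, _, hexbytes = line.partition(" ")
    b = bytes.fromhex(hexbytes)
    if direction not in ("TX", "RX") or not b:
        raise ValueError(f"malformed trace line: {line!r}")
    if direction == "RX" and b[0] == 0x7F:           # negative: 7F <SID> <NRC>
        if len(b) < 3:
            raise ValueError("truncated negative response")
        return direction, "negative", name(b[1]), NRC.get(b[2], f"NRC 0x{b[2]:02X}")
    kind = "positive" if direction == "RX" else "request"
    sid = b[0] - 0x40 if direction == "RX" else b[0]  # positive reply = SID + 0x40
    detail = b[1:].hex(" ")
    if sid == 0x27 and len(b) > 1:                    # odd = requestSeed, even = sendKey
        odd = b[1] % 2 == 1
        detail = f"{'requestSeed' if odd else 'sendKey'} level {b[1] if odd else b[1] - 1}"
    elif sid == 0x10 and len(b) > 1:
        detail = f"session 0x{b[1]:02X}"
    return direction, kind, name(sid), detail

def audit(trace):
    """List security-relevant events: rejections, security access, memory reads."""
    findings, session = [], "no session"
    for line in trace:
        _, kind, svc, detail = decode(line)
        if svc == "startDiagnosticSession" and kind == "positive":
            session = detail
        elif kind == "negative":
            findings.append(f"{svc} rejected: {detail} ({session})")
        elif kind == "request" and svc in ("securityAccess", "readMemoryByAddress",
                                           "requestUpload"):
            findings.append(f"{svc} requested: {detail} ({session})")
    return findings

# Constructed trace (not captured from an ECU); the read address bytes are made up.
TRACE = ["TX 10 86", "RX 50 86", "TX 27 03", "RX 7F 27 37",
         "TX 23 38 00 00 10", "RX 7F 23 11"]
if __name__ == "__main__":
    print("\n".join(audit(TRACE)))
```

Reading the negative response code next to the active session separates a lockout timer (0x37) from a service that is masked out at the current level (0x11), the two failure modes the posts above run into.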
prj
« Reply #28 on: February 10, 2023, 03:11:58 PM »

Well, I don't have such an ECU, so can't tell you what's up, but in your dump $23 is deffo present.
Feel free to reverse it and see where it gets hung up on...
adam-
« Reply #29 on: February 10, 2023, 09:26:03 PM »

How much do you charge to help? :)