Pages: [1]
Author Topic: Help with EDC15C2 checksum algorithm or disable  (Read 2005 times)
Julien.grf
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 5


« on: February 28, 2023, 04:06:22 AM »

Hi,
I'm currently working on switching from Ols to TunerPro with an eeprom emulator to live tune.
In order to, I have to find a way to manage Checksums:
First way, finding the algorithm of calculation and implement it in a .dll plugin for TunerPro
Or second, disable checksum.

For the first solution I have identified the checksum zone and associated checksum addresses. I try all the calculation method in TunerPro (sum, complement 1, complement 2) and others in HxD and none of them fit the one calculated with Ols.
I have hearded that EDC15 checksum are is calculated with bit shifting and factors but no more precise information ?

For the second solution I have the Irom disassemble in IDA Pro, if there is a way to completely disable checksum of the flash, that might be easier ?

I will post zone addresses and associated checksum addresses.

Attached my ori file

Waiting to hearing from you guys.

Thanks in advance
Logged
prj
Hero Member
*****

Karma: +1072/-485
Offline Offline

Posts: 6040


« Reply #1 on: February 28, 2023, 04:08:41 AM »

For emulation you have to disable it or ECU will randomly reset, because these checksums are calculated while ECU is running.
So if you update it, then it will still fail the current cycle.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
Julien.grf
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 5


« Reply #2 on: February 28, 2023, 04:26:59 AM »

Thanks for the answer.
So I have to find a way to disable it.
I've read that their are different things to change.
If I understand well, some values control the checksum at the start of the motor and others while the motor is running.

I've try this on my file:
1. Search for "47 F8 55 00 CC 00 CC 00" (1 match)
2. Search forward for "E6 F4 FF DF", notice the address, save the last 4 bytes (0x69E0A -> 9E0A)
3. Change "47 F8 55 00 CC 00 CC 00" to "47 F8 55 00 EA 00 0A 9E" (use the last 4 bytes loHi)

but "47 F8 55 00 CC 00 CC 00" doesn't exist in my file.

Will I have to modify the irom to disable it. Or it can be done in the flash directly?

« Last Edit: February 28, 2023, 04:32:02 AM by Julien.grf » Logged
prj
Hero Member
*****

Karma: +1072/-485
Offline Offline

Posts: 6040


« Reply #3 on: February 28, 2023, 05:41:55 AM »

This is for ME7, EDC15 is completely different.

There are no shortcuts, you will have to reverse the software, find the checksum routine and patch it.
Or live with the fact that every time you change something the ECU is going to reset.

Also the IROM is OTP on EDC15.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
Julien.grf
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 5


« Reply #4 on: February 28, 2023, 07:16:48 AM »

I have the irom disassemble in IDA. I've looked at it sometime ago in order to modify it for multimap purpose. For this, we have to patch a specific checksum in this part of the code (0x10000-0x13FFF range).
But is the checksums I need to patch are in the irom or in the Flash (and their I will have to disasemble the Flash ?)
Thanks for the help
Logged
prj
Hero Member
*****

Karma: +1072/-485
Offline Offline

Posts: 6040


« Reply #5 on: February 28, 2023, 07:51:12 AM »

I have the irom disassemble in IDA. I've looked at it sometime ago in order to modify it for multimap purpose. For this, we have to patch a specific checksum in this part of the code (0x10000-0x13FFF range).
But is the checksums I need to patch are in the irom or in the Flash (and their I will have to disasemble the Flash ?)
Thanks for the help

Might be a good idea to at least understand the memory layout.
This ECU only has internal ROM, which is 32kb in the processor.
And the rest is external flash, 29F400BT.

You can not change the internal ROM, it's OTP. Chances are you haven't even read it.

You can change everything in the extflash.
0x10000-0x13FFF does not even exist in the memory map. Load the file correctly first before you say even more silly things.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
Julien.grf
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 5


« Reply #6 on: February 28, 2023, 03:51:51 PM »

You'r right I'm sorry I messed up on the adresses. Cry

0x00000 -> 0x08000 is the internal Rom
08001 -> 7FFFE is the external flash
if I understand well

I got the Interal Rom from someone who read it with minimon.

I will read more about C167 datasheet and will be back with news hopefully

Thanks
Logged
prj
Hero Member
*****

Karma: +1072/-485
Offline Offline

Posts: 6040


« Reply #7 on: March 01, 2023, 01:45:43 AM »

/SND,  CODE1 $0 $7FFF
/SND,  CODE2 $80000 $EFFFF
/SND,  CODE3 $FC000 $FFFFF
/SND,  DATA1 $9000 $9FFF
/SND,  DATA2 $4C000 $4FFFF
/SND,  DATA3 $F0000 $FBFFF
/SND,  EXRAM1 $A000 $FFFF
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
Julien.grf
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 5


« Reply #8 on: March 08, 2023, 12:41:01 PM »

I've now a partially disassembled file.
0 -> 8000 IROM
and flash loaded at 80000

I've also disassembled a edc15p file, found the checksum function and the 4 jumps that have to be modified (easy with all the information on forums).

In edc15c2 here are the zones of checksums i've found (with some testing):

08000-0FFFF
10000-13FFF
14000-5FFFF
60000-60FFF
61000-6BCFF
70000-70FFF
71000-7BCFF
 
From what I've seen, previous checksums doesn't feed next ones like on edc15p. Am I right ?

I've found one checksum function in the Irom but is it the only one ? (it's only called 2 times in the flash that what bother me)
Logged
prj
Hero Member
*****

Karma: +1072/-485
Offline Offline

Posts: 6040


« Reply #9 on: March 09, 2023, 04:25:31 AM »

I don't think anyone here can answer those questions.
I am also not sure what validation you seek - test it and see the result.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.016 seconds with 15 queries. (Pretty URLs adds 0.001s, 0q)