I don`t think it is hard to do this.
I have mine done on uds ones. Either you patch cboot after the exploit or you look at the function that has to do with CB data and writes on eeprom. Counters are fairly easy to find in eeprom or virtual eeprom in ram once you have a way to read ram.Usually near vin,
Thank you, I will look to dump the ram and look around the vin. I have looked into the MED17 UDS shared source code and found this function:
/**
***************************************************************************************************
* The data in buffer should not be changed in this time.
* Data in EEPRAM will be updated too. (But only if the considered block is mirrored in EEPRAM.)
* \param xBlkIdx_u16 Index of the block
* \param xOfs_u16 Offset between the first byte of the block and the first byte of the
* data element
* \param numBytes_u16 Number of data bytes
* \param xWrBuf_p Pointer to starting address of a write buffer
* \param stOrder_pu8 Pointer to order status information
* This parameter is used to get status feedback from the order queue.
* Do not use the same order status parameter several times, please wait
* until an accepted order is processed successfully or aborted with a
* warning or error.
***************************************************************************************************
*/
uint8 Eep_Write(uint16 xBlkIdx_u16, uint16 xOfs_u16, uint16 numBytes_u16,
void* xWrBuf_p, uint8* stOrder_pu8)
I found that function in IDA and I believe I also found the index of the CBData block. I will do more tests this week and see if it writes the eeprom properly
Don`t forget the hidden one
which is before the others
Hidden counter?
Would the counters be AttemptNo, SucceedNo and CBEraseCounter?
