Topic: Codeword to ignore checksum  (Read 30038 times)
setzi62
« Reply #15 on: November 12, 2010, 02:42:25 AM »

Very good, then I might have a look again at this uVision Simulator, of course if I find
some spare time.

k0mpresd
« Reply #16 on: December 03, 2010, 01:51:16 PM »

Quote
Coding the ECU as test model is done in the EEPROM; you have to change some data values:
in pages 1 and 2 you will find 69, C1, and A5; replace these by 8E, 5A, and D2,
then update the checksums of both pages. I believe you (or other experienced users)
can manage this without more detailed instructions (and the noobs anyway shouldn't
do it).

I do not know what could be changed by setting to test model besides the following:
 - the data checksum results will be ignored by the ECU,
 - you can start a programming session even if the ECU is locked for some time after
   sending a wrong security key,
 - you can download data to the flash without ciphering and compressing.

On ME7.5 images, when you have started a programming session (85) and
are requesting ecuIdentification with param 9B, the last string you get has 5 characters.
If the last character of this string shows a '*', this indicates your ECU is coded as test model. I think this is not done for ME7.1 images.

Be aware: this results from code reading and simulations, not yet tested by me on real hardware.



wow. this is awesome info and exactly what i was looking for. well, kind of exactly what i was looking for. many many thanks for this!

prj
« Reply #17 on: September 20, 2012, 06:12:09 AM »

Thanks from me as well and +rep to setzi62.

I will test this today/tomorrow.

PM's will not be answered, so don't even try.
Log your car properly.
dream3R
« Reply #18 on: November 26, 2013, 06:53:52 AM »

Blast from the past but wanted to add that this is implemented in Volvo ME7 ECUs.

Quote
                        mov     [-r0], r8
seg023:E19A                 mov     [-r0], r7
seg023:E19C                 mov     [-r0], r6
seg023:E19E                 movb    rl4, CW_NOROMCHKRESET
seg023:E1A2                 cmpb    rl4, #55h ; 'U' ; If there is 0x55 here  skip checksum checks
seg023:E1A6                 jmpa    cc_Z, loc_DE3DA
seg023:E1AA                 movb    byte_300F2E, ZEROS
seg023:E1AE                 mov     r4, word_303D76
seg023:E1B2                 and     r4, #0DFFFh
seg023:E1B6                 or      r4, #4000h
seg023:E1BA                 mov     word_303D76, r4
seg023:E1BE                 mov     r7, r4
seg023:E1C0                 and     r7, #1800h
seg023:E1C4                 jmpr    cc_NZ, loc_DE1DC
seg023:E1C6                 movb    rl4, byte_303362
seg023:E1CA                 cmpb    rl4, sub_17800+1
seg023:E1CE                 jmpa    cc_NZ, loc_DE3E2
seg023:E1D2                 movb    rl5, byte_303366
seg023:E1D6                 cmpb    rl5, #1
seg023:E1D8                 jmpa    cc_Z, loc_DE3E2

How to work out values from an A2L

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting Rev's http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

noobs read this before asking http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORIGINAL finder of the 'extra torque' limits
I don't have ME7.01 A2L I just use ID
antoffka666
« Reply #19 on: July 27, 2018, 03:13:04 AM »

Hello, I changed the data in EEPROM (69, C1, and A5, replace these by 8E, 5A, and D2), flashed it in the ECU, and received a character (*) in the block description. After I flashed the file with the wrong checksum and after two launches the ECU stopped switching on.
I repaired my ECU with a flash backup of the EEPROM and firmware but did not understand what this manipulation gives.
I originally did this to get a working LC in 8E0909518F  0003_363670, but so far nothing has happened.

prj
« Reply #20 on: July 27, 2018, 03:29:29 AM »

Look on the forum in ME7.1.1 emulator thread, I described exactly how to turn everything off.
This only disables running checksums not startup sums.
antoffka666
« Reply #21 on: July 27, 2018, 04:21:47 AM »

Quote
Look on the forum in ME7.1.1 emulator thread, I described exactly how to turn everything off.
This only disables running checksums not startup sums.

I understood! Thank you!

antoffka666
« Reply #22 on: July 30, 2018, 11:00:10 PM »

I changed the data in EEPROM (69, C1, and A5, replace these by 8E, 5A, and D2) in 4B0906018DJ_366458 and changed variable 0x384FF0 to 386000. No errors (p0601 checksum error), 3 days the car works perfectly, LC works! Thank you!

360trev
« Reply #23 on: September 23, 2018, 12:30:19 PM »

Quote
seems like my last post was cut when hitting a German letter ...

In damos/a2l you can see that the codeword CW_NOROMCHKRESET is used only
in the function URROM which is named "EGAS Ueberwachungskonzept: ROM-Test"
(electronic power control supervision concept: ROM-test).

By patching the NOPs and setting the codeword to "55" you could skip the EGAS-checks,
but the data checksums which are calculated/checked when the flash system is running can
not be disabled using the codeword CW_NOROMCHKRESET.

I think the data checksums can be disabled by coding your ECU as test model in the EEPROM.

I know this is an ancient post but I've just been exploring a ROM file which was given to me which works no problem but had non-corrected checksums present. After a little analysis by comparing the ROM to the original firmware I discovered:

---------------------------------------------
0x000668b8 (  420024): cc -> ea               jmpa    cc_Z,jmp +244          CW_NOROMCHKRESET Patch
0x000668b9 (  420025): 00 -> 20               
0x000668ba (  420026): cc -> ee               
0x000668bb (  420027): 00 -> 6a               

CC 00 is the machine code 'NOP' (No Operation, i.e. do nothing) and it was replaced with an
EA 20, which is a conditional jump relative based on the previous instruction, which does the CMP against 0x55 in hex... which is normally set to 0...

0x0001165a (   71258): 00 -> 55    CW_NOROMCHKRESET

Which surprise surprise they've set to 0x55 which means it always does the skip...

And then further to that they also set to 0x55 another CODEWORD,

0x00011b21 (   72481): 00 -> 55      CW_NOZYKLROMCHK - disable cyclic rom monitor checksums

I believe this is the one which the OP was interested in all along. I believe this disables the Multipoint Cyclic checksums from being checked by the rom monitor...

And all this was done on a very expensive car without the customer having any idea what they did... WTF! Why didn't they just re-calculate the checksums??!?!?! fine for R&D purposes but there is no way I would do this to anyone's personal car and leave it like that.
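
Added example (not part of the post above or of any tool mentioned in the thread): a small Python audit that compares a modified image with the stock one, prints each change in the same `offset (decimal): old -> new` layout as the listing in the post, and flags the two patterns described there, a NOP overwritten by a jump and a 00 byte set to 55. The 32-byte sample images and their offsets are constructed for illustration; the function names are hypothetical.

```python
NOP = bytes.fromhex("cc00")   # NOP encoding as given in the post
JMPA_OPCODE = 0xEA            # first byte of the patched-in jump, per the post
CODEWORD_ON = 0x55            # codeword value the compare tests for


def changed_runs(stock: bytes, modified: bytes):
    """Yield (offset, old, new) for each contiguous run of differing bytes."""
    if len(stock) != len(modified):
        raise ValueError("images must be the same size to compare offsets")
    start = None
    for i in range(len(stock) + 1):
        differs = i < len(stock) and stock[i] != modified[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            yield start, stock[start:i], modified[start:i]
            start = None


def classify(old: bytes, new: bytes) -> str:
    """Label a changed run with the bypass patterns described in the thread."""
    if old[:2] == NOP and new[0] == JMPA_OPCODE:
        return "NOP replaced by jump"
    if old == b"\x00" and new == bytes([CODEWORD_ON]):
        return "codeword byte set to 0x55"
    return "other change (data or checksum)"


def audit(stock: bytes, modified: bytes):
    """Print the byte diff in the post's layout; return [(offset, label)]."""
    findings = []
    for off, old, new in changed_runs(stock, modified):
        label = classify(old, new)
        for k, (a, b) in enumerate(zip(old, new)):
            print(f"0x{off + k:08x} ({off + k:8d}): {a:02x} -> {b:02x}   "
                  f"{label if k == 0 else ''}")
        findings.append((off, label))
    return findings


# Constructed sample images; offsets are illustrative, not from a real ROM.
STOCK = bytearray(32)
STOCK[8:12] = bytes.fromhex("cc00cc00")      # two NOPs after the compare
MODIFIED = bytearray(STOCK)
MODIFIED[8:12] = bytes.fromhex("ea20ee6a")   # byte values listed in the post
MODIFIED[20] = 0x55                          # codeword 00 -> 55
MODIFIED[28] = 0x12                          # unrelated data change

if __name__ == "__main__":
    audit(bytes(STOCK), bytes(MODIFIED))
```

A file that shows either of the first two labels had its integrity checks switched off rather than its checksums recalculated, which is the situation the post describes.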

