Author Topic: The Volvo ME7 thread:  (Read 1064888 times)
rlinewiz
« Reply #1770 on: October 31, 2022, 05:40:50 AM »

my car is 50GMHJ (30743144AA if that matters at all), I will attempt to flash a 50GPHJ in the next day or two and report my findings

vollmer, i kinda want to buy you a coffee and pick your brain lol, great idea integrating CEM functions, I'll definitely work towards that goal. already found the cem-cracking source in the repository, super helpful

2005 S60R M66-Swapped // Self-tuned @ 22psi
[[forever coding for the OpenMoose project]]
s60rawr
« Reply #1771 on: October 31, 2022, 11:05:49 AM »

0 - manual
1 - auto
For both 50GPHJ and 50WRHJ versions addr is 0x18029.


ty



There is a free flash suite in progress

-Karma Sponge
dikidera
« Reply #1772 on: November 01, 2022, 09:03:42 AM »

Looking at the hilton code and other tools, there is a periodic message sent over the CAN bus to notify the CEM or ECM perhaps that a tool is present/attached. I am still reading the code, thank god for .NET decompilation. VDASH have obfuscated their code, but in the end, it doesn't even matter.

My issue if it is an issue is that on the bench, the ECM is sending the same changing sequence over CAN and is not replying to my CAN messages. Of course the CAN bus has many protocols layered on top and is a shitshow and maybe I am not passing the correct data.
Mach1
« Reply #1773 on: November 01, 2022, 09:18:49 AM »

> Looking at the hilton code and other tools, there is a periodic message sent over the CAN bus to notify the CEM or ECM perhaps that a tool is present/attached. I am still reading the code, thank god for .NET decompilation. VDASH have obfuscated their code, but in the end, it doesn't even matter.
>
> My issue if it is an issue is that on the bench, the ECM is sending the same changing sequence over CAN and is not replying to my CAN messages. Of course the CAN bus has many protocols layered on top and is a shitshow and maybe I am not passing the correct data.

https://hiltontuning.com/wp-content/uploads/2014/09/VolcanoResearchPaperWeb.pdf

Keep-alive message?

7 bytes
84 40 13 b2 f0 03 7c
every 5 seconds, otherwise it closes
rlinewiz
« Reply #1774 on: November 01, 2022, 11:49:45 AM »

> Looking at the hilton code and other tools, there is a periodic message sent over the CAN bus to notify the CEM or ECM perhaps that a tool is present/attached. I am still reading the code, thank god for .NET decompilation. VDASH have obfuscated their code, but in the end, it doesn't even matter.
>
> My issue if it is an issue is that on the bench, the ECM is sending the same changing sequence over CAN and is not replying to my CAN messages. Of course the CAN bus has many protocols layered on top and is a shitshow and maybe I am not passing the correct data.

yeah screw all that, use dicedotnet.dll, it contains literally everything needed for flashing, logging, encrypting/decrypting... and its not obfuscated at all. all you need to do is write a simple wrapper program. the toolkit im writing will be using this dll, but i had to modify the code in a few places to correct hiltons' dumbassery. for example he hard coded a 240-second timeout on all message transmissions, so if you call say sendMsgReadResponse() and your interface isn't connected or if the key isn't in position II, the dll will hang for 240 seconds before reporting back to your app.

[edit] also want to mention that if using the dll for communication, the connect() function creates the two canbus connections, and also sets up the k-line and starts broadcasting the keep-alive for you, so you're free to just start sending commands and receiving data as you please
« Last Edit: November 01, 2022, 12:25:22 PM by rlinewiz » Logged

s60rawr
« Reply #1775 on: November 01, 2022, 12:07:04 PM »

> yeah screw all that, use dicedotnet.dll, it contains literally everything needed for flashing, logging, encrypting/decrypting... and its not obfuscated at all. all you need to do is write a simple wrapper program. the toolkit im writing will be using this dll, but i had to modify the code in a few places to correct hiltons' dumbassery. for example he hard coded a 240-second timeout on all message transmissions, so if you call say sendMsgReadResponse() and your interface isn't connected or if the key isn't in position II, the dll will hang for 240 seconds before reporting back to your app.


^^^^^^^^^^^^^^^^^ this
the dll has all the capabilities
just beyond my basic programming knowledge lol
dikidera
« Reply #1776 on: November 01, 2022, 12:50:12 PM »

> yeah screw all that, use dicedotnet.dll, it contains literally everything needed for flashing, logging, encrypting/decrypting... and its not obfuscated at all. all you need to do is write a simple wrapper program. the toolkit im writing will be using this dll, but i had to modify the code in a few places to correct hiltons' dumbassery. for example he hard coded a 240-second timeout on all message transmissions, so if you call say sendMsgReadResponse() and your interface isn't connected or if the key isn't in position II, the dll will hang for 240 seconds before reporting back to your app.
>
> [edit] also want to mention that if using the dll for communication, the connect() function creates the two canbus connections, and also sets up the k-line and starts broadcasting the keep-alive for you, so you're free to just start sending commands and receiving data as you please

Except, I am using an ARM-based RPI, so I am working with socketcan. I don't have any j2534/flashing tool.
dikidera
« Reply #1777 on: November 01, 2022, 01:05:30 PM »

> https://hiltontuning.com/wp-content/uploads/2014/09/VolcanoResearchPaperWeb.pdf
>
> Keep-alive message?
>
> 7 bytes
> 84 40 13 b2 f0 03 7c
> every 5 seconds, otherwise it closes

Definitely not. The packets are sent every 80ms, and some every 16.


I still have not figured out why the ECM is broadcasting packets twice. In any case I am still reading, there's a lot of information to process on the protocols. I am also reading the ECU directly via the pins (aka bench mode).
« Last Edit: November 01, 2022, 01:07:38 PM by dikidera » Logged
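
The doubled frames and the "changing sequence" described in the post above can be measured from a saved capture. This is an added example, not code from the thread or from any tool it mentions: it parses candump-style text and reports, per CAN ID, exact back-to-back repeats and which payload byte offsets vary. The frames in SAMPLE are constructed, and parse_candump and summarize are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample in candump's default text layout (values are not from the thread).
SAMPLE = """\
  can0  00A00011   [8]  00 11 22 33 44 55 66 77
  can0  00A00011   [8]  00 11 22 33 44 55 66 77
  can0  00B00022   [8]  00 00 01 00 00 00 00 00
  can0  00B00022   [8]  00 00 01 00 00 00 00 00
  can0  00A00011   [8]  40 11 22 33 44 55 E6 77
  can0  00A00011   [8]  40 11 22 33 44 55 E6 77
  can0  00B00022   [8]  40 00 01 00 00 00 00 00
  can0  00C00033   [8]  05 00 80 00 AA AA 00 00
"""

LINE = re.compile(r"^\s*(\S+)\s+([0-9A-Fa-f]{3,8})\s+\[(\d+)\]\s*((?:[0-9A-Fa-f]{2}\s*)*)$")

def parse_candump(text):
    """Return [(iface, can_id, payload_bytes)], skipping malformed lines."""
    frames = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        data = bytes.fromhex(m.group(4))
        if len(data) != int(m.group(3)):   # declared length must match the byte count
            continue
        frames.append((m.group(1), int(m.group(2), 16), data))
    return frames

def summarize(frames):
    """Per CAN ID: frame count, back-to-back repeats, byte offsets that change."""
    stats = defaultdict(lambda: {"frames": 0, "repeats": 0, "changing": set(), "last": None})
    prev = None
    for iface, can_id, data in frames:
        s = stats[can_id]
        s["frames"] += 1
        if prev == (iface, can_id, data):
            s["repeats"] += 1              # identical to the frame directly before it
        elif s["last"] is not None and len(s["last"]) == len(data):
            s["changing"] |= {i for i, (a, b) in enumerate(zip(s["last"], data)) if a != b}
        s["last"] = data
        prev = (iface, can_id, data)
    return {cid: {"frames": s["frames"], "repeats": s["repeats"],
                  "changing": sorted(s["changing"])} for cid, s in stats.items()}

if __name__ == "__main__":
    for cid, s in summarize(parse_candump(SAMPLE)).items():
        print(f"{cid:08X} {s}")
```

An ID whose repeat count is about half its frame count is being seen twice per transmission, which points at the capture setup or bus wiring rather than at the payload; offsets that change on every new frame are candidates for counters or checksums.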
rlinewiz
« Reply #1778 on: November 01, 2022, 02:00:59 PM »

The keep-alive message is sent from the flashing software to the CEM over the K-Line to enable communication via the OBD port. If you are benching, this isn't needed at all. Depending on what you're doing you may need to broadcast a 'Test Tool Present' message: (tho im pretty sure this is also not needed for ECU)

Code:
D8 00 00 00 00 00 00 00

« Last Edit: November 01, 2022, 02:23:20 PM by rlinewiz » Logged

s60rawr
« Reply #1779 on: November 01, 2022, 04:10:02 PM »

> yeah screw all that, use dicedotnet.dll, it contains literally everything needed for flashing, logging, encrypting/decrypting... and its not obfuscated at all. all you need to do is write a simple wrapper program. the toolkit im writing will be using this dll, but i had to modify the code in a few places to correct hiltons' dumbassery. for example he hard coded a 240-second timeout on all message transmissions, so if you call say sendMsgReadResponse() and your interface isn't connected or if the key isn't in position II, the dll will hang for 240 seconds before reporting back to your app.
>
> [edit] also want to mention that if using the dll for communication, the connect() function creates the two canbus connections, and also sets up the k-line and starts broadcasting the keep-alive for you, so you're free to just start sending commands and receiving data as you please

incorporate the checksum before flashing :D
« Last Edit: November 01, 2022, 04:12:19 PM by s60rawr » Logged


rlinewiz
« Reply #1780 on: November 02, 2022, 06:03:24 AM »

I'm incorporating a BIN tool that lets you load up any bin, quickly see its version and other info, check and repair checksums, and quickly determine if the maps are stock or tuned

ps here are the locations for some of the GMHJ maps if anyone needs, many are exactly the same place as GPHJ but some are offset a bit
t6
« Reply #1781 on: November 02, 2022, 01:27:21 PM »

Hi, WRHJ software is 250 kbit CAN? fits s60r 2003, in mine it is
ĘT03 P2X B5254RT
ME 7.0.1 5XQG
SW: 30668178A
P24 / P26 0310
B5244T4 25RT
MAN AWD UE
50QGHJ.a2l
2003-06
CBQGTVD0
Dudde
« Reply #1782 on: November 02, 2022, 02:16:12 PM »

Can someone help confirm CWKONABG address 0x1801E? Volvo XC90 2.9 T6, 60LPHJ

SparkyR
« Reply #1783 on: November 02, 2022, 03:06:12 PM »

> I'm incorporating a BIN tool that lets you load up any bin, quickly see its version and other info, check and repair checksums, and quickly determine if the maps are stock or tuned
>
> ps here are the locations for some of the GMHJ maps if anyone needs, many are exactly the same place as GPHJ but some are offset a bit


I usually flash a 50GPHJ in an 05 auto car. This will cross flash no problem, as long as you are sure the bin is an auto.

2005 S60R m66, Xona Rotor 7864, turbosmart 45mm wastegate, id1700cc injectors
SparkyR
« Reply #1784 on: November 02, 2022, 03:08:33 PM »

> Hi, WRHJ software is 250 kbit CAN? fits s60r 2003, in mine it is
> ĘT03 P2X B5254RT
> ME 7.0.1 5XQG
> SW: 30668178A
> P24 / P26 0310
> B5244T4 25RT
> MAN AWD UE
> 50QGHJ.a2l
> 2003-06
> CBQGTVD0


50wrhj are found in 06-07 some manual and all auto cars. These are all 500kbit