Pages: 1 2 3 [4] 5 6 ... 9
Author Topic: MED 17 , EDC 17 EEPROM CHECKSUM  (Read 103139 times)
jcsbanks
Full Member
***

Karma: +19/-3
Offline Offline

Posts: 146


« Reply #45 on: October 26, 2017, 09:20:21 AM »

I wrote back an EEPROM I had just read from MEVD17.2 (TC1797), but I added some data in dataflash bank 1 which was not being used at the time. It read back correctly in boot mode, then when the ECU was powered up normally it wiped the new data.

I will try it in dataflash bank 0.

I did not package the data with a block ID or checksums.
« Last Edit: October 26, 2017, 09:33:51 AM by jcsbanks » Logged
abedc17
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 8


« Reply #46 on: March 06, 2018, 05:45:09 AM »

Next update Smiley


Algorithm for CS1:
data from - 0x04
leight - 0x7C
CS calculated with Tricore internal CRC32 and low half word - CS1
Inicial value - block id


unsigned long crc_buffer(unsigned long crc, const unsigned long *p, unsigned long sz)
{
   const unsigned long poly = 0xEDB88320;
   unsigned long tmp1, tmp2;

   while(sz--)
   {
      tmp1 = 0;
      tmp2 = crc & poly;
      for(int i = 0; i <=31; i++ )
      tmp1 ^= ((tmp2 >> i) & 1);
      crc = *p++ ^ ((crc << 1) | tmp1) ;
   }
   return crc;
}





great job thankss
i converted this script to c# but i don't know how it works
can any one give an exemple to run this function ?

Example block (exemple of kolocar membre Wink ) :

36 00 F2 78 E2 09 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 6F 79 00 00 B1 6F 00 00 85 7C 88 7C

CS1 = F2 78
ID = 36 00
 what is the initial value for cs1
there are 3 varialbes in the crc_buffer function (crc, p, sz) ... wich one is initial value ?

please help
Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #47 on: March 08, 2018, 01:02:03 AM »

crc seems to be the initial value if you just look at the code.
p is the buffer with data
and sz is the size
Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #48 on: March 08, 2018, 03:28:25 AM »

check this:

CS1=2D81 -> OK

INIT = 00000009
LENGTH = 0000001F
DATA: 5D33AED29D521DB5173E61E41A896771D36CE10790AA89A6947F586FAA8001004C46563341323447304533303835353830328BC262C72A96C3A4F6D9BF3C7FA7BAFDF5E9F53724F7541B1B8D0B0000000000000000000000000000000000000000000000000000000000000000000000
Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #49 on: March 08, 2018, 07:06:09 AM »

Sorry I used wrong example. Here is the data for your example record:

INIT = 00000036
LENGTH = 0000001F
DATA: E20900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006F790000B16F0000857C887C
CS1=78F2 -> OK
Logged
abedc17
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 8


« Reply #50 on: March 08, 2018, 12:37:41 PM »

thank you very much .. it's work now ( in 32 bits)
i'm going to search for cs2 now  Cool
Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #51 on: March 08, 2018, 12:54:56 PM »

CS2 is documented by me several postings ago.
Logged
morfej
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 4


« Reply #52 on: July 05, 2018, 06:05:53 AM »

What about TC1793 that doesn't seems to use CS2. Blocks still looks to be same size, but no block ID is used.

Emulated eeprom is 192Kb in size.

At place where normally CS2 is, only something similar to CS1.


« Last Edit: July 05, 2018, 06:17:18 AM by morfej » Logged
vwphun
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 6


« Reply #53 on: July 09, 2018, 01:11:52 AM »

Very interesting topic, thank you "ozzy_rp and H2Deetoo" Grin. CS1 and CS2 are clear now. And what about crypted immo data block 0x08 0x09 0x0A? How are crypted CS, PIN, MAC in eeprom with data from flash OTP sector? VIN is visible in RAW data.
« Last Edit: July 10, 2018, 12:23:43 AM by vwphun » Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #54 on: July 09, 2018, 10:39:21 PM »

it is a simple XOR
Logged
vwphun
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 6


« Reply #55 on: July 10, 2018, 03:31:44 AM »

Thank you for confirmation. Can you give me a hint? I try some combination on known immodata (Block id 0x08) offset 0x08 - 0x1D (PIN, CS, MAC location?) from begin of block (EDC17cp14), but without success. Is crypt key located in flash arrea 0x17F00-0x17F7F? Thank you for your patience  Wink
« Last Edit: July 10, 2018, 03:38:03 AM by vwphun » Logged
kuebk
Jr. Member
**

Karma: +3/-0
Offline Offline

Posts: 47



« Reply #56 on: July 10, 2018, 03:45:07 AM »

Crypt key is located in OTP area but it's hashed multiple times to get final value for XOR.
Logged

VAG immo solutions (clone, immo off, repair) MEDC17, SIMOS, SDI, BCM2, ELV, DQ/DL/VL gearboxes, INVCON, MED9.x crypto
vwphun
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 6


« Reply #57 on: July 10, 2018, 04:22:53 AM »

Thank you for answer. Do you have an example? Algo is the same for every EDC17 family?
« Last Edit: July 10, 2018, 04:24:28 AM by vwphun » Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #58 on: July 10, 2018, 07:19:23 AM »

You can deduct the XOR with known values.
It is calculated from unique ID from EDC17 from OTP area, so the XOR result is unique for each EDC.
Logged
vwphun
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 6


« Reply #59 on: July 10, 2018, 09:47:13 AM »

Thank you. I know, that operands and XOR result is differnt for each ecu, but algo (adresses) same for family (f. e. EDC17CP14)? Unique ID is present twice consecutively (2 x 20bytes)? It!s needed dissasembled code of mcu for algo, or is simple and can get result with some combination (with known data as PIN, CS, MAC? How is organisation and order of immodata - 1) CS 6bytes, 2) PIN 2bytes, 3) MAC 4bytes? In attached img selected data are right?
« Last Edit: July 10, 2018, 10:16:17 AM by vwphun » Logged
Pages: 1 2 3 [4] 5 6 ... 9
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.046 seconds with 17 queries. (Pretty URLs adds 0.001s, 0q)