Pages: 1 2 [3] 4 5 ... 9
Author Topic: How to prepare a spare MED9.1 ECU?  (Read 126738 times)
matchew
Hero Member
*****

Karma: +47/-22
Offline Offline

Posts: 503


« Reply #30 on: February 09, 2014, 08:43:10 PM »

I guarantee no other person that posts on this forum can turn the immo off by altering the eeprom contents only, which means that they don't understand how it works and uses the copy and paste method.
Logged
ddillenger
Hero Member
*****

Karma: +641/-21
Offline Offline

Posts: 5640


« Reply #31 on: February 09, 2014, 08:52:34 PM »

I see your guarentee, and raise you Rarak.

I am a copy/paster fwiw.
Logged

Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience!

Email/Google chat:
DDillenger84(at)gmail(dot)com

Email>PM
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« Reply #32 on: February 10, 2014, 01:51:23 AM »

Hi all,

Looks like it was a productive weekend Smiley

I made some progress myself.

I soldered the spring loaded pogo pins to the PCB. If you have a look at the photo, what I’ve done is use a few pieces of veroboard to hold the pins straight and parallel whilst I soldered them. I didn’t solder the pins to the veroboard, the veroboard has regular holes at a pitch of 2.54mm and just makes the pins stand up nice and straight.



My soldering skills are average on the whole but I was happy enough with the result.



BDM frame assembled and ready to read









BDM read is working!

« Last Edit: February 10, 2014, 01:54:27 AM by Basano » Logged
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« Reply #33 on: February 10, 2014, 02:00:57 AM »

Attached are the files I’ve retrieved so far.

Full CMD read (read_ecu)
Read of flash (read_M58BW016xB)
Read of serial e2prom (read_Serial_ E2Prom)
Log from CMD tool (CMD_1255.txt)
VCDS log (Log-WAUZZZ8P97A168790.txt)
ODB clone flash tool read (8P0907115K.Bin)

The VCDS log also has the freeze frame data and mileage, for the chap who wanted to look into that Smiley

BDM read of flash and ODB read of flash are identical, which was expected (two different ways of getting the same data).
Logged
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« Reply #34 on: February 10, 2014, 02:11:20 AM »

Thanks for the comments on the immobiliser off. That’s exactly where I am now  Grin

So to avoid treading on anyone’s toes or inadvertently upsetting anyone, what’s the etiquette for requesting or paying a member of this forum for immobiliser off files  Huh

I can understand that the member would probably not want their work published for all and sundry to reverse. I respect that. But in the months to come, as I progress I would probably want to post my bins for comment? Especially when I get stuck. If the immobiliser off solution is modifications to both e2prom and flash, would it still be OK to post the flash for review (but not the e2prom)? Would that be OK with people?

This is what I’m trying to do. Remember I’m constrained in that I can’t open my own original ECU to BDM read it. I can ODB read it as many times as I wish though.

Where I am now:
spare_ecu[spare_e2prom + spare_flash]

Where I want to be (I think):
spare_ecu[spare_e2prom_immo_off + my_own_flash_immo_off]

Secondly, what else is in the e2prom apart from the immobiliser data? I’m making a big assumption that I can just plug this spare ECU into my car with the changes described above. I'm sure I'll need to check and adjust the long coding, but what about any adaptions or other settings?

I know these are really basic questions  Undecided but I'm asking them to learn and putting them here so others can read the information as well.

Much appreciated.
Logged
ddillenger
Hero Member
*****

Karma: +641/-21
Offline Offline

Posts: 5640


« Reply #35 on: February 10, 2014, 02:50:18 AM »

You've put in some good effort, I'll set you up.
Logged

Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience!

Email/Google chat:
DDillenger84(at)gmail(dot)com

Email>PM
_mumin_
Jr. Member
**

Karma: +2/-0
Offline Offline

Posts: 46


« Reply #36 on: February 10, 2014, 03:39:31 AM »

@Basano :

Check Your e-mail.
Logged
aef
Hero Member
*****

Karma: +69/-46
Offline Offline

Posts: 1600


« Reply #37 on: February 10, 2014, 06:59:14 AM »

applauded  Wink
Logged
nyet
Administrator
Hero Member
*****

Karma: +607/-168
Offline Offline

Posts: 12268


WWW
« Reply #38 on: February 10, 2014, 09:18:04 AM »


I can understand that the member would probably not want their work published for all and sundry to reverse. I respect that. But in the months to come, as I progress I would probably want to post my bins for comment? Especially when I get stuck. If the immobiliser off solution is modifications to both e2prom and flash, would it still be OK to post the flash for review (but not the e2prom)? Would that be OK with people?


This is exactly why it took so long for me to get ME7 info. It was easy to find people who wanted to sell me info, almost impossible to find people who were ok with me giving away info they sold me.

So I took the more difficult route, and only talked to people willing to tell me things they were ok with me publishing.

In the long run, I'm glad I did it the hard way and that I told the fuckheads to eat a dick.
Logged

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
oldcarguy85
Full Member
***

Karma: +15/-1
Offline Offline

Posts: 247


« Reply #39 on: February 10, 2014, 05:08:46 PM »

This is exactly why it took so long for me to get ME7 info. It was easy to find people who wanted to sell me info, almost impossible to find people who were ok with me giving away info they sold me.

So I took the more difficult route, and only talked to people willing to tell me things they were ok with me publishing.

In the long run, I'm glad I did it the hard way and that I told the fuckheads to eat a dick.

Haha I like your style!!
Logged
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« Reply #40 on: February 11, 2014, 02:11:47 AM »

Thanks you all

You've put in some good effort, I'll set you up.

email sent (yesterday)

@Basano :

Check Your e-mail.

Thank you very much! Please check your email. It will be a couple of days before I can try anything, but will give feedback as soon as I am able.

This is exactly why it took so long for me to get ME7 info. It was easy to find people who wanted to sell me info, almost impossible to find people who were ok with me giving away info they sold me.

So I took the more difficult route, and only talked to people willing to tell me things they were ok with me publishing.

So true Grin That's why I've brought it up now, at the beginning. Like anyone else, I can always buy a tune. But what am I or anyone else going to learn from that really (although maybe you just want a tune). This way's more fun and ultimately satisfying for me personally. I've learnt loads already (the seed-keys and xor obfuscation for example) and found that to be pretty interesting. I shared it and hope that others found it interesting as well. I might never manage to do anything decent tunewise, but will have a lot of fun trying.
« Last Edit: February 11, 2014, 02:17:53 AM by Basano » Logged
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« Reply #41 on: February 12, 2014, 01:27:00 AM »

I was looking at the serial eeprom and wondering what else it contained (apart from the obvious VIN) Huh Spotted that the last 2048 bytes are a mirror image of the first 2048 bytes.

Then I got a bit distracted and realised just what this post was trying to explain about checksums in the serial eeproms Cheesy Interesting read.

However my own assumption is that the pages in my example are 32 bytes in size and the last 2 bytes are the checksum. The checksum is calculated by adding the first 30 bytes together and then negating the sum.

Example 1
(0x01 + 0x03 + 0xDC + 0x9D + 0x56 + 0x20 + 0x04 + 0xDD + 0xBE +
 0x01 + 0x05 + 0x6F + 0xB1 + 0x48 + 0xD7 + 0xB3 + 0xE8 + 0xF5 +
 0x2D + 0x13 + 0x9E + 0xBC + 0x09 + 0x6A + 0x52 + 0x52 + 0x02 +
 0x1C + 0x03 + 0x09) = 0x0B42

0x0B42 = 0000 1011 0100 0010

Negate this (flip the ones and zeros)

0000 1011 0100 0010
1111 0100 1011 1101

1111 0100 1011 1101 = 0xF4BD (last two bytes)


Example 2
(0x05 + 0x03 + 0x38 + 0x50 + 0x30 + 0x39 + 0x30 + 0x37 + 0x31 +
 0x31 + 0x35 + 0x42 + 0x20 + 0x20 + 0x20 + 0x20 + 0x20 + 0x20 +
 0x00 + 0x00 + 0x00 + 0x00 + 0x00 + 0x00 + 0x00 + 0x00 + 0x00 +
 0x00 + 0x00 + 0x00) = 0x02F9

0x02F9 = 0000 0010 1111 1001
Negate this (flip the ones and zeros)

0000 0010 1111 1001
1111 1101 0000 0110

1111 1101 0000 0110 = 0xFD06 (last two bytes)

Picture shows what I'm trying to explain!



There is a LOT of information and answers in this forum. If I look at some of the queries I posted, I'm cringing because they are the same questions everyone asks time and again, and they've already been answered! Sorry guys Sad

« Last Edit: February 12, 2014, 04:45:06 AM by Basano » Logged
oldcarguy85
Full Member
***

Karma: +15/-1
Offline Offline

Posts: 247


« Reply #42 on: February 12, 2014, 07:48:36 PM »

So i took the plunge and removed my ECU.  i BDM read everything, then drove a couple miles, ad re-read.  to my suprise, data DID change after driving.  i haven't dug in yet to find out what change, but as far as i can tell, the mileage is not stored as i'd expect.  this may not even be what's changing.  It could be time or something like that.

On a side note.  i'm a bit worried about posting the full read siince it shows my VIN.  my car is still under warranty.  anyone have any thoughts on that?

Thanks!
Logged
oldcarguy85
Full Member
***

Karma: +15/-1
Offline Offline

Posts: 247


« Reply #43 on: February 12, 2014, 08:33:09 PM »

screw it! i'm attaching the pre-drive and post-drive versions of my read.  both flash and eeprom have changes after drive.

BTW - the clone worked beautifully! I actually cloned my stock ECU, then drove the car a few miles on the clone, the re-read the clone.

there are a LOAD of differences.  I really am totally lost as to what these changes are.  MOST seem to be incremented by 1, the checksums updated where applicable, but theres also some section that are just wildly different.  mileage was 17,856 pre-drive and 17,857 post-drive.  i can't find data that looks like this ANYWHERE.

thanks for any help!
Logged
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« Reply #44 on: February 13, 2014, 04:03:26 AM »

Hi oldcarguy85,

Thanks for posting the readouts! I was interested in this as well. I’ve taken a look and I see what you mean.

A few differences in the flash, but very small ones (increment/decrement by 1). This chap saw something similar as well.

The big changes are in the e2prom though? Lots of changes (which affect the checksum bytes like I discovered in my post above Smiley so that was handy)

Do you have any fault codes set? I’m guessing now, but I’m think these are the kinds of things that could be in the e2prom:

fault codes?
mileage?
date/time?
driving cycle readiness / test results?


Especially if you just drove a mile, the various tests might not have finished. But I'm taking a stab in the dark.
Logged
Pages: 1 2 [3] 4 5 ... 9
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.034 seconds with 17 queries. (Pretty URLs adds 0.001s, 0q)