Author Topic: SAAB Trionic 8 flashing  (Read 21267 times)
Dilemma
Newbie
*

Karma: +5/-0
Offline Offline

Posts: 11


« on: April 28, 2011, 11:53:02 AM »

Hi all,

New to this place, but I've been hacking my way into several ECUs in the last couple of years.
Currently I'm working on a flashing tool for SAAB's Trionic 8 (also used in some other GM cars).
I've already found the seed & key algorithm for security access and I can read the entire content of the flash over the CAN bus. Flashing, however, seems to require an encryption algorithm, and that is a bitch to find by reversing the code.

If someone has info he/she wants to share on the subject that would be much appreciated. Please know that all the resulting code and information will become public in my open source projects which you can find here: http://trionic.mobixs.eu

The T8 flasher project's progress can be followed here: http://www.trionictuning.com/forum/viewtopic.php?f=35&t=493

Thanks for the very informative site you are running here... found some documents that might come in handy in the near future :)

Tony@NefMoto
Administrator
Hero Member
2001.5 Audi S4 Stage 3


« Reply #1 on: April 28, 2011, 03:55:43 PM »

Small world as I was just browsing this thread you had started: http://forum.ecuproject.com/showthread.php?3174-MotronicSuite

The way I found the seed/key algorithm in the ME7 was by tracking down the code that handles the KWP2000 security negotiation. Then I drove myself crazy translating it from assembly into C#.

Remember you have to log in if you want to see the file attachments!
Info or questions, please add to the wiki: http://www.nefariousmotorsports.com/wiki
Follow NefMoto developments on Twitter: http://twitter.com/nefmoto
Dilemma
« Reply #2 on: April 30, 2011, 12:40:48 AM »

Hi,

Small world indeed. There seem to be only a handful of people publicly working on these things.
Gladly I see a lot more of them working with the results :)

You don't have these routines available as open-source, right? ;)

I'm sure I will come to a point where ME7 will be a priority but that is not now. Trionic 8 is eating up all my spare time (even bug reports for Trionic 5 and 7 have to wait a little, my concentration goes down the drain when I try to focus on multiple complex tasks).

I've posted the Trionic 8 library (the code is a copy from the Trionic 5 library, so there are routines for T5 left in it, I need to clean it up a little more) here:

Source for library: http://trionic.mobixs.eu/T8/T8CANLib.rar
Source for testapp: http://trionic.mobixs.eu/T8/T8CanLibTester.rar

The seed & key algorithm is also in there (SeedToKey.cs).

Hope this helps someone.
/Guido

Dilemma
« Reply #3 on: May 09, 2011, 11:16:03 AM »

I think I found it:

Rotating XOR mechanism it seems.

XOR 0x39
XOR 0x68
XOR 0x77
XOR 0x6D
XOR 0x47
XOR 0x39

So, six XOR values, which are used one after the other. First byte goes XOR 0x39, second byte XOR 0x68 etc...
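The rotation described in Reply #3, written out as an added example that is not part of the thread or of T8Suite's code: it applies the six listed values in order, shows that the same call reverses the transform, and shows why a fixed repeating XOR is obfuscation rather than encryption, since a region of 0xFF filler exposes every key byte. The function names, the `offset` parameter and the sample bytes are assumptions of this example.

```python
from collections import Counter

# Six XOR values exactly as listed in Reply #3, used one after the other.
KEY = bytes([0x39, 0x68, 0x77, 0x6D, 0x47, 0x39])

# Constructed sample, not real ECU data: a short header followed by 0xFF
# filler, the value erased flash reads back as.
SAMPLE = b"CONSTRUCTED SAMPLE HEADER" + b"\xFF" * 600


def rotating_xor(data: bytes, key: bytes = KEY, offset: int = 0) -> bytes:
    """XOR byte i of data with key[(offset + i) % len(key)].

    `offset` is an assumption of this example: it lets a payload that is
    split into several frames continue the rotation across frame boundaries.
    """
    n = len(key)
    return bytes(b ^ key[(offset + i) % n] for i, b in enumerate(data))


def key_from_padding(blob: bytes, period: int, pad: int = 0xFF) -> bytes:
    """Derive the repeating key from transformed data that is mostly `pad`.

    At each position modulo `period`, the most frequent output byte is
    pad XOR key byte, so XORing it with `pad` gives the key byte back.
    """
    key = bytearray()
    for pos in range(period):
        most_common, _count = Counter(blob[pos::period]).most_common(1)[0]
        key.append(most_common ^ pad)
    return bytes(key)


if __name__ == "__main__":
    obfuscated = rotating_xor(SAMPLE)
    # The same call undoes the transform: XOR with a fixed key is an involution.
    assert rotating_xor(obfuscated) == SAMPLE
    # Splitting into frames gives the same bytes when the offset is carried on.
    framed = rotating_xor(SAMPLE[:10]) + rotating_xor(SAMPLE[10:], offset=10)
    assert framed == obfuscated
    # No secrecy: the filler region alone reveals all six values.
    print(key_from_padding(obfuscated, len(KEY)).hex(" "))
```

For a firmware update path this means the XOR layer neither hides the image nor authenticates it; those properties need real encryption and a signature check on the image.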
mtx-electronics
Full Member
« Reply #4 on: May 09, 2011, 12:24:17 PM »

You're doing a great job with your Trionic Suite; when I have time I'll be using it to play around with my SAAB 95.

Nice to see that you're getting close to the solution for the T8 encryption.

Dilemma
« Reply #5 on: May 10, 2011, 08:00:03 AM »

Thanks!

I'm pretty sure that I have all the info needed to build a flasher and get live data from the ECU now.

Enjoy T7Suite in the meantime :)
Dilemma
« Reply #6 on: May 11, 2011, 09:33:56 AM »

The flasher is done. I already integrated it into T8Suite (version 1.2.6).
First results from the real world still have to come in though, because I don't have access to a Trionic 8 car.
Dilemma
« Reply #7 on: May 14, 2011, 04:07:15 AM »

First results are back and everything seems to work properly.
DJGonzo
Guest
« Reply #8 on: May 14, 2011, 09:26:27 PM »

That is some great news!
Dilemma
« Reply #9 on: May 17, 2011, 03:40:29 AM »

I'm working on the divorce and marry process at the moment.
This is needed if you replace the ECU (physically) from the car and use a different one.
The new ECU needs to be married to the car in that case.
Dilemma
« Reply #10 on: June 29, 2011, 03:41:04 AM »

Recovery mode has been implemented as well.