Pages: 1 ... 3 4 [5] 6 7 ... 9
Author Topic: MED9sum: Correct those MED9 eeprom checksums!  (Read 133667 times)
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« Reply #60 on: March 28, 2015, 07:52:51 AM »

I think I’ve managed to find the start and end addresses of that block. Using my own bin as an example, here’s what I did.

Here’s the sequence of bytes, both disassembled in IDA and also in a hex editor (I use HxD)





This sequence is at memory location 0x4BA104 (using memory locations as shown by IDA)

Next I did a search in IDA for byte sequence 0xA104. The search result gives me an instruction that’s loading 0xA104 into the low word of R10, preceded by an instruction loading 0xC into the high word of R10. At this point R10 (high and low) now contains the value stored in flash at 0xCA104. As I mentioned earlier, ignore the 0x400000 offset and weirdly there’s sometime a 0x10000 offset as well that I don’t understand, so B0000 sort of refers to C0000…





In the code you can see R10 (our checksum suspect) is compared to R9, where the value in R9 has been loaded from RAM address 0x7FBBDC. Stands to reason that 0x7FBBDC is very likely to contain a checksum if it’s being compared to the checksum value in the flash! Let’s see how 0x7FBBDC is calculated. Clicking on 0x7FBBDC and looking at cross-references, you can see where it’s set (stw) and read (lwz)



Here’s the interesting bit. In IDA, just above 0x45AB8C (stw) and 0x45AB64 (lwz) are a few instructions that look very familiar…

0x1C2000 and 0x1EFFFF. Start and End address?




Now I go back to my HxD editor, I select a block starting at 0x1C2000 and ending at 0x1EFFFF (which happens to be size 0x2E000, anyone remember that a2l mapping from a few posts back…). The HxD editor has got some checksum capability build-in (they all do), so selecting Checksum-32 as the algorithm gives me a checksum of 01361903 which is exactly the same as the byte sequence in the flash


« Last Edit: March 28, 2015, 07:54:44 AM by Basano » Logged
technic
Full Member
***

Karma: +18/-5
Offline Offline

Posts: 227


« Reply #61 on: March 28, 2015, 05:10:14 PM »

As usual, impressive work. Not only that you took time to help, but also writing it down in a detailed manner Smiley

I'll haven't had time to do anything the last couple of days but tomorrow I'll fire up IDA again Smiley

Kudos to you
Logged
technic
Full Member
***

Karma: +18/-5
Offline Offline

Posts: 227


« Reply #62 on: March 29, 2015, 01:28:10 PM »

Now this checksum is added to the tool. (thanks David) Another 7 checksums are also found and added.

I believe the only checksum left is the RSA.
For NOREAD/OBDPROT (and other changes not covered by the RSA) it should work fine.

Update is here : http://nefariousmotorsports.com/forum/index.php?topic=5833.msg54763#msg54763

Cheers
/Lars


Logged
ozzy_rp
Jr. Member
**

Karma: +16/-1
Offline Offline

Posts: 49


« Reply #63 on: April 13, 2015, 12:11:11 AM »

I believe the only checksum left is the RSA.

RSA in MED9 very similar to ME7.
Look at http://nefariousmotorsports.com/forum/index.php?topic=6457.msg67541#msg67541
But i calc RSA in MED9.5
In MED9.1 very strange algorithm Smiley
Logged

MED17/EDC17 Reverse engineering
conversion sgo and frf to bin https://osotec.com/
Dobermann
Full Member
***

Karma: +7/-0
Offline Offline

Posts: 80


« Reply #64 on: May 02, 2015, 06:03:24 PM »

Hello i found that tool and i want to say thank you to ddillenger and technic for posting.

i have dont try but i will ! the adresses for immo off med9 i was knew but in that tool shows me the security access too !

someone tryed if that works too ??

absolut great tool !!

thanks friends !
« Last Edit: May 02, 2015, 06:27:36 PM by Dobermann » Logged
technic
Full Member
***

Karma: +18/-5
Offline Offline

Posts: 227


« Reply #65 on: May 03, 2015, 04:39:19 AM »

@ozzy_rp : Thanks. Will look into it.
@Dobermann : I haven't actually tried the security access. It is coded based on info I got from looking on how it is done in another tool. If you try it, please report back.
Logged
semmel3k
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 1


« Reply #66 on: July 07, 2015, 12:28:55 PM »

Thank you for the great tool! Do you think it's possible to implement a function for immo on (after immo off) and for immo new?
It's easier to adapt a "new" ECU against a used one.
Logged
alexrae
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 32


« Reply #67 on: October 27, 2015, 07:27:38 AM »

guys, correct me if Im wrong. to use this tool I need to have eeprom file. is there a way to get eeprom via OBD (as with 95040 tool) or only desolder eeprom option with 9.1.1?  Also  - according to Rosstech its possible to swap ECU if you have both pins...  (thats what I need to do, actually) Where I can see the current PIN in this tool? Under Edit Inventory? in this case which field exactly? Thanks in advance
Logged
technic
Full Member
***

Karma: +18/-5
Offline Offline

Posts: 227


« Reply #68 on: October 27, 2015, 08:22:10 AM »

Read eeprom with BDM. Pin is under edit inventory. Unencrypted eeprom only
Logged
alexrae
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 32


« Reply #69 on: October 27, 2015, 08:39:12 AM »

What is BDM stands for? (sadly, search on forum does not work - it would eliminate a lot of stupid question, I think)...  actually - nevermind - found post about it - reading at the moment Smiley ... but if I dont have time to BDM - can I just unsolder eeprom - read it - use your tool to defeat immo or get pin and solder it back? Which field in Inventory stands for PIN then? Security access or manufacturer number?
« Last Edit: October 27, 2015, 08:55:10 AM by alexrae » Logged
weijie
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 46


« Reply #70 on: April 07, 2016, 02:45:30 AM »

I got an used ME9 and want to use it as a spare so i flashed in a new .bin file and tried to immo defeat but i failed.
I tried to use the tool supplied by technic but my immobilizer is still active on the MFD but it shows '4' in adaptation block 91.
I've read through this thread several times and know that the tool from technic is only 'correcting' the eeprom, i've heard from others that the flash has to be edited as well so im lost.
I've attached the immo off file, could anyone shed some light here?
Logged
BraxS4
Full Member
***

Karma: +2/-6
Offline Offline

Posts: 162



« Reply #71 on: June 18, 2016, 03:07:52 PM »

did you find a solution?
Logged

stage 3 b5 S4
Placebo
Full Member
***

Karma: +3/-0
Offline Offline

Posts: 108


« Reply #72 on: July 26, 2016, 09:35:15 PM »

I got an used ME9 and want to use it as a spare so i flashed in a new .bin file and tried to immo defeat but i failed.
I tried to use the tool supplied by technic but my immobilizer is still active on the MFD but it shows '4' in adaptation block 91.

Trying to do the same thing and stuck at the same point.  Using original flash from 8P0907115B on an a 3C0907115S with eeprom defeated using eeprom_v2.2.1.  Surely missing something simple.
 
Am I correct that the flash does not need to be modified?

  Little confused about swappability of eeproms files. Maybe the two ecus have eeproms of different sizes? Both are 8P0907115B.   Trying to avoid cracking open the original ECU.

 Once read,  defeated and  coded correctly, could I be writing any MED9.1 eeprom file if of the correct size?

Thanks for whatever info you can share.


Logged
BraxS4
Full Member
***

Karma: +2/-6
Offline Offline

Posts: 162



« Reply #73 on: July 26, 2016, 09:42:48 PM »

EPROM needs a few hex changed
Logged

stage 3 b5 S4
Placebo
Full Member
***

Karma: +3/-0
Offline Offline

Posts: 108


« Reply #74 on: July 27, 2016, 05:06:20 AM »

EPROM needs a few hex changed


Thanks for the hint.  Can you elaborate or suggest where to read?  I interpret this to mean the immo off eeprom program is not working for my eeprom, flash combo.


Sent from my iPhone using Tapatalk
Logged
Pages: 1 ... 3 4 [5] 6 7 ... 9
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.056 seconds with 17 queries. (Pretty URLs adds 0.002s, 0q)