Pages: 1 [2] 3 4
Author Topic: FRF and SGO - Differences?  (Read 19999 times)
Aurélien
Full Member
***

Karma: +3/-0
Offline Offline

Posts: 58


« Reply #15 on: December 27, 2014, 03:29:22 PM »

Bosch ODX content is COMPRESSED and ENCRYPTED ( 11 )

Encryption is very easy.
Decompression is easy also... Smiley
Compression, the proper way ( not just tellng " following block is uncompressed " ) is a lot more work though.
Logged
KmosK04
Full Member
***

Karma: +4/-5
Offline Offline

Posts: 89


« Reply #16 on: January 16, 2015, 07:48:54 AM »

Can somebody know how to convert .frf files to .bin? I have an app that converts them to .odx. Now I have to convert that to .bin? If yes how?? Thanks
Logged
KmosK04
Full Member
***

Karma: +4/-5
Offline Offline

Posts: 89


« Reply #17 on: January 19, 2015, 02:07:04 PM »

Anyone please?
Logged
dream3R
Hero Member
*****

Karma: +13/-6
Offline Offline

Posts: 1202


« Reply #18 on: October 09, 2015, 03:29:27 PM »

So the resulting bin from FRF hat does it all contain?
Logged



How to work out values from an A2L Smiley

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting Rev's http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

noobs read this before asking http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORGORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORGINAL finder of the 'extra' torque' limits
I don't have ME7.01 A2L I just use ID
nyet
Administrator
Hero Member
*****

Karma: +327/-38
Offline Offline

Posts: 7853


WWW
« Reply #19 on: October 09, 2015, 07:02:47 PM »

Bosch ODX content is COMPRESSED and ENCRYPTED ( 11 )

Encryption is very easy.
Decompression is easy also... Smiley
Compression, the proper way ( not just tellng " following block is uncompressed " ) is a lot more work though.


Too bad nobody has the balls to release source code.

It is easy to say something is "easy".

It isn't easy to document and publish.

All balless wonders who talk a lot but not much else.
Logged

ME7.1 tuning guide (READ FIRST)
ECUx Plot
ME7Sum checksum checker/corrrector for ME7.x

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience.
n0ble
Full Member
***

Karma: +2/-0
Offline Offline

Posts: 192


« Reply #20 on: October 10, 2015, 01:17:41 PM »

I'm almost there with it....

Now at the final step of trying to work out the compression, I have half worked out the compression but unfortunately my knowledge lacks here.

However i'll keep at it, I'll get there in the end.
Logged
dream3R
Hero Member
*****

Karma: +13/-6
Offline Offline

Posts: 1202


« Reply #21 on: October 11, 2015, 10:56:45 AM »

Anyone know if VAG use FRF for UDS definitions i.e.  ReadDataByIdentifier?

Logged



How to work out values from an A2L Smiley

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting Rev's http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

noobs read this before asking http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORGORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORGINAL finder of the 'extra' torque' limits
I don't have ME7.01 A2L I just use ID
dream3R
Hero Member
*****

Karma: +13/-6
Offline Offline

Posts: 1202


« Reply #22 on: October 11, 2015, 12:10:41 PM »

I'm almost there with it....

Now at the final step of trying to work out the compression, I have half worked out the compression but unfortunately my knowledge lacks here.

However i'll keep at it, I'll get there in the end.

Care to post your progress?   I was looking before but didn't look like something i've seen before.

edit:  keeping wih it, assuiming it's within you, it's the best thing.  I nearly wen't mad doing 5 bar on my Volvo but got there.  BTW the one on here is incomplete...mods know this etc, prj knows it, pisses me off!

« Last Edit: October 11, 2015, 12:18:27 PM by dream3R » Logged



How to work out values from an A2L Smiley

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting Rev's http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

noobs read this before asking http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORGORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORGINAL finder of the 'extra' torque' limits
I don't have ME7.01 A2L I just use ID
dream3R
Hero Member
*****

Karma: +13/-6
Offline Offline

Posts: 1202


« Reply #23 on: October 11, 2015, 12:12:50 PM »

Bosch ODX content is COMPRESSED and ENCRYPTED ( 11 )

Encryption is very easy.
Decompression is easy also... Smiley
Compression, the proper way ( not just tellng " following block is uncompressed " ) is a lot more work though.


Come-on then friend, give me some clues, you were happy enough for my FREE MED9 help!
Logged



How to work out values from an A2L Smiley

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting Rev's http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

noobs read this before asking http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORGORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORGINAL finder of the 'extra' torque' limits
I don't have ME7.01 A2L I just use ID
Geremia
Newbie
*

Karma: +5/-0
Offline Offline

Posts: 14


« Reply #24 on: October 17, 2015, 03:59:52 AM »

frf-to-odx is done inside SoxUtil.dll (odis or DTS7)
Code:
text:10001CC5                 call    edi ; MString::operator char const *(void) ; MString::operator char const *(void)
.text:10001CC7                 push    ebx             ; dest_zip_filename
.text:10001CC8                 push    eax             ; frf_filename
.text:10001CC9                 lea     ecx, [ebp+var_170]
.text:10001CCF                 call    MY_getKey_and_goto_descramble
.text:10001CD4                 lea     ecx, [ebp+var_170]
.text:10001CDA                 mov     byte ptr [ebp+var_4], 2
.text:10001CDE                 call    MY_unzipper_stuff
.text:10001CE3                 test    al, al
.text:10001CE5                 jnz     short loc_10001CFC
.text:10001CE7                 lea     ecx, [ebp+var_28]
.text:10001CEA                 push    offset unk_100046E0
.text:10001CEF                 push    ecx
.text:10001CF0                 mov     [ebp+var_28], offset aNotOne_odxInAr ; "Not one .odx in archive"
.text:10001CF7                 call    _CxxThrowException

key.bin is inside the resource area

Then, as told, the odx contains flash data in encrypted/compressed form.
I dont' know for ECUs, you need to RE bootarea to know the decryption/decompression algo and i did only for dq200 0CW, and yes they are simple once ported to C code, but takes some days to RE them, so i'm not surprised if they don't go opensource quickly.
Flashdata first need to be descrambled and, at least for dsg, it's the same scrambling algo found in previous sgo files, just the byte subst table is per ecu type.
About compression algo, don't know, probably dsg uses diff algo than bosch, anyway comparing compressed and uncompressed data makes the task very easy.
Logged
tmbinc
Newbie
*

Karma: +4/-0
Offline Offline

Posts: 7


« Reply #25 on: November 09, 2015, 04:00:22 PM »

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

const unsigned char key[4095] = {
#include "key.h"
};

int main(void)
{
   int kidx = 0;
   int seed0 = 0;
   int seed1 = 1;
   
   while (1)
   {
      unsigned char buf[1024];
      int i;
      int n = read(0, buf, sizeof(buf));
      if (!n) {
         break;
      }
      
      for (i = 0; i < n; ++i) {
         unsigned char kb = key[kidx];
         kidx += 1;
         kidx %= sizeof(key);

         seed0 = ((seed0 + kb) * 3) & 0xFF;

         buf ^= seed0 ^ 0xFF ^ seed1 ^ kb;

         seed1 = ((seed1 + 1) * seed0) & 0xFF;
      }
      
      write(1, buf, n);
   }
   return 0;
}
Logged
Geremia
Newbie
*

Karma: +5/-0
Offline Offline

Posts: 14


« Reply #26 on: November 10, 2015, 03:45:36 PM »

welcome! Wink
I do like this, but it's ok anyway, since keysize is 0xFFF
buf ^= seed0 ^ sizeof(key) ^ seed1 ^ kb;
Logged
tmbinc
Newbie
*

Karma: +4/-0
Offline Offline

Posts: 7


« Reply #27 on: November 13, 2015, 05:16:18 PM »

Also, to unpack "BCB Type1" compressed data:

import sys, struct

key = "BiWbBuD101"

img = sys.stdin.read()
img = img[img.index("\x1A\x01") + 2:]
img = ''.join(chr(ord(j)^ord(key[i%len(key)])) for i, j in enumerate(img))

p = 0
res = ""

while p < len(img):
  l = struct.unpack(">H", img[p:p+2])[0]
  p += 2

  fl = l >> 14
  l &= 0x3FFF

  if fl == 0: # literal
    res += img[p:p+l]
    p += l
  elif fl == 1: # RLE
    res += img[p] * l
    p += 1
  else:
    sys.stderr.write("remaining bytes: " + img[p:].encode('hex') + "\n")
    break

sys.stdout.write(res)

Logged
Geremia
Newbie
*

Karma: +5/-0
Offline Offline

Posts: 14


« Reply #28 on: November 15, 2015, 05:11:44 PM »

else //fl==3 checksum
      {
         p++;
         unsigned int chk=(inbuf[p]<<24)|(inbuf[p+1]<<16)|(inbuf[p+2]<<Cool|inbuf[p+3];
         unsigned int chk2=0;
         for(unsigned int i=0;i<outsize;i++) chk2+=outbuf;
         if(chk!=chk2)
         {
            printf("Checksum mismatch, file=0x%X calc=0x%X at inbuf offset 0x%X\n", chk, chk2, p);
            error=true;
         }
         if((p+4)!=size)
         {
            printf("Checksum at offset 0x%X not EOF\n",p);
            error=true;
         }
         break;
      }
Logged
H2Deetoo
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 101


« Reply #29 on: November 16, 2015, 12:35:16 AM »

This looks very interesting guys!

Is somebody able to post a complete example of input/output data to verify the posted routines?
I am interested in writing a (Delphi) application for this...


Thanks,
H2Deetoo
Logged
Pages: 1 [2] 3 4
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.026 seconds with 18 queries. (Pretty URLs adds 0.001s, 0q)