|
| rolls |
|
||
|
Not really. The stuff I want to add is very specific to ford so I really need my own software for me to be happy with it.
I've already written viewer software with checksum capabilities and auto definition parsing so a lot of the hard stuff is already done. |
||
| Top | |
||
| rolls |
|
||
|
I just tried the python code against my sniffed key exchange and it works flawlessly
Appears the key exchange on the BF falcon is done as follows: send security request 0x7E0 0x02 0x27 0x01 Get back a response with a seed (this will change every time) 0x7E8 0x05 0x67 0x01 0x61 0x43 0xE7 Call the generate key function with the seed that was sent back (secret keys in the python file posted earlier which are extracted out of AlgData.dll) bool GenerateResponse(uint secretKey, uint seed, out uint response) GenerateResponse(0x08 30 61 A4 C5, 0x61 43 E7, out response) Response = 0x4E8DE2 Send response 0x7E0 0x05 0x27 0x02 0x4E 0x8D 0xE2 Receive success! 0x7E8 0x02 0x67 0x62 Way easier than I thought, appears those guys saved us a lot of time of trying to find this routine. They had a clever idea and reversed the IDS software dll itself opposed to trying to reverse the PCM code. Reversing X86 is often easier as you have function call names and you can debug the code MUCH easier. Next step is for me to implement this in code and test it out with the $25 toyota VCI mini to see if we have a cheap read/write solution. I suspect there will be many more hurdles before I can get that far. Open source J2534 .net code here. Seems to be a good base to do some testing and works with the VCI mini, far from complete though. https://github.com/fenugrec/oj2534-fw/ |
||
| Top | |
||
| frankieh |
|
|||
|
galapogos01 wrote: rolls, have you considered using TunerPro (or a similar open platform) as the editor and just building the software required to handle the Flash handshake and upload as a plugin? It would limit you in some ways but save you time in others. Just a thought. I was planning to base my work on this: http://www.openecu.org/index.php?title=Main_Page My initial work is using wxwidgets just to get a working setup, but then once I have it down I was planning on making it work with openecu/ecuflash. As I understand it, tunerPro isn't open source, using the plugin mech of tunerpro is basically adding value to someone elses closed source application. |
|||
| Top | |
|||
| rolls |
|
||
|
https://github.com/rolandh/j2534-logger/
I've forked a J2534 shim DLL. If you download and compile this you can edit your J2534 registry entries to use this DLL, when the DLL is called it will create a dialog box and ask which real J2534 DLL you would like you use and a log location. I've tested it with a VCI mini china clone and FORscan in windows 10 x64 without issue. I'll create an installer for it later but you guys should be able to figure it out manually. You can then use IDS, moates etc and it will record all J2534 DLL calls to disk which you can then use to replay/recreate the functionality. Enjoy! |
||
| Top | |
||
| frankieh |
|
|||
|
rolls wrote: https://github.com/rolandh/j2534-logger/ I've forked a J2534 shim DLL. If you download and compile this you can edit your J2534 registry entries to use this DLL, when the DLL is called it will create a dialog box and ask which real J2534 DLL you would like you use and a log location. I've tested it with a VCI mini china clone and FORscan in windows 10 x64 without issue. I'll create an installer for it later but you guys should be able to figure it out manually. You can then use IDS, moates etc and it will record all J2534 DLL calls to disk which you can then use to replay/recreate the functionality. Enjoy! That is awesome.. I've been wanting to sniff the J2534 traffic.. this is exactly what I'm looking for. |
|||
| Top | |
|||
| Nigel |
|
||
|
I did this a while back, but instead used a Serial Port Duplicator. Cant even remember what that was - but had all serial activity mirrored to RealTerm, where it was recorded. Seemed much easier.
I was going to do custom Arduino's with Press-Button Programming for the FDIM on the FG Falcons (The Display) - Enable/Disable Camera, Enable/Disable FPV Mode, Enable/Disable Reverse Sensors etc. Ended up just getting involved with Forscan, and having them add the functionality to the program. Given its a community driven Effort I dont mind that, and Forscan also has Iphone and Android Apps. Good luck with what you guys are doing here. Im interested (but just dont have the time any more) |
||
| Top | |
||
| rolls |
|
||
|
Just found out the ford IDS .phf files are not encrypted and contain the raw binary information in them. You can also download the files without a subscription if you know your calibration ID (which is easy to guess)
Very interesting! |
||
| Top | |
||
| frankieh |
|
|||
|
rolls wrote: Just found out the ford IDS .phf files are not encrypted and contain the raw binary information in them. You can also download the files without a subscription if you know your calibration ID (which is easy to guess) Very interesting! yes, near as I Can tell the phf files are a motorola srec format.. I also have a raw one here that I've been trying to extract the file system from.. got part of the way there.. if I can figure it out I can script the extraction and then things get more interesting. There was a ford tool that leaked at one stage that would make this all very easy.. but it's damn hard to find. lukeysan mentioned it by name on here once but I can't find the post anymore. |
|||
| Top | |
|||
| rolls |
|
||
|
I'll write something up tonight, should be easy as to extract the binary from it. Even includes the checksum locations in the PHF file!
|
||
| Top | |
||
| frankieh |
|
|||
|
rolls wrote: I'll write something up tonight, should be easy as to extract the binary from it. Even includes the checksum locations in the PHF file! That's what I thought too.. unless I got one of the steps wrong, I managed to get the compressed images out of the file but the decompression stage was always corrupted.. Im guessing I missed an offset or something. I only tried for a couple of hours one night after work. I wanted to ask, do you have the up to date spec of J2534? I don't really want to pay a 100 bucks for a standard that should be open since it's been mandated worldwide. |
|||
| Top | |
|||
| rolls |
|
||
|
frankieh wrote: rolls wrote: I'll write something up tonight, should be easy as to extract the binary from it. Even includes the checksum locations in the PHF file! That's what I thought too.. unless I got one of the steps wrong, I managed to get the compressed images out of the file but the decompression stage was always corrupted.. Im guessing I missed an offset or something. I only tried for a couple of hours one night after work. I wanted to ask, do you have the up to date spec of J2534? I don't really want to pay a 100 bucks for a standard that should be open since it's been mandated worldwide. Loading it up in IDAPro it doesn't appear to be compressed? I only have the 2002 edition o J2534 that I've run through OCR, I haven't needed anything more indepth than this so far as it has all of the DLL functions described in detail. |
||
| Top | |
||
| gogetta |
|
|||
|
do u think the day will come when we can flash and tune the ecu without an expensive software licence .. like the j3 tuning on an e/AU ecu? .. is that one of you guys goals?
_________________ |
|||
| Top | |
|||
| rolls |
|
||
|
gogetta wrote: do u think the day will come when we can flash and tune the ecu without an expensive software licence .. like the j3 tuning on an e/AU ecu? .. is that one of you guys goals? It absolutely is. Either free definitions with no support or something like you pay $50 per strategy/definition each that someone has verified every point and made sure it is as good as the competition. |
||
| Top | |
||
| Nigel |
|
||
|
Theres already a guy on FordForums who can flash the AU (and EL/EF I think) EEC's, and do custom tunes to them. He charges from $100-$150 to do that, and has most of the Ford Binaries. He uses Custom Hardware that he put together.
So its doable. |
||
| Top | |
||
| rolls |
|
||
|
I'm talking about the ppc ecus, eg ba/bf/fg, there is nothing cheap available for them.
|
||
| Top | |
||
| Who is online |
|---|
Users browsing this forum: Google [Bot] and 12 guests |
