|
| rolls |
|
||
|
https://dl.dropboxusercontent.com/u/142 ... shim32.dll
Can confirm if you use my shim dll in place of the bosch VCM2 dll it will let you use as VCI mini or basically any J2534 device. IDS has issues with it though and will not let you do most of the functionality due to random timeouts etc. I suspect that is due to dodgy cheap $25 hardware. I'm guessing if you use a mongoose or an OpenPort 2.0 it will work fine. I suspect you can also interchange the Ford and GM flashing tool via this method. |
||
| Top | |
||
| snap0964 |
|
|||
|
Nigel wrote: Theres already a guy on FordForums who can flash the AU (and EL/EF I think) EEC's, and do custom tunes to them. He charges from $100-$150 to do that, and has most of the Ford Binaries. He uses Custom Hardware that he put together.So its doable. So this is communicating directly with the ECU onboard ROM ? Not just to a plug in J3 chip ?Ripping an onboard binary seems straightforward - a J3 programmer and the F2E connector, which is essentially a pass through connector, and the software executionable. I guess it wouldn't be that straightforward to write another executionable to use this same setup to enable writing to the onboard ROM.
_________________ 96 XH Longreach 'S': LPG, Alarm, 3.23:1 LSD, Cruise, Trip Comp, ABS, Power Windows, Mid Series Dome Lt, Climate Ctrl |
|||
| Top | |
|||
| data_mine |
|
|||
|
snap0964 wrote: Nigel wrote: Theres already a guy on FordForums who can flash the AU (and EL/EF I think) EEC's, and do custom tunes to them. He charges from $100-$150 to do that, and has most of the Ford Binaries. He uses Custom Hardware that he put together.So its doable. So this is communicating directly with the ECU onboard ROM ? Not just to a plug in J3 chip ?Ripping an onboard binary seems straightforward - a J3 programmer and the F2E connector, which is essentially a pass through connector, and the software executionable. I guess it wouldn't be that straightforward to write another executionable to use this same setup to enable writing to the onboard ROM. EF/EL don't have flashable ECU's. the chips on them are all read only things. AU (maybe AU2+) do have flashable ECU's.
_________________ 1998 DL LTD in Sparkling Burgundy, daily, 302W, stereo, slow |
|||
| Top | |
|||
| frankieh |
|
|||
|
Nigel wrote: Theres already a guy on FordForums who can flash the AU (and EL/EF I think) EEC's, and do custom tunes to them. He charges from $100-$150 to do that, and has most of the Ford Binaries. He uses Custom Hardware that he put together. So its doable. You are probably talking about TI performance... Jason? We have him here too.. in fact he posted in this very thread last week. username galapogos01 
|
|||
| Top | |
|||
| galapogos01 |
|
|||
Posts: 1139 Joined: 27th Feb 2005 Ride: Supercharged EF Fairmont Location: T.I. Performance HQ |
Yep. Very keen to help get an open definition solution for BA-FGX too
_________________ T.I. Performance - Ford Performance Tuning - J3 Chips & Tuning, Fuel Pumps & Injectors, Camshafts and much more! |
|||
| Top | |
|||
| frankieh |
|
|||
|
It's very serendipitous that this is happening now.
There are limitations to the binary editor setup I have with my mongoose cable most related to the encrypted schema I'm having to use. It was so frustrating getting it working that I resolved to start making a system myself to do it. I setup a work bench and started getting kitted up for testing.  Got a ton of PCM's, a CRO, a proper USB to CAN adaptor (not elm) Arduino and canshield, 2 Raspberry Pi's and 2 J2534 adaptors, couple of laptops and started wiring up pinouts on PCM's, BCM's and ICC's.. (got some work to do with those too.) Started sniffing and coding on Linux to start with simply because that's my day job, but as it turns out, there is a ton more Windows stuff available for J2534 than Linux.. so started teaching myself Wxwidgets as that is what Forscan is written too and I like the look and function of Forscan. If Fordscan was OSS I'd knock up a PCM write extension to that. It already has PATS and some built as data stuff.. would be nice to have a single tool that does everything a lowly falcon/territory owner could want. Perhaps that is what this will end up being. Last edited by frankieh on Mon Sep 12, 2016 4:53 pm, edited 1 time in total. |
|||
| Top | |
|||
| rolls |
|
||
|
That is one oldschool cro you have there.
What j2534 adapters are you using? |
||
| Top | |
||
| frankieh |
|
|||
|
rolls wrote: That is one oldschool cro you have there. What j2534 adapters are you using? yeah, the CRO is ancient.. but it works perfectly.. kinda cool in a retro sort of way.. the lab power supply is of a similiar vintage and it works perfectly too. The two J2534's I have are an old Mongoose Pro ford and a new VX diag one I bought on a whim a while pack. http://www.vxdiag.net interestingly I had issues getting the VXdiag to putput the 18v on pin 13 (going from memory) so I bought a OBD2 extension and a small 12 to 18v step up which just arrived so I'll be able to manually trigger the 18v if I have to.. (but I'd rather find out how to do it via the vxdiag DLL...) It apparently works fine with FMP so it must be there.. I can't get FMP anymore as they figured out I was in australia and stopped letting me buy it otherwise I'd do a write and trace it with the both the mongoose and vxdiag. I also have a VCM but the vxdiag can be both VCM and J2534 which was why I bought it.. it also has wireless which I wouldn't use for writting (no backup power if you get fluctuations or voltage drops) but for PATS resets it works well enough. Forscan uses it well too. |
|||
| Top | |
|||
| rolls |
|
||
|
edit: double post
Last edited by rolls on Mon Sep 12, 2016 8:37 pm, edited 1 time in total. |
||
| Top | |
||
| rolls |
|
||
|
https://dl.dropboxusercontent.com/u/1428435/PHF2BIN.rar
Ford IDS PHF to Binary converter I wrote this afternoon. Wrote a plugin structure so it can be extended to open/save other formats if desired. All source code included. It only works with BF/FG PHF files, I haven't tested it with others. Also the PHF file is missing the binary from 0x10000 to 0x20000 which I believe is some unimportant bit of ROM. I fill this section with 0xFF Not sure if it is of use to anyone but I am using the plugin library in my PCM editing software so other people can extend it to open/save other formats. |
||
| Top | |
||
| frankieh |
|
|||
|
rolls wrote: https://dl.dropboxusercontent.com/u/1428435/PHF2BIN.rar Ford IDS PHF to Binary converter I wrote this afternoon. Wrote a plugin structure so it can be extended to open/save other formats if desired. All source code included. It only works with BF/FG PHF files, I haven't tested it with others. Also the PHF file is missing the binary from 0x10000 to 0x20000 which I believe is some unimportant bit of ROM. I fill this section with 0xFF Not sure if it is of use to anyone but I am using the plugin library in my PCM editing software so other people can extend it to open/save other formats. That's pretty cool. Does IDApro help with pulling out the OS? I tried half a dozen OSS apps that do much the same thing as IDA but none did the job and the free IDA doesn't do the motorola CPU stuff. you certainly move quickly.. I have 3 kids and 2 jobs so I do what I can when I can.. wish I had more as I enjoy this stuff. |
|||
| Top | |
|||
| rolls |
|
||
|
Yes Ida pro will load the binary. It is powerpc big endian, processor is mpc5xx spanish/black oak is ppc not motorola
Can find all the maps in Ida pretty easy. Personally I've written my own binary library that dereferences all the pointers, finds the table structs and then displays the data. I work full time but no kids, I have to keep my gf entertained so the only time I get is maybe 1 day on the weekend, spare time at work and some week nights. I still reckon I get a solid 20 hours a week to ply with this though. |
||
| Top | |
||
| rolls |
|
||
|
Ok so I'm playing with the security request commands with my J2534 library that is here: https://github.com/rolandh/J2534DotNet
I've gotten this far: Request security access level 3 00 00 00 07 E0 27 03 00 00 00 I get back response 00 00 00 07 E8 67 03 xx xx xx Where I suspect xx xx xx is the seed however once I calculate the seed response I don't know how to send it back. I tried 27 04 xx xx xx where x is the seed response but I always get 7F 27 error back suggesting I am sending the wrong seed reponse back. The sniffed security access exchange I found was sending the following: 00 00 00 07 E0 27 01 00 00 00 However if I try and access mode 01 I get back 00 00 00 07 E8 7F 10 11 Where 7F is error 11. I'm unsure where to find a list of error codes but it doesn't accept mode 01. Perhaps this is where I need to apply the 18v to pin 13 for it to accept it. Thoughts? I will try with my laptop power supply connected to this pin later on tonight/this week and see what happens. I'm thinking if I'm requesting mode 03 I need to use a different security key to the one I'm using for mode 01, assume I send the seed response back using 04. I will try the other keys I've got and see if it accepts any of them. Eg request mode 01, send seed response back using mode 02 request mode 03, send seed response back using mode 04 Sound like I'm on the right track? |
||
| Top | |
||
| rolls |
|
||
|
Ok figured it out, there are two different seed keys used depending on the level of security access you are requesting.
I did the seed request for level 2 (27 03), generated the response with the correct key and it replied with 67 03 indicating success. I'm going to bet the level 1 (27 01) access requires the 18v on pin 13. Should be easy to test. If it is the case I should have a read binary app developed by the end of the week! |
||
| Top | |
||
| rolls |
|
||
|
Ok so I managed to get the level 1 security access (required for flashing) working.
Pull Pin 13 high (used 20v laptop power supply) Power cycle ignition off Wait a few seconds Power cycle ignition on ...set CAN baud rate etc Enter security level 1 00 00 07 E0 27 01 Possible responses: If you have not applied power to pin 18 you will get: 7F 27 11 If you have applied power to pin 18 but not power cycled you will get 7F 27 12 If everything was ok you will get 67 which means successfully requested level 1 00 00 07 E8 67 01 XX XX XX Generate seed response with level 1 security key 0xYY YY YY = GenerateSeed(level1_security_key, XX XX XX) Send response 00 00 07 E0 27 02 YY YY YY If you generated the response correctly you will get: 00 00 07 E8 67 02 You have now successfully unlocked the controller. Send the following to initiate a read from memory request 00 00 07 E0 23 00 00 00 00 01 00 This is where it fails with my VCI mini crashing and causing an access violation or timeout regardless of the baud rate, timeout or how long I wait before polling the device. The cables requires a full power reset at this point. I'm ordering an OpenPort 2.0 and will see how I go with that, the bonus is it has full 0-20V support for all vendor pins. |
||
| Top | |
||
| Who is online |
|---|
Users browsing this forum: No registered users and 16 guests |
