after more testing seems like the mpc5777 ecu's e88/e90/e99 etc are open to many areas but the e41 is for what ever reason more locked down and you can only read a very limited sector in ram. Requires a bit more inventive thinking on other ecus. Using higher unlock clearance to be allowed to read r...

I am always working with the ECU unlocked, it is also patched. $34/$36 work fine. $35 NRC 0x11. Everything in the flash its self that I have tested I get a NRC 0x31. Only things readable are parts of the RAM. Unless it has something to do with the patch which is highly unlikely (this is not an HP p...

I am always working with the ECU unlocked, it is also patched. $34/$36 work fine. $35 NRC 0x11. Everything in the flash its self that I have tested I get a NRC 0x31. Only things readable are parts of the RAM. Unless it has something to do with the patch which is highly unlikely (this is not an HP pa...

$23 only works in one range, so far nothing exciting. I've dumped about all that is open.

Not an assumption, NRC code 0x11 is pretty clear.

How do you figure you could read the boot loader? The e41 and e99 will not take a read/write loader via $34/$36 like all pre global-a. I havent tried, but I highly doubt $35/$36 or $23 will work. If I had a copy of the boot loader, i could easily get through the code in IDA.

They power glitch 27 01 on the E41. So it would appear no need to try 27 03. While you might get the ecu to accept unencryted/uncompressed, i would suspect that may take a lot of code change. IIRC everything but the bootloader is stored encrypted/compressed in the flash and is decoded in RAM. There ...

Back to the global-a stuff. Generally most people know how to do the 5 byte seed/key with ease. The 27 FB trick only works on T87 variants and its because it has a different type of bootloader from another supplier iirc. All of them use a form of power glitch like Tazzi mentioned at one point. None ...

Any interest in E99 development?