Why I hate VZ V6 ECUs...

The1
Posts: 4694
Joined: Mon Jan 04, 2010 10:23 am

Re: Why I hate VZ V6 ECUs...

Post by The1 »

This is my log using the reset function in Tech2. I'm guessing if FE changes with the correct PIN it'll spit out a response based on the AA DPID schedule poll rate. Looks like FE is packed with PIDs 1644, 1643?

(002.104743)  RX  7E0   [8]  02 AA 00 00 00 00 00 00   $AA Stop ECU Sending all Scheduled DPIDS
 (002.124728)  RX  7E0   [8]  01 20 00 00 00 00 00 00   $20 Return to Normal Operation
 (002.128416)  RX  7E8   [8]  01 60 00 00 00 00 00 00   ECU OK
 (011.699654)  RX  7E0   [8]  10 08 2C FE 16 44 16 43   $10 Service, Send 08 Bytes in next string, $2C Pack Dynamic DPID ,DPID FE, Data Memory Locations 1644, 1643
 (012.064497)  RX  7E8   [8]  02 6C FE 00 00 00 00 00	ECU $6C Positive Response to 2C Request DPID FE, ALL DONE
 (012.084398)  RX  7E0   [8]  03 AA 04 FE 00 00 00 00	$AA Read DPID FE Fast at Rate 04 25ms
 (015.988560)  RX  7E0   [8]  01 3E 00 00 00 00 00 00	$3E Scantool Present
 (015.994423)  RX  7E8   [8]  01 7E 00 00 00 00 00 00	ECU OK
 (019.922637)  RX  7E0   [8]  01 3E 00 00 00 00 00 00	$3E Scantool Present
 (019.930190)  RX  7E8   [8]  01 7E 00 00 00 00 00 00	ECU OK
 (023.853381)  RX  7E0   [8]  01 3E 00 00 00 00 00 00	$3E Scantool Present
 (023.877445)  RX  7E8   [8]  01 7E 00 00 00 00 00 00	ECU OK
 (028.108651)  RX  7E8   [8]  01 7E 00 00 00 00 00 00	ECU OK
 (032.034016)  RX  7E0   [8]  01 3E 00 00 00 00 00 00	$3E Scantool Present
 (032.040864)  RX  7E8   [8]  01 7E 00 00 00 00 00 00	ECU OK
 (032.070456)  RX  7E0   [8]  07 AE 7D 08 31 32 33 34	$AE Control Mode DPID 7D 08? PIN 1234
 (032.075244)  RX  7E8   [8]  03 7F AE A2 00 00 00 00	7F Pin Failed Mode AE PID 7D response A2, sometimes A4
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Why I hate VZ V6 ECUs...

Post by Tazzi »

I've got a few security sets lying about, I'll hook them up tonight and reset/link etc. and see what the hell is going on.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726

Post by Tazzi »

On a programmed unit, it says Security Code Programmed YES, and Immobiliser Function Programmed YES.

When it's successful for resetting...

7E0 10 08 2C FE 16 44 16 43
7E8 30 20 02 2C 7F 7F 7F 7F
7E0 21 11 07 55 55 55 55 55
7E8 02 6C FE 00 00 00 00 00
7E0 03 AA 04 FE 55 55 55 55 -all above is setting up dpids and then executing
5E8 FE 08 A1 42 00 0C 00 00 -live data
7E0 07 AE 7D 08 33 32 30 37 -request reset, immo 3207
7E8 02 EE 7D 00 00 00 00 00 - accepted.

With that now reset, we now have a DTC of "No transponder key programmed", whereas on the rooted unit, it says "incorrect transponder key".

It also now says Security Code Programmed NO and Immobiliser Function Programmed NO.

If I now try to reset after it has been reset, the following occurs:
7E0 10 08 2C FE 16 44 16 43
7E8 30 20 02 7C FF FF FF F9
7E0 21 11 07 55 55 55 55 55
7E8 02 6C FE 00 00 00 00 00
7E0 03 AA 04 FE 55 55 55 55
5E8 FE 02 A0 42 00 0C 00 00

And then reports "System already reset"
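
The segmented $2C request quoted in the post above, reassembled. This is an added example, not code from either poster; it assumes standard ISO-TP framing on 7E0/7E8, reads the $2C payload the way the thread does (DPID followed by two-byte PIDs), and takes its service labels from the posters' own annotations. Reassembly shows that the bytes 11 07 in the consecutive frame belong to the same request.

```python
# Added example (not from the thread): ISO-TP reassembly of frames quoted in the posts.
SERVICES = {0x20: "Return to Normal", 0x27: "Security Access", 0x2C: "Pack Dynamic DPID",
            0x3B: "Write", 0x3E: "Scantool Present", 0xAA: "Read DPID", 0xAE: "Control Mode"}
UUDT_IDS = {0x5E8}  # per the thread, scheduled DPID data arrives on this ID, unsegmented
# Frames copied from the thread; the last line comes from the first post's log.
TRACE = """\
7E0 10 08 2C FE 16 44 16 43
7E8 30 20 02 2C 7F 7F 7F 7F
7E0 21 11 07 55 55 55 55 55
7E8 02 6C FE 00 00 00 00 00
7E0 03 AA 04 FE 55 55 55 55
5E8 FE 08 A1 42 00 0C 00 00
7E8 03 7F AE A2 00 00 00 00""".splitlines()

def describe(p):
    if p[0] == 0x7F:                                  # negative response: 7F, SID, code
        return f"negative response to ${p[1]:02X}, code ${p[2]:02X}"
    if p[0] in SERVICES:
        return f"${p[0]:02X} {SERVICES[p[0]]}"
    if p[0] - 0x40 in SERVICES:                       # positive response is SID + 0x40
        return f"positive response to ${p[0] - 0x40:02X}"
    return f"unknown ${p[0]:02X}"

def decode(lines):
    pending, out = {}, []                             # pending: CAN ID -> (length, buffer)
    for line in lines:
        f = line.split()
        can_id, d = int(f[0], 16), bytes(int(b, 16) for b in f[1:9])
        if can_id in UUDT_IDS:                        # first byte is the DPID number
            out.append((can_id, f"DPID ${d[0]:02X} data", d[1:]))
            continue
        pci = d[0] >> 4
        if pci == 0:                                  # single frame
            payload = d[1:1 + (d[0] & 0x0F)]
        elif pci == 1:                                # first frame, 12-bit length
            pending[can_id] = (((d[0] & 0x0F) << 8) | d[1], bytearray(d[2:]))
            continue
        elif pci == 2 and can_id in pending:          # consecutive frame
            total, buf = pending[can_id]
            buf += d[1:]
            if len(buf) < total:
                continue
            payload = bytes(pending.pop(can_id)[1][:total])  # drop padding bytes
        else:                                         # flow control or orphan frame
            continue
        out.append((can_id, describe(payload), payload))
    return out

def dpid_pids(p):  # split a reassembled $2C request into (DPID, [16-bit PIDs])
    return p[1], [int.from_bytes(p[i:i + 2], "big") for i in range(2, len(p), 2)]
```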

Post by Tazzi »

Now resetting the matching PIM:
244 01 20 55 55 55 55 55 55
644 01 60 00 00 00 00 00 00
244 06 3B 60 33 32 30 37 55
644 03 7F 3B 78 00 00 00 00
644 02 7B 60 78 00 00 00 00
244 02 3B 6D 55 55 55 55 55
644 02 7B 6D 78 00 00 00 00

Which now says reset completed successfully.

Post by Tazzi »

Now with BOTH reset and programming to the car.. I have set it to 3207

7E0 02 27 01 55 55 55 55 55 -security unlock
7E8 04 67 01 06 76 00 00 00
7E0 04 27 02 C2 C4 55 55 55
7E8 02 67 02 00 00 00 00 00
7E0 01 20 55 55 55 55 55 55
7E8 01 60 00 00 00 00 00 00

7E0 10 08 2C FE 16 44 16 43 - request live data about security status
7E8 30 20 02 2C 00 80 3D FC
7E0 21 11 07 55 55 55 55 55
7E8 02 6C FE 00 00 00 00 00
7E0 03 AA 04 FE 55 55 55 55
5E8 FE 02 A0 42 00 0C 00 00

244 01 20 55 55 55 55 55 55
644 01 60 5A B0 1C 1D 1E 1F
244 06 3B 62 33 32 30 37 55 - write 3207
644 03 7F 3B 78 1C 1D 1E 1F - I'm slow
644 02 7B 62 78 1C 1D 1E 1F -accepted
244 06 3B 60 33 32 30 37 55 - write 3207
644 02 7B 60 78 1C 1D 1E 1F - accepted
244 02 3B 63 55 55 55 55 55 - perform security update to ECU
488 10 30 3B 63 33 32 30 37
488 21 00 00 00 00 00 00 00
488 22 00 00 00 00 00 00 00
488 23 00 00 00 00 00 00 00
488 24 00 00 00 00 00 2D 68
488 25 23 03 3E BF 21 D0 A1
488 26 30 2C 4E 54 BC 44 7E - end of PIMs immo update information
490 02 7B 63 33 32 30 37 00 -ECU says Accepted
644 02 7B 63 78 1C 1D 1E 1F - Accepted

Post by Tazzi »

Now looking back at the el'fucked unit, when going to reset and looking at the live data request, it reports:
5E8 FE 40 F0 42 00 0C 00 00

That second byte there is 0x40, whereas on the other unit, it's 0xA0 when it's reset. And 0xA1 when programmed.

So.. this unit has learnt the first key it's seen, and a non-possible immobiliser which now reports as "not programmed" but has in fact programmed as 0x0000. *sigh*.

So only way I can think of, is trying to do some sort of dump of the firmware and write back into it.

For shits and gigs, I just tried to program just the ECM with the other PIM/BCM.. and she's still a no go.

Post by Tazzi »

Right.. so it appears something called "carprog" should be able to attack these ECUs.. looks like it talks about some sort of 'k-line' which I wasn't aware of on these ECUs.

http://blog.obdii365.com/2018/01/16/wha ... cu-unlock/

Looks like I do actually have a carprog here.. so gonna install it into a virtual machine and give it a crack

Post by The1 »

Tazzi wrote: Now looking back at the el'fucked unit, when going to reset and looking at the live data request, it reports:
5E8 FE 40 F0 42 00 0C 00 00

That second byte there is 0x40, whereas on the other unit, it's 0xA0 when it's reset. And 0xA1 when programmed.

So.. this unit has learnt the first key it's seen, and a non-possible immobiliser which now reports as "not programmed" but has in fact programmed as 0x0000. *sigh*.

So only way I can think of, is trying to do some sort of dump of the firmware and write back into it.

For shits and gigs, I just tried to program just the ECM with the other PIM/BCM.. and she's still a no go.

Is that 7E8 or 5E8? Either way that's very interesting, as FE 40 is the bit we set to on for "Theft Deterrent EEPROM Access"

I've looked at carprog before, it needs their proprietary cable of course, but yes I've seen a video somewhere of it doing a PIN code read, not sure what it does but over several minutes, maybe perhaps uploading some code to read memory and spit out the result through a PID or something?

Post by Tazzi »

The1 wrote: Is that 7E8 or 5E8? Either way that's very interesting, as FE 40 is the bit we set to on for "Theft Deterrent EEPROM Access"

I've looked at carprog before, it needs their proprietary cable of course, but yes I've seen a video somewhere of it doing a PIN code read, not sure what it does but over several minutes, maybe perhaps uploading some code to read memory and spit out the result through a PID or something?

That's correct, 5E8.

When it's outputting DPID data, it will be on the 5E8 ID.

The FE is the DPID frame, and the data after that is corresponding to the PIDs it had setup in the DPID.

Post by The1 »

Are the VIN numbers all the same in the modules and ECU after linking?