E41 LP5 ECU Hacking via OBD2

Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Post by Tazzi »

What a time to be alive, it's developments like these which just get me revved up to continue reverse engineering!

Edge has brought out a brand new product that allows unlocking and tuning the E41 ECUs, and it's a fraction of the cost of HPtuners service+credits: https://www.edgeproducts.com/products/h ... arts/26402

Looking over their unlocking manual, it appears they are power glitching the ECU. This is either to get it into a recovery state or to execute code before any 'security' actually engages within the ECU's firmware, likely during the boot code process.

It wouldn't be a far-fetched concept to assume this could be applied to other ECUs, assuming they have the same recovery state (most Global A/B modules do) or boot setup. I can't imagine it's microsecond precision required, since it's simply using a fuse at the engine bay's ECM fuse location, with a wire that runs to the 'unlocker box'. I assume the handheld scantool then sends commands to the unlocker box to begin glitching/power cycling the ECU. Once it's in some sort of recovery state or vulnerable state to inject code, it can then have its boot code modified to allow uploading tunes without signature verification.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
antus
Site Admin
Posts: 8238
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: E41 LP5 ECU Hacking via OBD2

Post by antus »

That's awesome, glitching seems to often be the way to go on newer platforms. Like you say, it's interesting that it's just power; often something else would be tweaked to slow the processor down to make it easier to get the timing right, but unless it's doing something to pins on the OBD bus that we can't see, that doesn't seem to be the case here.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
gmtech825
Posts: 186
Joined: Fri Feb 24, 2017 11:27 am

Re: E41 LP5 ECU Hacking via OBD2

Post by gmtech825 »

That's awesome. I've had the theory for a while now that HP is not opening the E41 at all to "modify" them for tuning. I have one of the "modified" E41s and it doesn't look like it has been opened up at all. Unless they are very good at it, I just don't see this being the case. I think they have a way they are able to upload the boot code that allows their signed files.
In-Tech
Posts: 779
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: E41 LP5 ECU Hacking via OBD2

Post by In-Tech »

antus wrote: That's awesome, glitching seems to often be the way to go on newer platforms. Like you say, it's interesting that it's just power; often something else would be tweaked to slow the processor down to make it easier to get the timing right, but unless it's doing something to pins on the OBD bus that we can't see, that doesn't seem to be the case here.

On board is quite different than being connected directly, due to capacitance. It is a hard thing to do and is different in every application. Sometimes you can do "in circuit" but most times not. When reverse engineering you generally have to separate the flash or the CPU/flash to get it to comply. It's not an easy task, but much easier than getting to the bits through a microscope.