Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by Tazzi »

antus wrote:It's a bit out of context... what do you think is in d0? The response from the immo? I can't say if it's right or not but you could try patching that function and see if it'll still boot and see if you can break the immo function on a working car. Then you know you're looking at the right code. Or could nop out the bne to 51a86 and see if the function at 6ae86 clears the security. I recommend going options / general / disassembly and setting number of opcode bytes to 8. Need to do it once in graph mode and once in list mode. Can then easily see the bytes in the bin. Note there is a risk of engine damage hacking the code without being sure but I would think it's a reasonably small risk. However it's your decision.
Surely I would have thought we could be able to "simulate" attempting to start an engine somehow rather than risking the car's integrity?

I'm not sure what other vital modules are required for the ECU to successfully start up, but I would think grabbing all other required modules wiring them all up then applying an engine "on" power.. you could see if there is any power going to the injectors or something like that? If voltage stops after a few seconds then you know it's not disabled.

..This is all assuming you have plenty of space and money haha.. since buying half the car's electronics will probably be costly. :thumbup:
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Ionut
Posts: 25
Joined: Thu Jul 24, 2014 9:43 pm
cars: Opel Astra 1.7DTI Y17DT

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by Ionut »

Too much pain in the a**.
You need to simulate a lot of sensors, need to simulate RPM signal, pump rpm signal, injection pump controller, pedal position sensor, etc, etc.
On this ECU check engine blinks if key is not recognized.

Done some tests, with changing BNE to BE in routines that I thought are immo related and nothing changed (apparently)
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by antus »

Doh! Keep it up :)
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
Ionut
Posts: 25
Joined: Thu Jul 24, 2014 9:43 pm
cars: Opel Astra 1.7DTI Y17DT

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by Ionut »

Did some digging, but still no luck... It is hard to understand Assembly when all languages that I know are high level (PHP, Java, Visual Basic, C#)...
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by Tazzi »

Ionut wrote:Did some digging, but still no luck... It is hard to understand Assembly when all languages that I know are high level (PHP, Java, Visual Basic, C#)...
It's literally a matter of printing out (or simply CTRL-F) the assembly opcodes, and then writing the meaning next to each line. Slow..painful.. but gets the job done eventually.
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by antus »

If you use IDA you can turn on auto comments to help.
Ionut
Posts: 25
Joined: Thu Jul 24, 2014 9:43 pm
cars: Opel Astra 1.7DTI Y17DT

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by Ionut »

Long time no see... meanwhile I didn't use that car and didn't have time to work on the project, but if Bosch ME7.5 (C167 Processor) RAM values can be logged over OBD, would it be possible to log RAM values from Motorola 68K over OBD? Any idea HOW?

Thank you.
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by antus »

Depends on the implementation. On Delphi PCMs you need to pass a security challenge before you can read all addresses. What PCM?
Ionut
Posts: 25
Joined: Thu Jul 24, 2014 9:43 pm
cars: Opel Astra 1.7DTI Y17DT

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by Ionut »

Delco HDRC.
Ionut
Posts: 25
Joined: Thu Jul 24, 2014 9:43 pm
cars: Opel Astra 1.7DTI Y17DT

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Post by Ionut »

After days and nights of study I was able to make the little mother fucker to read up to 255kPa@4.97V (original was up to 207).
But my sensor is 4 bar, so I'll need to extend up to 400kPa. First try was to divide each division of boost previously changed, but of course this will set an overflow on the 16 bit variable used for boost and at 265kPa the value will be 10kPa.

Changed in all 8 places where #$400 divisions were found.
I think the value is stored in 16 bit because map values are in 16 bit too.

Code: Select all

move.l  d7,-(sp)
move.w  ($FFF6B8).l,d7
move.w  d7,($FF8F80).l
moveq   #0,d0
move.w  d7,d0
moveq   #0,d1
move.w  (word_7246E).l,d1
muls.l  d1,d0
divs.l  #$400,d0
move.l  d0,d7
move.w  d7,($FF8F34).l
tst.b   ($FF81C8).l
beq.s   loc_5D43E
move.w  d7,($FF8F36).l
bra.s   loc_5D478

Code: Select all

; CODE XREF: sub_6AE44:loc_6AE72p
move.l  d7,-(sp)
move.l  d6,-(sp)
moveq   #0,d0
move.w  ($FFF6A2).l,d0
lsl.l   #5,d0
move.l  d0,d7
lsl.l   #3,d0
add.l   d0,d7
lsl.l   #5,d0
add.l   d0,d7
lsl.l   #2,d0
sub.l   d0,d7
lsl.l   #4,d0
add.l   d0,d7
divs.l  #$14AF,d7
lsl.l   #8,d7
divs.l  #$400,d7
add.w   #$A54,d7
move.w  d7,($FF8FB2).l
tst.b   ($FF81C8).l
beq.s   loc_5C998
move.w  d7,($FF8F6A).l
bra.s   loc_5C9CA

; CODE XREF: sub_5C94C+42j
move.w  ($FF8F6A).l,d6
moveq   #0,d1
move.w  d7,d1
moveq   #0,d0
move.w  d6,d0
sub.l   d0,d1
moveq   #0,d0
move.b  (byte_7254C).l,d0
muls.l  d1,d0
tst.l   d0
bge.s   loc_5C9C0
neg.l   d0
lsr.l   #7,d0
neg.l   d0
bra.s   loc_5C9C2

The factor used in the ECU is 0.003906. Found a lot of #$6400 divisions (25600 in dec, or 0.390625 as division result between dec value and max value of 16 bit, 65535)
So, to have 0.003906 I should find a new division of #$64 (100 dec value), but no occurrence looks like it should be to have a valid division :(

Any help?
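
The 16-bit wrap described in the post above, as an added C example that is not part of the original thread and is not the ECU's code. It models the posted `muls.l` / `divs.l #$400` / `move.w` sequence and assumes the stored word counts 1/256 kPa (from the quoted factor 0.003906); the calibration value 1600 and the raw readings are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define DIVISOR        0x400  /* the #$400 operand of the posted divs.l */
#define COUNTS_PER_KPA 256    /* assumption: 1 count = 0.003906 kPa = 1/256 kPa */

/* muls.l d1,d0 ; divs.l #$400,d0 -- 32-bit signed multiply, then divide. */
int32_t scale32(uint16_t raw, uint16_t cal) {
    uint32_t product = (uint32_t)raw * (uint32_t)cal; /* low 32 bits, as muls.l keeps */
    return (int32_t)product / DIVISOR;
}

/* move.w d7,($FF8F34).l -- only the low word of the result reaches RAM. */
uint16_t store16(int32_t wide) { return (uint16_t)((uint32_t)wide & 0xFFFFu); }

/* Check a patched calibration against the 16-bit destination before flashing. */
int truncated(int32_t wide) { return wide < 0 || wide > 0xFFFF; }

/* Alternative store that clamps instead of wrapping (hypothetical, not in the ECU). */
uint16_t store16_sat(int32_t wide) {
    if (wide < 0) return 0;
    return wide > 0xFFFF ? 0xFFFF : (uint16_t)wide;
}

/* Whole kPa seen by any code that reads the stored word. */
unsigned kpa(uint16_t counts) { return counts / COUNTS_PER_KPA; }

int main(void) {
    const uint16_t cal = 1600;  /* constructed: maps raw 0..65535 onto about 0..400 kPa */
    const uint16_t raws[] = { 32768, 43418, 65535 };  /* constructed raw readings */
    for (int i = 0; i < 3; i++) {
        int32_t wide = scale32(raws[i], cal);
        printf("raw=%5u wide=%6ld kPa=%3ld stored=%5u reads_as=%3u kPa%s\n",
               (unsigned)raws[i], (long)wide, (long)(wide / COUNTS_PER_KPA),
               (unsigned)store16(wide), kpa(store16(wide)),
               truncated(wide) ? "  <-- wrapped" : "");
    }
    printf("largest value a 16-bit word can hold: %u kPa\n", kpa(0xFFFF));
    return 0;
}
```

Under the 1/256 kPa assumption the ceiling of the stored word is 255 kPa whatever the calibration word is, so a 400 kPa range needs either a coarser unit in every routine that reads the word or a wider variable.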