Help Reading ram on e67 using elm327

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Help Reading ram on e67 using elm327

Post by 04colyZQ8 »

If the RAM's at 0x3f7000

Can I read 10 bytes at a time using mode 23?

Set header
Send 27 01
27 02 plus key
Then what ?

Anyone know?
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Help Reading ram on e67 using elm327

Post by ironduke »

I have no idea on reading ram...

I was able to read the flash in Silverado BCMs using mode 23 though.. It wasn't fun getting it to work..
If you want to try and figure it out, or if it's even possible..

You're going to use mode 23 commands, but it's going to error out. I was able to figure out the error codes which helped come up with a valid command.. I needed 2 MDIs connected to a Y cable so I could see what was actually being sent. I ended up getting it to work with CAN formatting turned off, then with kurdo's help I was able to get/figure out CAN formatting to work for me with the MDIs. As far as working with an ELM327 I have no idea if it will send the correct length byte AND pad the message to a full 12 bytes..

ok, I'll give you something to try with the elm.. we'll see if you can get something to happen..

assuming you have the header set, can formatting turned on, and flow control turned on(so it will send the 0130 to send the rest of the data)
23aabbccdd1122 OR 23 aabbcc1122 , I'll try to explain it below..

aa bb cc dd is the address you want to try. or aa bb cc...
You'd use 00 3f 70 00 if the module accepts 4 byte addressing..
You'd use 3f 70 00 if the module accepts 3 byte addressing..
I have no way of knowing doing it this way except trial and error.. I suspect it's going to be 3 byte addressing but that's just a guess..

1122 is the length of bytes you want to try to read.. you suggested 10 bytes or 0x0a so you'd use 00 0a..

Exact message you would send is
23 00 3f 70 00 00 0a for 4 byte addressing.
23 3f 70 00 00 0a for 3 byte addressing.


Now if you had a way to look at the exact message on the bus it should be sending
00 00 07 e0 07 23 00 3f 70 00 00 0a for 4 byte addressing and
00 00 07 e0 06 23 3f 70 00 00 0a AA for 3 byte addressing. the AA could be ff's or 00's.. doesn't matter, but it needs to send the full 12 byte message.

Hopefully I've explained it fairly decently?? In any case.. you're going to get some error codes back as you try this..

I am sorry but I don't have notes handy for this, I did it on the fly.. here goes by memory..

a 7f error with a 12 is invalid format.. This would mean byte addressing is wrong.. you should be able to try 3 or 4 byte addressing and NOT get a 7f error with a 12..

a 7f error with a 31 is bad range.. This is kinda good as it means it recognized the command at least, just that it was a bad address or it's restricted.. I found the BCMs did not even need to be unlocked to use mode 23 to read the entire flash..
a 7f error with a 31 could also be a too large read size.. but I would guess that 0x0a would be under the limit.. BCMs allowed larger chunks to be read at once..

In the end, hopefully you get some usable data.. Valid reply looks something like
23 aa bb cc dd XX XX XX XX where XX is the data you requested and aa bb cc dd is the address you requested it from..

Good luck, maybe someone with a lot better knowledge than I will dump some more knowledge on top of this, lol..
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Help Reading ram on e67 using elm327

Post by 04colyZQ8 »

ironduke wrote: I have no idea on reading ram...

I was able to read the flash in Silverado BCMs using mode 23 though.. It wasn't fun getting it to work..
If you want to try and figure it out, or if it's even possible..

You're going to use mode 23 commands, but it's going to error out. I was able to figure out the error codes which helped come up with a valid command.. I needed 2 MDIs connected to a Y cable so I could see what was actually being sent. I ended up getting it to work with CAN formatting turned off, then with kurdo's help I was able to get/figure out CAN formatting to work for me with the MDIs. As far as working with an ELM327 I have no idea if it will send the correct length byte AND pad the message to a full 12 bytes..

ok, I'll give you something to try with the elm.. we'll see if you can get something to happen..

assuming you have the header set, can formatting turned on, and flow control turned on(so it will send the 0130 to send the rest of the data)
23aabbccdd1122 OR 23 aabbcc1122 , I'll try to explain it below..

aa bb cc dd is the address you want to try. or aa bb cc...
You'd use 00 3f 70 00 if the module accepts 4 byte addressing..
You'd use 3f 70 00 if the module accepts 3 byte addressing..
I have no way of knowing doing it this way except trial and error.. I suspect it's going to be 3 byte addressing but that's just a guess..

1122 is the length of bytes you want to try to read.. you suggested 10 bytes or 0x0a so you'd use 00 0a..

Exact message you would send is
23 00 3f 70 00 00 0a for 4 byte addressing.
23 3f 70 00 00 0a for 3 byte addressing.


Now if you had a way to look at the exact message on the bus it should be sending
00 00 07 e0 07 23 00 3f 70 00 00 0a for 4 byte addressing and
00 00 07 e0 06 23 3f 70 00 00 0a AA for 3 byte addressing. the AA could be ff's or 00's.. doesn't matter, but it needs to send the full 12 byte message.

Hopefully I've explained it fairly decently?? In any case.. you're going to get some error codes back as you try this..

I am sorry but I don't have notes handy for this, I did it on the fly.. here goes by memory..

a 7f error with a 12 is invalid format.. This would mean byte addressing is wrong.. you should be able to try 3 or 4 byte addressing and NOT get a 7f error with a 12..

a 7f error with a 31 is bad range.. This is kinda good as it means it recognized the command at least, just that it was a bad address or it's restricted.. I found the BCMs did not even need to be unlocked to use mode 23 to read the entire flash..
a 7f error with a 31 could also be a too large read size.. but I would guess that 0x0a would be under the limit.. BCMs allowed larger chunks to be read at once..

In the end, hopefully you get some usable data.. Valid reply looks something like
23 aa bb cc dd XX XX XX XX where XX is the data you requested and aa bb cc dd is the address you requested it from..

Good luck, maybe someone with a lot better knowledge than I will dump some more knowledge on top of this, lol..
This sounds really promising…

Now should I send a silent message to all nodes?

If I send 27 01 both the pcm and tcm are responding with key lol!

And do I need to send a message between reading the bytes?

And to read the next 10 bytes I’d just add 10 and request again?

00 00 07 e0 06 23 3f 70 00 00 0a AA
00 00 07 e0 06 23 3f 70 10 00 0a AA //like this ?

Does mode 35 not work with can?

It sure works well with vpw.

I just was told to try 23 for can modules.

Also I was under the impression that I had to convert this 0x3f7000h to decimal? So
That would be 4157440 in decimal

And send 00 00 07 e0 06 23 04 15 74 40 0A 00
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Help Reading ram on e67 using elm327

Post by antus »

Don't think about it CAN vs VPW, take it platform by platform. The modes are standardised but the frames are a little different depending on protocol. I can tell you the VPW PCMs check the requested address for mode 23 and decide if they will give you the data or not. For example on a P01 or a P59 if you request a calibration address it'll give you a response, if you request OS or parts of 'secure' memory (eg the key) then it won't. This is why we need to pass the security and then upload our own read kernel that does not have these restrictions in place. Similar is likely to apply here. Just get mode 23 working, then start probing around to see what addresses you get a response from.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Help Reading ram on e67 using elm327

Post by ironduke »

04colyZQ8 wrote:
This sounds really promising…

Now should I send a silent message to all nodes?

If I send 27 01 both the pcm and tcm are responding with key lol!

And do I need to send a message between reading the bytes?

And to read the next 10 bytes I’d just add 10 and request again?

00 00 07 e0 06 23 3f 70 00 00 0a AA
00 00 07 e0 06 23 3f 70 10 00 0a AA //like this ?

Does mode 35 not work with can?

It sure works well with vpw.

I just was told to try 23 for can modules.

Also I was under the impression that I had to convert this 0x3f7000h to decimal? So
That would be 4157440 in decimal

And send 00 00 07 e0 06 23 04 15 74 40 0A 00
If the PCM and TCM are replying to the 27 01 then you have the header set to default global messaging to all ECUs, 07 df I think?
Change header to 07 e0 for just the ECM to reply. Otherwise the mode 23 requests are being sent to everyone.

I read the bcm both ways with other modules told to be quiet and without sending that, didn't make much of a difference.

no other message needed as far as I know in between reading of segments. I believe I sent a tool present message every now and then but it's not really needed.

Mode 35 is ecu specific. It would have to be supported by the operating system. No idea what will and what won't.

I have never heard of converting hex to decimal for addressing.. could be a thing but I have never run into it..
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Help Reading ram on e67 using elm327

Post by 04colyZQ8 »

Perfect thanks so much for your time! I will give it a try using mode 23, and hex addresses.

Yes it's a stupid ELM327 WiFi giving me grief

I’m not sure
At sh 00 07 e0
Is doing anything

The cable elm327 works better
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Help Reading ram on e67 using elm327

Post by Tazzi »

04colyZQ8 wrote: Perfect thanks so much for your time! I will give it a try using mode 23, and hex addresses.

Yes it's a stupid ELM327 WiFi giving me grief

I’m not sure
At sh 00 07 e0
Is doing anything

The cable elm327 works better
Different ELM clones will respond differently.

But since you're only dealing with 11-bit CAN, you'll only need to do AT SH 7E0
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Help Reading ram on e67 using elm327

Post by 04colyZQ8 »

I get 67 02 positive unlock
Then sent as many addresses as I could think of! Nothing worked
Always this response
7f 23 31
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: Help Reading ram on e67 using elm327

Post by 04colyZQ8 »

here is me fooling around ..

neat trick to get key from dps.. if you have the utility file located 02 27 near the top and the next two bytes xx yy are the (aligro = xx) , and (table= yy)
enter those in the get info fields click get info and it will spit out the seed and key for you.


ELM327 v1.5?

>aattzz //forget to force auto echo off


?

>aattzz //forget to force auto echo off


ELM327 v1.5

>atz

ELM327 v1.5

>ate1

OK

>atl1

OK

>ats0

OK

>atal

OK

>atsp6

OK

>atdp

ISO 15765-4 (CAN 11/500)

>atar

OK

>atat0

OK

>ath1

OK

>atsh0007e0

OK

>atcra000007e8

OK

>2701

7E80467017A30



>1cb6

NO DATA

>27021cb6

7E8026702



>23

7E8037F2312



>at

?

>3

?

>233f7000000a

7E8037F2312



>233f700

7E8037F2312



>233f7000000a00

7E8037F2331



>23000000000a00

7E8037F2331



>23080000000a00

7E8037F2331



>atc0

?

>atc0

?

>atcaf0

OK

>2701

7E80467017A30



>012701

7E80641018527E5E5



>1a90

7E810135A9031474345

7E82153454650354338

7E822313131393734



>1adf

7E8037F1A31



>1a90

7E810135A9031474345

7E82153454650354338

7E822313131393734



>atcaf1

OK

>1a90

7E810135A9031474345

7E82153454650354338

7E822313131393734



>2701

7E80467017A30



>27021cb6

7E8026702



>23 3f 70 00 00 0a 00

7E8037F2331



>23 3f 70 00 00 0a aa

7E8037F2331



>23 10 00 00 00 0a aa

7E8037F2331



>23 00 00 10 00 0a aa

7E8037F2331



>23 30 40 00 00 0a aa

7E8037F2331



>23 3f ff ff 00 0a ?

>aa

7E8037FAA12



>>23 3f ff ff 00 0a aa

?

>23 3f ff ff 00 0a aa

7E8037F2331



>23 3f ff ff 00 0a aa

7E8037F2331



>23 00 00 23 f0 0aaa

7E8037F2331



>23 00 00 00 00 00 00

7E8037F2331



>23 00 10 00 00 04 00

7E8037F2331



>23 00 10 00 00 00 04

7E8037F2331



>23 00 01 00 00 0a 00

7E8037F2331



>23 00 01 00 00 00 0a

7E8037F2331



>23 00 00 10 00 00 0a

7E8037F2378



>23 00 00 10 00 0a 00

7E8037F2331



>23 00 00 10 00 00 04

7E8037F2378



>23 00 00 01 00 00 0a

7E8037F2331



>23 00 00 00 10 00 0a

7E8037F2331



>23 ff ff ff ff 00 0a

7E8037F2331



>23 99 99 99 99 0a 00

7E8037F2331



>23 80 00 00 00 0a 00

7E8037F2331



>23 00 10 00 00 04

7E8037F2312



>23 00 10 00 00 00 04

7E8037F2331



>23 00 10 00 00 04 00

7E8037F2331



>35 00 10 00 00 04 00

NO DATA

>35 00

NO DATA

>23 38 00 00 00 0a 00

7E8037F2331



>23 38 00 00 00 0a 00

7E8037F2331



>23 38 00 00 00 00 0a

7E8037F2331



>23 00 23 00 0 00 0a

7E8037F2312



>23 00 38 00 00 00 0a

7E8037F2331



>23 00 38 00 00 0a 00

7E8037F2331



>23 40 00 00 00 00 0a

7E8037F2331



>ACT ALERT

>LP ALERT

>ELM▒▒▒▒▒▒▒▒▒27 v1.5

?

>atz

ELM327 v1.5

>atsp6

OK

>2701

67 01 7A 30



>27021cb6

67 02



>1a90

013
0: 5A 90 31 47 43 45

1: 53 45 46 50 35 43 38

2: 31 31 31 39 37 34



>23 00 00 2C 09 00 05

7F 23 31



>23 00 00 2c 09 00 0a 00

7F 23 31



>23 44444444444444444444

7F 23 31



>23 555555555555555555555555555555555NO DATA

>

NO DATA

>23 555555555555555555555

7F 23 31



>23555555555555555555555

7F 23 31



>atcra000007ea

OK

>atsh0007e8

OK

>2701

67 01 7A 30



>27021cb6

67 02



>1a90

013
0: 5A 90 31 47 43 45

1: 53 45 46 50 35 43 38

2: 31 31 31 39 37 34



>1adf

7F 1A 31



>34 00 00 23 60

7F 34 22



>36 00 40 00 04 00 40 00

7F 36 22



>1a90

013
0: 5A 90 31 47 43 45

1: 53 45 46 50 35 43 38

2: 31 31 31 39 37 34



>23 ffffffffffffffffff0a

7F 23 31



>23000000ff000000000a

7F 23 31



>
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Help Reading ram on e67 using elm327

Post by ironduke »

ok... 2 problems I saw..
You tried 0a 00 a lot.. that is probably way too large a read size.. it's 00 0a for size attempt..
I saw a lot of 4 byte addressing but didn't see any 3 byte attempts. If there were 3 byte attempts then I am guessing you put the 00 at the end to make it the same size message. Don't do that as the ELM will mess up the size byte when it sends the actual command to the ECU..

This is at the end


>23 00 00 2c 09 00 0a 00

7F 23 31
That is 4 byte addressing and 0x0a 00 read size..
Instead try
23 00 2c 09 00 0a
that is 23 11 22 33 AA BB where 11 22 33 is address and AA BB is read size.. I believe read size is always 2 bytes even with small read sizes.
or below. // is just me making remarks.. don't type that..
23 00 00 00 00 0a // lowest read address attempt with 0a read size.
23 ff ff 00 00 0a // read address 0xffff00 with 0x0a read size..
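Reading the raw ELM327 output pasted above by hand gets tedious, so here is an added Python helper (not from the thread or any of its posters) that turns lines printed with headers on (ATH1) and CAN auto-formatting on (ATCAF1), such as `7E8037F2331`, into service-level payloads. It also reassembles ISO 15765-2 multi-frame replies of the kind the `1a90` request produced (a first frame `10 13 ...` followed by `21 ...` and `22 ...`). The sample lines are constructed for the example; the three-frame reply carries a placeholder string rather than a real VIN.

```python
# Added example, not code from the thread: parse ELM327 lines printed with ATH1
# and ATCAF1 into payloads, reassembling ISO 15765-2 multi-frame replies
# (first frame 1N LL, consecutive frames 21, 22, ...).
import re

# 11-bit ID (3 hex digits) followed by the data bytes. Echoed commands start
# with ">" and status text such as "NO DATA" contains non-hex characters,
# so neither matches.
LINE_RE = re.compile(r"^([0-9A-Fa-f]{3})([0-9A-Fa-f]{2,16})$")

# Constructed sample (not from the log): a negative reply to $23, a positive
# reply to $27 01, and a three-frame reply to $1A 90 carrying a placeholder VIN.
SAMPLE_LINES = [
    ">23 3f 70 00 00 0a",
    "7E8037F2331",
    "NO DATA",
    "7E80467017A30",
    "7E810135A904558414D",      # first frame: total length 0x13 = 19 bytes
    "7E821504C4556494E30",      # consecutive frame, sequence 1
    "7E822303030303031",        # consecutive frame, sequence 2
]


def parse_elm_line(line):
    """'7E8037F2331' -> (0x7E8, bytes 03 7F 23 31); None for non-frame lines."""
    m = LINE_RE.match(line.strip())
    if not m or len(m.group(2)) % 2:
        return None
    return int(m.group(1), 16), bytes.fromhex(m.group(2))


def reassemble(lines):
    """Map CAN ID -> list of complete payloads, in the order they completed."""
    done = {}
    pending = {}  # can_id -> [expected_total, buffer, next_sequence_number]
    for line in lines:
        parsed = parse_elm_line(line)
        if parsed is None:
            continue
        cid, data = parsed
        pci_type = data[0] >> 4
        if pci_type == 0:                                # single frame: 0N
            n = data[0] & 0x0F
            done.setdefault(cid, []).append(data[1:1 + n])
        elif pci_type == 1:                              # first frame: 1N LL
            total = ((data[0] & 0x0F) << 8) | data[1]
            pending[cid] = [total, bytearray(data[2:]), 1]
        elif pci_type == 2 and cid in pending:           # consecutive frame: 2N
            total, buf, seq = pending[cid]
            if (data[0] & 0x0F) != (seq & 0x0F):
                del pending[cid]                         # sequence error: drop it
                continue
            buf += data[1:]
            pending[cid][2] = seq + 1
            if len(buf) >= total:
                done.setdefault(cid, []).append(bytes(buf[:total]))
                del pending[cid]
    return done


def describe(payload):
    """One-line reading of a payload: $7F is negative, otherwise service + 0x40."""
    if payload[0] == 0x7F and len(payload) >= 3:
        return "negative response to service %02X, NRC %02X" % (payload[1], payload[2])
    return "positive response to service %02X" % (payload[0] - 0x40)


if __name__ == "__main__":
    for cid, payloads in reassemble(SAMPLE_LINES).items():
        for p in payloads:
            print("%03X: %s  (%s)" % (cid, p.hex(" "), describe(p)))
```

Paste a captured session into `SAMPLE_LINES` (or read it from a file) and every `7F 23 31` versus `63 ...` reply is listed per responding ID, which makes it easy to see which request variant finally got past the range check.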