OBDX Development - Developer Tools and Suggestions

[kur4o]

I have successfully read the AU Falcon ECU on the bench. Attached in the .bin and also a VCM2 log of it reading!

So my ECU is a 3byte seed and 2byte key as per the previous unlocks we have seen by Intech.

24 10 F5 27 01
C4 F5 10 67 01 57 59 BC
24 10 F5 27 02 00 CD
C4 F5 10 67 02 34

We can see the seed is 57 59 BD and key is 00 CD

I can confirm this is correct using the unlock algo which matches.


It then does another unlock almost immediately after the first one:
24 10 F5 27 01
C4 F5 10 67 01 37 38 2C
24 10 F5 27 02 DA 64
C4 F5 10 67 02 34

Seed is 37 38 2C and key is DA 64, this also works when applying the second key derivative.

And after that.. it reads the memory. It doesnt take very long to be honest, its quite fast.

But... still no high speed request. It stayed at the same baud rate the whole time through.

I feel like Im chasing a mythical ability at this point! Id rather not base my coding off of dealing only with a simulating PWM highspeed requests on a scantool, Id rather actually get live data from an ecu since its real results including time interval between IFR bytes and end of frame bytes.

I should be able to just half the timings I currently use for it to be correct.. but again, I want to know its right first.

Thanks for the logs. In short summary, I figured some of the missing pieces and how to set j-tool to monitor all data on pwm bus.
The feps is also applied on all the time during the read/write event. I noticed it took 10 seconds for pcm to send 00 05 message after feps been on. Does this require some ignition cycling or it is some security timeout.

[Gampy]

Great explanation ... Thank you!

Ok, I am doing it right, it does not work, the vin is not returned.

All I get in the logger pane is the red send of said command ...

Edit:
If it matters, I allowed the STN1110 to auto search the protocol and it came up with: ISO 15765-4 (CAN 11/500)

-Enjoy

[kur4o]

Great explanation ... Thank you!

Ok, I am doing it right, it does not work, the vin is not returned.

All I get in the logger pane is the red send of said command ...

Edit:
If it matters, I allowed the STN1110 to auto search the protocol and it came up with: ISO 15765-4 (CAN 11/500)

-Enjoy

You can try running the script. It will log all 1a identifiers. Vin might be there too.

[Gampy]

Could not load file or assembly 'gmkeylib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified.

and in the logger pane:

[19:35:19.604] 00 00 07 DF 28
[19:35:19.808] 00 00 07 DF 3E

in red ...

Edit:
Just tested the same with GM MDI Clone.

-Enjoy

[kur4o]

Gapmy,

You are just great at finding bugs. It is indeed some bug. Until fixed you can test with previous version, if you have it on file.

[Tazzi]

So with a bit of help, I may have the required commands to enter highspeed.

Since my ECU does seem to support standard seed key setup, and also we seem to be able to do both unlocks, all thats left is coding it all up!

I am going to start with using the VCM2, simply because it does support FEPs and PWM, assuming it does actual enter highspeed mode (Fingers crossed), we can then move towards using the OBDX PWM prototype.

The fact that the frames cannot be any larger then 12bytes does make it easier. I can now used a fixed buffer size, and actually apply it into a queue based system so that the main processor task can continue searching and pulling in new messages without having to worry about if the last frame had been sent yet.

I think the biggest mission of them all.. is seeing if this can't be encouraged to go onto the OBDX FT. I know Pete has already said there is not enough room.... but.... if we remove the ESP32 wireless module for something smaller.... I think.... it could work.

Theres a module I have been looking at which is less then a quarter of its size. It does classic bluetooth and BLE5. So it does lose wifi, but thats not the end of the world. The bonus with this chip also is we may (eventually) be able to support classic bluetooth on iOS since it supports the apple MFi requirements once implemented on a PCB and approved by apple.

Our initial release for the OBDX Pro FT will be MS CAN, HS CAN and FEPs. If the new bluetooth module is deemed to be a winner, and IF it can also fit PWM... we will look at a v2 FT with PWM also.

[kur4o]

At one point I though the high speed mode was never used. Great you figured the needed commands to make it happen.
If it follows gm modes
a0=prepare high speed mode
than
a1= switch to high speed

but as being ford it should be tough as hell.


I managed to get a full writing session with ngc4 random file. Nothing unusual, no voltages being applied. Looks like pcm contains all the code needed for flashing, and only some erase commands are being issued.
Now I am working with ngc3, and hopefully the seed/key algos will be broken.

With ngc3 I am having some issue, it commands ignition off -at that point it applies 12v at pin13, after 2-3 seconds it wants ignition ON- here it commands voltage at pin13 removed.

At that point it expects something to be send from pcm. I have no idea what should be send. Some logs will be very helpful.

Gampy to get the vin out of ngc4 send
00 00 07 e0 1a 90

[Gampy]

Not necessarily trying to get the VIN, just testing UP communications.

I know the VIN, I own the vehicle ...

Using an elm and terminal I can also get the VIN.

I'll try 1A90 with elm and terminal.

-Enjoy

[kur4o]

That is great. So if I need anything tested on ngc4, we can sacrifice the vehicle.

A new script for testing, I removed the part that errors out. It will read all 1a identifiers, and will poll the pcm for supported pids, mode22

If it runs too slow you can play with timing settings.
goto->settings tab->timeouts button-> decrease TimeoutConsoleRecieve between 5 and 20. If it misses frames increase it.

If you are willing to share the log minus sensitive information. I need some identifiers to fill missing gaps response format.

[Gampy]

That is great. So if I need anything tested on ngc4, we can sacrifice the vehicle.

Sure, then I can die quickly by the hands of my wife versus slowly suffocating to death!

Now, no joking, when it comes time and there is testing needed I am willing to risk the ECM, but first I have to have it hauled to the dealer and have the ECM replaced with a new one to preserve the original, it's a special vehicle and originality is imperative.

Another bug found ... Maybe by design ?
In the Logger pane
. Right-Click
. . Select All
. . Copy

Copies only the visible area ...
Anyway it's selected, it only copies the visible data.

So I ticked 'File' to redirect to file ...

And got the following, I did stop the script as it was receiving nothing.

ISO15765_1a_22_read_ngc4-Log.rtf

(8.73 KiB) Downloaded 51 times

-Enjoy