VCM Suite now accesses EFI Live tunes

EPROM EEPROM SRAM NVRAM Flash chips, reading/writing hardware and software
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: VCM Suite now accesses EFI Live tunes

Post by Tazzi »

Tre-Cool wrote: As for the HPT reading EFI custom OS stuff, I think it's a bit rude/wrong for HPT to not so much add support for it. But more the fact they are making money to license it for people to tune. Especially since they didn't develop the modified code.
If there was any 'bridges' between the two tuning companies to co-operate with one another.. I imagine they would have been burnt down almost instantly after that update.
Makes you wonder how many of them actually do the hard yards of reverse engineering all the tables and options.. and how many just simply copy the others work :wtf:

Probably the only thing unique between them is the bootloader (If applicable), even so.. can imagine they have based each of their 'custom code' off of each others. Everything gets copied/pirated these days!
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
rolls
Posts: 407
Joined: Wed Sep 07, 2016 11:22 am
cars: bf xr6t falcon

Re: VCM Suite now accesses EFI Live tunes

Post by rolls »

Well most of them would be copying the official bootloaders that the OEM tuning tools use so I figure it is fair game.

To actually figure out how to flash one of these vehicles from first principles with no inside knowledge would be very challenging and time consuming if you were not an expert at reverse engineering/cracking, especially if they use security algorithms that require a seed (eg Ford). Sure you could dump the flash with a BDM but finding the security algorithm is challenging, even more so if you don't even know there is a security algorithm to find in the first place.

I have found the security algorithm, secret keys and the UDS command routine in the Ford ROM but that was with a massive helping hand from that adventures in IO document that gave me some great starting points. They didn't even do it from scratch, they just hacked IDS to get the secret keys as it was easier to hack Windows software than a PPC with a debugger.

So what makes more business sense? Build a full harness and tweak each variable one by one and continuously poke the RAM, then once you find some variables that are known you can start dumping out tables. This could take a few months per platform.

OR just load up your scan tool of choice and start logging some PIDs, you then correlate the PIDs to a RAM address and from the RAM addresses find the routine that stores this value, then you find the table within the ROM very quickly. This is how we did it and it is easier than you'd think.

Regarding copying the custom code, in a legal/copyright sense this is no different from copying the original Ford tunes; however, personally I would frown on it more as they are making their living from these. Ford are making money selling cars, not ECU code.
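The seed/key "security algorithm" rolls mentions is the UDS SecurityAccess service (0x27) from ISO 14229. The following is an added illustration, not code from this thread or from any tuning tool: it models both sides of the exchange (tester requests a seed, ECU answers, tester returns a key) and the attempt counter a server uses to refuse further attempts. The key-derivation function is a constructed placeholder; no manufacturer's real algorithm or secret appears here.

```python
"""UDS SecurityAccess (service 0x27) seed/key exchange, both sides modelled.

Added illustration only. derive_key() is a CONSTRUCTED placeholder, not any
vendor's real algorithm, and ToyEcu is an in-memory stand-in for a controller.
The service id, sub-functions and negative response codes are the ISO 14229
values; everything else is assumed for the demo.
"""
import hashlib
import os

SECURITY_ACCESS = 0x27
NEGATIVE_RESPONSE = 0x7F
POSITIVE_OFFSET = 0x40            # positive response SID = request SID + 0x40
NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_SUBFUNCTION_NOT_SUPPORTED = 0x12
NRC_REQUEST_SEQUENCE_ERROR = 0x24  # sendKey without a preceding requestSeed
NRC_INVALID_KEY = 0x35
NRC_EXCEEDED_ATTEMPTS = 0x36


def derive_key(seed: bytes, secret: bytes) -> bytes:
    """CONSTRUCTED placeholder: hash of secret||seed, truncated to 4 bytes.
    Real controllers use vendor-specific functions; this is only for the demo."""
    return hashlib.sha256(secret + seed).digest()[:4]


class ToyEcu:
    """Server side for sub-functions 0x01 (requestSeed) and 0x02 (sendKey)."""

    def __init__(self, secret: bytes, max_attempts: int = 3):
        self.secret = secret
        self.max_attempts = max_attempts
        self.failed = 0          # consecutive wrong keys
        self.seed = None         # outstanding seed, cleared after each sendKey
        self.unlocked = False

    def handle(self, request: bytes) -> bytes:
        sid, sub = request[0], request[1]
        if sid != SECURITY_ACCESS:
            return bytes([NEGATIVE_RESPONSE, sid, NRC_SERVICE_NOT_SUPPORTED])
        if self.failed >= self.max_attempts:
            # Locked out: refuse even a new seed until the server is reset.
            return bytes([NEGATIVE_RESPONSE, sid, NRC_EXCEEDED_ATTEMPTS])
        if sub == 0x01:
            # ISO 14229: an already-unlocked server answers with an all-zero seed.
            self.seed = b"\x00" * 4 if self.unlocked else os.urandom(4)
            return bytes([sid + POSITIVE_OFFSET, sub]) + self.seed
        if sub == 0x02:
            if self.seed is None:
                return bytes([NEGATIVE_RESPONSE, sid, NRC_REQUEST_SEQUENCE_ERROR])
            expected = derive_key(self.seed, self.secret)
            self.seed = None     # one key attempt per seed
            if request[2:] == expected:
                self.unlocked = True
                self.failed = 0
                return bytes([sid + POSITIVE_OFFSET, sub])
            self.failed += 1
            nrc = NRC_EXCEEDED_ATTEMPTS if self.failed >= self.max_attempts else NRC_INVALID_KEY
            return bytes([NEGATIVE_RESPONSE, sid, nrc])
        return bytes([NEGATIVE_RESPONSE, sid, NRC_SUBFUNCTION_NOT_SUPPORTED])


def client_unlock(ecu: ToyEcu, secret: bytes) -> bool:
    """Tester side: requestSeed, derive the key, sendKey. True if unlocked."""
    resp = ecu.handle(bytes([SECURITY_ACCESS, 0x01]))
    if resp[0] != SECURITY_ACCESS + POSITIVE_OFFSET:
        return False                      # negative response (e.g. locked out)
    seed = resp[2:]
    resp = ecu.handle(bytes([SECURITY_ACCESS, 0x02]) + derive_key(seed, secret))
    return resp[0] == SECURITY_ACCESS + POSITIVE_OFFSET


if __name__ == "__main__":
    ecu = ToyEcu(secret=b"constructed-demo-secret")
    print("tester with correct secret unlocked:", client_unlock(ecu, b"constructed-demo-secret"))
```

The point of the model is the one rolls makes: without the derivation function and its secret, knowing the message format alone gets a tester only as far as a seed, and the attempt counter means the server stops answering after a few wrong keys.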
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: VCM Suite now accesses EFI Live tunes

Post by Tazzi »

rolls wrote: Well most of them would be copying the official bootloaders that the OEM tuning tools use so I figure it is fair game.

To actually figure out how to flash one of these vehicles from first principles with no inside knowledge would be very challenging and time consuming if you were not an expert at reverse engineering/cracking, especially if they use security algorithms that require a seed (eg Ford). Sure you could dump the flash with a BDM but finding the security algorithm is challenging, even more so if you don't even know there is a security algorithm to find in the first place.

I have found the security algorithm, secret keys and the UDS command routine in the Ford ROM but that was with a massive helping hand from that adventures in IO document that gave me some great starting points. They didn't even do it from scratch, they just hacked IDS to get the secret keys as it was easier to hack Windows software than a PPC with a debugger.

So what makes more business sense? Build a full harness and tweak each variable one by one and continuously poke the RAM, then once you find some variables that are known you can start dumping out tables. This could take a few months per platform.

OR just load up your scan tool of choice and start logging some PIDs, you then correlate the PIDs to a RAM address and from the RAM addresses find the routine that stores this value, then you find the table within the ROM very quickly. This is how we did it and it is easier than you'd think.

Regarding copying the custom code, in a legal/copyright sense this is no different from copying the original Ford tunes; however, personally I would frown on it more as they are making their living from these. Ford are making money selling cars, not ECU code.
Fair game :lol: Makes me laugh, it's like a battle of the hackers :lol:

Reckon you're spot on though, everything has originated from the manufacturer's bootloader.. well.. at least the write routines did. I don't believe Holden have read bootloaders so they are custom design.

Yeah, would be easier to look in with Windows software. Getting set up with BDM on PPC for things that allow in-circuit debugging is extremely pricey, so BDM loses out in both those circumstances. Really.. BDM is there as a bit of a backup tool to put in the initial flash or recover bad ones. I'll have to rip off the case on one of these Ford ones and probe the pins to find where the BDM pins go to.. at least that's a start for playing around with if anyone pulls out a BDM tool.
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: VCM Suite now accesses EFI Live tunes

Post by antus »

I actually disagree with some of this. They all do use original bootloaders. How they developed them is not public information but they're all unique. Also the flash process is half way between proprietary and documented. The security key exchange process and upload and download of data is standard OBD2, and the various modes etc are standard across OBD2 protocols. That's certainly not to say all the information is published (especially hardware information, where there are only manufacturers' datasheets for some ICs) but it's more than some people might think.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
rolls
Posts: 407
Joined: Wed Sep 07, 2016 11:22 am
cars: bf xr6t falcon

Re: VCM Suite now accesses EFI Live tunes

Post by rolls »

antus wrote: I actually disagree with some of this. They all do use original bootloaders.
I wonder if that was to avoid using IP from GM? I guess it would be pretty easy to write your own and a good learning exercise regardless.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: VCM Suite now accesses EFI Live tunes

Post by Tazzi »

rolls wrote: I wonder if that was to avoid using IP from GM ? I guess it would be pretty easy to write your own and a good learning exercise regardless.
Yeah it would be, plus GM doesn't have any public 'read' bootloaders anyway.
Antus has gone down the road of developing his own for the Holden LS1 ECUs. He can probably give the best insight on how difficult it really is!
antus wrote: I actually disagree with some of this. They all do use original bootloaders.
Original and completely different, no doubt!
But.. did they really just jump into the deep end.. and just wing it? Or take advantage of a freely available (well.. almost) bootloader developed by GM?
Decompiling and understanding how it works, routines addressed etc would cut down R&D time by weeks or even months for the little guys. You'd almost be mad not to do it!?! No point re-inventing the wheel :lol:
As they would all be addressing the same inbuilt 'functions' where possible to minimize the required custom code needed.

As a bit of an example (after doing a bit of research on this). The E38 ECUs do some funky things with the flash. Flash is compressed and decompressed at runtime to minimize code size without losing any performance.
I can't even imagine the headf*ck that would be to try to reverse engineer the compression/decompression algorithms.. and honestly don't believe they did that either.. otherwise they would all be simply reading and writing using the compressed file to save on processing times.
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: VCM Suite now accesses EFI Live tunes

Post by antus »

rolls wrote:
antus wrote: I actually disagree with some of this. They all do use original bootloaders.
I wonder if that was to avoid using IP from GM? I guess it would be pretty easy to write your own and a good learning exercise regardless.
Most likely yes. It's not easy to write your own, as there is custom silicon and a custom hardware platform, and any error might mostly work but could brick PCMs in corner cases. But nothing is impossible if you have the time and skills.

Note that I have removed some inappropriate posts from this thread. If one of them was yours, please don't re-post it. Discussion of piracy is not allowed or encouraged.