j2534 Open Source Resources

User avatar
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B
Contact:

Re: j2534 Open Source Resources

Post by antus »

Which protocol are you talking about? Im not aware of needing direct pin access for programming. The device firmware is open source.

The J2534 support would be the hard bit. Its a complicated protocol, not just a wrapper.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
User avatar
rolls
Posts: 407
Joined: Wed Sep 07, 2016 11:22 am
cars: bf xr6t falcon

Re: j2534 Open Source Resources

Post by rolls »

Ford require 18v (though 12v seems to work) applied to pin 13 to flash the powerpc ecus.

I'm looking at making a cheap device to do this. Currently my best bet is a China clone vci mini j2534 cable with a hard wired switch to a laptop power supply however I would love to have an all in one cable with open source firmware.

J2534 isn't specifically required but it makes it a lot easier. 0x27 security access is obd/uds protocol over high speed canbus
User avatar
rolls
Posts: 407
Joined: Wed Sep 07, 2016 11:22 am
cars: bf xr6t falcon

Re: j2534 Open Source Resources

Post by rolls »

https://github.com/fenugrec/oj2534-fw/

Found this guy who has created probably the only open source J2534 tool. Uses an evaluation board. I might message him to see how complete the project is.

edit: There is also OpenPort 2.0 which is affordable however I cannot find how compliant their J2534 implementation is, emailed to find out.
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: j2534 Open Source Resources

Post by Tazzi »

rolls wrote:Ford require 18v (though 12v seems to work) applied to pin 13 to flash the powerpc ecus.

I'm looking at making a cheap device to do this. Currently my best bet is a China clone vci mini j2534 cable with a hard wired switch to a laptop power supply however I would love to have an all in one cable with open source firmware.

J2534 isn't specifically required but it makes it a lot easier. 0x27 security access is obd/uds protocol over high speed canbus
Requires use of components like relays to switch purposes of pins ect.

For the Ford ECUs, I honestly always figured the smartest option would be to make a separate device that pumps out the 18v to pin 13 with something like a switch to turn it on or off. Or in my case, Im looking to make that a separate "addon" board to the diagnostic cable Im designing which can be controlled by the main diagnostic cable.

Do note.. J2534.. is a protocol.. and doesnt actually know the security algorithms ect required to get access to allow reading/writing to the ECU. Just a heads up there! As reverse engineering algorithms is its own absolutely shitstorm.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
rolls
Posts: 407
Joined: Wed Sep 07, 2016 11:22 am
cars: bf xr6t falcon

Re: j2534 Open Source Resources

Post by rolls »

Appears "figuring" out the protocol will be much easier than expected. Still got a few hurdles to go before it will be complete.

Found the seed key algorithm this afternoon and proved it will work with the bf falcon ecus I'm interested in.
http://www.fordmods.com/post1445053.html#p1445053

Agree with the external device providing 18v, probably just wire vbatt to pin 13 with an inline switch. Apparently whilst ids provides 18v 12v will do the job, only cost $5 and take maybe 20 minutes to do. This should be achievable for anyone capable of tuning a vehicle.
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: j2534 Open Source Resources

Post by Tazzi »

rolls wrote:Appears "figuring" out the protocol will be much easier than expected. Still got a few hurdles to go before it will be complete.

Found the seed key algorithm this afternoon and proved it will work with the bf falcon ecus I'm interested in.
http://www.fordmods.com/post1445053.html#p1445053

Agree with the external device providing 18v, probably just wire vbatt to pin 13 with an inline switch. Apparently whilst ids provides 18v 12v will do the job, only cost $5 and take maybe 20 minutes to do. This should be achievable for anyone capable of tuning a vehicle.
AH right! Nice work!

Will take a peak at that thread now.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: j2534 Open Source Resources

Post by Tazzi »

Wow just got through that thread.

GREAT WORK ROLLS!

One thing though, will need to actually reverse engineer that algo for the ECU instead of using the file those guys found to calculate the key. Keen as to chime in on working on that!
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
rolls
Posts: 407
Joined: Wed Sep 07, 2016 11:22 am
cars: bf xr6t falcon

Re: j2534 Open Source Resources

Post by rolls »

Yep very keen to find it in the pcm code. I have the binary for my pcm but so I can probably just search for the magic number in the algo to find it. Will have a look later.

Whilst I want to figure it out why do I need to if that python routine works?
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: j2534 Open Source Resources

Post by Tazzi »

rolls wrote:Yep very keen to find it in the pcm code. I have the binary for my pcm but so I can probably just search for the magic number in the algo to find it. Will have a look later.

Whilst I want to figure it out why do I need to if that python routine works?
Isnt that python routine calling a dll from IDS? Or have I read that completely wrong?
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
rolls
Posts: 407
Joined: Wed Sep 07, 2016 11:22 am
cars: bf xr6t falcon

Re: j2534 Open Source Resources

Post by rolls »

Nope.

It is a simple routine about 20 lines long that rewrote in c# in about 30 minutes. They extracted the secrete keys from the ids software however you can brute force them. I wrote a routine to brute force them juts to prove it could be done but you need about 10 seed keys as there are a lot of secrete keys that have collisions and give the correct result for that seed only.
Post Reply