Electronic Fuel Injection - Developement & Tuning
https://pcmhacking.net/forums/
The immobiliser,seed/key,vin,serial ect is in the parameter block area, which is from the 0x8000 to 0xA000 area of the top of my head.Tre-Cool wrote:So with the cloning option.
Where about's in the bin file or segment has the security link information. mainly interested in copying it from one bin to another. i.e if doing a OS change/upgrade.
Maybe it will give you some ideas to incorporate. Fun stuff 
Code: Select all
SaveA: equ $XX ;IO Register address
BTDelay: equ $F0 ;bit delay this can be any value ya like
;
;BootStrap code starts here
;
sei ;enable interrupts, not really necessary
lda #$55 ;55h is the response that basically says you are
;running this bootstrap, can be any value you like
bra Start ;run dumper
SendByte: sta SaveA
clra
bsr DecA ;Inter-Byte delay
ldx #$0A
coma ;invert byte
bclr0 $00 ;5 Zero Bit
bsr DelayBit ;1st Start Bit
bra SetIO ;3
SetIO: bset $00, #0 ;5 One Bit
bsr DelayBit
clc ;2nd Start Bit
SendBit: bcs Send1 ;3
bclr0 $00 ;5 Zero Bit |
bra bitdelay ;3 |count this for timing calc
Send1: bset $00, #0 ;5 One Bit |but not this
bra bitdelay ;3 |
bitdelay: bsr DelayBit
asla a ;3
decx ;3
bne SendBit ;3
bset $00, #0 ;Parity = 0, Stop bits = 1
rts ;6
DelayBit: ;standard 8 bit delay loop
sta SaveA
lda #BTDelay
DecA: deca
bne DecA
lda $XX ;SaveA This is the IO register
rts
Start: bsr SendByte
LongDelay: deca
bsr DelayBit
bne LongDelay
lda #$30 ;Start address of 3000
sta $47 ;Now address stored at 47,48 in ram
lda #$00
sta $48
; ---------------------------------------------------------------------------
dw $7180 ;Change page to eeprom
; ---------------------------------------------------------------------------
Loop: dw $92C6 ;Load A with the value of this next byte address 92C647
;Haven't fixed assembler to allow this new opcode yet
db $47
bsr SendByte
inc $48
bne Loop
inc $47
bne Loop
;need to create "reversible" idling loop here or rts
Thanks!The1 wrote:awesome work tazzi, lots of hours to get this far
Sweet as. Iv been bogged down with work during all the COVID, its only starting to normalise for me now so I will (Hopefully) have more free time again soon to start attacking more ecus.In-Tech wrote:Hiya Tazzi,
Just an update that I built bench setups for the E67, E78 and E92 if you want me to do anything. I can rig up a CAN logger/sniffer too. I'll make the T42 and T87 adapters soon.
I screwed up the other day and didn't read a messed up E38 after I got the key. It was fubar'd bad enough it only had a 3 byte seed. Seed was BE2 and key was 881, didn't take long to brute it and I got sidetracked by the phone and forgot to read it before repair
Here's a couple E78 reads from some ebay puters.
