
Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Posted: Mon Jan 16, 2023 8:56 pm
by Tazzi
Knackersjewels wrote:Is there currently any way to flash an LY7 OS onto an E67 without SPS or a BCM/TCM?
LY7, as in the VZ V6 engines? Those use an E55 ECU, not an E67 ECU.

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Posted: Tue Jan 17, 2023 10:25 pm
by julespatch
Tazzi wrote:
Knackersjewels wrote:Is there currently any way to flash an LY7 OS onto an E67 without SPS or a BCM/TCM?
LY7, as in the VZ V6 engines? Those use an E55 ECU, not an E67 ECU.
Also the E77 in the VE.

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Posted: Tue Jan 24, 2023 5:10 am
by crystal_imprezav
Tazzi wrote:
crystal_imprezav wrote:I am always working with the ECU unlocked; it is also patched. $34/$36 work fine. $35 NRC 0x11. Everything in the flash itself that I have tested, I get an NRC 0x31. The only things readable are parts of the RAM.

Unless it has something to do with the patch, which is highly unlikely (this is not an HP patch), I don't see an original giving more access. That being said, I will run the same tests on an E99(s), but I am thinking that may be locked down more, but who knows. On a T87A, it's not an issue; you can read/write whatever you want.
If it was used as an exploit to get in, then (personally) I would have patched it up. But this all depends on how far someone goes to do this stuff.

*Edit
I believe the E88, E90 and E99 all use the same bootloader from what I have just looked at. At least the labelling for the loader has this labelling, so I'd assume this would be the case. Whether or not every single one can have the loader ripped is an uncertainty right now, but it's a good 200+ kB, so it's a LOT of decompiling ahead.
After more testing, it seems like the MPC5777 ECUs (E88/E90/E99 etc.) are open to many areas, but the E41 is for whatever reason more locked down and you can only read a very limited sector in RAM.

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Posted: Tue Jan 24, 2023 12:00 pm
by Tazzi
crystal_imprezav wrote:After more testing, it seems like the MPC5777 ECUs (E88/E90/E99 etc.) are open to many areas, but the E41 is for whatever reason more locked down and you can only read a very limited sector in RAM.
Requires a bit more inventive thinking on other ECUs. Using higher unlock clearance to be allowed to read restricted areas would likely be the engineer's option since... well... I don't know anyone on the planet who has successfully used those modes, since they don't have a method for generating keys. Doesn't mean it can't be done, just requires out-of-the-box thinking.

I have a development board on the way for the MPC57 CPU, so I can actually recover it after messing around with it. As it's unlocked, this will allow actually stepping through code to better understand what's happening as well.

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Posted: Wed Jan 25, 2023 3:51 am
by Gatecrasher
Have you seen this? It's the first concise write-up I've seen concerning the security in the E99. I'd only seen bits and pieces scattered around whitepapers, industry presentations, etc.

https://www.tapouttuning.com/frequently ... blackwing/

Click on "Why can't Blackwings be tuned the same way we tune ATS-Vs?"

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Posted: Wed Jan 25, 2023 5:22 am
by crystal_imprezav
Tazzi wrote:
crystal_imprezav wrote:After more testing, it seems like the MPC5777 ECUs (E88/E90/E99 etc.) are open to many areas, but the E41 is for whatever reason more locked down and you can only read a very limited sector in RAM.
Requires a bit more inventive thinking on other ECUs. Using higher unlock clearance to be allowed to read restricted areas would likely be the engineer's option since... well... I don't know anyone on the planet who has successfully used those modes, since they don't have a method for generating keys. Doesn't mean it can't be done, just requires out-of-the-box thinking.

I have a development board on the way for the MPC57 CPU, so I can actually recover it after messing around with it. As it's unlocked, this will allow actually stepping through code to better understand what's happening as well.
I've extracted the full image from a boot read; using elevated privileges in 27 03 doesn't gain you anything, from what I have tested so far.

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Posted: Wed Jan 25, 2023 5:28 am
by Highlander
crystal_imprezav wrote:
Tazzi wrote:
crystal_imprezav wrote:After more testing, it seems like the MPC5777 ECUs (E88/E90/E99 etc.) are open to many areas, but the E41 is for whatever reason more locked down and you can only read a very limited sector in RAM.
Requires a bit more inventive thinking on other ECUs. Using higher unlock clearance to be allowed to read restricted areas would likely be the engineer's option since... well... I don't know anyone on the planet who has successfully used those modes, since they don't have a method for generating keys. Doesn't mean it can't be done, just requires out-of-the-box thinking.

I have a development board on the way for the MPC57 CPU, so I can actually recover it after messing around with it. As it's unlocked, this will allow actually stepping through code to better understand what's happening as well.
I've extracted the full image from a boot read; using elevated privileges in 27 03 doesn't gain you anything, from what I have tested so far.
This is what I keep telling people.

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Posted: Wed Jan 25, 2023 2:03 pm
by Tazzi
crystal_imprezav wrote:I've extracted the full image from a boot read; using elevated privileges in 27 03 doesn't gain you anything, from what I have tested so far.
Originally you said that the boot image can't even be read, yet.. it can in specific modules.

It's all about thinking outside the box. Just assuming it doesn't work doesn't help. 27 03 provides higher-level access, since it allows actually writing in seed/key values, serials etc. This in itself indicates higher-level access, as it is writing security/secured memory areas which are typically locked. This does not mean it's the only capability it has.
What's to stop this from allowing tampering with other sections? Do you have proof of unlocking with mode 27 03 and messing with these sections?

None of the above is a dig at you. I just hear it time and time again that "It can't be done" for many things I work on, yet... they can.... simply because people haven't tried all options or just assume it won't work.
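The exchange argued over in the last few posts (unlock at 27 01 versus 27 03, then see which memory windows answer positively and which come back with NRC 0x31), written out as an added example. This is not code from the thread or from any poster, and the ECU it talks to is a constructed stand-in: its address windows, its XOR "key" function and its NRC policy (RAM readable once unlocked at any level, flash always NRC 0x31, one secured block writable only at level 03) are assumptions chosen so the harness has something to diff, not GM's actual behaviour. The real key algorithm is exactly what nobody in the thread has, so `uds_key` is a placeholder to be swapped for a real one.

```python
"""Added example (not from the thread): a UDS harness that unlocks a stand-in
ECU with $27 SecurityAccess at a chosen level, probes memory windows with
$23 ReadMemoryByAddress / $3D WriteMemoryByAddress, records the NRC per window
and diffs the access map at level 01 against level 03. The ECU is constructed."""

NRC_NAMES = {0x11: "serviceNotSupported", 0x24: "requestSequenceError",
             0x31: "requestOutOfRange", 0x33: "securityAccessDenied", 0x35: "invalidKey"}

ALFID_4ADDR_2SIZE = 0x24  # addressAndLengthFormatIdentifier: 2-byte size, 4-byte address


def uds_key(seed: bytes, level: int) -> bytes:
    """HYPOTHETICAL key function for the stand-in ECU only. The real algorithm is
    not public; this XOR just lets the seed/key round trip run end to end."""
    return bytes(b ^ (0x5A + level) for b in seed)


def _inside(rng, addr, size):
    return rng[0] <= addr and addr + size <= rng[1]


class FakeEcu:
    """Constructed stand-in. Assumed layout: RAM readable once unlocked at any
    level, flash always NRC 0x31, a 'secured' block writable only at level 03."""
    RAM = (0x40000000, 0x40010000)
    FLASH = (0x00800000, 0x00900000)
    SECURED = (0x40010000, 0x40010100)

    def __init__(self):
        self.level = 0                 # highest unlock achieved, 0 = locked
        self.pending_seed = None
        self.pending_level = None
        self.secured = bytearray(0x100)

    def handle(self, req: bytes) -> bytes:
        sid = req[0]
        neg = lambda nrc: bytes([0x7F, sid, nrc])    # negative response frame
        if sid == 0x27:
            sub = req[1]
            if sub % 2 == 1:                          # odd sub-function: requestSeed
                self.pending_seed = bytes([0xA1, 0xB2, 0xC3, 0xD4])  # fixed seed, for determinism
                self.pending_level = sub
                return bytes([0x67, sub]) + self.pending_seed
            if self.pending_level != sub - 1:         # sendKey without a matching seed
                return neg(0x24)
            if req[2:] != uds_key(self.pending_seed, self.pending_level):
                return neg(0x35)
            self.level = max(self.level, self.pending_level)
            return bytes([0x67, sub])
        if sid in (0x23, 0x3D):
            if req[1] != ALFID_4ADDR_2SIZE:
                return neg(0x31)
            addr = int.from_bytes(req[2:6], "big")
            size = int.from_bytes(req[6:8], "big")
            if self.level == 0:
                return neg(0x33)
            if sid == 0x23:
                if _inside(self.RAM, addr, size):
                    return bytes([0x63]) + bytes(size)   # RAM contents (zeros here)
                return neg(0x31)                          # flash and everything else
            if _inside(self.SECURED, addr, size) and self.level >= 3:
                off = addr - self.SECURED[0]
                self.secured[off:off + size] = req[8:8 + size]
                return bytes([0x7D]) + req[1:8]
            return neg(0x31)
        return neg(0x11)


def unlock(ecu: FakeEcu, level: int) -> bool:
    """27 <level> (requestSeed) then 27 <level+1> (sendKey); True on 67 xx."""
    seed = ecu.handle(bytes([0x27, level]))[2:]
    resp = ecu.handle(bytes([0x27, level + 1]) + uds_key(seed, level))
    return resp[0] == 0x67


def probe(ecu: FakeEcu, sid: int, addr: int, size: int = 4, data: bytes = b"") -> str:
    """One $23/$3D request, summarised as 'OK' or 'NRC 0xNN name'."""
    req = bytes([sid, ALFID_4ADDR_2SIZE]) + addr.to_bytes(4, "big") + size.to_bytes(2, "big") + data
    resp = ecu.handle(req)
    if resp[0] == 0x7F:
        return f"NRC 0x{resp[2]:02X} {NRC_NAMES.get(resp[2], 'unknown')}"
    return "OK"


WINDOWS = {"ram": 0x40000000, "flash": 0x00800000, "secured": 0x40010000}


def access_map(level: int) -> dict:
    """(read result, write result) per window after unlocking at `level`."""
    ecu = FakeEcu()
    if not unlock(ecu, level):
        raise RuntimeError(f"unlock at level {level:02X} failed")
    return {name: (probe(ecu, 0x23, a), probe(ecu, 0x3D, a, 4, b"\x00" * 4))
            for name, a in WINDOWS.items()}


def diff_levels(lo: int = 1, hi: int = 3) -> dict:
    """Windows whose access differs between the two unlock levels."""
    a, b = access_map(lo), access_map(hi)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}
```

Against the stand-in, `diff_levels()` reports only the secured block (write goes from NRC 0x31 to OK at level 03) while RAM and flash answer identically at both levels. Run against a real module, the same diff is the evidence the thread is asking for: an empty diff supports "27 03 gains you nothing", a non-empty one shows exactly which service and window the higher level unlocks.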

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Posted: Sun Jan 29, 2023 8:05 am
by Knackersjewels
Tazzi wrote:
Knackersjewels wrote:Is there currently any way to flash an LY7 OS onto an E67 without SPS or a BCM/TCM?
LY7, as in the VZ V6 engines? Those use an E55 ECU, not an E67 ECU.
2007-2008 GMC Acadia were LY7 using an E67

Re: GM E38 E67 E40 Kernel/Bootloader Development Extravaganz

Posted: Tue Jan 31, 2023 11:19 pm
by muscleup
These two documents are of importance

Using the Cryptographic Service Engine (CSE) - NXP Semiconductors
https://www.nxp.com/docs/en/application-note/AN4234.pdf
https://www.nxp.com/docs/en/application-note/AN4235.pdf

The RAppID Boot Loader Utility can interface with the MPCs; you have to find the right files, though. That CSE PDF details multiple different ways of resetting/erasing to clear keys etc. I'm pretty sure, looking over the SPS bins, that the first part of the code gets executed by the security module, then resets to a determined mode, which allows certain read privileges depending on cases.