Delco HDRC (Y17DT DYRX, DMRW & DNLF)

User avatar
Posts: 1968
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby Tazzi » Thu Jan 08, 2015 11:52 am

antus wrote:Its a bit out of context... what do you think is in d0? The response from the immo? I cant say if its right or not but you could try patching that function and see if it'll still boot and see if you can break the immo function on a working car. Then you know your looking at the right code. Or could nop out the bne to 51a86 and see if the function at 6ae86 clears the security. I recommend going options / general / dissassembly and setting number of opcode bytes to 8. Need to do it once in graph mode and once in list mode. Can then easily see the bytes in the bin. Note there is a risk of engine damage hacking the code without being sure but I would think its a reasonably small risk. However it's your decision.

Surely I would have thought we could be able to "simulate" attempting to start an engine somehow rather than risking the cars integrity?

Im not sure what other vital modules are required for the ecu to successfully start up, but I would think grabbing all other required modules wiring them all up then applying an engine "on" power.. you could see if there is any power going to the injectors or something like that? If voltage stops after a few seconds then you know its not disabled.

..This is ll assuming you have plenty of space and money haha.. since buying half the cars electronics will probably be costly. :thumbup:
Image

Posts: 25
Joined: Thu Jul 24, 2014 9:43 pm

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby Ionut » Sun Feb 22, 2015 11:32 am

Too much pain in the a**.
You need to simulate a lot of sensors, need to simulate RPM signal, pump rpm signal, injection pump controller, pedal position sensor, etc, etc.
On this ECU check engine blinks if key is not recognized

Done some tests, with changing BNE to BE in routines that i thinked are immo related and nothing changed (apparently)

Site Admin
User avatar
Posts: 6039
Joined: Sat Feb 28, 2009 8:34 pm

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby antus » Sun Feb 22, 2015 7:48 pm

Doh! Keep it up :)
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

Posts: 25
Joined: Thu Jul 24, 2014 9:43 pm

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby Ionut » Wed Apr 01, 2015 4:14 am

Did some digging, but still no luck... Is hard to understand Assembly when all languages that i know are high level (PHP, Java, Visual basic, C#)...

User avatar
Posts: 1968
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby Tazzi » Fri Apr 24, 2015 7:36 pm

Ionut wrote:Did some digging, but still no luck... Is hard to understand Assembly when all languages that i know are high level (PHP, Java, Visual basic, C#)...

Its literally a matter of printing out (of simply CTRL-F) the assemby opcodes, and then writing the meaning next to each line. Slow..painful.. but gets the job done eventually.
Image

Site Admin
User avatar
Posts: 6039
Joined: Sat Feb 28, 2009 8:34 pm

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby antus » Fri Apr 24, 2015 10:22 pm

If you use ida you can turn on auto comments to help.
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

Posts: 25
Joined: Thu Jul 24, 2014 9:43 pm

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby Ionut » Fri Sep 18, 2015 8:05 am

Long time no see... meanwhile i didn`t used that car and didn`t had time to work on project, but if Bosch ME7.5 (C167 Processor) RAM values can be logged over OBD, would be possible to log RAM values from Motorola 68K over OBD? Any ideea HOW?

Thank you.

Site Admin
User avatar
Posts: 6039
Joined: Sat Feb 28, 2009 8:34 pm

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby antus » Thu Oct 22, 2015 8:37 pm

depends on the implementation. on delphi pcms you need to pass a security challenge before you can read all addresses. what pcm?
Have you read the FAQ? For lots of information and links to significant threads see here: viewtopic.php?f=7&t=1396

Posts: 25
Joined: Thu Jul 24, 2014 9:43 pm

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby Ionut » Tue Dec 01, 2015 1:09 am

Delco HDRC.

Posts: 25
Joined: Thu Jul 24, 2014 9:43 pm

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Postby Ionut » Fri Jan 06, 2017 2:21 am

After days and nights of study i was able to make the little mother fucker to read up to 255Kpa@4.97V (original was up to 207).
But my sensor is 4 bar, so i`ll need to extend up to 400Kpa. First try was to divide each division of boost previously changed, but of course this will set an overflow on 16bit variable used for boost and at 265Kpa value will be 10Kpa.

Changed in all 8 places where #$400 divisions was found.
I think the value is stored in 16 bit because map values are in 16 bit too.
Code: Select all
move.l  d7,-(sp)
move.w  ($FFF6B8).l,d7
move.w  d7,($FF8F80).l
moveq   #0,d0
move.w  d7,d0
moveq   #0,d1
move.w  (word_7246E).l,d1
muls.l  d1,d0
divs.l  #$400,d0
move.l  d0,d7
move.w  d7,($FF8F34).l
tst.b   ($FF81C8).l
beq.s   loc_5D43E
move.w  d7,($FF8F36).l
bra.s   loc_5D478

Code: Select all
; CODE XREF: sub_6AE44:loc_6AE72p
move.l  d7,-(sp)
move.l  d6,-(sp)
moveq   #0,d0
move.w  ($FFF6A2).l,d0
lsl.l   #5,d0
move.l  d0,d7
lsl.l   #3,d0
add.l   d0,d7
lsl.l   #5,d0
add.l   d0,d7
lsl.l   #2,d0
sub.l   d0,d7
lsl.l   #4,d0
add.l   d0,d7
divs.l  #$14AF,d7
lsl.l   #8,d7
divs.l  #$400,d7
add.w   #$A54,d7
move.w  d7,($FF8FB2).l
tst.b   ($FF81C8).l
beq.s   loc_5C998
move.w  d7,($FF8F6A).l
bra.s   loc_5C9CA

; CODE XREF: sub_5C94C+42j
move.w  ($FF8F6A).l,d6
moveq   #0,d1
move.w  d7,d1
moveq   #0,d0
move.w  d6,d0
sub.l   d0,d1
moveq   #0,d0
move.b  (byte_7254C).l,d0
muls.l  d1,d0
tst.l   d0
bge.s   loc_5C9C0
neg.l   d0
lsr.l   #7,d0
neg.l   d0
bra.s   loc_5C9C2


The factor used in ecu is 0.003906. Found a lot of #$6400 divisions (25600 in dec, or 0.390625 as division result between dec value and max value of 16 bit, 65535)
So, to have 0.003906 i should find a new division of #$64 (100 dec value), but no occurence looks like it should be to have a valid division :(

Any help?

PreviousNext

Return to Disassembly and Reassembly

Who is online

Users browsing this forum: No registered users and 0 guests