Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Posted: Thu Jan 08, 2015 11:52 am
by Tazzi
antus wrote:It's a bit out of context... what do you think is in d0? The response from the immo? I can't say if it's right or not but you could try patching that function and see if it'll still boot and see if you can break the immo function on a working car. Then you know you're looking at the right code. Or could nop out the bne to 51a86 and see if the function at 6ae86 clears the security. I recommend going options / general / disassembly and setting number of opcode bytes to 8. Need to do it once in graph mode and once in list mode. Can then easily see the bytes in the bin. Note there is a risk of engine damage hacking the code without being sure but I would think it's a reasonably small risk. However it's your decision.
Surely I would have thought we could be able to "simulate" attempting to start an engine somehow rather than risking the car's integrity?

I'm not sure what other vital modules are required for the ecu to successfully start up, but I would think grabbing all other required modules wiring them all up then applying an engine "on" power.. you could see if there is any power going to the injectors or something like that? If voltage stops after a few seconds then you know it's not disabled.

..This is all assuming you have plenty of space and money haha.. since buying half the car's electronics will probably be costly. :thumbup:

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Posted: Sun Feb 22, 2015 11:32 am
by Ionut
Too much pain in the a**.
You need to simulate a lot of sensors, need to simulate RPM signal, pump rpm signal, injection pump controller, pedal position sensor, etc, etc.
On this ECU check engine blinks if key is not recognized

Done some tests, with changing BNE to BE in routines that I thought are immo related and nothing changed (apparently)

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Posted: Sun Feb 22, 2015 7:48 pm
by antus
Doh! Keep it up :)

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Posted: Wed Apr 01, 2015 4:14 am
by Ionut
Did some digging, but still no luck... It is hard to understand Assembly when all languages that I know are high level (PHP, Java, Visual Basic, C#)...

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Posted: Fri Apr 24, 2015 7:36 pm
by Tazzi
Ionut wrote:Did some digging, but still no luck... It is hard to understand Assembly when all languages that I know are high level (PHP, Java, Visual Basic, C#)...
It's literally a matter of printing out (or simply CTRL-F) the assembly opcodes, and then writing the meaning next to each line. Slow..painful.. but gets the job done eventually.

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Posted: Fri Apr 24, 2015 10:22 pm
by antus
If you use IDA you can turn on auto comments to help.

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Posted: Fri Sep 18, 2015 8:05 am
by Ionut
Long time no see... meanwhile I didn't use that car and didn't have time to work on the project, but if Bosch ME7.5 (C167 Processor) RAM values can be logged over OBD, would it be possible to log RAM values from Motorola 68K over OBD? Any idea HOW?

Thank you.

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Posted: Thu Oct 22, 2015 8:37 pm
by antus
Depends on the implementation. On Delphi PCMs you need to pass a security challenge before you can read all addresses. What PCM?

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Posted: Tue Dec 01, 2015 1:09 am
by Ionut
Delco HDRC.

Re: Delco HDRC (Y17DT DYRX, DMRW & DNLF)

Posted: Fri Jan 06, 2017 2:21 am
by Ionut
After days and nights of study I was able to make the little mother fucker to read up to 255Kpa@4.97V (original was up to 207).
But my sensor is 4 bar, so I'll need to extend up to 400Kpa. First try was to divide each division of boost previously changed, but of course this will set an overflow on 16bit variable used for boost and at 265Kpa value will be 10Kpa.

Changed in all 8 places where #$400 divisions were found.
I think the value is stored in 16 bit because map values are in 16 bit too.

Code:

move.l  d7,-(sp)
move.w  ($FFF6B8).l,d7
move.w  d7,($FF8F80).l
moveq   #0,d0
move.w  d7,d0
moveq   #0,d1
move.w  (word_7246E).l,d1
muls.l  d1,d0
divs.l  #$400,d0
move.l  d0,d7
move.w  d7,($FF8F34).l
tst.b   ($FF81C8).l
beq.s   loc_5D43E
move.w  d7,($FF8F36).l
bra.s   loc_5D478

Code:

; CODE XREF: sub_6AE44:loc_6AE72p
move.l  d7,-(sp)
move.l  d6,-(sp)
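moveq   #0,d0
move.w  ($FFF6A2).l,d0      ; d0 = x (zero-extended 16-bit input)
lsl.l   #5,d0               ; d0 = 32x
move.l  d0,d7               ; d7 = 32x
lsl.l   #3,d0               ; d0 = 256x
add.l   d0,d7               ; d7 = 288x
lsl.l   #5,d0               ; d0 = 8192x
add.l   d0,d7               ; d7 = 8480x
lsl.l   #2,d0               ; d0 = 32768x
sub.l   d0,d7               ; d7 = -24288x
lsl.l   #4,d0               ; d0 = 524288x
add.l   d0,d7               ; d7 = 500000x
divs.l  #$14AF,d7           ; d7 = 500000x / 5295
lsl.l   #8,d7               ; d7 *= 256
divs.l  #$400,d7            ; d7 /= 1024
add.w   #$A54,d7            ; d7 += 2644 (16-bit add)
move.w  d7,($FF8FB2).l      ; store low 16 bits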
tst.b   ($FF81C8).l
beq.s   loc_5C998
move.w  d7,($FF8F6A).l
bra.s   loc_5C9CA

; CODE XREF: sub_5C94C+42j
move.w  ($FF8F6A).l,d6
moveq   #0,d1
move.w  d7,d1
moveq   #0,d0
move.w  d6,d0
sub.l   d0,d1
moveq   #0,d0
move.b  (byte_7254C).l,d0
muls.l  d1,d0
tst.l   d0
bge.s   loc_5C9C0
neg.l   d0
lsr.l   #7,d0
neg.l   d0
bra.s   loc_5C9C2

The factor used in ecu is 0.003906. Found a lot of #$6400 divisions (25600 in dec, or 0.390625 as division result between dec value and max value of 16 bit, 65535)
So, to have 0.003906 I should find a new division of #$64 (100 dec value), but no occurrence looks like it should be to have a valid division :(

Any help?
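
Added example, not part of the original posts or the ECU code: a C model of the 32-bit scale followed by the 16-bit `move.w` store in the first listing, showing why the stored boost word tops out just under 256 kPa and wraps above it. It assumes one count is 1/256 kPa (the 0.003906 factor quoted in the post); the function names and the raw/gain inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: the 16-bit boost word holds kPa * 256 (factor 0.003906). */
#define COUNTS_PER_KPA 256u

/* Same arithmetic as the first listing: 32-bit multiply and divide,
 * then a word store that keeps only the low 16 bits. */
static uint16_t scale_and_store(uint16_t raw, uint16_t gain)
{
    uint32_t product = (uint32_t)raw * gain;   /* muls.l d1,d0 (wraps at 32 bits) */
    int32_t d0 = (int32_t)product / 0x400;     /* divs.l #$400,d0                 */
    return (uint16_t)d0;                       /* move.w d7,($FF8F34).l           */
}

/* What ends up in RAM when a whole-kPa value is written as a 16-bit word. */
static uint16_t store_kpa(uint32_t kpa)
{
    return (uint16_t)(kpa * COUNTS_PER_KPA);
}

/* What every reader of that word will see, in whole kPa. */
static uint32_t read_kpa(uint16_t counts)
{
    return counts / COUNTS_PER_KPA;
}

/* Range check: does the scaled value survive the 16-bit store? */
static int fits_16bit(uint32_t kpa)
{
    return kpa * COUNTS_PER_KPA <= 0xFFFFu;
}

/* Largest whole-kPa value a 16-bit word can hold at a given resolution. */
static uint32_t max_whole_kpa(uint32_t counts_per_kpa)
{
    return 0xFFFFu / counts_per_kpa;
}

int main(void)
{
    /* 265 kPa needs 67840 counts; the low word is 2304, which reads back
     * as 9 kPa, close to the roughly 10 kPa reported in the post. */
    printf("255 kPa -> %u kPa\n", (unsigned)read_kpa(store_kpa(255)));
    printf("265 kPa -> %u kPa\n", (unsigned)read_kpa(store_kpa(265)));
    printf("400 kPa fits: %d, ceiling: %u kPa\n",
           fits_16bit(400), (unsigned)max_whole_kpa(COUNTS_PER_KPA));
    return 0;
}
```

Under this assumption the limit comes from the width of the stored word, not from the `#$400` divisor, so any other resolution would also change the meaning of the value for every routine and map that reads it.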