
BA Falcon BEM EEPROM via CAN

Posted: Sat Dec 16, 2023 10:02 pm
by jakka
The following is how to access the BA Falcon Body Electronic Module EEPROM. This is done via CAN Calibration Protocol over Ford Diagnostic Protocol over CANbus. It requires using standard diagnostic service 0x2F inputOutputControlByLocalIdentifier to open a CAN Calibration Protocol session with the module, unlocking security with a seed/key request and then requesting the EEPROM bytes. It uses the standard CAN identifiers BEM_DiagSig_Rx 0x726 and BEM_DiagSig_Tx 0x72E and, when the CCP session is opened, proceeds on CAN identifiers BEM_CCP_Rx 0x706 and BEM_CCP_Tx 0x712.

CAN RX & TX IDENTIFIERS

BEM_DiagSig_Rx         = 0x726
BEM_DiagSig_Tx         = 0x72E
BEM_CCP_Rx             = 0x706
BEM_CCP_Tx             = 0x712

The first step is to start an ecuAdjustmentSession 0x1087 with the module.
Send:

726#0210870000000000

Response:

72E#0250870000000000

Then using 0x2F inputOutputControlByLocalIdentifier request a CCP session with the module:
Send:

726#072FF2A907976A65

Response:

72E#026FF2A900000000

Now using the BEM_CCP_Rx CAN Identifier connect to the module:
Send:

706#0101BEBE00000000

Response:

712#FF00010000000000

Request the security access seed from the module:
Send:

706#1202020000000000

Response:

712#FF000102K1K2K3K4

Using K1-4 as your seed bytes, calculate the key response for the module with the algorithm:
Seed Key Bytes

SECURITY_ID0 = 0x41
SECURITY_ID1 = 0x55
SECURITY_ID2 = 0x36
SECURITY_ID3 = 0x74

Security Algorithm

def calculate_key(K1, K2, K3, K4):
    # K1-K4 are the seed bytes from the GET_SEED reply; they are assumed
    # to map in order onto challenge0..challenge3. The body below is
    # reproduced as posted: the '==' comparisons and the repeated
    # adden_a_uil assignment look like transcription artefacts of the
    # original routine and have been left unchanged.
    challenge0_ubl         = K1
    challenge1_ubl         = K2
    challenge2_ubl         = K3
    challenge3_ubl         = K4
    result0_ubl            = 0
    result1_ubl            = 0
    result2_ubl            = 0
    result3_ubl            = 0
    reply_cnt_ubl          = 0
    adden_a_uil            = 0
    adden_b_uil            = 0
    sum_uil                = 0
    temp1_ubl              = 0
    temp2_ubl              = 0
    temp3_ubl              = 0
    print("    Calculating Response Key...")
    adden_a_uil  = (SECURITY_ID2 << 8) + (SECURITY_ID0)
    adden_b_uil  = (challenge2_ubl << 8) + (challenge3_ubl)
    sum_uil      = adden_a_uil + adden_b_uil

    result2_ubl  = (sum_uil >> 8)
    result3_ubl  = (sum_uil & 0xFF)

    adden_a_uil  = (SECURITY_ID0 << 8) + SECURITY_ID1
    adden_a_uil  = (challenge2_ubl << 8) + challenge3_ubl
    sum_uil      = adden_a_uil + adden_b_uil

    result0_ubl  = (sum_uil >> 8)
    result1_ubl  = (sum_uil & 0xFF)

    result3_ubl  = result3_ubl * 13
    result2_ubl  = result2_ubl * 11
    result1_ubl  = result1_ubl * 19
    result0_ubl  = result0_ubl * 17

    result3_ubl  = (((temp1_ubl == result3_ubl) << 6) | ((temp2_ubl == result3_ubl) >> 2))
    result2_ubl  = (((temp1_ubl == result2_ubl) << 6) | ((temp2_ubl == result2_ubl) >> 2))
    result1_ubl  = (((temp1_ubl == result1_ubl) << 6) | ((temp2_ubl == result1_ubl) >> 2))
    result0_ubl  = (((temp1_ubl == result0_ubl) << 6) | ((temp2_ubl == result0_ubl) >> 2))

    result3_ubl  = result3_ubl ^ 17
    result2_ubl  = result2_ubl ^ 86
    result1_ubl  = result1_ubl ^ 75
    result0_ubl  = result0_ubl ^ 52

    if result2_ubl & 0x04:
        temp3_ubl = (temp1_ubl == (result3_ubl >> 4)) | (temp2_ubl == (result3_ubl << 4))
        temp2_ubl = (temp1_ubl == (result2_ubl >> 4)) | (temp2_ubl == (result2_ubl << 4))
        result3_ubl = temp2_ubl
        result2_ubl = temp3_ubl

    else:
        temp3_ubl = (temp1_ubl == (result1_ubl >> 4)) | (temp2_ubl == (result1_ubl << 4))
        temp2_ubl = (temp1_ubl == (result0_ubl >> 4)) | (temp2_ubl == (result0_ubl << 4))
        result1_ubl = temp2_ubl
        result0_ubl = temp3_ubl

    print("    Key Calculated.")
    R1 = result0_ubl
    R2 = result1_ubl
    R3 = result2_ubl
    R4 = result3_ubl
    print("    ", R1, R2, R3, R4)
    return R1, R2, R3, R4
Then send the key response bytes:
Send:

706#1303R1R2R3R40000

Response:

712#FF00030200000000

Upload from ECU EEPROM to Tester, where SS is data size and UU is data transferred:
Send:

706#0406SS0000000000

Response:

712#FF0006UUUUUUUUUU

Download to ECU EEPROM from Tester, where SS is data size and UU is data transferred:
Send:

706#0305SSUUUUUUUU00

Response:

712#FF000500000004004

Attached below is a partially completed Python script for use with socketcan/python-can
:punk:
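A bus-monitoring check for the exchange above, added here as an example and not part of jakka's post or script: it parses candump-style `ID#HEX` lines in the format used in the post and flags each step of a CCP session on the BEM (the 0x2F F2A9 enable request, CONNECT, GET_SEED, UNLOCK, and any UPLOAD/DNLOAD issued after the module has accepted a key), which is what a bench or in-vehicle CAN logger would want to alert on. The seed and key bytes in the sample log are constructed placeholders.

```python
import re

# CAN identifiers from the post (tester -> BEM, BEM -> tester)
BEM_DIAG_RX, BEM_DIAG_TX = 0x726, 0x72E
BEM_CCP_RX, BEM_CCP_TX = 0x706, 0x712
# CCP command codes seen in the exchange (first byte of a request on 0x706)
CCP_COMMANDS = {0x01: "CONNECT", 0x12: "GET_SEED", 0x13: "UNLOCK",
                0x04: "UPLOAD", 0x03: "DNLOAD"}
FRAME_RE = re.compile(r"^([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

def parse_frame(line):
    """Parse a candump-style 'ID#HEX' line into (can_id, data); None if malformed."""
    m = FRAME_RE.match(line.strip())
    if not m or len(m.group(2)) % 2:          # odd hex length = truncated/garbled frame
        return None
    return int(m.group(1), 16), bytes.fromhex(m.group(2))

def scan(lines):
    """Walk the frames in order and return the security-relevant events found."""
    events, last_cmd, unlocked = [], None, False
    for line in lines:
        frame = parse_frame(line)
        if frame is None:
            continue
        can_id, d = frame
        if can_id == BEM_DIAG_RX and len(d) >= 3 and d[1] == 0x10:
            events.append("DIAG_SESSION_%02X" % d[2])       # 0x87 = ecuAdjustmentSession
        elif can_id == BEM_DIAG_RX and len(d) >= 4 and d[1] == 0x2F and d[2:4] == b"\xF2\xA9":
            events.append("CCP_ENABLE_REQUEST")             # 0x2F with DID F2A9 opens CCP
        elif can_id == BEM_CCP_RX and d and d[0] in CCP_COMMANDS:
            last_cmd = CCP_COMMANDS[d[0]]
            suffix = "_AFTER_UNLOCK" if unlocked and last_cmd in ("UPLOAD", "DNLOAD") else ""
            events.append(last_cmd + suffix)                # EEPROM traffic with security open
        elif can_id == BEM_CCP_TX and len(d) >= 3 and d[0] == 0xFF and d[1] == 0x00:
            if last_cmd == "UNLOCK":                        # FF 00 = OK reply to the key sent
                unlocked = True
                events.append("UNLOCK_ACCEPTED")
            last_cmd = None
    return events

# Constructed sample log: the post's exchange with placeholder seed/key bytes
SAMPLE = ["726#0210870000000000", "72E#0250870000000000", "726#072FF2A907976A65",
          "72E#026FF2A900000000", "706#0101BEBE00000000", "712#FF00010000000000",
          "706#1202020000000000", "712#FF000102A1B2C3D4", "706#1303112233440000",
          "712#FF00030200000000", "706#0406080000000000", "712#FF00060011223344"]

if __name__ == "__main__":
    for event in scan(SAMPLE):
        print(event)
```

Feeding it a live `candump -L` stream instead of SAMPLE turns it into a simple alert for unexpected calibration-session activity on the body network.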

Re: BA Falcon BEM EEPROM via CAN

Posted: Sat Dec 16, 2023 10:36 pm
by hjtrbo
hell yeah man. Bloody awesome!

Re: BA Falcon BEM EEPROM via CAN

Posted: Mon Dec 18, 2023 6:09 pm
by jakka
hjtrbo wrote: hell yeah man. Bloody awesome!
Thanks cunny

Re: BA Falcon BEM EEPROM via CAN

Posted: Wed Dec 20, 2023 11:23 am
by VX L67 Getrag
GREAT WORK, I hadn't checked this but after the crash module data I thought it was worth looking & WOW!

Re: BA Falcon BEM EEPROM via CAN

Posted: Wed Dec 20, 2023 12:49 pm
by Whiteford
VX L67 Getrag wrote: GREAT WORK, I hadn't checked this but after the crash module data I thought it was worth looking & WOW!
Had you found a resolution via OBD for RCM?

Re: BA Falcon BEM EEPROM via CAN

Posted: Wed Dec 20, 2023 1:23 pm
by jakka
Whiteford wrote:
VX L67 Getrag wrote: GREAT WORK, I hadn't checked this but after the crash module data I thought it was worth looking & WOW!
Had you found a resolution via OBD for RCM?

Read RCM flash then disassemble methinky. I have an RCM ready to be bench tested, start on it next year

Re: BA Falcon BEM EEPROM via CAN

Posted: Sat Feb 03, 2024 2:07 am
by Gatecrasher
This is pretty amazing stuff. Nice work.

Is F2A9 a standard DID for Ford CCP? I've been chipping away at the software for a newer truck cluster and I don't see that DID in the list of 2F sub functions.

So do I just assume CCP isn't supported on this module, or do I need to dig into each of the unknown DIDs to see if one of them points to CCP functions? I wonder if they changed the DID when they moved to the newer electrical architecture.

*Edit*
I may have answered my own question. They standardized everything around ISO 14229 at some point. All the DIDs on my cluster line up with that document, and that would put F2A9 into the range of periodic data identifier DIDs. So if my cluster does support CCP, it's tied to one of the manufacturer or supplier DIDs I haven't investigated yet.

Exciting stuff. :)

Re: BA Falcon BEM EEPROM via CAN

Posted: Mon Feb 05, 2024 5:08 pm
by jakka
Gatecrasher wrote: Sat Feb 03, 2024 2:07 am This is pretty amazing stuff. Nice work.

Is F2A9 a standard DID for Ford CCP? I've been chipping away at the software for a newer truck cluster and I don't see that DID in the list of 2F sub functions.

So do I just assume CCP isn't supported on this module, or do I need to dig into each of the unknown DIDs to see if one of them points to CCP functions? I wonder if they changed the DID when they moved to the newer electrical architecture.

*Edit*
I may have answered my own question. They standardized everything around ISO 14229 at some point. All the DIDs on my cluster line up with that document, and that would put F2A9 into the range of periodic data identifier DIDs. So if my cluster does support CCP, it's tied to one of the manufacturer or supplier DIDs I haven't investigated yet.

Exciting stuff. :)
Not that I am aware of. The same 0x2F request on an FG Falcon fails with 0x7F error 0x12 (I think). It may be in the supplier reserved range of the Ford spec, meaning that the component manufacturer would be the ones using it, and it wouldn't be needed or used in the Ford factory or OEM diagnostic software.

What cluster are you talking about? From a Falcon?

Re: BA Falcon BEM EEPROM via CAN

Posted: Mon Feb 05, 2024 5:13 pm
by jakka
Keep in mind this is circa 2000's era stuff basically. CCP was superseded by XCP, this is all pre-VBF and GGDS.

Re: BA Falcon BEM EEPROM via CAN

Posted: Tue Feb 06, 2024 12:31 am
by Gatecrasher
2018 F150 8" cluster in a 2017 truck. I did a quick skim of the code associated with the high range DIDs and it looks like none of them do anything especially interesting.