T43 access to ram area using Universal Patcher

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
hjtrbo
Posts: 140
Joined: Tue Jul 06, 2021 6:57 pm
cars: VF2 R8 LSA
FG XR6T
HJ Ute w/RB25DET

T43 access to ram area using Universal Patcher

Post by hjtrbo »

On a tangent from my T43 thread, I have a need to read certain RAM addresses during operation to help fill in some blanks I'm chasing. I'm a bit green at this sort of stuff, I'm hoping some of you might be able to provide a guiding hand and help me...

I think I will be able to utilise the ReadMemoryByAddress ($23) Service. From page 118 GMW3110
The purpose of this service is to retrieve data from a contiguous range of ECU memory addresses.... The ReadMemoryByAddress service is only available as a one shot request-response service.... If any of the addresses (that fall in the range of the request message) have security restrictions then the request shall be rejected unless the tester had previously successfully accessed security.
It is possible that some or all of the RAM addresses may be protected. I understand in that case I'll have to first unlock the TCM using the SecurityAccess ($27) Service and persist a tester present connection. Is the seed / key algo known for T43? I'd presume same as e38?

Time for the part where I need help. I'm interested in reading ram address 0x003fc846. This post should have me sorted for the connection and I can fire my message from the VPW console. Is the format of the message as per the documentation? My message is as follows:


Service => Memory Address => Memory Size 
0x23 0x003fc846 0x0002
Message => 23003fc8460002
Is that all I need to do?

To summarise, with all other settings left as default:


Settings => J2534 Device => MDI
         => Protocol => CAN 
         => PCM => 7E2
VPW Console => 23003fc8460002
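As an added example (my code, not from this thread or from Universal Patcher), the $23 request above encoded as a 12-byte console line in the "00 00 ID ID d0..d7" layout with an ISO 15765 PCI byte in front of the service, plus a decoder for the $63 / $7F replies. It assumes a 4-byte address, a 2-byte size, single-frame replies and that the positive reply echoes the address; the sample reply lines in the comments are constructed.

```python
from dataclasses import dataclass
from typing import Optional

READ_MEMORY = 0x23                     # ReadMemoryByAddress service
NEGATIVE = 0x7F
# GMW3110 response codes a rejected $23 is likely to return (assumed from the spec;
# anything else is reported numerically).
RESPONSE_CODES = {0x12: "subFunctionNotSupported", 0x31: "requestOutOfRange",
                  0x33: "securityAccessDenied", 0x78: "responsePending"}

def build_read_memory_line(can_id: int, address: int, size: int, addr_bytes: int = 4) -> str:
    """Console line for a $23 request: 2 pad bytes, 2 ID bytes, then 8 data bytes
    where the first is the ISO 15765 PCI (number of payload bytes that follow)."""
    if not 0 <= address < (1 << (8 * addr_bytes)):
        raise ValueError("address does not fit in %d bytes" % addr_bytes)
    if not 1 <= size <= 0xFFFF:
        raise ValueError("size must be 1..65535")
    payload = bytes([READ_MEMORY]) + address.to_bytes(addr_bytes, "big") + size.to_bytes(2, "big")
    if len(payload) > 7:
        raise ValueError("request does not fit in a single frame")
    data = (bytes([len(payload)]) + payload).ljust(8, b"\x00")
    return (b"\x00\x00" + can_id.to_bytes(2, "big") + data).hex(" ").upper()

@dataclass
class ReadMemoryReply:
    positive: bool
    address: Optional[int]     # echoed address on a positive reply (assumed layout)
    data: bytes                # memory contents returned
    reason: str                # "positive" or the negative-response code

def decode_read_memory_line(line: str, addr_bytes: int = 4) -> ReadMemoryReply:
    """Decode a 12-byte single-frame reply ($63 positive, or $7F $23 <code>).
    Constructed sample: "00 00 07 EA 03 7F 23 33 00 00 00 00" -> securityAccessDenied."""
    raw = bytes.fromhex(line)
    if len(raw) != 12:
        raise ValueError("expected a 12-byte console line")
    pci, data = raw[4], raw[5:]
    if not 1 <= pci <= 7:
        raise ValueError("not an ISO 15765 single frame (multi-frame replies not handled)")
    payload = data[:pci]
    if payload[0] == READ_MEMORY + 0x40:
        return ReadMemoryReply(True, int.from_bytes(payload[1:1 + addr_bytes], "big"),
                               payload[1 + addr_bytes:], "positive")
    if payload[0] == NEGATIVE and len(payload) >= 3 and payload[1] == READ_MEMORY:
        return ReadMemoryReply(False, None, b"", RESPONSE_CODES.get(payload[2], "code 0x%02X" % payload[2]))
    return ReadMemoryReply(False, None, b"", "unexpected service 0x%02X" % payload[0])
```

A seed/key step is only needed if the reply comes back as securityAccessDenied, which is exactly the check the decoder surfaces.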
kur4o
Posts: 956
Joined: Sun Apr 10, 2016 9:20 pm

Re: T43 access to ram area using Universal Patcher

Post by kur4o »

Here are some dumps+scripts that might get you started for logging.

The unlock script needs a raw CAN connection in j-console.
The other script will work in the vpw console connected with TCM IDs, but the script needs the IDs updated for the TCM; it is currently configured for the e78 PCM.
The unlock algo needs to be changed to T43 too. I can't find it now, but if you have a seed/key pair the algo can be found.


Here is a mode 23 command example
00 00 07 E0 23 40 00 00 00 00 10
[00 00 07 E0] id
[23] mode
[40 00 00 00] address
[00 10] length of requested data, max is 10; some modules can accept up to 80.



There is an option to log RAM as dynamic PIDs, just like in VPW, but it is not yet implemented.
Attachments:
CAN_unlock_test.txt (587 Bytes)
e78_m23_dump_read.rar (50.59 KiB)
hjtrbo

Re: T43 access to ram area using Universal Patcher

Post by hjtrbo »

Thank you kur4o, I will digest it.
hjtrbo

Re: T43 access to ram area using Universal Patcher

Post by hjtrbo »

kur4o, I appreciate that providing support is time consuming and can sometimes be tedious if you are having to repeat information that you have explained previously.

Is there detailed documentation on script commands? Some are self explanatory. If so, please just let me know and I will go hunting for it.

VPW Console Script:


globaldelay:50                                // Does this mean every command is delayed 50ms??? E.g even inside a loop each command is delayed 50ms? 

00 00 01 01 FE 01 28:1                        // What do the modifiers mean? :1
00 00 01 01 FE 01 3E:0:50                     // What do the modifiers mean? :0:51

loop:768                                      // Number of loops
getseed:7:algo                                // ??? Does 7 mean the algo type? If I know it how can I implement it? 
                                              // Or is the seed always the same therefore I can prefill the key? 
00 00 07 E2 02 27 01 FF FF FF FF FF
break:7:AA                                    // Exit loop if...???
00 00 07 E2 04 27 02 key FF FF FF             // Insert key here
variable:algo:0:+1                            // ???
00 00 01 01 FE 01 3E
delay:2000
00 00 01 01 FE 01 3E
delay:2000
00 00 01 01 FE 01 3E
delay:2000
00 00 01 01 FE 01 3E
delay:2000
00 00 01 01 FE 01 3E
delay:2000
endloop

# line comment                                // Is this a line comment???

variable:var1:1:80                            // Create variable var1. Don't know what :1:80 is?

loop:2                                        // Loop 2 times
00 00 07 E2 02 1A var1 FF FF FF FF FF:100:100
variable:var1:1:+1                            // Do something with var1, maybe var1++;?
delay:2000
00 00 01 01 FE 01 3E:0:500
delay:1000
00 00 01 01 FE 01 3E:0:500
delay:500
endloop
04colyZQ8
Posts: 380
Joined: Thu Jan 16, 2014 12:41 pm
cars: 2004 Colorado 4.8L swap
86/90 Jimmy 6.5L diesel swap
80 Chevrolet Silverado TBI swap
88dodge W100 LPG conversion

Re: T43 access to ram area using Universal Patcher

Post by 04colyZQ8 »

I'm interested in this; I've never had any luck using mode 23 on the CAN stuff. Mode 35 on VPW works amazingly well, can even read registers and RAM.

I have an e67 JTAGged and still cannot read the RAM!! There should be two different RAM sections. I can read and program the slaves, flash serial number, but cannot read the RAM, which is unfortunate!
04colyZQ8

Re: T43 access to ram area using Universal Patcher

Post by 04colyZQ8 »

However, the issue I found with VPW is that mode 35 resets the controller and uses the RAM to execute the read functions. Overwriting the RAM, the RAM dump is practically useless and only shows the variable states when in mode 35.

To actually see a live snapshot the JTAGged RAM dump works perfectly. On the VPW modules I do something repeatable like hold down an input switch or keep a sensor steady with a resistor, then plug in the JTAG dump and you can see the exact state the sensor held steady is reading.

Most likely mode 23, if you can get it to work, will reset the controller and you'll lose the state of the variable you are seeking.

Another trick is to write a function to store the variable you’re after onto the eeprom area, then dump that, after reset if you’re lucky it will stay the same, but don’t power off. Most eeproms need a special function to make the newly added code permanent.
kur4o

Re: T43 access to ram area using Universal Patcher

Post by kur4o »

getseed:7:algo // ??? Does 7 mean the algo type? If I know it how can I implement it?
// Or is the seed always the same therefore I can prefill the key?
00 00 07 E2 02 27 01 FF FF FF FF FF
break:7:AA // Exit loop if...???
00 00 07 E2 04 27 02 key FF FF FF // Insert key here
variable:algo:0:+1
getseed:7:algo //get seed from byte 7 on next response, algo is special handling variable

break:7:AA break loop if byte 7 from next response equals AA

variable:algo:0:+1 //variable: special process, algo = variable name, 0 = can't remember [maybe initial algo number], +1 = increase the test algo number by 1

00 00 07 E2 04 27 02 key FF FF FF // key= special variable, insert calculated key here[program calculates it based on the algo being used]




variable:var1:1:80 // variable = special process, var1= variable name, 1 = size of variable in bytes, 80 = initial value of variable
variable:var1:1:+1 // variable = special process, var1 = variable name, 1 = variable size, +1 = increase the variable value by 1

# = skip that line/ comment
00 00 01 01 FE 01 3E:0:500 //0 = expected responses, 500 = special timeout

some more examples with a fixed algo number

getseed:6:1db //get seed from byte 6 and calculate key using algo number 1db
00 00 07 E0 27 01 //line to get seed response
00 00 07 E0 27 02 key //insert calculated key here at key variable
hjtrbo

Re: T43 access to ram area using Universal Patcher

Post by hjtrbo »

Thanks
hjtrbo

Re: T43 access to ram area using Universal Patcher

Post by hjtrbo »

May I ask some more questions? Remember this is all new to me. I'm hoping though my detailed questions will answer questions for many others just starting out as well.
  • Clarification is required on the response script parameter. For example, DisableNormalCommunication ($28) Service
    00 00 01 01 FE 01 28:1
    In your example script the expected response is 1, however the documentation says a positive response is $68 in data byte 1. Would the construction not be:
    00 00 01 01 FE 01 28:68 ???
  • If using the expected result script parameter and in the case that the response is not as expected, what is the action? I.e. does the script exit?
  • For testerPresent message, if we are idle we must send testerPresent < 3000ms to maintain node mode condition. However, if we are interacting with the node at intervals << 3000ms, we do not need to send the testerPresent message; Is that right?
Crikey, a bit to get through...
As a first example script to test with, is this syntax ok for vpw console? Purpose is looking to see what seed value I get back for now just to get my feet wet.


##############################################
# Determine if controller is locked
##############################################
# If a device supports security, but is already unlocked (MEC > 0 or the vulnerability flag is = $FF) when a
# SecurityAccess requestSeed message is received, that node shall respond with a SecurityAccess
# requestSeed positive response message service with a seed value of $0000. A tester shall use this method to
# determine if a node is locked by checking for a non-zero seed.
##############################################
# Example can frame, standard addressing
#      __ Padding
#     |      __ Can address
#     |     |   __ Data length (bytes, max = 7)
#     |     |  |   __ Service
#   --|   --|  |  |   __ Data
#  |  |  |  |  |  |  |
# 00 00 07 E2 02 27 01 __ __ __ __ __ (up to data byte 7)
#
# Example can frame, extended addressing
#      __ Padding
#     |      __ Can address
#     |     |   __ Extended address
#     |     |  |   __ Data length (bytes, max = 6)
#   --|   --|  |  |   __ Data
#  |  |  |  |  |  |  |
# 00 00 01 01 FE 01 28 __ __ __ __ __ (up to data byte 6)


# Delay of 50ms between messages
globaldelay:50                                


# DisableNormalCommunication ($28) service
# $101 => All can nodes (extended address scheme)
# $FE  => All functional systems
# $01  => PCI (Network Layer Protocol Control Information) Datalength (DL) = 1 
# 28   => Mode 28 DisableNormalCommunication service
# :1   => Expected response with DL = 1 if ok. If negative response DL would be >1 ??? Thought a positive response is $68 ???
00 00 01 01 FE 01 28:1 


# TesterPresent ($3E) Service sent to all can nodes
# Expected response = 0
# Delay 50ms
00 00 01 01 FE 01 3E:0:50


# Request seed using SecurityAccess ($27) Service
# $01 = SPSrequestSeed
00 00 07 E2 02 27 01


# Wait...
delay:500 


# ReturnToNormalMode ($20) Service
00 00 01 01 FE 01 20


# End
kur4o

Re: T43 access to ram area using Universal Patcher

Post by kur4o »

Response count just looks for a response, it doesn't process it, so it will look for 1 message response.
If no response is received it will time out and move to the next line, using the defined timeout.

On the test script you are mixing 2 protocols.
Raw CAN and ISO 15765 formatted CAN format.

vpw console only works in ISO 15765 mode with predefined module IDs [filters are set based on that].

j-console works with any protocol / filters you configure.
The test script is using raw CAN, but some of the lines are less than 12 bytes so they need padding to full length in RAW can.


Maybe we can focus on the initial connection and filter setup for both protocols in j-console and then move on from there.

Or start playing in ISO15765 in vpw-console with predefined filters set.
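An added example (my code, not Universal Patcher's) that checks console script lines for exactly the mix described in the reply above: it drops '#' and '//' comments, splits off the ':responses:timeout' modifiers, pads frames to the 12-byte "00 00 ID ID d0..d7" layout, and records whether each data field parses as an ISO 15765 single frame or as raw CAN. It assumes ID 0x101 is the extended-addressing case (target byte, then PCI), recognises single frames only, and leaves lines with run-time tokens such as key or var1 unpadded.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

KEYWORDS = ("globaldelay", "loop", "endloop", "delay", "variable", "getseed", "break")

@dataclass
class ScriptLine:
    kind: str                       # "comment", "command" or "frame"
    frame: Optional[bytes] = None   # frame padded to 12 bytes ("00 00 ID ID d0..d7")
    expected: Optional[int] = None  # ':N' expected-responses modifier
    timeout: Optional[int] = None   # ':N:T' timeout modifier
    isotp: Optional[bool] = None    # data field parses as an ISO 15765 single frame
    notes: List[str] = field(default_factory=list)

def parse_line(raw: str) -> ScriptLine:
    text = raw.split("//", 1)[0].strip()            # drop '//' annotations
    if not text or text.startswith("#"):            # '#' = skip line / comment
        return ScriptLine("comment")
    parts = text.split(":")
    if parts[0].lower() in KEYWORDS:
        return ScriptLine("command")
    line = ScriptLine("frame")
    if len(parts) > 1:
        line.expected = int(parts[1])
    if len(parts) > 2:
        line.timeout = int(parts[2])
    try:
        frame = bytes(int(tok, 16) for tok in parts[0].split())
    except ValueError:                              # 'key', 'var1', ... are filled in at run time
        line.notes.append("non-hex token; left as is")
        return line
    if len(frame) > 12:
        line.notes.append("longer than 12 bytes")
        return line
    if len(frame) < 12:
        line.notes.append("padded from %d to 12 bytes" % len(frame))
        frame = frame.ljust(12, b"\x00")
    line.frame = frame
    # Assumption: ID 0x101 is the extended-addressing case described in the
    # thread (target byte, then PCI); any other ID has the PCI byte first.
    data = frame[5:] if frame[2:4] == b"\x01\x01" else frame[4:]
    pci = data[0]
    tail = data[1 + pci:] if pci <= 7 else b""
    line.isotp = 1 <= pci <= 7 and tail in (b"\x00" * len(tail), b"\xff" * len(tail))
    return line

def check_script(lines: List[str]) -> Tuple[List[ScriptLine], bool]:
    """Parse all lines; the flag is True when ISO 15765 and raw CAN frames are mixed."""
    parsed = [parse_line(l) for l in lines]
    return parsed, {p.isotp for p in parsed if p.frame is not None} == {True, False}
```

Running check_script over the test script posted earlier in the thread flags the mix before anything is sent on the bus.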