RomRaider

First attempt, but just noticed I did not read the instructions properly and missed the 'Select' part. So attached may not be useful. Will try proper method next.

At least it does get seed from TCU so one step ahead but calculated key was wrong so take one step back

Ah, excellent! Thanks @AJ08H65EAT. The TCU is now speaking CAN. A big step forward and a small step back.

I think I have fixed the bug with the 0x27 step. And I've extended the code to jump into the kernel and attempt a ROM dump from the kernel. If the kernel ROM dump works then flashing is basically inevitable.

New versions to try:
- first get a new protocol.cfg from here
- FastECU_34_short here - does a test dump of 1024 bytes to default.bin. FastECU may crash afterwards, nothing to worry about (that's the known issue).
- FastECU_34_long here - does a test dump of the whole TCU to default.bin. FastECU may crash afterwards, nothing to worry about (that's the known issue). The first 0x8000 bytes will be 0xff due to a self-dumping restriction that the kernel applies.

If it all works, the TCU will be left in a state where it is running from its on board kernel and it will require a power cycle to get back to normal operation. This should just be on/off with the ignition key. No erasing or flashing will occur (unless a bug somehow replicates the exact erasing / flashing commands, which is highly unlikely).

Edit: @ajayel - whilst the iso14230 dump was protected in your ROM, this approach should work, so feel free to try.

Take a look at attached and see if it is useful. I don't think successful - but perhaps another step forward?

Thanks again!

Definitely a step forward! Perhaps two steps. Security algo successfully passed. And jump to kernel successful. ROM dump command didn't work. Not sure why, I suspect something to do with its length (256+ bytes per RXd message). Please try the updated FastECU_34_short.exe in the same repo location. Definitely getting closer now...

Here's the output from FastECU_34_short.exe v0.2 on my car with the latest protocols file. Added the .txt extension to upload the bin file.

Thanks @ajayel. Are you able to post the log window as text or a pic?

Looks like you entered the TCU ROM successfully, but the dump command didn't work fully. We only got 8 bytes instead of 1024.

@ajayel - looks like it’s not passing the security key stage. Your ROM could have different encryption words. What is your TCU ID? RR will report this, or higher up in the log window it will be reported. Based on what happened with ECUs, different chips (Hitachi vs Denso) had different encryption words.

Hi, Romraider logger, and FastECU shows my TCU with ID TCU 0217500 with the transmission physically labeled TG5D7CVDBA.

Ok, another version to try.

This one (FastECU_34_short.exe here) will:
- save the log window to log.txt to avoid having to snip pics. if log.txt already exists, the new log will append to the prior file, so you will need to delete log.txt if you want a clean log
- tries a different approach to capturing the 256+ byte response from the TCU.

@ajayel - that TCU ID looks quite different to the ones I have dug into (which are like ACD1A06000), so I suspect different encryption words. I will see if I can find a ROM image with a similar TCU ID in order to find the different encryption words. If you can run again and send me the log.txt file that may also provide some clues.

Thanks!

Thanks for updated .exe. Latest attempt attached. Log file worked, so no pic this time. Some carriage returns in the log might be nice if it is not difficult to implement.

Super, thanks again @AJ08H65EAT. Receiving long iso15765 messages is now working. The decryption failed, not sure why because it's working code borrowed from elsewhere, but I have fixed a null pointer bug that may have caused it. Please try the new FastECU_34_short.exe. I've also updated FastECU_34_long.exe if you want to try it, but no need to - I don't want to waste your time with a long dump before I've confirmed the short version is working ok.

Let me know if you need more testers. I have a 2011 Forester S-Edition with the 5EAT aswell.

Hi @riksk, yep, the more the merrier.

Yours will most likely be CAN based, so try the FastECU_34_short mentioned in the post above. Instructions on setting up FastECU are also shown higher up in this thread. It will be interesting to see if a 2011 era 5EAT has the same encryption words as a 2008 era. Thanks.