RomRaider

So @Pytrex has been asking me for some help on the CANBUS side of Nissan things.
I wrote a program, looked through this forum for the last few days or so.
But I currently have a non-working bench setup
Just no communication on the 2007 Altima ECU I have, or any of the other CANBUS ECUs I normally bench flash, I am thinking its an issue with my dupont cables.
So if anyone has an OP2 and a car from 2007ish to 2013ish would do me a solid
and try and communicate using the app, it would be greatly appreciated if you are feeling bold try dumping the rom.
I read through the log files that were posted in a couple of the threads, and from my understanding doesn't require a
security context to read from anywhere in the rom, so it should be setup to dump 1mb roms currently
I haven't quite got around to adding the other sizes, but that's next on the list.
I will be releasing the software open source here as soon as I can verify I get good reads and
will be working on writing afterwards. Lets get these CANBUS ECUs reading and writing.

I managed to get 1mb roms reading, but its incredibly slow.
Takes about 30 minutes to dump a 1mb rom.
I have tried every possible way I could think to speed up the read time,
I'm not sure if its how I wrote it, or if the ECU is just slow to respond to bigger SID23 commands.
I tried making the loop run faster, lowering timeouts, etc.
If you want to give it a try; currently the only processors setup to dump are 1mb files.
you need a OP2 or other j2534 device.
I'll finish up adding the other canbus based processors for dumping then move on to working on writing.
Lets get these nissans rolling.

kaspersky refers to the VHO Trojan virus: Trojan.MSIL.Staser.gen

You've definitely got some optimization to do, a full read on 1mb ecu should only take you about 3-4 minutes.

Write (and read for some) process also changes once you get to the 2mb stuff.

The program is not obfuscated, take a look for yourself.

I tested today with a 1.5mb file, and it read in about 5 minutes using the same methods.
The difference i noticed were that the 1.5mb ecus were much much faster to read, as they just responded on the first SID23 message
vs the 1mb ecu im using requiring 3 messages before i get the proper data back. (The echo, the start of message, then the actual data)
Not sure if its just this altima ecu
it also could be a bit faster if I were to read full sized dumps because iirc the max you can read is 63 bytes, and i am reading into
an even package so we don't have to have an uneven sized read at the end.

But thanks for the tip, ill dig deeper into it to try and optimize 1mb again.

https://github.com/Nii-Saan/Nii-Saan-Can-Utils
Source posted.
I just started working on writing this ecu, after going over a few threads.
Looking at the back and forth between a33b and fenugrec.
I am using a33bs bruteforce method, and haven't gone beyond that.
I can get ecus erasing, and i believe the request transfer exit is working correctly.

Want to help send a PR.

Awesome, glad to see this.

Thanks fenugrec, the last bit it needs to be able to write is figuring out how to do the SID 34 transfer because it's non standard. Generally. Mode 34 is setup where you set block sizes, and address and length of writing then use sid 36.
So I'm confused with it.

You've seen the full CAN reflash log posted here somewhere, right ?
It's non-standard but fairly self-explanatory as I recall.

BTW, the next release of RR with CAN logging support will have a CLI tool that reads and writes over CAN.

Reads and writes can roms?
That's great news and would have saved me a few days of working on this