RomRaider

Open Source ECU Tools
 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Mon Aug 22, 2016 5:38 am 
Experienced

Joined: Wed Nov 10, 2010 7:56 am
Posts: 418
Hey, great new stuff :)

Why don't you poke me so I can react a little earlier.. ;)


At the moment I am a bit busy, but I will look for the stuff I collected in the meantime on this function. I also started with a sniff of the CAN communication during forced regeneration.

With these sniffs, we also found that there is a security challenge before you are able to enter the workshop functions.
ECUtek's deltadash already manages this challenge, so you will find (and can sniff) all you need at the deltadash tool too.

Subaru's workshop tool never uses SSMviaCAN, which is supported by RomRaider. This is the reason why you cannot measure e.g. distance since last active regeneration or the total count of active regenerations via RomRaider.
The SSM-III and SSM-IV use Mode 0x22 and the PIDs you already recognise.
I have a complete list of all used values and switches on the E5 GEN2 diesel, like yours.

I can add this list if it is useful. It has some more values than the SDC list..

I expect the same function call on the EURO4 diesels as on the EURO5, but on EURO4 it should be SSM-II (K-line) based.
So it will be very good to treat both generations in parallel and try the functions on both.
As I remember, Mode 0x22 does not work in EURO4 ECUs, so I am a bit surprised to read about this. But I need to confirm, because normally I use K-line in EURO4. SSMviaCAN is possible on E4..

I also expect the E5 functions on the E6 diesels too, because it is still Mode 0x22 communication that is used and DENSO will not "discover the wheel the 2nd time..."

BR Jochen

_________________
performance based on engineering..


 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Wed Aug 24, 2016 1:30 pm 
Newbie

Joined: Thu Nov 19, 2015 12:23 am
Posts: 30
FINALLY, I FOUND IT!

To enable the extra modes the following commands must be sent, even though the first one indicated an error:

mode 0x85, pid 0x02
mode 0x10, pid 0x01
mode 0x10, pid 0x03

Edit: this is slightly wrong, the mode 0x85 command comes after successful authentication

Now if you check the auth flag with mode 0x22, pid 0xf186 you should get a single byte return of 0x3

At this point the extra modes are enabled!!!!

See below the first time ever the Euro5 ECU has been authenticated by someone without a financial agenda:
Code:
debug> ecuTX 27 01
T: 02 27 01 00 00 00 00 00
R: 06 67 01 99 2A 23 02 00
ecuTX: TRUE
debug> ecuTX 27 02 9a 9b 2c c9
T: 06 27 02 9A 9B 2C C9 00
R: 02 67 02 00 00 00 00 00
ecuTX: TRUE


And just read out my #1 injector code:

Code:
debug> ecuTX 22 10 2A
T: 03 22 10 2A 00 00 00 00
R: 10 12 62 10 2A B2 0A 0E
T: 30 00 0A 00 00 00 00 00
R: 21 10 06 09 0F 0A 09 07
R: 22 F1 00 FE 00 AD 00 00
ecuTX: TRUE


Last edited by gnif on Wed Aug 24, 2016 10:26 pm, edited 1 time in total.

 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Wed Aug 24, 2016 1:59 pm 
Senior Member

Joined: Mon Jan 19, 2009 2:31 pm
Posts: 1615
Location: Moscow, Russia
Congratulations!
Is it sufficient to download and start arbitrary kernels?
Is this security state needed to upload the whole ROM by Extended mode 23 queries?


 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Wed Aug 24, 2016 2:14 pm 
Newbie

Joined: Thu Nov 19, 2015 12:23 am
Posts: 30
Sasha_A80 wrote:
Congratulations!
Is it sufficient to download and start arbitrary kernels?
Is this security state needed to upload the whole ROM by Extended mode 23 queries?


It seems so! Mode 0x23 becomes available after the pre-auth.

I just managed a mode 3 auth also:

Code:
debug> ecuRaw
Raw data frame output enabled.
debug> ecuAuth3
T: 03 22 F1 86 00 00 00 00
R: 04 62 F1 86 01 00 00 00
T: 02 85 02 00 00 00 00 00
R: 03 7F 85 22 00 00 00 00
T: 02 10 01 00 00 00 00 00
R: 02 50 01 00 00 00 00 00
T: 02 10 03 00 00 00 00 00
R: 02 50 03 00 00 00 00 00
T: 02 27 03 00 00 00 00 00
R: 06 67 03 15 F5 B4 D5 00
T: 06 27 04 18 61 2F D7 00
R: 02 67 04 00 00 00 00 00
ecuAuth3: TRUE
debug>


Edit: It looks like the command 0x3E 0x00, which the ECU responds to with 0x7E 0x00, is used as a keep-alive for the authentication session, as it times out otherwise. My dump of the forced regen at Subaru shows that after it completed there is just a ton of these messages; I assume this is while the car sat finished waiting for attention from a mechanic.


Last edited by gnif on Wed Aug 24, 2016 3:44 pm, edited 1 time in total.
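For anyone reading these ecuTX/ecuAuth3 traces, here is an added example (not code from the thread, RomRaider or gnif's tool) that reassembles the 8-byte frames as ISO 15765-2 (ISO-TP) transport and decodes each payload as an ISO 14229 (UDS) request or response, so the multi-frame injector read two posts up and the `7F 85 22` negative response from the ecuAuth3 trace come out as complete messages. The service and negative-response-code names are the standard UDS ones for those IDs and are assumed to apply to this ECU; the trace lines are copied from the two posts above.

```python
"""Decode the T:/R: traces quoted in this thread as ISO-TP frames carrying UDS messages.
Added example (not code from the thread, RomRaider or gnif's tool); the UDS service and
NRC names are ISO 14229's and are assumed to apply. TRACE is built from the traces above."""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

TRACE = """\
T: 03 22 10 2A 00 00 00 00
R: 10 12 62 10 2A B2 0A 0E
T: 30 00 0A 00 00 00 00 00
R: 21 10 06 09 0F 0A 09 07
R: 22 F1 00 FE 00 AD 00 00
T: 02 85 02 00 00 00 00 00
R: 03 7F 85 22 00 00 00 00
T: 02 27 03 00 00 00 00 00
R: 06 67 03 15 F5 B4 D5 00
"""
SERVICES = {0x10: "DiagnosticSessionControl", 0x22: "ReadDataByIdentifier",
            0x27: "SecurityAccess", 0x2C: "DynamicallyDefineDataIdentifier",
            0x31: "RoutineControl", 0x3E: "TesterPresent", 0x85: "ControlDTCSetting"}
NRCS = {0x22: "conditionsNotCorrect", 0x33: "securityAccessDenied", 0x35: "invalidKey"}

@dataclass
class Message:
    direction: str             # "T" = tester request, "R" = ECU reply
    service: int               # request SID (responses mapped back via SID - 0x40)
    data: bytes                # bytes after the SID (after the NRC for 0x7F)
    nrc: Optional[str] = None  # set when the ECU answered with 0x7F

    def describe(self) -> str:
        name = SERVICES.get(self.service, f"service 0x{self.service:02X}")
        if self.nrc:
            return f"{self.direction} {name}: negative response, {self.nrc}"
        return f"{self.direction} {name} {self.data.hex(' ')}"

def reassemble(frames: List[Tuple[str, bytes]]) -> Iterator[Tuple[str, bytes]]:
    pending = {}  # direction -> [expected length, buffer, next sequence number]
    for direction, f in frames:
        pci = f[0] >> 4
        if pci == 0:                          # single frame: low nibble = length
            yield direction, f[1:1 + (f[0] & 0x0F)]
        elif pci == 1:                        # first frame: 12-bit length, 6 data bytes
            pending[direction] = [((f[0] & 0x0F) << 8) | f[1], bytearray(f[2:8]), 1]
        elif pci == 2:                        # consecutive frame: low nibble = sequence
            state = pending.get(direction)
            if state is None or (f[0] & 0x0F) != state[2]:
                raise ValueError(f"unexpected consecutive frame {f[0]:02X}")
            state[1] += f[1:8]
            state[2] = (state[2] + 1) & 0x0F
            if len(state[1]) >= state[0]:     # drop padding beyond the declared length
                yield direction, bytes(state[1][:state[0]])
                del pending[direction]
        # pci == 3 is the flow-control frame ("30 00 0A"): it carries no payload

def decode(direction: str, payload: bytes) -> Message:
    sid = payload[0]
    if sid == 0x7F:                           # negative response: 7F <SID> <NRC>
        return Message(direction, payload[1], payload[3:],
                       NRCS.get(payload[2], f"0x{payload[2]:02X}"))
    if sid & 0x40:                            # positive response echoes SID + 0x40
        return Message(direction, sid - 0x40, payload[1:])
    return Message(direction, sid, payload[1:])

def decode_trace(text: str) -> List[Message]:
    frames = []
    for line in text.splitlines():
        direction, _, hexbytes = line.partition(":")
        if direction.strip() in ("T", "R") and hexbytes.strip():
            frames.append((direction.strip(), bytes.fromhex(hexbytes)))
    return [decode(d, p) for d, p in reassemble(frames)]
```

Lines without a `T:`/`R:` prefix (the `debug>` prompts) are skipped, so a raw debug log can be pasted in as-is.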

 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Wed Aug 24, 2016 2:45 pm 
Newbie

Joined: Thu Nov 19, 2015 12:23 am
Posts: 30
Jochen_145 wrote:
Hey, great new stuff :)
Subaru's workshop tool never uses SSMviaCAN, which is supported by RomRaider. This is the reason why you cannot measure e.g. distance since last active regeneration or the total count of active regenerations via RomRaider.


That is odd, these values were discovered quite some time ago by Martin from SDC
0x22 PID 0x1157 = DPF Regeneration Count

Jochen_145 wrote:
As I remember, Mode 0x22 does not work in EURO4 ECUs, so I am a bit surprised to read about this. But I need to confirm, because normally I use K-line in EURO4. SSMviaCAN is possible on E4..


Really? From what I understand on the SDC website, it works just fine. See the page https://subdiesel.wordpress.com/generic ... 2-via-can/ where it states "This protocol is supported on Subaru Diesel Euro 4/5 as well as petrol models."

I believe the reason my dumps are missing this information is that the Subaru tool perhaps talks on BOTH CAN and K-line, which would make it harder to trace.

Edit:

There is more to authenticate at the various access levels:

Level 1 = 0x27 0x01
Level 3 = 0x27 0x03
Level 5 = 0x27 0x05

So far we have levels 1 & 3 figured out; level 5 is a little trickier to call, but I just figured it out and need to perform some further testing to be sure of the order of commands. I believe I was getting booted out of level 1 auth, as you need to call mode 0x85 0x02 after each successful level of authentication, which also enables calling the level 5 auth, which has a different challenge again.

Edit:

I have figured out 0x05 auth, it was just a bit of shifting bytes around, same algorithm. I also discovered that the 0x85 0x02 command doesn't need to be present to auth, just the mode 0x10 calls. However, calling mode 85 after authenticating stops you losing the level of access. It clearly plays a role in mode 0x10 calls also as there are extra features there to unlock with it... somehow


 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Thu Aug 25, 2016 7:37 am 
Newbie

Joined: Thu Nov 19, 2015 12:23 am
Posts: 30
I believe I have the ECU entering kernel mode, the following set of commands is the sequence:

Code:
/* enable the extra modes */
T: 10 03
R: 50 03
T: 85 02
R: C5 02

/* authenticate using the commonly known algorithm */
T: 27 01
R: 67 01 68 4B 65 18
T: 27 02 DF DC 75 75
R: 67 02

/* enter kernel mode */
T: 10 02
R: 50 02


I am guessing this is kernel mode, the ECU no longer responds on the CAN bus, and the instrument panel lights up like a Christmas tree. Turning the ignition off and back on resets it back to normal.

Note that there is extensive checking on this code path, basically to ensure the vehicle is stopped, the engine is off and the battery voltage is sane. I am not that interested in this level of access at this point, I am more interested in getting the car to enter mode 10 43, which I believe enables the service routines.

Edit: Entering service mode (my primary goal) requires manipulation of a variable by means of calls to 0x31 0x01 0x50 0x00-0x04 after level 3 auth has been performed. This is the final piece of the puzzle, and it is infuriating as I believe it is beyond my abilities to unravel what is going on here.


 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Sat Aug 27, 2016 3:36 pm 
Newbie

Joined: Thu Nov 19, 2015 12:23 am
Posts: 30
It looks like I may have found a streamlined mode 0x22 command. 0x2C looks like it accepts a list of mode 0x22 PIDs to query and return in a single request, this is great news for people that are doing data logging. This is at the moment unconfirmed until I can get back to the house and plug into my car to test.

Edit:

New command identified! Clear Memory

Prerequisite: Auth Level 3
0x31 0x01 0xff 0x00 0x00 0x00
0x31 0x03 0xff 0x00


Last edited by gnif on Sat Aug 27, 2016 5:55 pm, edited 1 time in total.

 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Sat Aug 27, 2016 4:20 pm 
Senior Member

Joined: Mon Jan 19, 2009 2:31 pm
Posts: 1615
Location: Moscow, Russia
SSM4 scanner does use this streamline feature.


 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Sun Aug 28, 2016 6:03 am 
Experienced

Joined: Wed Nov 10, 2010 7:56 am
Posts: 418
gnif wrote:
That is odd, these values were discovered quite some time ago by Martin from SDC
0x22 PID 0x1157 = DPF Regeneration Count

Yes, that's true, but RomRaider does NOT support Mode 0x22 yet.
See my threads concerning Mode 0x22 in this forum..

btw.: not discovered by Martin alone ;)
There are more PIDs available than posted at the SDC site :D


Quote:
Really? From what I understand on the SDC website, it works just fine. See the page https://subdiesel.wordpress.com/generic ... 2-via-can/ where it states "This protocol is supported on Subaru Diesel Euro 4/5 as well as petrol models."


Two different things:

SSMviaCAN is NOT similar to Mode 0x22!
SSM-III talks Mode 0x22, NOT SSMviaCAN

So, SSMviaCAN is supported in E4, Mode 0x22 isn't
Vice versa E6 Diesel: SSMviaCAN isn't supported, Mode 0x22 is.

E5 Diesel: both are, so you can read E5 with SSMviaCAN (but not all values, like "distance between reg" etc.) and Mode 0x22 ("distance between reg" is available)


Quote:
I believe the reason my dumps are missing this information is that the subaru tool perhaps talks on BOTH can and k-line, which would make it harder to trace.

SSM-III talks Mode 0x22 and K-line, but not SSMviaCAN.
Just read my threads concerning Mode 0x22.

Quote:
Edit:

There is more to authenticate at the various access levels:

Level 1 = 0x27 0x01
Level 3 = 0x27 0x03
Level 5 = 0x27 0x05

So far we have levels 1 & 3 figured out, level 5 is a little trickier to call, but I just figured it out, need to perform some further testing to be sure of the order of commands.


Don't know if you describe it more complicated than it is:
"Level 1" IMO is just "start session"
It is sent on every communication start. Also necessary if you just start reading measuring values.

"Level 3" is "security challenge" which enables workshop functions.
See attached a sniff of resetting oil dilution via SSM-III on E5 Diesel

Quote:
See below the first time ever the Euro5 ECU has been authenticated by someone without a financial agenda


Don't get me wrong, I really appreciate your work, but this isn't true.
I have been working on this for years, but no one took the results over into the RomRaider logger.
I sniffed all the functions you are looking for and re-engineering now; we only got stuck at the security challenge, which cannot be hacked by having a few sniffs..
Sadly my hard disk crashed in the meantime, so a lot of infos and sniffs are gone... :(

Quote:
Is this security state needed to upload the whole ROM by Extended mode 23 queries?

Yes it is. See my Mode 0x22 thread..
The question is whether a "Level 3" security challenge "win" is enough to enable Mode 0x23 ROM read.
I cannot test because of the missing algorithm of the challenge, and SSM-III does not support reading, so no sniff is available.

BR Jochen



_________________
performance based on engineering..


 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Sun Aug 28, 2016 6:19 am 
Newbie

Joined: Thu Nov 19, 2015 12:23 am
Posts: 30
Thanks for the information, but as I stated, the first time in the public domain that I am aware of that a Euro5 has authenticated with open software.

I have all the algorithms for the challenges and responses now. I am sorry if others have found this stuff, but there is very (and I literally mean very) little public information on how any of this works.

For example, mode 22 supports streamlining multiple values, I only just figured this out, perhaps I missed it on the SDC website or somewhere else, but it explains a ton of the data in my dumps I could not attribute for... for example, this was in my dump:

Code:
22 02 01 02 02 02 05 02 06


This is actually four requests for mode 22 values

Code:
22 [02 01] [02 02] [02 05] [02 06]


The reply is all three together in one message

Code:
62 [[02 01] [f0 c0 00 00]] [[02 02] [fe 80 40 80]] [[02 05] [30 00 10 00]] [[02 06] 4f 8d c0 00]



EDIT

SUCCESS! I just triggered a DPF regeneration!

Not sure on this part, it seems to be required but it is not obvious in the assembly
Code:
-> 22 10 31
<- 62 10 31 00
-> 22 10 30
<- 62 10 30 ff


And here is the magic sauce!
Code:
-> 10 03              - Enable mode 0x27
<- 50 03
-> 27 03              - Service mode 3 auth
<- 67 03 aa bb cc dd
-> 27 04 11 c5 20 48
<- 67 04
-> 31 01 80 02        - Start the regeneration
<- 71 01 80 02 00 01


Last edited by gnif on Sun Aug 28, 2016 7:47 am, edited 1 time in total.
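As an added example (not code from the thread or RomRaider), a small parser for the batched mode 0x22 request/reply format shown above: it walks the `62` reply against the PIDs in the `22` request, checks that each echoed PID arrives in request order, and rejects trailing or missing bytes. It assumes, as gnif's sample does, that every requested PID returns a 4-byte value; REQUEST and REPLY are copied from the post.

```python
"""Split a batched mode 0x22 reply into per-PID values. Added example, not code
from the thread or RomRaider; the 4-byte value width is taken from gnif's
sample above and is an ECU-specific assumption."""
from typing import Dict, List

REQUEST = bytes.fromhex("22 02 01 02 02 02 05 02 06")            # from the post
REPLY = bytes.fromhex("62 02 01 f0 c0 00 00 02 02 fe 80 40 80 "  # from the post
                      "02 05 30 00 10 00 02 06 4f 8d c0 00")
VALUE_LEN = 4  # width observed for these PIDs; not something the ECU announces

def requested_pids(request: bytes) -> List[int]:
    """Return the 16-bit PIDs from a 22 <pid> <pid> ... request."""
    if request[0] != 0x22 or len(request) % 2 != 1:
        raise ValueError("not a well-formed mode 0x22 request")
    return [int.from_bytes(request[i:i + 2], "big") for i in range(1, len(request), 2)]

def split_reply(request: bytes, reply: bytes, value_len: int = VALUE_LEN) -> Dict[int, bytes]:
    """Walk the 62 reply, checking each echoed PID against the request order."""
    if reply[0] != 0x62:
        raise ValueError(f"not a positive mode 0x22 reply: {reply[0]:02X}")
    values, pos = {}, 1
    for pid in requested_pids(request):
        echoed = int.from_bytes(reply[pos:pos + 2], "big")
        if echoed != pid:
            raise ValueError(f"expected PID {pid:04X} at offset {pos}, got {echoed:04X}")
        values[pid] = reply[pos + 2:pos + 2 + value_len]
        pos += 2 + value_len
    if pos != len(reply):  # short value or padding: reply length does not match
        raise ValueError(f"reply length {len(reply)} does not match {pos} expected bytes")
    return values
```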

 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Sun Aug 28, 2016 7:44 am 
Experienced

Joined: Wed Nov 10, 2010 7:56 am
Posts: 418
gnif wrote:
I have all the algorithms for the challenges and responses now. I am sorry if others have found this stuff, but there is very (and I literally mean very) little public information on how any of this works.


#1: well done and good to know :!:
#2: I have been fighting with this issue for years..

I am (it feels) the only one who still works on the Subaru diesels since years (ECU definitions, logger def., workshop functions)
I publish all infos here and in a German Subaru technic forum.
I was a member of SDC in the early beginning, but this blog isn't public at all either, even for the members among each other.
If you look at the RomRaider forum, I often requested support and knowledge transfer to collect all the little pieces concerning the Diesels and put them together, but NO reply.

We need to implement Mode 0x22 into RomRaider even for future support of WRX/STI, BRZ and EURO6 Diesel.
But no one did yet. I think all info is available, as the Tactrix stand-alone logger or Torque app will do the job meantime.


Quote:
For example, mode 22 supports streamlining multiple values, I only just figured this out, perhaps I missed it on the SDC website or somewhere else, but it explains a ton of the data in my dumps I could not attribute for...


I know :(
"streamlining", "DAQ-list logging", "free-running", call it as you want, but this is much faster than a stand-alone logger or Torque app will do using polling mode.

SSM-III uses DAQ lists for reading measuring values and reads all (!) available values and switches at a sample rate of 250 Hz (13 samples in 50 ms for one DAQ list).
If you would like to have a CAN sniff of it, shoot me a mail



Quote:
SUCCESS! I just triggered a DPF regeneration!


Well done :!: :!:

Do we have a chance to get this functionality in the RomRaider logger?

(as well as oil dilution reset, DPF values read/write, DPF reset, read/write injector codes etc...)

Jochen

_________________
performance based on engineering..


 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Sun Aug 28, 2016 7:51 am 
Newbie

Joined: Thu Nov 19, 2015 12:23 am
Posts: 30
I just updated my post with the details of generating a DPF regen.

I am not personally interested in adding this to RomRaider as I am using a completely self written and developed platform, but I have no issues with sharing the code so someone else may incorporate it into RR.

Personally I am very new to ECU hacking/editing, I have never flashed an ECU, changed a map, or even pretend to understand them yet... I simply had a need to fix a problem. But now I have, I am VERY interested in learning.


 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Sun Aug 28, 2016 9:20 am 
Experienced

Joined: Wed Nov 10, 2010 7:56 am
Posts: 418
gnif wrote:
Not sure on this part, it seems to be required but it is not obvious in the assembly
Code:
-> 22 10 31
<- 62 10 31 00
-> 22 10 30
<- 62 10 30 ff


For me, it seems to be a simple Mode 0x22 request of PIDs 1031 and 1030.
These values are not part of my list yet, but they seem to be switches or status values.
Forced regeneration is only possible if the soot ratio is lower than 130%.
Maybe it is a request whether forced regeneration is possible.

Quote:
And here is the magic sauce!
Code:
-> 10 03              - Enable mode 0x27
<- 50 03
-> 27 03              - Service mode 3 auth
<- 67 03 aa bb cc dd    - ECU seed
-> 27 04 11 c5 20 48    - Tester calculated key
<- 67 04               - result of the challenge from ECU (pass/fail)
-> 31 01 80 02        - Start the regeneration
<- 71 01 80 02 00 01


Thanks for sharing.
To take it over or use it as code for a CAN tool e.g., the service mode 3 auth (security challenge) needs to be calculated. It is a seed-and-key communication.

As I understand, you match it. Are you willing to share this too?

What I also expect is a stop session sequence after finishing the sequence:
Code:
-> 10 01
<- 50 01


And to be fine with the conditions, read engine, speed, AGTs and soot ratio, as well as the regeneration switch during forced regeneration

BR Jochen

_________________
performance based on engineering..


 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Sun Aug 28, 2016 9:40 am 
Senior Member

Joined: Mon Jan 19, 2009 2:31 pm
Posts: 1615
Location: Moscow, Russia
As to me I would like to finally understand what is really needed for:

- mode 22 and mode 22 batch logging
- mode 23 ecu reading

These allow useful logging and algorithm/calibration analysis to be done.


 Post subject: Re: Subaru Euro5 Reverse Engineering! Found new authenticati
PostPosted: Sun Aug 28, 2016 9:57 am 
Newbie

Joined: Thu Nov 19, 2015 12:23 am
Posts: 30
Jochen_145 wrote:
Thanks for sharing.
To take it over or use it as code for a CAN tool e.g., the service mode 3 auth (security challenge) needs to be calculated. It is a seed-and-key communication.

As I understand, you match it. Are you willing to share this too?


Sure! Here it is

Code:
#include <stdint.h>

/* 16-bit substitution step: each nibble of the low 16 bits of n is replaced
 * through a 32-entry table indexed by that nibble plus the next higher bit;
 * bit 0 is copied to bit 16 so the top nibble's lookup wraps around to bit 0. */
uint16_t transform(uint32_t n)
{
  const uint8_t nibbleTable[32] =
  {
    0x5, 0x6, 0x7, 0x1, 0x9, 0xc, 0xd, 0x8,
    0xa, 0xd, 0x2, 0xb, 0xf, 0x4, 0x0, 0x3,
    0xb, 0x4, 0x6, 0x0, 0xf, 0x2, 0xd, 0x9,
    0x5, 0xc, 0x1, 0xa, 0x3, 0xd, 0xe, 0x8
  };

  int      i;
  uint16_t result = 0;

  n |= (n & 1) << 16;
  for(i = 0; i < 16; i += 4)
    result |= nibbleTable[(n >> i) % 32] << i;
  return result;
}

/* 16-round Feistel-style network over the 32-bit seed with a fixed 16-entry
 * key schedule: the low half is XORed with the round key, substituted, rotated
 * right by 3 and XORed into the high half; the halves swap every round and
 * once more before the result is returned. */
uint32_t cryptCalcAnswer(const uint32_t challenge)
{
  const uint16_t key[16] =
  {
    0x78b1, 0x4625, 0x201c, 0x9ea5, 0xad6b,
    0x35f4, 0xfd21, 0x5e71, 0xb046, 0x7f4a,
    0x4b75, 0x93f9, 0x1895, 0x8961, 0x3ecc,
    0x862b
  };

  uint32_t answer = challenge;
  int      i;
  for(i = 15; i >= 0; --i)
  {
    uint16_t num = transform((answer & 0xffff) ^ key[i]);
    /* new high half = old low half; new low half = rotr16(num, 3) ^ old high half */
    answer = ((answer & 0xffff) << 16) | (uint16_t)(((num >> 3) | (num << 13)) ^ ((answer & 0xffff0000) >> 16));
  }
  return (answer >> 16) | (answer << 16);
}


This is stuff that is generally already known and will answer a level 1 auth, but for level 3 you also need to swap some bytes around.

c = the 32bit challenge sent by the ECU for a level 3 auth
a = the calculated answer

Code:
  c = ((c >> 8) & 0x00FFFF00) | ((c & 0x0000FF00) << 16) | (c & 0xFF);
  a = cryptCalcAnswer(c);
  a = ((a & 0xFF000000) >> 24) | (a & 0x00FFFF00) | ((a & 0xFF) << 24);


Level 5 needs the following transformation instead

Code:
  c =  ((c & 0xFF) << 8) | ((c & 0xFF00) << 16) | (c & 0xFF0000) | ((c & 0xFF000000) >> 24);
  a = cryptCalcAnswer(c);
  a = ((a & 0xFF) << 8) | ((a & 0xFF00) << 16) | ((a & 0xFF0000) >> 16) | ((a & 0xFF000000) >> 8);


Jochen_145 wrote:
What I also expect is a stop session sequence after finishing the sequence:
Code:
-> 10 01
<- 50 01


And to be fine with the conditions, read engine, speed, AGTs and soot ratio, as well as the regeneration switch during forced regeneration

BR Jochen


Correct, these should be done, I have only provided the minimum to issue a regeneration. As for the 'stop' sequence, all this does is de-authenticate the session, there is no need to issue this (although a good idea for completeness), just removing the key from the ignition (ecu reset) will do this.

Jochen_145 wrote:
Forced regeneration is only possible if the soot ratio is lower than 130%.


Incorrect, this is an artificial limit imposed by the SSM3 suite, the car will do a forced regeneration at any level.

I also believe the following code can be used to poll the forced regeneration status

Code:
31 03 80 02

