RomRaider
fenugrec
Post subject: CAN-only / "recent" ROMs   Posted: Thu Aug 04, 2016 10:17 pm
I know some people are looking at more recent ROMs than I've worked on, here's a bit of stuff I observed that may help (or not at all).

*****************

In 1KA6A, there's a weird trick with the vbr register and vector tables (no, this isn't one of those stupid ass "Local mom discovers weird trick to confuse IDA" etc). This piece of code constructs a vector table in RAM at FFFF8500:

Code:
ROM:000028C4    mov     #h'FFFFFFE7, r5
ROM:000028C6    mov.w   @(h'AC,pc), r7      ; r7 = h'FFFF8500
ROM:000028C8    extu.b  r5, r5
ROM:000028CA    mov.w   @(h'AA,pc), r4      ; r4 = 0x2614 = &Poweron_Reset
ROM:000028CC    mov     #0, r6
ROM:000028CE
ROM:000028CE loc_28CE:
ROM:000028CE    extu.w  r6, r6
ROM:000028D0    mov     r6, r0              ; whaaaat : prepare a RAM vector table !
ROM:000028D2    add     #1, r6
ROM:000028D4    extu.w  r6, r6
ROM:000028D6    shll2   r0
ROM:000028D8    cmp/gt  r5, r6
ROM:000028DA    bf/s    loc_28CE
ROM:000028DC    mov.l   r4, @(r0,r7)

and then, in a few places in the ROM, you'll see vbr get set to FFFF8500 like this:

Code:
ROM:0000097C    mov     #-h'7B, r6          ; r6 = 0xFFFFFF85
ROM:0000097E    mov.l   r5, @r15            ; unrelated
ROM:00000980    shll8   r6                  ; FFFF 8500 !
ROM:00000982    ldc     r6, vbr             ; and, boom.

*************

Those recent ROMs have RIPEMD-160 code, and I'm still not sure of the details, but it's somehow related to that vector table at FFFF8500. The RP160 function itself calculates a 20-byte hash (in certain situations only? or continuously?). If I'm reading the code correctly, the hash is calculated over that table @ FFFF8500, but the length looks insane (0x2614 probably), and I'm not sure what that hash is compared to. Again from 1KA6A:

Code:
ROM:00000426    add     r5, r14             ; r14 = [ffff8500]dd
ROM:00000428    stc     gbr, r5             ; r4=ffff8500 also
ROM:0000042A    add     #h'10, r5           ; r5=ffff826e
ROM:0000042C    bsr     RIPEMD160           ; i: r4=&src?, r5=&dest?, r6:len?
ROM:0000042E    mov     r14, r6
So, I'm not sure any more if that RP160 hash is important for ROM modifications.
If you like nisprog + npkern, you can support me via https://liberapay.com/fenugrec/ For sending me encrypted/secure messages, use PGP key 0xBAC61AEB3A3E6531 available from pool.sks-keyservers.net
Sasha_A80
Post subject: Re: CAN-only / "recent" ROMs   Posted: Thu Aug 04, 2016 11:19 pm
This short length of the code verified may be applicable to a downloaded subroutine (most probably the loader code). The idea may be to allow only "signed" subroutines to be loaded and started.
Shuher
Post subject: Re: CAN-only / "recent" ROMs   Posted: Sat Sep 10, 2016 4:38 pm
These CAN-type ROMs seem to be weird - they accept almost every response to SID27 seed request. I got the following sequence working good with absolutely any SID27 key value:
- request seed by sending 0x27 0x81 to ECU (on CAN-type ECU it seems that another SID 27 service is used)
- get a response 0x67 0x81 S3 S2 S1 S0
- make a calculation using the same algo as fenugrec posted for K-Line type ECUs
- send a reply to ECU like 0x27 0x82 K3 K2 K1 K0
- get 0x67 0x82 positive reply from ECU
And then, as usual, I suddenly noticed a mistake in my implementation of key algo, tried some random values as a key for calculating reply, etc - anyway I was getting positive reply from ECU. Interesting, what have I missed this time...
Sasha_A80
Post subject: Re: CAN-only / "recent" ROMs   Posted: Sun Sep 11, 2016 6:26 am
Does that mean you are able to upload this CAN-only ROM via OBD mode23 with incorrect security init ?
Shuher
Post subject: Re: CAN-only / "recent" ROMs   Posted: Sun Sep 11, 2016 6:45 am
Not yet, for the moment I've just reached the authorization step and managed to pass it (at least the 67 82 reply means this). The next step requires CAN exchange which my ELM327 device cannot do, so I need to find something more suitable here, maybe a VAG K+CAN adapter.
LarsonicD
Post subject: Re: CAN-only / "recent" ROMs   Posted: Wed Dec 14, 2016 6:27 am
Hi. After reading through all the great Nissan progress made in this section (thanks to all involved), I've been trying to figure out how to find the SID27 key in a given ROM once it has been read out of an ECU. I'm new to IDA but I figured a good starting point would be to try to find an already found key in a ROM. I chose to start with the Juke ROM 1KA6A which reportedly has an SID27 key of E5D097FC. I can see this is in a data section of the ROM at address 0x32DBC-0x32DBF. But I can see nothing showing in IDA as linking to that address or anything near it. This makes me wonder if my IDA definition isn't set up properly or something.
I saw the following comment made by the amazingly helpful fenugrec:
SID27key : I usually find it by looking for “cmp/eq 0x27”, find the SID27 handler that calls “prepkey” before setting ‘keystate=1’
Looking for "cmp/eq 0x27" in the 1KA6A ROM after disassembly with IDA it seems to pop up in two places - 0x00AF8 (function sub_91c) and 0x2CF3E (function sub_2CE3C). But it didn't take me long to get lost from here. I certainly didn't find my way to where the key is at 0x32DBC-0x32DBF. Does anyone feel like pointing me in the right direction from here?
fenugrec
Post subject: Re: CAN-only / "recent" ROMs   Posted: Thu Dec 15, 2016 10:07 pm
LarsonicD wrote:
But I can see nothing showing in IDA as linking to that address or anything near it. This makes me wonder if my IDA definition isn't set up properly or something.

Possibly... it can take some tweaking to get all the code to be recognized as such, with proper xrefs etc.

Quote:
Looking for "cmp/eq 0x27" in the 1KA6A ROM after disassembly with IDA it seems to pop up in two places - 0x00AF8 (function sub_91c) and 0x2CF3E (function sub_2CE3C). But it didn't take me long to get lost from here.

Heh. You'll need to be quite familiar with SH assembly, and spend more time with IDA (hours and hours...) to get a feel of how xrefs work in IDA etc. (hint - try pressing 'x' on function names, and View->Graphs->Xrefs to/from)
Last edited by fenugrec on Fri Dec 16, 2016 10:54 am, edited 1 time in total.
LarsonicD
Post subject: Re: CAN-only / "recent" ROMs   Posted: Fri Dec 16, 2016 1:43 am
Thanks for the reply fenugrec. I know you've already spent countless hours on Nissan disassembly with IDA and given away far more than your fair share of information you've learned here on Rom Raider and the wiki you set up. Is your crowdsupply campaign still the best way to show support for your efforts?
pirelli2006
Post subject: Nisprog ECU 705519n   Posted: Fri Feb 01, 2019 4:21 am
@fenugrec. I can use your nisprog, it's great work. Thank you so much!!! I very much liked the prog as it saves a lot of my time. Earlier, because of any change in an insertion, it was necessary to sew 512 Kb for 15 minutes, and now only the necessary area, but in advance only to govern checksum. I understood that this prog is made for k-line. I want to be connected to block 705519n (nissan qashqai, tiida, note) and there is no connection. Though according to the scheme it is k-line at this block. Or are there blocks which connect only on CAN? What am I to make? What log? 23701EM63B for example. special loader80; bad altcks?, CAN only - means it will not turn out to use this program?
fenugrec
Post subject: Re: Nisprog ECU 705519n   Posted: Fri Feb 08, 2019 10:48 am
pirelli2006 wrote:
Though is according to the scheme k-line at this block. Or there are blocks which connect only on can? What to me to make? what log? 23701EM63B for example. special loader80; bad altcks ?, CAN only - means it will not turn out to use this program?

EM63B is CAN only, so if your ECU is EM63B, then nisprog will not work. Also, your questions are extremely difficult to understand. Maybe try some (other) translation software, or ask help from someone. No offense intended, it's just very hard to communicate.
pirelli2006
Post subject: Re: Nisprog ECU 705519n   Posted: Tue Feb 12, 2019 3:30 pm
Quote:
can-only ecu, can I connect to them?

Not with nisprog. It's based on the backend of freediag (libdiag) which has no CAN support. Even if it did, the kernel transfer method is untested on CAN ECUs and would probably not work as-is.
pirelli2006
Post subject: Re: Nisprog ECU 705519n   Posted: Fri Feb 15, 2019 9:46 am
Logs of read/write to a CAN ECU.
pirelli2006
Post subject: Re: CAN-only / "recent" ROMs   Posted: Wed Feb 20, 2019 4:04 am
Some more logs from a CAN-only ECU. These are logs with Consult 3 Plus. @a33b: .dat w/o boot, with Consult write to ECU.
pirelli2006
Post subject: Re: CAN-only / "recent" ROMs   Posted: Thu Feb 21, 2019 11:17 am
The .dat file that I flashed and made the log with.
a33b
Post subject: Re: CAN-only / "recent" ROMs   Posted: Fri Feb 22, 2019 5:12 pm
Took a look at the flash log and here's how the ECU/tester communicate to flash a .dat

Code:
44,487 7E0 8 02 10 C0 FF FF FF FF FF    hi
44,488 7E8 8 02 50 C0 00 00 00 00 00    hello
44,498 7E0 8 02 21 10 FF FF FF FF FF    who are you?
44,499 7E8 8 10 0D 61 10 31 45 4D 36    first frame 1EM6 of ECUID
44,500 7E0 8 30 00 00 FF FF FF FF FF    flow control send remaining frames like this...
44,500 7E8 8 21 33 42 30 30 30 30 30    cons. frame 3B
44,512 7E0 8 02 21 81 FF FF FF FF FF    readDataByLocalIdentifier 81 (VIN)
44,513 7E8 8 10 15 61 81 53 4A 4E 46    SJNF
44,513 7E0 8 30 00 00 FF FF FF FF FF
44,515 7E8 8 21 43 41 45 31 31 55 32    CAE11U2
44,516 7E8 8 22 32 30 38 32 38 37 5E    208287
44,518 7E8 8 23 A4 00 00 00 00 00 00
44,527 7E0 8 02 21 FE FF FF FF FF FF    readDataByLocalIdentifier FE (ROM Version)
44,528 7E8 8 10 1A 61 FE 30 30 30 30
44,529 7E0 8 30 00 00 FF FF FF FF FF
44,529 7E8 8 21 30 30 41 06 04 31 43    00A 1C  this is the first string in the .dat
44,530 7E8 8 22 4D 43 37 51 50 44 34    MC7QPD4
44,531 7E8 8 23 30 31 00 00 00 00 00    01
44,541 7E0 8 02 21 83 FF FF FF FF FF    readDataByLocalIdentifier 83 (ECU ID short version)
44,541 7E8 8 10 1A 61 83 45 4D 36 33    EM63
44,542 7E0 8 30 00 00 FF FF FF FF FF
44,542 7E8 8 21 42 00 41 06 04 00 00    B
44,543 7E8 8 22 00 00 00 00 00 00 00
44,544 7E8 8 23 00 00 00 00 00 80 00
44,554 7E0 8 02 10 FB FF FF FF FF FF    Diag Session FB
44,555 7E8 8 02 50 FB 00 00 00 00 00
44,562 7E0 8 07 23 00 07 FF 84 00 04    RMBA 7FF84 4 bytes
44,563 7E8 8 05 63 4E 48 55 F9 00 00    4E 48 55 F9
44,572 7E0 8 02 21 F0 FF FF FF FF FF    readDataByLocalIdentifier F0
44,572 7E8 8 10 1A 61 F0 42 54 38 30    BT80
44,572 7E0 8 30 00 00 FF FF FF FF FF
44,573 7E8 8 21 41 01 41 06 04 31 43    A 1C
44,574 7E8 8 22 4D 43 37 51 34 30 30    MC7Q400
44,575 7E8 8 23 31 00 00 00 01 80 00
44,585 7E0 8 02 21 F1 FF FF FF FF FF    readDataByLocalIdentifier F1
44,585 7E8 8 10 1A 61 F1 01 02 03 04
44,586 7E0 8 30 00 00 FF FF FF FF FF
44,586 7E8 8 21 05 44 41 42 43 44 4E    DABCDN
44,588 7E8 8 22 4F 44 45 78 00 00 01    MDE
44,590 7E8 8 23 01 10 11 5C FF FF 00
44,601 7E0 8 02 21 FF FF FF FF FF FF    readDataByLocalIdentifier FF (HW ID)
44,602 7E8 8 10 1A 61 FF 00 00 00 00
44,602 7E0 8 30 00 00 FF FF FF FF FF
44,603 7E8 8 21 00 52 30 30 30 30 43
44,604 7E8 8 22 4F 4E 2D 33 05 14 04
44,605 7E8 8 23 04 00 00 5C BE 0D 00
44,614 7E0 8 02 10 81 FF FF FF FF FF    Diag Session Standard
44,614 7E8 8 02 50 81 00 00 00 00 00
34,022 7E0 8 02 10 C0 FF FF FF FF FF    Diag Session C0
34,023 7E8 8 02 50 C0 00 00 00 00 00
34,029 7E0 8 02 21 FE FF FF FF FF FF    readDataByLocalIdentifier FE (Product Num)
34,030 7E8 8 10 1A 61 FE 30 30 30 30
34,030 7E0 8 30 00 00 FF FF FF FF FF
34,031 7E8 8 21 30 30 41 06 04 31 43
34,032 7E8 8 22 4D 43 37 51 50 44 34
34,033 7E8 8 23 30 31 00 00 00 00 00
34,043 7E0 8 02 21 FF FF FF FF FF FF    readDataByLocalIdentifier FF
34,043 7E8 8 10 1A 61 FF 00 00 00 00
34,043 7E0 8 30 00 00 FF FF FF FF FF
34,046 7E8 8 21 00 52 30 30 30 30 43
34,046 7E8 8 22 4F 4E 2D 33 05 14 04
34,047 7E8 8 23 04 00 00 5C BE 0D 00
34,057 7E0 8 02 21 F1 FF FF FF FF FF    readDataByLocalIdentifier F1
34,057 7E8 8 10 1A 61 F1 01 02 03 04
34,058 7E0 8 30 00 00 FF FF FF FF FF
34,058 7E8 8 21 05 44 41 42 43 44 4E
34,059 7E8 8 22 4F 44 45 78 00 00 01
34,060 7E8 8 23 01 10 11 5C FF FF 00
34,180 7E0 8 02 10 85 FF FF FF FF FF    Request programming session
34,180 7E8 8 02 50 85 00 00 00 00 00
35,390 7E0 8 02 27 81 FF FF FF FF FF    knock knock
35,393 7E8 8 06 67 81 1B 0E C7 DB 00    what's the password?
35,510 7E0 8 06 27 82 6F A3 D7 68 FF    here it is; 6F A3 D7 68
35,511 7E8 8 02 67 82 00 00 00 00 00    access granted
35,756 7E0 8 05 31 81 82 F0 5A FF FF    start routine by LID 82F05A
35,758 7E8 8 03 71 81 01 00 00 00 00
36,080 7E0 8 03 31 81 01 FF FF FF FF
36,082 7E8 8 03 71 81 01 00 00 00 00
...   It appears the ECU does some stuff (clears RAM) and the tester is told to wait as this repeats for a while
41,987 7E8 8 03 71 81 02 00 00 00 00    ECU ready! $02 seems to indicate this
42,322 7E0 8 10 88 34 82 00 82 00 80    request download $82  start load .dat after first 80 15 FC @ 008200 x80 bytes
42,322 7E0 8 21 2C A4 0D 06 23 6B EC
42,322 7E8 8 30 01 00 00 00 00 00 00
42,323 7E0 8 22 CA 55 44 7F 33 D1 3E
42,323 7E8 8 30 01 00 00 00 00 00 00
...
42,333 7E0 8 23 9F 3C 70 CB FF FF FF    last 2 bytes 70 CB (CRC16)
42,336 7E8 8 02 74 02 00 00 00 00 00
      4 bytes before each xx 80 15 FC in dat are not flashed (xx is cksum-8 including 80 15 FC)
42,342 7E0 8 10 88 34 82 00 82 80 80    set new flash block target

It then flashes the contents of the .dat 0x80 bytes at a time. When it is done it does this...

Code:
56,055 7E0 8 03 31 82 00 FF FF FF FF    start routine by LID
56,056 7E8 8 03 71 82 01 00 00 00 00
56,376 7E0 8 03 31 82 01 FF FF FF FF
56,376 7E8 8 03 71 82 02 00 00 00 00
56,534 7E0 8 10 38 34 83 00 00 00 30    3483 write 30 bytes at ????
56,534 7E8 8 30 01 00 00 00 00 00 00
56,535 7E0 8 21 FF FF FF FF FF FF FF
56,535 7E8 8 30 01 00 00 00 00 00 00
56,535 7E0 8 22 FF FF FF FF FF FF FF
56,536 7E8 8 30 01 00 00 00 00 00 00
56,536 7E0 8 23 FF FF FF FF FF FF FF
56,536 7E8 8 30 01 00 00 00 00 00 00
56,537 7E0 8 24 FF FF FF FF FF FF FF
56,537 7E8 8 30 01 00 00 00 00 00 00
56,537 7E0 8 25 FF FF FF FF FF FF FF
56,537 7E8 8 30 01 00 00 00 00 00 00
56,538 7E0 8 26 FF FF FF FF FF FF FF
56,538 7E8 8 30 01 00 00 00 00 00 00
56,538 7E0 8 27 FF FF FF FF FF FF B9    2 bytes chksum?
56,539 7E8 8 30 01 00 00 00 00 00 00
56,539 7E0 8 28 BC FF FF FF FF FF FF
56,543 7E8 8 02 74 02 00 00 00 00 00
56,548 7E0 8 02 10 81 FF FF FF FF FF    Diag Session Standard
56,549 7E8 8 02 50 81 00 00 00 00 00

Seems mostly straightforward to replicate. Questions that remain are:
- How does the tester know to look at 7FF84? From one of the responses or from an internal database? This address is correct for 512 kB ROMs, but would be FFF84 for 1 MB ROMs.
- What are the LID query responses used for?
- How is the LID determined to initiate the download?
- There is a 2-byte checksum (?) at the end of every 0x80 block sent. How is it calculated?
- There are 4 bytes between each block of 0x80 in the .dat that don't show up in the flash routine. The last byte is an 8-bit checksum for the previous 140-byte block.
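The multi-frame exchanges in the log above are ISO-TP (ISO 15765-2) segmented messages: a first frame (1x) announces the length, the receiver answers with a flow-control frame (30 ..), and consecutive frames (21, 22, ...) carry the rest. The following added Python example is not code from the thread or from any tool it mentions; it reassembles a few of the frames quoted in the post into whole KWP2000 messages and labels the services, using standard KWP2000 service names rather than anything read from the ECU.

```python
# ISO-TP (ISO 15765-2) reassembly of 7E0/7E8 frames like those in the flash log.
# Added illustration, not code from the thread; sample lines are copied from the post.
SAMPLE_LOG = """\
44,498 7E0 8 02 21 10 FF FF FF FF FF
44,499 7E8 8 10 0D 61 10 31 45 4D 36
44,500 7E0 8 30 00 00 FF FF FF FF FF
44,500 7E8 8 21 33 42 30 30 30 30 30
44,512 7E0 8 02 21 81 FF FF FF FF FF
44,513 7E8 8 10 15 61 81 53 4A 4E 46
44,513 7E0 8 30 00 00 FF FF FF FF FF
44,515 7E8 8 21 43 41 45 31 31 55 32
44,516 7E8 8 22 32 30 38 32 38 37 5E
44,518 7E8 8 23 A4 00 00 00 00 00 00
44,562 7E0 8 07 23 00 07 FF 84 00 04
44,563 7E8 8 05 63 4E 48 55 F9 00 00
"""
SERVICES = {0x10: "startDiagnosticSession", 0x21: "readDataByLocalIdentifier",
            0x23: "readMemoryByAddress", 0x27: "securityAccess",
            0x31: "startRoutineByLocalIdentifier", 0x34: "requestDownload"}

def reassemble(log):
    """Return [(can_id, payload)] for every complete ISO-TP message in the log."""
    out, pending = [], {}        # pending: can_id -> [announced_len, buf, next_sn]
    for line in log.splitlines():
        _ts, can_id, _dlc, *hexbytes = line.split()
        d = bytes.fromhex("".join(hexbytes))
        pci = d[0] >> 4
        if pci == 0:             # single frame: low nibble is the payload length
            out.append((can_id, d[1:1 + (d[0] & 0xF)]))
        elif pci == 1:           # first frame: 12-bit length, then 6 payload bytes
            pending[can_id] = [((d[0] & 0xF) << 8) | d[1], bytearray(d[2:]), 1]
        elif pci == 2:           # consecutive frame: low nibble is the sequence number
            msg = pending.get(can_id)
            if msg is None or (d[0] & 0xF) != msg[2]:
                raise ValueError(f"out-of-sequence consecutive frame on {can_id}")
            msg[1] += d[1:]
            msg[2] = (msg[2] + 1) & 0xF
            if len(msg[1]) >= msg[0]:   # complete: drop padding past the length
                out.append((can_id, bytes(msg[1][:msg[0]])))
                del pending[can_id]
        # pci == 3 is a flow-control frame from the receiver; it carries no payload
    return out

def describe(payload):
    """Name the service of a reassembled message and show its printable bytes."""
    sid = payload[0]
    name = SERVICES.get(sid & ~0x40, f"service {sid:02X}")
    kind = "response" if sid & 0x40 else "request"
    text = bytes(b for b in payload[1:] if 0x20 <= b < 0x7F).decode("ascii")
    return f"{name} {kind}: {payload[1:].hex()} [{text}]"
```

Running `describe` over `reassemble(SAMPLE_LOG)` yields the ECU ID string "1EM63B00000" and the 17-character VIN followed by two trailing bytes (5E A4), which is the same split a33b annotated by hand in the log.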