RomRaider

Open Source ECU Tools
All times are UTC - 5 hours [ DST ]





 Post subject: Re: nisprog reflash utility
PostPosted: Wed Nov 01, 2017 12:15 pm 

Joined: Tue Oct 13, 2015 1:56 am
Posts: 141
Location: Russia, Voronezh
On more recent ECUs it's also a part of the QR code on the sticker. 2D barcodes don't have it.


PostPosted: Wed May 02, 2018 3:15 am

Joined: Thu Apr 14, 2011 8:16 am
Posts: 425
brett s wrote:
runkernel e:\nisprog\npk_7055_18.bin


I always assumed early TB48 VC264 and VC266 were 7055_35. That's the one I was going to try first on my VC264 (even though it's a 2004 model).

fenugrec wrote:
you'll need a regular dump first to extract the keys from the ROM.


I have my ROM. How do I extract the keys?


PostPosted: Wed May 02, 2018 9:12 am

Joined: Wed Jan 08, 2014 11:07 pm
Posts: 652
bradsm87 wrote:
VC264

I have my ROM. How do I extract the keys?


Actually, you might not even have to; I think nisprog has keys for it already, so you could just try.

_________________
If you like nisprog + npkern, you can support me via https://liberapay.com/fenugrec/
For sending me encrypted/secure messages, use PGP key 0xBAC61AEB3A3E6531 available from pool.sks-keyservers.net


PostPosted: Wed May 02, 2018 4:46 pm

Joined: Thu Apr 14, 2011 8:16 am
Posts: 425
fenugrec wrote:
bradsm87 wrote:
VC264

I have my ROM. How do I extract the keys?


Actually you might not even have to, I think nisprog has keys for it already, you could just try.


At what point would I know if the guessed key was wrong?

Is there a way to know if an ECU is 7055_18 or 7055_35? Is there any risk initiating a flash with the wrong one or will it definitely not write anything and safe to kernelstop after error?


PostPosted: Wed May 02, 2018 6:33 pm

Joined: Wed Jan 08, 2014 11:07 pm
Posts: 652
bradsm87 wrote:
At what point would I know if the guessed key was wrong?

Very early, you won't even be able to run the kernel.

Quote:
Is there a way to know if an ECU is 7055_18 or 7055_35? Is there any risk initiating a flash with the wrong one or will it definitely not write anything and safe to kernelstop after error?

Pre 2004 is almost guaranteed to be 350nm. It's also possible to verify by looking at the ROM dump.
Very low risk in using the wrong kernel, the flash process is so different. There is a check before it even attempts to erase, but even without that check the erase wouldn't do anything.



Last edited by fenugrec on Wed May 02, 2018 10:46 pm, edited 1 time in total.

PostPosted: Wed May 02, 2018 10:10 pm

Joined: Thu Apr 14, 2011 8:16 am
Posts: 425
fenugrec wrote:
bradsm87 wrote:
At what point would I know if the guessed key was wrong?

Very early, you won't even be able to run the kernel.

Quote:
Is there a way to know if an ECU is 7055_18 or 7055_35? Is there any risk initiating a flash with the wrong one or will it definitely not write anything and safe to kernelstop after error?

Pre 2004 is almost guaranteed to be 350nm. It's also possible to verify by looking at the ROM dump.
Very low risk in using the wrong kernel, the flash process is so different. There is a check before it even attempts to erase, but even without that check the erase wouldn't do anything.


Excellent. So in summary:

- The kernel won't run without the correct keys. If the kernel does run, you know you used the correct keys. Submit keys to fenugrec if your ECU is not in the database.

- If attempting to flash fails immediately with the error posted above, it's safe to run stopkernel.


PostPosted: Mon Jun 18, 2018 4:29 am

Joined: Tue May 22, 2018 4:33 am
Posts: 22
Hey guys,
finally received my kkl cable, and I have the dreaded sid27 problem... my rom is not yet in the database.
I figured it won't be since the car is european spec 2005 with ECU code CD800.

I tried all of the candidate keys and none work. This is my nisprog log:
Code:
L1 debug is 0x8C: READ WRITE DATA
diag_l1.c:156:  _send: len=5 P4=5 l0flags=0x1011; 0x81 0x10 0xFC 0x81 0x0E
diag_l1.c:254:  _recv request len=1024, timeout=70;got 7 bytes, 0x83 0xFC 0x10 0xC1 0x5D 0x8F 0x3C
diag_l1.c:254:  _recv request len=1017, timeout=23;
diag_l1.c:254:  _recv request len=1024, timeout=50;
diag_l1.c:254:  _recv request len=1024, timeout=100;
Connected to ECU !
Using short headers.
diag_l1.c:156:  _send: len=4 P4=0 l0flags=0x1011; 0x02 0x1A 0x81 0x9D
diag_l1.c:254:  _recv request len=1024, timeout=60;got 9 bytes, 0x07 0x5A 0x31 0x43 0x44 0x38 0x30 0x30 0xB1
diag_l1.c:254:  _recv request len=1015, timeout=23;
diag_l1.c:254:  _recv request len=1024, timeout=50;
ECUID: CD800
Key candidate   dist (smaller is better)
0: 0x7B472BD1   0
1: 0x705A2287   6
2: 0x968148AD   15

Using best choice, SID27 key=7B472BD1, SID36 key1=8F7577FC
Use "setkeys" to change keyset.
now using 7055.
Using 3932 byte payload, padding with garbage to 3936 (0x0F60) bytes.
diag_l1.c:156:  _send: len=4 P4=0 l0flags=0x1011; 0x02 0x27 0x01 0x2A
diag_l1.c:254:  _recv request len=1024, timeout=60;got 5 bytes, 0x03 0x7F 0x27 0x95 0x3E
diag_l1.c:254:  _recv request len=1019, timeout=23;
diag_l1.c:254:  _recv request len=1024, timeout=50;
got bad 27 01 response : General_Error, Requested_SID_securityAccess Error_Unknown Response code
sid27 problem
... same for other 2 keys


EDIT: found a thread with same issue: viewtopic.php?f=45&t=14548

Is there anything I can do but to slow-dump my rom and hope someone can disassemble the keys for me?


PostPosted: Mon Jun 18, 2018 9:23 am

Joined: Wed Jan 08, 2014 11:07 pm
Posts: 652
stirkac wrote:
my rom is not yet in the database.

Not exactly; "distance 0" means there was a perfect/near-perfect match in the DB. Your problem is just before the key exchange:

Code:
0x03 0x7F 0x27 0x95 0x3E


So it's that 0x95 error again, still a mystery. The conditions that set this error are complex.
Next time you're connected, please try
Code:
watch 0xffff966D
watch 0xffff854a
watch 0xffff96c4

each for a few seconds just to make sure the data is stable (those poll 4 bytes at a time; I'm only interested in the first one)



PostPosted: Mon Jun 18, 2018 12:47 pm

Joined: Tue May 22, 2018 4:33 am
Posts: 22
Hmm, seems ok? The car is showing no codes; tried warm and cold and the result is the same...

Log...
Code:
nisprog> watch 0xffff966D

Monitoring 0xFFFF966D; press Enter to interrupt.
diag_l1.c:156:  _send: len=24 P4=0 l0flags=0x1011; 0x16 0xAC 0x81 0x83 0xFF 0xFF 0x96 0x6D 0x83 0xFF 0xFF 0x96 0x6E 0x83 0xFF 0xFF 0x96 0x6F 0x83 0xFF 0xFF 0x96 0x70 0x59
diag_l1.c:254:  _recv request len=1024, timeout=60;got 4 bytes, 0x02 0xEC 0x81 0x6F
diag_l1.c:254:  _recv request len=1020, timeout=23;
diag_l1.c:254:  _recv request len=1024, timeout=50;
diag_l1.c:156:  _send: len=6 P4=0 l0flags=0x1011; 0x04 0x21 0x81 0x04 0x01 0xAB
diag_l1.c:254:  _recv request len=1024, timeout=60;got 8 bytes, 0x06 0x61 0x81 0x2C 0x00 0x2C 0x00 0x40
diag_l1.c:254:  _recv request len=1016, timeout=23;
diag_l1.c:254:  _recv request len=1024, timeout=50;
0xFFFF966D: 2C 00 2C 00
[identical _send/_recv debug lines for the five remaining polls omitted; every poll returned]
0xFFFF966D: 2C 00 2C 00

----

nisprog> watch 0xffff96c4

Monitoring 0xFFFF96C4; press Enter to interrupt.
diag_l1.c:156:  _send: len=24 P4=0 l0flags=0x1011; 0x16 0xAC 0x81 0x83 0xFF 0xFF 0x96 0xC4 0x83 0xFF 0xFF 0x96 0xC5 0x83 0xFF 0xFF 0x96 0xC6 0x83 0xFF 0xFF 0x96 0xC7 0xB5
diag_l1.c:254:  _recv request len=1024, timeout=60;got 4 bytes, 0x02 0xEC 0x81 0x6F
diag_l1.c:254:  _recv request len=1020, timeout=23;
diag_l1.c:254:  _recv request len=1024, timeout=50;
diag_l1.c:156:  _send: len=6 P4=0 l0flags=0x1011; 0x04 0x21 0x81 0x04 0x01 0xAB
diag_l1.c:254:  _recv request len=1024, timeout=60;got 8 bytes, 0x06 0x61 0x81 0x30 0x04 0x60 0x78 0xF4
diag_l1.c:254:  _recv request len=1016, timeout=23;
diag_l1.c:254:  _recv request len=1024, timeout=50;
0xFFFF96C4: 30 04 60 78
[identical _send/_recv debug lines for the seven remaining polls omitted; every poll returned]
0xFFFF96C4: 30 04 60 78

----

nisprog> watch 0xffff854a

Monitoring 0xFFFF854A; press Enter to interrupt.
diag_l1.c:156:  _send: len=24 P4=0 l0flags=0x1011; 0x16 0xAC 0x81 0x83 0xFF 0xFF 0x85 0x4A 0x83 0xFF 0xFF 0x85 0x4B 0x83 0xFF 0xFF 0x85 0x4C 0x83 0xFF 0xFF 0x85 0x4D 0x89
diag_l1.c:254:  _recv request len=1024, timeout=60;got 4 bytes, 0x02 0xEC 0x81 0x6F
diag_l1.c:254:  _recv request len=1020, timeout=23;
diag_l1.c:254:  _recv request len=1024, timeout=50;
diag_l1.c:156:  _send: len=6 P4=0 l0flags=0x1011; 0x04 0x21 0x81 0x04 0x01 0xAB
diag_l1.c:254:  _recv request len=1024, timeout=60;got 8 bytes, 0x06 0x61 0x81 0x09 0x00 0x00 0x00 0xF1
diag_l1.c:254:  _recv request len=1016, timeout=23;
diag_l1.c:254:  _recv request len=1024, timeout=50;
0xFFFF854A: 09 00 00 00
[identical _send/_recv debug lines for the nine remaining polls omitted; every poll returned]
0xFFFF854A: 09 00 00 00
nisprog>


PostPosted: Tue Jun 19, 2018 5:50 pm

Joined: Wed Jan 08, 2014 11:07 pm
Posts: 652
stirkac wrote:
Code:
0xFFFF966D: 2C

0xFFFF96C4: 30
0xFFFF854A: 09


ok. Did a bit of digging. On your ROM, error 0x95 is triggered if the state variable at 0xFFFF966D has bits 4 or 5 set -- in your case it's bit 5 (0x20). I cross-referenced this to the Renault ZB060 ROM and its A2L def.: the relevant bits are also 4 and 5, but the state variable is at FFFF8a87. Luckily the A2L file defines them, thus:

Code:
  /begin MEASUREMENT    fLOAD2
      "LOAD2 SW"
....
    /begin MEASUREMENT    fLOADSW
      "LOAD SW"
...


The other bits in that state variable are for other loads such as headlights on, position lights, neutral switch, etc. so that gives a hint as to what the 0x95 error means. I would suggest checking those, and other stuff like fans or A/C.

You could try that "watch 0xffff966d" command again (but disable debugging first) and play with switches to see if you can clear bit 5, e.g. 0x0C instead of 0x2C. If you can't get that value to change, there's no point in retrying runkernel.



PostPosted: Wed Jun 20, 2018 2:40 am

Joined: Tue May 22, 2018 4:33 am
Posts: 22
fenugrec wrote:
The other bits in that state variable are for other loads such as headlights on, position lights, neutral switch, etc. so that gives a hint as to what the 0x95 error means. I would suggest checking those, and other stuff like fans or A/C.


What an absolute legend! Got it working first try by turning off dome light, headunit and ventilation - not sure which one of these is the actual cause...
Great to see your thought process too, instead of simply screaming "turn off your accessories dummy" :lol:

I'll send a beer your way


PostPosted: Wed Jun 20, 2018 9:56 am

Joined: Thu Oct 26, 2017 4:11 am
Posts: 34
fenugrec you are a hero! I will do the watch address next time I try this and relay back the information.

Could you please clear up some stuff for me on how you did this? Where did you get the 3 addresses from to watch? And what is stored here? Also, can you reveal how you went from 0xFFFF966D in the CD800 rom to FFFF8a87 in the Renault ZB060 rom?


PostPosted: Wed Jun 20, 2018 11:36 am

Joined: Wed Jan 08, 2014 11:07 pm
Posts: 652
TomC wrote:
Could you please clear up some stuff for me on how you did this?


Well, I already knew where the SID 27 errors were generated; I had just never backtracked to find the cause for 0x95. So I looked at the disasm for CD800:

Code:
ROM:00014AD6 60 50                 mov.b   @r5, r0     ;r5 was set to FFFF966D a few lines before
ROM:00014AD8 C8 30                 tst     #h'30, r0         ;this is the test
ROM:00014ADA 89 03                 bt      loc_14AE4
ROM:00014ADC E4 27                 mov     #h'27, r4 ; '''
ROM:00014ADE E5 95                 mov     #h'FFFFFF95, r5     ;preparing to send the "27 95" error


Then I sort of took a tangent that ended up being useless: I looked for code that set those bits in FFFF966D and found those other two state variables. Then I remembered to check in the ZB060 ROM since it has that awesome A2L def; the 0x95 error code was equally easy to find and with an almost identical conditional:

Code:
ROM:0003840E 84 51                 mov.b   @(1,r5), r0   ;here, accessing ffff8a87
ROM:00038410 C8 30                 tst     #h'30, r0     ;testing the same bits
ROM:00038412 89 03                 bt      loc_3841C
ROM:00038414 E4 27                 mov     #h'27, r4 ; '''
ROM:00038416 E5 95                 mov     #h'FFFFFF95, r5


And I got lucky that FFFF8A87 is "important enough" to have been defined in the A2L file. A lot of internal state variables are not defined in there.

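An added example (not nisprog or npkern code) that ties the frames quoted in stirkac's log to the check in the disassembly above: it validates the short-header framing (length byte, payload, then an 8-bit sum checksum, which every frame in the posted logs obeys), recognises the "27 95" refusal, pulls the first polled byte out of a watch read response, and applies the same tst #h'30 mask to it. The frame-layout inference, all function names and the one bad-checksum frame are this example's own assumptions.

```c
/* Added example (not nisprog or npkern code): decode the short-header K-line
 * frames quoted in this thread and model the ROM check that yields the
 * "27 95" negative response. Framing is inferred from the logged bytes:
 *   [len] [len payload bytes] [cksum = 8-bit sum of all preceding bytes]
 * All function names here are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SID_SECURITY_ACCESS 0x27
#define WATCH_READ_RESP     0x61   /* positive response to 21 = 0x21 + 0x40 */
#define WATCH_LOCAL_ID      0x81   /* local id nisprog polls with "21 81" in the log */
#define NEGATIVE_RESPONSE   0x7F
#define NRC_LOAD_STATE      0x95   /* manufacturer-specific code seen in the log */
#define LOAD_SW_MASK        0x30   /* tst #h'30: bits 4 and 5 of the state byte */

enum frame_status { FRAME_OK, FRAME_TOO_SHORT, FRAME_BAD_LEN, FRAME_BAD_CKSUM };

struct frame {
    const uint8_t *payload;  /* first byte after the length byte */
    size_t len;
    bool negative;           /* payload[0] == 0x7F */
    uint8_t req_sid;         /* negative responses: the SID that was rejected */
    uint8_t nrc;             /* negative responses: the response code */
};

/* 8-bit sum of p[0..n-1]; every frame in the posted logs ends with this value. */
uint8_t kline_checksum(const uint8_t *p, size_t n) {
    uint8_t sum = 0;
    for (size_t i = 0; i < n; i++) sum = (uint8_t)(sum + p[i]);
    return sum;
}

/* Validate framing before trusting any payload byte. */
enum frame_status parse_frame(const uint8_t *buf, size_t n, struct frame *out) {
    if (n < 3) return FRAME_TOO_SHORT;
    if ((size_t)buf[0] + 2 != n) return FRAME_BAD_LEN;
    if (kline_checksum(buf, n - 1) != buf[n - 1]) return FRAME_BAD_CKSUM;
    out->payload = buf + 1;
    out->len = buf[0];
    out->negative = (buf[1] == NEGATIVE_RESPONSE);
    out->req_sid = (out->negative && out->len >= 3) ? buf[2] : 0;
    out->nrc = (out->negative && out->len >= 3) ? buf[3] : 0;
    return FRAME_OK;
}

/* Model of the check at ROM:00014AD8 in CD800: SID 27 is refused with NRC
 * 0x95 while bit 4 or bit 5 of the load-switch state byte is set. 0 = proceed. */
uint8_t security_access_nrc(uint8_t load_state) {
    return (load_state & LOAD_SW_MASK) ? NRC_LOAD_STATE : 0;
}

/* From a watch read response (61 81 b0 b1 b2 b3) return the first polled byte,
 * the one fenugrec asked about; -1 if the frame is not such a response. */
int load_state_from_watch(const uint8_t *buf, size_t n) {
    struct frame f;
    if (parse_frame(buf, n, &f) != FRAME_OK || f.len < 3) return -1;
    if (f.payload[0] != WATCH_READ_RESP || f.payload[1] != WATCH_LOCAL_ID) return -1;
    return f.payload[2];
}

/* True when the frame is the "27 95" refusal discussed in the thread. */
bool is_sid27_load_refusal(const uint8_t *buf, size_t n) {
    struct frame f;
    if (parse_frame(buf, n, &f) != FRAME_OK) return false;
    return f.negative && f.req_sid == SID_SECURITY_ACCESS && f.nrc == NRC_LOAD_STATE;
}

/* Frames copied from the logs above, plus one constructed frame with a bad checksum. */
const uint8_t REQ_27_01[]   = {0x02, 0x27, 0x01, 0x2A};
const uint8_t NRC_27_95[]   = {0x03, 0x7F, 0x27, 0x95, 0x3E};
const uint8_t WATCH_966D[]  = {0x06, 0x61, 0x81, 0x2C, 0x00, 0x2C, 0x00, 0x40};
const uint8_t DEFINE_966D[] = {0x16, 0xAC, 0x81, 0x83, 0xFF, 0xFF, 0x96, 0x6D,
                               0x83, 0xFF, 0xFF, 0x96, 0x6E, 0x83, 0xFF, 0xFF,
                               0x96, 0x6F, 0x83, 0xFF, 0xFF, 0x96, 0x70, 0x59};
const uint8_t BAD_CKSUM[]   = {0x03, 0x7F, 0x27, 0x95, 0x3F};   /* constructed */

int main(void) {
    int state = load_state_from_watch(WATCH_966D, sizeof WATCH_966D);
    printf("state byte 0x%02X -> NRC 0x%02X\n", state, security_access_nrc((uint8_t)state));
    printf("with bit 5 cleared (0x0C) -> NRC 0x%02X\n", security_access_nrc(0x0C));
    printf("27 95 frame recognised: %d, corrupt copy: %d\n",
           is_sid27_load_refusal(NRC_27_95, sizeof NRC_27_95),
           is_sid27_load_refusal(BAD_CKSUM, sizeof BAD_CKSUM));
    printf("define request checksum 0x%02X (logged 0x%02X)\n",
           kline_checksum(DEFINE_966D, sizeof DEFINE_966D - 1), DEFINE_966D[23]);
    return 0;
}
```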


PostPosted: Sat Jun 23, 2018 6:11 pm

Joined: Fri Jun 22, 2018 11:58 pm
Posts: 3
Well, I just got my cable and I was trying to dump my ECU, but I'm getting that SID 27 error, so currently I'm doing a non-kernel dump. I'm just wondering what I should do with this kernel, and how do I get the keys?

this is what nisprog is saying

Code:
diag_os_gethrt() resolution <= 0us, avg ~0us
diag_os_getms() resolution: ~16ms.
diag_os_chronoms() : resolution: ~16ms
Calibrating timing, this will take a few seconds...
Calibration done.
nisprog v1.02
nisprog: Interface set to default: DUMB
nisprog: Type HELP for a list of commands
nisprog: Type SCAN to start ODBII Scan
nisprog: Then use MONITOR to monitor real-time data
nisprog: **** IMPORTANT : this is beta software ! Use at your own risk.
nisprog: **** Remember, "debug all -1" displays all debugging info.
interface is now DUMB
Note concerning generic (dumb) interfaces : there are additional
options which can be set with "set dumbopts". By default
"K-line only" and "MAN_BREAK" are set.
port set to: \\.\COM24
dumbopts set to:    72
testerid: using 0xFC
destaddr: using 0x10
Connected to ECU !
Using short headers.
ECUID: 8J160
Key candidate   dist (smaller is better)
0: 0x7B472BD1   7
1: 0x7C2300FA   9
2: 0x968148AD   15

Using best choice, SID27 key=7B472BD1, SID36 key1=8F7577FC
Use "setkeys" to change keyset.
        p3 set to 0 (0x0).
Using 38377 byte payload, padding with garbage to 38400 (0x09600) bytes.
got bad 27 01 response : General_Error, Requested_SID_securityAccess Error_Unknown Response code
sid27 problem
nisprog: Settings loaded from nisprog.ini
nisprog> dm maxaltima.bin 0 524288
Starting dump from 0x00000000 to 0x0007FFFF.
reading @ 0x00006D50 ( 94 %,   118 B/s, ~  70:05 remaining


PostPosted: Sun Jun 24, 2018 4:41 pm

Joined: Fri Jun 22, 2018 11:58 pm
Posts: 3
So I have found my scode, but I am getting this weird error:
Code:
Now using SID27 key=5414CDA6, SID36 key1=E303BF23
Using 38377 byte payload, padding with garbage to 38400 (0x09600) bytes.
SID 27: seed = 0x00 0x00 0x85 0x5B ; using NPT_DDL algo (scode=0x5414CDA6),
SUXXESS !!
SID 34 80 done.
SID36 block 0x02FE/0x04AF doneno response @ blockno 2FF
sid 36 problem


I have no idea what this could be; any thoughts? And I'd love to donate to you fenu, this is a wonderful tool; if you want to email me at (max j correa) 2(broken up) at (gmail), I'd love to contribute.

