RomRaider forum thread: Re: CAN-only / "recent" ROMs
pirelli2006 (Experienced; Joined: Tue Apr 03, 2018 6:56 am; Posts: 124)
Post subject: Re: CAN-only / "recent" ROMs
Posted: Sat Feb 23, 2019 1:19 am

@a33b, why do you want to flash .dat files? As far as I looked, Consult sends it in the .dat format, and apparently it is later decrypted in the VI2 module. To put it differently: Consult sends the .dat entirely to the VI2 module, so then we don't need a diagnostic tool at all. I was hung up on that, but the programming was still performed. Above, I sent a log of third-party software during programming. It's pretty clear there.

fenugrec (Experienced; Joined: Wed Jan 08, 2014 11:07 pm; Posts: 652)
Post subject: Re: CAN-only / "recent" ROMs
Posted: Sat Feb 23, 2019 2:13 am

a33b wrote:
> 44,562 7E0 8 07 23 00 07 FF 84 00 04    RMBA 7FF84 4 bytes
> 44,563 7E8 8 05 63 4E 48 55 F9 00 00    4E 48 55 F9 ...
> How does the tester know to look at 7FF84? From one of the responses or from an internal database? This address is correct for 512 kB ROMs, but would be FFF84 for 1 MB ROMs.

That's the "NHU." (4e 48 55 f9) signature present in pretty much every ROM; I think it's always in the same place for all ROMs of a given size. I haven't done a comprehensive study of this, but it seems to be the case as far as I remember.

a33b wrote:
> ... It appears the ECU does some stuff and the tester is told to wait as this repeats for a while.

I would imagine it takes that time to copy its built-in kernel to RAM.

a33b wrote:
> There is a 2-byte checksum? at the end of every 0x80 block sent. How is it calculated? There are 3 bytes between each block of 0x80 in the .dat that don't show up in the flash routine. How are they used? Part of the checksum?

Can't remember if I looked at those. I had made a crude unpack tool (https://github.com/fenugrec/nissutils/b ... npackdat.c) but didn't implement the CRC + cks fields. I'm guessing either CRC16 or the silly 16-bit sum they have for K-line SID 27 (nisprog/np_cli.c::encrypt_buf()), plus a basic 8-bit sum.

_________________
If you like nisprog + npkern, you can support me via https://liberapay.com/fenugrec/
For sending me encrypted/secure messages, use PGP key 0xBAC61AEB3A3E6531 available from pool.sks-keyservers.net

pirelli2006 (Experienced; Joined: Tue Apr 03, 2018 6:56 am; Posts: 124)
Post subject: Re: CAN-only / "recent" ROMs
Posted: Sat Feb 23, 2019 5:00 am

fenugrec wrote:
> I would imagine it takes that time to copy its built-in kernel to RAM.

I see the download of the ROM file in the VI2 module; here it is waiting for it.

a33b (Experienced; Joined: Sat Jun 24, 2017 2:23 pm; Posts: 315)
Post subject: Re: CAN-only / "recent" ROMs
Posted: Sat Feb 23, 2019 11:29 pm

pirelli2006 wrote:
> @a33b, why do you want to flash .dat files?

It requires less development to use tools that are already in place in the ECU. In theory we could:
- read the ROM via a RMBA routine
- modify the ROM
- re-pack it in a .dat
- flash the modified .dat using the ECU's built-in kernel

How long did it take to read that ROM? 2 minutes? How long did it take to re-flash that ROM? 3 minutes? If only the changed data was flashed, re-flashing would only take a few seconds!

fenugrec (Experienced; Joined: Wed Jan 08, 2014 11:07 pm; Posts: 652)
Post subject: Re: CAN-only / "recent" ROMs
Posted: Sat Feb 23, 2019 11:42 pm

a33b wrote:
> It requires less development to use tools that are already in place in the ECU. In theory we could:
> - read the ROM via a RMBA routine
> - modify the ROM
> - re-pack it in a .dat
> - flash the modified .dat using the ECU's built-in kernel

100% agreed. I don't think NERS is free anymore though? Or did I misunderstand, and you have in mind another solution for software?

a33b (Experienced; Joined: Sat Jun 24, 2017 2:23 pm; Posts: 315)
Post subject: Re: CAN-only / "recent" ROMs
Posted: Sun Feb 24, 2019 8:55 pm

fenugrec wrote:
> 100% agreed. I don't think NERS is free anymore though? Or did I misunderstand, and you have in mind another solution for software?

I wonder how much the NERS software actually did? It must check the HWID against the ROM to make sure it is flashing a valid .dat, look up the key based on the HWID, start the bootloader, then send the .dat in CAN packets to the ECU. Maybe I'm missing some key pieces, but your tools do most of that already in one form or another. I'm not saying YOU have to do it, but with enough time even a bloke such as myself might be able to hack something together.

fenugrec (Experienced; Joined: Wed Jan 08, 2014 11:07 pm; Posts: 652)
Post subject: Re: CAN-only / "recent" ROMs
Posted: Sun Feb 24, 2019 9:32 pm

a33b wrote:
> I wonder how much the NERS software actually did?

True, not that much. Mostly giving a nice UI and framework, error reporting, and security access.

a33b wrote:
> even a bloke such as myself might be able to hack something together.

I have no doubt!

darkhalf (Newbie; Joined: Sun Jun 08, 2014 10:55 am; Posts: 40)
Post subject: Re: CAN-only / "recent" ROMs
Posted: Thu Feb 28, 2019 11:04 pm

Has anyone tried reflashing an ECU DAT file with NERS and the Tactrix cable (via K-line or CAN)?
Mine, on a 350Z ECU using CD002.DAT over K-line, seemed to only get through to uploading the Nissan bootloader part of the DAT and then would stop and fail.
I suspect one of the API calls inside NERS to the Tactrix cable is not compatible, but I did not investigate further (since Nisprog reflashes anyway).
Next step is I wanted to log and monitor the CAN transactions, but I'm not sure if the Tactrix cable will work with NERS over CAN.

fenugrec (Experienced; Joined: Wed Jan 08, 2014 11:07 pm; Posts: 652)
Post subject: Re: CAN-only / "recent" ROMs
Posted: Thu Feb 28, 2019 11:15 pm

darkhalf wrote:
> Next step is I wanted to log and monitor the CAN transactions, but I'm not sure if the Tactrix cable will work with NERS over CAN.

You can just find and install a J2534 "shim" driver (ptshim or j2534-logger?); those should transparently log all the API calls.

Sasha_A80 (Senior Member; Joined: Mon Jan 19, 2009 2:31 pm; Posts: 1615; Location: Moscow, Russia)
Post subject: Re: CAN-only / "recent" ROMs
Posted: Fri Mar 01, 2019 2:33 am

a33b wrote:
> 44,562 7E0 8 07 23 00 07 FF 84 00 04    RMBA 7FF84 4 bytes
> 44,563 7E8 8 05 63 4E 48 55 F9 00 00    4E 48 55 F9 ...

Does that mean OBD mode 23 is working for a CAN-enabled ROM? Does it really require a security section to be passed?

a33b (Experienced; Joined: Sat Jun 24, 2017 2:23 pm; Posts: 315)
Post subject: Re: CAN-only / "recent" ROMs
Posted: Fri Mar 01, 2019 5:28 pm

Sasha_A80 wrote:
> Does that mean OBD mode 23 is working for a CAN-enabled ROM? Does it really require a security section to be passed?

Based on that log it doesn't appear any security is required; just start requesting 64-byte blocks and go!

Sasha_A80 (Senior Member; Joined: Mon Jan 19, 2009 2:31 pm; Posts: 1615; Location: Moscow, Russia)
Post subject: Re: CAN-only / "recent" ROMs
Posted: Sat Mar 02, 2019 1:07 am

That is wonderful... ROM reading may be done directly, without a security issue, through CAN extended OBD mode 23. I have to analyze the code to see if the whole ROM is allowed to be uploaded.
A cheap VAG-K+CAN cable or ELM clone may be used for upload, saying nothing about OP2, etc.

a33b (Experienced; Joined: Sat Jun 24, 2017 2:23 pm; Posts: 315)
Post subject: Re: CAN-only / "recent" ROMs
Posted: Sat Mar 02, 2019 1:59 am

Sasha_A80 wrote:
> I have to analyze the code to see if the whole ROM is allowed to be uploaded.

In the "read.txt" upload from pirelli2006, you will see that the whole ROM is read using mode 23 in 64-byte chunks.

Sasha_A80 (Senior Member; Joined: Mon Jan 19, 2009 2:31 pm; Posts: 1615; Location: Moscow, Russia)
Post subject: Re: CAN-only / "recent" ROMs
Posted: Sun Mar 03, 2019 2:46 am

Mode 23 executive found.
From 1 to 63 bytes may be requested; I do not see address limits.

    UDS_23_sub_7595C:                       ; DATA XREF: ROM:0001289Co
    ROM:0007595C    mov.l   r9, @-r15
    ROM:0007595E    mov.l   r11, @-r15
    ROM:00075960    mov.l   r12, @-r15
    ROM:00075962    mov.l   r13, @-r15
    ROM:00075964    sts.l   pr, @-r15
    ROM:00075966    stc.l   gbr, @-r15
    ROM:00075968    mov.w   @(h'13A,pc), r0     ; [00075AA6] = h'FFFFA43C
    ROM:0007596A    ldc     r0, gbr
    ROM:0007596C    mov.b   @r4, r2
    ROM:0007596E    mov.w   @(h'136,pc), r9     ; [00075AA8] = h'FFFFA0C8
    ROM:00075970    extu.b  r2, r13
    ROM:00075972    mov.b   r13, @r9
    ROM:00075974    mov.b   @(1,r4), r0
    ROM:00075976    mov     r4, r12
    ROM:00075978    extu.b  r0, r2
    ROM:0007597A    mov     r2, r0
    ROM:0007597C    mov.b   r0, @(1,r9)
    ROM:0007597E    mov.b   @(2,r4), r0
    ROM:00075980    shll16  r13
    ROM:00075982    extu.b  r0, r4
    ROM:00075984    mov     r4, r0
    ROM:00075986    mov.b   r0, @(2,r9)
    ROM:00075988    mov.b   @(3,r12), r0
    ROM:0007598A    extu.b  r0, r7
    ROM:0007598C    mov     r7, r0
    ROM:0007598E    mov.b   r0, @(3,r9)
    ROM:00075990    mov.b   @(4,r12), r0
    ROM:00075992    shll8   r13
    ROM:00075994    extu.b  r0, r1
    ROM:00075996    mov.b   @(5,r12), r0
    ROM:00075998    shll8   r1
    ROM:0007599A    extu.b  r0, r6
    ROM:0007599C    add     r6, r1
    ROM:0007599E    mov     r1, r0
    ROM:000759A0    shll16  r2
    ROM:000759A2    mov.w   r0, @(4,r9)
    ROM:000759A4    add     r2, r13
    ROM:000759A6    shll8   r4
    ROM:000759A8    extu.w  r5, r0
    ROM:000759AA    add     r4, r13
    ROM:000759AC    cmp/eq  #6, r0
    ROM:000759AE    mov     #0, r11
    ROM:000759B0    bt/s    loc_759B8
    ROM:000759B2    add     r7, r13
    ROM:000759B4    bra     loc_75AAE
    ROM:000759B6    nop
    ROM:000759B8 ; ---------------------------------------------------------------------------
    ROM:000759B8
    ROM:000759B8 loc_759B8:                     ; CODE XREF: UDS_23_sub_7595C+54j
    ROM:000759B8    extu.w  r1, r2
    ROM:000759BA    mov     #1, r6
    ROM:000759BC    cmp/ge  r6, r2
    ROM:000759BE    bf      loc_75AAE
    ROM:000759C0    mov     #h'3F, r6           ; '?'
    ROM:000759C2    cmp/gt  r6, r2
    ROM:000759C4    bt      loc_75AAE

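As an added example that is not part of this thread or of nisprog/nissutils, here is a small Python decoder for the two frames a33b quoted: the SID 0x23 ReadMemoryByAddress request on 0x7E0 and its positive response on 0x7E8. It applies the same argument checks that Sasha_A80's disassembly shows (exactly six argument bytes after the SID, assembled as a 4-byte big-endian address and a 2-byte length; length accepted only between 1 and 0x3F) and flags the "NHU." signature read that fenugrec identified, so a captured session can be audited for memory reads that went through without any security access. The log column layout, the ISO-TP single-frame handling, the function names and the signature-address-to-ROM-size table are assumptions made here, not something defined by the tools discussed in the thread.

```python
# Added example (not the thread's or nisprog's code): decode a logged
# ReadMemoryByAddress (SID 0x23) exchange and mirror the ECU-side checks
# visible in the SH disassembly posted in the thread.

# Constructed sample: the two log lines quoted in the thread.
# Assumed column layout: index, CAN id (hex), DLC, then DLC data bytes.
SAMPLE_LOG = """\
44,562 7E0 8 07 23 00 07 FF 84 00 04
44,563 7E8 8 05 63 4E 48 55 F9 00 00
"""

SID_RMBA = 0x23
POSITIVE_RESPONSE_OFFSET = 0x40        # positive response SID = request SID + 0x40
NHU_SIGNATURE = b"NHU\xf9"             # 4E 48 55 F9, as identified in the thread
# Assumed mapping of the signature's address to ROM size (from fenugrec's post).
SIGNATURE_ADDRESS_TO_ROM_KB = {0x07FF84: 512, 0x0FFF84: 1024}


def parse_log_line(line):
    """Split 'index id dlc b0 .. bN' into (can_id, payload bytes)."""
    fields = line.split()
    can_id = int(fields[1], 16)
    dlc = int(fields[2])
    data = bytes(int(b, 16) for b in fields[3:3 + dlc])
    return can_id, data


def isotp_single_frame(data):
    """Return the payload of an ISO-TP single frame (PCI high nibble 0)."""
    pci = data[0]
    if pci >> 4 != 0:
        raise ValueError("only single frames are handled in this example")
    length = pci & 0x0F
    return data[1:1 + length]


def decode_rmba_request(payload):
    """Decode SID 0x23 arguments the way the disassembled handler does.

    Bytes 0..3 are shifted/added into a 32-bit big-endian address (r13),
    bytes 4..5 into a 16-bit length (r1). The handler requires exactly
    6 argument bytes (cmp/eq #6) and 1 <= length <= 0x3F.
    """
    if payload[0] != SID_RMBA:
        raise ValueError("not a ReadMemoryByAddress request")
    args = payload[1:]
    if len(args) != 6:
        raise ValueError("ECU rejects requests whose argument length != 6")
    address = int.from_bytes(args[0:4], "big")
    length = int.from_bytes(args[4:6], "big")
    if not 1 <= length <= 0x3F:
        raise ValueError("ECU rejects lengths outside 1..63")
    return address, length


def decode_rmba_response(payload, expected_length):
    """Return the data bytes of a positive SID 0x23 response (SID 0x63)."""
    if payload[0] != SID_RMBA + POSITIVE_RESPONSE_OFFSET:
        raise ValueError("not a positive ReadMemoryByAddress response")
    data = payload[1:]
    if len(data) != expected_length:
        raise ValueError("response length does not match the request")
    return data


def analyse_exchange(log_text, tester_id=0x7E0, ecu_id=0x7E8):
    """Pair the first request/response in the log and summarise the read."""
    frames = [parse_log_line(line) for line in log_text.strip().splitlines()]
    request = next(isotp_single_frame(d) for cid, d in frames if cid == tester_id)
    response = next(isotp_single_frame(d) for cid, d in frames if cid == ecu_id)
    address, length = decode_rmba_request(request)
    data = decode_rmba_response(response, length)
    return {
        "address": address,
        "length": length,
        "data": data,
        "is_nhu_signature": data == NHU_SIGNATURE,
        "rom_kb": SIGNATURE_ADDRESS_TO_ROM_KB.get(address),   # None if unknown
    }


if __name__ == "__main__":
    summary = analyse_exchange(SAMPLE_LOG)
    print(f"RMBA {summary['address']:X} {summary['length']} bytes -> {summary['data'].hex()}")
    print("NHU signature:", summary["is_nhu_signature"], "ROM size kB:", summary["rom_kb"])
```

Running it on the constructed sample reports a 4-byte read at 0x7FF84 returning 4E 48 55 F9, the "NHU." signature, and maps that address to a 512 kB ROM; a request asking for 0x40 bytes is rejected by the same bound the disassembly enforces, which is worth keeping in mind when reading a33b's "64-byte blocks" against the handler's limit of 0x3F.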
FrankVQ (Newbie; Joined: Sun Mar 31, 2019 9:35 am; Posts: 16)
Post subject: Re: Nisprog ECU 705519n
Posted: Fri Apr 05, 2019 9:52 am

pirelli2006 wrote:
> logs read/write to CAN-ecu.

Thank you VERY much for posting the Consult log (read.txt) dumping the ECU!
