RomRaider

After looking at some CAN comm's from various tools. The UDS shows an encryption 8 and compression 2.

Vehicle: Infiniti
Model: Q50
Engine 3.7L
Stock file: 14GA0D
ECU: SH705927N

Flashing the stock file using commercial tooling, the encrypted payload's first 40 bytes being sent to the ECU are "7F 08 7A 90 15 CE CB F8 58 58 B7 33 44 76 B7 4C 8A D9 E8 30 E9 52 C3 47 39 A0 A6 B5 8D 0E C5 90 6C D6 68 F3 1F 52 8E 8D 02 77 83 2A EC AF E7 32 4A 2E E0 66 60 DB E4 8A 16 9E 96 84 EE 33 96 8A 7D 93 69 7A 75 99 AD 65 77 63 0C A6 D4 3F AF 8A"

I wanted to decrypt to compare the data in the stock file. I have checked with nisprog and the encode/decode does not seem to match correctly.

Anyone have any information regarding this or perhaps a working encode/decode.

Your question lacks detail... Which ECUID (mECUNO / mProgVer) ? full dump available somewhere ?

What is that "first 40 bytes" from, a log from an official NERS / consult reflash ? aftermarket thing ? Was it a SID 0x34 * frame ? something else ?

added more information to the first post.

Yes, it was the first payload sent after erasing using SID 0x34. The 40 bytes were taking from the frame after the SID request. Below is the first chunk:

Raw Payload: 0x34 0x82 0x00 0x82 0x00 0x80 0x7F 0x08 0x7A 0x90 0x15 0xCE 0xCB 0xF8 0x58 0x58 0xB7 0x33 0x44 0x76 0xB7 0x4C 0x8A 0xD9 0xE8 0x30 0xE9 0x52 0xC3 0x47 0x39 0xA0 0xA6 0xB5 0x8D 0x0E 0xC5 0x90 0x6C 0xD6 0x68 0xF3 0x1F 0x52 0x8E 0x8D 0x02 0x77 0x83 0x2A 0xEC 0xAF 0xE7 0x32 0x4A 0x2E 0xE0 0x66 0x60 0xDB 0xE4 0x8A 0x16 0x9E 0x96 0x84 0xEE 0x33 0x96 0x8A 0x7D 0x93 0x69 0x7A 0x75 0x99 0xAD 0x65 0x77 0x63 0x0C 0xA6 0xD4 0x3F 0xAF 0x8A 0x02 0x99 0x32 0xCA 0xF7 0x20 0x88 0xAB 0xCC 0x10 0x1D 0xB1 0xE3 0xE6 0x17 0xE0 0x04 0x54 0x91 0xEE 0x66 0x66 0xB2 0xA2 0x77 0x27 0xA8 0x83 0x25 0x69 0x8D 0xC0 0x8E 0x6A 0xBE 0xB6 0x6E 0xDA 0xA1 0x31 0x80 0x91 0x08 0xA2 0x6F 0xD4 0x16 0x8A 0x2F 0xBB

To be clear, were you trying to revert a tuned ECU back to stock ?
Did you provide your "commercial tooling" with an unencrypted stock .bin , or an official .dat file straight from Nissan ?

What I am asking, is the correct "decode" used to decrypt the file. It can also be used to decrypt the payload as that is just one of the chunks sent to the ECU.

The tooling takes an uncrypted bin, then apply's the encryption to the file. Same way your nisprog does. However, I tried the decode / encode on the payload and it did not give me any matched bytes in the stock file.

Follow?

Yes, I know what you're asking. And I said



because if you are, typical "commercial tools" modify the tuned ROM to make it more difficult to dump them, this can include using different keys or different algo completely. If this is your situation, nobody will help you to accomplish this on these forums (and not privately either, myself), for obvious reasons.



Please post this unencrypted stock bin (zipped), so we can see if Nissan changed their encryption methods.

Please post this unencrypted stock bin (zipped), so we can see if Nissan changed their encryption methods.[/quote]

14GA0D.zip = stock file

14GA0D_Full OBD Read.zip = full dump

well the good news is, your ECU already has a stock ROM on it :



The "14GA0D.o r i" (wtf romraider forum, why does it auto-replace 'o r i' with hex ?) file is identical to a subset of the 'full OBD read' (and this file has some excess padding at the end for some reason, size should be 1.5MB for SH7059)

any luck or thoughts?

I ran out of time unfortunately.