RomRaider

Does anybody know if Subaru requires a seed-key (challenge-response) to open any security before flashing an ECU? I know other manufacturers do. For those who may not know exactly what I am talking about, here are the steps for a challenge-response:

1.)Have your scanner/diagnostic device request seed bytes from an ECU.
2.)Your diagnostic device receives these bytes, and then runs the proprietary algorithm that uses the seed bytes.
3.)Send these result (in hex) from the diagnostic device to the ECU.
4.)The ECU responds with an pos or neg response to the diagnostic device.

If you do know this algorithm, where can I find it?

Thanks!

I believe the Subaru ecu does require it.

It's built into the ecuflash program.

What flash ecuflash program? Where do I look for this? Thanks!

Romraider is a rom editor and datalogger. It doesn't flash the ecu.

ecuflash is the flashing software. Go to http://www.openecu.org for more information.

Thanks for the post.

Am I able to view ECUFlash source? I found a security algorithm in the sourcepreview.zip c++ files at:

http://forums.openecu.org/viewtopic.php?p=919#919

The algorithm contained data tables that must have been mined by somebody from somewhere, most likely from some Subaru data files. I'm a developer doing something very, very similar for another manufacturer, and it would be great to chat with the guy who got this algorithm and Subaru data. I hear the name Colby a lot?

Colby said this is how he did it:

"Once you hace dissassembled a complete dump of the ECU code areas (including the TPU code), you can see what is required to get the ECU to load your kernel (including challenge-response queries in the 04/05 models, and checksumming of your kernel). You also have examples in that code of using the serial port and keeping the watchdog timer happy. The procedure for erasing and reflashing blocks of flash in the 68HC916Y5 is detail in the chip docs available on this site. I followed the manufacturer's procedure exactly. "

I would love to read more of that, where is it posted?
EDIT: Nevermind, I just followed the link above and found out that he didn't say much more He's a hard man to get a hold of!

FWIW the cars that use the wrx02 flash method don't have the seedkey.

Andy

The ecu explorer code includes an old version of the ecuflash code that writes 04's you should be able to find what you need there.

http://code.google.com/p/ecuexplorer/