RomRaider

I've been looking into the OBD routines in a few ROMs to see if there's anything that we can make use of in RR Logger.
For those interested, the pointers to the various OBD routines are in a long list something like the SSM pointers. There's a few extra values to help the lookup process select the correct routine to invoke. The list is in a couple of places depending on the ROM. Early 32bit ROMs the list is just before the table of DTC switches. In later ROMs the list is after the DTC subroutines table.

If you do a search for the third instance of the CAL ID in a ROM, you will have found the data bytes that are retrieved by the OBD Mode 09 PID 02 call. If you follow the references backwards in IDA you will get to the subroutine that gets those bytes to send them to the scan tool. The sub routine itself can be followed back to the end of the OBD routine list I mentioned above.

If you are curious about how the CVN is calculated, find the first instance of the CAL ID, around 0x2000. There will be a data reference associated with a location about 0x2034 to 0x2038. Follow that reference and then to the subroutine that uses it. Here you can see that the CVN is made up of two separate calculations over two separate ranges of the ROM.

I'm not quite sure what to use these OBD routines for yet, but I'm open to suggestions. I'm not interested in making the RR Logger another OBD logging tool, especially when SSM has so much more flexibility.

It would be cool to be able to see progress through some of the drive cycle readiness tests.


PS. OBD

I want to try and figure out how to use the 15765-3 UDS (ISO 14229 ) stuff (assuming its implemented in my 2011 wrx rom). I haven't seen the full spec, but from the snippets I have been able to find there is some interesting stuff in there.

I have been trying to figure out how to use the mode "ReadMemoryByAddress" mode 0x23 service, but haven't had any luck. I suspect I need to start a diagnostic session and keep it alive or something.

Some other services I would like to test (if I knew what they did) are the mode 0x31 "Routine Control" and the IO control mode 0x2F.

Having access to the spec would make life easier but its expensive, might have to start looking at my rom instead.

http://www.emotive.de/en/de/doc/car-dia ... ols/dp/uds

canadians, french being, sentence flip often order around, eh?

Fixed... even though I'm not French the influence from across the river has an impact, oh and a French gf does too

I'd have to look again but I don't remember seeing that mode in the ROM. Not all modes are mandatory, I think

My testing seems to confirm this. Using CAN it just doesn't seem to respond to those modes. If it were implemented but was blocking due to security etc I would have thought it would send a negative response.

I started disassembling my rom last night, but I think it might be a while before I could make any significant discoveries

I did manage to find my SSM base, so off to a decent start.