leader wrote: ↑09 Jan 2020, 08:38
So after unpacking and reversing the .NET source code
I tried this a long time ago but couldn't get pseudocode I could understand well enough to build a working seed/key calculator.
The most recent version of ILProtector used by m0rtal decrypts/unpacks the functions at runtime, when the function is called.
Some years ago I created an emulator to emulate the CAN responses for the m0rtal tools, and this way I was able to get the source code for the most important functions.
There are other tools from m0rtal for different Radio/IPC units which contain the seed key and some interesting functions for these modules too....
I'm trying to decrypt, or capture by CAN sniffing, the custom SBL from the TPMS patch. I think that this SBL changes some configuration of write limitations in the EEPROM.
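The "emulate the CAN responses and let the tool hand you the answer" approach mentioned in the post above, as an added example that is not code from the thread or from the m0rtal/ELM tools it discusses. A fake ECU answers the tool's UDS SecurityAccess (service 0x27) requestSeed with a seed of our choosing and records whatever key the tool sends back, always replying positively so the tool keeps going; repeating this with several seeds gives seed/key pairs to analyse offline. ISO-TP single frames only, and the CAN identifiers, the 4-byte seed length and the stand-in key function used to simulate the tool are assumptions (the real tool's algorithm is exactly what is unknown here).

```python
"""Fake UDS ECU that harvests seed/key pairs from a diagnostic tool.

Added example, not code from the forum thread or from the tools it
discusses. Assumptions: 11-bit CAN IDs 0x720/0x728, ISO-TP single
frames (payload <= 7 bytes), 4-byte seeds, and a placeholder key
function standing in for the black-box tool under test.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

TESTER_ID = 0x720          # assumed tester -> ECU identifier
ECU_ID = 0x728             # assumed ECU -> tester identifier
SID_SECURITY_ACCESS = 0x27
NRC_SUBFUNCTION = 0x12     # subFunctionNotSupported
NRC_SEQUENCE = 0x24        # requestSequenceError (key before seed)


def isotp_single_frame(payload: bytes) -> bytes:
    """Wrap a <=7 byte payload in an ISO-TP single frame, padded to 8 bytes."""
    if len(payload) > 7:
        raise ValueError("single frame holds at most 7 payload bytes")
    return bytes([len(payload)]) + payload + b"\x00" * (7 - len(payload))


def isotp_unpack(frame: bytes) -> Optional[bytes]:
    """Return the payload of a single frame, or None if it is not one."""
    if len(frame) != 8 or (frame[0] >> 4) != 0:
        return None
    n = frame[0] & 0x0F
    if n == 0 or n > 7:
        return None
    return frame[1:1 + n]


@dataclass
class FakeEcu:
    seed: bytes = b"\x12\x34\x56\x78"
    captured: List[Tuple[bytes, bytes]] = field(default_factory=list)
    pending_seed: Optional[bytes] = None

    def handle(self, can_id: int, frame: bytes) -> Optional[Tuple[int, bytes]]:
        """Answer one CAN frame from the tool; returns (id, frame) or None."""
        if can_id != TESTER_ID:
            return None
        req = isotp_unpack(frame)
        if req is None or len(req) < 2 or req[0] != SID_SECURITY_ACCESS:
            return None
        sub = req[1]
        if sub == 0x01:                       # requestSeed
            self.pending_seed = self.seed
            return ECU_ID, isotp_single_frame(bytes([0x67, 0x01]) + self.seed)
        if sub == 0x02:                       # sendKey
            if self.pending_seed is None:
                return ECU_ID, isotp_single_frame(
                    bytes([0x7F, SID_SECURITY_ACCESS, NRC_SEQUENCE]))
            # Record the pair and accept ANY key: we are not checking it,
            # we are collecting what the tool believes the key is.
            self.captured.append((self.pending_seed, req[2:]))
            self.pending_seed = None
            return ECU_ID, isotp_single_frame(bytes([0x67, 0x02]))
        return ECU_ID, isotp_single_frame(
            bytes([0x7F, SID_SECURITY_ACCESS, NRC_SUBFUNCTION]))


def stand_in_tool_key(seed: bytes) -> bytes:
    """Placeholder for the black-box tool's seed->key routine (XOR 0xA5).
    This is NOT any real vendor algorithm; it only lets the example run."""
    return bytes(b ^ 0xA5 for b in seed)


def run_capture(ecu: FakeEcu, seeds: List[bytes],
                key_fn: Callable[[bytes], bytes] = stand_in_tool_key
                ) -> List[Tuple[bytes, bytes]]:
    """Drive one requestSeed/sendKey exchange per seed and return the pairs."""
    for seed in seeds:
        ecu.seed = seed
        # Tool -> ECU: 27 01 (requestSeed)
        _, resp = ecu.handle(TESTER_ID, isotp_single_frame(b"\x27\x01"))
        payload = isotp_unpack(resp)
        assert payload is not None and payload[:2] == b"\x67\x01"
        # Tool computes its key from the seed we handed it and sends 27 02 key
        key = key_fn(payload[2:])
        _, resp = ecu.handle(TESTER_ID, isotp_single_frame(b"\x27\x02" + key))
        assert isotp_unpack(resp) == b"\x67\x02"
    return ecu.captured


if __name__ == "__main__":
    for s, k in run_capture(FakeEcu(), [b"\x12\x34\x56\x78", b"\x00\x00\x00\x00"]):
        print(f"seed={s.hex()} key={k.hex()}")
```

On a real bench the `handle` method would sit behind a socketcan or J2534 receive loop; choosing seeds such as all-zeros and single-bit patterns makes the collected pairs much easier to reason about than random ones.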
tasicky wrote: ↑09 Jan 2020, 18:36
I'm trying to decrypt, or capture by CAN sniffing, the custom SBL from the TPMS patch. I think that this SBL changes some configuration of write limitations in the EEPROM.
Yes, it changes 5 bytes in EEPROM.
tasicky wrote: ↑09 Jan 2020, 18:36
I'm trying to decrypt, or capture by CAN sniffing, the custom SBL from the TPMS patch. I think that this SBL changes some configuration of write limitations in the EEPROM.
Yes, it changes 5 bytes in EEPROM.
These turn on the menu commands for TPMS that isn't factory fitted.
tasicky wrote: ↑09 Jan 2020, 18:36
I'm trying to decrypt, or capture by CAN sniffing, the custom SBL from the TPMS patch. I think that this SBL changes some configuration of write limitations in the EEPROM.
Yes, it changes 5 bytes in EEPROM.
These turn on the menu commands for TPMS that isn't factory fitted.
Yes, that is what the TPMS part of the mod does. There is TPMS in the main, but without these byte changes in EEPROM it won't work.
When you have the elmloader mod with TPMS you have:
Data (flash)
Exe (main)
Tpms (this part patches the bytes in eeprom)
tasicky wrote: ↑09 Jan 2020, 18:36
I'm trying to decrypt, or capture by CAN sniffing, the custom SBL from the TPMS patch. I think that this SBL changes some configuration of write limitations in the EEPROM.
Yes, it changes 5 bytes in EEPROM.
These turn on the menu commands for TPMS that isn't factory fitted.
Nice. One thing that currently puzzles me is that when I set breakpoints in the I2C handling routines with my J-Link Commander, they never get caught, even if I restart from 0x0000 (using 'r' or 'setpc 0'). What I am trying to do is find the handlers accessing the EEPROM, to find out what all the contents are used for. I think there should be some memcpy method somewhere, copying all EEPROM data into RAM.
You can use the CCC function from ELM Config / UCDS / ForScan (and maybe others) to do this: download your current CCC, modify the options, then upload the CCC only to the IPC (back up the module first).
Without running the TPMS patch, TPMS is enabled in the CCC menu, but when I try to assign tires the IPC reboots. After applying the patch, assignment works. I think that the assignment writes to a protected area and causes the reboot.
leader wrote: ↑09 Jan 2020, 10:28
The most recent version of ILProtector used by m0rtal decrypts/unpacks the functions at runtime when the function is called.
I tested debugging an ILProtected assembly to see what actually happened at runtime.
I got past it with a program that tracks and saves the decoded modhelper archive in real time. I will try to simulate the installation on an IPC clone.
If this method works, extracting data from Modhelper will be just a formality.