MicroHacker Forum

Online community for electronics and microcontroller reverse engineering
https://microhacker.denkdose.de/

Update IPC

https://microhacker.denkdose.de/viewtopic.php?t=33

Page 13 of 16

Re: Update IPC

Posted: 14 Dec 2019, 23:03
by Stevebe
Artist wrote: 14 Dec 2019, 20:57 The header is not important, it can be copied from another file or used eg. VBF Tool and create header there.
Beware of differences in vbf tool version 2.2 and 2.3.
Have you seen a version of vbf tool 2.3.

Re: Update IPC

Posted: 15 Dec 2019, 00:18
by Artist
No, but the original and recent files are version VBF 2.3. The older version is in the header version 2.2...
I meant vbf version not vbf tool.

Re: Update IPC

Posted: 15 Dec 2019, 00:39
by Stevebe
Artist wrote: 15 Dec 2019, 00:18 No, but the original and recent files are version VBF 2.3. The older version is in the header version 2.2...
I meant vbf version not vbf tool.
Lol no problem thanks for getting back to me

Re: Update IPC

Posted: 15 Dec 2019, 10:30
by Go4IT
As VBF format is an ever upcomming question, let's use the wiki to document all the experience and tools! https://mk4-wiki.denkdose.de/en/artikel/vbf/start
I try to add as much as possible there, but please point out what was missing.

Re: Update IPC

Posted: 24 Jan 2020, 12:17
by oscarboiro
Ursadon wrote: 25 May 2019, 16:38
oscarboiro wrote: 30 Apr 2019, 08:49
After copy on my arduino sketch have this error: expected initializer before 'LFSR'

i need a LFSR library? the code are only to C# or is valid to arduino?
Hi! I apologize for the delay - I finished my studies at the institute :)

This is pseudo C code
Here is C code, which you can use - https://gist.github.com/Ursadon/8c55972 ... efa037fabb

Also:
1) I cracked all secret keys for (probably) all modules in Ford - https://gist.github.com/Ursadon/8941ff5 ... e09f060eec
For IPC use second key.
2) I made my own CANhacker, so the development process will go faster :)
Hello, i try in my Arduino skect and work fine, in my kuga 1 need the key: (A8, 0, AF, 91, 24)
But im programming a tool to update my intrument cluster in a visual basic.
i try to convert the C code to visual basic, bit calculate a wrog code, i use this:

Code: Select all

  Private Function generate_seed_response(ByVal s1 As Integer, ByVal s2 As Integer, ByVal s3 As Integer, ByVal s4 As Integer, ByVal s5 As Integer, ByVal seed As Integer) As Integer

        Dim Or_ed_seed As Integer

        Or_ed_seed = ((seed And &HFF0000) >> 16) Or (seed And &HFF00) Or (s1 << 24) Or (seed And &HFF) << 16

        Dim mucked_value As UInt32 = &HC541A9

        Dim a_bit, v9, v8, v10, v11, v12, v13, v14 As UInt32

        For i As Int32 = 0 To 32 - 1

            a_bit = ((Or_ed_seed >> i) And 1 Xor mucked_value And 1) << 23

            v8 = v9 = v10 = (a_bit) Or (mucked_value >> 1)

            mucked_value = v10 And &HEF6FD7 Or
                ((((v9 And &H100000) >> 20) Xor ((v8 And &H800000) >> 23)) << 20) Or
                (((((mucked_value >> 1) And &H8000) >> 15) Xor ((v8 And &H800000) >> 23)) << 15) Or
                (((((mucked_value >> 1) And &H1000) >> 12) Xor ((v8 And &H800000) >> 23)) << 12) Or
                32 * ((((mucked_value >> 1) And &H20) >> 5) Xor ((v8 And &H800000) >> 23)) Or
                8 * ((((mucked_value >> 1) And 8) >> 3) Xor ((v8 And &H800000) >> 23))
        Next




        For j As Integer = 0 To 32 - 1

            v11 = ((((s5 << 24) Or (s4 << 16) Or s2 Or (s3 << 8)) >> j) And 1 Xor mucked_value And 1) << 23
            v12 = v11 Or (mucked_value >> 1)
            v13 = v11 Or (mucked_value >> 1)
            v14 = v11 Or (mucked_value >> 1)

            mucked_value = v14 And &HEF6FD7 Or
                ((((v13 And &H100000) >> 20) Xor ((v12 And &H800000) >> 23)) << 20) Or
                (((((mucked_value >> 1) And &H8000) >> 15) Xor ((v12 And &H800000) >> 23)) << 15) Or
                (((((mucked_value >> 1) And &H1000) >> 12) Xor ((v12 And &H800000) >> 23)) << 12) Or
                32 * ((((mucked_value >> 1) And &H20) >> 5) Xor ((v12 And &H800000) >> 23)) Or
                8 * ((((mucked_value >> 1) And 8) >> 3) Xor ((v12 And &H800000) >> 23))

        Next

        Return ((mucked_value And &HF0000) >> 16) Or 16 * (mucked_value And &HF) Or ((((mucked_value And &HF00000) >> 20) Or ((mucked_value And &HF000) >> 8)) << 8) Or ((mucked_value And &HFF0) >> 4 << 16)
    End Function
any user can help me to find a bug? i replace the C operator " ^ " to " Xor " and i try some options but all generate a wrong code.

Re: Update IPC

Posted: 24 Jan 2020, 21:35
by oscarboiro
i found the problem in source code of visual basic:

i need write the v8, v9 and v10 separatly

Code: Select all

            v8 = (a_bit) Or (mucked_value >> 1)
            v9 = (a_bit) Or (mucked_value >> 1)
            v10 = (a_bit) Or (mucked_value >> 1)
I run a test aplication and work fine

Code: Select all

  Private Function generate_seed_response(ByVal s1 As Integer, ByVal s2 As Integer, ByVal s3 As Integer, ByVal s4 As Integer, ByVal s5 As Integer, ByVal seed As Integer) As Integer

        Dim Or_ed_seed As Integer

        Or_ed_seed = ((seed And &HFF0000) >> 16) Or (seed And &HFF00) Or (s1 << 24) Or (seed And &HFF) << 16

        Dim mucked_value As UInt32 = &HC541A9

        Dim a_bit, v9, v8, v10, v11, v12, v13, v14 As UInt32

        For i As Int32 = 0 To 32 - 1

            a_bit = ((Or_ed_seed >> i) And 1 Xor mucked_value And 1) << 23

            v8 = (a_bit) Or (mucked_value >> 1)
            v9 = (a_bit) Or (mucked_value >> 1)
            v10 = (a_bit) Or (mucked_value >> 1)

            mucked_value = v10 And &HEF6FD7 Or
                ((((v9 And &H100000) >> 20) Xor ((v8 And &H800000) >> 23)) << 20) Or
                (((((mucked_value >> 1) And &H8000) >> 15) Xor ((v8 And &H800000) >> 23)) << 15) Or
                (((((mucked_value >> 1) And &H1000) >> 12) Xor ((v8 And &H800000) >> 23)) << 12) Or
                32 * ((((mucked_value >> 1) And &H20) >> 5) Xor ((v8 And &H800000) >> 23)) Or
                8 * ((((mucked_value >> 1) And 8) >> 3) Xor ((v8 And &H800000) >> 23))
        Next




        For j As Integer = 0 To 32 - 1

            v11 = ((((s5 << 24) Or (s4 << 16) Or s2 Or (s3 << 8)) >> j) And 1 Xor mucked_value And 1) << 23
            v12 = v11 Or (mucked_value >> 1)
            v13 = v11 Or (mucked_value >> 1)
            v14 = v11 Or (mucked_value >> 1)

            mucked_value = v14 And &HEF6FD7 Or
                ((((v13 And &H100000) >> 20) Xor ((v12 And &H800000) >> 23)) << 20) Or
                (((((mucked_value >> 1) And &H8000) >> 15) Xor ((v12 And &H800000) >> 23)) << 15) Or
                (((((mucked_value >> 1) And &H1000) >> 12) Xor ((v12 And &H800000) >> 23)) << 12) Or
                32 * ((((mucked_value >> 1) And &H20) >> 5) Xor ((v12 And &H800000) >> 23)) Or
                8 * ((((mucked_value >> 1) And 8) >> 3) Xor ((v12 And &H800000) >> 23))

        Next

        Return ((mucked_value And &HF0000) >> 16) Or 16 * (mucked_value And &HF) Or ((((mucked_value And &HF00000) >> 20) Or ((mucked_value And &HF000) >> 8)) << 8) Or ((mucked_value And &HFF0) >> 4 << 16)
    End Function
Thank you Urdason!!! if you want copy the visual basic source code in your github account!!!

my next steep is write my IC

Re: Update IPC

Posted: 13 Feb 2020, 23:21
by oscarboiro
i start to program my own software to update Kuga MK1 IPC, im usin a genuine ELS27, but after set up AT and ST comands y try to write, my problem comes when i write SBL or Firmware, the serial port return "STOPPED" i read a data sheet of ELM327, and some times the problem comes when write the serial port before received ">" bit if i program delay have same problem, anther probles is, when 1 send some lines, ej: 20, 21, 22, 23 only write 20, 22 ....

to solve this probles i write a blanc line, but to write all instrument cluster need 18 minutes and if i use elmconfig need only 4.

any suggestion to write my ic? i need program any especific AT or ST comand? i need write any prompt or similar?

thanks

Re: Update IPC

Posted: 14 Feb 2020, 07:43
by DGAlexandru
You can use ElmConfig to sniff their way of doing this - press the "Log" button then check "Full Information" and then check "Write to file" and choose a file.
This way you'll get all the info you need. You can stop the process after the SBL was sent.. if you don't want to wait for the full writing process to end.
elm_fullInfo.jpg

Code: Select all

< AT L0
> AT L0
> OK
< AT E0
> AT E0
> OK
< AT H0
> OK
< AT S1
> OK
< AT D0
> OK
< AT AT0
> OK
< AT ST40
> OK
< AT TP6
> OK
< AT SH720
> OK
< AT AL
> OK
< AT CAF0
> OK
< 720 03 22 E6 10 00 00 00 00 
> CAN ERROR
< AT WS
> ELM327 v1.4a

Re: Update IPC

Posted: 14 Feb 2020, 07:59
by oscarboiro
DGAlexandru wrote: 14 Feb 2020, 07:43 You can use ElmConfig to sniff their way of doing this - press the "Log" button then check "Full Information" and then check "Write to file" and choose a file.
This way you'll get all the info you need. You can stop the process after the SBL was sent.. if you don't want to wait for the full writing process to end.
elm_fullInfo.jpg

Code: Select all

< AT L0
> AT L0
> OK
< AT E0
> AT E0
> OK
< AT H0
> OK
< AT S1
> OK
< AT D0
> OK
< AT AT0
> OK
< AT ST40
> OK
< AT TP6
> OK
< AT SH720
> OK
< AT AL
> OK
< AT CAF0
> OK
< 720  03 22 E6 10 00 00 00 00
> CAN ERROR
< AT WS
> ELM327 v1.4a
Good morning

I look this option and I have same configuration, but in my software don’t run with same speed.

My software are written in Visual Basic and to send commands need use a serialwrite commmand, example:

Serialwrite(“03 22 E6 10 00 00 00 00” & vbcr)

But if I send another can string need waith very long time or causes a STOPPED message.en need write in serial next:

Serialwrite(“ ” & vbcr)



And I don’t now why. If I sniff with ucds my software and elmconfig show same strings with speed difference

Re: Update IPC

Posted: 14 Feb 2020, 08:46
by Ursadon
Linending or lenght wrong
All times are UTC
Page 13 of 16

Powered by phpBB® Forum Software © phpBB Limited