Re: Vin protection
Posted: 09 Jan 2020, 10:28
by leader
DGAlexandru wrote: ↑09 Jan 2020, 09:27
leader wrote: ↑09 Jan 2020, 08:38
So after unpacking and reversing the .NET source code
I tried this a long time ago but couldn't get pseudocode that I could understand in order to build a working seed key calculator.
The most recent version of ILProtector used by m0rtal decrypts/unpacks the functions at runtime when the function is called.
Some years ago I created an emulator to emulate the CAN responses for the m0rtal tools, and this way I was able to get the source code for the most important functions.
There are other tools from m0rtal for different Radio/IPC units which contain the seed key and some interesting functions for these modules as well....
Re: Vin protection
Posted: 09 Jan 2020, 18:36
by tasicky
I'm trying to decrypt, or take by CAN sniffing, the custom SBL from the TPMS patch. I think that this SBL changes some configuration of the write limitations to the EEPROM.
Re: Vin protection
Posted: 09 Jan 2020, 19:15
by Gwe89
tasicky wrote: ↑09 Jan 2020, 18:36
I'm trying to decrypt, or take by CAN sniffing, the custom SBL from the TPMS patch. I think that this SBL changes some configuration of the write limitations to the EEPROM.
Yes, it changes 5 bytes in the EEPROM.
Re: Vin protection
Posted: 09 Jan 2020, 19:32
by Stevebe
Gwe89 wrote: ↑09 Jan 2020, 19:15
tasicky wrote: ↑09 Jan 2020, 18:36
I'm trying to decrypt, or take by CAN sniffing, the custom SBL from the TPMS patch. I think that this SBL changes some configuration of the write limitations to the EEPROM.
Yes, it changes 5 bytes in the EEPROM.
These turn on the menu commands for the TPMS that isn't factory fitted.
Re: Vin protection
Posted: 09 Jan 2020, 19:50
by Gwe89
Stevebe wrote: ↑09 Jan 2020, 19:32
Gwe89 wrote: ↑09 Jan 2020, 19:15
tasicky wrote: ↑09 Jan 2020, 18:36
I'm trying to decrypt, or take by CAN sniffing, the custom SBL from the TPMS patch. I think that this SBL changes some configuration of the write limitations to the EEPROM.
Yes, it changes 5 bytes in the EEPROM.
These turn on the menu commands for the TPMS that isn't factory fitted.
Yes, that is what the TPMS part of the mod does. There is TPMS in the main, but without these byte changes in the EEPROM it won't work.
When you have the elmloader mod with TPMS you have:
Data (flash)
Exe (main)
Tpms (this part patches the bytes in eeprom)
Re: Vin protection
Posted: 10 Jan 2020, 06:15
by Go4IT
Stevebe wrote: ↑09 Jan 2020, 19:32
Gwe89 wrote: ↑09 Jan 2020, 19:15
tasicky wrote: ↑09 Jan 2020, 18:36
I'm trying to decrypt, or take by CAN sniffing, the custom SBL from the TPMS patch. I think that this SBL changes some configuration of the write limitations to the EEPROM.
Yes, it changes 5 bytes in the EEPROM.
These turn on the menu commands for the TPMS that isn't factory fitted.
Nice. One thing that currently puzzles me is that when I set breakpoints in the I2C handling routines with my J-Link Commander, they never get caught, even if I restart from 0x0000 (using 'r' or 'setpc 0'). What I try to do is to find the handlers accessing the EEPROM to find out what all the contents are used for. I think there should be some memcpy method somewhere, surging all EEPROM data into RAM.
Re: Vin protection
Posted: 10 Jan 2020, 11:20
by tasicky
Gwe89 wrote: ↑09 Jan 2020, 19:15
Yes, it changes 5 bytes in the EEPROM.
Ok. Thanks for the information. I will prepare a VBF changing these bytes and check if the wheel assignment is working.
Re: Vin protection
Posted: 10 Jan 2020, 11:40
by DGAlexandru
You can use the CCC function from ELM Config / UCDS / ForScan and maybe others to do this: download your current CCC, modify the options, then upload CCC only to IPC (back-up module).
Re: Vin protection
Posted: 10 Jan 2020, 12:50
by tasicky
Without running the TPMS patch, TPMS is enabled in the CCC menu, but when I try to assign tires the IPC reboots. After applying the patch the assignment works. I think that the assignment writes to a protected area and it reboots.
Re: Vin protection
Posted: 10 Jan 2020, 16:21
by paxtonix
leader wrote: ↑09 Jan 2020, 10:28
the most recent version of ILProtector used by m0rtal decrypts/unpacks the functions at runtime when the function is called.
I tested debugging an ILProtected assembly to see what actually happened at runtime.
I went past a program that tracks and saves the decoded modhelper archive in real time. I will try to simulate the installation on an IPC clone.
If this method works, extracting data from Modhelper will be just a formality.