Page 1 of 2
Re: Update IPC
Posted: 24 Jun 2019, 15:16
by Ursadon
ELM327 is not currently supported. Only ELS27
Stevebe wrote: ↑24 Jun 2019, 14:49
tried v1.2.0 with FL14xx reads eeprom fine the file i loaded intp EEprom direct is on left the file read with your reader on right
this was a Diesel convers 14xx a converted to Petrol so has moded code. the mph to kmph as you know 097 00p 01 km i think i have found the flagg byte
for the 6k Diesel 8k petrol ill confirm later.
Glad my program brings help!
I think, we need to create online spreadsheet with descriptions of offsets. I started here
https://docs.google.com/spreadsheets/d/ ... Gq-dkXssh0
Also, the mileage is stored in the next lines:
0770: xx xx xx xx 32 D1 xx xx 32 D1 xx xx 32 D1 xx xx
0780: 32 D1 xx xx 32 D1 xx xx xx xx xx xx xx xx xx xx
where the next bytes:
32 D1 - is a mileage in km, calculated with using XOR-table
Re: Update IPC
Posted: 24 Jun 2019, 21:16
by Go4IT
Awesome, Ursadon!
I try to use it, but your tool claims about a wrong identifier when trying to access my TRE27 from Tunnelratselectronics.
Just curious, what protocol do you use?
Goof info of the mileage. Yes, i read somewjere else that vendors place the value multiple time inside the eeprom or flash.
So, did you find it by readout after driven a mile?
And what about the XOR „encryption“? Do you know how the value is calculated and where this XOR Lookuptable is in the eeprom?
What km does the odo show with the value given as example?
And, is it possible to read the on chip bootloader code? I would need this to restore a bricked/locked odo.
Re: Update IPC
Posted: 25 Jun 2019, 05:41
by Go4IT
Mileage can't be two bytes, because this could only cover 65535 KM. I think the mileagedata is split up into more bytes.
Re: Update IPC
Posted: 26 Jun 2019, 12:42
by Go4IT
Artist wrote: ↑26 Jun 2019, 09:51
Km raid would be enough to set eg. to 1km. There is no problem upward editing through Forscan, Ucds, Elmconfig.
So it would be enough to add "Set IPC to 1km" ...
Agreed, this is a possible solution. I also thought about this option, but here, we are not so pracmatic aligned, so we will also look for the algo to set it as we want
Thanks for providing the right "codes".
But again, i'm curios about how two bytes can make up a counter with a range to 999.999 (or more?)? This makes no sense to me. The two bytes are simply repeated 6 times.
Re: Update IPC
Posted: 26 Jun 2019, 21:01
by Go4IT
I've played around with the mileage. First of all, i strongly beliefe that it is stored as KM not Miles. Miles is only calculated from KM.
Also, i can confirm the places of the bytes. When i simply change one of them to another value, or all repeats to the same values (pairwise), i get Mileage of 999.999 KM
My ODO has 249.501 KM:
Code: Select all
xx xx xx xx 79 D9 xx xx 79 D9 xx xx 79 D9 xx xx
79 D9 xx xx 79 D9 xx xx xx xx xx xx xx xx xx xx
I can tell, that using the value 32 D1 from the above TachoSoft-Example, results in 999.999 km (error). But i may be for a totally different car/odo.
It seems that the numbers always repeat 5 times. So we have 5 16-Bit values (WORDs, or better UINT16)
Re: Read and write mileage from IPC (EEPROM)
Posted: 04 Jul 2019, 06:21
by Go4IT
Hey guys!
I finally cracked the mileage coding algorithm. Well, with at least a "little" help from other German users working on the same task.
I now know how to decode the bytes of the EEPROM to a mileage and how to code a random mileage to bytes. I need to prepare some things to show you soon
I also learned a lot about how the IPC works. It loads the EEPROM content on boot and from then on it will work with mileage in RAM. From time-to-time it will store the values inside the EEPROM. But this must be rarely done, because the 24C16 used has only 1 million write cycles before possibly fail. So it only writes the value back every kilometer.
I also found out which CAN message to send, to increase the mileage. I needed this for testing. But - all about later, now i need to sort it out first.
This is also because i splitted this into a separate topic.
Re: Read and write mileage from IPC (EEPROM)
Posted: 04 Jul 2019, 06:47
by Ursadon
Go4IT wrote: ↑04 Jul 2019, 06:21
Hey guys!
I finally cracked the mileage coding algorithm. Well, with at least a "little" help from other German users working on the same task.
I now know how to decode the bytes of the EEPROM to a mileage and how to code a random mileage to bytes. I need to prepare some things to show you soon
I also learned a lot about how the IPC works. It loads the EEPROM content on boot and from then on it will work with mileage in RAM. From time-to-time it will store the values inside the EEPROM. But this must be rarely done, because the 24C16 used has only 1 million write cycles before possibly fail. So it only writes the value back every kilometer.
I also found out which CAN message to send, to increase the mileage. I needed this for testing. But - all about later, now i need to sort it out first.
This is also because i splitted this into a separate topic.
Awesome!
Well, then share your knowledge, why the value is duplicated 5 times, or the algorithm itself
I also found out which CAN message to send, to increase the mileage
Only for increase? What type of message do you send?
Re: Read and write mileage from IPC (EEPROM)
Posted: 09 Jul 2019, 21:39
by Go4IT
Just as teaser a view "impressions". So, how about a really biiig mileage?
IMG_3244.JPG
Or, do you want a brand new car? Here you are:
mileage_000000.jpeg
Re: Read and write mileage from IPC (EEPROM)
Posted: 12 Jul 2019, 12:52
by Ursadon
Yes, i cracked it too
As i suggested before:
32 D1 - is a mileage in km, calculated with using XOR-table
- it is xor-based (crc-based) algorithm.
Resulting value is 5 times of divided odometer (lsb 12 bits + 4 bits of crc. Polynome looks like x^3+1) + inverted odo msb (4 bits) + 0x0f + remainder (7 bits + crc-1(x+1 polynome, aka "parity"))
Thank God that we have IDA Pro
1.png
2.png
ipc.jpg
odometer.png
Re: Read and write mileage from IPC (EEPROM)
Posted: 13 Jul 2019, 15:17
by Go4IT
Yes, you're right. Even the algo you formed is more compact than mine, but it is exactly the same. Reverse engineered from IPC firmware.
There is another one at 0x778 as 4 bytes. Coded with parity and CRC, multiplied by 10, giving two numbers behind comma. This seems the one shown in the TEST modus of the IPC. I only miss the one for the trip odo. It must be there also. Just for completeness
BTW: Did you manage to write the EEPROM via CAN now?