Open ECU?

[jedibow]

Quote:

Originally Posted by pozer

Check the BRZedit thread

we are discussing openecu, or romraider here, not ecuedit. Not to get into the differences too much, but one is a purchased ROM editor that cannot be altered (ecuedit), and the other is completely user defined.

We need all the tuning options we can get however, this is two different platforms. To clarify ecuedit would be closer to ecutek, than openecu.

[Dimman]

Quote:

Originally Posted by jedibow

we are discussing openecu, or romraider here, not ecuedit. Not to get into the differences too much, but one is a purchased ROM editor that cannot be altered (ecuedit), and the other is completely user defined.

We need all the tuning options we can get however, this is two different platforms. To clarify ecuedit would be closer to ecutek, than openecu.

You're back at this? Nice.

How are things?

[jedibow]

Quote:

Originally Posted by Dimman

You're back at this? Nice.

How are things?

I will be now...LOL

Good, made it to Canada, loved it! Herniated my bicep so had to pull out of ninja warrior, and converted the Evo to a dedicated time attack car. LOL

Now time for some 86 love...

George

[D-VO]

http://www.ft86club.com/forums/showthread.php?t=3603

=D

[ItsRealFast]

Hey I would like to Thank everyone for this development info into the FRS ecu. I am new here

Well I would like to provide some insight here on exactly what I have planned. My FRS ecu just arrived and my buddy is a Master Tech at Toyota. He has access to all sort of tools. This weekend I will sniff the CAN lines along with K and L lines to see whats really going on the bus. I will gather logs with the car off, logs with the ignition on, logs with the car running, and logs with the dealer tool connected. This way i can filter out idle data vs dealer tool data.

I will then write a program to communicate to my custom hardware which will emulate dealer equipment. I would then connect the Stock ecu and try to reproduce messages and hope to get the same responses.

I know a lot about can bus, hacking ecus, dumping, and protocol stuff. I am still educating myself about about dissembling ecu code to find table data.

I am looking to team up with a couple of people to make this a group effort.

Thanks

Marc

[xjohnx]

Quote:

Originally Posted by ItsRealFast

Hey I would like to Thank everyone for this development info into the FRS ecu. I am new here

Well I would like to provide some insight here on exactly what I have planned. My FRS ecu just arrived and my buddy is a Master Tech at Toyota. He has access to all sort of tools. This weekend I will sniff the CAN lines along with K and L lines to see whats really going on the bus. I will gather logs with the car off, logs with the ignition on, logs with the car running, and logs with the dealer tool connected. This way i can filter out idle data vs dealer tool data.

I will then write a program to communicate to my custom hardware which will emulate dealer equipment. I would then connect the Stock ecu and try to reproduce messages and hope to get the same responses.

I know a lot about can bus, hacking ecus, dumping, and protocol stuff. I am still educating myself about about dissembling ecu code to find table data.

I am looking to team up with a couple of people to make this a group effort.

Thanks

Marc

YES! I wish I could help, but I'm more of an infrastructure guy than a developer, but I'm sure you'll find a couple people here that will be able to assist.

[ft_sjo]

I hope you're a crypto expert as well.

[ItsRealFast]

Quote:

Originally Posted by ft_sjo

I hope you're a crypto expert as well.

Actually I noticed the CPU is a 32bit instruction and with the newer cars the seed and key level of security has also increased with sub levels. So i have been doing some reading about 32bit encryption and I noticed there could be a possibility that the Seed and Key access is 16 or 32 bit public encryption. Which is not an easy task to unlock. There are different levels of Encryption access.

This is due because they may want certain features available to one group of people such as locksmiths who may need to add a new key to the vehicle while still keeping the other levels secure.

So a typically Security Access transaction will have sub-functions that will essentially be the level that you wish to access.

Really tricky stuff. There could be over 4 billion different combinations. And if this process is Dynamic even worst.

But with a team we can reverse which sub security seed and key algorithm to grant us access to the reprogramming section.

I have a Plan for this, But I will not discuss it openly until I've confirmed my speculations this weekend.

Anybody care to shed some light?

Thanks
Marc

[Deepseadiver]

Quote:

Originally Posted by ItsRealFast

Actually I noticed the CPU is a 32bit instruction and with the newer cars the seed and key level of security has also increased with sub levels. So i have been doing some reading about 32bit encryption and I noticed there could be a possibility that the Seed and Key access is 16 or 32 bit public encryption. Which is not an easy task to unlock. There are different levels of Encryption access.

This is due because they may want certain features available to one group of people such as locksmiths who may need to add a new key to the vehicle while still keeping the other levels secure.

So a typically Security Access transaction will have sub-functions that will essentially be the level that you wish to access.

Really tricky stuff. There could be over 4 billion different combinations. And if this process is Dynamic even worst.

But with a team we can reverse which sub security seed and key algorithm to grant us access to the reprogramming section.

I have a Plan for this, But I will not discuss it openly until I've confirmed my speculations this weekend.

Anybody care to shed some light?

Thanks
Marc

Can you shed any new information?

[ItsRealFast]

Hey all

Well here's my update. I know its been a longer than I said but I was kinnda waiting for others to chime in on the discussion. I did monitor the thread but I saw only silence. I am really looking for some developers along with some mathematician cryptographic knowledge. Seems no one is serious.

Further findings, there are different levels of security for sure. I was able to send different seed and key request and I did notice the many secure levels.

I went to the dealer and connected to the TIS Techstream tool to gather some logs in a FRS and on my bench ecu. I was able to gather a couple of seed and keys. But the weekends are very busy there and my time during the week is very slim.

Here is a small list I was able to gather while I was there.

SEEDs - KEYs
00000000 - A4 71 2F 96
00000001 - A2 31 4E EE
00000002 - B0 BC 54 F7
00000003 - 38 FF 61 28
00000004 - 76 41 5F E0
00000005 - 0F 47 F4 83
00000006 - FE 96 D8 29
00000007 - 0A EE C5 A8
00000008 - 8C 05 F8 95
00000009 - 26 1D FA 8F
0000000A - 20 75 C5 D7

Its a 32bit encryption so here are the possible number of combinations 4294967295. Yea that's a lot. Algorithm cracking time. I did get the algorithm recreation quoted by a couple of creditable US companies and the average price is 8500 bukcs. Yea that's also a lot of money. Last on my list.

The Seed request always changes when called. Which makes it so tough to actually get a crack at memory address inside the ECU. The list above shows a sequence list which I was able to acquire.

Attach is a picture of my bench setup Took me about 4 hours to get it working on the bench without frying the ecu. I am a very caution with electronics especially since these ecu's are hard to find...

Well lets keep this going. Also Lets Go Heat!!

[xjohnx]

Quote:

Originally Posted by ItsRealFast

Well lets keep this going. Also Lets Go Heat!!

great work, and i can't stand the heat, but if them winning is what it takes to get this thing moving, then by all means, go heat!

i wonder if we could raise the funds needed to crack the algorithm from forum members, maybe via a site like kickstarter (although, i'm pretty sure something like this would violate Kickstarter's TOS.), i'm assuming there's another similar site.

[xwd]

I would maybe head over to the Romraider or openecu forums since they have been down this road before. The short is people have reversed engineered the 16 and 32 bit Subaru ECUs in the past including the comm protocols. The roms are not encrypted , people have figured out how to dump the roms without using the SSM protocol and then disassembled from there. Ecutek and BRZEdit (epifan) have obviously done this already but I don't think they are going to share.

[Lonewolf]

Quote:

Originally Posted by xjohnx

great work, and i can't stand the heat, but if them winning is what it takes to get this thing moving, then by all means, go heat!

i wonder if we could raise the funds needed to crack the algorithm from forum members, maybe via a site like kickstarter (although, i'm pretty sure something like this would violate Kickstarter's TOS.), i'm assuming there's another similar site.

Hell, I'd chip in 5-10 bucks to help out the community, and I'm sure many others would as well. I would just want to know estimated lead times for cracking...if it's going to take over a year...

[Sensisnow]

Quote:

Originally Posted by xjohnx

great work, and i can't stand the heat, but if them winning is what it takes to get this thing moving, then by all means, go heat!

i wonder if we could raise the funds needed to crack the algorithm from forum members, maybe via a site like kickstarter (although, i'm pretty sure something like this would violate Kickstarter's TOS.), i'm assuming there's another similar site.

I'd happily throw in $100 to get this thing cracked! I have a background in IT, but this cryptography is WAY above my head, so I can't offer anything else.