|
Welcome to the Australian Ford Forums forum. You are currently viewing our boards as a guest which gives you limited access to view most discussions and inserts advertising. By joining our free community you will have access to post topics, communicate privately with other members, respond to polls, upload content and access many other special features without post based advertising banners. Registration is simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact us. Please Note: All new registrations go through a manual approval queue to keep spammers out. This is checked twice each day so there will be a delay before your registration is activated. |
|
The Pub For General Automotive Related Talk |
|
Thread Tools | Display Modes |
16-05-2021, 08:03 PM | #421 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
That's the most expensive fix I've ever heard of!
Maybe FADI75 from ASL has something to add? If you actually read this thread you would know, all the units will have the same issue (SAT NAV or not, even though they have larger flash memory chips) because they only repair bad blocks on a reboot, which sadly, rarely happens. For the record, for the last 2 weeks, I've been sending in codes to the "super user" mode request on one of these units, I'm up to 0x00017A from what looks like a limited subset of request-response messages. I only need one to match to take this further (to brute force some key matches). Sad that I'm wasting 25w of power doing this though over what might be a while, Ford could just fix it quickly, really. |
||
3 users like this post: |
17-05-2021, 12:47 PM | #422 | ||
Donating Member
Join Date: Mar 2007
Location: Heading thru Hell (Corner)
Posts: 8,307
|
Hey Jason, you may have missed my earlier post, but is there a way for us general users to force a reboot? If the repair only happens on a reboot, I'm thinking about incorporating it into a regular 'service'.
__________________
Labels are for jars, not for people. Life is a journey, not a destination. ~~~~~~~~~~~~~~ Daily: 2013 FGII EcoLPi in Winter White Play: 2015 FG X XR8 in Emperor Show' N Shine thread Gone, but not forgotten: 2015 SZII petrol Titanium Territory in Emperor |
||
17-05-2021, 05:02 PM | #423 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
Forscan can do it (with a license, probably, not sure I tried before I applied my license). Watching the shutdown process (when I type "shutdown") it goes to a lot of trouble to terminate all programs properly, takes about 10 seconds... Watching Forscan do it, it's more of a "reboot now, don't wait" thing... So I'm not sure how nasty that is, but it's got to be a whole lot better than disconnecting the battery (to everything in the car). You don't lose any settings either.
I've got WiFi in my unit now, so I can VNC into a R-Pi or connect a terminal from my PC and do updates (terminal Y-Modem file transfer, I've been busy) and run commands. Don't even need to unplug my music USB anymore to stick program updates in from another USB. The VNC client was a bit buggy at first (I thought it all worked, on the bench, so I installed it) but it crashed once and took out the WiFi. I was faced with pulling the battery, or pulling the ICC out, then I remembered Forscan and ran the routine. WiFi back up and I could update the VNC software again. VNC crashing will now do an automatic slow/proper reboot too. But it's never happened again, but then I was in music-video mode (Kodi on the Pi) at the time, which I don't really use while I'm driving. |
||
2 users like this post: |
25-05-2021, 05:14 PM | #424 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
I got my first super-user mode match today... request AE 14 25 unlocks with response 00 00 BC
I was excited, but an hour later that excitement has all but faded. I plugged in the request-response data into a brute force secret key generator (which is 5 bytes) and there are 65,536 different secret keys that will unlock that one match (out of 1,099,511,627,776). Now I need to wait for a 2nd match to find a reduced set of secret keys (maybe 256 or less of them???). I could also just change the program now and send in the 65K different translations (may take less than 21 days, which is where I'm up to now) but I'd like a 2nd confirmed match from my current program anyway (as I now know it's working). I say I got one match today, but I actually got two matches... But they were the same request-response... You can see it took 21 days and the counter to reach BC (or 188 in people-speak) which means (24 hours * 21 days = 504 ...so... 504 hours / 188 = 2.68) so on average it's asking for the same request every few hours. At first, when I saw the two identical matches when I got home from work, I thought I had a bug in the program. Then it dawned upon me, I'll be seeing more of this same match over the coming days/weeks. The specific counter for a specific request doesn't increase for a positive match - so no bugs. |
||
2 users like this post: |
25-05-2021, 08:23 PM | #425 | |||
FF.Com.Au Hardcore
Join Date: Mar 2012
Posts: 963
|
[QUOTE=dexr6;6578838]
Quote:
Jason I admire your work, but have absolutely no idea what any of the technical jargon means.. Do we have any resolution forthcoming where a repair isn't going to cost a limb or similar? |
|||
25-05-2021, 09:14 PM | #426 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
Thanks, to all of you, for the support. Yes, this thread already has solutions to this problem... but, I also recognise it's a tough situation to have to pull your car apart to fix Ford's misjudgement on installing throw away (within 3-8 years) components. Just read about Tesla's 6 year estimate on their in-built car-puter's life expectancy...
What I'm trying to do now is get to a point where you can do your own fixes with a USB stick and a OBD2 dongle. No disassembly required. Though I have to admit, getting the SD card reader working on these units (which needs an SD socket soldered in) is eventually going to be what keeps it working long-term. All my units (4 of them) run the software off an SD card now. If I can crack the protection (with or without Ford's help, and I would really appreciate it if Ford chimed in!) which is what I'm doing now, so your can run crowd-sourced software, then cheap (or free!) fixes are on the horizon. Don't expect any businesses to help though :( |
||
11 users like this post: |
29-05-2021, 01:18 PM | #427 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
A quick update: I have not seen another match yet, but plenty of the same one I already have the "key" for (request=seed, response=key according to the people who designed this). I.E. request/seed AE 14 25 unlocks with response/key 00 00 BC
Well, seeing no others, and being the weekend where I have more time, I devised a new program (a few actually) to get the 65K of secret keys I knew existed and plug them in one by one. The damn thing unlocked first go. Must have been a bug in the software. All my debug statements were enabled to see what was happening, but again, on the next run, unlocked first go. The device is telling me "yep" that's the code/key I needed - debug statements confirmed it. The penny drops, so I write another program to check if the 65K of secret keys I have all produce the same key for any given seed. They do. So I have 65,536 working keys. I modified the program to show me the ones that are "readable"... Got quite a few, but I'm going with... pLaRM And this confirms Ford updated the keys back in 2011/12 when they got hacked, but they didn't change the seed-key algorithm. Now I just have to be real careful, so I don't run the clear-flash command while the device is unlocked. I may have to spend some time working out how to dump the V850 firmware before I start sending in random commands. |
||
29-05-2021, 05:43 PM | #428 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
Too...many...beers... (so not much more progress for tonight)
But here's a command that wasn't doing anything before I could unlock the device (31 AB 00 is the command to initiate the USB Update process that's on all these devices - which isn't the one I want, as I want the one that runs a custom shell script off the USB stick): Here you can see my attempt to run the command previously, enter mode FA (81=standard, 85=super, 87=enhanced, FA=update... super-user mode completely resets the device as soon as you leave it, not sure what's going on there, but with the new unlock code I can remain in that mode as long as I want and execute commands no other modes have). Condition not correct means I have not entered the required key for the security mode yet when I attempt 31 AB 00. When I do though, things start working... Console output mentions line 322 has failed to kill something (not to worry though) and soon after it detect the USB stick doesn't contain the files it wants: You can barely make out the script reference at line 322 (kill) & 329 (Waiting for USB storage device) ^^^ and right at the bottom (very blurry) "USB storage device not found" Getting close though |
||
8 users like this post: |
30-05-2021, 01:02 PM | #429 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
So my USB device has a recore.sh script in the correct directory (image-usb-recore). All it says is "echo Hello World". 31 AB 01 executes it! Then you are locked out from doing it again, until you reset - so I added a reset command too, to my program that is driving the arduino Nano. I guess I'm going to have to learn how to control an ODB2 dongle from a custom Windows application now. (So you don't have to own a whole lot of electronics to do this.) |
||
31-05-2021, 02:01 PM | #430 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
*** WARNING - THEORETICAL SOFTWARE ATTACHED ***
*** WARNING - THIS SOFTWARE IS NOT FOR ACTUAL USE *** I'll repeat that in other words: If you use this software and wreck your car, it's on YOU! Don't PM me, don't post here about your sadness. You have been warned. Attached are files called "FG2ICCComms.txt", "z.txt" and "recore.txt" The real names are called "FG2ICCComms.exe", "z.sh" and "recore.sh" The .exe is for Windows. The .sh files are shell-scripts edited in Notepad++ (UNIX End-Of-Line convention - See Notepad++'s Edit-menu's EOL Conversion options). If you are silly enough to run this software, you will see this screen: COM allows you to select your ELM327 dongle, one which has a physical switch for HIGH-SPEED and MEDIUM-SPEED. It needs to be on medium throughout using the software, the car's accessories also need to be on so the ICC is on. Leave the baud rate as 38400 unless you know your device is different. A USB stick needs to be formatted as FAT32, the "z.sh" file copied into the root along with creating a directory called "image-usb-recore" - which is where the "recore.sh" file needs to be copied. If you are silly enough to connect everything up, you might be tempted to press "Connect" in the software, wait a few seconds, see some initial comms to the ELM327, then press the "Recore" button and watch the ICC screen as it fills with text. DON'T DO IT!! What's in the files? recore.sh has these lines, to copy z.sh from the USB root into /packages (off the USB stick, because it needs to be remounted as read-write). command -v hmiShow.sh >/dev/null && . hmiShow.sh "Custom script is running!" cp -f /fs/usb0/z.sh /packages/z.sh cd / /packages/z.sh & So it would now be running z.sh which has the following: command -v hmiShow.sh >/dev/null && . hmiShow.sh "Setting up to write to USB stick..." umount -f /fs/usb0 slay devb-umass devb-umass cam pnp blk cache=2m,auto=partition,automount=hd0@dos:/fs/usb0,rw dos exe=all sleep 10 command -v hmiShow.sh >/dev/null && . hmiShow.sh "Copying files to USB now..." cd fs/usb0 cp -LR /etfsRoot . cp -LR /packages . cp -LR /proc/boot . ls -lR /etfsRoot > ./etfsRoot.txt ls -lR /packages > ./packages.txt ls -lR /proc/boot > ./boot.txt command -v hmiShow.sh >/dev/null && . hmiShow.sh "Script is finished, please reboot!" This would give you a copy of all the files on the ICC (not the symbolic links though - which is why I also added 3 complete directory listings as text files). When the ICC screen says "please reboot!" it means press the "Reset" button in the software. *** BUT DO NOT DO ANY OF THIS! *** Since no-one will ever do this, I didn't bother cleaning up the /packages/z.sh file that was copied, it wouldn't be noticed if it were left behind after all. |
||
31-05-2021, 04:58 PM | #431 | ||
Donating Member
Join Date: Feb 2006
Location: Roxby Downs, SA
Posts: 1,439
|
You are a legend mate. This is so interesting.
Sent from my SM-G998B using Tapatalk
__________________
ZG Fairlane 500 351 - First car - Now restoring! - LOOKING FOR ZG PARTS - BLACK AUTO CONSOLE - BLACK DASH PAD - BLACK SEAT BELTS (WITH THE METAL BUCKLES) - RIGHT REAR CHROME TRIM XF Falcon S Update EFI - SOLD EL2 XR8 - SOLD BF F6 RSPEC #139 - SOLD Now rocking the SZ Territory Titanium Petrol Family Beast |
||
This user likes this post: |
31-05-2021, 06:01 PM | #432 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
Thanks man.
To be honest, I'm hanging out for someone with an ASL unit with the "new" SAT-NAV upgrade to run the above software, and to post their firmware on github... Just to see if it somehow strangely has the same edits I did a number of pages back. But that would imply the software attached in the above post is fully operational. And I'm not confirming or denying that. Actually, if you have a black screen unit - you might as well run it, can't make that any worse - and you will probably be able to tell if it's self-repairable (if you get all the files stored to the USB stick like I did with my broken unit, and compare to the ones I posted on github, where some can be seen to be corrupt). I don't want this thread turning into a "how can I upgrade my SAT-NAV maps" though. That's what happened to the Jeep thread on another site. Maybe though, ASL will be in trouble, having given stern assurances that units would come back to them for any map upgrade. Makes you think, eh. |
||
01-06-2021, 01:41 PM | #433 | ||
Starter Motor
Join Date: Sep 2010
Posts: 23
|
Thanks @JasonACT. Despite your good advice I gave it a crack and the ICC didn't start scrolling through text. Just the last line on the following photo (10FA) came up on the app
Maybe my screen is stuffed, or dongle not working properly. Anyway thanks for sharing all the work and your expertise on these units. Cheers |
||
2 users like this post: |
01-06-2021, 02:16 PM | #434 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
Looks to be a dongle problem, you can see the commands going in, which is good, but the dongle is also meant to also say "OK" if it processed them properly (or give an error if it didn't) - you got nothing.
10FA is the start of the recore command, but it probably wasn't sent, so got no response to continue with the rest of them. Have you got any details on your dongle to share? |
||
2 users like this post: |
01-06-2021, 03:02 PM | #436 | ||
Starter Motor
Join Date: Sep 2010
Posts: 23
|
Thanks mate, I tried all the different baud rates with no difference. The dongle that I have is just one that I got with an app that I bought called BMWhat a few years ago when my young bloke had a BMW. Have you got a dongle that you prefer? Anyway, thanks again, I didn't mean to waste your time.
|
||
01-06-2021, 03:09 PM | #437 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
Needs a medium speed switch, mine looks like this (not sure if this is who I bought it off though):
https://www.ebay.com.au/itm/18480009...item2b06f19fb3 |
||
01-06-2021, 04:56 PM | #438 | ||
Regular Member
Join Date: Dec 2010
Location: North Qld
Posts: 403
|
Jas...im going to send mine to ASL to get the New Sat nav upgrade on it.
__________________
2015 FGX XR6T Ute - Aero Blue - Leather Trim - 6 Speed Manual 1966 Mustang Convertible - Wimbledon White - 289ci Windsor - C4 Auto - Power Hydraulic Roof / Factory AC Previous Fords: - 2012 FGII XR6 Manual Ute - Kinetic - 1984 XF Fairmont Ghia - Olympic Gold - 1987 XF S Pak - White- 1994 ED Falcon Classic V8 - Polynesian Green - 1999 AU1 Falcon S - Hot Chilli Red - 2009 LV Focus Zetec 5sp Manual - Black Sapphire |
||
This user likes this post: |
01-06-2021, 05:40 PM | #439 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
Awesome
Other random thoughts about all this: . The QNX OS doesn't like script files edited in Windows - so do use Notepad++ and ensure the line endings are correct (UNIX) . If you have a blank screen, use a USB stick with an LED so you can monitor its progress. . etfsRoot is full of links to /packages so don't expect many actual files in there (why I did the directory listings). . boot is a read-only directory (initial file system used to boot) and there's 3 copies protected by a CRC so if your unit boots, those files are "good". . boot has different kernels for the Non-Nav unit and the Nav units (128MB flash vs 1GB flash chips installed). . I made a mistake (or according to Cav, a mmmmmmmmmmm) by assuming the dongle would report errors for my program . The original idea was to make a backup, which is what the scripts do, then later on make another and check there's no differences (fix them if there are, one by one) ** . These non-Nav units have only 128MB of flash and are almost full, which means if it does get a chance to reboot and repair, it ends up using the same bad flash cells... With some symbolic links you could delete 2 themes (keeping the one you like) and sym-link the other two to the remaining one. This would free a lot of flash and keep the unit going much longer. The Sat-Nav ones don't have this issue. . Sat-Nav units have enough space to keep the old maps when you install new maps, from memory I copied over new maps into a new area and renamed the directories once I was done before rebooting. If it went bad, I could just rename them back and reboot again. I never had that problem though. ** It's best not to assume the 3 versions I have on github will help your unit, I expect there are a lot of different versions, which will make it hard to tell what's gone wrong. I had to keep some old files when I upgraded all my versions, which you can only tell there's a problem by watching the console when the unit boots. You can't do that without pulling the ICC apart. I use WinDiff (someone has a standalone download on the 'net for this) to check if entire directories have no differences. You may see differences in settings and boot-count files, but feel free to reset the boot-counter if you like Last edited by JasonACT; 01-06-2021 at 06:05 PM. |
||
4 users like this post: |
07-06-2021, 05:57 PM | #440 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
I've had a "spare" FG2 instrument cluster circuit board (without its speaker/alarm, I desoldered it, to keep my sanity) sitting on the dining room table for the past 4 (solid) days. Hitting it with keys to its seeds on the security request. Didn't get a single duplicate request in that time, so unlike the ICC it "goes through" all combinations. Still, my program should actually like this better, in that it took 3 weeks to get an ICC match, but it should only take 2 weeks on this unit.
Got a match today. Seed BA 3F B8 is unlocked by key 00 00 00 <-- you see it never got to try 00 00 01 on any seed. And "my chosen" secret key is: (out of 65K of them) DoWZy Now, I have no idea what that might unlock in the cluster. I spent the whole weekend trying to read the firmware and memory locations on the ICC while it was unlocked - AND GOT NOTHING! Even some of the "protected" blocks and "memory by IDs" (which I can read) still can't be written (like the VIN number) while unlocked. Hopefully, the Cluster is a little more friendly to my tinkering (since the ICC doesn't really care about VINs, but the cluster certainly does). Anyway, some more thoughts on the ICC... . I said not to do this because, these units "seem to break" due to the battery being changed, but I reckon it's just the reset and re-boot that fails. So I don't want to be responsible for anyone doing a reset on a unit that has already lost its marbles. (Just before a battery change is a good time to save the firmware though.) . Comparing files to known good ones: if the file size is different on any particular file, it's a different firmware version. . If you have a corrupt file, you will probably see the start and end of the file are identical, but somewhere in the middle you will see obvious corruption - like a misspelt word in there somewhere, though with binary bits you may not notice it so obviously. . To copy back files from the USB stick, you don't need the two stage shell script (recore.sh -> z.sh). It can all go in the recore.sh... Just like the cp command to copy z.sh to /packages - you would create a list of cp (-f = force, in case it's an in-use file) commands to do each one. . The Terry unit I got that was dead had a lot of theme file errors, and I have to admit, I just copied the whole lot back with the -R (recursive) flag for cp. (Has the FPV gauges blue and red LEDs installed too .) Last edited by JasonACT; 07-06-2021 at 06:12 PM. Reason: pictures, or it didn't happen... |
||
4 users like this post: |
10-06-2021, 05:20 PM | #441 | ||
Regular Member
Join Date: Oct 2015
Posts: 240
|
|
||
10-06-2021, 05:58 PM | #442 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
On an FG and FG2 yes, there's no micro-controller on the buttons circuit board, so the smaller circuit board in the FDIM is doing all the CAN-BUS work.
On an FGX there is a micro-controller on the buttons circuit board, so the assumption is it's generating the button CAN signals. Probably because the FGX uses the Sync-2 module which is common for a lot of Fords of the time, where the buttons may not have been common between many of them. In unrelated research, entering security mode (UDS function 0x27) which I've now got keys for the ICC and Cluster, may have different "levels" where you can request a 2nd function 0x27... Both the ICC and Cluster respond with "give me the key to 00 00 00" which to me looks like a fixed key is needed. I did this by accident on the ICC and the normal generated key "works" (though I'm not sure if that unlocked anything extra) but the Cluster tells me "Invalid key" so I'm doing another brute force scan. Apparently, this 2nd unlock request enables the write functions (which I've so far been unsuccessful in performing). |
||
This user likes this post: |
10-06-2021, 06:04 PM | #443 | ||
DIY Tragic
Join Date: Apr 2018
Location: Sydney, more than not. I hate it.
Posts: 22,354
|
So you’re getting closer to being able to fully “virginise” a cluster?
|
||
10-06-2021, 06:24 PM | #444 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
All I know is, there's some guy on ebay that can clone your cluster into another for $200. I assumed he reads the EEPROM, either by desoldering or via CAN messages, and programs up a new EEPROM. I tried that, I.E. the desoldering route, and the car starts and isn't immobilised, but when you stop the engine you need to reset the door locks using the ICC door lock button.
I've read a lot of data out of this test cluster (which has a copy of my EEPROM in it) and I can see two VIN numbers (mine and the old one)... So the flash memory in the V850 chip has that original VIN still. You can see where I'm going though. I want to replace any differing data with what I read out of mine (I have not read mine yet, but I will if I ever take the next step). I like your wording though |
||
10-06-2021, 06:31 PM | #445 | ||
DIY Tragic
Join Date: Apr 2018
Location: Sydney, more than not. I hate it.
Posts: 22,354
|
I think it comes from the French expression virginisé, really. The Peugeot/Citroën body modules were offered as “virginised” in addition to actually new units.
|
||
11-06-2021, 06:31 PM | #446 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
Well, I own a few (or more) ICC units (many more than the one Falcon I own) and the ones that "fit" I've recoded to my car using Forscan... That's the ACM module (radio/cd/amp). I "recorded" the CAN signals of two of them (this was 18 months ago - and I had no idea what to make of what I saw at the time) but I went back to check today...
Calibration - Reset Radio Code Error { 0x727, 8, { 0x02, 0x10, 0x87, 0x00, 0x00, 0x00, 0x00, 0x00 } }, // ........ { 0x72F, 8, { 0x02, 0x50, 0x87, 0x00, 0x00, 0x00, 0x00, 0x00 } }, // .P...... { 0x727, 8, { 0x02, 0x27, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00 } }, // .'...... { 0x72F, 8, { 0x05, 0x67, 0x01, 0xED, 0x16, 0xA0, 0x00, 0x00 } }, // .g...... { 0x727, 8, { 0x05, 0x27, 0x02, 0x45, 0xE0, 0x2D, 0x00, 0x00 } }, // .'.E.-.. { 0x72F, 8, { 0x02, 0x67, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00 } }, // .g...... { 0x727, 8, { 0x03, 0x22, 0xE2, 0x31, 0x00, 0x00, 0x00, 0x00 } }, // .".1.... { 0x72F, 8, { 0x07, 0x62, 0xE2, 0x31, 0x47, 0x28, 0x58, 0x00 } }, // .b.1G(X. { 0x727, 8, { 0x07, 0x2E, 0x82, 0x00, 0x26, 0x95, 0x00, 0x00 } }, // ....&... { 0x72F, 8, { 0x03, 0x6E, 0x82, 0x00, 0x00, 0x00, 0x00, 0x00 } }, // .n...... { 0x727, 8, { 0x03, 0x22, 0xD1, 0x00, 0x00, 0x00, 0x00, 0x00 } }, // ."...... { 0x72F, 8, { 0x04, 0x62, 0xD1, 0x00, 0x87, 0x00, 0x00, 0x00 } }, // .b...... { 0x727, 8, { 0x02, 0x10, 0x81, 0x00, 0x00, 0x00, 0x00, 0x00 } }, // ........ { 0x72F, 8, { 0x02, 0x50, 0x81, 0x00, 0x00, 0x00, 0x00, 0x00 } }, // .P...... 1087 = enter update mode 2701 = enter security mode 2702 45E02D = respond with the key to the requested seed 22E231 = read data by ID (I assume this is the model - both were the same though) 2E8200 26950000 = write data by ID (I assume this is the same for all MKII units to "virginise" them) 22D100 = read data by ID (what security mode are we in = 87) 1081 = exit update (87) mode And the secret 5 byte code is: Janis I know it is, because the other recording & security key decodes with that secret key - AND - I can see it in the Forscan dat file. FYI - Two of the ICC units I own drive the factory sub-woofer module, which is one good reason to own them (I also have a spare sub-woofer module, for that high-series spare ICC which isn't in my car). |
||
3 users like this post: |
11-06-2021, 09:22 PM | #447 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
|
||
16-06-2021, 09:04 PM | #448 | |||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
Quote:
Ok, so the ICC accepted the key generated from seed 00 00 00, but the Cluster didn't. Many attempts were made over many days (and program changes made also, mostly because the Cluster has some strange timing going on, so I needed a more chain like approach to guessing keys rather than timed based messages [I'll probably post a link to Fleetwood Mac's "The Chain" sometime] because I clocked the 3 byte key a couple of times without a match)... It struck me though, when it asks for the key to seed 00 00 00 - maybe I should send in the last key I used again. And that works, no more "Invalid key" error. But I'm not sure if it unlocks anything extra, yet. Interesting though, this little quirk, so I thought I'd post about it. Anyway, back to getting no-where with dumping the firmware on the Cluster (but, anyone who somehow already has the FG2 Cluster firmware, feel free to give it to me!!!). |
|||
4 users like this post: |
16-06-2021, 09:23 PM | #449 | ||
Regular Member
Join Date: Oct 2015
Posts: 240
|
How would you "get into" the cluster eeprom via CAN?
|
||
16-06-2021, 09:55 PM | #450 | ||
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,735
|
Good question, since I'm using a hot air desoldering station on my EEPROM...
https://mhhauto.com/Thread-Instrumen...g-with-VEDIAMO Enjoy reading through that link, and pages 12 & 13 talk about security and the 2nd request entering an even more secure mode, which is where I'm up to... So, I can't answer this, yet. |
||
This user likes this post: |