The Pub For General Automotive Related Talk
17-06-2021, 08:42 PM | #11
Away on leave
Join Date: Apr 2019
Location: ACT
Posts: 1,732
I thought I knew, but how wrong was I?
While probing the read-by-ID function (65K reads) in the Cluster, even before entering any special security mode, I got quite a few results: some binary bits and bytes, 2 VINs (mine from the reprogrammed EEPROM, and the original), and some that looked like Ford part numbers. I plugged the 4 part numbers I saw into the Ford "calibration files" download web page and [just] one gave me a result. I've now got the Cluster "vbf executable" firmware!

It has a text header that says Volvo along with quite a few other things. I removed the header (making the final binary file size what the text in the header said it should be) and, after checking what was left, to cut a slightly longer story short, noticed the last 2 bytes in the file were some sort of checksum. Had to remove those, then add back 2 bytes up front to match the correct file size again.

I had installed "Ghidra" and "Java 11"; made a new project, imported the binary file, selected options to say V850 code and that it loads at 0x15000 (the location is mentioned in the original vbf header), and it decompiles nicely! I can see the seed-key function (the value 0xC541A9, part of the algorithm, is a dead giveaway there). I can see the read-by-ID routine too. Some of those readable IDs (out of 65K) have a 3rd-byte sub-function though, so, oh, I don't have all the data I can possibly read yet. I was going to read the values out of my car tonight, but I'll hang off now until I can get them all. I do feel like I've just time-travelled about 3 months into the future though. (Incidentally, I plugged in the ICC part numbers I also got previously, but got NOTHING back at all!)
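A small parser for the container layout the post describes, added here as an example (it is not the poster's code): it splits the text header from the binary, walks the data blocks, reports each block's load address for Ghidra, and verifies the trailing 2-byte checksum. The block layout (4-byte big-endian address, 4-byte length, data, 2-byte CRC) and the CRC-16/CCITT-FALSE variant are assumptions, since the post only reports "some sort of checksum", and the sample file is constructed, not a real Ford/Volvo image.

```python
import struct

# CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). ASSUMPTION: the post only
# says "some sort of checksum"; this is the variant usually documented for VBF.
def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def split_header(blob: bytes):
    """Return (header_text, binary_payload). The text header ends at the brace
    that closes 'header {'; everything after that brace is binary."""
    start = blob.index(b"header")
    depth, i = 0, blob.index(b"{", start)
    while True:
        if blob[i] == ord("{"):
            depth += 1
        elif blob[i] == ord("}"):
            depth -= 1
            if depth == 0:
                break
        i += 1
    return blob[: i + 1].decode("ascii", errors="replace"), blob[i + 1 :]

def parse_blocks(binary: bytes):
    """Walk the payload as VBF-style data blocks (layout is an assumption):
    4-byte BE load address, 4-byte BE length, data, 2-byte CRC."""
    blocks, pos = [], 0
    while pos < len(binary):
        addr, length = struct.unpack_from(">II", binary, pos)
        if pos + 8 + length + 2 > len(binary):
            raise ValueError("truncated block at offset %d" % pos)
        data = binary[pos + 8 : pos + 8 + length]
        (stored,) = struct.unpack_from(">H", binary, pos + 8 + length)
        blocks.append({"addr": addr, "data": data, "crc_stored": stored,
                       "crc_ok": stored == crc16_ccitt(data)})
        pos += 8 + length + 2
    return blocks

# Constructed sample: a minimal text header plus one block that loads at
# 0x15000 (the address the post reports) carrying the bytes "123456789".
SAMPLE_VBF = (
    b'vbf_version = 2.2;\nheader {\n  sw_part_number = "EXAMPLE-PART-NO";\n'
    b"  ecu_address = 0x720;\n}"
    + struct.pack(">II", 0x15000, 9) + b"123456789" + struct.pack(">H", 0x29B1)
)

if __name__ == "__main__":
    hdr, payload = split_header(SAMPLE_VBF)
    for b in parse_blocks(payload):
        print("load at 0x%X, %d bytes, crc ok: %s" % (b["addr"], len(b["data"]), b["crc_ok"]))
```

Feed the address each block reports to Ghidra as the image base, rather than padding the file to a size; a failed CRC usually means the header boundary or the block layout was guessed wrong.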