-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Not an issue, Simos 18.4 question inside. #85
Comments
It will flash fine if it's unlocked, it's the same UDS protocol as any other Simos18 and the AES keys are already in the project, but I need to finish an unlocking patch. The big issue with doing so is that no commercial tool has bench/boot support. I made progress on making my Simos18_SBOOT project work, but FlexRay interfaces are expensive. I removed the unlocking patch I had written because I couldn't test it and had one report that it was buggy and caused a brick. Writing an unlock patch should be simple (it's virtually the same as Simos18.10 with some locations changed), but without the ability to recover, writing a working unlocking patch is an expensive and difficult testing proposition. |
Ohhh, I forgot about this ecu being FlexRay based. The ECU is OEM locked as of now. If I could be of any help then I would like to volunteer as a tester. Soldering or setting up raspberrypi based bench equipment is not a problem (gathering a FlexRay interface seems to be the main problem). Consider the "issue" closed. Thanks for your time and answer! |
Bitbox have a protocol for simos18 in Bootmode. |
I wanted to add to this in case other people stumble upon it and see "..had one report it was buggy.." and decide to give it a shot like I did. Long story short, the included 18.41 patch resulted in a brick for me as well. I figure I might as well add some additional information and raise some questions regarding SIMOS18.41 in case anyone has some thoughts or insight 🙂. Let me know if I should split this off into a new issue, or if there is a better forum for this discussion. I flashed the ECU from 8W0906259J_0002 to 80A906259F_0008 then attempted the unlock flash. Once it started flashing*, it ran to completion including the patched block, however the ECU never came back after the final reset (no comm). To me this sounds like the flash process is fine, however the resulting ASW was invalid and the ECU never makes it to a working CBOOT.
I'm planning on giving this a second shot soon, but I want to understand why it failed first to hopefully reduce my chances of making a second (or third) brick 🤞. So far, I've noticed a few differences about the sample flag / mode. For instance, SIMOS18.1 (and SIMOS18.10) uses the memory location b000218c (and b00035f0), where as SIMOS18.41 seems to have two memory locations b00035f0 (same as 18.10) and b00035f5 (!!!). I found these two locations by following the patch_cboot() logic found in patch_cboot.py and following the references in the two "set sample mode" functions. I'm hoping someone can shed some light on the difference between the two "set sample mode" functions in 18.1/.10 and why we patch both in patch_cboot() but only patch one in patchXXXX.bin. If only the 2nd function needs to be patched, why do we bother patching both in patch_cboot(). Given that SIMOS18.41 seems to use two separate flags, each set by one of the two functions, should we be patching both functions in patch_1841.bin? Or should we be patching the other function at 8080dc16 (so as to change b00035f0 as with SIMOS18.10)? My hunch is that this difference wouldn't cause a brick, maybe just a locked ECU. If anyone has any hintsor direction as to where to look next that would also be helpful! Thanks in advance, cheers! Some additional information:
|
Sorry for causing a brick. Thanks. I'll update the documentation and perhaps pull the patch for now.
One of these functions is in the flash bootloader and one is in the RAM bootloader. We only patch one in patchXXXX.bin because it is only necessary to patch the RAM bootloader in the patch, as that is what we are jumping into. Once we write the main bootloader into Flash, we patch both locations.
I agree, I doubt this is the actual problem. My suspicion is that the 18.41 patch was not injected into the correct place in Flash - that the series of |
No problem at all, all part of the process!
Ahh gotcha, that makes sense. Curious as to why 18.41 uses different memory locations for these two functions then. Still digging into this, hopefully I'll see something :)
That would make sense. I'll have a crack at that as well -- It will get a little expensive to blindly try all nop sleds |
I would start from the SBOOT side of things, as you mentioned checking all od the NOP sleds could get pretty expensive 😅 If @bri3d would be interested maybe we could setup some kind of donation for him to buy FlexRay interface and other required equipment. Just my two cents 🙂 |
Turns out there are only 3 nop sleds (ending with dsync), and the remaining 2 are both in ASW1*. Won't be too expensive to try them both. Edit: Current hook is in ASW1, there is 1 other in ASW1 Thinking I'll start with a simpler patch and just copy CBOOT as is with no patching |
I would usually identify the "correct" (for some definition) nop sled by the nearby presence of a |
But making SIMOS18_SBOOT work with FlexRay ECUs would enable brick recovery and would be useful when creating ASW code patches to recover said bricks. If @bri3d would be interested in pursuing the project I'm willing to be the lab rat 🙂 |
Would be nice to make use of my growing pile of paperweights 😅 I did find this, one of these days I'll hook up a logic analyser and do a bit of sniffing. Maybe we can just "bitbang" the protocol with a sufficiently fast MCU and appropriate transceiver |
Cheapest MCU FlexRay capable hardware which you can get is Devkit for 100GBP (It used to cost 50GBP before pandemic) It should be possible to get basic hardware setup from NXP by downloading their Autosar drivers and then digging out the C/CPP pieces for MPC5744 FlexRay setup. I also saw a Comma.ai repository in the past with MPC57xx implementing FlexRay, but can't find it anymore. Or here is the FlexRay based on FTDI MPSSE, no idea if it works I am working on the same problem. I have here Simos 18.4, Vector hardware, MPC5748 (with Ethernet), MPC5744 and TC1798 devkits, all have FlexRay. Currently I am stuck on the fact that I don't know following:
What is FIBEX for SBOOT? Is SBOOT able to coldstart FlexRay bus or not? |
@jared52005 check your email. Overall, I think getting the WriteWithoutErase/CBOOT exploit going on an ECU in a car (behind a gateway) would be an amazing help here. We can use the exploit and a custom diagnostic handler ("High Speed Logging" style patch) to dump things we're missing, like production SBOOT and especially the public keys from OTP. And, once we "unlock" an ECU in a car this way, we can dump the passwords from flash and get in via CAN BSL, so as long as we can get one ECU working we have an "unbrickable" test bench. |
Thank you, as I described in the email, it is more straightforward with little bit of math and you can use also bricked/immo locked ECUs. |
Have you been able to interact (log / listen) with the FlexRay bus of a running car / ECU? Or are the parameters for that unknown as well? Could they have just reused the same interface on SIMOS18.41 like they reused ISO-TP for other SIMOS18 SBOOT implementations? I would assume the CBOOT/ASW FlexRay parameters are available from the flash (Follow the ERAY registers) or just logging the vehicle bus with a logic analyser. |
If you have tools, you can listen to the FlexRay bus (baudrate is enough), see here https://github.com/jared52005/Monitor if you want to interact with FlexRay, you need to know the FIBEX. The FIBEX is different for each OEM manufacturer. FlexRay is configuration heavy and each ECU needs to know the length of the carousel in advance (aka, which FR cycle and in which timeslot of a cycle it should transmit and when it should be quiet). This configuration must be exactly same in each ECU in the system. That means that when you take ECU from BMW, it won't work with ECU from VAG, because the systems are different (slots, ECU counts) and thus configurations are different. This also means that setup from SBOOT and generic VAG FIBEX will be different too and applying a VAG FIBEX which can have N ECUs on SBOOT which was likely intended as 2 or 3 ECU network is not going to work. You can try to figure out VAG FIBEX from logs here: https://github.com/robbederks/q8_flexray_dumps It is much simpler, as you are hinting, to just take bootloader, let the emulator fill the registers and then just parse what is inside to get back FIBEX. |
That makes sense. Sounds like it is definitely easier to get the CBOOT exploit working then dumping / emulating a production SBOOT. |
Hi guys, |
Unfortunately, the current implementation doesn't work with Simos 18.4. and if you dig up the old S18.4 patch from previous commits it will brick your ECU :( If you had a working unlock patch (from where!?) I'm sure some of us would be interested in comparing it! |
Hello, first and foremost big thanks to all of you involved in this project!
I have a question about flashing Simos 18.4, as I have been reading and looking through commits I saw that 18.4 simos was removed from GUI and also from github description, but it is still referenced in readme.md. The methods provided and .frf files for unlock reference SCG and SC8 codes.
My ECU is 8W0906259D so SCB50S00 cboot according to the box_codes.csv provided.
I would like to ask as of today, is flashing of Simos 18.4 possible in any way?
The text was updated successfully, but these errors were encountered: