Wie viel kostet es, den Kilometerstand zu ändern oder in den Speicher des Dashboards zu gelangen?
Es gibt nur einen Weg, dies herauszufinden - es selbst zu versuchen.
Formulierung des Problems
, . Python CAN-USB . CAN-. , , OBDII-. .
:
CAN- . CAN- , .
— .
, . / :
- ( );
- ;
- ;
- (, Hyundai Kia, Mitsubishi Citroen ..)
, :
Hyundai Solaris 2013 ..
: 94003-4l715
. , 4 . CAN-, "" .
Ford Focus 3 2012 ..
: BM5T-10849-BAE
. , CAN-.
Mitsubishi Lancer X 2008 ..
: 8100A117A
Mitsubishi, Citroen Peugeout. , , .
, .
, . : KWP2000 (Keyword Protocol 2000) UDS (Unified Diagnostic Services). KWP2000, UDS, . :
- ;
- / ;
- / ;
- ;
- .
, , , .
: . , — . CAN -. :
. , . / .
. , "" .
, .
, , :
- ;
- (, , ..);
- (0x01, 0x03, 0x05 ..);
- (/ , ..)
.
Python-:
- python-udsoncan ( , );
- python-can-isotp ( ISO 15765-2, 8 );
- python-can (API CAN-).
:
- ;
- + ;
- , CAN ;
- UDS-.
, . Python CAN-USB . , , CAN- .
: , , flow-control . , CAN- , , . , , - real-time .
, , caringcaribou, python-can.
CAN-USB, , , . , Vector VN1610 VN1611, Lawicel.
, c COM-, CAN- . , "CAN-USB stm32vldiscovery" .
, 12 . , CAN.
Hyundai Solaris
:
CAN:
: Solaris 4 , A, B, C, D.
:
:
, .
- , 0x03 UDS, 0x85 0x90 KWP2000.
, , , . , .
KWP2000 UDS ReadMemoryByAddress
(0x23), . KWP2000 :
Byte # | Value | Parameter |
---|---|---|
0 | 23 | Service ID |
1-3 | XX | memoryAddress[3] |
4 | XX | memorySize |
, ID , . memoryIdentifier
, (EEPROM, flash), 16 .
UDS:
Byte # | Value | Parameter |
---|---|---|
0 | 23 | Service ID |
1 | XX | addressAndLengthFormatIdentifier |
~ | XX | memoryAddress[] |
~ | XX | memorySize[] |
, addressAndLengthFormatIdentifier
, memorySize
, — memoryAddress
. , 32- memoryAddress
16- memorySize
24. memoryIdentifier
.
, , . , , . , , . , :
Byte # | Value | Parameter |
---|---|---|
0 | 23 | Service ID |
1-4 | XX | memoryAddress[4] |
5 | XX | memorySize[2] |
: , KWP2000, addressAndLengthFormatIdentifier
UDS . , : 0x00 - ( ):
TX: <7C6> (8) 07 23 00 00 00 00 00 04
RX: <7CE> (8) 05 63 80 07 00 07 00 00
0x04 EEPROM.
TX: <7C6> (8) 07 23 04 00 00 00 00 04
RX: <7CE> (8) 05 63 0d a8 00 00 00 00
import can
import isotp
import logging
import time
import argparse
def process_stack_receive(stack, timeout=1):
t1 = time.time()
while time.time() - t1 < timeout:
stack.process()
if stack.available():
break
time.sleep(stack.sleep_time())
return stack.recv()
def process_stack_send(stack, timeout=1):
t1 = time.time()
while time.time() - t1 < timeout:
stack.process()
if not stack.transmitting():
break
time.sleep(stack.sleep_time())
def my_error_handler(error):
logging.warning('IsoTp error happened : %s - %s' % (error.__class__.__name__, str(error)))
def print_frame(frame):
if frame:
print(''.join(format(x, '02x') for x in frame))
else:
print("None")
bus = can.interface.Bus(bustype='slcan',
channel="COM3",
ttyBaudrate=115200,
bitrate=500000)
addr = isotp.Address(isotp.AddressingMode.Normal_11bits, rxid=0x7ce, txid=0x7c6)
stack = isotp.CanStack(bus, address=addr, error_handler=my_error_handler, params = {'tx_padding':0})
parser = argparse.ArgumentParser()
parser.add_argument("-e", "--eeprom", help="read EEPROM", action="store_true")
parser.add_argument("-f", "--flash", help="read Flash", action="store_true")
args = parser.parse_args()
if args.eeprom:
for addr in range(0x00000000, 0x000007ff, 0x10):
addr0 = (addr >> 0) & 0xff
addr1 = (addr >> 8) & 0xff
array = [0x23, 0x04, 0x00, addr1, addr0, 0x00, 0x10]
stack.send(bytearray(array))
process_stack_send(stack)
print_frame(process_stack_receive(stack))
if args.flash:
for addr in range(0x00000000, 0x0003ffff, 0x10):
addr0 = (addr >> 0) & 0xff
addr1 = (addr >> 8) & 0xff
addr2 = (addr >> 16) & 0xff
array = [0x23, 0x00, addr2, addr1, addr0, 0x00, 0x10]
stack.send(bytearray(array))
process_stack_send(stack)
print_frame(process_stack_receive(stack))
bus.shutdown()
, -? WriteMemoryByAddress
(0x3d) , , — . :
Byte # | Value | Parameter |
---|---|---|
0 | 3d | Service ID |
1-4 | XX | memoryAddress[4] |
5-N | XX | dataRecord |
memorySize
, .
. - 0x7d, :
TX: <7C6> (8) 06 3d 00 00 00 00 81 00
RX: <7CE> (8) 01 7d 00 00 00 00 00 00
TX: <7C6> (8) 07 23 00 00 00 00 00 04
RX: <7CE> (8) 05 63 80 07 00 07 00 00
, .. .
EEPROM :
TX: <7C6> (8) 06 3d 04 00 00 00 0e 00
RX: <7CE> (8) 01 7d 00 00 00 00 00 00
TX: <7C6> (8) 07 23 04 00 00 00 00 04
RX: <7CE> (8) 05 63 0e a8 00 00 00 00
0x0d 0x0e.
, : .
EEPROM . : , 1 , EEPROM . CAN-, . , , : , .
, 1 , :
EEPROM 0x20? .
"" 23 :
:
- 64
- p =
- 2 :
- :
0,1 | 2,3 | 4,5 | 6,7 | 8,9 | A,B | C,D | E,F |
---|---|---|---|---|---|---|---|
-0x01 | -0x02 | -0x04 | -0x08 | -0x10 | -0x20 | -0x40 | -0x80 |
, .
, 64890 , :
[13, F8, 27, F0, 4F, E0, 9F, C0, 3F, 81, 7F, 02, FE, 04, FC, 09]
[F8, 13, F0, 27, E0, 4F, C0, 9F, 81, 3F, 02, 9F, 05, 3E, 0A, 7C]
[13, F8, 27, F0, 4F, E0, 9F, C0, 3F, 81, 7F, 02, FE, 04, FC, 09]
[F8, 13, F0, 27, E0, 4F, C0, 9F, 81, 3F, 02, 9F, 05, 3E, 0A, 7C]
0- 2- :
[F8, 13, F0, 27, E0, 4F, C0, 9F, 81, 3F, 02, 7F, 04, FE, 09, FC]
[F8, 13, F0, 27, E0, 4F, C0, 9F, 81, 3F, 02, 9F, 05, 3E, 0A, 7C]
[F8, 13, F0, 27, E0, 4F, C0, 9F, 81, 3F, 02, 7F, 04, FE, 09, FC]
[F8, 13, F0, 27, E0, 4F, C0, 9F, 81, 3F, 02, 9F, 05, 3E, 0A, 7C]
FF, :
[07, EC, 0F, D8, 1F, B0, 3F, 60, 7E, C0, FD, 80, FB, 01, F6, 03]
[07, EC, 0F, D8, 1F, B0, 3F, 60, 7E, C0, FD, 60, FA, C1, F5, 83]
[07, EC, 0F, D8, 1F, B0, 3F, 60, 7E, C0, FD, 80, FB, 01, F6, 03]
[07, EC, 0F, D8, 1F, B0, 3F, 60, 7E, C0, FD, 60, FA, C1, F5, 83]
, 2- :
[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD80, FB01, F603]
[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD60, FAC1, F583]
[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD80, FB01, F603]
[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD60, FAC1, F583]
:
[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD80, 1FB00, 3F600]
[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD60, 1FAC0, 3F580]
[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD80, 1FB00, 3F600]
[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD60, 1FAC0, 3F580]
, ; , :
[07EC, 07EC, 07EC, 07EC, 07EC, 07EC, 07EC, 07EC]
[07EC, 07EC, 07EC, 07EC, 07EC, 07EB, 07EB, 07EB]
[07EC, 07EC, 07EC, 07EC, 07EC, 07EC, 07EC, 07EC]
[07EC, 07EC, 07EC, 07EC, 07EC, 07EB, 07EB, 07EB]
, FD7A (64890).
, EEPROM :
!
Ford Focus 3
:
CAN:
: Focus 2 CAN-: MS (Medium Speed) MM (Multimedia). MS CAN.
:
:
, UDS . 0x01 , 0x02 0x03 . ReadMemoryByAddress
/WriteMemoryByAddress
, DID ReadDataByIdentifier
.
DID, , DID 0x61BB 3-, :
RX: <720> (8) 03 22 61 bb 00 00 00 00
RX: <728> (8) 06 62 61 bb 00 e9 20 00
WriteDataByIdentifier
, 0x03.
. "" 3 , . , Beneath the Bonnet: a Breakdown of Diagnostic Security Adventures in Automotive Networks and Control Units.
0x03, , 1 :
RX: <720> (8) 02 10 03 00 00 00 00 00
RX: <728> (8) 06 50 03 00 32 01 f4 00
RX: <720> (8) 02 27 03 00 00 00 00 00
RX: <728> (8) 05 67 03 XX XX XX 00 00
RX: <720> (8) 05 27 04 XX XX XX 00 00
RX: <728> (8) 02 67 04 00 00 00 00 00
RX: <720> (8) 06 2e 61 bb 00 e9 21 00
RX: <728> (8) 03 6e 61 bb 00 00 00 00
, :
RX: <720> (8) 03 22 61 bb 00 00 00 00
RX: <728> (8) 06 62 61 bb 00 e9 21 00
. ?.. :
RX: <720> (8) 02 10 03 00 00 00 00 00
RX: <728> (8) 06 50 03 00 32 01 f4 00
RX: <720> (8) 02 27 03 00 00 00 00 00
RX: <728> (8) 05 67 03 XX XX XX 00 00
RX: <720> (8) 05 27 04 XX XX XX 00 00
RX: <728> (8) 02 67 04 00 00 00 00 00
RX: <720> (8) 06 2e 61 bb 00 e9 20 00
RX: <728> (8) 03 7f 2e 31 00 00 00 00
0x31 requestOutOfRange
, . , .
, reprogrammingSession
. , Ford . , . EEPROM?
(Secondary Bootloader) : SBL , SBL, / - . :
Ford VBF Volvo Binary Format. : , ; .
SBL :
DiagnosticSessionControl
: 0x02;SecurityAccess
: e 0x01;RequestDownload
: 0x03ff0000 ( ), VBF-;TransferData
: ;RequestTransferExit
: ;RoutineControl
: 0x0301, SBL.
- : RequestUpload
RequestDownload
.
import can
import isotp
import time
import binascii
from udsoncan.connections import PythonIsoTpConnection
from udsoncan.client import Client
from udsoncan import Response, MemoryLocation, DataFormatIdentifier
from ford_glfsr import calculate_key
download_payload_size = 0xc8
upload_payload_size = 0x20
def my_error_handler(error):
logging.warning('IsoTp error happened : %s - %s' % (error.__class__.__name__, str(error)))
bus = can.interface.Bus(bustype='slcan',
channel="COM3",
ttyBaudrate=115200,
bitrate=125000)
tp_addr = isotp.Address(isotp.AddressingMode.Normal_11bits, txid=0x720, rxid=0x728)
stack = isotp.CanStack(bus=bus,
address=tp_addr,
params = {'tx_padding':0},
error_handler=my_error_handler)
conn = PythonIsoTpConnection(stack)
# wake up the IPC
ping_msg = can.Message(arbitration_id=0x080,
data=[0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00],
is_extended_id=False)
bus.send(ping_msg)
time.sleep(0.2)
with Client(conn) as client:
# TesterPresent
client.tester_present()
# ChangeSession
client.change_session(0x02)
time.sleep(0.3)
# SecurityAccess
response = client.request_seed(0x01)
seed_int = int.from_bytes(response.service_data.seed, "little")
key_int = calculate_key(seed_int, 0x01)
key_bytes = key_int.to_bytes(3, byteorder="big")
client.send_key(0x01, key_bytes)
# RequestDownload
memloc = MemoryLocation(address=0x03ff0000,
memorysize=0x54d4,
address_format=32,
memorysize_format=32)
dfi = DataFormatIdentifier(compression=0, encryption=0)
client.request_download(memory_location=memloc, dfi=dfi)
# TransferData
f = open("BM5T-14C025-AD.bin", "rb")
ipc_sbl = f.read()
f.close()
end_block = 0x6d # memorysize/upload_payload_size
print("DOWNLOAD END BLOCK:", (hex(end_block)))
# sequence should start with "0x01", not "0x00"
for block_num in range(0x01, end_block + 0x01):
print(hex(block_num))
start_i = (block_num - 0x01) * download_payload_size
end_i = start_i + download_payload_size
client.transfer_data(block_num, ipc_sbl[start_i:end_i])
# TransferExit
client.request_transfer_exit()
# StartRoutine
client.start_routine(0x0301, data = b'\x03\xff\x00\x00')
# RequestUpload
memloc = MemoryLocation(address=0x00007000,
memorysize=0x000f9000,
address_format=32,
memorysize_format=32)
dfi = DataFormatIdentifier(compression=0, encryption=0)
client.request_upload(memory_location=memloc, dfi=dfi)
upload_result = bytearray()
end_block = 0x7c80 # memorysize/upload_payload_size
print("UPLOAD END BLOCK:", (hex(end_block)))
# sequence should start with "0x01", not "0x00"
for block_num in range(0x01, end_block + 0x01):
print(hex(block_num))
response = client.transfer_data(block_num % 0x100)
upload_result.extend(response.service_data.parameter_records)
f = open("flash_dump.bin", "wb")
f.write(upload_result)
f.close()
# TransferExit
try:
client.request_transfer_exit()
except:
pass
# ECUReset
client.ecu_reset(1)
, , SBL EEPROM. SBL, . — . ?
, DID , ; EEPROM, , , . , . - .
: - 4294967 .
"" , . , "nop":
, :
TX: <720> (8) 02 10 03 00 00 00 00 00
RX: <728> (8) 06 50 03 00 32 01 f4 00
TX: <720> (8) 02 27 03 00 00 00 00 00
RX: <728> (8) 05 67 03 XX XX XX 00 00
TX: <720> (8) 05 27 04 XX XX XX 00 00
RX: <728> (8) 02 67 04 00 00 00 00 00
TX: <720> (8) 03 22 61 bb 00 00 00 00
RX: <728> (8) 06 62 61 bb 01 e2 40 00
TX: <720> (8) 06 2e 61 bb 01 38 d5 00
RX: <728> (8) 03 6e 61 bb 00 00 00 00
TX: <720> (8) 03 22 61 bb 00 00 00 00
RX: <728> (8) 06 62 61 bb 01 38 d5 00
, :
, , .
, , . , .
, GIMP raw- , , . (), "/ 1 ", .
16 , ( 1, 2, 3, 4, 5, 6). Ford, . , , , . :
? F Ford. , :
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 FC 00 FE 00 FF 80 E3 80 C1 C0 C0 40 C0 60 E0 60 E0 20 70 30 18 30 00 30 00 30 00 30 80 30 C0 20 F0 60 38 60 1C 60 0C 60 06 60 03 C0 C1 C0 20 C0 20 C0 C0 C0 00 C0 01 C0 01 80 01 80 01 80 03 80 03 80 03 80 07 80 07 80 07 80 07 80 0F 80 0F 80 0F 80 07 80 07 80 07 80 03 80 03 C0 01 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 C0 00 C0 00 C0 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 00 7E 00 FF 80 FF C0 E1 E0 C0 70 C0 30 80 10 80 00 80 01 C0 01 C0 03 E0 03 F0 01 F0 11 78 08 3C 04 1F 84 0F C4 07 E4 01 FE 80 3F C0 0F E0 07 78 03 FC 02 FF 82 CF C2 03 C2 01 E2 00 63 00 66 00 29 80 00 80 40 E0 60 F8 C0 7F C0 1F 00 06 00 07 80 83 C0 E1 E0 F0 60 FC 70 3E F0 1F E0 07 80 0F 80 39 C0 70 E0 70 F0 31 F0 31 E0 19 00 FC 00 FE 00 FF 80 1F 80 07 C0 01 E0 00 E0 00 70 80 70 C0 E0 E0 E0 FF 80 7F 80 3F E0 0F F0 07 FC 80 7E C0 1F E0 0F 60 03 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 03 00 03 00 07 00 07 00 07 00 07 00 03 00 03 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 00 00 01 00 03 00 07 00 07 00 07 00 07 00 07 00 03 00 03 00 03 00 01 00 00 00 00 00 00 00 04 00 07 00 07 00 07 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 07 00 0F 00 0E 00 0E 00 0E 00 06 00 07 00 03 00 07 00 0F 00 0F 00 0C 00 0C 00 06 00 07 00 03 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
, 114x48 , 6 , GIMP. , :
.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FC 00 FC 00 FC 00 FC 00 FC 00 FC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FC 00 FC 00 FC 00 FC 00 FC 00 FC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF F0 01 F8 00 7C 00 7C 00 FC 00 FC 01 FC FF FC FF F8 FF F0 FF E0 FF C0 FF 00 00 00 00 00 00 00 3C 80 FF C0 FF E0 FF F0 FF F8 FF F8 C3 F8 81 F8 00 F8 00 F8 00 F8 00 F0 81 E0 C3 F8 FF F8 FF F8 FF F8 FF F8 FF 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF E0 C3 F0 81 F8 00 F8 00 F8 00 F8 00 F8 81 F8 C3 F8 FF F0 FF E0 FF C0 FF 80 FF 00 3C 00 00 00 00 00 00 F8 FF F8 FF F8 FF F8 FF F8 FF F8 FF E0 03 F0 01 F8 00 78 00 7C 00 FC 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 00 00 00 00 00 00 00 00 00 00 00 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 00 00 00 00 00 00 00 00 01 00 03 00 07 00 0F 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 0F 00 07 00 1F 00 1F 00 1F 00 1F 00 1F 00 00 00 00 00 00 00 00 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 07 00 0F 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 0F 00 07 00 03 00 01 00 00 00 00 00 00 00 00 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Mitsubishi Lancer X
:
: , .. .
CAN:
:
:
, : . . 2000-, KWP2000 DaimlerChrysler-Mitsubishi, Dodge, Chrysler, Jeep, Mitsubishi, Mercedes-Benz Smart. , .
— defaultSession
, , . , . extenedDiagnosticSession
, . ReadDataByLocalIdentifier
.
, .. ReadDataByLocalIdentifier
0xFF , ReadDataByIdentifier
0xFFFF.
DID 0xAD :
TX: <6A0> (8) 02 21 ad 00 00 00 00 00
RX: <514> (8) 05 61 ad d0 18 03 00 00
WriteDataByLocalIdentifier
1 , :
TX: <6A0> (8) 05 3b ad d1 18 03 00 00
RX: <514> (8) 03 7f 3b 12 00 00 00 00
0x12 "Sub Function Not Supported" — , .
: , ? , . " OBD ", Mitsubishi . , , (0x01, 0x07 0x09). :
TX: <6A0> (8) 02 10 92 00 00 00 00 00
RX: <514> (8) 02 50 92 d0 18 03 1e 00
TX: <6A0> (8) 02 27 01 00 00 00 00 00
RX: <514> (8) 06 67 01 XX XX XX XX 00
TX: <6A0> (8) 06 27 02 XX XX XX XX 00
RX: <514> (8) 03 67 02 34 1c ad 4f 00
TX: <6A0> (8) 02 27 07 00 00 00 00 00
RX: <514> (8) 06 67 07 XX XX XX XX 00
TX: <6A0> (8) 06 27 08 XX XX XX XX 00
RX: <514> (8) 03 67 08 34 36 74 26 00
TX: <6A0> (8) 02 27 09 00 00 00 00 00
RX: <514> (8) 06 67 09 XX XX XX XX 00
TX: <6A0> (8) 06 27 0a XX XX XX XX 00
RX: <514> (8) 03 67 0a 34 9f 1f f5 00
TX: <6A0> (8) 05 3b ad d1 18 03 00 00
RX: <514> (8) 03 7f 3b 12 9f 1f f5 00
. , , - . - ?
, . , , OBDII . , .
, : ECUFlashReprogrammingSession
(0x85) , .
EEPROM, , .
, , - - .
, Mitsubishi , KWP2000 UDS , :
KWP2000 DaimlerChrysler-Mitsubishi, "" KWP2000 UDS 2006 .
, , . , , : DisableNormalMessageTransmission
/ EnableNormalMessageTransmission
CommunicationControl
. StartRoutineByLocalIdentifier
/ StopRoutineByLocalIdentifier
/ RequestRoutineResultsByLocalIdentifier
, RoutineControl
.
, , KWP2000 StartDiagnosticSession
, StopDiagnosticSession
. , , ISO 14230-3, StartDiagnosticSession
0x81.
, AccessTimingParameter
, SecuredDataTransmission
, LinkControl
.
— ReadECUIdentification
, : VIN, .. UDS ReadDataByIdentifier
, DID 0xF1. VIN KWP2000 0x1A90, UDS — 0x22F190. , , .
, — , EEPROM. , , . , .
, , UDS 14229-1:2020, Authentication
(0x29) . IoT , verschiedene Schutzmechanismen wie sicherer Start, Anti-Rollback-Firmware usw.
Es ist also wahrscheinlich, dass es 10 Jahre später schwieriger wird, einen ähnlichen Trick auszuführen.