Sniffing Mems 2J


23 replies to this topic

#16 jamesportman

jamesportman

    Just On Tickover

  • Noobies
  • Pip
  • 7 posts
  • Location: MCR

Posted 23 May 2020 - 10:49 AM

Just to say that I will pick this up and try to get it working,

I have working code for MEMS 1.3, 1.6, 1.9 and partially for MEMS 3 ECUs so far..

 

I think the part you are missing is ISO 14229

0x27 is "Security Access" - it is trying to authenticate with the ECU,

 

27 01 is asking for the "seed"

67 01 is the ECU replying

then 27 02 is the device replying with a "key" which must be correct.

 

There will be some secret way to convert from the seed to a viable key, it could be brute forced but there will be 65535 possible combinations..

Hopefully it's something easy since these are old ECUs...
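
The exchange described in the post above, as an added example that is not part of the original thread: a tracker that follows a sniffed capture through seed request (27 01), seed reply (67 01), key (27 02) and the ECU's verdict. The 2-byte big-endian seed and key, the 67 02 and 7F 27 reply forms (the usual ISO 14229 positive and negative responses), payloads that start at the service id, and all names and sample bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { SA_IDLE, SA_SEED_REQUESTED, SA_SEED_GIVEN, SA_KEY_SENT,
               SA_UNLOCKED, SA_REJECTED } sa_state;
typedef struct { sa_state state; uint16_t seed, key; uint8_t nrc; } sa_session;
typedef struct { uint8_t len; uint8_t bytes[4]; } frame;

/* Feed one payload, starting at the service id, and return the new state.
   The 2-byte big-endian seed and key layout is an assumption. */
sa_state sa_feed(sa_session *s, const uint8_t *p, size_t n)
{
    if (n >= 3 && p[0] == 0x7F && p[1] == 0x27) {        /* negative response */
        s->nrc = p[2];
        s->state = SA_REJECTED;
    } else if (n >= 2 && p[0] == 0x27 && p[1] == 0x01) { /* tester asks for seed */
        s->state = SA_SEED_REQUESTED;
    } else if (n >= 4 && p[0] == 0x67 && p[1] == 0x01 && s->state == SA_SEED_REQUESTED) {
        s->seed = (uint16_t)((p[2] << 8) | p[3]);        /* ECU returns the seed */
        s->state = SA_SEED_GIVEN;
    } else if (n >= 4 && p[0] == 0x27 && p[1] == 0x02 && s->state == SA_SEED_GIVEN) {
        s->key = (uint16_t)((p[2] << 8) | p[3]);         /* tester sends the key */
        s->state = SA_KEY_SENT;
    } else if (n >= 2 && p[0] == 0x67 && p[1] == 0x02 && s->state == SA_KEY_SENT) {
        s->state = SA_UNLOCKED;                          /* ECU accepted the key */
    }
    return s->state;
}

/* Run a whole capture through the tracker and return the final state. */
sa_state sa_run(sa_session *s, const frame *f, size_t count)
{
    for (size_t i = 0; i < count; i++)
        sa_feed(s, f[i].bytes, f[i].len);
    return s->state;
}

/* Constructed captures: seed and key values are made up; 0x35 = invalidKey. */
const frame TRACE_OK[4]  = { {2, {0x27, 0x01}}, {4, {0x67, 0x01, 0x12, 0x34}},
                             {4, {0x27, 0x02, 0xAB, 0xCD}}, {2, {0x67, 0x02}} };
const frame TRACE_BAD[4] = { {2, {0x27, 0x01}}, {4, {0x67, 0x01, 0x12, 0x34}},
                             {4, {0x27, 0x02, 0x00, 0x00}}, {3, {0x7F, 0x27, 0x35}} };

int main(void)
{
    sa_session s = {0};
    sa_state end = sa_run(&s, TRACE_OK, 4);
    printf("state %d seed %04X key %04X\n", end, (unsigned)s.seed, (unsigned)s.key);
}
```

Frames that arrive out of order, such as a 67 02 with no key sent first, leave the state unchanged, so a truncated capture is not reported as an unlock.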



#17 kangaroomadman

kangaroomadman

    Stage One Kit Fitted

  • Noobies
  • PipPipPip
  • 66 posts
  • Location: Southampton

Posted 23 May 2020 - 12:16 PM

That’s exactly where I got stuck! I tried to work it out but couldn’t and then life took over!

If we can get past this hurdle then I’ll try and find some time to continue to assist.

#18 jamesportman

jamesportman

    Just On Tickover

  • Noobies
  • Pip
  • 7 posts
  • Location: MCR

Posted 26 May 2020 - 09:22 PM

Well I got it partly working.

I'm just not sure about some of the data/values you posted.

I just have an ECU on the bench so no sensors connected, but even so, it's not behaving the same as some older and newer ECUs..

Here are the ones I tried with comments:

 

IAT - always shows as 0, other ECUs normally show 35 degrees with sensor unplugged

MAP - flipping back and forward between (approx) 1300 then 10,000

TPS - always 64834 which is about 99% of what it could go up to - probably right with sensor unplugged

RPM - always 0 - probably right

O2 voltage - always 10,000, other ECUs default to 435 or 440 mv, does 10,000 mean 500mv?

Battery voltage is spot on - 12.26v



#19 kangaroomadman

kangaroomadman

    Stage One Kit Fitted

  • Noobies
  • PipPipPip
  • 66 posts
  • Location: Southampton

Posted 27 May 2020 - 07:17 AM

Good work!

 

I'm confident I have the correct command bytes from my analysis of the ACR4 requests. The conversion of data needs calculating.

 

Whilst I was testing, I put together a list of hex values and their displayed values on the ACR4 in my simulator code (but never got around to committing it):

    // ???
    {0x00, 20U},
    // ECT
    {0x01, 2U},
    // Oil temperature
    {0x02, 2U},
    // IAT
    // 0x0000 = -273
    // 0x000A = -272
    // 0x0014 = -271
    // 0x0064 = -263
    // 0x00C8 = -253
    // 0x0AF9 = 7
    // 0x0AAA = 0
    {0x03, 2U},
    // Fuel rail temperature
    {0x05, 2U},
    {0x06, 10U}, // ???
    // MAP Sensor
    // 0x00 = 0
    // 0x0A = 0.1
    // 0x14 = 0.2
    // 0x3E8 = 10
    // 0x2710 = 100.0
    {0x07, 2U},
    // Throttle position
    // 0x00 = 0
    // 0x0A = 0.1
    // 0x14 = 0.2
    // 0x64 = 1.0
    // 0x1C2 = 4.5
    // 0x1194 = 45.0
    {0x08, 2U},
    // RPM
    // 0x000A = 10
    // 0x0064 = 100
    // 0x09C4 = 2500
    {0x09, 2U},
    // O2 volts bank 1
    // 0x00000000 = 0.00
    // 0x0000000A = 0.01
    // 0x00000064 = 0.10
    // 0x000000FF = 0.26
    // 0x00000FA0 = 4.00
    {0x0A, 4U},
    // Coil 1 charge time (Is this also coil 2?)
    // 0x00 = 0.00, 0.00
    // 0x01 = 0.00, 0.00
    // 0x0A = 0.01, 0.00
    // 0x64 = 0.10, 0.00
    // 0x6464 = 25.7, 0.00
    // 0xFFFF = -0.00, 0.00
    // 0x7FFF = 32.77, 0.00
    {0x0B, 2U},
    // Injector 2 pulse width (Is this also injector 4?)
    {0x0C, 2U},
    // Status (Throttle Switch = Bit 2)
    {0x0F, 2U},
    // Battery volts
    // 0x00 = 0.0
    // 0x0A = 0.0
    // 0x64 = 0.1
    // 0xC8 = 0.2
    // 0x3458 = 13.4
    {0x10, 2U},
    // Status (CAM = Bit 2, Crank Sync = Bit 3, Also ignition switch?? and air con req?)
    {0x11, 2U},
    // Stepper position
    // 0x00 = 0
    // 0x0A = 5
    // 0x14 = 10
    // 0x42 = 33
    {0x12, 2U},
    // F/Back bank 1
    {0x13, 2U},
    // Error codes
    // 0x00000001 = 06 M.A.P. SENSOR CIRCUIT, LOGGED, SENSOR OUTPUT VOLTAGE TOO LOW.
    // 0x00000002 = 07 INLET AIR TEMPERATURE SENSOR CIRCUIT, LOGGED, SENSOR OUTPUT VOLTAGE TOO LOW.
    // 0x00000004 = 08 THROTTLE POTENTIOMETER CIRCUIT, LOGGED, SENSOR OUTPUT VOLTAGE TOO LOW.
    // 0x00000008 = No errors
    // 0x00000010 = 09 O2 SENSOR 1 CIRCUIT, LOGGED, SENSOR OUTPUT VOLTAGE TOO LOW.
    // 0x00000020 = No errors
    // 0x00000040 = No errors
    // 0x00000080 = 11 BATTERY VOLTAGE, LOGGED, SENSOR OUTPUT VOLTAGE TOO LOW.
    // 0x00000100 = 01 E.C.M. SUPPLY, CAN BE TRIGGERED BY DISCONNECTING E.C.M, LOGGED, SENSOR OUTPUT VOLTAGE TOO LOW.
    // 0x00000200 = No errors
    // 0x00000400 = 02 COOLANT TEMPERATURE SENSOR CIRCUIT, LOGGED, SENSOR OUTPUT VOLTAGE TOO LOW.
    // 0x00000800 = No errors
    // 0x00001000 = No errors
    // 0x00002000 = 05 SENSOR SUPPLY CIRCUIT, LOGGED, SENSOR OUTPUT VOLTAGE TOO LOW.
    // 0x00004000 = No errors
    // 0x00008000 = No errors
    // 0x00010000 = No errors
    // 0x00020000 = No errors
    // 0x00040000 = No errors
    // 0x00080000 = No errors
    // 0x00100000 = No errors
    // 0x00200000 = No errors
    // 0x00400000 = No errors
    // 0x00800000 = No errors
    // 0x01000000 = No errors
    // 0x02000000 = No errors
    // 0x04000000 = No errors
    // 0x08000000 = No errors
    // 0x10000000 = No errors
    // 0x20000000 = No errors
    // 0x40000000 = No errors
    // 0x80000000 = No errors
    {0x19, 4U},
    // REQRD.CAM PER (also MEASD.CAM PER?)
    {0x25, 2U}

The first value is the command byte, and the second is the number of bytes returned from the ECU. Comments show the mapping of some byte values to displayed measurements.

 

What was the seed/key algorithm in the end?
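
An added example, not part of the original post or the simulator code: a decoder that turns raw replies into displayed values using scale factors inferred from the hex/display pairs in the comments above, plus the error-code bitmask from command 0x19. Big-endian reply bytes, the `div`/`offset` model and all function and table names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Command byte, reply length and scaling inferred from the comment pairs in the
   post: displayed = raw / div + offset. Big-endian reply bytes are an assumption. */
typedef struct { uint8_t cmd, len; double div, offset; } channel;

static const channel CHANNELS[] = {
    {0x03, 2, 10.0, -273.0},  /* IAT:           0x0AAA -> 0     */
    {0x07, 2, 100.0, 0.0},    /* MAP:           0x2710 -> 100.0 */
    {0x08, 2, 100.0, 0.0},    /* Throttle:      0x1194 -> 45.0  */
    {0x09, 2, 1.0, 0.0},      /* RPM:           0x09C4 -> 2500  */
    {0x0A, 4, 1000.0, 0.0},   /* O2 volts:      0x0FA0 -> 4.00  */
    {0x10, 2, 1000.0, 0.0},   /* Battery volts: 0x3458 -> 13.4  */
    {0x12, 2, 2.0, 0.0},      /* Stepper:       0x42   -> 33    */
};

/* Decode one reply; returns 0 on success, -1 for unknown command or wrong length. */
int decode_channel(uint8_t cmd, const uint8_t *data, size_t n, double *out)
{
    for (size_t i = 0; i < sizeof CHANNELS / sizeof CHANNELS[0]; i++) {
        if (CHANNELS[i].cmd != cmd) continue;
        if (n != CHANNELS[i].len) return -1;
        uint32_t raw = 0;
        for (size_t b = 0; b < n; b++) raw = (raw << 8) | data[b];
        *out = raw / CHANNELS[i].div + CHANNELS[i].offset;
        return 0;
    }
    return -1;
}

/* Fault number for bits 0..13 of the 0x19 reply; 0 where the post lists "No errors". */
static const uint8_t FAULT_BY_BIT[14] = {6, 7, 8, 0, 9, 0, 0, 11, 1, 0, 2, 0, 0, 5};

/* Write the fault numbers set in mask to out (room for 8); return the count. */
size_t decode_faults(uint32_t mask, uint8_t *out)
{
    size_t count = 0;
    for (unsigned bit = 0; bit < 14; bit++)
        if (((mask >> bit) & 1u) && FAULT_BY_BIT[bit])
            out[count++] = FAULT_BY_BIT[bit];
    return count;
}

int main(void)
{
    const uint8_t batt[] = {0x34, 0x58};  /* constructed reply to command 0x10 */
    double v = 0;
    if (decode_channel(0x10, batt, sizeof batt, &v) == 0) printf("battery %.1f V\n", v);
}
```

Rejecting a reply whose length differs from the table keeps a misaligned or truncated capture from being decoded as a plausible-looking reading.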



#20 jamesportman

jamesportman

    Just On Tickover

  • Noobies
  • Pip
  • 7 posts
  • Location: MCR

Posted 27 May 2020 - 07:46 AM

It might be a bit slow asking for all of those bits of data individually,

the older ECUs have 2x large data packets with a load of stuff in each, I would guess that's probably what the 10 and 20 byte packets are,

not sure how to figure them out without just running a car and logging all of the data...



#21 kangaroomadman

kangaroomadman

    Stage One Kit Fitted

  • Noobies
  • PipPipPip
  • 66 posts
  • Location: Southampton

Posted 27 May 2020 - 07:49 AM

Yeah, I assumed that's what they were for but strangely the ACR4 tends just to use the single commands. It can only display 4 values at once anyway so it only queries those.



#22 jamesportman

jamesportman

    Just On Tickover

  • Noobies
  • Pip
  • 7 posts
  • Location: MCR

Posted 27 May 2020 - 09:31 AM

I have put up the vaguely half working application online now - it works directly from the website using the Google Chrome browser if you have a "good" cable (the FTDI based ones or PL based ones I make too)

https://rovermems.com/web-app/



#23 jamesportman

jamesportman

    Just On Tickover

  • Noobies
  • Pip
  • 7 posts
  • Location: MCR

Posted 03 June 2020 - 12:58 PM

Found some more bits that might help. I think... it's the same style of ECU:

https://github.com/h...tree/master/app

https://github.com/E.../Ekaitza_Itzali



#24 g0myw

g0myw

    Mini Mad

  • Just Joined
  • PipPipPipPip
  • 108 posts
  • Location: marlow

Posted 05 August 2020 - 06:58 PM

Just had an interesting time trying out Android RoverMems on an MPI Mini (1999) MEMS 2J

https://play.google....m.jmp.rovermems

 

James has been most helpful & done a couple of updates that are getting data for these MPi cars.
Worth a try out if you need to check things out [don't we all]





