私たちは楽器に行きます



マイレージを変更したり、ダッシュボードのメモリに入るのにどれくらいかかりますか?



見つける方法は1つだけです。自分で試してみてください。



問題の定式化



, . Python CAN-USB . CAN-. , , OBDII-. .



:

CAN- . CAN- , .



— .





, . / :



  • ( );
  • ;
  • ;
  • (, Hyundai Kia, Mitsubishi Citroen ..)


, :





Hyundai Solaris 2013 ..

: 94003-4l715

. , 4 . CAN-, "" .





Ford Focus 3 2012 ..

: BM5T-10849-BAE

. , CAN-.





Mitsubishi Lancer X 2008 ..

: 8100A117A



Mitsubishi, Citroen Peugeout. , , .



, .





, . : KWP2000 (Keyword Protocol 2000) UDS (Unified Diagnostic Services). KWP2000, UDS, . :



  • ;
  • / ;
  • / ;
  • ;
  • .


, , , .



: . , — . CAN -. :





. , . / .



. , "" .



, .



, , :



  1. ;
  2. (, , ..);
  3. (0x01, 0x03, 0x05 ..);
  4. (/ , ..)




.

Python-:





:



  • ;
  • + ;
  • , CAN ;
  • UDS-.




, . Python CAN-USB . , , CAN- .



: , , flow-control . , CAN- , , . , , - real-time .



, , caringcaribou, python-can.



CAN-USB, , , . , Vector VN1610 VN1611, Lawicel.

, c COM-, CAN- . , "CAN-USB stm32vldiscovery" .



, 12 . , CAN.



Hyundai Solaris





:





CAN:





: Solaris 4 , A, B, C, D.



:





:





, .

- , 0x03 UDS, 0x85 0x90 KWP2000.

, , , . , .





KWP2000 UDS ReadMemoryByAddress (0x23), . KWP2000 :



Byte # Value Parameter
0 23 Service ID
1-3 XX memoryAddress[3]
4 XX memorySize


, ID , . memoryIdentifier, (EEPROM, flash), 16 .



UDS:



Byte # Value Parameter
0 23 Service ID
1 XX addressAndLengthFormatIdentifier
~ XX memoryAddress[]
~ XX memorySize[]


, addressAndLengthFormatIdentifier, memorySize, — memoryAddress. , 32- memoryAddress 16- memorySize 24. memoryIdentifier.



, , . , , . , , . , :



Byte # Value Parameter
0 23 Service ID
1-4 XX memoryAddress[4]
5 XX memorySize[2]


: , KWP2000, addressAndLengthFormatIdentifier UDS . , : 0x00 - ( ):



TX: <7C6> (8)    07 23 00 00 00 00 00 04
RX: <7CE> (8)    05 63 80 07 00 07 00 00


0x04 EEPROM.



TX: <7C6> (8)    07 23 04 00 00 00 00 04
RX: <7CE> (8)    05 63 0d a8 00 00 00 00


- EEPROM
import can
import isotp
import logging
import time
import argparse

def process_stack_receive(stack, timeout=1):
    t1 = time.time()
    while time.time() - t1 < timeout:
        stack.process()
        if stack.available():
            break
        time.sleep(stack.sleep_time())
    return stack.recv()

def process_stack_send(stack, timeout=1):
    t1 = time.time()
    while time.time() - t1 < timeout:
        stack.process()
        if not stack.transmitting():
            break
        time.sleep(stack.sleep_time())

def my_error_handler(error):
    logging.warning('IsoTp error happened : %s - %s' % (error.__class__.__name__, str(error)))

def print_frame(frame):
    if frame:
        print(''.join(format(x, '02x') for x in frame))
    else:
        print("None")

bus = can.interface.Bus(bustype='slcan', 
                        channel="COM3", 
                        ttyBaudrate=115200, 
                        bitrate=500000)
addr = isotp.Address(isotp.AddressingMode.Normal_11bits, rxid=0x7ce, txid=0x7c6)
stack = isotp.CanStack(bus, address=addr, error_handler=my_error_handler, params = {'tx_padding':0})

parser = argparse.ArgumentParser()
parser.add_argument("-e", "--eeprom", help="read EEPROM", action="store_true")
parser.add_argument("-f", "--flash", help="read Flash", action="store_true")
args = parser.parse_args()

if args.eeprom:
    for addr in range(0x00000000, 0x000007ff, 0x10):
        addr0 = (addr >>  0) & 0xff
        addr1 = (addr >>  8) & 0xff
        array = [0x23, 0x04, 0x00, addr1, addr0, 0x00, 0x10]

        stack.send(bytearray(array))
        process_stack_send(stack)
        print_frame(process_stack_receive(stack))

if args.flash:
    for addr in range(0x00000000, 0x0003ffff, 0x10):
        addr0 = (addr >>  0) & 0xff
        addr1 = (addr >>  8) & 0xff
        addr2 = (addr >> 16) & 0xff
        array = [0x23, 0x00, addr2, addr1, addr0, 0x00, 0x10]

        stack.send(bytearray(array))
        process_stack_send(stack)
        print_frame(process_stack_receive(stack))

bus.shutdown()


, -? WriteMemoryByAddress (0x3d) , , — . :



Byte # Value Parameter
0 3d Service ID
1-4 XX memoryAddress[4]
5-N XX dataRecord


memorySize, .



. - 0x7d, :



TX: <7C6> (8)    06 3d 00 00 00 00 81 00
RX: <7CE> (8)    01 7d 00 00 00 00 00 00

TX: <7C6> (8)    07 23 00 00 00 00 00 04
RX: <7CE> (8)    05 63 80 07 00 07 00 00


, .. .



EEPROM :



TX: <7C6> (8)    06 3d 04 00 00 00 0e 00
RX: <7CE> (8)    01 7d 00 00 00 00 00 00

TX: <7C6> (8)    07 23 04 00 00 00 00 04
RX: <7CE> (8)    05 63 0e a8 00 00 00 00


0x0d 0x0e.



, : .





EEPROM . : , 1 , EEPROM . CAN-, . , , : , .



, 1 , :





EEPROM 0x20? .



"" 23 :





:



  1. 64
  2. p =
  3. 2 :

  4. :


0,1 2,3 4,5 6,7 8,9 A,B C,D E,F
-0x01 -0x02 -0x04 -0x08 -0x10 -0x20 -0x40 -0x80


, .



, 64890 , :



[13, F8, 27, F0, 4F, E0, 9F, C0, 3F, 81, 7F, 02, FE, 04, FC, 09]
[F8, 13, F0, 27, E0, 4F, C0, 9F, 81, 3F, 02, 9F, 05, 3E, 0A, 7C]
[13, F8, 27, F0, 4F, E0, 9F, C0, 3F, 81, 7F, 02, FE, 04, FC, 09]
[F8, 13, F0, 27, E0, 4F, C0, 9F, 81, 3F, 02, 9F, 05, 3E, 0A, 7C]


0- 2- :



[F8, 13, F0, 27, E0, 4F, C0, 9F, 81, 3F, 02, 7F, 04, FE, 09, FC]
[F8, 13, F0, 27, E0, 4F, C0, 9F, 81, 3F, 02, 9F, 05, 3E, 0A, 7C]
[F8, 13, F0, 27, E0, 4F, C0, 9F, 81, 3F, 02, 7F, 04, FE, 09, FC]
[F8, 13, F0, 27, E0, 4F, C0, 9F, 81, 3F, 02, 9F, 05, 3E, 0A, 7C]


FF, :



[07, EC, 0F, D8, 1F, B0, 3F, 60, 7E, C0, FD, 80, FB, 01, F6, 03]
[07, EC, 0F, D8, 1F, B0, 3F, 60, 7E, C0, FD, 60, FA, C1, F5, 83]
[07, EC, 0F, D8, 1F, B0, 3F, 60, 7E, C0, FD, 80, FB, 01, F6, 03]
[07, EC, 0F, D8, 1F, B0, 3F, 60, 7E, C0, FD, 60, FA, C1, F5, 83]


, 2- :



[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD80, FB01, F603]
[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD60, FAC1, F583]
[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD80, FB01, F603]
[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD60, FAC1, F583]


:



[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD80, 1FB00, 3F600]
[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD60, 1FAC0, 3F580]
[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD80, 1FB00, 3F600]
[07EC, 0FD8, 1FB0, 3F60, 7EC0, FD60, 1FAC0, 3F580]


, ; , :



[07EC, 07EC, 07EC, 07EC, 07EC, 07EC, 07EC, 07EC]
[07EC, 07EC, 07EC, 07EC, 07EC, 07EB, 07EB, 07EB]
[07EC, 07EC, 07EC, 07EC, 07EC, 07EC, 07EC, 07EC]
[07EC, 07EC, 07EC, 07EC, 07EC, 07EB, 07EB, 07EB]


, FD7A (64890).



, EEPROM :





!



Ford Focus 3





:





CAN:





: Focus 2 CAN-: MS (Medium Speed) MM (Multimedia). MS CAN.



:





:





, UDS . 0x01 , 0x02 0x03 . ReadMemoryByAddress/WriteMemoryByAddress , DID ReadDataByIdentifier.





DID, , DID 0x61BB 3-, :



RX: <720> (8)    03 22 61 bb 00 00 00 00
RX: <728> (8)    06 62 61 bb 00 e9 20 00


WriteDataByIdentifier , 0x03.



. "" 3 , . , Beneath the Bonnet: a Breakdown of Diagnostic Security Adventures in Automotive Networks and Control Units.



0x03, , 1 :



RX: <720> (8)    02 10 03 00 00 00 00 00
RX: <728> (8)    06 50 03 00 32 01 f4 00

RX: <720> (8)    02 27 03 00 00 00 00 00
RX: <728> (8)    05 67 03 XX XX XX 00 00
RX: <720> (8)    05 27 04 XX XX XX 00 00
RX: <728> (8)    02 67 04 00 00 00 00 00

RX: <720> (8)    06 2e 61 bb 00 e9 21 00
RX: <728> (8)    03 6e 61 bb 00 00 00 00


, :



RX: <720> (8)    03 22 61 bb 00 00 00 00
RX: <728> (8)    06 62 61 bb 00 e9 21 00


. ?.. :



RX: <720> (8)    02 10 03 00 00 00 00 00
RX: <728> (8)    06 50 03 00 32 01 f4 00

RX: <720> (8)    02 27 03 00 00 00 00 00
RX: <728> (8)    05 67 03 XX XX XX 00 00
RX: <720> (8)    05 27 04 XX XX XX 00 00
RX: <728> (8)    02 67 04 00 00 00 00 00

RX: <720> (8)    06 2e 61 bb 00 e9 20 00
RX: <728> (8)    03 7f 2e 31 00 00 00 00


0x31 requestOutOfRange, . , .





, reprogrammingSession. , Ford . , . EEPROM?



(Secondary Bootloader) : SBL , SBL, / - . :





Ford VBF Volvo Binary Format. : , ; .



SBL :



  1. DiagnosticSessionControl: 0x02;
  2. SecurityAccess: e 0x01;
  3. RequestDownload: 0x03ff0000 ( ), VBF-;
  4. TransferData: ;
  5. RequestTransferExit: ;
  6. RoutineControl: 0x0301, SBL.


- : RequestUpload RequestDownload.



- ( VBF )
import can
import isotp
import time
import binascii
from udsoncan.connections import PythonIsoTpConnection
from udsoncan.client import Client
from udsoncan import Response, MemoryLocation, DataFormatIdentifier
from ford_glfsr import calculate_key

download_payload_size = 0xc8
upload_payload_size = 0x20

def my_error_handler(error):
   logging.warning('IsoTp error happened : %s - %s' % (error.__class__.__name__, str(error)))

bus = can.interface.Bus(bustype='slcan', 
                        channel="COM3", 
                        ttyBaudrate=115200, 
                        bitrate=125000)
tp_addr = isotp.Address(isotp.AddressingMode.Normal_11bits, txid=0x720, rxid=0x728)
stack = isotp.CanStack(bus=bus, 
                       address=tp_addr, 
                       params = {'tx_padding':0}, 
                       error_handler=my_error_handler)
conn = PythonIsoTpConnection(stack)

# wake up the IPC
ping_msg = can.Message(arbitration_id=0x080, 
                       data=[0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00], 
                       is_extended_id=False)
bus.send(ping_msg)
time.sleep(0.2)

with Client(conn) as client:
    # TesterPresent
    client.tester_present()

    # ChangeSession
    client.change_session(0x02)
    time.sleep(0.3)

    # SecurityAccess
    response = client.request_seed(0x01)
    seed_int = int.from_bytes(response.service_data.seed, "little")
    key_int = calculate_key(seed_int, 0x01)
    key_bytes = key_int.to_bytes(3, byteorder="big")
    client.send_key(0x01, key_bytes)

    # RequestDownload
    memloc = MemoryLocation(address=0x03ff0000, 
                            memorysize=0x54d4, 
                            address_format=32, 
                            memorysize_format=32)
    dfi = DataFormatIdentifier(compression=0, encryption=0)
    client.request_download(memory_location=memloc, dfi=dfi)

    # TransferData
    f = open("BM5T-14C025-AD.bin", "rb")
    ipc_sbl = f.read()
    f.close()

    end_block = 0x6d  # memorysize/upload_payload_size
    print("DOWNLOAD END BLOCK:", (hex(end_block)))
    # sequence should start with "0x01", not "0x00"
    for block_num in range(0x01, end_block + 0x01):
        print(hex(block_num))
        start_i = (block_num - 0x01) * download_payload_size
        end_i = start_i + download_payload_size
        client.transfer_data(block_num, ipc_sbl[start_i:end_i])

    # TransferExit
    client.request_transfer_exit()

    # StartRoutine
    client.start_routine(0x0301, data = b'\x03\xff\x00\x00')

    # RequestUpload
    memloc = MemoryLocation(address=0x00007000, 
                            memorysize=0x000f9000, 
                            address_format=32, 
                            memorysize_format=32)
    dfi = DataFormatIdentifier(compression=0, encryption=0)
    client.request_upload(memory_location=memloc, dfi=dfi)

    upload_result = bytearray()
    end_block = 0x7c80  # memorysize/upload_payload_size
    print("UPLOAD END BLOCK:", (hex(end_block)))
    # sequence should start with "0x01", not "0x00"
    for block_num in range(0x01, end_block + 0x01):
        print(hex(block_num))
        response = client.transfer_data(block_num % 0x100)
        upload_result.extend(response.service_data.parameter_records)

    f = open("flash_dump.bin", "wb")
    f.write(upload_result)
    f.close()

    # TransferExit
    try:
        client.request_transfer_exit()
    except:
        pass

    # ECUReset
    client.ecu_reset(1)


, , SBL EEPROM. SBL, . — . ?





, DID , ; EEPROM, , , . , . - .



: - 4294967 .



"" , . , "nop":





, :



TX: <720> (8)    02 10 03 00 00 00 00 00
RX: <728> (8)    06 50 03 00 32 01 f4 00

TX: <720> (8)    02 27 03 00 00 00 00 00
RX: <728> (8)    05 67 03 XX XX XX 00 00
TX: <720> (8)    05 27 04 XX XX XX 00 00
RX: <728> (8)    02 67 04 00 00 00 00 00

TX: <720> (8)    03 22 61 bb 00 00 00 00
RX: <728> (8)    06 62 61 bb 01 e2 40 00

TX: <720> (8)    06 2e 61 bb 01 38 d5 00
RX: <728> (8)    03 6e 61 bb 00 00 00 00

TX: <720> (8)    03 22 61 bb 00 00 00 00
RX: <728> (8)    06 62 61 bb 01 38 d5 00


, :





, , .





, , . , .



, . , GIMP .



, GIMP raw- , , . (), "/ 1 ", .



16 , ( 1, 2, 3, 4, 5, 6). Ford, . , , , . :





? F Ford. , :





Ford
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 FC 00 FE 00 FF 80 E3 80 C1 C0 C0 40 C0 60 E0 60 E0 20 70 30 18 30 00 30 00 30 00 30 80 30 C0 20 F0 60 38 60 1C 60 0C 60 06 60 03 C0 C1 C0 20 C0 20 C0 C0 C0 00 C0 01 C0 01 80 01 80 01 80 03 80 03 80 03 80 07 80 07 80 07 80 07 80 0F 80 0F 80 0F 80 07 80 07 80 07 80 03 80 03 C0 01 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 C0 00 C0 00 C0 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 00 7E 00 FF 80 FF C0 E1 E0 C0 70 C0 30 80 10 80 00 80 01 C0 01 C0 03 E0 03 F0 01 F0 11 78 08 3C 04 1F 84 0F C4 07 E4 01 FE 80 3F C0 0F E0 07 78 03 FC 02 FF 82 CF C2 03 C2 01 E2 00 63 00 66 00 29 80 00 80 40 E0 60 F8 C0 7F C0 1F 00 06 00 07 80 83 C0 E1 E0 F0 60 FC 70 3E F0 1F E0 07 80 0F 80 39 C0 70 E0 70 F0 31 F0 31 E0 19 00 FC 00 FE 00 FF 80 1F 80 07 C0 01 E0 00 E0 00 70 80 70 C0 E0 E0 E0 FF 80 7F 80 3F E0 0F F0 07 FC 80 7E C0 1F E0 0F 60 03 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 03 00 03 00 07 00 07 00 07 00 07 00 03 00 03 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 00 00 01 00 03 00 07 00 07 00 07 00 07 00 07 00 03 00 03 00 03 00 01 00 00 00 00 00 00 00 04 00 07 00 07 00 07 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 07 00 0F 00 0E 00 0E 00 0E 00 06 00 07 00 03 00 07 00 0F 00 0F 00 0C 00 0C 00 06 00 07 00 03 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


, 114x48 , 6 , GIMP. , :





.



Habr
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FC 00 FC 00 FC 00 FC 00 FC 00 FC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FC 00 FC 00 FC 00 FC 00 FC 00 FC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF F0 01 F8 00 7C 00 7C 00 FC 00 FC 01 FC FF FC FF F8 FF F0 FF E0 FF C0 FF 00 00 00 00 00 00 00 3C 80 FF C0 FF E0 FF F0 FF F8 FF F8 C3 F8 81 F8 00 F8 00 F8 00 F8 00 F0 81 E0 C3 F8 FF F8 FF F8 FF F8 FF F8 FF 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF E0 C3 F0 81 F8 00 F8 00 F8 00 F8 00 F8 81 F8 C3 F8 FF F0 FF E0 FF C0 FF 80 FF 00 3C 00 00 00 00 00 00 F8 FF F8 FF F8 FF F8 FF F8 FF F8 FF E0 03 F0 01 F8 00 78 00 7C 00 FC 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 00 00 00 00 00 00 00 00 00 00 00 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 00 00 00 00 00 00 00 00 01 00 03 00 07 00 0F 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 0F 00 07 00 1F 00 1F 00 1F 00 1F 00 1F 00 00 00 00 00 00 00 00 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 07 00 0F 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 0F 00 07 00 03 00 01 00 00 00 00 00 00 00 00 00 1F 00 1F 00 1F 00 1F 00 1F 00 1F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


Mitsubishi Lancer X





:





: , .. .



CAN:





:





:





, : . . 2000-, KWP2000 DaimlerChrysler-Mitsubishi, Dodge, Chrysler, Jeep, Mitsubishi, Mercedes-Benz Smart. , .



defaultSession, , . , . extenedDiagnosticSession , . ReadDataByLocalIdentifier .





, .. ReadDataByLocalIdentifier 0xFF , ReadDataByIdentifier 0xFFFF.



DID 0xAD :



TX: <6A0> (8)    02 21 ad 00 00 00 00 00
RX: <514> (8)    05 61 ad d0 18 03 00 00


WriteDataByLocalIdentifier 1 , :



TX: <6A0> (8)    05 3b ad d1 18 03 00 00
RX: <514> (8)    03 7f 3b 12 00 00 00 00


0x12 "Sub Function Not Supported" — , .



: , ? , . " OBD ", Mitsubishi . , , (0x01, 0x07 0x09). :



TX: <6A0> (8)    02 10 92 00 00 00 00 00
RX: <514> (8)    02 50 92 d0 18 03 1e 00

TX: <6A0> (8)    02 27 01 00 00 00 00 00
RX: <514> (8)    06 67 01 XX XX XX XX 00
TX: <6A0> (8)    06 27 02 XX XX XX XX 00
RX: <514> (8)    03 67 02 34 1c ad 4f 00

TX: <6A0> (8)    02 27 07 00 00 00 00 00
RX: <514> (8)    06 67 07 XX XX XX XX 00
TX: <6A0> (8)    06 27 08 XX XX XX XX 00
RX: <514> (8)    03 67 08 34 36 74 26 00

TX: <6A0> (8)    02 27 09 00 00 00 00 00
RX: <514> (8)    06 67 09 XX XX XX XX 00
TX: <6A0> (8)    06 27 0a XX XX XX XX 00
RX: <514> (8)    03 67 0a 34 9f 1f f5 00

TX: <6A0> (8)    05 3b ad d1 18 03 00 00
RX: <514> (8)    03 7f 3b 12 9f 1f f5 00


. , , - . - ?



, . , , OBDII . , .



, : ECUFlashReprogrammingSession (0x85) , .



EEPROM, , .



, , - - .





, Mitsubishi , KWP2000 UDS , :





KWP2000 DaimlerChrysler-Mitsubishi, "" KWP2000 UDS 2006 .



, , . , , : DisableNormalMessageTransmission / EnableNormalMessageTransmission CommunicationControl. StartRoutineByLocalIdentifier / StopRoutineByLocalIdentifier / RequestRoutineResultsByLocalIdentifier, RoutineControl.



, , KWP2000 StartDiagnosticSession, StopDiagnosticSession . , , ISO 14230-3, StartDiagnosticSession 0x81.



, AccessTimingParameter , SecuredDataTransmission , LinkControl .



ReadECUIdentification, : VIN, .. UDS ReadDataByIdentifier, DID 0xF1. VIN KWP2000 0x1A90, UDS — 0x22F190. , , .





, — , EEPROM. , , . , .



, , UDS 14229-1:2020, Authentication (0x29) . IoT , セキュアブート、アンチロールバックファームウェアなどのさまざまな保護メカニズム。



したがって、同様のトリックを10年後に実行するのがより困難になる可能性があります。




All Articles