EDC17 Immo remove, work in progress

**elektro128** · 30th January, 2014, 11:14 PM

arvedo
I tried to help you.
I told you - send me a photo from fgtech software - maybe immo exist in OTP area.

you not sent photo

**elektro128** · 30th January, 2014, 11:17 PM

soxten

I do not know

software exist to calc cs

algo - who explain?

**elektro128** · 30th January, 2014, 11:18 PM

gttuning

upload files from ecu

regards

**gttuning** · 30th January, 2014, 11:23 PM

Originally Posted by elektro128

gttuning

upload files from ecu

regards

check i cant see
thanks

**elektro128** · 30th January, 2014, 11:45 PM

place ready

**gttuning** · 30th January, 2014, 11:49 PM

thanks i check this out!

**bearheroes** · 31st January, 2014, 12:01 AM

8B022022 is repeated many times.Similar to F00FF480208B022022 only once...Which of all should be changed?

**yugo45** · 31st January, 2014, 12:55 AM

Originally Posted by elektro128

soxten

I do not know

software exist to calc cs

algo - who explain?

Tango New update can do this.

**elektro128** · 31st January, 2014, 09:56 AM

arvedo

file to test

regards

**soxten** · 2nd February, 2014, 11:27 PM

Is immo of working by changing byte?

**Nio** · 3rd February, 2014, 01:22 AM

I check on edc17c09 psa group and i did not find F00FF480208B022022.. BR.

**chli1976** · 3rd February, 2014, 06:17 AM

I found only in bootmode read in VAG
Try to search 0F F4 80 20 8B 02 20 22

**soxten** · 3rd February, 2014, 06:59 AM

Ok, sounds to simple to work.
I get ECUVonix next week. And hope it works on VAG.

**ALVARES** · 3rd February, 2014, 12:43 PM

100$ works vag
I tried it on different vehicle. Great support from team ecuvonix. I had problems checksum file PSA. They arranged for me to file for free in a few hours.

**fsvsunix** · 3rd February, 2014, 02:32 PM

Originally Posted by svrecar

Here is tested solution for EDC 17 !

tested on...vw,audi,seat,skoda,citroen,ford,opel,renault, fiat and peugeot.

Immo is in MPC

search for this sequence in whole or just part of it:

F00FF480208B022022

Change it to:

F00FF4802000008212

done,

immo is off!

so you wont have to buy it elsewhere.

Press thanks!

Br,

Hello svrecar and thanks for pointing out this solution.

As i see in the code after a quick dissasemble there is a not equal operation that is nullified and the return operand that you are changing.

I assume that this is he part of the code that checks if the immo code i wrong.

But i have also found out that the search string that people has to search here is the 0FF480208B022022 without the F0 infront since F0 is part of the previous routine code.Actualy it is the part of a complete memory address that stores the a vlaue(probably immo code) for comparsion in the next lines..In some case there was en E0 or 11 before the actual hex string...

For example in one case there is 19 0f 74 11 "0F F4 80 20 8B 02 20 22"

The 19 0f 74 11 is part of the same function and the code is saving the memory contents of 74 11(0x1474) to the (x)15 register

So to sume up the actual byte of the code we are searching for is "0F F4 80 20 8B 02 20 22" .In some med17 ecu versions we will find it more then once but i assume it will always be the first code that does this comparsion.

Another thing that i was thinking is if the 00 00 00 00 is not the correct way to nullify the not equal (ne) function.Is the cpu accepting those zeros correctly or we are just saved by an exception handler?

I assume that the complete code of the hex string is this

ld32.w d15, [a0]0x1474 <---- memory address that changes some times from firmware to firmware
and32 d2, d4, d15
ne d2, d2, #0 <----nullified code
ret16