Reverse engineer ECU

#62
Finally I managed to completely disable the EGR by analyzing a lot of factory firmwares (thanks to ZakhooiTM). No more activity and no more fault codes. :) In addition I identified the subroutine and the structure that generates the fault codes, so theoretically it is possible to deactivate other fault codes as well.
I also updated the old comparison table: https://drive.google.com/file/d/1Wvv9kqkgvJtO3bo4QTMeacG7UaEMbuhE/view
More details here: https://z22sevectra.blogspot.com/2019/01/ecu-14.html
 

Rick201i

Regular Member
#63
Finally I managed to completely disable the EGR by analyzing a lot of factory firmwares (thanks to ZakhooiTM). No more activity and no more fault codes. :) In addition I identified the subroutine and the structure that generates the fault codes, so theoretically it is possible to deactivate other fault codes as well.
I also updated the old comparison table: https://drive.google.com/file/d/1Wvv9kqkgvJtO3bo4QTMeacG7UaEMbuhE/view
More details here: https://z22sevectra.blogspot.com/2019/01/ecu-14.html
Are you in the UK then?
 
#66
To get the EGR off with a Tech2, up the year to 2004 in the VIN (W0L0TGF4825083014 = 2002, W0L0TGF4845083014 = 2004).
Then go through the SPS process as normal; with the Tech2 make sure you select 2004 or higher, else you get the No Engine Management message.
So after the ECU is flashed, the VIN will be changed as well. Does it mean I have to match my immo to the new VIN? Or can I hex edit the VIN (on the TECH2's flash card) back to W0L0TGF4825083014 before I flash it?
 
#67
Finally I managed to completely disable the EGR by analyzing a lot of factory firmwares (thanks to ZakhooiTM). No more activity and no more fault codes. :) In addition I identified the subroutine and the structure that generates the fault codes, so theoretically it is possible to deactivate other fault codes as well.
I also updated the old comparison table: https://drive.google.com/file/d/1Wvv9kqkgvJtO3bo4QTMeacG7UaEMbuhE/view
More details here: https://z22sevectra.blogspot.com/2019/01/ecu-14.html
That is really remarkable work. (respect) I tried to read your blog but I don't understand Hungarian. Do you mean simply altering the code at address (0xccf0-0xcd33) would completely get rid of the EGR valve without a fault code?
 
#68
So after the ECU is flashed, the VIN will be changed as well. Does it mean I have to match my immo to the new VIN? Or can I hex edit the VIN (on the TECH2's flash card) back to W0L0TGF4825083014 before I flash it?
Only your immo and your ECU have to be paired. If you haven't changed them then there will be no task about it. I don't know whether the TECH2 alters anything during or before the flashing, but if you write the raw binary then it is irrelevant what was in it at that section. The old info will be replaced at every write process. As I said you can even delete the whole section.
 
#69
Only your immo and your ECU have to be paired. If you haven't changed them then there will be no task about it. I don't know whether the TECH2 alters anything during or before the flashing, but if you write the raw binary then it is irrelevant what was in it at that section. The old info will be replaced at every write process. As I said you can even delete the whole section.
Since I don't have mpps but only a TECH2, what I am going to try is to directly alter the raw binary from my TECH2's card and then flash it. Or I will try the way ZakhooiTM has suggested.
 
#70
That is really remarkable work. (respect) I tried to read your blog but I don't understand Hungarian. Do you mean simply altering the code at address (0xccf0-0xcd33) would completely get rid of the EGR valve without a fault code?
I think it is quite readable with a translator:
https://translate.google.com/transl.../z22sevectra.blogspot.com/2019/01/ecu-14.html
Have you tried reading it this way?
So far I have 3 methods to disable the EGR functioning:
- By setting all the EGR map values to 0.
- By changing only one byte at 0xd3f3 (the address can be different in other versions). This is what I call the bypass switch, since it would not let the program enter the section where the EGR map is processed.
- By changing the 0xccf0-0xcd33. The two above are not used in any factory firmwares, but this one is the same for all. So I think that this is the factory solution. Probably it would be enough to alter only the first 3 bytes or one of these 3 but I haven't tried that.

However, this was the first part. The check engine light should be disabled as well. It could be done by altering the 0xdae2 value, especially its 7th bit. This modification is independent of the EGR functioning. It will disable the fault code generation even if the EGR is still functioning.
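
An integrity check for the kind of change discussed in this thread, as an added example that is not part of any post: it compares an ECU dump against a known factory reference and labels every changed byte run that overlaps the offsets quoted above. The names `WATCHED`, `changed_runs`, `audit` and `make_samples` are hypothetical, the offsets are the thread's and apply to one firmware version only, and the sample images are constructed.

```python
# Added example: offsets are the ones quoted in the thread for one firmware
# version and may differ in others; the sample images are constructed.
WATCHED = {
    "EGR routine 0xccf0-0xcd33": (0xCCF0, 0xCD33),
    "EGR bypass byte 0xd3f3": (0xD3F3, 0xD3F3),
    "fault-code byte 0xdae2": (0xDAE2, 0xDAE2),
}

def changed_runs(ref: bytes, img: bytes):
    """Return inclusive (start, end) offset runs where the two images differ."""
    if len(ref) != len(img):
        raise ValueError("image sizes differ; compare dumps of the same size")
    runs, start = [], None
    for off, (a, b) in enumerate(zip(ref, img)):
        if a != b and start is None:
            start = off
        elif a == b and start is not None:
            runs.append((start, off - 1))
            start = None
    if start is not None:
        runs.append((start, len(ref) - 1))
    return runs

def audit(ref: bytes, img: bytes, watched=WATCHED):
    """Label every changed run with the watched regions it overlaps."""
    findings = []
    for start, end in changed_runs(ref, img):
        hits = [n for n, (lo, hi) in watched.items() if start <= hi and end >= lo]
        xor = bytes(a ^ b for a, b in zip(ref[start:end + 1], img[start:end + 1]))
        findings.append({"start": start, "end": end,
                         "regions": hits or ["unlisted"], "xor": xor.hex()})
    return findings

def make_samples():
    """Constructed 64 KiB images: a zero-filled reference and an altered copy."""
    ref = bytes(0x10000)
    img = bytearray(ref)
    img[0x0100] = 0xAA                      # change outside the watched regions
    img[0xCCF0:0xCCF3] = b"\x01\x02\x03"    # change inside the EGR routine range
    img[0xDAE2] = 0x10                      # change to the fault-code byte
    return ref, bytes(img)

if __name__ == "__main__":
    for f in audit(*make_samples()):
        print(f"0x{f['start']:04x}-0x{f['end']:04x} xor={f['xor']} {f['regions']}")
```

The `xor` field shows exactly which bits differ in each run, so a single flipped bit in a flag byte stands out from a rewritten block.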
 
#71
Since I don't have mpps but only a TECH2, what I am going to try is to directly alter the raw binary from my TECH2's card and then flash it. Or I will try the way ZakhooiTM has suggested.
Most of the time you can reprogram the VIN with the Tech2.
But it doesn't really matter anyway, the immo doesn't care. It only cares whether the secret between the immo box and itself is in order and whether the immo gives the all-clear message.
 
#72
Most of the time you can reprogram the VIN with the Tech2.
But it doesn't really matter anyway, the immo doesn't care. It only cares whether the secret between the immo box and itself is in order and whether the immo gives the all-clear message.
Hi ZakhooiTM~ Thank you very much for the hint. The Security Code issue is exactly what I don't understand. Isn't the IMMO security code "calculated" as per the VIN, or is it a "fixed" code set by the factory that never changes even if the VIN is altered?
 
#73
Hi ZakhooiTM~ Thank you very much for the hint. The Security Code issue is exactly what I don't understand. Isn't the IMMO security code "calculated" as per the VIN, or is it a "fixed" code set by the factory that never changes even if the VIN is altered?
Code and VIN are assigned at the factory, after that you could even change the code to your postal code if you want, you would need to get new transponders though.
 