Tuners Rejoice! Free Tuning For M4.4!


Recommended Posts

A liitle app to safely insert or remove my software AC mod for M4.3 cars

http://www.meditekst.nl/downloads/ACmod.zip

Do not use this mod together with the hardware mod.

You have to restore the ECU in it's original condition first!!

The has to saved again first after loading into tunerpro, to get the checksum right.

Otherwise there will be a DTC code set.

I will update the app later on so it will update the checksum directly.

Edited by Piet
  • Upvote 1
Link to comment
Share on other sites

@WhizzMan:

Older unprotected CPUs like in M1.3 and M4.3 can be read by putting a program to read lower address space in external ROM at a higher address than internal ROM.

M4.4 is better protected. Software in external ROM cannot read internal rom.

Brute force verification could be an option ,but I believe I calculated the time needed to something like 10000 years.

But if you use a synchronized pair of CPUs, you can run nearly single commands in internal ROM and guess what they were by the results they had on registers.

If you're lucky you can find code that can be exploited to read itself.

post-15104-0-15282100-1425933968_thumb.j

Link to comment
Share on other sites

Ah the older ones simply didn't have the "protect" bit set then? My hope would be that the chip wouldn't let you first upload a full image and then eventually display a result, but give an error the moment you would send one wrong byte to it. Once it does that, you iterate through 256 values max per byte and you have brute forced the next byte. It wouldn't take more than about a day to get all the contents that way.

tjwasiak: the location of the "bridges" is on pictures in the first 30 pages of this thread. My question is what component to solder on that. These aren't bare metal wire bridges or blobs of solder, so there should be a component I can order to do it properly.

Link to comment
Share on other sites

On C517A you have to send 16 bytes before they are verified. Then continue with the next 16 bytes.

If verification fails, I believe you will have to start from the beginning and re-send all the bytes you have already verified.

But It is possible that the 10000 years was for something else, and I have mixed the memories.

Link to comment
Share on other sites

I've had luck with de-soldering the ROM and MCU multiple times from one ECU without any problems. I don't think it is too difficult since fortunately the ECU was manufactured before ROHS when they were still using leaded solder.

Edited by Tightmopedman9
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share