Closed Mr-MIBonk closed 2 years ago
jilleb
commented
2 years ago Hi, thanks. Yes, our eyes were on this position as well, as it's basically the only one that's not declared in the template. I'm running some brute force tests on multiple files to determine what range the checksum is being calculated on. So far, no consistent luck there.
Mr-MIBonk
commented
2 years ago I think it could be XOR... for a limited amount of bytes. This is why i ask if you can flash testfiles to limit the bytes concerned. I think it is defently not the whole bytes from complete file.
jilleb
commented
2 years ago Yes, we flashed several test files. Changes in any location lead to checksum errors.
Mr-MIBonk
commented
2 years ago What is with the 00's and the ff's parts at the end part of the files and the part from 0002h up to the XLS checksum? When you change something in this parts is there any protection too? or only after the crc16 chksum?
I ask, because for XOR we need definitely the right range to find it...
jilleb
commented
2 years ago Yes there too.
I've spent some time going over the various CRC16CCITT ranges from 2 to EOF (and everything in between). There are some hits of course, but none are reproducable on other firmwares. a XOR hash could be it. I guess I could write a simple script that goes over all ranges and does the same trick for XOR
Mr-MIBonk
commented
2 years ago I found XOR in different Datasets. VAG, Audi etc. but always with different checksum, sometimes the byte sum is 0, in other files it was e.g. 55555555... I wrote me some 010 scripts for it. Feel free to let me know when i can help you with some input for it.
jilleb
commented
2 years ago Closing :-) fixed with 7e2f7b2dc8106736337ad0c29de7f56b6367f206
Here you can see, that checksum for VIN Mask is with high probability in adress 0000h-0001h. I have some idea for this, but we need more information about the possible range. I have no 5E FW file, so i can't test it myself. Can you flash 5F test files to enclose the range for this part?