After recently purchasing a '06 F250, it must have included the tinker bug with the sale. As an electronics tinker bug, it's made me want to figure out how exactly these aftermarket "Power" tuners are able to flash the ECU's EEPROM. So now that you know what started this nightmare, here's what I've figured out so far lol.
===== To enter programming mode =====
- Turn the key from OFF to ON, then apply an 18 volt DC signal to pin 13 on the J1962 connector to initiate PCM reprogramming.
This is where it gets tough: the ECU has a type of security (a seed/key algorithm) to protect it from accidentally entering programming mode with code scanners etc.
With 18 V on pin 18:
- Step 1: The external device shall request a "seed" from the on-board controller by sending the data bytes (27 01).
- The controller shall respond by sending a "Seed" (67 01 ==seed value==). A seed value of zero indicates that the controller is currently unlocked.
- Step 2: The external device shall respond by returning a "Key" number to the controller (27 02 ==key bytes==).
- The controller shall compare this "Key" to one it determines internally and issue a response. If the two numbers agree, the controller shall enable ("unlock") the external device's access to the secured communication modes.
On a Ford, the challenges (seeds) and responses (keys) are both just 16 bits.
Ford uses a proprietary hash algorithm that takes two inputs to generate the Key: a 3 Byte Seed and a 5 Byte Static Offset. The 3 Byte Seed is given to you at the start of the unlock process and is generated by the controller. The 5 Byte Static Offset is specific to each controller. This lets Ford use the same algorithm for every controller but get a different result for the same Seed, because the output is a function of the Seed and the Offset. The Seed changes each time it is requested, while the Offset does not change. To sum up the process: we take the 3 Byte Seed requested from the controller and the 5 Byte Static Offset, feed both into the security algorithm, and get a 3 Byte Key. We send this Key to the controller and voila, it's unlocked and we can write to its memory regions without restriction. So how do you get the 5 Byte Offset from the controller?
Where I'm stuck now is I'm needing a dump/ROM of a Ford's ECU to decompile it and see if I can figure out the algorithm to generate the needed key to return...