OBD_II You asked for experiences
Wayne.MacDonald at zurich.com.au
Fri May 14 00:58:04 GMT 1999
I have three of the new Triumph fuel injected motorcycles and got pissed off that they would not sell me the diagnostic tool for the bike. This tool allows you to set things like the off-idle mixture and reset TPS shutoff position etc. The cool thing it allowed was a download of a new "program" into the computer. I suspect that this program download is in fact just new fuel and spark maps.
Last month I was doing a little fiddle with the TPS signal and kept causing the ECU to go into limp home mode. Each time I had to go to the dealer to get the ECU reset. After doing this a number of times I decided to try and reverse engineer the diag tool. With some research I found it used the OBD_II interface, so I built an adapter to connect a laptop inline before the SAE-J1962 plug. I wrote a program to trace all the traffic, then got the dealer to use the diagnostic tool to reset/read some of the sensors (he didn't know I had a PC connected). I then spent the next couple of days at the standards office going through the data I had gathered. I found that the first thing the diag tool did was request that the ECU unlock. To this the ECU responds with a two byte seed value, the diag tool then responds with the correct key for this seed value, and the ECU is unlocked. The standard states that the ECU should apply a delay of 10 seconds between subsequent requests if an incorrect key is entered twice in a row. This means it would take more than 1300 years if you tried to use a brute force attack on the codes. When I discovered this I thought I had been whipped.
I went to the dealer again to try and get a sample base of the codes so I could try and crack the algorithm used. I managed to get them to let me use the tool by myself and proceeded to plug it in and out 347 times (until arthritis set in).
Once I had these codes I wrote some programs to arrange the data in different orders. Once I did this I noticed that the second byte of the seed translated into the second byte of the key. I then wrote a prog to create a translation table using the sample data. I found that when I printed the translation table the data was ordered within the rows. This allowed me to fill in the blanks in the table. Knowing how to resolve the second byte means the brute force time had dropped to a bit more than 5.3 years (better but still a long time).
I decided to write the brute force program and give it a go. The first thing I did was wire up one of my ECUs on a board powered by a battery charger.
When I started to test the program I noticed that Triumph had not implemented the 10 second rule. Instead they allow three attempts, then you need to reset the connection and try again. This means that I can try three codes every 5 seconds instead of one every ten seconds. This had sliced the time to not much more than ten months.
I decided I don't need all the codes. If I have a large enough sample so that the unlock process does not take more than a minute, that is good enough. To this end I have currently got my brute force program running. It displays the number of times it has unlocked along with the average time and max time to unlock. Currently it has 800 codes and the average time to unlock is 2:42 and the max unlock time is 15 minutes. It finds a new code every 10 minutes.
I have recorded two downloads of different tunes and once I have enough codes I will try and work out what values affect what. To do this I will use my bench ECU. This ECU doesn't use an EGO sensor; it uses MAP, TPS, RPM, coolant temp and air temp. I have replaced all the sensors except the crank sensor with resistors (to give repeatable values). I have the crank wheel driven off a hobby motor and am using a 68HC11 to time the injector pulse width. I intend to drive the motor from the PC and have a program that can run through the rev and TPS range and build a map, then I will change one value and repeat. Using this process I will be able to isolate the range that the new value affects. By using a PC prog to build the maps I should be able to get repeatable values.
If anyone can help with some ideas I am all ears.
I hope I have not been a bore.
Wayne Macdonald.
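
Added example, not part of the original post: a Python check that a seed/key designer can run over pairs from their own algorithm to catch the weakness described above (a key byte that depends on a single seed byte), together with the enumeration-time arithmetic for the lockout policies mentioned. The toy algorithm, sample seeds and function names are constructed for illustration; the time figures assume every seed/key combination is counted, which is the reading that reproduces the post's 1300 years, 5.3 years and ten months.

```python
import random
from collections import defaultdict

SECONDS_PER_YEAR = 365.25 * 86400

def toy_key(seed: bytes) -> bytes:
    """Constructed stand-in algorithm, NOT any real ECU's seed/key function."""
    first = (seed[0] * 7 + seed[1] * 13 + 0x5A) & 0xFF   # mixes both seed bytes
    second = seed[1] ^ 0xA5                              # weak: one seed byte only
    return bytes([first, second])

def single_byte_dependencies(pairs):
    """List (key_pos, seed_pos) where the key byte is fully determined by one
    seed byte in every observed pair. Positions are 0-based (1 = second byte)."""
    found = []
    for k in range(2):
        for s in range(2):
            outputs = defaultdict(set)   # seed byte value -> key byte values seen
            counts = defaultdict(int)    # seed byte value -> number of samples
            for seed, key in pairs:
                outputs[seed[s]].add(key[k])
                counts[seed[s]] += 1
            repeated = any(n > 1 for n in counts.values())  # need repeats as evidence
            if repeated and all(len(v) == 1 for v in outputs.values()):
                found.append((k, s))
    return found

def exhaust_seconds(unknown_key_bytes, attempts, window_seconds, seed_bytes=2):
    """Time to try every seed/key combination when the ECU permits `attempts`
    tries per `window_seconds` (assumed reading of the post's figures)."""
    return 256 ** (seed_bytes + unknown_key_bytes) * window_seconds / attempts

def constructed_samples(n=347):
    """n distinct constructed seeds with their toy keys (fixed RNG, repeatable)."""
    rng = random.Random(1999)
    seeds = [v.to_bytes(2, "big") for v in rng.sample(range(65536), n)]
    return [(s, toy_key(s)) for s in seeds]

if __name__ == "__main__":
    print("single-byte dependencies:", single_byte_dependencies(constructed_samples()))
    for label, args in [("10 s per try, 2 unknown key bytes", (2, 1, 10)),
                        ("10 s per try, 1 unknown key byte", (1, 1, 10)),
                        ("3 tries per 5 s, 1 unknown key byte", (1, 3, 5))]:
        print(f"{label}: {exhaust_seconds(*args) / SECONDS_PER_YEAR:.2f} years")
```

A non-empty result from `single_byte_dependencies` means the algorithm lacks diffusion, and each leaked byte removes a factor of 256 from the work the lockout delay is supposed to enforce.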