Originally Posted by
ndjur
Hello,
This is not about a car engine at all, but I'm still hoping somebody may have some idea. It's a Mercury marine engine, controlled by Mortorola PCM555 ECU. I think some Ford engines may use the same ECU, but I'm not 100% sure.
I'm trying to understand the security access to this ECU. It looks a bit different from the usual seed-key method, unless the seed is really long number.
I have Mercury OEM scanner that uses RS485 and of course knows what the algorithm is. Every time scanner connects a different stream of bytes is sent from the ECU.
One of the logic analyzer logs shows the following:
Scanner (Hex) ECU (Hex)
FD,02,01 DF,05
FD,02,01 8A,E5
FD,02,01 52,79
FD,02,01 B0,98
FD,02,01 38,48
FC,27,CC 02,01
Every log I have shows different number of FD,02,01 commands and different response from the ECU. After unknown number of FD,02,01 requests, scanner always sends FC,XX,YY, where XX and YY are always different values.
So, I have two unknowns: first - how does the scanner know how many FD,02,01 commands to send and second - how if knows which value to send with FC command.
It would be really great if any of you can give me some hint on this one. Have you ever seen similar protocol or even better - any chance you have some info on the algorithm used?
Thanks in advance,
Nick