This means we need to find a way to send the data that "they want to see" when it calls for a calibration number.
Already possible if you read this...
Originally Posted by Biggiesacks
This is the 94170015 ROM code that computes the final checksum value.
This CPU instruction 9b 84 loads the word length value stored @ 0x00037842 into CPU Register 11.
This CPU instruction 3a bc sums the value stored in CPU Register 11 with the value stored in Register 10, then it writes the sum back into Register 10.
This CPU instruction 2c a1 writes the value stored in CPU Register 10 to RAM address 0xFFFF8E7C (C.V.N.).
The instruction 3a bc can be changed to 6a b3. Instead of adding R11 to R10, this instruction will tell the CPU to write Register 11 to Register 10 (R10 == R11). This has the effect of writing whatever value is stored @ ROM address 0x00037842 to RAM address 0xFFFF8E7C.
P.S. If someone wants to post the XML for this mod that's cool. I haven't done so on purpose. Please don't message me asking for XML. That's the easy part, you can figure it out, I believe in you.
Last edited by CDrinkH2O; Jul 17, 2021 at 08:52 AM. Reason: add post
I really wanted to do a nice how-to with lots of pictures and make it super easy mode. With the way things are going, I just didn't feel comfortable doing that. I tried to set the bar low, and I even color coded it. If you know how ECUFlash definitions work, all the information you need to implement the mod is there. Even easier would be to just use a hex editor.
Last edited by Biggiesacks; Jul 17, 2021 at 07:00 PM.
0000BEEF is just someone teasing, putting a silly bunch of hex values as a CVN. Hex values are 0-9, a-f (so you don't have many letters to spell something).
Reminds me of the music player I use in Linux, "deadbeef".
Does this hack work for Evo 9's?
I know with some expensive scan tools you can scan your car and view the CVN. I have been thinking of getting an Autel with bidirectional controls (for troubleshooting purposes on all cars). It would be possible to verify this hack will work this way (assuming I am on the right track).
It would have been deadbeef, but the 9417 ROMs only have a 16-bit CVN. It's a common pattern programmers use because it's easy to spot amongst a bunch of other hex values (and other reasons I'm sure). It's used here to demonstrate the effect of the mod. No expensive tools required to get the CVN. The free trial version of PCMScan with an OpenPort 2.0 will get it.
I haven't looked at the code for the 9. My guess is it's very similar and probably would work with some tweaking. I don't have an evo 9 ecu to work with. I am hoping someone familiar with the newer rom versions will port this mod and share it.
Maybe I was not clear, but I want to buy an Autel because one of my hobbies is troubleshooting (and modifying) cars, and these types of scan tools can be critically handy when it comes to figuring things out on newer cars. My 9 has a modified ROM, but I'm not sure which one because I flashed my 'force pass' years ago (2015) and I haven't flashed since then.
Originally Posted by Jp7
i know with some expensive scan tools you can scan your car and view the cvn
That's all I was responding to. I'm sure the Autel would be very useful. With right to repair starting to pick up steam, I'm hoping these tools keep getting better and cheaper too.
Originally Posted by Biggiesacks
I really wanted to do a nice how-to with lots of pictures and make it super easy mode. With the way things are going, I just didn't feel comfortable doing that. I tried to set the bar low, and I even color coded it. If you know how ECUFlash definitions work, all the information you need to implement the mod is there. Even easier would be to just use a hex editor.
Seeing how tuners are still locking their flex fuel tunes, it's not like I would have to worry about being able to do any of this anyway. I will leave it up to them. Weird for me because I'm so used to handling my own stuff...
Add to that the fact that my car no longer lives in California, I don't even have a real way to ensure that it works. I would like to have it set up to pass because when I go to sell it, it will most likely go to a new owner in California.
Originally Posted by Jp7
0000BEEF is just someone teasing, putting a silly bunch of hex values as a CVN. Hex values are 0-9, a-f (so you don't have many letters to spell something).
Reminds me of the music player I use in Linux, "deadbeef".
Does this hack work for Evo 9's?
I know with some expensive scan tools you can scan your car and view the CVN. I have been thinking of getting an Autel with bidirectional controls (for troubleshooting purposes on all cars). It would be possible to verify this hack will work this way (assuming I am on the right track).
If you really know any of the stuff you just posted, you could EASILY figure out what Biggiesacks posted.
Spoofing the original factory ROM CVN is 1000000% doable. We aren't the first to do it. Other tools have had it for years now.
You can view your CVN without insanely priced mediocre tools. It's 2021. My $35 borescope from Amazon has better fidelity and features than a $1,400 Snap-On borescope.
Originally Posted by kaj
Add to that the fact that my car no longer lives in California, I don't even have a real way to ensure that it works. I would like to have it set up to pass because when I go to sell it, it will most likely go to a new owner in California.
Any tool that can scan the CVN can tell you if it works or not. California is the first. Other states will follow suit. Ironically, I moved away from California after 35 years and am now in New York, which will probably be the next state to add this to inspections.
Last edited by razorlab; Jul 18, 2021 at 05:06 PM.
Originally Posted by Biggiesacks
I really wanted to do a nice how-to with lots of pictures and make it super easy mode. With the way things are going, I just didn't feel comfortable doing that. I tried to set the bar low, and I even color coded it. If you know how ECUFlash definitions work, all the information you need to implement the mod is there. Even easier would be to just use a hex editor.
Just like how you unlock a locked flex fuel tune 🤫
If I'm understanding correctly, hypothetically of course, you modify the XML definition file to expose address 0x37842. Then write the CVN there. Then after flashing the ROM, use something like an OBD library in Python to send command 6a B3.
Or, is the ROM a series of commands with associated data like assembly instructions? And that means just literally changing the hex in an editor? I always thought it was a pure data dump.
Last edited by Segfault; Jul 19, 2021 at 07:22 PM.
Originally Posted by Segfault
If I'm understanding correctly, hypothetically of course, you modify the XML definition file to expose address 0x37842. Then write the CVN there.
Yes exactly
Originally Posted by Segfault
Then after flashing the ROM, use something like an OBD library in python to send command 6a B3.
No, it's pretty much the same as the other step, except you are changing the processor instruction @H'00037738 from 3a bc to 6a b3. That's ROM address 0x00037738 (hexadecimal) for those wondering what the "@H" stuff is.
And that's it, the mod is literally changing one 16-bit value at one address and another 16-bit value at a different address.
Originally Posted by Segfault
Or, is the ROM a series of commands with associated data like assembly instructions? And that means just literally changing the hex in an editor? I always thought it was a pure data dump.
Yeah that's right, just a bunch of processor commands and data. The compiled machine code. You can open the ROM in a hex editor and change anything you want. All the info you need to understand it is right here https://www.evoscan.com/technical-ve...u-dissassembly.
It is a dump of the entire EEPROM on the chip.
Last edited by Biggiesacks; Jul 19, 2021 at 08:32 PM.
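As an added illustration (not code from the thread, from ECUFlash, or from sh2dis), here is a small decoder for the four SH-2 instruction words quoted in this thread, a model of the routine's final ADD-then-store step, and an inspector-side check that flags a ROM image whose accumulate instruction has become a register-to-register MOV. The instruction encodings are the standard SH-2 ones; the eight-byte ROM fragments and the offset 0 are constructed for the demonstration and are not real ECU data.

```python
import struct

def decode_sh2(word: int) -> str:
    """Decode one 16-bit SH-2 word for the four formats used in the CVN routine."""
    hi, n, m, lo = word >> 12, (word >> 8) & 0xF, (word >> 4) & 0xF, word & 0xF
    if hi == 0x9:                      # 1001 nnnn dddd dddd  MOV.W @(disp,PC),Rn
        return f"MOV.W @(0x{(word & 0xFF) * 2:X},PC),R{n}"
    if hi == 0x3 and lo == 0xC:        # 0011 nnnn mmmm 1100  ADD Rm,Rn
        return f"ADD R{m},R{n}"
    if hi == 0x6 and lo == 0x3:        # 0110 nnnn mmmm 0011  MOV Rm,Rn
        return f"MOV R{m},R{n}"
    if hi == 0x2 and lo == 0x1:        # 0010 nnnn mmmm 0001  MOV.W Rm,@Rn
        return f"MOV.W R{m},@R{n}"
    return f".word 0x{word:04X}"       # anything else: treat as raw data

def read_word(rom: bytes, addr: int) -> int:
    """SH-2 code is big-endian: fetch the 16-bit word at a ROM offset."""
    return struct.unpack_from(">H", rom, addr)[0]

def final_cvn(r10: int, r11: int, opcode: int) -> int:
    """Model the routine's last step: r10 is the checksum the earlier loop
    accumulated, r11 the constant the MOV.W loaded, opcode the word between
    them. The return value is what the store instruction writes out as the CVN."""
    op = decode_sh2(opcode)
    if op == "ADD R11,R10":            # stock: CVN depends on the summed ROM
        return (r10 + r11) & 0xFFFF
    if op == "MOV R11,R10":            # patched: CVN is just the constant
        return r11 & 0xFFFF
    raise ValueError(f"unexpected instruction in CVN routine: {op}")

def cvn_routine_intact(rom: bytes, routine_addr: int) -> bool:
    """Inspector-side check: the three words at routine_addr should decode to
    PC-relative load, ADD, store. A register-to-register MOV in the middle
    means the reported CVN no longer depends on the ROM contents."""
    ops = [decode_sh2(read_word(rom, routine_addr + 2 * i)) for i in range(3)]
    return (ops[0].startswith("MOV.W @(") and ops[1].startswith("ADD ")
            and ops[2].startswith("MOV.W R") and "@R" in ops[2])

# Constructed 8-byte ROM fragments (not real ECU data): load, accumulate, store, padding.
ROM_STOCK = bytes.fromhex("9b843abc2ca10009")
ROM_PATCHED = bytes.fromhex("9b846ab32ca10009")

if __name__ == "__main__":
    for rom in (ROM_STOCK, ROM_PATCHED):
        print([decode_sh2(read_word(rom, a)) for a in (0, 2, 4)],
              "intact" if cvn_routine_intact(rom, 0) else "TAMPERED")
```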
Originally Posted by Biggiesacks
Yeah that's right, just a bunch of processor commands and data. The compiled machine code. You can open the ROM in a hex editor and change anything you want. All the info you need to understand it is right here https://www.evoscan.com/technical-ve...u-dissassembly.
It is a dump of the entire EEPROM on the chip.
Thanks for all the info. Using the sh2dis python script and HxD, I could get a better picture of what was going on.