Tag: discovery-3-can-bus
-
Discovery 3 CAN Bus, Part 10: The EXML Files and What We’re Still Hunting
SDD stores diagnostic configuration in EXML — JLR’s proprietary encrypted XML format. We cracked the Triple DES encryption, decrypted 2,033 EXML files, and found the RLM’s diagnostic data map. But the real prize — the calibration amplitude vs offset parameters — is still out there.
-
Discovery 3 CAN Bus, Part 7: Cracking the Ford Security Algorithm
Before you can write calibration data to an ECU, you need to pass Security Access. We found the Ford KeyGenMkI algorithm, confirmed the 24-bit LFSR seed in SecAlg.dll, and extracted the RLM’s secret diagnostic keys from SDD’s encrypted Security.exml.
-
Discovery 3 CAN Bus, Part 6: Reverse Engineering JLR SDD for Air Suspension Diagnostics
Going deeper into the Discovery 3 air suspension: we downloaded JLR SDD 130, extracted the dealer diagnostic VM, and found the service action plugins, VERONA CAN protocol layer, and the DLLs that control the Ride Level Control Module.
-
Discovery 3 CAN Bus, Part 9: Building Our Own UDS Diagnostic Tool
Building a Python UDS diagnostic tool for the Discovery 3 air suspension RLM module, using a LilyGO ESP32 CAN board with full ISO-TP transport, Ford KeyGenMkI security unlock, auto CAN-ID scanning across HS-CAN and MS-CAN, and an interactive UDS shell.
-
Discovery 3 CAN Bus, Part 8: The LilyGO CAN Transceiver TX Saga
We spent weeks trying to transmit CAN frames from the LilyGO ESP32 board. Frames were received perfectly but nothing would transmit. The fix? Two GPIOs we never knew existed: ME2107_EN (GPIO16) and CAN_SPEED_MODE (GPIO23).