forked from AndyWhittaker/IDAProBoschMe7x
Programming Via OBD-II.txt
From http://www.streetcarforums.com/showthread.php?t=52923&page=10
Let's assume you have a KWP2000 connection with your VAG group ECU
Then let's go send these messages:
82 : 2 data bytes
01
F1
1A : ISO 14230-3 ReadECUIdentification
92 : systemSupplierSpecific
20 : CRC
The ECU should respond with
87 : 7 data bytes
F1
01
5A : ISO 14230-3 positive reply
92 : systemSupplierSpecific
VV
WW
XX
YY
ZZ
CS : CRC
Now compute the following
ecuid = (VV+WW+XX+YY+ZZ) & 0x3f
Then send:
82 : 2 data bytes
01
F1
27 : ISO 14230-3 SecurityAccessRequest
01 : Request Seed
9C : CRC
The ECU should respond with
86 : 6 data bytes
01
F1
67 : ISO 14230-3 positive reply
01 : Request Seed
WW : Seed MSB
XX
YY
ZZ : Seed LSB
CS : CRC
Now compute the following
seed = (WW<<24)+(XX<<16)+(YY<<8)+(ZZ)
unsigned int table[64] =
{
0x0A221289,0x144890A1,0x24212491,0x290A0285,
0x42145091,0x504822C1,0x0A24C4C1,0x14252229,
0x24250525,0x2510A491,0x28488863,0x29148885,
0x422184A5,0x49128521,0x50844A85,0x620CC211,
0x124452A9,0x18932251,0x2424A459,0x29149521,
0x42352621,0x4A512289,0x52A48911,0x11891475,
0x22346523,0x4A3118D1,0x64497111,0x0AE34529,
0x15398989,0x22324A67,0x2D12B489,0x132A4A75,
0x19B13469,0x25D2C453,0x4949349B,0x524E9259,
0x1964CA6B,0x24F5249B,0x28979175,0x352A5959,
0x3A391749,0x51D44EA9,0x564A4F25,0x6AD52649,
0x76493925,0x25DE52C9,0x332E9333,0x68D64997,
0x494947FB,0x33749ACF,0x5AD55B5D,0x7F272A4F,
0x35BD5B75,0x3F5AD55D,0x5B5B6DAD,0x6B5DAD6B,
0x75B57AD5,0x5DBAD56F,0x6DBF6AAD,0x75775EB5,
0x5AEDFED5,0x6B5F7DD5,0x6F757B6B,0x5FBD5DBD
};
for (int i=0; i<5; i++)
{
    if ((seed & 0x80000000) == 0)
    {
        seed = (table[ecuid]) ^ (seed << 1);
    }
    else
    {
        seed = (seed << 1);
    }
}
Then send:
88 : 8 data bytes
01
F1
27 : ISO 14230-3 SecurityAccessRequest
02 : Send Key
WW : (seed >> 24 ) & 0xff
XX : (seed >> 16 ) & 0xff
YY : (seed >> 8 ) & 0xff
ZZ : (seed ) & 0xff
00
00
CS : CRC
The ECU should respond with
83 : 3 data bytes
01
F1
67 : ISO 14230-3 positive reply
02 : Send Key
34 : Not sure what this means
12 : CRC
Secure access granted, now you can read/write anything (eeprom etc.)
Enjoy!
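
Added example, not part of the original post: a small C decoder for the frame layout listed above, of the kind used to review a captured diagnostic log and pick out SecurityAccess (27 / 67) exchanges. In every complete frame on this page the byte labelled CRC equals the 8-bit sum of all bytes before it, and the low six bits of the first byte equal the stated data length; the decoder assumes exactly that layout. The names kwp_frame and kwp_decode are hypothetical, and BAD_REQ is a constructed corrupted frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One frame in the layout listed on this page:
   format byte, two address bytes, data bytes, trailing check byte. */
struct kwp_frame {
    uint8_t addr1, addr2;   /* the two bytes after the format byte */
    uint8_t len, sid;       /* data length and first data byte (service id) */
    int check_ok;           /* trailing byte == 8-bit sum of all bytes before it */
    int security_access;    /* 0x27 request or 0x67 positive reply */
};

/* Returns 0 on success, -1 when the buffer does not match this layout. */
int kwp_decode(const uint8_t *buf, size_t n, struct kwp_frame *out)
{
    if (n < 5 || !(buf[0] & 0x80)) return -1;  /* only the addressed form is handled */
    uint8_t len = buf[0] & 0x3F;               /* 0x82 -> 2, 0x87 -> 7, as on the page */
    if (len == 0 || n != (size_t)len + 4) return -1;
    uint8_t sum = 0;
    for (size_t i = 0; i + 1 < n; i++) sum = (uint8_t)(sum + buf[i]);
    out->addr1 = buf[1];
    out->addr2 = buf[2];
    out->len = len;
    out->sid = buf[3];
    out->check_ok = (sum == buf[n - 1]);
    out->security_access = (out->sid == 0x27 || out->sid == 0x67);
    return 0;
}

/* Frames copied from the page; the last one is a constructed corrupted copy. */
const uint8_t ID_REQ[]   = {0x82, 0x01, 0xF1, 0x1A, 0x92, 0x20};
const uint8_t SEED_REQ[] = {0x82, 0x01, 0xF1, 0x27, 0x01, 0x9C};
const uint8_t KEY_ACK[]  = {0x83, 0x01, 0xF1, 0x67, 0x02, 0x34, 0x12};
const uint8_t BAD_REQ[]  = {0x82, 0x01, 0xF1, 0x27, 0x01, 0x9D};

int main(void)
{
    const uint8_t *frames[] = {ID_REQ, SEED_REQ, KEY_ACK, BAD_REQ};
    const size_t sizes[] = {sizeof ID_REQ, sizeof SEED_REQ, sizeof KEY_ACK, sizeof BAD_REQ};
    for (size_t i = 0; i < 4; i++) {
        struct kwp_frame f;
        if (kwp_decode(frames[i], sizes[i], &f) != 0) { puts("malformed"); continue; }
        printf("sid=%02X len=%u check=%s%s\n", f.sid, (unsigned)f.len,
               f.check_ok ? "ok" : "BAD", f.security_access ? " [SecurityAccess]" : "");
    }
    return 0;
}
```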