Title: Help with RB4 DECRYPTED Dump
Post by: niston on January 01, 2018, 09:17:32 PM

Hi all!

UPDATE: Solved, but still interested in more info!
EDIT: Attached the dump!

I'm looking to learn more about the offsets in DECRYPTED BOSCH RB4 instrument cluster dump. I'm ultimately looking for the PIN. Managed to identify a few parts so far:

(https://i.imgur.com/VLaKzn3.png)

Green appears to be the odometer value(s).

Orange I believe to be the key data: 32 memory bytes, there are 8 keys possible and it takes 4 bytes per key if I'm not mistaken. 3x4 Bytes are set, the rest is FF FF FF FF. Also I know there are 3 keys programmed, so it certainly appears like it could be key data.

The red part is not encrypted, but also repeated 3 times - probably IMMO and/or config/coding related. Idk.

I'm not sure about the blue part. I suspect the PIN to be in that blue part, so I tried all possible 2 Byte values from that row (in little endian ordering). I also tried a bunch of big endian combinations, but none worked so far:

Quote
2Bytes Little Endian
0000 00000 nope
0CB9 03257 nope
B9BA 47546 dies
BA23 47651 dies
236C 09068 nope
6CE7 27879 dies
E75F 59231
5FB5 24501
B505 46341
056B 01378 nope
6B12 27410
1200 04608 nope
000A 00010
A003 40963
03FF 01023 nope
FFFF 65535

Wild guess (2 bytes proven to be from odometer value)
1146 04422 nope
1147 04423 nope

Desperation sets in (2Bytes Big Endian)
03A0 00928
05B5 01461
23BA 09146
126B 04715 nope

I'm testing with cluster on bench, using a rather primitive DIY wiring loom. Login PIN values above 9999 appear to kill communications, when entered in VCDS (marked "dies"); I then have to cycle ignition to get the cluster to respond again. Also, Cluster Lock Out time (MVB 24) keeps rising and rising as I try them wrong numbers, the last mistaken attempt took 184mins to clear.

Maybe somebody could give me a hint, please?

Title: Re: Help with RB4 DECRYPTED Dump
Post by: macxxx on January 02, 2018, 01:37:53 AM

Use vag eeprom programmer 1.19, it will give you the pin number. If you still want the location of it in the dump, then search for it this way:
After you read the pin, change it from dec to hex and swap bytes.
The pin has maximum 4 digits.

Title: Re: Help with RB4 DECRYPTED Dump
Post by: niston on January 02, 2018, 10:57:19 AM

Quote
Use vag eeprom programmer 1.19, it will give you the pin number. If you still want the location of it in the dump, then search for it this way:
After you read the pin, change it from dec to hex and swap bytes.
The pin has maximum 4 digits.

I used VAG EEPROM Programmer 1.19g to extract the decrypted dump from the cluster EEPROM. I can use it to set mileage and that works fine. But it did not decode anything, i.e. PIN, IMMO Info etc. are not showing up.

Because of that, I tried manually extracting 2 Byte numbers to find the pin, byte swapped and converted from HEX to DEC as shown in the list above. But none of the 2 Byte combos I tried so far are working.

Any help appreciated.

Title: Re: Help with RB4 DECRYPTED Dump
Post by: macxxx on January 02, 2018, 11:03:45 AM

Upload the dump

Title: Re: Help with RB4 DECRYPTED Dump
Post by: Kacza on January 02, 2018, 12:06:50 PM

PIN 01387

Title: Re: Help with RB4 DECRYPTED Dump
Post by: macxxx on January 02, 2018, 01:01:19 PM

Sorry, I didn't see the attachment through Tapatalk. I agree with Kacza, it has to be 01387.

Title: Re: Help with RB4 DECRYPTED Dump
Post by: niston on January 02, 2018, 06:11:00 PM

Haha omg... I have that (Hex 056B) on my list, but swapped a digit during conversion (01378 instead of 01387) to Decimal - No wonder it didn't work!

But now all is well! YAY! ;D ;D ;D

You're the best, folks! Thanks a lot!!

NB: Could somebody perhaps comment on my thoughts about the Key memory bytes? Does anyone know more?

Title: Re: Help with RB4 DECRYPTED Dump
Post by: Penni on April 09, 2019, 12:01:04 AM

Hello Niston,

I just registered at NefMoto to say thank you. I had the same issue with my dashboard and I can tell you that your solution works for me too ;D. I tried almost everything with different software but nothing worked until I read your post.

THANK YOU VERY MUCH :D :D :D

Title: Re: Help with RB4 DECRYPTED Dump
Post by: claytech on June 05, 2020, 05:42:28 AM

Hey guys, I know I'm late to the party but having same issue with RB4 D22 dump (attached). Does anyone care to tell me where the SKC is located or possibly give me PIN? Much appreciated.

Thanks,

Title: Re: Help with RB4 DECRYPTED Dump
Post by: claytech on June 05, 2020, 06:06:30 AM

Would it be 06869? Just comparing to the pin of the original dump in this post.

Title: Re: Help with RB4 DECRYPTED Dump
Post by: macxxx on June 05, 2020, 07:23:24 AM

I will check it later, but if you compared it to the file above it has to be it (address 0x046 and 0x047)

Title: Re: Help with RB4 DECRYPTED Dump
Post by: claytech on June 05, 2020, 07:51:03 AM

Yep, that's what I saw. Thanks macxxx. If you don't mind, just look over later for a sanity check, thanks.

Title: Re: Help with RB4 DECRYPTED Dump
Post by: claytech on June 05, 2020, 09:14:55 AM

Do I have to wait for lockout time to expire before I can even successfully log into the cluster?

Title: Re: Help with RB4 DECRYPTED Dump
Post by: d3irb on June 05, 2020, 11:24:40 AM

Quote
Do I have to wait for lockout time to expire before I can even successfully log into the cluster?

yes, the lockout affects successful PINs too, otherwise it wouldn't be useful for much in terms of preventing brute force enumeration. lockout timer must be in EEPROM somewhere too but not sure any off the shelf tools can reset it. you are probably best off waiting for it to expire.
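
The lockout point in the last reply, as an added illustration that is not part of the thread and not the cluster's firmware: a simulated PIN gate comparing a lockout that refuses every login while the timer runs with one that still checks the PIN. The class and function names, the 10-minute base and the doubling schedule are assumptions; the sample PINs are constructed.

```python
# Added illustration, not RB4 firmware: names, the 10-minute base and the
# doubling schedule are assumptions chosen to make the policy visible.
from dataclasses import dataclass


@dataclass
class PinGate:
    secret: int
    check_during_lockout: bool      # False = the behaviour described in the reply
    base_lockout_min: int = 10      # assumed length of the first lockout
    locked_until: int = 0           # minutes on a simulated clock
    failures: int = 0

    def login(self, pin: int, now: int) -> str:
        if now < self.locked_until and not self.check_during_lockout:
            return "locked"         # the PIN is not even compared
        if pin == self.secret:
            self.failures = 0
            self.locked_until = 0
            return "ok"
        self.failures += 1
        # assumed escalation: each wrong attempt doubles the wait
        self.locked_until = now + self.base_lockout_min * 2 ** (self.failures - 1)
        return "wrong"


def minutes_until_accepted(gate: PinGate, guesses):
    """Simulated minutes a guesser spends before login() returns 'ok'."""
    now = 0
    for pin in guesses:
        result = gate.login(pin, now)
        if result == "locked":
            now = gate.locked_until          # forced to wait out the timer
            result = gate.login(pin, now)
        if result == "ok":
            return now
    return None


if __name__ == "__main__":
    guesses = range(1000, 1005)              # constructed: secret is the 5th guess
    strict = PinGate(secret=1004, check_during_lockout=False)
    leaky = PinGate(secret=1004, check_during_lockout=True)
    print("strict gate:", minutes_until_accepted(strict, guesses), "min")
    print("leaky gate: ", minutes_until_accepted(leaky, guesses), "min")
```

With the PIN still compared during lockout, the timer costs a guesser nothing; with it refused, five guesses already cost 150 simulated minutes, and the legitimate user has to wait as well.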