Hi all!
UPDATE: Solved, but still interested in more info!
EDIT: Attached the dump!
I'm looking to learn more about the offsets in a DECRYPTED BOSCH RB4 instrument cluster dump. I'm ultimately looking for the PIN. Managed to identify a few parts so far:
Green appears to be the odometer value(s). Orange I believe to be the key data: 32 memory bytes, there are 8 keys possible and it takes 4 bytes per key if I'm not mistaken. 3x4 bytes are set, the rest is FF FF FF FF. Also I know there are 3 keys programmed, so it certainly appears like it could be key data. The red part is not encrypted, but also repeated 3 times - probably IMMO and/or config/coding related. Idk.
I'm not sure about the blue part.
I suspect the PIN to be in that blue part, so I tried all possible 2-byte values from that row (in little endian ordering). I also tried a bunch of big endian combinations, but none worked so far:
2 Bytes Little Endian
0000 00000 nope
0CB9 03257 nope
B9BA 47546 dies
BA23 47651 dies
236C 09068 nope
6CE7 27879 dies
E75F 59231
5FB5 24501
B505 46341
056B 01378 nope
6B12 27410
1200 04608 nope
000A 00010
A003 40963
03FF 01023 nope
FFFF 65535
Wild guess (2 bytes proven to be from odometer value)
1146 04422 nope
1147 04423 nope
Desperation sets in (2 Bytes Big Endian)
03A0 00928
05B5 01461
23BA 09146
126B 04715 nope
I'm testing with the cluster on the bench, using a rather primitive DIY wiring loom. Login PIN values above 9999 appear to kill communications when entered in VCDS (marked "dies"); I then have to cycle ignition to get the cluster to respond again.
Also, Cluster Lock Out time (MVB 24) keeps rising and rising as I try wrong numbers; the last mistaken attempt took 184 mins to clear.
Maybe somebody could give me a hint, please?