|
Title: MKIV VW Bosch/Motometer RB8 Cluster Seed/Key Algorithm Post by: gmenounos on October 28, 2020, 11:46:48 PM This is not the exact algorithm used by the cluster but works about 50% of the time so you can usually succeed within 2 or 3 tries and get access to the EEPROM. I reverse engineered it by writing an RB8 simulator that returned specific simple seeds (e.g. 0x00000000, 0x00000001, etc.) and then had VAG K+CAN Commander try to access the simulator while I observed the keys being sent in response to the various seeds. It works fine on the two RB8 1J0920926C clusters that I have. No idea if it works on other RB8 clusters.
Code: static uint CalcRB8Key(uint seed) Title: Re: MKIV VW Bosch/Motometer RB8 Cluster Seed/Key Algorithm Post by: mdccode5150 on October 07, 2021, 01:55:33 AM Interesting. :)
Title: Re: MKIV VW Bosch/Motometer RB8 Cluster Seed/Key Algorithm Post by: gmenounos on March 02, 2022, 12:54:07 AM This is not the exact algorithm used by the cluster but works about 50% of the time so you can usually succeed within 2 or 3 tries and get access to the EEPROM. I reverse engineered it by writing an RB8 simulator that returned specific simple seeds (e.g. 0x00000000, 0x00000001, etc.) and then had VAG K+CAN Commander try to access the simulator while I observed the keys being sent in response to the various seeds. It works fine on the two RB8 1J0920926C clusters that I have. No idea if it works on other RB8 clusters. Code: static uint CalcRB8Key(uint seed) Spent a few more hours on this today, and with the help of the Z3 theorem prover (good info here: https://www.enigmatos.com/hacking-cars-with-z3/ (https://www.enigmatos.com/hacking-cars-with-z3/)) and some trial and error, came up with the exact algorithm: Code: static uint CalcRB8Key(uint seed) So far it's worked every time... Title: Re: MKIV VW Bosch/Motometer RB8 Cluster Seed/Key Algorithm Post by: 666tdi on May 15, 2022, 01:09:16 PM Did you try to read only EEP or RAM, FLASH too?
Title: Re: MKIV VW Bosch/Motometer RB8 Cluster Seed/Key Algorithm Post by: gmenounos on May 15, 2022, 05:09:55 PM Only the EEPROM. I don't know much about the RB8 cluster (e.g. memory map, which kwp1281 commands are supported for reading RAM/ROM, etc.)
I can probably figure some of this out by trial and error when I have time, but I'm mostly focused on the VDO clusters. But if you have any RB8 info you want to share, please do! Title: Re: MKIV VW Bosch/Motometer RB8 Cluster Seed/Key Algorithm Post by: 666tdi on May 15, 2022, 10:31:46 PM But if you have any RB8 info you want to share, please do! I haven't tested anything with that cluster but maybe its the same command with different address range?... Title: Re: MKIV VW Bosch/Motometer RB8 Cluster Seed/Key Algorithm Post by: gmenounos on September 10, 2022, 09:47:29 AM Got hold of an Audi RB4 crypto cluster (8E0920950L) and found out that this same seed/key algorithm works for it.
Title: Re: MKIV VW Bosch/Motometer RB8 Cluster Seed/Key Algorithm Post by: stuydub on September 17, 2022, 10:53:42 AM I haven't tested anything with that cluster but maybe its the same command with different address range?... The mk4 RB8s just need binning the only thing u can do with these is change mileage and enable MTE ..hence why everyone has upgraded to VDO....all data is stored on the MMU and to read that well no point been tried before and found zero |