NefMoto

One of my big gripes with my car is being forced to go to a dealer if I want to swap certain parts.  That just bothers me for all sorts of reasons.

The more I look into it, the more confused I get.  Nobody is talking about this system.  Not on this board, or anywhere else.  I can't even find a high level description of how it works, other than "it has to be adapted via a FAZIT link".  It seems like ABrites is the only tool that can work with it at all, and even they don't have it completely figured out.

Maybe it's just because I'm still new to the VAG world, but I'm surprised nobody seems willing to even talk about it, let alone try to crack it.  There's so many talented people and innovative hacks, but CP is like the dragon nobody wants to poke.   Is it because it's just too complex, or are people afraid of legal action from VW?

If it's some crazy complex encryption scheme, fine.  It's just be nice if someone with knowledge of the topic would say so.

What components are we talking about?

Please do not use "component protection" unless you are referring to BTS

http://www.audi-resource.com/componentprotection.php

vag brought this in to stop the sale of stolen parts, IE , make you spend more if you want to update the parts in your car , remember that if you buy a cheap part from the guy on the corner or the local car boot sale  , we on;y have ourselves to blame for this , that's why I don't like the section on here on how to defeat , i lost my keys , i got the car with no keys , the dog eat them , it just rings alarm bells , now that I have said that , I am going to lose my 2 sets of keys  :P

There is no discussion because people make money with this.
Most of the other boards have threads where people have access to GEKO and selling their service.

I would like to start this discussion.
I know a little about CP protection with the cluster (which seems to be the master) and the Discovery Media (radio unit).
Once they're both authorized by the dealer tool, they both write some crypted data into their internal eeproms.

This data contains atleast some unique ID from the counterpar, so they can only work together, you can't swap them.

So there are basically 2 ways to bypass this:
1) Find out what is stored in each devices eeprom, and how it is crypted, so you can write the correct data yourself.
2) Find out what commands to send to the master (and slaves) so that they write the correct data to their internal eeprom. These data use challenge responses and have crypted data blocks as well.


Rgs H2Deetoo

I've found some Audi and VW SSPs that say the J533 CAN Gateway is the CP master.  Every time terminal 15 comes on, it compares the CP data in each participating module to the data it has in its EEPROM.  If it doesn't match, the offending modules throw a component protection error, and go to a low or no functionality mode.

That's the only concrete info I have. Nobody is willing or able to say how the EEPROM data is generated, or what the communication flow between modules looks like. 

Cars like mine are going on 10 years old now.  I'm willing and able to do my own repairs and retrofits with used parts, and it's absurd that I'm forced to pay a dealer a $150 (or more) "tax" to do nothing more than activate parts that I legally own. 

Ideally, there'd be a custom gateway reflash that just kills the system entirely.

This should be the cheapest tool for the job.

http://translate.google.com/translate?sl=de&tl=en&u=http%3A%2F%2Fwww.car-commander.tk%2F

1. buy software for 130€
2. trace what its doing
3. reverse engineer the software

Is there anybody who would like to jump down that rabbit hole if I buy the software?

https://motherboard.vice.com/en_us/article/d3zbnz/the-government-wants-to-permanently-legalize-the-right-to-repair

Car-commander is fake, dont buy it!!!
It´s a big cheat, they even write experience in some boards to make the fake perfect. There was a lot of person cheated...

Anyway there are a lot of different kinds of CP. For your car(i think A6 2007?!?) you can use AVDI for some modules. Most you have to open and read eeprom, and less OBD. For some other CP, for example A4 air condition from 2002-> it´s just done by write some value to adaptions channel and it will be learned, even VCDS can do it, and its even documentated inside VCDS. Latest PQ35 with Discover infotainmant and CP is only between instrument cluster and infotainment. It´s same if you would say "how adapt immo in vw/audi..." You cannot give a answer because there are too many generations. You have to look to exact the car type you have, and other model will be different again...
I think CP from PQ35 infotainment, MQB and A6 2012-> and similar cars are not possible with any tool in the moment...

My focus is on the B8, since that's what I have.   It seems like Audi introduced a lot of new stuff on the B8, including the online-only Gen 5 immobilizer. 

It'd be nice to completely crack CP and be able to properly adapt the modules, but I'm fine with just disabling it too. 

I'm willing to do some experiments on my own car, and I've bought a pile of parts from eBay to build an extensive bench test kit. 

This all started because I want to install the MMI 3G+ system in my car, and that means doing CP removal for at least 4 modules.  I really, really do not want to involve a dealer in this. 

Reverse engineering stuff is more fun anyway.

Hello guys. To add to this component protection thread was wondering if someone might be able to point me in the right direction here. I have a ccm module from Audi a6 4f. I need to decode this because it is under component protection in my car and I need to see where I can input my gateway info. I'll post what I have here if someone can help me with this I'd appreciate it.

For what it's worth, the little information I have:

The Audi radio unit (4G1035053) has the component protection information at offsets 0x7A66-7AB5 and/or 0x7FB0-0x7FFF.
The eeprom is a standard 24c256 which should be readable by a CH341A usb programmer in-circuit if you can get the wires connected.

Supposedly, copying over that bit of information from one radio unit to the other is enough to make it work in a different car.

For VW PQ platform I can say that units which are matched share the same key.
This shared key is stored in the eeprom of the unit but not in plain format but encrypted with a unique key for each unit.
So copying eeprom data (that area where the share key would be stored) will not work.

The handshake is initiated by the master (=cluster) and sends some encrypted data back and forth so both parties can verify if the use the same key.

I believe the VW MQB platform uses a similar (if not same) approach but there the gateway is the master.
(But I haven't studied this further though.)


Rgs H2Deetoo

H2Deetoo, did you make any more progress with this yet? On later PQ based cars such as Caddy and T6 Transporter the cluster is the master, the infotainment and distance control (radar) modules are the participants. I'm still wondering if the data can be manually copied from the original cluster and written to a replacement cluster and the CP scheme still work okay for the other modules.