NefMoto

Technical => Cluster and Immobilizer => Topic started by: niston on January 01, 2018, 09:17:32 PM



Title: Help with RB4 DECRYPTED Dump
Post by: niston on January 01, 2018, 09:17:32 PM
Hi all!

UPDATE: Solved, but still interested in more info!

EDIT: Attached the dump!

I'm looking to learn more about the offsets in a DECRYPTED BOSCH RB4 instrument cluster dump. I'm ultimately looking for the PIN. Managed to identify a few parts so far:

(https://i.imgur.com/VLaKzn3.png)

Green appears to be the odometer value(s). Orange I believe to be the key data: 32 memory bytes, there are 8 keys possible and it takes 4 bytes per key if I'm not mistaken. 3x4 Bytes are set, the rest is FF FF FF FF. Also I know there are 3 keys programmed, so it certainly appears like it could be key data. The red part is not encrypted, but also repeated 3 times - probably IMMO and/or config/coding related. Idk.

I'm not sure about the blue part.

I suspect the PIN to be in that blue part, so I tried all possible 2 Byte values from that row (in little endian ordering). I also tried a bunch of big endian combinations, but none worked so far:

Quote
2Bytes Little Endian
0000 00000 nope
0CB9 03257 nope
B9BA 47546 dies
BA23 47651 dies
236C 09068 nope
6CE7 27879 dies
E75F 59231
5FB5 24501
B505 46341
056B 01378 nope
6B12 27410
1200 04608 nope
000A 00010
A003 40963
03FF 01023 nope
FFFF 65535


Wild guess (2 bytes proven to be from odometer value)
1146 04422 nope
1147 04423 nope


Desperation sets in (2Bytes Big Endian)
03A0 00928
05B5 01461
23BA 09146
126B 04715 nope

I'm testing with the cluster on the bench, using a rather primitive DIY wiring loom. Login PIN values above 9999 appear to kill communications when entered in VCDS (marked "dies"); I then have to cycle ignition to get the cluster to respond again.

Also, Cluster Lock Out time (MVB 24) keeps rising and rising as I try them wrong numbers, the last mistaken attempt took 184mins to clear.


Maybe somebody could give me a hint, please?


Title: Re: Help with RB4 DECRYPTED Dump
Post by: macxxx on January 02, 2018, 01:37:53 AM
Use VAG EEPROM Programmer 1.19, it will give you the PIN number. If you still want the location of it in the dump, then search for it this way:

After you read the PIN, change it from dec to hex and swap bytes.

The PIN has maximum 4 digits.


Title: Re: Help with RB4 DECRYPTED Dump
Post by: niston on January 02, 2018, 10:57:19 AM
Quote from: macxxx
Use VAG EEPROM Programmer 1.19, it will give you the PIN number. If you still want the location of it in the dump, then search for it this way:

After you read the PIN, change it from dec to hex and swap bytes.

The PIN has maximum 4 digits.

I used VAG EEPROM Programmer 1.19g to extract the decrypted dump from the cluster EEPROM. I can use it to set mileage and that works fine. But it did not decode anything, i.e. PIN, IMMO Info etc. are not showing up.

Because of that, I tried manually extracting 2 Byte numbers to find the pin, byte swapped and converted from HEX to DEC as shown in the list above.

But none of the 2 Byte combos I tried so far are working.

Any help appreciated.


Title: Re: Help with RB4 DECRYPTED Dump
Post by: macxxx on January 02, 2018, 11:03:45 AM
Upload the dump


Title: Re: Help with RB4 DECRYPTED Dump
Post by: Kacza on January 02, 2018, 12:06:50 PM
PIN 01387


Title: Re: Help with RB4 DECRYPTED Dump
Post by: macxxx on January 02, 2018, 01:01:19 PM
Sorry, I didn't see the attachment through Tapatalk. I agree with Kacza, it has to be 01387.


Title: Re: Help with RB4 DECRYPTED Dump
Post by: niston on January 02, 2018, 06:11:00 PM
Haha omg... I have that (Hex 056B) on my list, but swapped a digit during conversion (01378 instead of 01387) to Decimal - No wonder it didn't work!

But now all is well! YAY!  ;D  ;D  ;D

You're the best, folks!

Thanks a lot!!

NB: Could somebody perhaps comment on my thoughts about the Key memory bytes? Does anyone know more?


Title: Re: Help with RB4 DECRYPTED Dump
Post by: Penni on April 09, 2019, 12:01:04 AM
Hello Niston,

I just registered at NefMoto to say thank you.
I had the same issue with my dashboard and I can tell you that your solution works for me too  ;D.
I tried almost everything with different software but nothing worked until I read your post.

THANK YOU VERY MUCH  :D :D :D


Title: Re: Help with RB4 DECRYPTED Dump
Post by: claytech on June 05, 2020, 05:42:28 AM
Hey guys, I know I'm late to the party but I'm having the same issue with an RB4 D22 dump (attached). Does anyone care to tell me where the SKC is located or possibly give me the PIN? Much appreciated. Thanks,


Title: Re: Help with RB4 DECRYPTED Dump
Post by: claytech on June 05, 2020, 06:06:30 AM
Would it be 06869?  Just comparing to the pin of the original dump in this post.



Title: Re: Help with RB4 DECRYPTED Dump
Post by: macxxx on June 05, 2020, 07:23:24 AM
I will check it later but if you compared it to the file above it has to be it (address 0x046 and 0x047).


Title: Re: Help with RB4 DECRYPTED Dump
Post by: claytech on June 05, 2020, 07:51:03 AM
Yep, that's what I saw.  Thanks macxxx.  If you don't mind, just look over later for a sanity check, thanks.


Title: Re: Help with RB4 DECRYPTED Dump
Post by: claytech on June 05, 2020, 09:14:55 AM
Do I have to wait for lockout time to expire before I can even successfully log into the cluster?


Title: Re: Help with RB4 DECRYPTED Dump
Post by: d3irb on June 05, 2020, 11:24:40 AM
Quote from: claytech
Do I have to wait for lockout time to expire before I can even successfully log into the cluster?

yes, the lockout affects successful PINs too, otherwise it wouldn't be useful for much in terms of preventing brute force enumeration. lockout timer must be in EEPROM somewhere too but not sure any off the shelf tools can reset it. you are probably best off waiting for it to expire.
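
The point d3irb makes above, as an added example that is not part of any post in this thread: a toy model of a PIN check with an escalating lockout, comparing a gate that refuses every PIN while locked with one that still accepts the correct PIN during the lockout. The doubling schedule, the 10-minute base, the 240-minute cap, the one-minute cost per attempt and the PIN 1234 are assumptions made for the model, not values read from a cluster.

```python
MAX_PIN = 9999          # from the thread: the PIN has at most 4 digits
BASE_LOCKOUT_MIN = 10   # assumption: first penalty, not a value from the cluster
CAP_LOCKOUT_MIN = 240   # assumption: upper bound on a single penalty


class PinGate:
    """Toy login check whose lockout doubles with each wrong PIN."""

    def __init__(self, pin, strict=True):
        self.pin = pin
        self.strict = strict      # strict: while locked, every PIN is refused
        self.failures = 0
        self.locked_until = 0     # simulated clock, in minutes

    def login(self, guess, now):
        locked = now < self.locked_until
        if locked and self.strict:
            return "locked"       # the correct PIN is refused as well
        if guess == self.pin:
            self.failures = 0
            self.locked_until = 0
            return "ok"
        penalty = min(BASE_LOCKOUT_MIN * 2 ** min(self.failures, 8),
                      CAP_LOCKOUT_MIN)
        self.failures += 1
        self.locked_until = max(now, self.locked_until) + penalty
        return "wrong"


def minutes_to_enumerate(gate):
    """Simulated minutes until trying 0..MAX_PIN in order gets in."""
    now = 0
    for guess in range(MAX_PIN + 1):
        if gate.strict:
            # Guessing while locked cannot succeed, so wait for expiry.
            now = max(now, gate.locked_until)
        if gate.login(guess, now) == "ok":
            return now
        now += 1                  # assumption: one minute per attempt
    return None


if __name__ == "__main__":
    pin = 1234                    # constructed PIN
    print("strict:", minutes_to_enumerate(PinGate(pin, strict=True)))
    print("lenient:", minutes_to_enumerate(PinGate(pin, strict=False)))
```

Under these assumptions the strict gate holds out for 295270 simulated minutes (about 205 days), while the lenient gate is passed after 1234 minutes because the lockout never delays the correct guess.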