Author Topic: SecurityAccess Subfunctions 3D/3E?  (Read 4405 times)
jamesconway
« on: June 01, 2019, 04:51:12 PM »

I have a W213 E 63 S AMG. I have a handheld OBD-II lowering module that throws the car into diagnostics mode, then tries to write some data + perform SecurityAccess subfunctions to 0x744 on the CAN network. Here's a trace I have:

Handling START_744_DIAGNOSTIC_SESSION_03
Handled START_744_DIAGNOSTIC_SESSION_03
Handling START_638_DIAGNOSTIC_SESSION_03
Handled START_638_DIAGNOSTIC_SESSION_03
Handling READ_HEAD_UNIT_PART_NUMBER
Handled READ_HEAD_UNIT_PART_NUMBER
Handling READ_SCREEN_BUFFER
Handled READ_SCREEN_BUFFER
Handling START_7E0_DIAGNOSTIC_SESSION_03
Handled START_7E0_DIAGNOSTIC_SESSION_03
Handling READ_VIN
Handled READ_VIN
Handling ACTIVATE_ROUTINE_0112
  Offset  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  31 01 12 09 00 04 31 2F 32 20 43 75 72 3A 20 46  1.....1/2 Cur: F
00000010  61 63 74 6F 72 79 20 53 65 6C 3A 20 46 61 63 74  actory Sel: Fact
00000020  6F 72 79 20 00                                   ory .          

Handled ACTIVATE_ROUTINE_0112
00000010  61 63 74 6F 72 79 20 53 65 6C 3A 20 4C 6F 77 20  actory Sel: Low
00000020  20 20 20 20 00                                       .          
00000000  31 01 12 09 00 04 53 65 63 75 72 69 74 79 20 41  1.....Security A
00000010  63 63 65 73 73 2E 00                             ccess..        
Handling WRITE_DATA_F100
00000000  2E F1 00 7D A5 09 68 6C D9 82 71 FD 52 00 B9 FC  .ñ.}¥.hlقqýR.¹ü
00000010  D1 CE 00 C7 01 74 AD F6 28 0D 38 FA B3 BD 24 C8  ÑÎ.Ç.t­ö(.8ú³½$È
00000020  9A F8 B7 DC D8 BE 36 37 9A 75 47 7D D2 CB 8C 06  šø·Üؾ67šuG}Òˌ.
00000030  B0 03 1A 98 C4 06 E8 8A AA D4 F7 4C E5 F4 B7 69  °..˜Ä.芪Ô÷Låô·i
00000040  AA 7B E0 BB D4 9E CC 99 64 55 3F 0B 1D 4E 76 78  ª{à»ÔžÌ™dU?..Nvx
00000050  93 35 27 DC 9C AF DD 0E B8 3D F4 E0 2F 10 1C 61  “5'ܜ¯Ý.¸=ôà/..a
00000060  1F DB 7A CF B9 65 95 6E 94 9B C0 3A B5 DB DB B9  .ÛzϹe•n”›À:µÛÛ¹
00000070  A6 41 EF 11 8E 0B E7 6C BC 3A D9 6A C9 8D D0 C0  ¦Aï.Ž.çl¼:ÙjɍÐÀ
00000080  43 A7 FC C0 E3 B7 9B 1C 37 24 97 6B DA 62 6C 73  C§üÀ㷛.7$—kÚbls
00000090  2D 35 B9 BD 9E AE 4F EC CE B6 32 13 34 B3 72 00  -5¹½ž®Oìζ2.4³r.
000000A0  B7 1D 3D 2F B5 DA 13 E0 28 14 6D 52 46 DC 87 0B  ·.=/µÚ.à(.mRF܇.
000000B0  28 87 57 76 CE 54 96 3A 16 25 C4 21 F7 CE 32 9C  (‡WvÎT–:.%Ä!÷Î2œ
000000C0  FD 60 2D 05 FB A8 2F 53 33 7F 3A 75 3F 46 13 77  ý`-.û¨/S3:u?F.w
000000D0  04 8C 70 22 AB 9C E0 79 B5 82 D2 79 32 1A 41 AE  .Œp"«œàyµ‚Òy2.A®
000000E0  5A 63 8D 65 CB 95 F4 5E DF 23 D1 1C F0 37 B2 3D  Zce˕ô^ß#Ñ.ð7²=
000000F0  82 82 C2 D9 A8 80 02 E0 A9 49 C1 DE A8 B5 48 43  ‚‚ÂÙ¨€.à©IÁÞ¨µHC
00000100  76 FE 48                                         vþH            
Handled WRITE_DATA_F100 0 (repeats 7 times)
Handling SECURITY_ACCESS_3D
Handled SECURITY_ACCESS_3D
Handling SECURITY_ACCESS_3E
Handled SECURITY_ACCESS_3E
Handling ACTIVATE_ROUTINE_0103
Handled ACTIVATE_ROUTINE_0103

Eventually, ACTIVATE_ROUTINE_0103 is called and for some reason, despite a successful mocked response, the controller thinks it is a failure + restarts the entire process.

Does anybody have insight into what these subfunctions are / what responses should look like?

SECURITY_ACCESS_3D: {
  requests: [
    { id: 0x744, data: buildBuffer('02273D5555555555') }, // Security Access Routine 3D?
  ],
  responses: [
    { id: 0x724, data: buildBuffer('03673D00AAAAAAAA') } // Success?
  ]
},
SECURITY_ACCESS_3E: {
  requests: [],
  responses: [
    { id: 0x724, data: buildBuffer('03673E00AAAAAAAA') } // Success?
  ]
},
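
The frames in the mock above are ISO-TP single frames carrying UDS SecurityAccess (service 0x27). As an added example that is not part of the original post, this decoder applies the ISO 14229-1 convention (odd sub-function is requestSeed, even is sendKey) to the three frames quoted in the post. All function names are illustrative, and `level` is only a pairing index for a seed/key pair.

```javascript
// Added example: decode ISO-TP single frames carrying UDS SecurityAccess (0x27).
const hex = (s) => Buffer.from(s, 'hex');

// Strip the single-frame PCI byte and the padding that follows the payload.
function decodeSingleFrame(frame) {
  const pci = frame[0];
  if (pci >> 4 !== 0) throw new Error('not an ISO-TP single frame');
  const len = pci & 0x0f;
  if (len === 0 || len > frame.length - 1) throw new Error('bad single-frame length');
  return frame.subarray(1, 1 + len); // bytes beyond len (0x55 / 0xAA here) are padding
}

function decodeSecurityAccess(frame) {
  const p = decodeSingleFrame(frame);
  if (p[0] === 0x7f) { // negative response: 7F <service> <NRC>
    return { kind: 'negativeResponse', service: p[1], nrc: p[2] };
  }
  const isResponse = p[0] === 0x67; // positive response SID = 0x27 + 0x40
  if (!isResponse && p[0] !== 0x27) throw new Error('not SecurityAccess');
  if (p.length < 2) throw new Error('missing sub-function');
  const type = p[1] & 0x7f; // bit 7 is suppressPosRspMsgIndicationBit
  const step = type % 2 === 1 ? 'requestSeed' : 'sendKey';
  const data = [...p.subarray(2)];
  const notes = [];
  if (isResponse && step === 'requestSeed') {
    if (data.length === 0) notes.push('seed missing');
    else if (data.every((b) => b === 0)) {
      notes.push('all-zero seed: level reported as already unlocked');
    }
  }
  if (isResponse && step === 'sendKey' && data.length > 0) {
    notes.push('unexpected data after sub-function');
  }
  if (!isResponse && step === 'sendKey' && data.length === 0) notes.push('key missing');
  const kind = isResponse ? 'positiveResponse' : 'request';
  return { kind, type, step, level: (type + 1) >> 1, data, notes };
}

// The three frames quoted in the post's mock definition.
const SAMPLES = ['02273D5555555555', '03673D00AAAAAAAA', '03673E00AAAAAAAA'];
function decodeSamples() {
  return SAMPLES.map((s) => decodeSecurityAccess(hex(s)));
}
console.log(JSON.stringify(decodeSamples(), null, 2));
```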
gt-innovation
« Reply #1 on: June 02, 2019, 10:29:33 AM »

This is a well-known module that certain companies are re-selling, and the creators, if I remember correctly, are from Russia. OBD dongle shaped and VIN locked.
Now I don't think someone here will tell you how SA is done, and furthermore for the reason you are trying to do it... It would be easier and more noble to decode the factory procedure and re-create that to lower your suspension.
jamesconway
« Reply #2 on: July 03, 2019, 07:43:18 PM »

For anybody else, I was able to figure it out. The security check is useless. It readjusts your ride height sensors and I was able to spoof the VIN to get around the VIN lock.
jamikeca
« Reply #3 on: April 28, 2021, 03:38:05 AM »

James, message me. I have a question. mykalroyal@aol.com or 917-463-6045