Topic: MKIV VW Bosch/Motometer RB8 Cluster Seed/Key Algorithm
gmenounos
« on: October 28, 2020, 11:46:48 PM »

This is not the exact algorithm used by the cluster but works about 50% of the time so you can usually succeed within 2 or 3 tries and get access to the EEPROM. I reverse engineered it by writing an RB8 simulator that returned specific simple seeds (e.g. 0x00000000, 0x00000001, etc.) and then had VAG K+CAN Commander try to access the simulator while I observed the keys being sent in response to the various seeds. It works fine on the two RB8 1J0920926C clusters that I have. No idea if it works on other RB8 clusters.

Code:
// Approximate RB8 seed/key (C#): matches the cluster's expected key roughly half the time.
// All arithmetic is 32-bit unsigned and wraps modulo 2^32 (C# default unchecked context).
static uint CalcRB8Key(uint seed)
{
    uint key =
        0xFB4ACBBA
        + (seed & 0x07DA06B8)
        + (~seed | 0x07DA06B8)
        - 2 * (seed & 0x00004000);
    return key;
}
mdccode5150
« Reply #1 on: October 07, 2021, 01:55:33 AM »

Interesting. :)
gmenounos
« Reply #2 on: March 02, 2022, 12:54:07 AM »

Spent a few more hours on this today, and with the help of the Z3 theorem prover (good info here: https://www.enigmatos.com/hacking-cars-with-z3/) and some trial and error, came up with the exact algorithm:

Code:
// Exact RB8 seed/key (C#): one XOR with a fixed mask, then one 32-bit add.
// The add wraps modulo 2^32 (C# default unchecked context).
static uint CalcRB8Key(uint seed)
{
    uint key = 0x03249272 + (seed ^ 0xf8253947);
    return key;
}

So far it's worked every time...
« Last Edit: March 06, 2023, 06:41:00 PM by gmenounos »
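As an added illustration (not code from the thread or from any of the tools mentioned), here is the chosen-seed method the post describes, in Python: a simulator hands the tool seeds 0, 1, 2, 4, ... 2^31, and the 33 keys it answers are enough to read both constants of a key = c1 + (seed ^ c2) scheme straight off, which is why an XOR-plus-add seed/key offers no real protection once anyone can watch the exchange. The two oracle functions are the thread's own formulas; the recovery routine, the random-seed cross-check and the "approximate formula does not fit" check are my own constructions.

```python
import random

MASK = 0xFFFFFFFF


def calc_rb8_key(seed: int) -> int:
    """Exact RB8 algorithm from the thread, standing in here for the tool/cluster
    whose answers are observed (a constructed oracle, not a real device)."""
    return (0x03249272 + (seed ^ 0xF8253947)) & MASK


def approx_rb8_key(seed: int) -> int:
    """The thread's first, approximate formula: NOT of the form c1 + (seed ^ c2)."""
    return (0xFB4ACBBA + (seed & 0x07DA06B8) + ((~seed & MASK) | 0x07DA06B8)
            - 2 * (seed & 0x00004000)) & MASK


def recover_constants(oracle):
    """Recover (c1, c2) for key = c1 + (seed ^ c2) mod 2^32 from 33 chosen seeds
    (0, 1, 2, 4, ..., 2^31). Returns None if the answers do not fit that form."""
    k0 = oracle(0)                        # 0 ^ c2 == c2, so key(0) = c1 + c2
    c2 = 0
    for i in range(32):
        bit = 1 << i
        # (bit ^ c2) - c2 is +bit when bit i of c2 is clear and -bit when it is set,
        # so the difference from key(0) reads off one bit of c2 per query.
        delta = (oracle(bit) - k0) & MASK
        if delta == ((-bit) & MASK):
            c2 |= bit                     # at i == 31 both cases coincide: flipping
        elif delta != bit:                # bit 31 of both c1 and c2 gives the same keys
            return None                   # some other operation is in the way
    return (k0 - c2) & MASK, c2


def constants_reproduce_oracle(oracle, c1, c2, trials=1000):
    """Confirm the recovered constants on random seeds the recovery never used."""
    rng = random.Random(1)                # fixed seed so the check is repeatable
    return all(oracle(s) == (c1 + (s ^ c2)) & MASK
               for s in (rng.getrandbits(32) for _ in range(trials)))


if __name__ == "__main__":
    c1, c2 = recover_constants(calc_rb8_key)
    print("recovered c1=%#010x c2=%#010x" % (c1, c2))
    print("approximate formula fits the template:",
          recover_constants(approx_rb8_key) is not None)
```

Because the top bit of c1 and c2 can be flipped together without changing any key, the recovered pair is one of two equivalent representations; the cross-check on random seeds is what actually confirms the formula.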
666tdi
« Reply #3 on: May 15, 2022, 01:09:16 PM »

Did you try to read only EEP or RAM, FLASH too?
gmenounos
« Reply #4 on: May 15, 2022, 05:09:55 PM »

Only the EEPROM. I don't know much about the RB8 cluster (e.g. memory map, which KWP1281 commands are supported for reading RAM/ROM, etc.).
I can probably figure some of this out by trial and error when I have time, but I'm mostly focused on the VDO clusters. But if you have any RB8 info you want to share, please do!
666tdi
« Reply #5 on: May 15, 2022, 10:31:46 PM »

But if you have any RB8 info you want to share, please do!

I haven't tested anything with that cluster, but maybe it's the same command with a different address range?
gmenounos
« Reply #6 on: September 10, 2022, 09:47:29 AM »

Got hold of an Audi RB4 crypto cluster (8E0920950L) and found out that this same seed/key algorithm works for it.
stuydub
« Reply #7 on: September 17, 2022, 10:53:42 AM »

I haven't tested anything with that cluster, but maybe it's the same command with a different address range?

The MK4 RB8s just need binning; the only thing you can do with these is change mileage and enable MTE, hence why everyone has upgraded to VDO. All data is stored on the MMU, and as for reading that, well, no point; it's been tried before and found zero.