Topic: Help with RB4 DECRYPTED Dump
niston
« on: January 01, 2018, 09:17:32 PM »

Hi all!

UPDATE: Solved, but still interested in more info!

EDIT: Attached the dump!

I'm looking to learn more about the offsets in a decrypted Bosch RB4 instrument cluster dump. I'm ultimately looking for the PIN. Managed to identify a few parts so far:



Green appears to be the odometer value(s). Orange I believe to be the key data: 32 memory bytes, there are 8 keys possible and it takes 4 bytes per key if I'm not mistaken. 3x4 bytes are set, the rest is FF FF FF FF. Also I know there are 3 keys programmed, so it certainly appears like it could be key data. The red part is not encrypted, but also repeated 3 times, probably IMMO and/or config/coding related. I don't know.

I'm not sure about the blue part.

I suspect the PIN to be in that blue part, so I tried all possible 2 Byte values from that row (in little endian ordering). I also tried a bunch of big endian combinations, but none worked so far:

Quote
Hex   Dec    Result

2 bytes little endian
0000 00000 nope
0CB9 03257 nope
B9BA 47546 dies
BA23 47651 dies
236C 09068 nope
6CE7 27879 dies
E75F 59231
5FB5 24501
B505 46341
056B 01378 nope
6B12 27410
1200 04608 nope
000A 00010
A003 40963
03FF 01023 nope
FFFF 65535

Wild guess (2 bytes proven to be from odometer value)
1146 04422 nope
1147 04423 nope

Desperation sets in (2 bytes big endian)
03A0 00928
05B5 01461
23BA 09146
126B 04715 nope

I'm testing with the cluster on the bench, using a rather primitive DIY wiring loom. Login PIN values above 9999 appear to kill communications when entered in VCDS (marked "dies"); I then have to cycle ignition to get the cluster to respond again.

Also, Cluster Lock Out time (MVB 24) keeps rising and rising as I try the wrong numbers; the last mistaken attempt took 184 minutes to clear.


Maybe somebody could give me a hint, please ?
« Last Edit: January 02, 2018, 08:24:12 PM by niston »
macxxx
« Reply #1 on: January 02, 2018, 01:37:53 AM »

Use VAG EEPROM Programmer 1.19; it will give you the PIN number. If you still want the location of it in the dump, then search for it this way:

After you read the PIN, change it from dec to hex and swap the bytes.

The PIN has a maximum of 4 digits.
niston
« Reply #2 on: January 02, 2018, 10:57:19 AM »

Quote from: macxxx
Use VAG EEPROM Programmer 1.19; it will give you the PIN number. If you still want the location of it in the dump, then search for it this way:

After you read the PIN, change it from dec to hex and swap the bytes.

The PIN has a maximum of 4 digits.

I used VAG EEPROM Programmer 1.19g to extract the decrypted dump from the cluster EEPROM. I can use it to set the mileage and that works fine. But it did not decode anything, i.e. PIN, IMMO info etc. are not showing up.

Because of that, I tried manually extracting 2-byte numbers to find the PIN, byte-swapped and converted from hex to dec as shown in the list above.

But none of the 2-byte combos I tried so far are working.

Any help appreciated.
« Last Edit: January 02, 2018, 11:03:35 AM by niston »
macxxx
« Reply #3 on: January 02, 2018, 11:03:45 AM »

Upload the dump
Kacza
« Reply #4 on: January 02, 2018, 12:06:50 PM »

PIN 01387
macxxx
« Reply #5 on: January 02, 2018, 01:01:19 PM »

Sorry, I didn't see the attachment through Tapatalk. I agree with Kacza, it has to be 01387.
niston
« Reply #6 on: January 02, 2018, 06:11:00 PM »

Haha, omg... I have that (hex 056B) on my list, but swapped a digit during conversion to decimal (01378 instead of 01387). No wonder it didn't work!

But now all is well! YAY!

You're the best, folks!

Thanks a lot!!

NB: Could somebody perhaps comment on my thoughts about the Key memory bytes? Does anyone know more?
« Last Edit: January 03, 2018, 03:23:32 AM by niston »
Penni
« Reply #7 on: April 09, 2019, 12:01:04 AM »

Hello Niston,

I just registered at NefMoto to say thank you.
I had the same issue with my dashboard and I can tell you that your solution works for me too.
I tried almost everything with different software but nothing worked until I read your post.

THANK YOU VERY MUCH
claytech
« Reply #8 on: June 05, 2020, 05:42:28 AM »

Hey guys, I know I'm late to the party, but I'm having the same issue with an RB4 D22 dump (attached). Does anyone care to tell me where the SKC is located, or possibly give me the PIN? Much appreciated. Thanks,
claytech
« Reply #9 on: June 05, 2020, 06:06:30 AM »

Would it be 06869? Just comparing to the PIN of the original dump in this post.

macxxx
« Reply #10 on: June 05, 2020, 07:23:24 AM »

I will check it later, but if you compared it to the file above it has to be it (address 0x046 and 0x047).
claytech
« Reply #11 on: June 05, 2020, 07:51:03 AM »
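The method macxxx describes in reply #1 (read the PIN, convert decimal to hex, swap the bytes) together with the address given in reply #10 (0x046/0x047) is enough to decode the SKC from a dump in code instead of by hand, which also avoids the digit transposition (056B read as 01378 instead of 01387) that cost the original poster a long lockout. The following is an added example, not code from the thread and not part of VAG EEPROM Programmer. The sample dump is constructed: only the two PIN bytes at 0x46/0x47 reflect what the thread states, every other byte is filler. The key-slot decoder implements the original poster's own hypothesis (8 slots of 4 bytes, FF FF FF FF = empty) at an assumed offset; neither the layout nor the offset is confirmed anywhere in the thread.

```python
"""Decode the VAG cluster login PIN (SKC) from a decrypted RB4 EEPROM dump.

Added example, not code from the thread or from VAG EEPROM Programmer.
From the thread: the PIN is stored at 0x46/0x47 with the bytes swapped
(i.e. 16-bit little-endian), it has at most 4 digits (shown as 5 with a
leading zero, 0x056B -> 01387), and values above 9999 hang the VCDS login.
SAMPLE_DUMP below is constructed; only bytes 0x46/0x47 reflect the thread.
The key-slot layout and KEY_AREA_OFFSET are ASSUMPTIONS taken from the
original poster's guess, not documented facts.
"""
import struct
import sys

SKC_OFFSET = 0x46   # from the thread: PIN lives at 0x046/0x047
SKC_MAX = 9999      # "maximum 4 digits"; larger values hang the login


def skc_from_dump(dump: bytes, offset: int = SKC_OFFSET) -> str:
    """Read the 2 bytes at `offset` little-endian and return the 5-digit PIN string."""
    if len(dump) < offset + 2:
        raise ValueError(f"dump is {len(dump)} bytes, too short for offset 0x{offset:X}")
    (value,) = struct.unpack_from("<H", dump, offset)
    if value > SKC_MAX:
        # A 4-digit PIN cannot exceed 9999: wrong offset or wrong byte order.
        raise ValueError(f"0x{value:04X} = {value} is not a 4-digit PIN")
    return f"{value:05d}"


def skc_to_dump_bytes(pin: str) -> bytes:
    """Inverse of skc_from_dump: decimal PIN -> byte pair as stored (low byte first)."""
    value = int(pin, 10)
    if not 0 <= value <= SKC_MAX:
        raise ValueError(f"{pin!r} is not a 4-digit PIN")
    return struct.pack("<H", value)


def candidate_pins(row: bytes, base: int = 0) -> list:
    """Every 2-byte window of `row` in both byte orders, keeping only values a PIN could be.

    This is the original poster's manual search done by the machine, so the
    hex->decimal step cannot be transposed, and values that would hang the
    cluster are filtered out before anyone types them into VCDS."""
    found = []
    for i in range(len(row) - 1):
        (le,) = struct.unpack_from("<H", row, i)
        (be,) = struct.unpack_from(">H", row, i)
        for order, value in (("LE", le), ("BE", be)):
            if value <= SKC_MAX:
                found.append((base + i, order, f"{value:04X}", f"{value:05d}"))
    return found


def count_programmed_keys(dump: bytes, offset: int, slots: int = 8, slot_len: int = 4) -> int:
    """Count non-empty key slots (ASSUMED layout: 8 x 4 bytes, FF-filled slot = unused)."""
    area = dump[offset:offset + slots * slot_len]
    if len(area) != slots * slot_len:
        raise ValueError("key area runs past the end of the dump")
    empty = b"\xff" * slot_len
    return sum(1 for s in range(slots) if area[s * slot_len:(s + 1) * slot_len] != empty)


# --- constructed sample dump (NOT the attachment from the thread) ---------------
ROW_0x40 = bytes.fromhex("0A03FFFF00126B05B55FE76C23BAB90C")  # 0x46/0x47 = 6B 05 -> 0x056B
KEY_AREA_OFFSET = 0x60                                         # ASSUMED, for the demo only
KEY_AREA = bytes.fromhex("112233445566778899AABBCC") + b"\xff" * 20  # 3 of 8 slots used
SAMPLE_DUMP = bytes(0x40) + ROW_0x40 + bytes(0x10) + KEY_AREA  # 0x80 bytes total

if __name__ == "__main__":
    # Usage: python skc.py [decrypted_dump.bin]; without an argument the sample dump is used.
    dump = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    pin = skc_from_dump(dump)
    print("SKC:", pin, "stored as", skc_to_dump_bytes(pin).hex(" "))
    for off, order, hx, dec in candidate_pins(dump[0x40:0x50], 0x40):
        print(f"  0x{off:03X} {order} {hx} -> {dec}")
    print("programmed keys (assumed layout):", count_programmed_keys(dump, KEY_AREA_OFFSET))
```

Run it against a real decrypted dump only after the lockout timer (MVB 24) has expired; as d3irb notes below, the cluster rejects a correct PIN while the lockout is active, so checking the decoded value offline first costs nothing and avoids another multi-hour wait.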

Yep, that's what I saw. Thanks macxxx. If you don't mind, just look it over later for a sanity check, thanks.
claytech
« Reply #12 on: June 05, 2020, 09:14:55 AM »

Do I have to wait for lockout time to expire before I can even successfully log into the cluster?
d3irb
« Reply #13 on: June 05, 2020, 11:24:40 AM »

Quote from: claytech
Do I have to wait for lockout time to expire before I can even successfully log into the cluster?

Yes, the lockout affects successful PINs too; otherwise it wouldn't be useful for much in terms of preventing brute-force enumeration. The lockout timer must be in EEPROM somewhere too, but I'm not sure any off-the-shelf tools can reset it. You are probably best off waiting for it to expire.