Dev Blog
Forum
Wiki
About
NefMoto
>
Technical
>
Cluster and Immobilizer
(Moderator:
ddillenger
) >
Decrypting VAG M/EDC17 Immobiliser Data
Pages: [
1
]
« previous
next »
Author
Topic: Decrypting VAG M/EDC17 Immobiliser Data (Read 4937 times)
navatar_
Newbie
Karma: +1/-1
Offline
Posts: 18
Decrypting VAG M/EDC17 Immobiliser Data
« on: November 21, 2019, 01:08:52 PM »
Hi everyone. I've recently been studying with how the immobiliser data (PIN, CS & MAC) is stored and encrypted on VAG EDC17 ECUs.
So far my understanding is as follows:
Every 17-series ECU has a unique OTP burned from factory in to its tricore flash at 0x17F00 and is a few lines long. The EEPROM is structured in blocks 0x80 bytes long and the first byte of the block signifies its category.
The blocks of interest for immo data are blocks 08, 09 and 0A and the immo data is repeated in these blocks. Each block also has 2 checksums: a 2 byte CRC near the beginning and 4 byte CRC at the tail of the block, these algos have very kindly been RE'd and documented with source by H2Deetoo and ozzy_rp elsewhere on this forum.
I understand that the immo data is ciphered with the OTP data and therefore the EEPROM immo data cannot be deciphered or altered without being accompanied with its respective flash read (obviously read must include the OTP section).
I am however at a total loss as to how to decrypt this small section of data. I thought it might be some sort of simple XOR/substitution and/or shuffling method but despite my many attempts, I have been unable to get this algo worked out. Have found 2 functions pointing to 0x17F10 using Ghidra but the one returns a bool and the other returns a single byte and I don't think either function/label is important.
If anyone could provide insight on the cipher or guidance in the right direction it would be hugely appreciated.
Logged
carservice
Newbie
Karma: +0/-1
Offline
Posts: 7
Re: Decrypting VAG M/EDC17 Immobiliser Data
« Reply #1 on: February 01, 2020, 06:30:41 AM »
hi
Have you succeeded in your research?
I'm also looking for this calculation.
In fact, it's only related to CPU HW ID。
Logged
sandor1987
Jr. Member
Karma: +5/-4
Offline
Posts: 46
Re: Decrypting VAG M/EDC17 Immobiliser Data
« Reply #2 on: February 03, 2020, 03:10:28 PM »
also here finding a solution!
Logged
rwgodoy
Newbie
Karma: +0/-0
Offline
Posts: 1
Re: Decrypting VAG M/EDC17 Immobiliser Data
« Reply #3 on: July 25, 2020, 09:16:18 AM »
I'm looking for a solution too. if someone got, pls e-mail me
ricardowermond@gmail.com
Logged
Pages: [
1
]
Print
« previous
next »
Jump to:
Please select a destination:
-----------------------------
General
-----------------------------
=> Introductions
=> General Discussion
-----------------------------
Noob Zone
-----------------------------
=> Noob Questions
=> Noob Guides and FAQs
-----------------------------
Technical
-----------------------------
=> NefMoto Software
=> Tuning
===> Documents & Helpers & How To's
===> Community Projects
=> Diagnostics
=> Flashing and Chipping
=> Cluster and Immobilizer
===> ECU EEPROM images
===> Original Cluster dumps
===> Original Cluster dump requests
=> Data Logging
=> Reverse Engineering
=> Communication Protocols
-----------------------------
ECU Files
-----------------------------
=> ECU Definition Files
===> ECU Definition File Requests
=> Original ECU Files
===> Original ECU File Requests
=> Checksum Update Requests
-----------------------------
Vehicles
-----------------------------
=> Vehicle Tech
=> Project Cars
-----------------------------
Regional
-----------------------------
=> Canadian Regional Discussion
=> US Regional Discussion
-----------------------------
Classifieds
-----------------------------
=> For Sale
=> Wanted
=> Services
-----------------------------
Miscellaneous
-----------------------------
=> Off Topic
=> Forum Tech Support
=> Bizarro Messages Posted by Bots and Spammers
Navigation
Home
Help
Login
Register
Personal Tools
March 28, 2024, 06:34:14 PM
Welcome,
Guest
. Please
login
or
register
.
Did you miss your
activation email?
1 Hour
1 Day
1 Week
1 Month
Forever
Login with username, password and session length
Search
Advanced Search
Loading...