Pages: [1]
Author Topic: KWP2089: security access and basic settings  (Read 6050 times)
jonnykl
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 6


« on: November 01, 2021, 11:42:11 AM »

What is the format of a security access request? I find much information about the seed/key procedure, but nothing about a way to send a PIN to the controller (like in VCDS). If anyone has VCDS and a logic analyzer, traces of doing a security access request would also help me a lot.

Also I couldn't find any information how a basic setting request looks like. I only found the SID + parameter for "normal" group readings. And again, traces would help a lot.
Logged
prj
Hero Member
*****

Karma: +1072/-482
Offline Offline

Posts: 6039


« Reply #1 on: November 01, 2021, 12:15:08 PM »

KWP2000 specification is not working?
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
jonnykl
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 6


« Reply #2 on: November 01, 2021, 01:27:16 PM »

KWP2000 specifies only the seed/key method which doesn't require the "user" to enter a PIN. I tried sending the PIN as 4, 3 and 2 bytes using accessMode 2 (sendKey). I also tried sending the request "27 01" (requestSeed). The control unit (Bosch 5.7 ABS/ESP) always replied with "7F 27 11".

Do I have to use an accessMode in the range of 0x81-0xFF as these are manufacturer specific according to the KWP2000 specification?
Logged
prj
Hero Member
*****

Karma: +1072/-482
Offline Offline

Posts: 6039


« Reply #3 on: November 02, 2021, 02:15:44 AM »

You need to read the spec more. Like a lot more. Instead of trying random stuff.

27 01 is for level 1. Why do you assume this ECU has level 1?

In case of "PIN" then that's added to the seed unsigned and that's the key.

Also, if you get SNS reply then depending on Control unit it can be supported in a different session...
But for sure not in the one you are trying.
« Last Edit: November 02, 2021, 02:18:31 AM by prj » Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
jonnykl
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 6


« Reply #4 on: November 02, 2021, 03:17:24 PM »

The spec says "the values of the parameter key are not defined in this document". Do I miss something?

Now I also tried all other security levels, but the ECU always responds with a SNS reply. I also tried other sessions (all values for the parameter of the startDiagnosticSession request), but for all values except 0x89 the ECU replies with SNS. What am I doing wrong?
Logged
prj
Hero Member
*****

Karma: +1072/-482
Offline Offline

Posts: 6039


« Reply #5 on: November 02, 2021, 04:00:16 PM »

What you are doing wrong is making a million assumptions and not reading the spec.

UDS has a 0x7F code, which means Service Not Supported In Active Session.
KWP2000 has no such thing, it can only ever send 0x11.
So if you are 100% no other session succeeds apart from 0x89 and you get 0x11 there then this control unit does not support SA at all.

SA is not the only way to gain authorization, you have also $31, that can do whatever the implementation likes.

If you are sure it is possible to access this somehow with VCDS then by far the easiest way is to sniff the VCDS traffic instead of reinventing the wheel.
Everything else is significantly harder.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
jonnykl
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 6


« Reply #6 on: November 03, 2021, 06:38:54 PM »

I make assumptions of things I don't know and can't find in the spec or are not in the spec (like VCDS stuff) .. thats correct. For example the calculation of the key where the spec says its not defined there. So I have no other option to try everything which could work unless I have enough information.

Thanks anyway so far. Then my ECU does not support SA (I assumed it should support it because VCDS has function called "Security Access" which works with this ECU .. another assumption but how should I know what VCDS does if it's not documented and I don't have traces, so the KWP securityAccess request seems appropriate in the first place).

As I already said in the first post, if anyone has VCDS(-Lite) and a ECU supporting KWP2089 and could capture some traces of doing a security access and/or basic settings, it would help me a lot Smiley
Logged
prj
Hero Member
*****

Karma: +1072/-482
Offline Offline

Posts: 6039


« Reply #7 on: November 04, 2021, 03:10:20 AM »

I make assumptions of things I don't know and can't find in the spec or are not in the spec (like VCDS stuff) .. thats correct.
Actually no. Not understanding what 0x11 means and sending key before getting a seed is lack of understanding of KWP2000 basics and not reading the spec.
Nothing to do with VCDS here.

Also, nobody is going to sniff anything for you, buy the relevant adapters and do it yourself.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
jonnykl
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 6


« Reply #8 on: November 04, 2021, 04:11:50 AM »

Spec and implementation are two different things and I'm just not sure if the ECU implements everything according to the spec. So I try what could be reasonable.

If I would buy the software I would not need to write it myself, that's why I am asking here ...
Logged
prj
Hero Member
*****

Karma: +1072/-482
Offline Offline

Posts: 6039


« Reply #9 on: November 04, 2021, 04:14:26 AM »

Spec and implementation are two different things and I'm just not sure if the ECU implements everything according to the spec. So I try what could be reasonable.

If I would buy the software I would not need to write it myself, that's why I am asking here ...

VCDS Lite is free from Ross-tech. What are you on about?

Also, KWP2089 is KWP2000 with a few modifications, and no spec and implementation are not two different things there as far as VAG is concerned.
BMW is a different story.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
jonnykl
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 6


« Reply #10 on: November 04, 2021, 04:51:26 AM »

VCDS Lite is free from Ross-tech. What are you on about?

The free version of VCDS-Lite is limited. You can connect to any ECU, read fault codes, clear them but cannot use the "Security Access" or "Basic Setting" functions.

Also, KWP2089 is KWP2000 with a few modifications, and no spec and implementation are not two different things there as far as VAG is concerned.
BMW is a different story.

Ok, that's a useful information.
Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.019 seconds with 17 queries. (Pretty URLs adds 0s, 0q)