Asking for cracked software is typically frowned on around here; this isn't mhhauto. Also, you don't need 3.37. Version 2.25, which probably came with your device, can do it if used and installed correctly. Hint: P293
You should probably stay away from clone devices. Legit tools aren't that expensive when you factor in all the wasted time and the eventual trip to the dealer to fix your car after the AliExpress special bricks your ECU.
Yeah that was a mistake on my end. I wasn't thinking about it being cracked software, won't happen again.
That being said, I did hook up the KTAG to the ECU, pried it open for the SBOOT pin, and attempted to read it, but the AliExpress special KTAG couldn't do a full dump, only the maps and some config data. I was hoping to get everything, but from what I read the TPROT and 2.25 software couldn't do it exactly. I read about the pseudorandom number generator vulnerability as well, so I know the KTAG with the correct protocol would probably be using that to dump it, but I wasn't able to get it to work. That's how I ended up looking for 3.37.
I wanted to eventually wire up a Raspberry Pi with a CAN HAT module to see if I could write dumping/writing software in Python, but that's more of a long-term project as I don't have the time to dedicate to it right now. Thank you for the hint. I think I tried that, but maybe my probe wasn't making good enough contact or something. I'll have to try it again with a clamp in place.
If there's any information you could share as to how Cobb and the other aftermarket tuners are able to flash tunes without opening the ECU, I would appreciate it. That's one piece I haven't really figured out how they're doing. My assumption is they probably use that pseudorandom number generator vulnerability to extract the key to temporarily disable TPROT and then flash over the map files, but I don't actually know if this is correct. My goal is slightly different in that I don't just want to access the map files but the entire firmware, to learn more about how it all works. I know there are TriCore emulators, so I figure if I can get the dump then I can attempt to debug it using an emulator or do static analysis with Ghidra.
I also have the TriCore 1796 manual, so theoretically I should be able to dig through that for the Raspberry Pi CAN HAT DIY setup. I'm new to the ECU world and real-time OS but not to vulnerability/exploitation and software development.
Appreciate it, and sorry again; I didn't mean to ask for cracked software.