Author Topic: VAG ME17.5 (2009 - Security Exploit Not Fixed)
zer0hz
« on: April 18, 2014, 08:37:24 AM »

Hey guys,

So, I've been reading around the forums here, and I've been doing research on my ECU for a few weeks.

My car is an 09 VW Rabbit - 2.5L - Engine Code: CBUA

I thought originally that the ECU was a Bosch ME7.1.1, but I came to find out (thanks to the folks at GolfMKV and Jeff Atwood at UM) that there were several ECUs used in the MKV 2.5Ls.

Apparently, the MY09 model has the ME17.5 ECU, with a security exploit that was fixed with the MY2010+ models. Flipping through major tuning companies has revealed that there are companies that offer 09 2.5L tuning through the OBD port; however, since this is apparently the unicorn of ECUs, none of the tools that I've looked at list the 2.5L as an ME17.5 CAN, they just list it as an ME7.1.1 K/CAN, which is a pity, seeing as I don't have a K-Line.

So, my next step was to start looking at trying to program the ECU myself to tell it to dump the memory for me. I looked at the VAG Seed-Key Response Algorithm via CAN Bus post here on NefMoto, but it's looking like the read algorithm (Seed + dec. 70,000) and the write algorithm (Seed << 5 XOR 0xFB DB 5D BD [or whatever it was, I don't have that right in front of me at the moment]) are unfortunately not the same algorithms used for the ME17.5s...

So, after trying and failing many times, going through 3 different cables and an unimaginable number of programs to try and do this, I just want to know:

What tool/software would I need to read/write this ECU? I'm really at a loss, and I don't have the time to go through .NET API documentation for interfacing with serial COM ports, as I work 60 miles away from home and most of my time is eaten up by work/commuting.

Any help would be greatly appreciated!

Worth noting: if it ends up that I need to yank the ECU and bench flash it, so be it, but I'd much rather be able to do it through the OBD port. I've thought about getting Unitronic's UniConnect cable and reverse engineering the program, but, like I said before, I don't have much free time to take on a project of that caliber.

Edit: Also, if anyone knows what ECUs are similar to the ME17.5, that'd be a great bit of information as well. I have an MPPS cable, VAG K+CAN Commander cable, OBDLink SX cable (just for logging), and access to a genuine Ross-Tech HEX/CAN cable.
« Last Edit: April 18, 2014, 08:41:48 AM by zer0hz »
H2Deetoo
« Reply #1 on: April 10, 2021, 05:35:29 AM »

If anyone has some info on how to access ME17.5 by OBD I'm interested :)


Rgs H2deetoo
gt-innovation
« Reply #2 on: April 10, 2021, 07:53:35 AM »

> If anyone has some info on how to access ME17.5 by OBD I'm interested :)
>
> Rgs H2deetoo

Define "Access" and then define "protocol".
overspeed
« Reply #3 on: April 10, 2021, 08:09:59 AM »

> If anyone has some info on how to access ME17.5 by OBD I'm interested :)
>
> Rgs H2deetoo

Original KESS can do (did a few).

You'll have problems finding definitions for those.
H2Deetoo
« Reply #4 on: April 10, 2021, 08:12:20 AM »

I haven't had the pleasure to encounter an ME17.5 because they don't seem to be common where I live, but are often used in Brazil.
So I haven't been able to test anything myself which leaves me with some unknowns:

- What seed/key algo is used for reading? The +12233 used for MEDC17 or the xor 5FBD5DBDh for ME7x?
- Are interesting address ranges blocked or readable?
- Is there any known way to read immo by OBD?

> Original KESS can do (did a few).

This uses the Bosch service mode bench solution like KTM?
Or does KESS use standard TP20 to read?


Rgs H2Deetoo
_nameless
« Reply #5 on: April 10, 2021, 10:24:31 AM »

Can confirm, KESS will read and write through the port.
gt-innovation
« Reply #6 on: April 10, 2021, 11:53:03 AM »

> I haven't had the pleasure to encounter an ME17.5 because they don't seem to be common where I live, but are often used in Brazil.
> So I haven't been able to test anything myself which leaves me with some unknowns:
>
> - What seed/key algo is used for reading? The +12233 used for MEDC17 or the xor 5FBD5DBDh for ME7x?
> - Are interesting address ranges blocked or readable?
> - Is there any known way to read immo by OBD?
>
> > Original KESS can do (did a few).
>
> This uses the Bosch service mode bench solution like KTM?
> Or does KESS use standard TP20 to read?
>
> Rgs H2Deetoo


1. Seed should be common as on other VAG cars. Not 100% sure though, but even if it isn't, finding the algo is easy.
2. Address ranges can be unlocked easily from a certain array so RMBA can have access to those ranges; usually needs boot/bench read for that.
3. Once you unlock the range you can see everything (even immo vars).

One definition that is missing is if the ECU is TP20 or UDS.
« Last Edit: April 11, 2021, 04:08:07 AM by gt-innovation »
H2Deetoo
« Reply #7 on: April 11, 2021, 02:12:38 AM »

> 3. Once you unlock the range you can see everything (even immo vars).

So as with most other ECUs the important memory ranges are locked and can be unlocked by modifying that table in flash.

Ok....
overspeed
« Reply #8 on: April 11, 2021, 12:30:27 PM »

Yes, I live in Brazil... not a regular car here... there are a few here...

It uses the same old protocol as the MED17.5 (265, I guess)... so it's TP20 for sure...

terminator
« Reply #9 on: April 11, 2021, 02:14:39 PM »

> - What seed/key algo is used for reading? The +12233 used for MEDC17 or the xor 5FBD5DBDh for ME7x?

Level 3 SeedKey is +0x16248.
Chinese KESS allows reading and writing MED17.5 TP2.0 2.0TSI (Golf GTI for example). Impossible to read/write 1.8TSI via OBD.

http://nefariousmotorsports.com/forum/index.php?topic=15137.0title=
H2Deetoo
« Reply #10 on: April 16, 2021, 10:25:50 AM »

Got it all working now!

Yes, it is TP20, but level 3 seed/key is +79153 (13531h).
I was able to read the encrypted immo in RAM using standard TP20 and the MCUID using the CCP protocol, so I was able to decrypt the immo :)
(ECU was TPROT_V03.00.00)


Regards,
H2Deetoo
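Added example (not code from the thread or from any of the tools named in it). The thread reports an additive "level 3" seed/key for ME17.5 over TP20, but gives two different constants (+0x16248 in Reply #9, +79153 in Reply #10), so the helper below takes the constant as a parameter and keeps both as posted, unverified. It assumes the key is (seed + constant) mod 2^32 and that seed and key travel as 4 big-endian bytes inside KWP2000 SecurityAccess (service 0x27, odd sub-function = requestSeed, even = sendKey, positive response 0x67); the posters state only the constants, not the byte order. The toy ECU side, the sample seed, and the function names are constructed here so the exchange can be run offline end to end, including a wrong-constant attempt and the all-zero "already unlocked" seed.

```python
"""KWP2000 / UDS SecurityAccess (0x27) helper for the additive seed+constant
scheme reported for VAG ME17.5 over TP20 (added example, not thread code).

Assumptions (not verified against a real ECU): key = (seed + C) mod 2**32,
4-byte big-endian seed/key, sub-function 0x03/0x04 for "level 3".
"""

SECURITY_ACCESS = 0x27
POSITIVE_OFFSET = 0x40          # positive response SID = request SID + 0x40
NEGATIVE_RESPONSE = 0x7F

# Constants exactly as posted in the thread; both unverified.
LEVEL3_CONST_REPLY9 = 0x16248   # terminator: "+0x16248"
LEVEL3_CONST_REPLY10 = 79153    # H2Deetoo: "+79153 (13531h)"

NRC_NAMES = {
    0x35: "invalidKey",
    0x36: "exceedNumberOfAttempts",
    0x37: "requiredTimeDelayNotExpired",
}


def additive_key(seed: int, constant: int) -> int:
    """key = (seed + constant) mod 2**32, i.e. plain 32-bit wraparound add."""
    if not 0 <= seed <= 0xFFFFFFFF:
        raise ValueError("seed must be a 32-bit value")
    return (seed + constant) & 0xFFFFFFFF


def request_seed_frame(level: int) -> bytes:
    """Tester -> ECU: 27 <level>. requestSeed sub-functions are odd."""
    if level % 2 == 0 or not 1 <= level <= 0x7D:
        raise ValueError("requestSeed level must be odd and below 0x7E")
    return bytes([SECURITY_ACCESS, level])


def parse_seed_response(level: int, frame: bytes) -> int:
    """ECU -> tester: 67 <level> s3 s2 s1 s0. Raises on 7F 27 <NRC>.

    A seed of all zeros means the ECU is already unlocked at this level
    (ISO 14229 behaviour), so callers must not send a key for it.
    """
    if len(frame) == 3 and frame[0] == NEGATIVE_RESPONSE and frame[1] == SECURITY_ACCESS:
        nrc = frame[2]
        raise RuntimeError(f"NRC 0x{nrc:02X} ({NRC_NAMES.get(nrc, 'unknown')})")
    if len(frame) != 6 or frame[0] != SECURITY_ACCESS + POSITIVE_OFFSET or frame[1] != level:
        raise ValueError(f"unexpected seed response: {frame.hex()}")
    return int.from_bytes(frame[2:6], "big")


def send_key_frame(level: int, seed: int, constant: int) -> bytes:
    """Tester -> ECU: 27 <level+1> k3 k2 k1 k0 (sendKey sub-function is even)."""
    key = additive_key(seed, constant)
    return bytes([SECURITY_ACCESS, level + 1]) + key.to_bytes(4, "big")


def ecu_check_key(level: int, seed: int, constant: int, frame: bytes) -> bytes:
    """Constructed model of the ECU side: 67 <level+1> on match, else 7F 27 35."""
    if frame == send_key_frame(level, seed, constant):
        return bytes([SECURITY_ACCESS + POSITIVE_OFFSET, level + 1])
    return bytes([NEGATIVE_RESPONSE, SECURITY_ACCESS, 0x35])


def run_exchange(level: int, seed: int, tester_constant: int, ecu_constant: int) -> dict:
    """One requestSeed/sendKey round trip against the toy ECU.

    `seed` is a constructed sample value, not one captured from a car.
    """
    req = request_seed_frame(level)
    seed_resp = bytes([SECURITY_ACCESS + POSITIVE_OFFSET, level]) + seed.to_bytes(4, "big")
    parsed = parse_seed_response(level, seed_resp)
    if parsed == 0:
        return {"request": req, "seed_response": seed_resp,
                "unlocked": True, "note": "seed 0: already unlocked, no key sent"}
    key_frame = send_key_frame(level, parsed, tester_constant)
    reply = ecu_check_key(level, seed, ecu_constant, key_frame)
    return {"request": req, "seed_response": seed_resp, "key_frame": key_frame,
            "reply": reply, "unlocked": reply[0] == SECURITY_ACCESS + POSITIVE_OFFSET}


if __name__ == "__main__":
    # Try both posted constants against an ECU model that uses the Reply #10 value.
    for const in (LEVEL3_CONST_REPLY9, LEVEL3_CONST_REPLY10):
        r = run_exchange(3, 0x12345678, const, LEVEL3_CONST_REPLY10)
        print(f"+0x{const:X}: {r['key_frame'].hex()} -> {r['reply'].hex()} unlocked={r['unlocked']}")
```

Usage note: on a real car you would replace `ecu_check_key` with frames read from the TP20 channel; the one thing to keep from the model is the handling of a 7F 27 37 reply (requiredTimeDelayNotExpired), which means back off rather than retry, since repeated wrong keys push the ECU into 0x36 and a longer lockout.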