Hi guys,
I've been playing around with Vagtacho 5.0 on my UDS cluster (3AA 920 880 A), and although it seems Vagtacho doesn't support my cluster it does show some interesting communications:
Command: 2E FD 11 01 -> WriteDataByIdentifier
Reply: 08 02 6E 02 AA AA AA AA AA -> Positive response
Command: 31 01 02 03 -> RoutineControl
Reply: 08 04 71 01 02 03 AA AA AA -> Seems like a positive response (71h=31h+40h)
Command: 10 03 -> Enter diagnostic session 03
Reply: 08 06 50 03 00 32 00 C8 AA -> Positive response
Command: 10 02 -> Enter diagnostic session 02 (programming mode)
Reply: 08 03 7F 10 78 AA AA AA AA -> busy
Reply: 08 06 50 02 00 32 2E E0 AA -> Positive response
Command: 27 11 -> request seed index 11
Reply: 08 06 67 11 3A 8B C9 BF AA -> seed received
Command: 27 12 B9 60 DB A9 -> send key index 11+1
Reply: 08 03 7F 27 35 AA AA AA AA -> 35 = invalid key
Command: 27 11
Reply: 08 06 67 11 3A 8B C0 96 AA
Command: 27 12 B9 69 F2 A9
Reply: 08 03 7F 27 35 AA AA AA AA
Now the funny thing is that in this mode (the cluster becomes dark btw) I can continuously ask for a seed and transmit a key.
There is no timeout or retry expiration which is normal in other modes.
The seed is changing (pseudo-randomly) so if I supply a fixed key I can brute it.
So I have a situation now where I could brute the correct key. I will make a test to see how fast this goes (if it is plausible to brute a valid key in my life span).
It seems Vagtacho does calculate a specific key for a given seed but it doesn't seem correct (7F xx 35 response). So I guess the seed/key algo for my cluster is unsupported.
I've left Vagtacho running for some time but of course it doesn't find the correct key, but when hitting the cancel button I see this:
Command: 34 01 44 03 FF 1E 96 00 00 00 70 -> RequestDownload to ECU (write to ECU)
Reply: 08 03 7F 34 7F AA AA AA AA -> 7F = Service or Subfunction not supported (in active Session)
or
Command: 34 01 44 03 FF 1E 96 00 00 00 70 -> RequestDownload to ECU (write to ECU)
Reply: 08 03 7F 34 33 AA AA AA AA -> 33 = Security access denied
I guess in a normal situation where it does answer with a valid key, its next step would be to upload something to the ECU.
I've read that most of these tools seem to upload some loader application to RAM, then execute it and the loader will output (a part of) the flash, where important values/keys are stored.
If I could realise a valid key using brute, I could try to dump the firmware using command 35, and continue my investigations from there.
Unfortunately, the syntax for the 34 cmd used by VagTacho is different compared to the one explained here:
http://nefariousmotorsports.com/forum/index.php?topic=4983.15
Does anyone have some documentation somewhere which might explain the correct syntax? Or can add some other helpful info?
Thanks in advance,
H2Deetoo
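The exchange quoted in the post, decoded with a small parser. This is an added example and is not code from the original post or from Vagtacho; it assumes the reply framing the post shows (a leading 08 byte, a payload-length byte, then 0xAA padding to 8 bytes), and the service and negative response code (NRC) names are taken from ISO 14229-1. The last function flags the behaviour the post describes: a SecurityAccess service that keeps answering invalidKey (0x35) without ever returning exceededNumberOfAttempts (0x36) or requiredTimeDelayNotExpired (0x37), which is the first thing a firmware reviewer would check for on a cluster that exposes a programming session.

```python
"""Decode the UDS exchanges quoted in the post above (ISO 14229-1 services).

Added example, not code from the original post or from Vagtacho. It assumes
the reply format seen in the post: two framing bytes ("08" and a payload
length) followed by the UDS payload, padded to 8 bytes with 0xAA.
"""

NRC_NAMES = {  # ISO 14229-1 negative response codes relevant to the log
    0x11: "serviceNotSupported",
    0x12: "subFunctionNotSupported",
    0x22: "conditionsNotCorrect",
    0x24: "requestSequenceError",
    0x33: "securityAccessDenied",
    0x35: "invalidKey",
    0x36: "exceededNumberOfAttempts",
    0x37: "requiredTimeDelayNotExpired",
    0x78: "requestCorrectlyReceivedResponsePending",
    0x7F: "serviceNotSupportedInActiveSession",
}
SERVICE_NAMES = {
    0x10: "DiagnosticSessionControl", 0x27: "SecurityAccess",
    0x2E: "WriteDataByIdentifier", 0x31: "RoutineControl",
    0x34: "RequestDownload", 0x35: "RequestUpload",
}
PAD = 0xAA

# Constructed sample input: the command/reply lines copied from the post.
SAMPLE_LOG = """\
Command: 10 03 -> Enter diagnostic session 03
Reply: 08 06 50 03 00 32 00 C8 AA -> Positive response
Command: 10 02 -> Enter diagnostic session 02 (programming mode)
Reply: 08 03 7F 10 78 AA AA AA AA -> busy
Reply: 08 06 50 02 00 32 2E E0 AA -> Positive response
Command: 27 11 -> request seed index 11
Reply: 08 06 67 11 3A 8B C9 BF AA -> seed received
Command: 27 12 B9 60 DB A9 -> send key index 11+1
Reply: 08 03 7F 27 35 AA AA AA AA -> 35 = invalid key
Command: 34 01 44 03 FF 1E 96 00 00 00 70 -> RequestDownload
Reply: 08 03 7F 34 33 AA AA AA AA -> 33 = Security access denied
"""


def strip_frame(frame):
    """Drop the '08 <len>' header and the 0xAA padding, returning the UDS payload."""
    if len(frame) < 2 or frame[0] != 0x08:
        raise ValueError("unexpected frame header")
    length = frame[1]
    payload = frame[2:2 + length]
    if len(payload) != length or any(b != PAD for b in frame[2 + length:]):
        raise ValueError("length byte does not match frame contents")
    return payload


def decode_response(request, reply):
    """Classify one reply as positive/negative and pull out the useful fields."""
    sid = request[0]
    payload = strip_frame(reply)
    info = {"service": SERVICE_NAMES.get(sid, "0x%02X" % sid)}
    if payload[0] == 0x7F:  # negative response: 7F <SID> <NRC>
        if len(payload) != 3 or payload[1] != sid:
            raise ValueError("malformed negative response")
        info.update(positive=False, nrc=payload[2],
                    nrc_name=NRC_NAMES.get(payload[2], "unknown"))
        return info
    if payload[0] != sid + 0x40:  # positive response SID is request SID + 0x40
        raise ValueError("response SID does not match request")
    info["positive"] = True
    if sid == 0x10:  # 50 <session> <P2 in ms> <P2* in 10 ms units>
        info["session"] = payload[1]
        info["p2_ms"] = (payload[2] << 8) | payload[3]
        info["p2star_ms"] = ((payload[4] << 8) | payload[5]) * 10
    elif sid == 0x27:  # 67 <sub-function> <seed bytes>
        info["subfunction"] = payload[1]
        info["seed"] = bytes(payload[2:]).hex().upper()
    else:  # keep the remaining bytes raw for the other services
        info["data"] = bytes(payload[1:]).hex().upper()
    return info


def decode_log(text):
    """Walk 'Command:'/'Reply:' lines; each reply is decoded against the last request."""
    results, request = [], None
    for line in text.splitlines():
        kind, _, rest = line.partition(":")
        data = [int(tok, 16) for tok in rest.split("->")[0].split()]
        if kind.strip() == "Command":
            request = data
        elif kind.strip() == "Reply" and request is not None:
            results.append(decode_response(request, data))
    return results


def missing_attempt_limit(results):
    """True if invalidKey was seen but the ECU never answered NRC 0x36 or 0x37.

    ISO 14229-1 provides those two codes precisely so that a SecurityAccess
    implementation can count failed keys and impose a delay; a log that shows
    neither after an invalid key points at the behaviour the post describes.
    """
    nrcs = {r["nrc"] for r in results if not r["positive"]}
    return 0x35 in nrcs and not ({0x36, 0x37} & nrcs)
```

Running `decode_log(SAMPLE_LOG)` turns the 50 03 reply into session 3 with P2 = 50 ms and P2* = 2000 ms, the 67 11 reply into the seed 3A8BC9BF, and the 7F 27 35 reply into invalidKey; `missing_attempt_limit` then returns True for this log.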