I am trying to write some software to read (and write) the eeprom of a specific module in my VW Passat car.
It is the door/window module, which is reachable using the OBD connector and uses KWP2000/TP20 protocol.
I can communicate with it already (requesting ident) but I am having troubles reading eeprom.
I am doing something like this:
-> 10 84 (Go to diagnostic mode 84)
<- 50 84 (Positive response)
-> 27 03 (Request seed)
<- 67 03 AA BB CC DD (Seed response)
-> 27 04 11 22 33 44 (Send key)
<- 67 04 34 (Positive key response)
-> 23 40 00 00 10 (Request 16 bytes of memory from address 400000h)
<- 7F 23 11 (Negative response: Service not supported in this session)
The problem I am facing is that there are too many possible variables:
- Which diagnostic session to use? -> I made a list of valid values and tried them all
- Which seed/key index to use? -> I haven't tried them all, but only 03/04 seemed valid at first
- Which seed/key algo to use? -> I found a static login value (simple addition) which works. Perhaps not the correct one for reading eeprom
- Which command is used to read eeprom? -> I am trying with KWP2000 command 23, but perhaps this module uses a different or even custom command
- Which address is used to access eeprom? -> I just tried different values like 000000 and 200000 and 400000 ...
Does anyone have a valid log of any eeprom read of any KWP2000/TP20 device?
Any log will be helpfull at this point I suppose.
sent you a PM