NEC + 24c64 for VW Golf 6



Dolph181
28th October, 2012, 08:13 AM
Hi. Soo... Getting into the world of working on embedded systems. The car I am testing with is a VW Golf 6. It is using MED 9.5 for ECU.

I've read a ton about what can be done with the older clusters..

Can anybody tell me what kind of information can be extracted from the dump of a VDO cluster, with NEC microcontroller with 24C64 EEPROM?? PIN? CS? Seed key?

Also, what kind of tools out there are actually working with these new clusters?

I know the NEC microcontroller is encrypting some of the data written to the EEPROM. I'm looking at the encrypted EEPROM dump, and it has a lot of Siemens VDO part numbers in it (in plain text), as well as the VW part number for the cluster.

Any information would be appreciated! :)

If I should take my questions to a different part of the forum, tell me that too!

I attached the EEPROM dump just in case someone wants to have a look see.

Thanks in advance!
-Kyle

Dolph181
29th October, 2012, 01:19 PM
Anybody? Bueller?

sherl645
29th October, 2012, 04:47 PM
What do you want to do and why?
What equipment have you?
What experience have you in automotive electronics?
And finally, if you're not a professional in this field why exactly should we help you?
Ronan

Dolph181
29th October, 2012, 05:35 PM
What do you want to do and why?
What equipment have you?
What experience have you in automotive electronics?
And finally, if you're not a professional in this field why exactly should we help you?
Ronan

Ronan, thanks for answering me back.

Answering your questions in order.

I'm wanting to get into the aftermarket world of tuning vehicles. My first and foremost intention was to learn how to manipulate the embedded systems of my vehicles. Eventually would like to get into developing hacks to allow a vehicle to do more than it was originally intended (Comfort systems mostly, not engine performance related). Who knows, start a business one day, and give back to the community.

Equipment:
VCDS MicroCAN USB cable
Old Vagcom cable, DB8 to OBD style
BusPirate v3.6
Arduino UNO
Microchip CAN bus analyzer Part #APGDT002
O-scope


Experience in Automotive Electronics:
Besides doing engine swaps, wiring swaps, troubleshooting electrical problems....not much. I do mess around with vagcom quite a bit. Learning more and more every day. I'm using arduino's I2C library, and bus pirate's I2C library to do I2C EEPROM dumps.
Other experience: I work as a systems engineer in IT, well versed in TCP/IP, protocol stacks, etc. Retired military. Have my undergrad in Physics, and worked with FPGA (Xilinx) in the lab I worked in. Currently doing Post Baccalaureate (night classes) work in digital electronics. I'm learning on an Altera CPLD currently through class, and next semester is with 8051 series microcontrollers.

I'm not a professional, there is no doubt. Nor am I a noob. I'm a surprisingly effective outside the box problem solver and I pick things up very fast.. This area of electronics is held in such secrecy... Let me in the secret club? I'll even learn the secret handshake!

Thanks in advance!
-Kyle

drpeter
29th October, 2012, 05:36 PM
Please post the dump of the flash (512kb); the EEPROM dump is useless :-)


baleyba
29th October, 2012, 11:41 PM
Hi Dr Peter,

Please can you say which tool is able to read flash?
Not possible with NEC, is it?

regards,

Lidahus
30th October, 2012, 09:46 AM
The posted dump is not useless. You just need to know the format. Just remove the first three rows, and delete columns 1 to 9, and 42, 43. With this you get a regular dump 16 bytes wide. This way I calculated 3656km for this dump. Correct? The .hex is used for the AVR code development chain. Quite unusual on this forum.

gijsvm
30th October, 2012, 10:02 AM
Hi Dr Peter,

Please can you say which tool is able to read flash?
Not possible with NEC, is it?

regards,

Yes, flash read of NEC is possible.

baleyba
30th October, 2012, 12:09 PM
Hi,

Please can you tell me which tool you use?
regards

gijsvm
30th October, 2012, 01:18 PM
Smok xcan has the possibility to read out the flash, but the function is not to be found in the standard program.

baleyba
30th October, 2012, 01:45 PM
I tested reading flash with xcan but it doesn't work.
The file is corrupted.
:(

Dolph181
30th October, 2012, 03:20 PM
The posted dump is not useless. You just need to know the format. Just remove the first three rows, and delete columns 1 to 9, and 42, 43. With this you get a regular dump 16 bytes wide. This way I calculated 3656km for this dump. Correct? The .hex is used for the AVR code development chain. Quite unusual on this forum.


You sir, are absolutely correct on the mileage.

My EEPROM readers dump hex in text format, so I found a program that I can use to strip out the text editing, and then I saved it out in hex format. Couldn't readily find a program that will dump my hex out to a .bin format that everybody here likes to use!

For those following along at home. The 1st row was setting up the .hex file format. The 2nd and 3rd row were just FF'd, most likely straight from the EEPROM manufacturer. Row 1-9 are the memory addresses, and the last two fields are most likely the checksums? Then that leaves you with just 16 bytes wide. In this format, it would be 16 bytes wide and 512 bytes long. Since we stripped out the first two rows of FFs, that leaves us with 510 bytes long.

Mr. Lidahus, the man of the hour... First let me thank you for replying with some good info! Keep it coming, and I'd be more than happy to compensate you with beer or the equivalent of beer!

Along with that good info... If you feel like sharing more! I'd love to know how you determined the format? Were you snooping the I2C when miles were being added to the cluster? Some other way of decoding the info? XOR'd with something?

Not sure how much you know about this smogsm fellow and software.. Do you know why that guy has you FF'ing a couple addresses to "immo off" the cluster? Understanding what that is doing with the cluster as well as talking to the ECU would help explain a lot.

Also, there is talk (in this thread) of dumping out the flash of the NEC microcontroller, which I'm almost positive is a Renesas V850E/Dx3 [uPD70F3426GJ(A)]. It was previously stated that there is 512KB of flash, but that's not true in this case (probably one older generation of clusters has 512KB). Looks like there is 2MB of flash and 84KB of RAM.

In this thread, is being asked for a dump of the flash the same as dumping the flash of this micro? Also, this micro has the ability to do AES and RSA encryption, is it even used in this case? If so, the flash dump would hold the decryption keys? I also assume there is a security bit set to protect certain parts of that flash (decryption keys?).
Then the self-programming feature built into the chip would allow dumping of the flash without caring about the security bit. I'm assuming that is what is being spoken of, in order to get a "dump" of the flash? Can you confirm?

Sorry for the long winded post.. Just a little excited to talk to somebody that can provide some insight. Also, please feel free to send me any links to any good articles/stuff to read up on!

Thanks for everyone that has contributed! If I can help any of you guys, feel free to ask!

-Kyle
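
Added example, not code from any poster in this thread: the row layout discussed above (9 leading characters, 32 data characters, 2 trailing characters) matches the Intel HEX record format, in which the first 9 characters are the ':' start code, byte count, 16-bit address and record type, and the last two are a checksum. This Python converter verifies each record's checksum and writes the data bytes to a flat binary image; the sample records are constructed, not taken from the posted dump.

```python
"""Intel HEX -> flat binary, with per-record checksum verification (added example)."""

def parse_record(line):
    """Split one ':LLAAAATT<data>CC' record into (address, type, data)."""
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError("record does not start with ':'")
    raw = bytes.fromhex(line[1:])
    if len(raw) < 5 or raw[0] != len(raw) - 5:
        raise ValueError("length field does not match record size")
    if sum(raw) & 0xFF != 0:          # all bytes incl. checksum must sum to 0 mod 256
        raise ValueError("checksum mismatch: " + line)
    return int.from_bytes(raw[1:3], "big"), raw[3], raw[4:-1]

def ihex_to_bin(text, fill=0xFF):
    """Return a flat image; gaps between records are padded with `fill`."""
    image, base = bytearray(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        addr, rtype, data = parse_record(line)
        if rtype == 0x00:                     # data record
            start = base + addr
            if len(image) < start + len(data):
                image.extend([fill] * (start + len(data) - len(image)))
            image[start:start + len(data)] = data
        elif rtype == 0x01:                   # end-of-file record
            break
        elif rtype == 0x02:                   # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                   # extended linear address
            base = int.from_bytes(data, "big") << 16
        # types 03/05 (start addresses) carry no image data
    return bytes(image)

# Constructed sample: a type-04 header row, two 16-byte data rows, end-of-file row.
SAMPLE = """\
:020000040000FA
:10000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00
:10001000000102030405060708090A0B0C0D0E0F68
:00000001FF
"""

if __name__ == "__main__":
    image = ihex_to_bin(SAMPLE)
    print(len(image), "bytes")
    print(image[16:32].hex())
```

A record that fails the checksum raises `ValueError` instead of being written to the image, so a corrupted read shows up before any analysis of the dump.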

potatodog
30th October, 2012, 05:32 PM
Here is your .hex as .bin

AVDI can read the flash from NEC via OBD

Lidahus
31st October, 2012, 03:28 PM
@Dolph181: Had staging been activated on your cluster since new?

If you sniff I2C you will find out that the encrypted area has been made with AES192. You already had some good readings about the data sheets of Renesas. That's a lot to read. But there isn't much about implementation. Everything found is just by comparing dumps and trial-and-error principles.

Dolph181
3rd November, 2012, 07:59 AM
@Dolph181: Had staging been activated on your cluster since new?

If you sniff I2C you will find out that the encrypted area has been made with AES192. You already had some good readings about the data sheets of Renesas. That's a lot to read. But there isn't much about implementation. Everything found is just by comparing dumps and trial-and-error principles.

Staging was activated from the factory.

Sorry took me so long to reply.. I have family in town because of Hurricane Sandy. So I had to entertain them.

I found an old thread that you posted up in, giving a decent explanation of the techniques used to decrypt mileage. I'm going over the math in it now.

As a consolation prize.. I've got a virgin color cluster here. It uses the same microcontroller that the white cluster uses. I posted the Renesas part number earlier in this thread.. The prize being.. a dump of the virgin EEPROM. I figured out how to dump out to binary finally. Hopefully this might help someone.. somehow...

Two more questions for now!
The Smok company or whatever, when they are gaining access to the dashboard (YouTube video of it), they FF a couple lines in the EEPROM (they read the EEPROM directly), write back the modified EEPROM, and then it lets them dump the flash on the dash through OBD2. What are they FFing, and why? I wanna do that!

Last question.. It seems everybody has all of those super expensive interface cables that work on 234987234 different kinds of cars. Any cable/solution that you (or anybody) can recommend that will be able to dump the flash from these new NEC + 24c64 clusters, without breaking my piggy bank? I don't need any of the old K line stuff, just the newest CAN only stuff for VAG.

Thanks in advance guys!

-Kyle

Dolph181
5th November, 2012, 03:28 PM
Pics for clicks!

http://www.lionsdenu.com/wp-content/uploads/2010/09/hot_asian_girls_on_facebook_044.jpg

andersonmaxi
5th November, 2012, 03:39 PM
Can VAG KM+IMMO TOOL BY OBD2 change mileage on a VW Golf 6 2012 Match???
I tried with super vag c+can but nothing changes; it reads the value but can't change the value.

Dolph181
5th November, 2012, 04:08 PM
Can VAG KM+IMMO TOOL BY OBD2 change mileage on a VW Golf 6 2012 Match???
I tried with super vag c+can but nothing changes; it reads the value but can't change the value.


What site are you sourcing that tool from?

Thanks!

-Kyle

andersonmaxi
5th November, 2012, 04:36 PM
A China site,
and just now I tried with vag km+immo tool by obd and I can't read the value.
I see the message:
this feature is not autorized please contact your dealer
What does this mean??
thx