Hi guys,


After a lot of reading it seems that starting from 2011 VDO is using 24C64 with different algo compared to earlier 24C32 variants.
I found on this forum that mileage is stored as 32 bytes from 12A0 to 12BF.
I also read that the algo uses a unique key stored in the cpu, so a simple eeprom copy from a different cluster is not possible.

Using Tachosoft 23.1 I calculated the mileage as it is now (47613 km) and I must say that many bytes are same (and some are very similar).
The example I am looking at now has got 8 bytes which are identical and atleast 6 bytes which have only a difference of 1.
This leads me to believe the algo is not that much different, and if there is a unique per cpu key then this key isn't used to crypt the whole area of 32 bytes.

Now for my questions to you experts:
- Is there any public info about the algo used for this 2011 VDO NEC 24C64 cluster, like some sourcecode or documents?
- Is there any public info about the predecessor (24C32) algo ?
- Is it correct to say that this new algo uses a unique per cpu key?


Thanks for your info,

H2Deetoo

Only obd on these as key file encrypted in cpu

Thanks for your answer!
Strange, but I asked codecard.it and they say mileage can be changed with there tool using eeprom read (with clip) ?!


Rgs H2Deetoo

Then pay for fake magic.

Thanks for your answer!
Strange, but I asked codecard.it and they say mileage can be changed with there tool using eeprom read (with clip) ?!


Rgs H2Deetoo
Partly they are right
if you dint have working KEy then you need do a little trick via EEProm, that is why you need eeprom reader + CLIp

I not recommend "small software" from carcode , also tech support....
you can always try ......and complain if they will kill your dach.
all is up to you .

Passat except us version have no immo inside dash and this trick have no value by it.

Thanks for your answers!

So they only way to change mileage is to do it using CAN bus, but then you need to know 1) the UDS commands to use and 2) some security key to obtain access to your cluster.
I guess a CAN bus log of a cluster be changed would explain the UDS commands, but how to get the security key?


Rgs H2Deetoo

H2Deetoo my friend,you are speaking language that many here don't understand.
They are simply end user of tools.
To get access to protected area of cluster,key needs to emit correct CS-bytes.
Then you got full access to cluster over CAN.
If you don't have working key,cluster needs to go into service mode.
So answer to your question is that cluster is protected by password of 8 bytes(8th byte is unique to car group,eg. VW Seat Skoda or Audi) and other 7 bytes are unique to car.
When MCU decrypts the data it is stored in RAM,and that is where they change the data,which is then being then encrypted back and rewritten to eeprom.

Aha I am starting to understand it now I think :)
I got a reply from codecard.it and they confirm that if you don't have security key for your cluster, you need to read/write the eeprom externally.
So does anybody know how that trick works? Do they overwrite a part of the eeprom with a piece of data for which they know the key?

What exactly is "service mode" and what does it allow you to do?

I am sorry for so much questions, I am new to this but anxious to work it out ...



Rgs H2Deetoo

As autofan already explained. "service mode" does not apply on Passat dashboards.
It is also no service mode. All you do is corrupt the crypted immo data inside the eeprom.
If you have a working key you can enter bootloader mode. Without key it will refuse because of immo active.
With the corrupted data it will grant access to bootloader.

In bootloader mode a ram-loader will be uploaded to the dash so you can read the access key from the flash.
With the know known access key you can access the dash via OBD. It's an AES key and you will also need the seed/key algos for bootloader access, access with security key etc.
For sure you will not find them somewhere. Good luck with reverse engineering or obtaining code from other programs

Hi exe123, thanks for your explanation.
As my Passat dashboard doesn't have immo inside, how is it possible to get into bootloader mode then?

....... how is it possible to get into bootloader mode then?
if you use proper tools, it will boot cluster

Hi Maartinj,

I understand that if you buy a proper tool it will do that for you, but I am curious on how it is done.
So I understand that if you "damage" the eeprom, the cluster allows you to go into bootloader mode, so using what canbus command is that done then?
And what cmds are used to upload the RAM loader then?

I am still thinking about a "cheap" tool which can handle my cluster, and log all canbus commands.
But still deciding which one would be the best choice ...


Rgs H2Deetoo

If you mean tool to do mileage as you already have tool to sniff the canbus then just get a Digiprog. If you want tool that changes mileage and records canbus commands and allows you to then view them then good luck with that.

Nothing change with your passat dash. Bootloader can be writed(flashed in ram) after security access and it is only possible when all requirements all ok for flashing. That what write simaservice is wrong info. True login is AES key stored in flash.

88diablo, indeed I meant buying a tool like digiprog3 and logging all the canbus commands it sends using my own tool.
Also,

hi mate try this website bronken.de ? Handheld CAN Logger/Sniffer selber gebaut. Fahrzeugdatenbusse selber abh?ren. (http://bronken.de/canlogger/)

roundabout 80€ for a selfmade sniffer

br

Thanks, but I wrote my own CAN (logger) tool already, using a VagTacho 5.0 cable ;-)
The software wasn't useable on both my clusters, but atleast the cable I can use!


Rgs

Is the following the correct way to put NEC+C64 cluster in service mode?
[VAG with NEC MCU + 24C64 inside] - range 0x13A0 - 0x1450 in hex editor with FF FF ..

Or are there some other address aswell?


Rgs H2Deetoo

Yes ^^^^^^

There is simple two bytes checksum for mileage in all VDO UDS dashboards. Mileage/1000 nothing else.
However this checksum is encrypted in eeprom, so you will need to decrypt eeprom data first.
By changing the mileage record (32 bytes) in not encrypted part you can set mileage higher than actual :)
However the only way back is via OBD.

Btw, welcome on this forum ;-)

This thread is fascinating !
I have a 2015 Golf. I saved the eeprom and drove 800 km. Then i wrote back the old data that i saved, and after 5 minutes the current km showed again, so i can only assume that the km is not only in the eeprom.

Then you did something wrong for sure ;-)
Mileage is stored in eeprom on 5 different locations ^^

you can write dump from previous taking mileage back but wont work.

because you still need the key what you dont have.

You can always write an old dump, and set back mileage!
But you need to have a dump from your cluster, not some other.

This thread is fascinating !
I have a 2015 Golf. I saved the eeprom and drove 800 km. Then i wrote back the old data that i saved, and after 5 minutes the current km showed again, so i can only assume that the km is not only in the eeprom.


Then you did something wrong for sure ;-)
Mileage is stored in eeprom on 5 different locations ^^
He has 2015 which is GOLF 7. I do not think it is same as GOLF 6.
I think someone had same problem before.It looks like GOlf 7 has flash + eeprom Km.
Same problem in Magneti Marelli with NEC dash.

He has 2015 which is GOLF 7. I do not think it is same as GOLF 6.
I think someone had same problem before.It looks like GOlf 7 has flash + eeprom Km.
Same problem in Magneti Marelli with NEC dash.
golf 2015 can be GOLF 6 cabrio for example
seems ovner dont know lot of about car he did

H2Deetoo, it is the dump from the original clustet, untouched. I saved the data and tried to use it 800 km later, on the cluster i originaly read it. Not othet cluster ! It probably has a backup somewhere in the MCU, and i don't know of a way to read/write this MCU.

Ah maybe you have some newer part?
Please post exact partnumber and firmware version. Indeed latest Golf 7 clusters are completely different compared to previous generation.


Rgs H2Deetoo