Quote:
Originally Posted by JasonACT
In unrelated research, entering security mode (UDS function 0x27) which I've now got keys for the ICC and Cluster, may have different "levels" where you can request a 2nd function 0x27... Both the ICC and Cluster respond with "give me the key to 00 00 00" which to me looks like a fixed key is needed. I did this by accident on the ICC and the normal generated key "works" (though I'm not sure if that unlocked anything extra) but the Cluster tells me "Invalid key" so I'm doing another brute force scan.
Apparently, this 2nd unlock request enables the write functions (which I've so far been unsuccessful in performing).
Still here?
Ok, so the ICC accepted the key generated from seed 00 00 00, but the Cluster didn't.
Many attempts were made over many days (and program changes made also, mostly because the Cluster has some strange timing going on, so I needed a more chain-like approach to guessing keys rather than time-based messages [I'll probably post a link to Fleetwood Mac's "The Chain" sometime] because I clocked the 3 byte key a couple of times without a match)...
It struck me though, when it asks for the key to seed 00 00 00 - maybe I should send in the last key I used again. And that works, no more "Invalid key" error. But I'm not sure if it unlocks anything extra, yet.
Interesting though, this little quirk, so I thought I'd post about it. Anyway, back to getting nowhere with dumping the firmware on the Cluster (but, anyone who somehow already has the FG2 Cluster firmware, feel free to give it to me!!!).
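
For reading bus captures like the ones described in this post, here is a small decoder for UDS SecurityAccess (0x27) responses, given as an added example that is not part of the original post or the poster's tooling. It follows ISO 14229-1, where an all-zero seed in a positive requestSeed response means the requested level is already unlocked; the sample frames and their sub-function numbers are constructed, not taken from the ICC or Cluster.

```python
# Added example: classify UDS SecurityAccess (0x27) response payloads.
# NRC names are from ISO 14229-1; the sample frames below are constructed.
NRC_NAMES = {
    0x12: "subFunctionNotSupported",
    0x13: "incorrectMessageLengthOrInvalidFormat",
    0x22: "conditionsNotCorrect",
    0x24: "requestSequenceError",
    0x31: "requestOutOfRange",
    0x35: "invalidKey",
    0x36: "exceededNumberOfAttempts",
    0x37: "requiredTimeDelayNotExpired",
}

def decode_security_access(payload: bytes) -> dict:
    """Decode one response payload (transport-layer framing already removed)."""
    # Negative response: 0x7F, echoed service id, negative response code.
    if len(payload) >= 3 and payload[0] == 0x7F and payload[1] == 0x27:
        nrc = payload[2]
        return {"kind": "negative", "nrc": nrc,
                "meaning": NRC_NAMES.get(nrc, "unknown")}
    # Positive response: 0x67 (0x27 + 0x40), then the echoed sub-function.
    if len(payload) >= 2 and payload[0] == 0x67:
        sub = payload[1]
        if sub == 0x00:
            return {"kind": "malformed", "reason": "sub-function 0x00"}
        level = (sub + 1) // 2  # 0x01/0x02 -> level 1, 0x03/0x04 -> level 2
        if sub % 2 == 1:  # odd sub-function: requestSeed, seed bytes follow
            seed = payload[2:]
            if not seed:
                return {"kind": "malformed", "reason": "seed missing"}
            # All-zero seed: the ECU reports this level as already unlocked.
            return {"kind": "seed", "level": level, "seed": seed.hex(),
                    "already_unlocked": not any(seed)}
        return {"kind": "key_accepted", "level": level}  # even: sendKey
    return {"kind": "not_security_access"}

# Constructed sample payloads (hex), in the order such an exchange might appear.
SAMPLE_FRAMES = ["6701a1b2c3", "6702", "6703000000", "7f2735"]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(frame, decode_security_access(bytes.fromhex(frame)))
```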