Page 2 of 2 FirstFirst 12
Results 11 to 12 of 12

Thread: Retrofit ACC VW T6

  1. #11
    Verified VCDS User
    Join Date
    Mar 2015
    Location
    Australia
    Posts
    384
    Post Thanks / Like
    Quote Originally Posted by cilitkas View Post
    are you sure all t6 had CP? i have bought BCM and navi from late 2015 T6, fitted to my 2012 t5 and all works fine, no CP errors...
    PQ platform vehicles' CP scheme doesn't include BCM like it does in MQB platform vehicles..
    2011 Skoda Octavia vRS TDI DSG wagon|Revo Stage 1|Race Blue|Leather|Dynamic Xenons w 6000K|THA475 Amp+active sub|Whiteline ALK|RVC|Discover Media
    2009 R36 wagon|Biscay Blue|RVC|Tailgate|ECU and DSG tune|LED DRL/Indicators|Full colour MFD|Quad LED tail rings| Climatronics upgrade| Dynaudio retrofit | B7 RLine Flat Steering Wheel|3AA CCM|B7 Adaptive Cruise with Front Assist|TPMS Direct|Discover Media retrofit|PLA 2.0|Lane Assist|BCM Retrofit|HBA/FLA

  2. #12
    Verified VCDS User
    Join Date
    Jan 2019
    Location
    Germany
    Posts
    66
    Post Thanks / Like
    So, for PQ25/PQ35 Car's with Component Protection Master inside the Cluster i figured out the Code.
    You need a ACC Radar and Cluster which are already configured with the right Swap Codes and CP Data from a working or broken T6 for Example.
    It is possible to read out the encrypted Component Protection Data from the Cluster, 20 Bytes @ Offset 0x1540 in Eeprom
    Decrypt it, and than Encrypt it for the your Car.
    With the Component Protection "Transfered", the Swap Codes from the original Car stays and everything works.
    For this you need to be able to read out the 2 Mbyte Firmware of the Cluster @ offset 0x10034 is the 16 Byte CBC AES Key for CP Eeprom Data encryption
    @ 0x1540 in Eeprom there are 20 Bytes, first 4 bytes are CRC32 of the next 16 Byte "Data" (but only after decryption)
    The AES is only calculated over the first 16 byte.

    So do a AESCBC Decryption of Byte 0-15, than you can do a crc32 over Decrypted Byte 4-15 and original Bytes 16-19 from eeprom, this should be identical to Decrypted Bytes 0-3.
    Than you can encrpt the data for the new cluster.
    Done

    Took me 3 Month of Cluster Firmware Reverse-Engineering ....
    I am aware that this way of copying the cp Data is already known by some people, but due to for me unknown circumstances this was not made public by them.
    I like to share this information now publicly. Be happy with it.

    Attached a real Use Case Picture for Better understanding.
    Last edited by dnoermann; 02-24-2020 at 11:45 AM.

  3. Likes NEtech, myounus, downtime, m87a, Uwe liked this post

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •