本文提供了一套详尽的指南,教你如何通过发送特定的CAN消息来判断控制器是否存储VIN代码,并在支持的情况下使用服务3B进行VIN代码的写入。包括使用Brute Force方法猜测解锁控制器所需的密钥,以及成功写入VIN代码后的流程。
Good news you can. Well sort of. The VIN stored in controllers is writable (well maybe). But in some cases its difficult and some impossible. So I am hear to give you some tips to make life a little easier.
First find out if the controller stores the VIN. This can usually be done on OBD II controllers by sending a CAN message formatted like this:
ARBID = 7E0 DATA = 02 09 02 00 00 00 00 00.
This will get the first part of the VIN if it is on the controller. So a typical response might look like this:
ARBID = 7E8 DATA = 10 13 49 02 31 39 48 31.
You could send a Flow Control Message ( 7E0 30 00 00 00 00 00 00 00) to get the remainder of the data bytes but our goal is only to see if this controller stores the VIN. If we get a negative response ( 7E8 03 7F 02 12) then we know it does not and we and thus we cannot change something that isn’t there.
So now we know the controller supports VIN, this is where things get OEM specific. So in the interest of brevity I will give an example of setting VIN on a GM CAN BUS vehicle (GMLAN).
GM employs the GMLAN diagnostic protocol for enhanced diagnostics. So you may want to do some reading of the GMW 3110 spec (downloadable from IHS). So we know how to read the VIN, but how do you write it. The VIN is stored in the controller as a Data Identifier (DID). Service 3B is used to write DIDs. However as VIN is considered a protected DID, you will need to “unlock” the controller using Security access first. But of course you don’t have the security access algorithm do you? I didn’t think so. So we must use a Brute Force technique to guess the correct Key to unlock the controller.
To brute force the Key you must send a Seed request to the controller ( 7E0 02 27 01 00 00 00 00). This request must be done first before you send a key. On GM the Seed is static, it doesn’t change each time that it is requested. So this means we must increment the Key one at a time until the controller responds back with a positive response ( 7E0 01 67). So let’s get cracking.
First send the Seed Request then send a Key ( 7E0 04 27 02 00 01; where 00 01 is the two byte key). Most likely the first key you choose will not be the correct key for the seed. So you will see a negative response from the controller indicating that we have an incorrect key (7E8 03 7F 27 35). This will mean we must try again. But we know we have the wrong key so add 1 to the previous Key (00 01 + 1 = 00 02). So send the seed request and another Key request. Now we might get another negative response with saying wrong key, but we might get a message stating that we have exceed the number of attempts ( 7E8 03 7F 27 36). This would indicate that we cannot send any more seed or key request until we have reset the power on the controller. So manually or automatically, reset the power on the controller. Now we can try again. Send a seed request, but this time check for a negative response from the request ( 7E8 03 7F 27 37). This means that the required time delay has not passed. Keep sending the seed once or twice a second until the error goes away. This delay is an internal timer that acts as a security method for brute forces the key. There is no simple way around it, so we must endure it. When we get a positive response, then we send the key ( 7E0 03 27 02 00 02).
That’s it, we just loop through this until we get a positive response from the controller after a key request.
Please not that in the worst case this could take up to 9 days! So you need to be a bit patient. But once you have the Key it will work for this controller every time. Unfortunately just this controller.
But now you have been able to successfully unlock the controller and you can now use Service 3B to write the VIN. So make three messages that look like this:
7E0 10 13 3B 90 31 31 31 31
-- Wait here for flow Control frame ( 7E8 30 00 00) --
7E0 21 31 31 31 31 31 31 31
7E0 22 31 31 31 31 31 31 31
The 31’s are The VIN digits 1-17, the 90 is the VIN DID (On GM controllers) the 3B is the service, the 013 is the length of the data in hexadecimal, and the 1, 21, and 22 are the ISO 15765 Diagnostic Layers.
If the VIN is written successfully then you should get a positive response:
7E8 02 7B 90
First find out if the controller stores the VIN. This can usually be done on OBD II controllers by sending a CAN message formatted like this:
ARBID = 7E0 DATA = 02 09 02 00 00 00 00 00.
This will get the first part of the VIN if it is on the controller. So a typical response might look like this:
ARBID = 7E8 DATA = 10 13 49 02 31 39 48 31.
You could send a Flow Control Message ( 7E0 30 00 00 00 00 00 00 00) to get the remainder of the data bytes but our goal is only to see if this controller stores the VIN. If we get a negative response ( 7E8 03 7F 02 12) then we know it does not and we and thus we cannot change something that isn’t there.
So now we know the controller supports VIN, this is where things get OEM specific. So in the interest of brevity I will give an example of setting VIN on a GM CAN BUS vehicle (GMLAN).
GM employs the GMLAN diagnostic protocol for enhanced diagnostics. So you may want to do some reading of the GMW 3110 spec (downloadable from IHS). So we know how to read the VIN, but how do you write it. The VIN is stored in the controller as a Data Identifier (DID). Service 3B is used to write DIDs. However as VIN is considered a protected DID, you will need to “unlock” the controller using Security access first. But of course you don’t have the security access algorithm do you? I didn’t think so. So we must use a Brute Force technique to guess the correct Key to unlock the controller.
To brute force the Key you must send a Seed request to the controller ( 7E0 02 27 01 00 00 00 00). This request must be done first before you send a key. On GM the Seed is static, it doesn’t change each time that it is requested. So this means we must increment the Key one at a time until the controller responds back with a positive response ( 7E0 01 67). So let’s get cracking.
First send the Seed Request then send a Key ( 7E0 04 27 02 00 01; where 00 01 is the two byte key). Most likely the first key you choose will not be the correct key for the seed. So you will see a negative response from the controller indicating that we have an incorrect key (7E8 03 7F 27 35). This will mean we must try again. But we know we have the wrong key so add 1 to the previous Key (00 01 + 1 = 00 02). So send the seed request and another Key request. Now we might get another negative response with saying wrong key, but we might get a message stating that we have exceed the number of attempts ( 7E8 03 7F 27 36). This would indicate that we cannot send any more seed or key request until we have reset the power on the controller. So manually or automatically, reset the power on the controller. Now we can try again. Send a seed request, but this time check for a negative response from the request ( 7E8 03 7F 27 37). This means that the required time delay has not passed. Keep sending the seed once or twice a second until the error goes away. This delay is an internal timer that acts as a security method for brute forces the key. There is no simple way around it, so we must endure it. When we get a positive response, then we send the key ( 7E0 03 27 02 00 02).
That’s it, we just loop through this until we get a positive response from the controller after a key request.
Please not that in the worst case this could take up to 9 days! So you need to be a bit patient. But once you have the Key it will work for this controller every time. Unfortunately just this controller.
But now you have been able to successfully unlock the controller and you can now use Service 3B to write the VIN. So make three messages that look like this:
7E0 10 13 3B 90 31 31 31 31
-- Wait here for flow Control frame ( 7E8 30 00 00) --
7E0 21 31 31 31 31 31 31 31
7E0 22 31 31 31 31 31 31 31
The 31’s are The VIN digits 1-17, the 90 is the VIN DID (On GM controllers) the 3B is the service, the 013 is the length of the data in hexadecimal, and the 1, 21, and 22 are the ISO 15765 Diagnostic Layers.
If the VIN is written successfully then you should get a positive response:
7E8 02 7B 90
Good luck and let me know if you have any questions!
转载自:www.canbushack.com/blog/index.php?title=change-the-vin&more=1&c=1&tb=1&pb=1
扫一扫
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
