Key Fob / Reverse Engineering

I just wanted to give a brief update of my key fob project. Maybe you remember that, following a recent paper, it seems as if the firmware of VW ECUs contains a master key that can be used to clone arbitrary keys by overhearing a single transmission. I already blogged about that earlier.

In the meantime, my Comfort Control Unit arrived. I'm pretty confident that this is the ECU in question, since it's also made by Hella, the company that sells the keys. Here are some photos of the board.

Microcontrollers

The board comes with two microcontrollers, one from Amis/Hella (labeled 0728YSE SIFB / 740 377-00 / SIFB-PAA) and another one from Fujitsu (labeled MB90347AS-137 / 790 343-01 / VW 4.03 / 0727 K74).

For the Fujitsu part there are datasheets online, but for the Amis/Hella controller I couldn't find anything.

Next steps

Unfortunately, I don't know much about ECUs, but from what I have read, there are two ways to proceed.

One option is to figure out the pinout of the connector and use the CAN port to communicate with the controllers. With Unified Diagnostic Services (UDS), I might be able to read the memory of the controller. However, this seems to be a lot of work, since I couldn't find a good open-source tool for UDS and might have to start from scratch. While this is clearly plan B, I already bought a USBtin USB-to-CAN interface and played around with it a bit.
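To make the UDS route concrete, here is an added example that is not code from the original post or from any tool mentioned in it. It builds a UDS ReadMemoryByAddress request (service 0x23, ISO 14229), splits it into ISO-TP frames (ISO 15765-2) the way they would go out over a CAN interface such as the USBtin, and decodes the reply, including the negative response an ECU returns for a region locked behind SecurityAccess. The CAN IDs 0x7E0/0x7E8, the simulated ECU, its memory layout and its lock policy are all assumptions for illustration; the real diagnostic IDs and memory map of the Comfort Control Unit are not known from the post, and the receiver's flow-control frame is left out.

```python
# Added example: UDS ReadMemoryByAddress over ISO-TP, with a constructed ECU.
# Not the post's own code; CAN IDs, memory map and lock policy are assumed.

SID_READ_MEMORY_BY_ADDRESS = 0x23
SID_NEGATIVE_RESPONSE = 0x7F
NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_REQUEST_OUT_OF_RANGE = 0x31
NRC_SECURITY_ACCESS_DENIED = 0x33

REQUEST_ID = 0x7E0   # assumed tester -> ECU ID, not verified for this unit
RESPONSE_ID = 0x7E8  # assumed ECU -> tester ID


def build_read_memory(address, length, addr_bytes=4, len_bytes=2):
    """0x23 request: SID, addressAndLengthFormatIdentifier (memorySize width
    in the high nibble, memoryAddress width in the low nibble), address, size."""
    if not (1 <= addr_bytes <= 15 and 1 <= len_bytes <= 15):
        raise ValueError("field widths must fit in a nibble")
    alfid = (len_bytes << 4) | addr_bytes
    return (bytes([SID_READ_MEMORY_BY_ADDRESS, alfid])
            + address.to_bytes(addr_bytes, "big")
            + length.to_bytes(len_bytes, "big"))


def isotp_encode(payload):
    """Split a payload into 8-byte classic CAN frames.
    Single frame: PCI 0x0N (N = length) + up to 7 bytes.
    Multi-frame: first frame 0x1L 0xLL (12-bit length) + 6 bytes, then
    consecutive frames 0x2N (4-bit rolling sequence) + 7 bytes each.
    Frames are padded to 8 bytes, which many ECUs expect."""
    if len(payload) <= 7:
        frames = [bytes([len(payload)]) + payload]
    elif len(payload) > 0xFFF:
        raise ValueError("payload too long for a 12-bit first-frame length")
    else:
        frames = [bytes([0x10 | (len(payload) >> 8), len(payload) & 0xFF]) + payload[:6]]
        for seq, i in enumerate(range(6, len(payload), 7), start=1):
            frames.append(bytes([0x20 | (seq & 0x0F)]) + payload[i:i + 7])
    return [f.ljust(8, b"\x00") for f in frames]


def isotp_decode(frames):
    """Reassemble a payload from a single frame or first+consecutive frames,
    trusting the PCI length fields rather than the padded frame size."""
    first = frames[0]
    pci = first[0] >> 4
    if pci == 0x0:
        return first[1:1 + (first[0] & 0x0F)]
    if pci != 0x1:
        raise ValueError("expected a single or first frame")
    total = ((first[0] & 0x0F) << 8) | first[1]
    data = bytearray(first[2:8])
    for expected, f in enumerate(frames[1:], start=1):
        if f[0] >> 4 != 0x2 or (f[0] & 0x0F) != (expected & 0x0F):
            raise ValueError("bad consecutive frame sequence")
        data += f[1:8]
    if len(data) < total:
        raise ValueError("truncated multi-frame message")
    return bytes(data[:total])


def parse_response(payload, request_sid):
    """Positive response SID = request SID + 0x40; a negative response is
    0x7F, the echoed request SID, and a negative response code (NRC)."""
    if not payload:
        raise ValueError("empty response")
    if payload[0] == SID_NEGATIVE_RESPONSE:
        if len(payload) < 3 or payload[1] != request_sid:
            raise ValueError("malformed negative response")
        return ("nrc", payload[2])
    if payload[0] == request_sid + 0x40:
        return ("data", payload[1:])
    raise ValueError("unexpected response SID 0x%02X" % payload[0])


class SimulatedEcu:
    """Constructed stand-in for the target, not the real CCU: 64 bytes of
    'firmware' at 0x4000, of which the upper half only reads once unlocked."""

    def __init__(self):
        self.base = 0x4000
        self.memory = bytes(range(0x40))
        self.unlocked = False  # would be set by a successful SecurityAccess (0x27)

    def handle(self, request):
        sid = request[0]
        if sid != SID_READ_MEMORY_BY_ADDRESS:
            return bytes([SID_NEGATIVE_RESPONSE, sid, NRC_SERVICE_NOT_SUPPORTED])
        addr_w, len_w = request[1] & 0x0F, request[1] >> 4
        addr = int.from_bytes(request[2:2 + addr_w], "big")
        size = int.from_bytes(request[2 + addr_w:2 + addr_w + len_w], "big")
        off = addr - self.base
        if off < 0 or off + size > len(self.memory):
            return bytes([SID_NEGATIVE_RESPONSE, sid, NRC_REQUEST_OUT_OF_RANGE])
        if off + size > len(self.memory) // 2 and not self.unlocked:
            return bytes([SID_NEGATIVE_RESPONSE, sid, NRC_SECURITY_ACCESS_DENIED])
        return bytes([sid + 0x40]) + self.memory[off:off + size]


def read_memory(ecu, address, length):
    """One round trip. On a real bus the request frames are sent with
    REQUEST_ID and the reply frames are collected from RESPONSE_ID."""
    request_frames = isotp_encode(build_read_memory(address, length))
    reply_frames = isotp_encode(ecu.handle(isotp_decode(request_frames)))
    return parse_response(isotp_decode(reply_frames), SID_READ_MEMORY_BY_ADDRESS)
```

On a real bus the frames from `isotp_encode` would be written to the USBtin (it speaks the LAWICEL/SLCAN serial protocol) with `REQUEST_ID`, and the reply reassembled from frames carrying `RESPONSE_ID`; the response `7F 23 33` (securityAccessDenied) is exactly the kind of restriction the next paragraph worries about, and `7F 23 7F` (serviceNotSupportedInActiveSession) is the usual sign that an extended or programming session (service 0x10) has to be entered first.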

The better option would be to connect an ECU hardware debugger like the BDM 100. As far as I can see, this allows extraction of the whole firmware. (With UDS, there may be security measures in place that only allow access to parts of the firmware.)

On the back of the board (see above) there are pins that could be a BDM connector. Therefore, I decided to give this a try first and ordered a debugging cable, which I'm still waiting for. I hope it's as easy as it looks in this video, where a guy flashes the engine controller.