MicroHacker Forum

Yesterday i got an FX-Plus, which i bought used because imnever had such a device to play with for longer. It is the one with video input from an Kuga (8V4T-18K931-BA).

What makes me curios was, that it don't requires a PIN code on poweron, it just starts. Maybe there is a patch onto it to make this happen, because i'm shure the PIN security can't be turned off on the FX, this was only possible on NX. Also the FX has no Engineering-Menu, only the Service-Menu. But please tell more if you know...

Now, i'm going to dump the firmware off to see if i can compare it whith one from an similar device having the PIN dialog.

Hi. A few years ago, a friend bought a new NX, through Ford. when he installed it in his kuga, he did not ask for the PIN, nor did he have a VIN number.
When reading the browser configuration with the ELMConfig, the "Keycode activated" box was deactivated, once we activated it with the ELMConfig, it could not be deactivated anymore.

I spent some time trying to activate it again through the CAN-BUS, the Focus2 platform, C-Max and Kuga, the modules are configured through As-Built codes, some time ago I was able to decode the code frame and make my own generator of As-Built codes. So starting from my generator, I made my own AS-Built with the code that deactivates the PIN, with the arduino module and CAN-BUS shield I tried to send the configuration to the NX, but it must have a protection that only lets activate but not deactivate.
My data frame CAN-Bus to change the configuration of the NX works well with the other parameters, for that reason I rule out a failure of mine in the data frame.

The same goes for the KMs in the instrument cluster, it lets rise but does not go down.

I was looking on the internet, and there is a Polish company that sells a device, similar to the J-Tag, which is very expensive, but it reads the rom and takes out the PIN code of the NX

http://shop.martech.pl/pl/

regards

This all sounds very interesting to me and i would love if you present your work here, both, the one with the IPC mileage (please inot IPC board) and the NX setups.

By the way, what are those settings? In Mondeo the Asbuilt is similar but more menu driven in ELmConfig than for the Focus part or in FoCCCus. I also decoded the CCC and CAN frames to transfer (see my wiki). Maybe you could add your knowledge for completeness?!
For now i am not aware of any settings in the Mondeo CCC which influences the Radio.

I know the NX once had an option to disable PIN code checking, but it seems only some radios have it. Maybe it was removed in a specific version. If i had time i install different servicepacks on one of my NXes to see if i can find the feature. If someone finds it, he could turn it on and off (i am pretty shure, but not absolutely) and diff the dumps afterwarts to look what changed. If this is found it should be applicable to other Nx also and we may have a patch to disable it on likes.

I'm going to start with steps. first I will explain the "AS-Built" that uses the Focus MK2, C-Max and Kuga, which means each digit, to understand all the steps that I will describe in this post.
This is As-Built Of my Car to Standard 6000 Radio CD:
727-01-01 0102 184B
727-02-01 5746 3052 58A8
727-02-02 5847 4344 52AA
727-02-03 3943 3838 3655
727-02-04 3933 A0

the first digits are to identify the data frame:

727-01-01

The following correspond to configuration and verification number, which are the last 2 digits

0102 184B

We are going to do a practice to calculate the verification digits, we need a HEX calculator and we do the following sum:

7+27+01+01+01+02+18 = 4B---> 4B are the last digits of the AS-Built File

ok, now we know the first and the last digist of the AS-Built code:

727-01-01 0102 18 4B
727-02-01 5746 3052 58 A8
727-02-02 5847 4344 52 AA
727-02-03 3943 3838 36 55
727-02-04 3933 A0

Now let's know where the module configuration is encoded and where the vin number is configured:

To configuration:
727-01-01 0102 18 4B
if the first numbers are to identify and the last is verify number, next numbers are to configure module, and it this:

010218
In kuga have next oiptions to configure:
this code is diveded into 3 parts:
01

02

18, the key code activation is in the last pars "18"

in this 2 digits is possible activae or deactivate 4 options
each option has a value

front wofers = 80
rear wofers = 40
front tweeters = 20
rear tweeters = 10
keycode activated = 8
SpeedLock activatey = 4
Not used = 2
Not used = 1

Look at the screen shot to see this options. now to calculate only need sum the values in HEX calculator.
if you need activate all options:

front wofers = 80
rear wofers = 40
front tweeters = 20
rear tweeters = 10
keycode activated = 8
SpeedLock activatey = 4
Not used = 2
Not used = 1
----------------------------------------
Total in HEX = FF

Now how to deactivate PIN code with AS-Built or deactivate any option? is easy, only need rest value of the table with HEX calculator.
now i take my original AS-Built and edit to remove PIN code, and this is the operation:

727-01-01 0102 184B -> take a 18, the key code are in this block, and rest 8-> 18 - 8 = 10, now edit all AS Built and change verification code:
727-01-01 0102 1043

The problem is, when you actiavte keycode and speedlock, then you can never activate, the firmware of the unit dont acept deactivate.



To VIN Number:
727-02-01 5746 3052 58 A8
727-02-02 5847 4344 52 AA
727-02-03 3943 3838 36 55
727-02-04 3933 A0

if the first numbers are to identify and the last is verify number, next numbers are to configure module, and it this:
5746 3052 58
5847 4344 52
3943 3838 36
3933

Now put all numbers in line:

57 46 30 52 58 58 47 43 44 52 39 43 38 38 36 39 33

Now conver hex number to decimal

57=87, 46=70, 30=48, 52=82, 58=88, 58=88, 47=71, 43=67, 44=68, 52=82, 39=57, 43=67, 38=56, 38=56, 36=54, 39=57, 33=51.

this is the complete numbers in Decimal:

87 70 48 82 88 88 71 67 68 82 57 67 56 56 54 57 51.

This numbers are ASCII character, only need convert numbers to characters and you have a VIN number

87=W, 70=F, 48=0, 82=R, 88=X, 88=X, 71=G, 67=C 68=D, 82=R 57=9, 67=C 56=8, 56=8, 54=6, 57=9, 51=3.

And now we have my VIN number:

W F 0 R X X G C D R 9 C 8 8 6 9 3.

Tomorrow more......

First of all, thank you very much oscarboiro for this explaination. I've gone through this a while ago and wrote down a lot in my Wiki: https://mk4-wiki.denkdose.de/artikel/fa ... on/asbuilt

Before we dig deeper into this, where did you get that notation from? Did you check this is really the contents of the CAN frames? Please always note if values are given in HEX (prepend "0x" to it), BINARY (prepend "0b" to it) or DEC (prepend nothing), cause it helps reading.

To get ASCII chars from byte values, there is no need to transform them to decimal, you just need an ASCII table or an hex-editor

If will post some basics on the CAN board for explaination, because i see you seem not to know some concepts and therefore misinterpret data.

Now, i want to sort some things out, you might not know yet...

• The CCC itself is a stream of 256 bytes, containing flags (on/off) and values (options) of car configuration parameters. This part is called "Config-Block".
• It is concatenated after an also 256 bytes large "Info-Block" containting the VIN and mostly 0 bytes.
• Both parts together make up the *.elm file which is used by ELMConfig. Also both parts can be wrapped into a Asbuilt format and make up the *.as file used by Ford IDS.

For now, this is only a file. To get it into the Flash of a car module (BCM, IPC, ...) it must be transferred via CAN. This is most often done using the ODB-II protocol. For this the CCC data is sliced into the payload of OBD frames. And the OBD-Frames are packed into the payload of CAN-Frames which are send onto the CAN-Bus. This is an important point and is similar to other network technologies like Ethernet, where data is put into TCP packages (segmented), which are in turn packed into IP packages, which are put into Ethernet frames. Think of a Matrjoschka puppet... in IT terminologies it is called OSI layers.

I will explain how you can request the configuration that the NX has, how to record a new configuration and how to reset the unit. all through the CAN-BUS.
This Explain works in travelpilot of Focus MK2, C-Max, and Kuga, i don´t try in Mondeo-S-max units.

To read Configuration need send next sequence in CAN-BUS:
727 02 3E 02 00 00 00 00 00
litlle delay and send next code, im use 100Ms
727 02 21 00 00 00 00 00 00

After send this commands, the units request in 72F, example after send commands in my unit:

72F 03 7F 21 78 00 00 00 00

72F 05 61 00 16 02 0C 00 00-> in this file have the configuration, is this 16 02 0C

this is the 3 blocks of AS-Built, if you calculate my unit have activated KEy code and speed lock, the value are 8 + 4
use HEX calculator and the result is: C, only need put 0 first and result is 0C.
the rest of numbers of the block are to rest of options.

Now to write config is similar first need write:

727 02 3E 02 00 00 00 00 00-> this is the same code of the first steep
litlle delay and send next code, im use 100Ms, if dont work to write, put more time 500Ms
727 05 3B 00 16 02 0C 00 00-> in teory to deactivate key code and speed lock need rest C, to this configuration the result to deactivate is this:
727 05 3B 00 16 02 00 00 00-> only need rest the value in hex calculator

If the writing are ok receibe next code:
72F 03 7F 3B 78 00 00 00 00
72F 02 7B 00 00 00 00 00 00

If the program are not ok receibe this code:
72F 03 7F 3B 78 00 00 00 00
72F 03 7F 3B 31 00 00 00 00

To reset unit, im reset always after write ney configuration, and i use this code:

727 02 3E 02 00 00 00 00 00
litlle delay and send next code, im use 100Ms
727 02 11 01 00 00 00 00 00

Regards!!!!

A small video of how to program the browser with arduino using CAN-BUS shield:

Great job! I try to match this with Mondeo. As both cars uses the same radios i gues the CAN messages are applicable on both also.
The ECU ID 0x727 is the same on both cars. On Mondeo the radio module is called "ACM" (Audio Control Module) whereas on Focus it's called "ACU" (Audio Control Unit) and the Mondeo part of ELMConfig does not offer any settings here, especially not the LOCK settings.
But the software also warns in switching it on: so it really could be true that it is write-once somehow. But it will shure be stored somewhere in flash or eeprom, so if we had a unit where it is not programmed, read flash and eeprom (just to be safe), activate it, read again and compare, we should be able to find it.

Maybe it's worth trying to use ELMConfig in Focus-Mode with an Mondeo-Radio attached to the ELM327. This should do.

Hey guys!
I finally managed to get my hand on a PIN decoder routine. It was unprotected in an Android-App
With it it is possible to decode PIN codes of radios with the Bosch Type number of "7 612 *** 5**" (having the so called "A05" algo).

You can paste this into any tool which can execute Javascript (e.g. https://playcode.io/): The tool should output a legal PIN. Compare and make some test.
I've added a small tool to my Wiki: https://mk4-wiki.denkdose.de/artikel/na ... calculator

I've looked inside some Firmwareimages to may find the secret hash array above, but no luck.

I have seen somewhere similar java code extracted from android application.