Man I just started coding, this is so impressive! I dont understand much of what you said, but I read it all. Good work man!So I've been a happy VCDS user since buying my Golf in 2003 (it had 65000 miles on it so it conveniently needed an immediate timing belt replacement, hence needing VCDS - though it was named VAG-COM way back then).
However there are things that VCDS doesn't do, such as pulling the SKC from an instrument cluster, changing the odometer of a used cluster, reading/writing bytes in the CCM, retrieving a used radio's Safe code, etc.
Since I have a part-time "business" (really more like a hobby at this point) involving fixing up MKIV instrument clusters and reselling them, VagTacho or similar (VAG Commander, VAGdashCOM, VAG EEPROM Programmer, etc.) is a necessity. The problem is that legitimate copies of these tools cost hundreds of dollars and require special dedicated cables. You can find cheap pirated copies of many of these, but some still require special cables and you never know what malware might be lurking on the plain white mini-CDs that the software comes on. (I eventually did by a real copy of VAGdashCOM after having lots of trouble with flaky eBay VagTacho cables). And it's not only me that needs these tools. If I sell a cluster to someone, they need to know their SKC in order to install it. If I set the odometer to 0, they can adjust it to the correct value with VCDS, but no VagTacho, no SKC, no start.
I've also always wanted to use VDS-PRO to enable the "Roll windows up/down with key fob" CCM feature and other options, but it only runs on DOS and hasn't been maintained in many years. I've had lots of trouble getting it to run at all on newer computers.
Fast forward to a couple of months ago: I bumped into Mike Naberezny's GitHub page: https://github.com/mnaberez/vwradio
Mike has done the amazing job of reverse engineering 8 (so far) VW/Seat/Skoda radios and has found various hidden commands and discovered ways to retrieve the Safe code from most of them via the K-Line and some open-source hardware/software that he created. He's made all the info available for free. The only downside is that his software runs on a custom circuit board and that's a barrier to most people.
So that got me thinking that maybe I could do something similar in software that runs on a PC and a generic cable. I was able to find a good bit of info about VW's proprietary KW1281 K-Line protocol here and learned some more by reading Mike's code. I bought a Saleae logic analyzer and was able to use it to spy on the K-Line while using various cluster tools and VDS-PRO in order to figure out which KW1281 commands were being used to read/write the EEPROM, reboot the cluster, etc.
I was then able to write a program that could wake up a module and send simple commands over the K-Line. Eventually I got it to the point where it could read/write bytes in the CCM EEPROM like VDS-PRO and retrieve the Safe code from a VW Premium V radio like Mike's tool. The big thing missing was the ability to read/write the cluster EEPROM. That required performing a successful challenge/response with the cluster. The commercial tools all know how to do that but it's not documented anywhere that I could find. Finally with some pointers from Mike, I was able to partially disassemble the cluster ROM in order to find how the challenge/response works and am now able to dump the entire cluster EEPROM to a file for editing. I only just got this working yesterday so I haven't tried writing the EEPROM back yet but that should be pretty straightforward to get working.
I uploaded all the source code to GitHub: https://github.com/gmenounos/kw1281test
You can download the source code and build it yourself or there's a .zip file containing a precompiled version that runs on Windows 10 here:
Currently it just runs from the command line but that might be just fine for now. It requires a dumb KKL cable, basically something with an OBD connector on one end and that looks like a serial port to the PC. I've successfully used a KKL cable I bought 7 years ago that connects to an actual serial port on my really old laptop. I've also used a genuine VCDS cable configured to run in VCP (Virtual COM Port mode). I've only run it on an old Dell laptop that runs 32-bit Windows 10. It should work fine on 64-bit Windows 10 but I haven't actually tried that yet. It's written in C# for .NET Core, which is cross-platform, so it might also run on Macs and Linux but I haven't tried either. You're welcome to give it a shot and let me know.
To run the tool, you have to know what COM port your cable is using, what baud rate to use, what controller address to connect to and what command you want to send. A fancier tool like VCDS will automatically detect the baud rate of the controller but I was too lazy to figure out how to do that so you must know the baud rate. I can tell you that the cluster uses 10400.
Here's the tool reading a cluster's software version:
Maybe not too exciting, but here's it dumping the cluster EEPROM to a file:Code:
PS C:\> .\kw1281test.exe com4 10400 17 ReadSoftwareVersion Opening serial port com4 Sending wakeup message Reading sync byte Keyword Lsb $01 Keyword Msb $8A Protocol is KW 1281 (8N1) ECU: 3B7920946E KOMBI+WEGFAHRSP VDO V095 Sending Custom "Unlock Additional Commands" block Sending Custom "Read Software Version" blocks 00: VWK501MH $10 $01 01: $81 $19 02: $18 $08 $01 $0B $1C $09 03: VW/Sk MH Serie/Flash Sending EndCommunication block
Here's a full list of commands. You'll see that same info if you just run the program and don't specify any parameters.Code:
PS C:\> .\kw1281test.exe com4 10400 17 DumpEeprom 0 2048 Opening serial port com4 Sending wakeup message Reading sync byte Keyword Lsb $01 Keyword Msb $8A Protocol is KW 1281 (8N1) ECU: 3B7920946E KOMBI+WEGFAHRSP VDO V095 Sending Custom "Unlock Additional Commands" block Sending ReadIdent block Sending Custom "Unlock partial EEPROM read" block Sending Custom "Are you unlocked?" block Sending Custom "Seed request" block Block: 7A 42 2A DE 80 28 6F 45 01 00 Sending Custom "Key response" block Sending ReadEeprom block (Address: $0000, Count: $10) Received "Read EEPROM Response" block: 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ... Sending ReadEeprom block (Address: $07F0, Count: $10) Received "Read EEPROM Response" block: FF 4C 00 00 00 00 00 FF FF FF 08 0E 08 0E 08 0E Saving EEPROM dump to WVWUK63B33P247312_____VWZ7Z0B6069175_$0000_eeprom.bin Sending EndCommunication block
So if this sounds useful, please give it a try and let me know if it works for you. I'm interested in hearing what cables it works with, which controllers it can talk to and which is has trouble with, bug reports and suggestions for new features.Code:
Usage: KW1281Test PORT BAUD ADDRESS COMMAND [args] PORT = COM1|COM2|etc. BAUD = 10400|9600|etc. ADDRESS = The controller address, e.g. 17 (cluster), 46 (CCM), 56 (radio) COMMAND = ReadIdent ReadSoftwareVersion ReadEeprom ADDRESS ADDRESS = Address in decimal (e.g. 4361) or hex (e.g. $1109) WriteEeprom ADDRESS VALUE ADDRESS = Address in decimal (e.g. 4361) or hex (e.g. $1109) VALUE = Value in decimal (e.g. 138) or hex (e.g. $8A) DumpEeprom START LENGTH START = Start address in decimal (e.g. 0) or hex (e.g. $0) LENGTH = Number of bytes in decimal (e.g. 2048) or hex (e.g. $800) DumpRom START LENGTH START = Start address in decimal (e.g. 8192) or hex (e.g. $2000) LENGTH = Number of bytes in decimal (e.g. 65536) or hex (e.g. $10000) MapEeprom Reset DelcoVWPremium5SafeCode