Do you have some pointers on how you would get started if you had this cluster at your hand?
I have a bench setup where I can connect the various control units to a battery. I also have a couple of old laptops and a logic analyzer (https://usd.saleae.com/products/saleae-logic-pro-8, but something much cheaper like this would probably also work: https://www.sparkfun.com/products/18627).
I then use some of the commercial tools to communicate with a control unit while recording what happens on the K-Line using the logic analyzer. Then based on what I see on the K-Line, I can often work out what commands to send to the control unit to retrieve the SKC.
You will need to understand the KWP1281 protocol (and also sometimes KWP2000) in order to understand what you're seeing on the K-Line. Here's a good reference:
https://www.blafusel.de/obd/obd2_kw1281.html
Sometimes it's pretty easy. Reverse engineering how VDS-Pro talks to the CCM to change bytes in the EEPROM was straightforward as there's not much security.
Other times, such as unlocking VDO clusters, there's a cryptographic challenge/response. Just seeing the 4-byte challenge (which is random and changes every time) from the cluster and the 4-byte response from the tool doesn't give much insight on how to calculate the response from the challenge. To figure that one out, I had to download the ROM from a VDO cluster and then spend many hours disassembling it.
I reverse engineered how to unlock the Bosch RB8 cluster challenge/response without access to the cluster ROM. For that one, I wrote a simulator that pretended to be an RB8 cluster. I then tried to unlock the cluster with a commercial tool by sending sequential challenges from the simulator while observing how the responses from the tool changed for each one. Eventually I had enough challenge/response pairs to work out how to calculate the response from the challenge. Luckily the algorithm was much simpler than the one used by VDO clusters. Otherwise it would have been too hard to figure out.
For Marelli clusters and Bosch EDC15 ECUs, I observed that the commercial tools sent a big block of binary data to the control units to unlock them. That turned out to be a small program that the control units execute. Since kw1281test is open source, I didn't want to have it sending obscure binary data with no source code, so I downloaded the data sheets for the processors used in those control units and disassembled the binary data to understand what the programs were doing. Then I made some improvements to the programs and built them into kw1281test. If you read the kw1281test source code, you can read the assembly code that is downloaded to the Marelli clusters and Bosch ECUs in order to read the EEPROMs.
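To make sense of a K-Line logic-analyzer capture, the first step the post describes is recognising KW1281 block framing. The decoder below is an added example, not code from the post or from kw1281test; it assumes the framing documented in the blafusel reference (length byte, block counter, title, data, 0x03 end byte, with every byte except the end byte echoed back as its complement on the same wire) and that blocks alternate sender starting with the control unit. The capture it decodes is constructed, not recorded from real hardware.

```python
"""Decode a raw KW1281 byte stream as seen on a single-wire K-Line capture.

Framing (per the KW1281 reference): [length][counter][title][data...][0x03].
The length byte counts every byte after itself, including the 0x03 end byte.
The receiver acknowledges each byte (except the end byte) by sending its
complement (b ^ 0xFF), so a single-wire capture interleaves payload and acks.
"""
from __future__ import annotations
from dataclasses import dataclass

END_BYTE = 0x03
# A few well-known block titles (constructed lookup table, not exhaustive).
TITLES = {0x05: "Clear fault codes", 0x06: "End output", 0x07: "Read fault codes",
          0x09: "ACK", 0x0A: "NAK", 0x29: "Group reading",
          0xE7: "Group reading response", 0xF6: "ASCII data", 0xFC: "Fault codes response"}

@dataclass
class Block:
    sender: str      # "ECU" or "Tester", inferred from strict block alternation
    counter: int
    title: int
    data: bytes

    @property
    def name(self) -> str:
        return TITLES.get(self.title, f"title 0x{self.title:02X}")

def encode_block(counter: int, title: int, data: bytes) -> bytes:
    """Bytes for one block exactly as they appear on the wire, acks included."""
    body = bytes([len(data) + 3, counter & 0xFF, title]) + bytes(data)
    wire = bytearray()
    for b in body:
        wire += bytes([b, b ^ 0xFF])          # payload byte followed by its complement ack
    wire.append(END_BYTE)                     # the end byte is never acknowledged
    return bytes(wire)

def decode_capture(raw: bytes) -> list[Block]:
    """Split an interleaved capture into blocks, verifying acks, counters and end bytes."""
    blocks, i, prev_counter, sender = [], 0, None, "ECU"

    def take() -> int:                        # read one payload byte and consume its ack
        nonlocal i
        if i + 1 >= len(raw):
            raise ValueError(f"truncated capture at offset {i}")
        b, ack = raw[i], raw[i + 1]
        if ack != (b ^ 0xFF):
            raise ValueError(f"bad ack 0x{ack:02X} for byte 0x{b:02X} at offset {i + 1}")
        i += 2
        return b

    while i < len(raw):
        length = take()
        if length < 3:
            raise ValueError(f"block length {length} too short at offset {i - 2}")
        counter = take()
        if prev_counter is not None and counter != ((prev_counter + 1) & 0xFF):
            raise ValueError(f"block counter jumped from {prev_counter} to {counter}")
        title = take()
        data = bytes(take() for _ in range(length - 3))   # length covers counter, title, end
        if i >= len(raw) or raw[i] != END_BYTE:
            raise ValueError(f"missing end byte at offset {i}")
        i += 1
        blocks.append(Block(sender, counter, title, data))
        prev_counter, sender = counter, ("Tester" if sender == "ECU" else "ECU")
    return blocks

# Constructed capture: ECU sends two ASCII identification blocks, tester ACKs each.
CAPTURE = (encode_block(1, 0xF6, b"CONSTRUCTED ECU ID") + encode_block(2, 0x09, b"")
           + encode_block(3, 0xF6, b"DEMO ONLY") + encode_block(4, 0x09, b""))

if __name__ == "__main__":
    for blk in decode_capture(CAPTURE):
        print(f"{blk.sender:6} #{blk.counter:3} {blk.name:22} {blk.data!r}")
```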