Anybody want to let me borrow their module? I know it says it is VIN locked but I'm a software engineer and I reversed parts of the flashing sequence done by the MyGenius enough to sniff the unencrypted tune map and I'd like to give this module a shot. I'd be willing to pay for a deposit, etc.

I know the module says it is VIN locked. I would be trying to spoof the CAN/OBD-II traffic and could replicate what VIN is sent to the device.

From there, I could read the OBD-II/CAN commands that are set and then I could make an open source tool that would require a $20 CAN device, not a $450 markup

 

Does anyone have a current ebay link for the E63s handheld suspension lowering module discussed above. The link provided above routes me to an ebay link that says item not found.

 

https://www.ebay.com/itm/MERCEDES-BE...IAAOSwV5law-kg

 

I have 2 of them but 1st did not work with the car. I can send it to you if you need.

 

@Mandarin--thanks for the link.

 

let us know how this goes! appreciate the effort.

 

time to put my money where my mouth is

here is what it sends when you plug it in:

$ candump can0

can0 7DF [8] 02 01 0C AA AA AA AA AA

can0 7DF [8] 02 01 0C AA AA AA AA AA

can0 7DF [8] 02 01 0C AA AA AA AA AA

can0 7DF [8] 02 01 0C AA AA AA AA AA

can0 7DF [8] 02 01 0C AA AA AA AA AA

can0 744 [8] 02 10 03 55 55 55 55 55

can0 692 [8] 02 10 03 55 55 55 55 55

can0 692 [8] 02 10 92 55 55 55 55 55

can0 638 [8] 02 10 03 55 55 55 55 55

can0 652 [8] 02 10 03 55 55 55 55 55

can0 652 [8] 02 10 92 55 55 55 55 55

can0 7E0 [8] 02 10 03 55 55 55 55 55

can0 7E0 [8] 02 10 92 55 55 55 55 55

can0 7E0 [8] 03 22 F1 90 55 55 55 55

can0 7E0 [8] 02 1A 90 55 55 55 55 55

[8] 02 01 0C AA AA AA AA AA <- get engine RPM (check if engine is off?)
[8] 02 1A 90 55 55 55 55 55 <- ReadECUIdentification (KWP2000)
[8] 02 10 03 55 55 55 55 55 <- Diagnostic Session Control (type 0x03)
[8] 02 10 92 55 55 55 55 55 <- Diagnostic Session Control (type 0x92)
[8] 03 22 F1 90 55 55 55 55 <- Read Data By Identifier (VIN)

it probes to different CAN IDs to figure out what car it is, which is to be expected. time to spoof some data

 

I'm able to get the car into a position where the head unit shows "Diagnostics"

Then, the screen displays "I U O B E S ->[A]A A A A A "

As anybody encountered this? I am able to control the letters with the wheel. Do I just need to... enter the password?

Edit: nevermind, I was sending the wrong VIN to the device. After I fixed that, it displayed the vehicle expected output correctly:

31 01 12 09 00 04 31 2f 32 20 43 75 72 3a 20 46 61 63 74 6f 72 79 20 53 65 6c 3a 20 46 61 63 74 6f 72 79 20 00 55 55 55 55
1 1/2 Cur: Factory Sel: Factory UUUU

edit 2: i've got the device writing to the screen. i just need to figure out how to emulate a trackpad swipe -> trackpad press down to emulate "factory -> low -> save", and then i'll sniff the final packets and be done!

edit 3: not sure on these, but maybe:

can0 1F3 [8] 00 00 00 86 00 00 77 00 -- buton normal
can0 1F3 [8] 00 00 01 86 00 00 77 00 -- button pressed down
can0 1F3 [8] 00 00 02 86 00 00 77 00 -- move up
can0 1F3 [8] 00 00 80 86 00 00 77 00 -- move left
can0 1F3 [8] 00 00 08 86 00 00 77 00 -- move right
can0 1F3 [8] 00 00 20 86 00 00 77 00 -- move down

 

It's not a trackpad swipe, it was a rotary wheel "right" or "left" and push down for "ok" fyi. The video showed trackpad swipe but that didn't work.

 

I was able to emulate the rotary wheel right + left + push down.

When you lowered your car, did it say "Security access" on the screen for a while? I feel like the demonstration videos did not mention that?

 

Yes, it does show that message

 

for roughly how long? 30 seconds? a few minutes?

 

Yes around 15-20s I think. Never recorded. But not a minute 100%

 

This is a big help, thank you.

Update:

CEASE AND DESIST

Here is the code I use to "sniff" the unencrypted tune maps off of the MyGenius. If anybody is interested, I *think* I am confident enough in the approach/code to introduce a "hack" that works around VIN restrictions. Meaning, you can go buy a used MyGenius with the tune map you want for the same car and I can get it to work without the reset fee/procedure.

The same "VIN spoofing" can be used with just about any device that checks VIN. Handheld lowering module, etc. etc. It's really not hard.

CEASE AND DESIST

The handheld lowering module is more advanced than I thought. I am pretty impressed actually. I was able to reverse the MyGenius flash flow without any problems because ECU tuning is such a widely talked about issue for many years now. Secret Mercedes AirMatic suspension modules? Not so much. I actually need to order a few more wires/cables/parts to fully reverse the flow, but I already got my $20 CAN controller faking the "plug in to car, spoof VIN, detect what type of car we are in, put message on screen, move the wheel to the option we want, hit accept" flow. I just need to sniff a couple of packets from this security access flow from the car (since there is so little information online about these specific subfunctions), and then I can clean the code up and hopefully we have a free open source suspension lowering module? Maybe not. There's a chance I won't be able to code the hard security access stuff that is all under wraps. I'm just trying to see what values the module writes to where, after the security access. That part is worth a lot to me, but without the security access solved, it's useless.

 

if we put the setting to “low”, are we in danger of rubbing the fenders/wheels/rims?

 

No

 

The "low" setting on the device is -40mm in case anybody was wondering.

 

the -70 is my setting I made to make it look like a lowrider for funny pics lol.

 

PM me if you want to lower your car but don't want to spend $500 on an eBay module.

https://canable.io/ pick up a $20 CAN interface and this OBD-II pigtail cable:
connect the two, plug into your car, plug USB into your computer running a linux virtual machine

a few `cansend` command line invocations, viola. you're a car hacker!

# start diag session
(1559688792.794026) can1 744 [8] 02 10 03 55 55 55 55 55
(1559688792.851786) can1 724 [8] 06 50 03 00 14 00 C8 AA

# stupid useless rejected red herring security access call?
(1559688808.639673) can1 744 [8] 02 27 3D 55 55 55 55 55
(1559688808.684114) can1 724 [8] 03 7F 27 11 AA AA AA AA

# 0103 call with 00 parameter (reset airmatic configuration)?
(1559688808.699849) can1 744 [8] 04 31 01 03 00 55 55 55
(1559688808.743162) can1 724 [8] 04 71 01 03 00 AA AA AA

# 0103 call with 15 parameter (write 15 71 76 6C 79, which is stock height)
(1559688815.902725) can1 744 [8] 10 08 31 01 03 15 71 76
(1559688815.927146) can1 724 [8] 30 20 00 AA AA AA AA AA
(1559688815.932857) can1 744 [8] 21 6C 79 55 55 55 55 55
(1559688815.998634) can1 724 [8] 03 7F 31 78 AA AA AA AA
(1559688816.018956) can1 724 [8] 04 71 01 03 15 AA AA AA

# 0203 call with 00 (reset something maybe?)
(1559688826.046521) can1 744 [8] 04 31 02 03 00 55 55 55
(1559688826.094093) can1 724 [8] 04 71 02 03 00 AA AA AA

# 0303 call with 15 (read setting back, verify that it was correct)
(1559688844.773726) can1 744 [8] 04 31 03 03 15 55 55 55
(1559688844.826746) can1 724 [8] 10 08 71 03 03 15 71 76
(1559688844.833660) can1 744 [8] 30 08 14 55 55 55 55 55
(1559688844.862942) can1 724 [8] 21 6C 79 AA AA AA AA AA

# clear DTC
(1559688863.500483) can1 744 [8] 04 14 FF FF FF 55 55 55
(1559688863.556492) can1 724 [8] 03 7F 14 78 AA AA AA AA
(1559688863.576248) can1 724 [8] 01 54 AA AA AA AA AA AA

# ECU reset
(1559688863.590582) can1 744 [8] 02 11 03 55 55 55 55 55
(1559688863.635850) can1 724 [8] 02 51 03 AA AA AA AA AA

https://en.wikipedia.org/wiki/Unifie...ostic_Services
https://en.wikipedia.org/wiki/ISO_15765-2

 

Ordered mine yesterday at noon. Arrived in the morning, all done in under 24 hours.

 

How low did you go? Did you get an alignment after? Your front seems a little lower than the rear. Was that intentional?

 

Wasn’t intentional. This photo is the default -32 front and rear. I ended up tweaking it a little more as this was too low for my tastes, and settled on -24 front and -27 rear. No side view, but it looks like this in the lowest sport setting:



No alignment yet, will do it soon. Would love to destroy these stupid run flats so I have an excuse to switch to PSS 4S.

edit - made some adjustments tonight, set it to -29 front and -32 rear. Sport suspension is around the height of the first photo, plan on driving it mostly on comfort suspension which now equals my 2nd photo. Using the lift mode, looks to be high enough to clear anything high angle driveways.

 

Final settings, -28 front -32 rear.





Experimented a bit with the settings, it lets me go all the way down to more than -60, but physically the car only drops another 16mm or so to -45 front and -48 rear based on my measuring tape. Any more drop than that in the settings and nothing changes.

 

That looks great rage2.

Mine is on its way right now from MBCANSOLUTIONS on eBay. His follow up on a Sunday afternoon was 3-4 minutes. Looking forward to be able to tweak my E300 sport.

 

man

people love to spend $400 of their hard earned money instead of opening up a command line prompt and running some commands