CHECK VIDEO: https://www.youtube.com/watch?v=HmdPyjj1Qbo&feature=share
If you want to receive fast update tip, subscribe to our youtube channel.
V3: CRD1 CRD2 CRD3 and other ECU's with extended diagnostic protocol
V4: DSM Reading Variant coding (Type of car vica versa migrating not possible without this step) 164/246 204/212/221 and other)
V5: DSM Erase variant, erase learned position (DSM Will be in UNCODED condition) (new button when DSM checked)
V6: DSM Variant bug fix (didnt read Variant when OBD Checked)
DSM - CONTINENTAL. DO NOT ERASE VARIANT FIRST, YOU MUST UNLOCK DSM WITH DEALER PASSWORD, THEN YOU ERASE VARIANT.
IF YOU DO NOT FOLLOW THIS ORDER, THEN UNLOCK TO VIRGIN NOT POSSIBLE, YOU WILL NEED TO CODE IT FIRST THEN MAKE UNLOCK (VIRGIN)
MBCAN is not designed to reset on vehicle. YOU MUST RESET IT ON BENCH
Inside software function info:
OBD - is obd protocol to read hashes, that means this is checked only to read and unchecked during UNLOCK clicking
NAG - in some cases NAG must be checked because reset doesnt work, try with and without NAG checked
Steps: Check OBD, read hashes, uncheck OBD, in our case for VGS3 check NAG2, click unlock 4-5 times, check OBD again and read status or read hashes.
YOU CAN RESET:
- CRD3 (working)
- 7G units VGS1 VGS2 VGS3
- ISM - SIEMENS+CONTINENTAL (Updated finished, old customers please contact us for new software)
MBcan: FBS2 FBS3 logger and tool:
- makes possible to see what happens on CAN wires: authorizations, status, FBS service messages.
- allows to neutralize (renew) FBS components.
- makes possible to personalize older “SERIES” EIS where additional command to K-line is necessary to launch personalization
- in case of FBS2 and EIS it is possible to calculate key password from CAN and key data.
How to connect:
Although there is an OBD plug, in most cases device must be attached to PT-CAN (powertrain CAN) or control unit directly.
According to OBD standarts -
- CAN HI: pin 6,
- CAN LO: pin 14,
- ground: pins 4 and 5
- K-line: pins 1 and 7
- power +12v: pin 16 (not necessary when using CAN, only for K-line)
Some description how stuff works:
- each unit which must be authorized has it’s own address. ECU has address 02, transmission - 03 etc. EIS itself has 00, ESL - 01. EIS is a master of all FBS3 related communications and is accessible via IR, ESL is a submodule of EIS and is accessible via K-line. That’s why we are starting from address 02 here.
- MBcan emulates EIS from a FBS3 unit point of view. Be careful, sending diagnostic requests to CAN directly can cause EIS damage: EIS see that there is a response, but there was no any diagnostic request before… If it gets wrong answer to some previosly sent request, nobody knows what will happen. It’s on your own risk. By the way, logging is absolutely safe.
- on picture below you can see communication between ECU and EIS (very simple car, only ECU needs authorization). What we see is - 1) ECU send request 2) EIS send response with current track and actual hash 3) ECU responds - accepted or rejected. In addition we manually send request for status to address 02 here and got answer from ECU. What we see is ECU is authorized now and ready to start. We did that at our own risk here, safe way is to request data via EIS, response will be shown in log window anyway because tool is continuously monitoring CAN line (you can temporary switch monitoring off if you wish).
- If more modules attached, we will see activity and communication with all of them (transmission, ISM etc…), they must initiate authorization requests and EIS must respond to them all.
- another functionality: button “Read” requests hash list from control unit as shown on picture. This function is very useful when working with control units “on the bench” without car - for example, to read out SONDER HASH for unit renew jobs.
- note: hash list and status from 7G control units (automatic transmission) is readable using two different methods. If check box is marked, it is read out via diagnostic session like DAS/Xentry does. If unchecked, it is read as ordinary FBS module located on address 03. In this case IGNITION ON signal is mandatory.
- about unlock: at first you must obtain HASH for unlock based on actual SONDER HASH (use online services - we recommend to use www.dealer-hash-reset.com ). Then press “unlock”. There must be some feedback from control unit after some seconds. Observe status. If everything is okay you will see picture like this:
- EIS via K-line: used to send diagnostic request to EIS to initiate SERIES EIS personalization.
Some notes in addition:
- this tool is designed for jobs not covered by DAS / Xentry or other diagnostic tools available on the market for almost everyone. That’s why there are no any personalization and activation buttons here.
- same story about SERIES EIS personalization: this small but so necessary K-line job is implemented here because personalization command for w210 and similar ones not exist in DAS software at all (HTT only for old EIS). For later units DAS works fine, no reason to copy/paste this functionality.
how to get password from CAN exchange and key data collection:
- at first attach MBcan to PT-CAN and try to start a car. You must see three authorization related messages in log window: random from ECU, response from EIS and authorization result from ECU (accepted or not).
- you can play with these values (FBS2 mathematics) to understand what happens and how they are calculated. Common task is to get MAC (it’s a function from KEY password). When making calculations, result is displayed on green background, incoming data is displayed on yellow background.
- when we have valid MAC, we can use it to program FBS2 emulator. Reasonable option. But this is not what we will do now because our task is to restore password from MAC.
- step 1: MAC to PASSWORD, press “Go”! Calculation is launched. It is possible to interrupt it at any time by pressing ESC button on keyboard. Full cycle takes about 1 hour at average PC / Laptop. Result is displayed in log window. If success, last 4 bytes of password are recovered ( xxxxxxxx44AD6A21 in our case) . More than one result is possible, it is recommended to continue until no more combinations possible (software will say when calculation is finished).
- step 2: must load KEY data collection (must use MBir and password checker utility to get data from key). If data is OK and loaded, SSID is displayed.
note: it is possible to complete task with MBnec or MBir password checker too.
- step 3: keydata to password: press “Go” and wait for result:
Overall process can take up to some hours on average PC.
Some notes in addition:
- in most cases it is possible to get keyset password much faster using invasive methods and device programmer.
- this method works if EIS dump isn’t corrupted
- any method is good enough. This is only another possibility how to do job..
- advantages: only 5 minutes necessary to log communications and collect key data and hash list from EIS via IR. If all data collected, car is not necessary for further calculations
- disadvantage: only older cars covered, with HC705 mcu’s inside EIS.