Benz SKC Calculator

**doslamer** · 12th June, 2012, 10:03 AM

Originally Posted by JOHNCICY

SMALL KNOWLEDGE OF E S L.
No need of learning with DAS

May be this is all if someone need to make key without key maker. Just use this dump for ESL from JOHNCICY post, from my post #9 use dump for any key just put correct SSID and PASSWORD,after that put info in EZS any arhive of my post have correct place for key. After programming of key you can start the car. But for some model with automatic transmission you may need to reprogram ECU.

**ivanrpm** · 15th June, 2012, 07:40 PM

Originally Posted by doslamer

May be this is all if someone need to make key without key maker. Just use this dump for ESL from JOHNCICY post, from my post #9 use dump for any key just put correct SSID and PASSWORD,after that put info in EZS any arhive of my post have correct place for key. After programming of key you can start the car. But for some model with automatic transmission you may need to reprogram ECU.

yes bro you are completly right this will work, making a summary of all info, excelent, like bram380 want to do at the beggining make a key without software,by hand!

**JOHNCICY** · 5th August, 2012, 05:53 PM

Originally Posted by JOHNCICY

SMALL KNOWLEDGE OF E S L.
No need of learning with DAS

I found out that this dump works on w211 also........

**bram380** · 10th August, 2012, 01:55 PM

Welcome to the month of Ramadan, the month of forgiveness.
God bless all.

**lexa-dok** · 11th August, 2012, 02:31 PM

Please for me

Mercedes EIS 210 Key by dump

thanks

**bram380** · 11th August, 2012, 02:41 PM

please info ezs type & mcu1 &2 type (zc.....)

FYI:
mcu1 & mcu2 without password, so new key wont work.
please read again mcu.
or read old key to see the password.

**bram380** · 11th August, 2012, 03:06 PM

ESL learning

address: containts:
-------- ----------
00-0F ...?????... ---> SSID, Password ?
10-1F key0 hash
20-2F key1 hash
30-3F key2 hash
40-4F key3 hash
50-5F key4 hash
60-6F key5 hash
70-7F key6 hash
80-8F key7 hash
90-9F ...?????.... ---> synchrone code to ecu?

example:
40-4F xxxx 3333 xxxx xxxxx ---> key3 used
50-4F 4444 4444 4444 4444 ---> key4 not used
60-6F 5555 xxxx xxxx xxxx ----> key5 used

4444 is first 8byte of key4

Need confirmation from mb expert about this esl.

**lexa-dok** · 11th August, 2012, 09:28 PM

Originally Posted by bram380

please info ezs type & mcu1 &2 type (zc.....)

FYI:
mcu1 & mcu2 without password, so new key wont work.
please read again mcu.
or read old key to see the password.

what to do

can as that it is possible to restore dump with EIS

still I apply ESL dump

**bram380** · 11th August, 2012, 10:36 PM

I think ezs dump read by k-line

**lexa-dok** · 13th August, 2012, 03:42 PM

Mercedes EZS 210 Key by dump

re-read anew

**bram380** · 13th August, 2012, 04:08 PM

Key no.0,1,2 used.
Key no.7 have source code error
Make new keys no.3,4,5,6

**JOHNCICY** · 13th August, 2012, 06:19 PM

Originally Posted by lexa-dok

Mercedes EZS 210 Key by dump

re-read anew

Here u have ......test and report

**mark.sch** · 24th August, 2012, 07:56 AM

Very, very interesting thread ;-)

When ESL contains SSID+Pass+Hashes it should be possible to manually rebuild a lost EZS eeprom? A hope for all those having their eeprom damaged due to faulty xprog (my case).

At least when 722.9 gearbox is present, this seem to become even harder. But dismounting 7G and doing SPI coding is not an option for me right now.

So I am taking a closer look doing it the Mercedes way with MB DAS - ESL_RESET, ECU_RESET and key learning. In one of the first posts it is said that a EZS eeprom and key without SSID+Pass is virgin. Does it mean, when you take any spare EZS remove this information from EZS and Key, it behaves like a virgin EZS with green dealer key - so you have all MB DAS possibilities?

**ficho** · 25th August, 2012, 02:16 PM

HI ,
I have reversed a little ESL, attached W203_DIS, If I upload
ESL_AUTO_LEARNING_KEY.bin will ESL adapt to EZS or EZS to ESL, what keys will be accepted?

CF30DBFA7816FBD6747E850D5C57A115
653B34A9371DA2D81D69584F6BA4A1DB
1C42C469A209871003049C61C674A24C
2A887FBB2A887FBB2A887FBB2A887FBB
F0D5236CF0D5236CF0D5236CF0D5236C
DD0A6ADEDD0A6ADEDD0A6ADEDD0A6ADE
AF23065DAF23065DAF23065DAF23065D
D2A3AF7BD2A3AF7BD2A3AF7BD2A3AF7B
D589DCF5D589DCF5D589DCF5D589DCF5
FFFF320163636300005514020000FFA1

The last row is autochecked and repaired if check fails, also at $197 ussually the ESL writes $F7 by it's self!
At 0x80 is the Password challange so ESL can be Erased.
If someone can make some test's and inform here on forum, then reversing can be focused in less subroutines.
Protocol can be sniffed at speed of 9600 8N1, use HTERM der-Hammer: HTerm - A Terminal Program for Windows and Linux can do a RAW log or hex with time stamp.
Regards ficho

**mark.sch** · 25th August, 2012, 06:11 PM

Originally Posted by ficho

HI ,
I have reversed a little ESL, attached W203_DIS, If I upload
ESL_AUTO_LEARNING_KEY.bin will ESL adapt to EZS or EZS to ESL, what keys will be accepted?

CF30DBFA7816FBD6747E850D5C57A115
653B34A9371DA2D81D69584F6BA4A1DB
1C42C469A209871003049C61C674A24C
2A887FBB2A887FBB2A887FBB2A887FBB
F0D5236CF0D5236CF0D5236CF0D5236C
DD0A6ADEDD0A6ADEDD0A6ADEDD0A6ADE
AF23065DAF23065DAF23065DAF23065D
D2A3AF7BD2A3AF7BD2A3AF7BD2A3AF7B
D589DCF5D589DCF5D589DCF5D589DCF5
FFFF320163636300005514020000FFA1

The last row is autochecked and repaired if check fails, also at $197 ussually the ESL writes $F7 by it's self!
At 0x80 is the Password challange so ESL can be Erased.
If someone can make some test's and inform here on forum, then reversing can be focused in less subroutines.
Protocol can be sniffed at speed of 9600 8N1, use HTERM der-Hammer: HTerm - A Terminal Program for Windows and Linux can do a RAW log or hex with time stamp.
Regards ficho

Just for understanding, you read Motorola 68HC05E6 flash memory on bench with s.th. like xprog and used IDA disassembler with Motorola instruction set? But where comes your HTERM serial sniffing into place, which interfaces with serial communication are you listening at?