If it is a cryptographic challenge and response, you'd theoretically need the BCM on the CAN bus every time you engage the DU. If you were to reverse engineer what the BCM is doing and share the details with the readers here, you would have an audience of grateful TMC members.
Well my findings upto now are that it isn't this. it's just one code 8 bytes which are indeed paired / teached.
Offcourse this could be software version dependent.
I know that my solution won't cut it for everyone and yes there are aftermarket controllers available but those controllers dont pass
EMC certificate testing and that's mandatory.
What you see is that the drive unit spits out :
0x276 8 02 00 00 00 00 00 00 00 (request for IMMO)
0x256 8 yy yy yy ay yy yy yy yy (a has IMMO state in it -- ((data[3] & 0x70) >> 4) --)
0x5A8 8 xx xx xx xx xx xx xx xx (answer coming from somewhere i guess BCM through gateway) with the code.
0x256 8 yy yy yy ay yy yy yy yy (a has IMMO state in it -- ((data[3] & 0x70) >> 4) --)
The code repeats each 10/100ms (not sure yet).
The 0x276 and 0x256 with immo locked are normally not / not always seen.
If some people feel to contribute i fear/think the code is VIN related.
But a nice start would be to compare 5A8's and atleast we learn if that one is unique.
Uptil now i know that over the years it stays the same for the same vehicle.
(but i only have one vehicle sample)