Daimler XENTRY Diagnosis: Enhancing Security for Modern Vehicle Diagnostics

In today’s automotive repair landscape, security is paramount. As vehicles become increasingly sophisticated and connected, the tools we use to diagnose and service them must also evolve to meet new security challenges. For professionals working with Daimler vehicles, the XENTRY Diagnosis system is a crucial tool. This article will delve into the enhanced security features implemented within XENTRY Diagnosis, specifically focusing on the mandatory second authentication process that strengthens the protection of vehicle electronic control units (ECUs). Understanding these updates is essential for any workshop utilizing Daimler Xentry for commissioning, programming, and coding.

Two-Factor Authentication: Your Enhanced Security Layer for XENTRY Flash

To safeguard against unauthorized access and ensure the integrity of vehicle systems, Daimler has implemented a two-factor authentication system for XENTRY Flash operations. This additional layer of security is now mandatory for all users performing ECU programming and coding, similar to the security protocols you might encounter in online banking. This process, often referred to as multi-factor authentication (MFA), requires users to verify their identity using two distinct methods, significantly reducing the risk of unauthorized access.

Choosing Your Authentication Factor:

For seamless and secure access to XENTRY Flash, you will need to set up one of the following two authentication factors:

  • Smartphone Authenticator App: A convenient and readily accessible option is using an authenticator application on your smartphone. Popular and compatible apps include PingID and Microsoft Authenticator. These apps generate time-based one-time passwords (TOTP) that serve as your second authentication factor.

  • USB Security Key (FIDO2 Standard): For a hardware-based security solution, you can utilize a USB security key. Crucially, the key must support the FIDO2 standard, ensuring compatibility with the Daimler XENTRY system. These keys are widely available from electronics retailers and directly from manufacturers.

Pro Tip: For maximum security and uninterrupted workflow, it is highly recommended to set up both authentication options from the outset. This redundancy ensures that if you lose access to one factor (e.g., lose your smartphone), you can seamlessly continue working with the alternative method, minimizing downtime in your workshop.

Setting Up and Managing Your Second Factor Authentication

To assist you in the setup process, Daimler provides a helpful HelpCard document, available for download in PDF format. This guide offers step-by-step instructions to configure your chosen authentication methods.

Troubleshooting Authentication Issues: Resetting Your Second Factor

In situations where you are unable to authenticate – for instance, if you lose your smartphone and haven’t set up a USB security key – there are recovery options available:

  1. Utilize an Alternative Factor: If you have configured both a smartphone app and a USB security key, and one is unavailable, simply use the functioning alternative to regain access.

  2. Contact Your Organization Administrator: If you lack an alternative second factor, your organization administrator (org admin) can assist you. The org admin has the authority to reset your second factor, allowing you to set up a new one. You can identify your org admin through the Alice platform under your profile data by clicking on “Administrators.”

Comprehensive instructions for organization administrators on how to reset user second factors are also provided in a dedicated PDF document.

Expanding XENTRY Flash Applications in Your Workshop

The enhanced security measures do not limit the versatility of XENTRY Flash. This powerful tool remains essential for a wide range of diagnostic and service tasks across the Daimler vehicle spectrum:

  • Comprehensive Vehicle Coverage: XENTRY Flash is compatible with Mercedes-Benz Cars (including smart* models – except smart model #1, Maybach, and SLR) and Mercedes-Benz Vans.

  • Truck Parameterization: For Mercedes-Benz Trucks, XENTRY facilitates an efficient online parameterization process for control units. This significantly accelerates data availability in the workshop after ECU replacements, streamlining repair workflows.

  • Integrated within Diagnostic Software: All XENTRY Flash processes are seamlessly integrated within the familiar XENTRY Diagnosis and XENTRY DAS software environments. This integration minimizes manual interventions by mechanics and promotes a more fluid diagnostic process.

Streamlined Post-Programming Procedures: Automatic SCN Coding and VeDoc Updates

XENTRY Diagnosis further enhances efficiency by automating crucial post-programming steps. After ECU programming, the system automatically initiates:

  • SCN Coding (if applicable): If permitted by the specific control unit, SCN (Software Calibration Number) coding is automatically executed.

  • VeDoc Reverse Documentation: The VeDoc (Vehicle Documentation) system is automatically updated to reflect any changes made to the vehicle or ECU software. This ensures the VeDoc vehicle data card remains current and accurate, providing a complete and up-to-date vehicle history.

Single Sign-On: Enhanced Convenience for Workshop Applications

To further optimize workflow efficiency, XENTRY Diagnosis incorporates a Single Sign-On (SSO) feature. Once logged into one Daimler workshop application (such as XENTRY Flash, WIS, or others), users gain seamless access to other central online systems without requiring repeated logins. This eliminates redundant sign-in steps and promotes a smoother, more productive workday. For security, the system automatically logs users out of online systems after one hour of inactivity.

Understanding Diagnosis User Rights: Adapting to New Security Concepts

The introduction of the E-Class facelift and the new S-Class models brought with it an updated security concept that significantly impacts the utilization of XENTRY Diagnosis software. Starting from the June 2020 data release, accessing diagnostic functions on these newer models requires entering a personalized username and password. This measure signifies a shift towards enhanced security and controlled access.

Key Implications of New User Rights:

  • Diagnosis Access Authorization Required: Diagnosing the latest E-Class and S-Class vehicles is no longer possible without proper diagnosis access authorization.

  • Identification Process for All Users: Every user must undergo a one-time identification process to acquire the necessary user rights for diagnosing these and subsequent models.

  • XENTRY Diagnosis Kit 3 Minimum Requirement: Diagnosing these newer model series is not supported with XENTRY Diagnosis Kit 2. A XENTRY Diagnosis Kit 3 or later is mandatory.

Two Tiers of User Rights:

The new system differentiates between two distinct types of user rights, catering to different user roles and access needs:

  • XENTRY Standard Diagnosis: This right level is intended for diagnosis users who do not require XENTRY Flash authorization. It provides access for essential diagnostic tasks such as reading and clearing fault memories.

  • XENTRY Flash User: This user right level corresponds to the previous XENTRY Flash user authorization, granting full access to XENTRY Flash functionalities.

Acquiring User Rights:

To obtain the necessary user rights, Daimler provides a straightforward process through the UMAS (User Management and Authorization System) platform:

  1. XENTRY Flash Authorization: Both Standard-Flash and Extended Flash roles (for all CeBAS vehicles) are requested via UMAS. Each user must complete a one-time identification process through the UMAS portal (https://umas.mercedes-benz.com/umas) to obtain Flash roles.

  2. XENTRY Standard Diagnosis Rights: All diagnosis users needing access to newer models must independently request Standard Diagnosis rights through the same UMAS portal (https://umas.mercedes-benz.com/umas) and complete the one-off identification process. In some market-specific cases, ISP support may need to create the user in GEMS if a user ID doesn’t already exist.

The Rationale Behind Certificate-Based Diagnosis: Protecting Modern Vehicles

The increasing sophistication of vehicles, transforming them into “mobile computers,” unfortunately also makes them prime targets for cyberattacks and unauthorized manipulation. Growing media attention on vehicle hacking and emerging UNECE regulations mandating vehicle protection highlight the critical need for robust security measures.

Mercedes-Benz is proactively addressing these challenges by implementing certificate-based diagnosis. This security architecture is designed to protect against unauthorized diagnostic access and safeguard vehicle integrity.

Vehicle Applicability: Which Models are Affected?

Certificate-based diagnosis was initially introduced in E-Class facelift vehicles (model series W213 facelift) for individual control units. The S-Class W223 marked the full-scale implementation of this security architecture. Moving forward, all new Mercedes-Benz model series and subsequent facelifts will incorporate certificate-based diagnosis as a standard security feature.

Changes to the Diagnosis Process: Certificate Exchange

With certificate-based diagnosis, a crucial change is introduced to the diagnostic process itself. To initiate a diagnosis session on affected vehicles, a digital certificate provided by the manufacturer is now required. At the start of each session, this certificate is automatically exchanged between the diagnostic tester and the vehicle. This certificate exchange process is managed seamlessly within the tester application and runs in the background, ensuring minimal disruption to the diagnostic workflow.

Obtaining Certificates: Access for Independent Workshops and Tool Manufacturers

The process for obtaining certificates varies depending on your workshop type:

  • Independent Workshops (using official tools): If you utilize a XENTRY Diagnosis Kit 3 or 4, or XENTRY Pass Thru EU, the necessary certificates are directly provided by Mercedes-Benz AG at no additional cost.

  • Independent Workshops (using aftermarket tools): If you employ a diagnostic tool from an independent manufacturer, certificate availability depends on whether the tool manufacturer has established a data agreement with Mercedes-Benz AG. In such cases, certificates are provided by the tool manufacturer.

  • Diagnosis Tool Manufacturers: Specific processes are in place for diagnosis tool manufacturers to obtain certificates, typically involving agreements with Mercedes-Benz AG.

  • Technical Inspection Agencies/Official Bureaus: Similar to tool manufacturers, technical inspection agencies and official bureaus have dedicated procedures for certificate acquisition, often involving direct arrangements with Mercedes-Benz AG.

Cost Considerations: Certificate Availability and Associated Expenses

Mercedes-Benz AG provides the necessary diagnostic certificates free of charge to all authorized customers. This commitment ensures that enhanced security does not impose additional financial burdens on workshops utilizing genuine or approved diagnostic tools.

Data Requirements: Personalization and Access Levels

The specific data required for certificate issuance and access authorization varies based on the level of access needed:

  • Read Access Authorizations: These authorizations are organization-bound and must be issued to an organization or service operation.

  • Write Access Authorizations: Write access, which allows for modifications and programming, is personalized and necessitates prior personal authentication, either directly with Mercedes-Benz AG or with the independent tool manufacturer (if applicable).

OBD-II Functionality and Access Restrictions: Understanding Limitations

It’s important to understand the impact of certificate-based diagnosis on different diagnostic functions:

  • Unrestricted OBD-II Functions: Standard OBD-II functions (SAE J1979), primarily related to emissions diagnostics, remain accessible without any certificate requirements.

  • Certificate-Required Functions: All diagnostic functions beyond standard OBD-II now require diagnosis certificates. The specific certificate type (organization-bound or person-bound) depends on the level of access authorization needed for the function.

XENTRY Flash Support: Dedicated Assistance Resources

For any questions or assistance related to XENTRY Flash and the new security measures, Daimler provides dedicated support resources. Within the XENTRY system, you can access a comprehensive “Need help?” section. This section offers FAQs and troubleshooting guidance. If you cannot find a suitable answer in the FAQs, you can directly open a support ticket through the system for personalized assistance.

By understanding and implementing these enhanced security measures within Daimler XENTRY Diagnosis, workshops can ensure the continued safe and efficient servicing of modern Mercedes-Benz vehicles in an increasingly complex and security-conscious automotive world.
