Mercedes-Benz has implemented robust security enhancements within the XENTRY Diagnosis system to protect vehicles from unauthorized access and cyber threats. A key component of this enhanced security framework is the Vehicle Documentation system, known as VeDoc. This article will delve into the latest security updates in XENTRY Diagnosis and highlight the crucial role of VeDoc, particularly in relation to XENTRY Flash operations.
To ensure the highest levels of security when commissioning, programming, and coding Electronic Control Units (ECUs) using XENTRY Flash, a mandatory second authentication layer has been introduced for every user. This dual authentication process mirrors the security measures employed in online banking, adding a significant layer of protection against unauthorized modifications.
Two-Factor Authentication for XENTRY Flash
Users are now required to utilize one of two authentication methods to access XENTRY Flash functionalities:
- Smartphone Authenticator App: Compatible with popular authenticator applications such as PingID and Microsoft Authenticator.
- USB Security Key: Any security key that adheres to the FIDO2 standard is supported. These keys are readily available from electronics retailers and manufacturers.
It is strongly recommended to configure both authentication options. This redundancy ensures continued access to XENTRY Flash even if one authentication factor is lost or unavailable.
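The authenticator-app factor described above is, in the usual enrolment, a time-based one-time password: the app and the server share a secret at enrolment, and the six-digit code is an HMAC over the current 30-second time step. The page does not describe the internals of the XENTRY login, so the following is an added illustration, not Mercedes-Benz or PingID code: it assumes the standard TOTP scheme (RFC 6238) and uses the RFC's own published test secret. It shows the two server-side checks a practitioner cares about, tolerating a little clock drift between phone and server, and refusing to accept a code for a time step that has already been consumed, so a code observed once cannot be replayed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// RFC 6238 reference secret ("12345678901234567890" in base32). It is used here
// only because its codes are published test vectors; a real enrolment generates
// a random per-user secret and shows it to the app once as a QR code.
const demoSecret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

const stepSeconds = 30 // time step shared by the app and the server

// hotp computes the six-digit RFC 4226 HMAC-SHA1 one-time password for counter.
func hotp(key []byte, counter uint64) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation: low nibble picks the window
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totpAt returns the code an authenticator app displays during the step containing t.
func totpAt(key []byte, t time.Time) string {
	return hotp(key, uint64(t.Unix()/stepSeconds))
}

// Verifier is the server-side state for one user's enrolled authenticator app.
type Verifier struct {
	key      []byte
	skew     int64 // clock drift tolerated, in steps on each side of "now"
	lastUsed int64 // highest step already consumed; blocks replay of a captured code
}

func NewVerifier(secretB32 string, skew int64) (*Verifier, error) {
	key, err := base32.StdEncoding.DecodeString(strings.ToUpper(secretB32))
	if err != nil {
		return nil, fmt.Errorf("invalid base32 secret: %w", err)
	}
	return &Verifier{key: key, skew: skew, lastUsed: -1}, nil
}

// Verify accepts code only if it matches the current step or one within skew,
// and only if that step has not been accepted before. The comparison is
// constant-time so response timing does not leak which digits matched.
func (v *Verifier) Verify(code string, now time.Time) bool {
	step := now.Unix() / stepSeconds
	for d := -v.skew; d <= v.skew; d++ {
		candidate := step + d
		if candidate <= v.lastUsed {
			continue // already consumed (or older than a consumed step): replay
		}
		if hmac.Equal([]byte(hotp(v.key, uint64(candidate))), []byte(code)) {
			v.lastUsed = candidate
			return true
		}
	}
	return false
}

func main() {
	v, err := NewVerifier(demoSecret, 1)
	if err != nil {
		panic(err)
	}
	now := time.Unix(59, 0) // RFC 6238 vector: step 1, code 287082
	code := totpAt(v.key, now)
	fmt.Println("code:", code)
	fmt.Println("first use accepted:", v.Verify(code, now))
	fmt.Println("replay accepted:   ", v.Verify(code, now))
}
```

The replay guard is what makes a lost or shoulder-surfed code worthless after its first use; the skew window of one step is the usual trade-off between tolerating phone clock drift and widening the guess window. A FIDO2 key avoids the shared-secret model entirely, which is one reason the text recommends enrolling both.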
Resetting the Second Factor
In situations where authentication becomes impossible, several recovery options are available:
- Alternative Second Factor: If a smartphone is lost or inaccessible but a USB security key is set up, the security key can be used for authentication.
- Organizational Administrator Reset: If no alternative second factor is configured, contacting the organization administrator is necessary. The administrator can reset the second factor, enabling the user to set up a new one. Organization administrator details can be found within the user’s profile on the Alice platform under “Administrators.”
Comprehensive instructions for organization administrators on resetting the second factor are available for download, ensuring a smooth recovery process.
VeDoc: Automatic Documentation of Vehicle Modifications
XENTRY Flash is a versatile tool applicable to Mercedes-Benz Cars (including smart*, Maybach, and SLR) and Mercedes-Benz Vans for various operations, including flashing, SCN/CVN coding, and equipment code entry. These processes are seamlessly integrated within the XENTRY Diagnosis and XENTRY DAS software, minimizing manual intervention.
A significant advantage of XENTRY Flash is its automatic integration with the VeDoc Vehicle Documentation System. After ECU programming, if permitted by the control unit, SCN coding and, importantly, reverse documentation are automatically executed in VeDoc. This automatic process ensures that any modifications made to the vehicle or its ECU software are meticulously recorded and updated on the VeDoc vehicle data card. This feature is critical for maintaining an accurate and secure history of vehicle configurations and software statuses.
Single Sign-On for Streamlined Workflow
To enhance user convenience and workflow efficiency, a single sign-on (SSO) system is implemented across Mercedes-Benz workshop applications. Once logged into one application, such as XENTRY Flash or WIS, no further login is required for accessing other central online systems, resulting in a seamless and uninterrupted workflow within the workshop environment.
Diagnosis User Rights and Security Certificates
A new security concept, introduced with the E-Class facelift and the new S-Class, requires personalized user rights for diagnosis. Since June 2020, accessing newer E-Class and S-Class models requires entering a personalized username and password. These vehicles cannot be diagnosed without proper authorization, so every user must complete an identification process to acquire the necessary rights. Notably, XENTRY Diagnosis Kit 2 is no longer sufficient for these models; XENTRY Diagnosis Kit 3 or later is required.
Two distinct user right types exist:
- XENTRY Standard Diagnosis: For basic diagnosis users without XENTRY Flash authorization, allowing functions like reading and erasing fault memories.
- XENTRY Flash User: Corresponds to the existing XENTRY Flash user role, granting access to flashing and coding functionalities.
Users can obtain these rights through the UMAS platform (https://umas.mercedes-benz.com/umas). XENTRY Flash roles (Standard and Extended) and XENTRY Standard Diagnosis rights both require a one-time identification process via UMAS. Market-specific ISP support may need to create user IDs in GEMS if they do not already exist.
Certificate-Based Diagnosis: Protecting Vehicle Integrity
The increasing sophistication of vehicles as “mobile computers” has made them potential targets for cyberattacks. Mercedes-Benz is proactively addressing this threat by implementing certificate-based diagnosis, aligning with forthcoming UNECE regulations mandating vehicle protection.
Certificate-based diagnosis, introduced initially with the E-Class facelift (W213) and fully implemented in the S-Class W223, is now standard for all new model series and facelifts. This system requires a manufacturer-provided certificate to initiate a diagnosis session. This certificate is exchanged between the diagnostic tester and the vehicle at the start of each session, operating transparently in the background to ensure secure communication and prevent unauthorized access.
Obtaining Diagnosis Certificates
The process for obtaining certificates varies based on the user type:
- Independent Workshops: Certificates are provided by Mercedes-Benz AG for users of XENTRY Diagnosis Kit 3, 4, or XENTRY Pass Thru EU. For workshops using independent manufacturer diagnostic tools, certificate provision depends on agreements between the tool manufacturer and Mercedes-Benz AG.
- Diagnosis Tool Manufacturers, Technical Inspection Agencies, and Official Bureaus: Specific processes are in place for these entities to obtain necessary certificates.
Crucially, Mercedes-Benz AG provides these certificates free of charge to all customers.
Data Requirements and Access Levels
The data required for certificate issuance depends on the access level:
- Read Access Authorizations: Organization-bound and issued for an organization or service operation.
- Write Access Authorizations: Personalized and require prior personal authentication, either through Mercedes-Benz AG or an independent tool manufacturer.
OBD-II Functionality and Certificate Requirements
Standard OBD-II functions (SAE J1979) remain unrestricted and accessible without certificates. However, all advanced diagnostic functions beyond OBD-II require diagnosis certificates, with access levels (organization or person-bound) determined by the specific function’s authorization requirements.
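Taken together, the certificate exchange at session start, the two authorization types (organization-bound read, person-bound write) and the OBD-II exemption describe an access-control decision the vehicle has to make for every request. The following is an added example of that decision, written as a defender would model it; it is not Mercedes-Benz code and the real certificate profile is not described on the page. It assumes a manufacturer root CA, tester certificates that carry their access level in a hypothetical private extension (placeholder OID 2.999.1), and that a personalized certificate names the identified technician in its subject. The vehicle-side `authorize` function lets SAE J1979 through without any certificate, requires a certificate chaining to the root for everything else, and refuses write functions unless the certificate is both write-level and person-bound.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical non-critical extension carrying the authorization level; the OID is a
// placeholder under the reserved example arc 2.999, not the real certificate profile.
var oidAccessLevel = asn1.ObjectIdentifier{2, 999, 1}

type AccessLevel string

const (
	ReadOrganization AccessLevel = "read:organization" // organisation-bound read access
	WritePerson      AccessLevel = "write:person"      // personalized write access
)

// Function is one diagnostic request as the vehicle classifies it.
type Function struct {
	Name  string
	OBDII bool // standard SAE J1979 service: served without any certificate
	Write bool // flashing or coding: modifies the vehicle
}

// newCA builds a self-signed root standing in for the manufacturer's PKI.
func newCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Diagnosis Root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueTesterCert has the root sign a tester certificate (DER, as sent to the vehicle).
// person is empty for an organisation-bound certificate and names the identified
// technician for a personalized one.
func issueTesterCert(ca *x509.Certificate, caKey ed25519.PrivateKey, org, person string,
	level AccessLevel, notAfter time.Time) ([]byte, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader) // the tester keeps the private half; not needed here
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	levelDER, _ := asn1.Marshal(string(level)) // marshalling a plain string cannot fail
	return x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber:    serial,
		Subject:         pkix.Name{Organization: []string{org}, CommonName: person},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        notAfter,
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidAccessLevel, Value: levelDER}},
	}, ca, pub, caKey)
}

// authorize is the vehicle-side gate: OBD-II passes unconditionally; everything else needs
// a certificate chaining to the manufacturer root whose access level covers the request.
func authorize(fn Function, certDER []byte, root *x509.Certificate, now time.Time) error {
	if fn.OBDII {
		return nil
	}
	cert, err := x509.ParseCertificate(certDER) // an absent certificate (nil) fails here too
	if err != nil {
		return fmt.Errorf("%s: diagnosis certificate required: %w", fn.Name, err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("%s: certificate not trusted: %w", fn.Name, err)
	}
	var level string // stays empty, and is rejected below, if the extension is missing or malformed
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidAccessLevel) {
			asn1.Unmarshal(ext.Value, &level)
		}
	}
	switch {
	case level != string(ReadOrganization) && level != string(WritePerson):
		return fmt.Errorf("%s: missing or unknown access level %q", fn.Name, level)
	case fn.Write && (level != string(WritePerson) || cert.Subject.CommonName == ""):
		return fmt.Errorf("%s: needs a personalized write authorization, certificate has %q", fn.Name, level)
	}
	return nil
}
```

To exercise it, create a root with `newCA`, issue one organisation-bound read certificate and one person-bound write certificate with `issueTesterCert`, and call `authorize` with a J1979 request, a manufacturer-specific read, and a flash request: only the flash with the personalized certificate, and only while that certificate is valid and chains to the root, gets through. The chain check is what defeats a certificate minted by anyone other than the manufacturer, and the level-plus-subject check is what keeps an organisation's read credential from ever authorizing a write.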
XENTRY Flash Support Resources
For further assistance with XENTRY Flash, users can find answers to frequently asked questions or open a support ticket via the provided help resources, ensuring ongoing support and guidance for utilizing the XENTRY Diagnosis system effectively and securely.
In conclusion, Mercedes-Benz’s enhanced security measures within XENTRY Diagnosis, particularly the two-factor authentication and certificate-based diagnosis, represent a significant step forward in protecting vehicle systems. The integration of VeDoc for automatic reverse documentation is a critical component, ensuring a secure and auditable record of all authorized modifications, reinforcing the trustworthiness and security of the XENTRY ecosystem.
* except smart model #1