Hi everyone,
I'm reverse-engineering the SA2 security access algorithm for the VW Golf MK8 instrument cluster (5H0920340A, SW 3470, Continental Automotive, date 2021-12-03).
I extracted the SA2 bytecode directly from the ODX flash file:
814A24680D814A0D932FAB6318828410FB53A44A0A871632DB619374A1D4F849933DA640B14A1968834A2588C21A8784A4078747CB864A03879B40B2C44A014B
Running this through the standard bri3d/sa2_seed_key VM works for ~75% of seeds (those that don't hit the conditional branch at offset 0x25). The remaining seeds pass through a block containing opcodes unknown to the standard VM:
[2B] 0x88 0xC2 — 2-byte instruction (rotate? OR? shift?)
[2D] 0x1A — 1-byte instruction (NOP? NOT? NEG?)
[33] 0x47 0xCB — 2-byte instruction
[35] 0x86 + 4-byte operand — 5-byte instruction (MUL? AND?)
[3A] 0x40 + ? — variable length
The MK7.5 cluster (5G1920791B) uses the standard opcodes only and works perfectly with the bri3d VM.
Has anyone already documented the extended SA2 opcode set for MQB37 (Golf 8, post-2019)? Any reference to 0x88, 0x1A, 0x47, 0x86 or 0x40 in the VAG SA2 VM context would be very helpful.
Thanks!
SA2 extended opcodes for VW Golf MK8 cluster (5H0920340A) — MQB37 VM unknown instructions
cutter2211
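
A linear-sweep disassembler for the bytecode quoted in the post, as an added example that is not part of the original post and is not the bri3d project's code. The opcode table (mnemonics and operand lengths) is an assumption based on the ten-instruction set of the public bri3d/sa2_seed_key VM; the sweep stops at the first byte outside that table because the instruction length is then unknown.

```python
# Added example: static listing of SA2 bytecode, no seed/key computation.
# ASSUMPTION: opcode table mirrors the standard ten-instruction SA2 set as
# implemented in the public bri3d/sa2_seed_key VM: opcode -> (name, operand bytes).
STANDARD_OPCODES = {
    0x81: ("rsl", 0),     # rotate left through carry
    0x82: ("rsr", 0),     # rotate right through carry
    0x93: ("add", 4),
    0x84: ("sub", 4),
    0x87: ("eor", 4),
    0x68: ("loop", 1),    # loop start, operand = iteration count
    0x49: ("next", 0),    # loop end
    0x4A: ("bcc", 1),     # conditional skip, operand = bytes to skip
    0x6B: ("bra", 1),     # unconditional skip
    0x4C: ("finish", 0),
}

# Bytecode exactly as quoted in the post (64 bytes).
POST_BYTECODE = bytes.fromhex(
    "814A24680D814A0D932FAB6318828410FB53A44A0A871632DB619374A1D4F849"
    "933DA640B14A1968834A2588C21A8784A4078747CB864A03879B40B2C44A014B"
)

def disassemble(tape):
    """Decode from offset 0. Returns (instructions, stop) where stop is None
    if the whole tape decoded, else (offset, byte, reason)."""
    instructions, pc = [], 0
    while pc < len(tape):
        op = tape[pc]
        if op not in STANDARD_OPCODES:
            return instructions, (pc, op, "unknown opcode")
        name, size = STANDARD_OPCODES[op]
        operand = tape[pc + 1:pc + 1 + size]
        if len(operand) < size:
            return instructions, (pc, op, "truncated operand")
        instructions.append((pc, name, operand.hex().upper()))
        pc += 1 + size
    return instructions, None

def listing(tape):
    """Human-readable listing; a linear sweep ignores control flow."""
    instructions, stop = disassemble(tape)
    lines = [f"[{off:02X}] {name} {arg}".rstrip() for off, name, arg in instructions]
    if stop:
        off, op, reason = stop
        lines.append(f"[{off:02X}] 0x{op:02X}  <-- {reason}, sweep stopped")
    return "\n".join(lines)

if __name__ == "__main__":
    print(listing(POST_BYTECODE))
```

On the quoted bytecode the sweep decodes 16 instructions with the standard table and stops at offset 0x2B on byte 0x88, the first entry in the post's list of unknown opcodes.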