The goal shifted from reading suspension data to controlling it. We wanted to send diagnostic commands directly to the Ride Level Control Module (RLM) — the ECU that manages the Discovery 3’s air suspension.
To do that, we needed the dealer tool’s playbook. So we downloaded JLR SDD 130 (the Jaguar Land Rover Symptom Driven Diagnostics software, circa 2012) and extracted every byte.
What’s Inside SDD
SDD is a Windows XP application distributed as a VirtualBox VM. It’s not a single program — it’s a stack:
SDD GUI (testman.exe)
└─ SA_*.dll (Service Action plugins, one per diagnostic routine)
   └─ VISO14229.dll (UDS protocol stack)
      └─ J2534 Pass-Thru driver (MongoosePro JLR)
         └─ CAN bus → vehicle ECUs
The VM image is a 10GB .ova file. We extracted it, mounted the virtual disk, and went hunting.
Key Files Found
| File | What It Is |
|---|---|
| SA_AirCalibration_01.dll | The actual suspension calibration plugin |
| SecAlg.dll | Security algorithm library (seed-to-key) |
| Security.exml | Master key database for every ECU |
| MDX_RLM.exml | RLM ECU definition (DIDs, routines) |
| RLM.xml | CAN addressing and protocol config |
| VISO14229.dll | ISO 14229 (UDS) communication library |
The SA (Service Action) DLLs are native C++ plugins. Each one implements a diagnostic procedure — reading sensors, actuating outputs, running calibrations. They’re not .NET (easy to decompile) — they’re compiled Win32 binaries.
What We Extracted from the DLLs
From SA_AirCalibration_01.dll strings, we found every valve and sensor the calibration routine controls:
@J_I_FRONT_RIGHT_VALVE @J_I_FRONT_LEFT_VALVE
@J_I_REAR_RIGHT_VALVE @J_I_REAR_LEFT_VALVE
@J_I_FRONT_CROSS_LINK @J_I_REAR_CROSS_LINK
@J_I_RESERVOIR_VALVE @J_I_EXHAUST_VALVE
@J_I_COMPRESSOR @J_I_COMPRESSOR_TEMP
@J_I_MOTOR_TEMP @J_I_HEIGHT
And the calibration procedures themselves:
@J_I_COMP_10SEC_VLV_CLO_60SEC_OP — Compressor test
@J_I_COMP_EXH_OPEN_GALL_PRES — Gallery pressure test
@J_I_CAU_GALL_PRES_AIR_DEL — Air delivery calibration
@J_I_RID_LEV_CM_INTFAC — Ride level calibration interface
@J_I_PLACE_RLM_INOUT_TOL — Tight tolerance mode
The “tight tolerance mode” is particularly interesting — it’s the calibration mode that allows writing new height offsets to the ECU.
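The string triage described above can be reproduced with a short scanner. This is an added example, not the tooling used in the original post: the byte blob is constructed for illustration, and the UTF-16LE pass is an assumption about how a Win32 binary might also store such tokens.

```python
import re

# Token shape seen on the page: "@J_I_" then upper-case letters, digits, underscores.
ASCII_RE = re.compile(rb"@J_I_[A-Z0-9_]+")
# Assumption: the same tokens may also be stored as UTF-16LE (each byte followed by 0x00).
UTF16_RE = re.compile(rb"@\x00J\x00_\x00I\x00_\x00(?:[A-Z0-9_]\x00)+")

# Constructed sample, not bytes from the real DLL: a fake header, two ASCII
# tokens, one UTF-16LE token, a duplicate, and a near-miss that must not match.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"\x00@J_I_COMPRESSOR\x00\x00@J_I_HEIGHT\x00"
    b"\xff\xfe" + "@J_I_EXHAUST_VALVE".encode("utf-16-le") + b"\x00\x00"
    b"@J_I_HEIGHT\x00"
    b"@J_X_NOT_A_TOKEN\x00"
)


def extract_tokens(blob: bytes) -> list[str]:
    """Return unique @J_I_* tokens ordered by first file offset."""
    hits = []
    for m in ASCII_RE.finditer(blob):
        hits.append((m.start(), m.group().decode("ascii")))
    for m in UTF16_RE.finditer(blob):
        hits.append((m.start(), m.group().decode("utf-16-le")))

    seen, ordered = set(), []
    for _, token in sorted(hits):  # sort by offset so both encodings interleave
        if token not in seen:
            seen.add(token)
            ordered.append(token)
    return ordered


if __name__ == "__main__":
    for token in extract_tokens(SAMPLE):
        print(token)
```

To scan a real file, pass the result of `open(path, "rb").read()` instead of `SAMPLE`.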
The VERONA Protocol Layer
JLR uses a proprietary CAN addressing scheme called “VERONA.” For the Discovery 3 (L319 MY05) RLM, the config is:
<VERONA deviceNo="0" bitLen="29" baudRate="500K">
<addressing type="physical" format="Fixed">
<CAN srcId="0x33" targetId="0x2B" />
</addressing>
</VERONA>
This tells us the RLM is on the 500kbps HS-CAN bus, using 29-bit CAN identifiers. The source and target addresses (0x33 and 0x2B) are used to construct the diagnostic CAN ID.
Coming up in Part 7: cracking the Ford security algorithm, finding the RLM’s secret keys, and building the security unlock flow.
Disclaimer: This series documents reverse engineering for educational and research purposes. JLR SDD is proprietary software owned by Jaguar Land Rover. The techniques described are applied to a bench ECU, not a road-registered vehicle.