There have been big changes in the processes; here’s what you need to know! …we will discuss the TRP policy and procedures, followed by what is likely somewhat new to you, the account verification system.

As the title suggests, there are two separate processes for verification when servicing Mercedes-Benz vehicles. One is related to the replacement of what is considered to be a theft relevant part (TRP), while the other deals with verifying the identity of the registered account/technician when coding or programming an electronic module or component. In the first part of this article we will discuss the TRP policy and procedures, followed by what is likely somewhat new to you, the account verification system.

How Did We Get Here?

First off, let me say that as a shop owner/technician I totally get how frustrating it can be to have to jump through a lot of hoops just to replace a part on a vehicle or perform a programming update. Techs tell me after attending any type of workshop or training class—be it virtual or live—when it comes to this topic, the discussion is always the same: It’s a pain! However, as with all other aspects of our business we need to see things from the customer’s perspective. According to a National Insurance Crime Bureau (NICB) analysis of data via the National Crime Information Center (NCIC), over a million vehicles were stolen in 2022, which means 1.9 vehicles are stolen every minute! Having had a close relative experience a car theft, due to a TikTok video that shows how easy it is to steal his particular brand of vehicle (an Asian import), and the ensuing nightmare that followed getting it repaired after it was recovered has shown me that keeping a vehicle secure from theft should be a high priority for automakers.

In 1984, the Motor Vehicle Theft Law Enforcement Act was created. As a means to prevent the theft of motor vehicles for their parts, the 1984 Theft Act required passenger cars and the major replacement parts for those cars to have vehicle identification numbers. In simple terms, it was a means of identifying parts that have maybe come from a “chop shop” which deals in stolen vehicles. This was only the beginning of vehicle security policies to come.

Mercedes-Benz takes the safety and security of their customer’s vehicles seriously, and as a result the Theft-Relevant Parts (TRP) program was introduced in 2008. It was a unique innovation to give independent technicians access to several of the MBUSA parts deemed critical to vehicle security. In part to improve consistency with process-implementation through the Mercedes-Benz dealer network and to increase aftermarket access to additional TRP items, MBUSA published a major revision to their TRP Policy in January 2015. A key requirement for participation in the MBUSA TRP program is a valid subscription to the NASTF Vehicle Security Professional (VSP) Registry, which connects locksmiths and technicians to original equipment manufacturer (OEM) security products using the OEM-NASTF-National Insurance Crime Bureau (NICB) Secure Data Release Model (SDRM) software. For more info on that, see NASTF and the VSP Registry (bit.ly/NASTFVSP) article in the June 2021 issue of StarTuned (bit.ly/mbst202106).

So what is a theft relevant part (TRP)? TRPs are parts that can be used to either steal a vehicle (such as a key) or give a vehicle a new identity (such as a new control unit). Below is a list of parts subject to the current Mercedes-Benz TRP policy.

• Electronic vehicle key
• Electronic steering lock (ELV, ESL, ESCL)
• Electronic ignition switch (EZS/EIS) and workshop key for personalization
• Electronic ignition switch with integrated central gateway (EZS/ZGW, EIS/CGW)
• Electronic selector lever module (EWM/ESM)
• Vehicle-related plates, identification plate, production plate, visible VIN plate, including base material
• Transmission control unit (VGS, TCM)
• Direct shift module (DSM, ISM)
• Bodies and body sections/parts for placement of the vehicle identification number
• Engine control unit (MSG, MCM)
• Power electronics for electric drive with DAS (TUBE)
• Hybrid and e-drive control unit (EMx, ME2)
• Belt-driven or integrated starter-alternator (RSG, ISG) for DAS4
• Locking sets and mechanical keys

Also part of the Mercedes-Benz TRP policy is theft relevant information (TRI), information that can be used to steal a vehicle or to give it a new identity. It includes the following:

• Locking data record
• Initialization data
• Personalization data
• Disable/enable information

Record Keeping

One of the important aspects of the TRP policy is accurate record keeping. This applies mostly to the dealer who is selling you parts, but requires that you obtain and keep accurate records as well.

It is your dealer’s responsibility to verify the required documentation is present before accepting any order for, and delivering, a TRP. This precaution is necessary to safeguard your customer’s vehicle and minimize your liability exposure. Failure to adhere to these requirements can expose you, your employees and the dealership you do business with to criminal or civil liability in cases of theft or fraud. For these reasons, it is essential that all personnel adhere to the following documentation process:

Theft-Relevant Parts may only be ordered by the vehicle owner, or their authorized representative (which is you, the ISP) or authorized Mercedes-Benz or Freightliner dealerships completing a vehicle repair.

So what do you need as a representative? Well, if you’ve ever ordered a new key for a customer you may have already been through this and this may be a refresher, but for those who haven’t, here is the procedure:

For starters, you need to become registered on the NASTF website as a Vehicle Security Professional (VSP). For more information on the SDRM registry and how to become a Vehicle Security Professional (VSP), please visit: nastf.org and view “Vehicle Security Professional.” It’s not terribly expensive, and definitely worthwhile if you are servicing a reasonable volume of Mercedes-Benz vehicles. Indeed, the VSP registration opens up a new world for virtually every manufacturer’s theft-relevant parts.

When an order for a TRP is placed by a VSP, the following documentation must be presented to the dealer, who will retain either the original form or make copies of the ownership and identification documentation and retain it in their vehicle file:

Note: Our dealer requests us to have an actual authorization from the customer. This can be a simple letter from your customer stating that you are authorized to repair the vehicle. It’s a good idea to have these forms already made up ahead of time. If you or your service advisors know that a TRP is going to be involved, you can have the customer fill this out when dropping off the vehicle to save time.

• Proof of ownership: A copy of the vehicle registration, title, or any ownership document which would be accepted by a Department of Motor Vehicles to issue a title.
• VSP Proof of identity: Original or photocopy of the VSP’s government-issued driver/operator license with photo, or a passport.
• Repair Order: A valid repair order from the VSP’s business, with the customer name & address, VIN and TRP part number(s) clearly noted.

Again, its time well spent to have this handled up front when your customer drops off the vehicle for service. Have all your employees attend a TRP meeting in the shop and have a folder ready for when a job like this comes in.

The TRP form, several examples, as well as a copy of the policy spelling out all the details can be found at bit.ly/mbtrpi.

What About Keys?

Any Vehicle Security Professionals (VSPs) participating in the NASTF Secure Data Release Model (SDRM) Registry may purchase pre-programmed and/or pre-cut Keys, subject to additional documentation requirements:

• All documentation outlined in the TRP policy above must be presented.
• An additional key certification form (also available on the STAR Tekinfo website) must be completed and presented to the dealer. The dealer keeps the original in the vehicle file with the other TRP documentation for the transaction.

• Keys may be shipped securely to a VSP.
• Blank or unprogrammed keys may not be sold under any circumstances.
• DAS 4 keys require the VSP to have an active XENTRY Diagnosis subscription in order to mark the vehicle as ‘present.’ Whether programmed in-vehicle by a dealer, or ordered from the MBUSA Parts depot, a DAS4 key cannot be programmed unless the DAS4 servers in Europe have received the ‘vehicle is present’ message via XENTRY. What this means is, if you don’t have a XENTRY subscription, you can’t order a new key—you’ll have to send the customer to the dealer, or another ISP who has one.

If you are thinking about getting a XENTRY Diagnosis system, you can find the purchase details on the STAR TekInfo website, under the Mercedes-Benz Workshop Resources category. Check out the article in this issue on the STAR TekInfo website for details, and the June 2017 (bit.ly/mbst201706) StarTuned issue explaining the advantages of XENTRY Diagnosis systems (bit.ly/needXENTRY).

• For DAS 4 keys, when no keys are present, it gets a lot more complicated, since the ignition must be switched on to register the vehicle as ‘present.’ The VSP must perform vehicle and VIN referencing at the vehicle, along with the submission of all documentation required in the TRP documentation above to the authorized Mercedes-Benz dealer before the submission of the key certification form. Then the dealer has a form he must complete that certifies the vehicle as present. Speak with your local dealer to understand the details of this ‘fallback’ process, and note that this is not a substitute for not having a XENTRY subscription.

In a nutshell, the idea behind the policy here is to prevent someone who doesn’t present the vehicle as well, from coming in and ordering a key. They may forge some documentation in order to get a key and steal a vehicle. Prior to more rigid enforcement of the TRP policy, it happened far more often than you might think. In fact, a Mercedes-Benz dealer (who will remain nameless) on the East coast was visited by Interpol and eventually held liable for several million dollars worth of stolen Mercedes-Benz vehicles—all because they got sloppy with the TRP policy.

Multi-factor Identification

Now we come to the second part of the article, an identity and account verification system used to prevent unauthorized programming of control units. Before commissioning, programming or coding control units of any type (using XENTRY Flash), you must authenticate yourself in XENTRY Diagnosis with a second factor. In addition to your usual C7 User ID and password, you’ll need an authentication app (we explain the details below) on your smartphone.

The basic idea is that anyone—even someone who doesn’t have a XENTRY Diagnosis system—can create an account, get a GEMS (C7) username assigned and, if you’re the ‘business owner’—the first one registering a particular business—you have administrative rights and can assign yourself “XENTRY Standard Diagnosis” rights. (Getting a C7 ID is discussed in the “STAR TekInfo” article elsewhere in this issue). With that, you are able to log in and use XENTRY Diagnosis for everything except Flashing (coding/programming). If you want Flash rights, you simply contact MBUSA and, if you have a XENTRY Diagnosis system, they’ll start the process to have them assigned to you (which takes a few days).

In order to assign yourself the Standard Diagnosis role, you must complete a process known as IDNow, and this carries through to Flash rights as well. The website is easy to understand and will walk you though the process, but MBUSA also provides complete and detailed instructions. It is not terribly difficult, but in general it involves providing your identification (such as a driver’s license) and taking a few selfies.

Once you assign yourself the Standard Diagnosis role, you can contact MBUSA to request Flash rights, for which (again) MBUSA provides detailed instructions. This often takes a few days for processing though.

Once Flash rights are assigned, to flash a control unit, you simply begin your diagnosis with XENTRY Flash operation as usual, and you will be automatically guided through the authentication process. The first time you try it, you’ll be guided to set up the Mercedes-Benz recommended PingID app. This can sometimes trip up some users, so let’s look at that process more closely.

Install the PingID app on your phone from the either the Apple App Store or Google Play. Start the app and accept the terms and conditions, including allowing camera access. Then, scan the QR code shown on the XENTRY screen with your phone and click Next. The app generates an authentication code—type this onto the screen as indicated and click Verify. Finally, select Start Setup, add your account (tap “+”) and, once completed, you will be redirected to the two-factor protected application and can start using it.

The first time you log in with XENTRY flash, you will be prompted to choose between a security key or the authentication app on your smartphone: Choose the smartphone app, unless you really don’t have a smartphone. If you must use a security key, which is a little USB device, just ask MBUSA and they’ll send you the details on getting and using it.

Following the smartphone procedure, you will get a verification code in the app. You will need to respond with this quickly, as it expires in about 30 seconds. Once it goes through, you will be sent a message that the authentication has been approved and you can proceed with the programming procedure. This process will store your second factor authentication.

Upon subsequent logins, simply use XENTRY Diagnosis as usual. As soon as it is necessary, XENTRY Diagnosis will inform you that you need to perform authentication. You can now use your second factor for authentication.

For both ISPs and Dealers, it seems there are more and more procedures and policies to follow to keep up with the ever-changing industry. But it has always been this way—new technology makes many things easier, although there is always a learning curve. Stay ahead of the curve by having some of these policies in place and training your technicians and advisors so that these processes can run as smooth as possible.