NefMoto

Technical => Reverse Engineering => Topic started by: mavidelisi on July 16, 2021, 08:54:39 AM



Title: How to get Algorithm from hex values Seed/Keys
Post by: mavidelisi on July 16, 2021, 08:54:39 AM
Hello friends;

I am a new member to the forum. I am pleased to meet you. I wish you all success in your life. I came across your site while researching the seed/key algorithm on Google. I hope I wrote my question in the right place. Please don't be offended if I'm wrong.

I have a car brain. I want a security request with 02 27 07 while reading flash from inside; then it sends me seeds via 06 67 07. The seed is deciphered and the real key is sent. For this, I establish a connection between the clone device and the program and send the seeds from the brain myself, and below are some real keys the program sent to the brain. However, no matter what I did, I could not solve the relationship between them. I need to make an algorithm. Could one of my expert friends please solve the algorithm?

Thank you and have a nice day.

************************************************

SEED : 01 01 01 01      0000 0001 0000 0001 0000 0001 0000 0001
KEY  : 11 E6 FE D2      0001 0001 1110 0110 1111 1110 1101 0010

SEED : 02 02 02 02      0000 0010 0000 0010 0000 0010 0000 0010
KEY  : 23 CD FD A4      0010 0011 1100 1101 1111 1101 1010 0100

SEED : 03 03 03 03      0000 0011 0000 0011 0000 0011 0000 0011
KEY  : 32 2B 03 76      0011 0010 0010 1011 0000 0011 0111 0110

SEED : 04 04 04 04      0000 0100 0000 0100 0000 0100 0000 0100
KEY  : 47 9B FB 48      0100 0111 1001 1011 1111 1011 0100 1000

SEED : 02 01 01 01      0000 0010 0000 0001 0000 0001 0000 0001
KEY  : C2 22 F0 58      1100 0010 0010 0010 1111 0000 0101 1000

SEED : 00 00 00 01      0000 0000 0000 0000 0000 0000 0000 0001
KEY  : 4C 2B 3C 5C      0100 1100 0010 1011 0011 1100 0101 1100

SEED : 00 00 00 02      0000 0000 0000 0000 0000 0000 0000 0010
KEY  : 98 56 78 B8      1001 1000 0101 0110 0111 1000 1011 1000

SEED : 00 00 00 03      0000 0000 0000 0000 0000 0000 0000 0011
KEY  : D4 7D 44 E4      1101 0100 0111 1101 0100 0100 1110 0100

SEED : 00 00 00 04      0000 0000 0000 0000 0000 0000 0000 0100
KEY  : 6E A8 88 86      0110 1110 1010 1000 1000 1000 1000 0110

SEED : 00 00 00 05      0000 0000 0000 0000 0000 0000 0000 0101
KEY  : 22 83 B4 DA      0010 0010 1000 0011 1011 0100 1101 1010

SEED : 00 00 00 06      0000 0000 0000 0000 0000 0000 0000 0110
KEY  : F6 FE F0 3E      1111 0110 1111 1110 1111 0000 0011 1110

SEED : 00 00 00 07      0000 0000 0000 0000 0000 0000 0000 0111
KEY  : BA D5 CC 62      1011 1010 1101 0101 1100 1100 0110 0010

SEED : 00 00 00 08      0000 0000 0000 0000 0000 0000 0000 1000
KEY  : DD 51 11 0C      1101 1101 0101 0001 0001 0001 0000 1100

SEED : 00 00 00 09      0000 0000 0000 0000 0000 0000 0000 1001
KEY  : 91 7A 2D 50      1001 0001 0111 1010 0010 1101 0101 0000

SEED : 00 00 00 0A      0000 0000 0000 0000 0000 0000 0000 1010
KEY  : 45 07 69 B4      0100 0101 0000 0111 0110 1001 1011 0100

SEED : 01 00 00 00      0000 0001 0000 0000 0000 0000 0000 0000
KEY  : 84 BF D2 D4      1000 0100 1011 1111 1101 0010 1101 0100

SEED : 02 00 00 00      0000 0010 0000 0000 0000 0000 0000 0000
KEY  : 57 7B DC 5E      0101 0111 0111 1011 1101 1100 0101 1110

SEED : 03 00 00 00      0000 0011 0000 0000 0000 0000 0000 0000
KEY  : D3 C4 0E 8A      1101 0011 1100 0100 0000 1110 1000 1010

SEED : 00 01 00 00      0000 0000 0000 0001 0000 0000 0000 0000
KEY  : 45 21 FF 24      0100 0101 0010 0001 1111 1111 0010 0100

SEED : 00 02 00 00      0000 0000 0000 0010 0000 0000 0000 0000
KEY  : 8A 43 FE 48      1000 1010 0100 0011 1111 1110 0100 1000

SEED : 00 03 00 00      0000 0000 0000 0011 0000 0000 0000 0000
KEY  : CF 62 01 6C      1100 1111 0110 0010 0000 0001 0110 1100

SEED : 00 00 01 00      0000 0000 0000 0000 0000 0001 0000 0000
KEY  : 9C 53 EF 7E      1001 1100 0101 0011 1110 1111 0111 1110

SEED : 00 00 02 00      0000 0000 0000 0000 0000 0010 0000 0000
KEY  : 66 A3 A7 0A      0110 0110 1010 0011 1010 0111 0000 1010

SEED : 00 00 03 00      0000 0000 0000 0000 0000 0011 0000 0000
KEY  : FA F0 48 74      1111 1010 1111 0000 0100 1000 0111 0100

SEED : FF FF FF F0      1111 1111 1111 1111 1111 1111 1111 0000
KEY  : BD 41 11 48      1011 1101 0100 0001 0001 0001 0100 1000

SEED : F0 FF FF FF      1111 0000 1111 1111 1111 1111 1111 1111
KEY  : A4 1D 72 9E      1010 0100 0001 1101 0111 0010 1001 1110

SEED : 0F 00 00 00      1111 0000 0000 0000 0000 0000 0000 0000
KEY  : F3 57 33 92      1111 0011 0101 0111 0011 0011 1001 0010

SEED : FF FF FF 0F      1111 1111 1111 1111 1111 1111 0000 1111
KEY  : 38 95 77 04      0011 1000 1001 0101 0111 0111 0000 0100

SEED : 20 20 20 20      0010 0000 0010 0000 0010 0000 0010 0000
KEY  : 80 D7 29 AC      1000 0000 1101 0111 0010 1001 1010 1100

SEED : 20 20 20 21      0010 0000 0010 0000 0010 0000 0010 0001
KEY  : CC FC 15 F0      1100 1100 1111 1100 0001 0101 1111 0000


Title: Re: How to get Algorithm from hex values Seed/Keys
Post by: prj on July 16, 2021, 09:05:47 AM
This is because only some very simple/stupid algorithms can be deduced by sniffing.
For proper ones you need to reverse either the ECU binary or the OEM DLL doing the algo.


Title: Re: How to get Algorithm from hex values Seed/Keys
Post by: mavidelisi on July 16, 2021, 09:11:50 AM
I read the car brain with another program. I have the ECU flash file. If I open the ECU flash with WinOLS, can I reverse it or do I need a full bench? My friend said that a full bench is needed. He said that it should be taken with ktag and reversed. Is this right?
And what about the OEM DLL?


Title: Re: How to get Algorithm from hex values Seed/Keys
Post by: prj on July 16, 2021, 02:19:26 PM
If you are asking these questions then you are not going to "reverse" anything. You need many years of experience to even attempt it.
Also WinOLS is completely useless for this.


Title: Re: How to get Algorithm from hex values Seed/Keys
Post by: mavidelisi on July 16, 2021, 11:45:32 PM
Quote from: prj on July 16, 2021, 02:19:26 PM
If you are asking these questions then you are not going to "reverse" anything. You need many years of experience to even attempt it.
Also WinOLS is completely useless for this.

OK, I understand you.

Thanks.


Title: Re: How to get Algorithm from hex values Seed/Keys
Post by: crystal_imprezav on July 21, 2021, 12:00:06 PM
Hint:

Load into IDA and search for 0xFFFFFF27 or 0x27000000 hex sequence. Should point to some offsets and start tracing. Alternate #2 is to search for a fuzzy signature of what a UDS/ISO asm sequence would look like and the asm should show some logic such as branch is 0x01 or 0x03 or 0x11 and also reference rejection handlers such as 0x7F. Then trace to find interesting routines with a bunch of XOR, Shift, Rotate, etc. This is fairly standard on MED17 less VAG since VAG has predefined routine offsets.

Port the code to python or similar and start testing seed key combos and eventually you should find it. Ghidra can help with the ASM to C if you are not familiar.
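
For reference, the frames quoted in this thread (02 27 07, 06 67 07 plus four seed bytes, and the 0x7F rejection) are ISO-TP single frames carrying UDS SecurityAccess messages. The decoder below is an added example, not code from any poster; it parses such frames and tallies rejected unlock attempts in a capture. The sample capture, the sendKey sub-function 08, the key bytes AA BB CC DD and the function names are constructed assumptions; the three NRC values are the standard ISO 14229 codes.

```python
# Added example: decode UDS SecurityAccess (0x27) ISO-TP single frames.
NRC = {0x35: "invalidKey", 0x36: "exceededNumberOfAttempts",
       0x37: "requiredTimeDelayNotExpired"}

def decode(frame_hex):
    raw = bytes.fromhex(frame_hex)
    if not raw or raw[0] >> 4 != 0:
        raise ValueError("not an ISO-TP single frame")
    length = raw[0] & 0x0F              # first byte = number of payload bytes
    body = raw[1:1 + length]            # ignores any CAN padding after payload
    if length < 2 or len(body) != length:
        raise ValueError("bad length byte or truncated frame")
    if body[0] == 0x7F:                 # negative response: 7F <SID> <NRC>
        if length < 3:
            raise ValueError("negative response too short")
        return {"dir": "response", "kind": "negative", "service": body[1],
                "nrc": NRC.get(body[2], f"0x{body[2]:02X}")}
    if body[0] not in (0x27, 0x67):     # 0x67 = 0x27 + 0x40 positive response
        raise ValueError("not a SecurityAccess frame")
    sub = body[1] & 0x7F                # bit 7 is suppressPosRspMsgIndication
    kind = "requestSeed" if sub % 2 else "sendKey"   # odd = seed, even = key
    return {"dir": "request" if body[0] == 0x27 else "response",
            "kind": kind, "sub": sub, "data": body[2:].hex().upper()}

def failed_unlocks(frames):
    """Count negative responses to service 0x27, grouped by NRC name."""
    counts = {}
    for frame in frames:
        msg = decode(frame)
        if msg["kind"] == "negative" and msg["service"] == 0x27:
            counts[msg["nrc"]] = counts.get(msg["nrc"], 0) + 1
    return counts

# Constructed capture (not from the thread): one rejected key, then a
# second seed request refused because the ECU's delay timer is running.
SAMPLE = [
    "02 27 07",
    "06 67 07 01 01 01 01",
    "06 27 08 AA BB CC DD",
    "03 7F 27 35",
    "02 27 07",
    "03 7F 27 37",
]

if __name__ == "__main__":
    for frame in SAMPLE:
        print(frame, "->", decode(frame))
    print(failed_unlocks(SAMPLE))
```

A run of invalidKey followed by exceededNumberOfAttempts or requiredTimeDelayNotExpired in a bus log is the pattern an ECU-side attempt counter produces, and is worth alerting on in a gateway or logging tool.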


Title: Re: How to get Algorithm from hex values Seed/Keys
Post by: prj on July 24, 2021, 01:44:39 PM
All good points but OP probably has zero experience with code, so ...


Title: Re: How to get Algorithm from hex values Seed/Keys
Post by: coralgol on August 16, 2021, 05:08:06 PM
See example based on access to VIC3 gateway in DAF.

 ;D


Title: Re: How to get Algorithm from hex values Seed/Keys
Post by: prj on August 17, 2021, 04:29:46 AM
Try the Porsche algorithm on KWP2000 ;D

Not everything is so easy unfortunately :(