Title: closter G7 ver brazil. SeedKey 2701
Post by: ASTROLIDER on April 30, 2023, 02:43:57 PM

Hello, I have a VDO G7 Brazil version cluster and am studying the seed key 2701 algorithm.

Security Access 27 01 21 5A 65 99
Seed D6 59 E2 05 Key 21 DC 66 1B
SEED 7E 40 3D BC KEY 22 4F 66 8E
SEED E9 A0 C2 74 KEY 22 E1 67 1F
SEED C2 94 37 59 KEY 23 74 67 B2
SEED E3 8C A4 FC KEY 23 FB 68 39
SEED 0B EF 21 42 KEY 24 64 68 A2
SEED 9B 80 5A 61 KEY 24 EA 69 28
SEED B8 5A 28 75 KEY 12 C9 57 07
SEED C0 57 BA 89 KEY 13 4B 57 8A
Seed 63 39 53 A0 Key 13 D4 58 12
Seed 33 7D 1D C2 Key 14 4E 58 8D
Seed C5 BD 48 60 Key 14 D1 59 0F
Seed DD 3D 0B 1F Key

Title: Re: closter G7 ver brazil. SeedKey 2701
Post by: prj on May 01, 2023, 04:41:39 AM

If the seed/key is not a simple addition then you can post as many of these as you want, it will not get you closer to the solution.
You can either try to dump the binary of the cluster (not the eeprom, the whole ROM) and reverse engineer it or you can reverse engineer whatever tool you are using to generate the responses.

Title: Re: closter G7 ver brazil. SeedKey 2701
Post by: ASTROLIDER on May 01, 2023, 06:18:45 AM

> If the seed/key is not a simple addition then you can post as many of these as you want, it will not get you closer to the solution.
> You can either try to dump the binary of the cluster (not the eeprom, the whole ROM) and reverse engineer it or you can reverse engineer whatever tool you are using to generate the responses.

Thanks for your answer. I upload the main micro file of the dash.

Title: Re: closter G7 ver brazil. SeedKey 2701
Post by: ASTROLIDER on May 01, 2023, 06:36:31 AM

opcode seed key 2711
Here I show the SA2 chain of the dash file for the seed key 27 11.

Title: Re: closter G7 ver brazil. SeedKey 2701
Post by: ASTROLIDER on May 22, 2023, 05:47:29 AM

Continuing with my investigation with the data obtained, I notice that the algorithm for seed/key 27-01 depends on each starting section on the board.

000000,41,927100,0x714,Rx,Data,8,02 10 60 00 00 00 00 00
000001,41,928200,0x77E,Rx,Data,8,06 50 60 00 28 00 C8 AA
000002,41,948400,0x714,Rx,Data,8,04 31 01 02 03 00 00 00
000003,41,949500,0x77E,Rx,Data,8,04 71 01 02 03 AA AA AA
000004,41,969700,0x714,Rx,Data,8,03 22 22 03 00 00 00 00 <<--------- application
000005,41,989600,0x77E,Rx,Data,8,05 62 22 03 1C F2 AA AA <<--------- 1C F2 change for each section
000006,42,009900,0x714,Rx,Data,8,03 22 F1 90 00 00 00 00
000007,42,010700,0x77E,Rx,Data,8,10 14 62 F1 90 39 42 57
000008,42,030900,0x714,Rx,Data,8,30 08 0A 00 00 00 00 00
000009,42,031200,0x77E,Rx,Data,8,21 41 42 34 35 5A 30 4A
000010,42,040700,0x77E,Rx,Data,8,22 34 30 32 33 30 33 33
000011,42,060900,0x714,Rx,Data,8,02 10 03 00 00 00 00 00
000012,42,062000,0x77E,Rx,Data,8,06 50 03 00 28 00 C8 AA
000013,42,082200,0x714,Rx,Data,8,02 10 02 00 00 00 00 00
000014,42,119400,0x77E,Rx,Data,8,03 7F 10 78 AA AA AA AA
000015,42,144400,0x77E,Rx,Data,8,06 50 02 00 32 2E E0 AA

Title: Re: closter G7 ver brazil. SeedKey 2701
Post by: ASTROLIDER on May 22, 2023, 06:13:38 AM

> If the seed/key is not a simple addition then you can post as many of these as you want, it will not get you closer to the solution.
> You can either try to dump the binary of the cluster (not the eeprom, the whole ROM) and reverse engineer it or you can reverse engineer whatever tool you are using to generate the responses.

You are correct; for more seed/key that you request, in each section it changes. For example, if I simulate a fixed seed, for each section started its key response changes.
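
The CAN trace in the May 22 post mixes ISO-TP single frames, one multi-frame response and a negative response, which are hard to read as raw hex. The following is an added example, not code from any poster in this thread: it reassembles the ISO-TP messages and names the UDS services. The service and response-code tables are a small subset chosen for this trace, and the sample lines are copied from that post.

```python
# Added example: reassemble ISO-TP messages from a CAN trace and name the UDS services.
SERVICES = {0x10: "DiagnosticSessionControl", 0x22: "ReadDataByIdentifier",
            0x27: "SecurityAccess", 0x31: "RoutineControl"}     # subset only
NRCS = {0x78: "responsePending", 0x33: "securityAccessDenied"}  # subset only

# Lines copied from the trace posted in the thread (index,sec,usec,id,dir,type,dlc,data).
TRACE = """\
000004,41,969700,0x714,Rx,Data,8,03 22 22 03 00 00 00 00 <<--------- application
000005,41,989600,0x77E,Rx,Data,8,05 62 22 03 1C F2 AA AA
000006,42,009900,0x714,Rx,Data,8,03 22 F1 90 00 00 00 00
000007,42,010700,0x77E,Rx,Data,8,10 14 62 F1 90 39 42 57
000008,42,030900,0x714,Rx,Data,8,30 08 0A 00 00 00 00 00
000009,42,031200,0x77E,Rx,Data,8,21 41 42 34 35 5A 30 4A
000010,42,040700,0x77E,Rx,Data,8,22 34 30 32 33 30 33 33
000013,42,082200,0x714,Rx,Data,8,02 10 02 00 00 00 00 00
000014,42,119400,0x77E,Rx,Data,8,03 7F 10 78 AA AA AA AA
000015,42,144400,0x77E,Rx,Data,8,06 50 02 00 32 2E E0 AA
"""

def parse_line(line):
    """Return (can_id, data_bytes); drops any '<<---' annotation after the data."""
    fields = line.split(",", 7)
    return int(fields[3], 16), bytes.fromhex(fields[7].split("<")[0])

def reassemble(trace):
    """Return [(can_id, uds_payload)] with ISO-TP framing and padding removed."""
    pending, messages = {}, []
    for line in trace.strip().splitlines():
        can_id, data = parse_line(line)
        kind, low = data[0] >> 4, data[0] & 0x0F
        if kind == 0:                                  # single frame, low = length
            messages.append((can_id, data[1:1 + low]))
        elif kind == 1:                                # first frame, 12-bit length
            pending[can_id] = ((low << 8) | data[1], bytearray(data[2:]))
        elif kind == 2 and can_id in pending:          # consecutive frame
            total, buf = pending[can_id]
            buf += data[1:]
            if len(buf) >= total:
                messages.append((can_id, bytes(buf[:total])))
                del pending[can_id]
        # kind == 3 is flow control and carries no payload
    return messages

def describe(payload):
    sid = payload[0]
    if sid == 0x7F:                                    # negative response
        return f"NegativeResponse {SERVICES.get(payload[1], hex(payload[1]))}: {NRCS.get(payload[2], hex(payload[2]))}"
    if sid - 0x40 in SERVICES:                         # positive response = SID + 0x40
        return SERVICES[sid - 0x40] + " positive response"
    return SERVICES.get(sid, hex(sid)) + " request"

if __name__ == "__main__":
    for can_id, payload in reassemble(TRACE):
        print(f"{can_id:#05x} {describe(payload):58} {payload.hex(' ')}")
```

The `7F 10 78` frame decodes as a response-pending reply to the `10 02` session request, which is why a second frame with `50 02` follows it from the same ID.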