Title: Seed Key Algorithm how do you start to figure these out?
Post by: BM1785 on December 14, 2017, 02:03:03 PM

Hi Everyone,

Thanks for taking some time to read this. I'm working on learning all about my power sports ECU. I want to be able to change some things in the ECU, like reset and read faults. I have an OEM tool, and I have watched the CAN interaction between vehicle and tool. At first glance it looked simple to code my own tool to do the things I wanted to do. The trouble is, when I coded my tool it did not work. After more studying of the interaction between the OEM diagnosis tool and the vehicle, I learned that there is a set of 3 seed key exchanges that take place before the ECU will allow what I want to do. This may be the same 3 seed keys that allow reading of the ECU files, but I have not confirmed that.

What I would like to know is: how do people go about figuring these seed key algorithms out? I can get several seeds and keys, but I'm lost with how you even start to figure this out. I read a very educational post by Basano http://nefariousmotorsports.com/forum/index.php?topic=4983.0 This was a very nice read and I think I understand how he figured his algorithms out. But what I'm up against appears to me to be much harder algorithms.

Like Basano, I was able to develop my own tool that acts like the ECU and is able to launch the OEM diagnosis tool, so this allows me to send any seeds I want and get the correct keys back from the OEM diagnosis tool. My first thought was to make a lookup table, but I quickly realized that the seeds are 2 numbers in hex (example A4 D2), so 65,535 possible seeds. It would take way too long to extract the keys and the lookup tables would be very large. Between the 2 it's not a good solution.

So back to my main question: how do you even start to figure these seed key algorithms out? Any help anyone can give me, or at least point me in the correct direction, would be appreciated!

Also just for reference, the seeds and keys in this situation are both 2 bytes each. Example: Seed A4 D2, Key 48 A7

Title: Re: Seed Key Algorithm how do you start to figure these out?
Post by: prj on December 14, 2017, 02:18:15 PM

Dump the ECU and reverse the bootloader.
Title: Re: Seed Key Algorithm how do you start to figure these out?
Post by: BM1785 on December 14, 2017, 02:46:39 PM

> Dump the ECU and reverse the bootloader.

Ok, I should have said I'm very new to this. Please excuse my ignorance. I have been able to dump the ECU. I don't know the bootloader location. I'll try and search this site for info on that. Once I find the boot loader, what's required to reverse the bootloader? Thanks for the help! Greatly appreciate it!

Title: Re: Seed Key Algorithm how do you start to figure these out?
Post by: BM1785 on December 15, 2017, 04:34:57 AM

Am I correct in thinking the bootloader is the first part of the ECU file? Starting at address 0?
Also, what do I need to start reversing the bootloader? Is IDA PRO the correct software to start doing this? Thanks again.

Title: Re: Seed Key Algorithm how do you start to figure these out?
Post by: prj on December 15, 2017, 06:08:13 AM

Yes and yes.
Title: Re: Seed Key Algorithm how do you start to figure these out?
Post by: BM1785 on December 16, 2017, 09:02:21 PM

> Yes and yes.

Can Radare2 also be used? IDA PRO is a bit expensive.

Title: Re: Seed Key Algorithm how do you start to figure these out?
Post by: gt-innovation on December 17, 2017, 05:31:35 AM

> Can Radare2 also be used? IDA PRO is a bit expensive.

It is always better to have good genuine tools to work with, like IDA Pro, but there are some older IDA versions around on the net you can use... Latest was version 7.0. A debugger like Radare2 will work only if the architecture is supported, so check what CPU your ECU is using. IDA Pro is known to support the most though...

Title: Re: Seed Key Algorithm how do you start to figure these out?
Post by: BM1785 on January 06, 2018, 02:37:00 PM

> It is always better to have good genuine tools to work with, like IDA Pro, but there are some older IDA versions around on the net you can use... Latest was version 7.0. A debugger like Radare2 will work only if the architecture is supported, so check what CPU your ECU is using. IDA Pro is known to support the most though...

Thanks! I was able to hire someone to help me with this, and after looking at the algorithm I see that I would not have figured it out without reverse engineering.

Title: Re: Seed Key Algorithm how do you start to figure these out?
Post by: H2Deetoo on January 08, 2018, 12:00:25 AM

That's normally the case indeed.
But in your situation, because it is only a 16-bit input and 16-bit output, it would also have been possible to make a lookup table of about 132Kb.

Rgs H2Deetoo

Title: Re: Seed Key Algorithm how do you start to figure these out?
Post by: 360trev on August 28, 2018, 02:19:19 AM

I know this is an old thread, but here's some hopefully useful additional material for anyone else interested in ME7.x seed keys.
A slightly different approach is to identify the seedkey routine in the bootloader and then modify the exit condition to ALWAYS return #1... (key matched), which means it doesn't matter which seed you use, you'll always get a positive answer! :)

Here's 2 different variants to get you started...

    ; Seedkey Routine - VAG Variant
    ;
    ; $inputs: r14,r15=seed1,seed2
    ;          r12=xortable offset
    ;
    ; OUT: r4 - 0=key bad, 1=key matches...
    ME7_Seedcheck:
        mov   [-r0], r6
        mov   r4, r13
        addb  rl4, #23h
        mov   r13, r4
        cmpb  rl4, #23h
        jmpr  cc_NC, loc_475A
        mov   r13, #0FFh
    loc_475A:
        movb  rl6, #0
        jmpr  cc_UC, loc_4792
    loc_475E:
        cmp   r15, #8000h
        jmpr  cc_NZ, loc_4766
        cmp   r14, #0
    loc_4766:
        jmpr  cc_C, loc_478C
        mov   r4, r12
        movbz r4, rl4
        shl   r4, #2
        extp  #0, #2                ; boot loader segment
        mov   r10, [r4+seed_hi]     ; key hi from boot loader rom
        mov   r11, [r4+seed_lo]     ; key lo from boot loader rom
        mov   r4, r14
        mov   r5, r15
        add   r4, r4
        addc  r5, r5
        xor   r4, r10
        xor   r5, r11
        mov   r14, r4
        mov   r15, r5
        jmpr  cc_UC, loc_4790
    loc_478C:
        add   r14, r14
        addc  r15, r15
    loc_4790:
        addb  rl6, #1
    loc_4792:
        mov   r4, r13
        cmpb  rl6, rl4
        jmpr  cc_C, loc_475E
        mov   r4, [r0+2]            ; seed key hi
        mov   r5, [r0+4]            ; seed key lo
        sub   r4, r14
        subc  r5, r15
        jmpr  cc_NZ, loc_47AA
    *** mov   r4, #1                ; seed key matched
        jmpr  cc_UC, loc_47AC
    loc_47AA:
    *** mov   r4, #0                ; seed key did not match  <----- ** CHANGE THIS TO a 1 instead of a zero and it will ALWAYS be successful
    loc_47AC:
        mov   r6, [r0+]
        rets

Here's the one I found in my Ferrari firmware...

    ; Seedkey Routine - Ferrari/Alfa Variant
    ;
    ; $inputs: r14,r15=seed1,seed2
    ;          r12=xortable offset
    ;
    ; OUT: r4 - 0=key bad, 1=key matches...
    ME7_SeedKeyCheck:
        mov   [-r0], r12
        mov   [-r0], r9
        mov   [-r0], r8
        mov   [-r0], r7
        mov   [-r0], r6
        mov   r7, r13
        mov   r8, r14
        mov   r9, r15
        addb  rl7, #23h
        cmpb  rl7, #23h
        jmpr  cc_NC, loc_4764
        movb  rl7, #0FFh
    loc_4764:
        movb  rl6, #0
        jmpr  cc_UC, loop_enter
    loop_key:
        cmp   r9, #8000h
        jmpr  cc_NZ, loc_4770
        cmp   r8, #0
    loc_4770:
        jmpr  cc_C, loc_4786
        movb  rl4, [r0+8]
        movbz r12, rl4
        mov   r13, r8
        mov   r14, r9
        calls 0, unk_6090
        mov   r8, r4
        mov   r9, r5
        jmpr  cc_UC, loc_478A
    loc_4786:
        add   r8, r8
        addc  r9, r9
    loc_478A:
        addb  rl6, #1
    loop_enter:
        cmpb  rl6, rl7
        jmpr  cc_C, loop_key
        mov   r4, [r0+0Ah]          ; seed key hi word
        mov   r5, [r0+0Ch]          ; seed key lo word
        sub   r4, r8
        subc  r5, r9
        jmpr  cc_NZ, key_bad_exit
    *** mov   r4, #1                ; OUT: r4 - 1=key matched...
        jmpr  cc_UC, key_match_exit
    key_bad_exit:
    *** mov   r4, #0                ; OUT: r4 - 0=key bad...  <----- ** CHANGE THIS TO a 1 instead of a zero and it will ALWAYS be successful
    key_match_exit:
        mov   r6, [r0+]
        mov   r7, [r0+]
        mov   r8, [r0+]
        mov   r9, [r0+]
        add   r0, #2
        rets

Title: Re: Seed Key Algorithm how do you start to figure these out?
Post by: eliotroyano on August 30, 2018, 02:47:36 PM

Just amazing work!!!! :o :o :o :o :o
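The loop in 360trev's two listings, transcribed into C as an added example (this is not code from the thread or from any ECU firmware). The XOR table and the sample seed are constructed placeholders standing in for the boot-loader ROM table the listing indexes via r12, and the function names are mine; the point is that once the routine is read out of the bootloader, a reimplementation like this can be checked against seed/key pairs captured from the OEM tool, which is the validation step the thread is about.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed placeholder for the 4-byte-per-entry table that
 * [r4+seed_hi]/[r4+seed_lo] read from the boot loader segment.
 * A real ECU has its own values; these are not from any firmware. */
static const uint32_t xor_table[4] = {
    0x4909E1C5u, 0x12345678u, 0x0BADF00Du, 0xDEADBEEFu
};
#define XOR_TABLE_LEN (sizeof xor_table / sizeof xor_table[0])

/* Loop count, mirroring: addb rl,#23h / cmpb rl,#23h / jmpr cc_NC /
 * mov #0FFh.  Count = (c + 0x23) & 0xFF, or 0xFF if the byte add wrapped. */
uint8_t me7_round_count(uint8_t c) {
    unsigned sum = (unsigned)c + 0x23u;
    return sum > 0xFFu ? 0xFFu : (uint8_t)sum;
}

/* One loop body.  The cmp r15,#8000h / cmp r14,#0 / jmpr cc_C sequence
 * tests whether the 32-bit state (r15:r14) is >= 0x80000000, i.e. whether
 * its top bit is set.  Either way the state is shifted left by one
 * (add r14,r14 / addc r15,r15); if the top bit was set the table entry
 * is XORed in afterwards. */
uint32_t me7_step(uint32_t state, uint32_t tap) {
    uint32_t shifted = state << 1;
    return (state & 0x80000000u) ? (shifted ^ tap) : shifted;
}

/* Key the ECU expects for a seed: run the loop me7_round_count(count)
 * times with the table entry chosen by the low byte of r12 (idx). */
uint32_t me7_expected_key(uint32_t seed, uint8_t count, uint8_t idx) {
    uint32_t tap = xor_table[idx % XOR_TABLE_LEN]; /* placeholder table is short */
    uint8_t n = me7_round_count(count);
    for (uint8_t i = 0; i < n; i++) {
        seed = me7_step(seed, tap);
    }
    return seed;
}

/* The exit compare (sub / subc / jmpr cc_NZ): 1 = key matched, 0 = key bad.
 * The two key words on the stack are treated here as one 32-bit value,
 * paired the same way the add/addc shift pairs r14 (low) and r15 (high). */
int me7_seedcheck(uint32_t seed, uint32_t key, uint8_t count, uint8_t idx) {
    return me7_expected_key(seed, count, idx) == key ? 1 : 0;
}

int main(void) {
    uint32_t seed = 0x00000001u;          /* constructed sample seed */
    printf("seed %08X -> key %08X\n", seed, me7_expected_key(seed, 0, 0));
    return 0;
}
```

To validate a real reimplementation, replace the placeholder table with the values read from the dump and check me7_seedcheck against every seed/key pair captured from the OEM tool before trusting it.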