|
Title: VAG AES KEYS Post by: obdflasher on March 16, 2018, 12:20:41 AM Hi.
Who has experience with AES keys ? Title: Re: VAG AES KEYS Post by: H2Deetoo on September 19, 2018, 01:07:41 AM I guess I have ...
Title: Re: VAG AES KEYS Post by: obdhacker on January 04, 2020, 07:50:11 AM Me too ;)
Title: Re: VAG AES KEYS Post by: crystal_imprezav on March 02, 2020, 03:15:51 PM What would you like to know?
Typically 16 byte key and iv. AES CBC Zero Padding. LZ compress/decompress Title: Re: VAG AES KEYS Post by: d3irb on March 02, 2020, 03:23:50 PM Sure, what do you need? http://nefariousmotorsports.com/forum/index.php?topic=10364.msg122889#msg122889
Title: Re: VAG AES KEYS Post by: gremlin on March 04, 2020, 09:41:14 AM Looking for key/iv for AES packed MED17.1.61 and 0DL/0DW/OGC TCM frf/odx
Can exchange for many other aes pairs used in MED/EDC/MG1/MD1/Simos/TCM Title: Re: VAG AES KEYS Post by: crystal_imprezav on March 17, 2020, 01:06:19 PM Looking for key/iv for AES packed MED17.1.61 and 0DL/0DW/OGC TCM frf/odx Only old DSG's use AES (DQ500 & DQ381). I have those keys. I also have MED17 AES keys, but some MED17's use and xor encrypt and not AES. You could PM some files and I can see if I can decode them and trade from there if you interested. Can exchange for many other aes pairs used in MED/EDC/MG1/MD1/Simos/TCM Title: Re: VAG AES KEYS Post by: H2Deetoo on March 18, 2020, 01:27:06 AM If you're talking about immo regarding MED17 then there's no AES involved, but a simple XOR generated by unique Tricore CHIPID.
Title: Re: VAG AES KEYS Post by: gremlin on March 19, 2020, 10:58:40 AM You could PM some files and I can see if I can decode them and trade from there if you interested. crystal_imprezav, below some examples of frf-s using AES keys/iv i looking for. Med17 FL_04E906022B_4032__V001.frf FL_03H906026A_6872__V001.frf DQ500/DQ381 FL_0DL300012M_2106_ilBL_sw.frf FL_0DW300040A_2303_coBK_sw.frf FL_0GC300011G_1420_roUJ_sw.frf DL382 FL_4K0927153M__0005.frf Title: Re: VAG AES KEYS Post by: crystal_imprezav on March 19, 2020, 04:07:38 PM crystal_imprezav, below some examples of frf-s using AES keys/iv i looking for. Med17 FL_04E906022B_4032__V001.frf FL_03H906026A_6872__V001.frf DQ500/DQ381 FL_0DL300012M_2106_ilBL_sw.frf FL_0DW300040A_2303_coBK_sw.frf FL_0GC300011G_1420_roUJ_sw.frf DL382 FL_4K0927153M__0005.frf DQ500/381 I have. DL382 uses a decryption table completely different from any other VAG algo. I’ll check in the those MED17 files. Do you have a bench read of either you can send or upload? Title: Re: VAG AES KEYS Post by: gremlin on March 20, 2020, 01:45:00 PM DQ500/381 I have. DL382 uses a decryption table completely different from any other VAG algo. I’ll check in the those MED17 files. Do you have a bench read of either you can send or upload? There is no problem with old style (table crypted) DL382 frf files. I spoke about new version DL382 using Aurix TC27x CPU inside and AES-decryption. See screenshoot comparison. What about MED17 files.... if i had full dump read of ecus mentioning above i would not ask about AES-keys ;-) DQ500/381 keys are very interesting for me and i can exchange it for some info of your interest. If any... Title: Re: VAG AES KEYS Post by: prj on March 20, 2020, 02:36:34 PM You have RSA workaround for newer DL382?
Title: Re: VAG AES KEYS Post by: crystal_imprezav on March 20, 2020, 04:09:39 PM There is no problem with old style (table crypted) DL382 frf files. I spoke about new version DL382 using Aurix TC27x CPU inside and AES-decryption. See screenshoot comparison. What about MED17 files.... if i had full dump read of ecus mentioning above i would not ask about AES-keys ;-) DQ500/381 keys are very interesting for me and i can exchange it for some info of your interest. If any... Shoot me an email. Crystalimprezav@gmail.com and I’m sure we can work something out. I really like your application format to test and there is one thing I need you probably have. As for the newer dl382 the Haldex uses that chip. As well as some others. I’ll see what I got on those. Got an frf you can send? Title: Re: VAG AES KEYS Post by: Teitek on March 31, 2020, 03:41:07 AM There is no problem with old style (table crypted) DL382 frf files. I spoke about new version DL382 using Aurix TC27x CPU inside and AES-decryption. See screenshoot comparison. What about MED17 files.... if i had full dump read of ecus mentioning above i would not ask about AES-keys ;-) DQ500/381 keys are very interesting for me and i can exchange it for some info of your interest. If any... A question, how you get the pseudocode from the ODX? <SECURITY-METHOD TYPE="A_ASCIISTRING">SA2</SECURITY-METHOD> <FW-SIGNATURE TYPE="A_BYTEFIELD">6809872602201493270320154A03826B068193280420168429052017494C</FW-SIGNATURE> ¿? Thank you! Title: Re: VAG AES KEYS Post by: IamwhoIam on March 31, 2020, 03:44:35 AM A question, how you get the pseudocode from the ODX? <SECURITY-METHOD TYPE="A_ASCIISTRING">SA2</SECURITY-METHOD> <FW-SIGNATURE TYPE="A_BYTEFIELD">6809872602201493270320154A03826B068193280420168429052017494C</FW-SIGNATURE> ¿? Thank you! LOLWUT? That "pseudocode" IS IN the ODX itself LOL Title: Re: VAG AES KEYS Post by: Basano on March 31, 2020, 04:46:00 AM Read Section 4 of the attached, the actual pseudo opcodes are in the table in 4.5
Although the document is from 2003, it works on my SIMOS 18 so maybe is the same across the board for the majority of control units... Title: Re: VAG AES KEYS Post by: Teitek on March 31, 2020, 06:09:22 AM Perfect, thank you Basano ;)
Regards Title: Re: VAG AES KEYS Post by: nihalot on August 21, 2020, 07:33:37 AM Looking for key/iv for AES packed MED17.1.61 and 0DL/0DW/OGC TCM frf/odx Can exchange for many other aes pairs used in MED/EDC/MG1/MD1/Simos/TCM Any luck with MED17.1.61? Working with MED17.1.62 and looking for Key/IV ECU doesnt seem to be using S-box or inv S-box. I think it's T-lookup table based AES-128 Title: Re: VAG AES KEYS Post by: MarchCat on November 17, 2020, 05:32:25 PM Hi all !
I have static aes keys for dashboard (Micronas) : 00 00 01 00 07 01 3F 00 31 10 05 00 01 D0 00 00 03 00 00 00 07 01 3F 00 31 10 05 00 02 D0 02 00 03 00 00 00 07 01 3F 00 10 05 06 00 07 D0 02 00 03 00 00 00 07 01 3F 00 01 06 06 00 07 D0 03 00 I need key for : 03 00 00 00 07 01 7F 00 07 03 07 00 05 D0 04 00 Title: Re: VAG AES KEYS Post by: navatar_ on March 07, 2021, 12:04:53 AM Edit: No longer relevant
Title: Re: VAG AES KEYS Post by: dkperformance on April 07, 2021, 01:21:22 AM Hi, what software is that in your Screenshot?
There is no problem with old style (table crypted) DL382 frf files. I spoke about new version DL382 using Aurix TC27x CPU inside and AES-decryption. See screenshoot comparison. What about MED17 files.... if i had full dump read of ecus mentioning above i would not ask about AES-keys ;-) DQ500/381 keys are very interesting for me and i can exchange it for some info of your interest. If any... Title: Re: VAG AES KEYS Post by: TheDECODER on December 28, 2021, 07:48:41 AM Anyone had luck with the AES key for the MG1?
Title: Re: VAG AES KEYS Post by: gremlin on December 28, 2021, 04:18:41 PM Anyone had luck with the AES key for the MG1? Yes, I managed to discover something. There are several versions of the AES keys used in the ECUS MD1 / MG1. So far, 7 of them have been identified. Title: Re: VAG AES KEYS Post by: TheDECODER on December 29, 2021, 07:04:41 AM Hmm that is interesting.
Trying to find one that will match the encryption for the MG1SC002 but having no luck. Title: Re: VAG AES KEYS Post by: gremlin on December 29, 2021, 08:52:14 AM Hmm that is interesting. Trying to find one that will match the encryption for the MG1SC002 but having no luck. Hmm ... If there is a sample of complete flash dump any of MG1CS002 ECU, it is not very difficult to find out the iv/key pair. Title: Re: VAG AES KEYS Post by: TheDECODER on December 29, 2021, 11:24:03 AM I have the FTF file and I did a bench read using some commercial tools.
I can send it over if that will help? Title: Re: VAG AES KEYS Post by: gremlin on December 29, 2021, 07:13:37 PM I have the FTF file and I did a bench read using some commercial tools. I can send it over if that will help? Then you have everything to find the key. Look inside the bench read dumps - it is there. I don't need files - I already know the keys Title: Re: VAG AES KEYS Post by: XzO on April 06, 2023, 12:18:00 PM There is no problem with old style (table crypted) DL382 frf files. I spoke about new version DL382 using Aurix TC27x CPU inside and AES-decryption. See screenshoot comparison. What about MED17 files.... if i had full dump read of ecus mentioning above i would not ask about AES-keys ;-) DQ500/381 keys are very interesting for me and i can exchange it for some info of your interest. If any... Hello! Which is the software name in the screenshoot that you use? dl382.jpg Title: Re: VAG AES KEYS Post by: ankpyt on April 26, 2024, 07:07:27 AM Maybe someone will tell you. The Tiguan 2 2021 car is powered by a 1.4 engine. I want to bypass the immobilizer for autorun. I was unloaded from the VW MED17 ECU data with security key 128 bit , MAC, Power class. How does the ECU and key authorization work? There are suggestions that the data is encrypted with the AES 128 algorithm using the security key(CS). There is CAN bus data, but it is difficult to understand. I would like to understand which messages are in CAN, and how AES 128 is applied to them.
ID 01B | 0A 6C C2 EB F1 8D 2A A8 ID 01A | 2 AD 81 82 2F 0 0 7 ID 29E | FA B3 60 D0 74 E3 AF D3 ID 17330A11 | 40 0 1 14 ID 17FE0114 | 3 40 1 3 AA AA AA AA ID 29F | C4 E7 D9 45 0 0 0 0 ID 17FC0114 | 10 0B 80 1 6E 29 50 70 ID 17FE0114 | 30 0F 5 AA AA AA AA AA ID 17FC0114 | 21 95 B4 68 A1 10 AA AA ID 17FE0114 | 10 0B C0 1 80 1F 81 73 ID 17FC0114 | 30 0F 5 AA AA AA AA AA ID 17FE0114 | 21 30 B6 FA E9 10 AA AA ID 17FC0114 | 10 0B 80 2 17 71 AB CD ID 17FE0114 | 30 0F 5 AA AA AA AA AA ID 17FC0114 | 21 52 6A 72 74 10 AA AA ID 17FE0114 | 10 0B C0 2 1C C5 46 7A ID 17FC0114 | 30 0F 5 AA AA AA AA AA ID 17FE0114 | 21 7B 22 EA A2 10 AA AA |