NefMoto

Hi all,

New to this place but i've been hacking my way into several ecus in the last couple of years.
Currently i'm working on a flashing tool for SAABs trionic 8 (also used in some other GM cars).
I've already found the seed&key algorithm for security access and i can read the entire content of the flash over the canbus. Flashing however seems to require an encryption algorithm and that is a bitch to find reversing the code.

If someone has info he/she wants to share on the subject that would be much appreciated. Please know that all the resulting code and information will become public in my open source projects which you can find here: http://trionic.mobixs.eu (http://trionic.mobixs.eu)

The t8 flasher projects progress can be followed here: http://www.trionictuning.com/forum/viewtopic.php?f=35&t=493 (http://www.trionictuning.com/forum/viewtopic.php?f=35&t=493)

Thanks for the very informative site you are running here... found some documents that might come in handy in the near future :)

Small world as I was just browsing this thread you had started: http://forum.ecuproject.com/showthread.php?3174-MotronicSuite

The way I found the seed/key algorithm in the ME7 was by tracking down the code that handles the KWP2000 security negotiation. Then I drove myself crazy translating it from assembly into C#.

Hi,

Small world indeed. There seem to be only a handful of people publicly working on these things.
Gladly i see a lot more of them working with the results :)

You don't have these routines available as open-source right? ;)

I'm sure i will come to a point where ME7 will be a priority but that is not now. Trionic 8 is eating up all my spare time (even bug reports for Trionic 5 and 7 have to wait a little, my concentration goes down the drain when i try to focus on multiple complex tasks).

I've posted the Trionic 8 library (the code is a copy from the Trionic 5 library, so there are routines for T5 left in it, i need to clean it up a little more) here:

Source for library: http://trionic.mobixs.eu/T8/T8CANLib.rar
Source for testapp: http://trionic.mobixs.eu/T8/T8CanLibTester.rar

There seed & key algorithm is also in there (SeedToKey.cs).

Hope this helps someone.
/Guido

I think i found it:

Rotating XOR mechanism it seems.

XOR 0x39
XOR 0x68
XOR 0x77
XOR 0x6D
XOR 0x47
XOR 0x39

So, six XOR values, which are used one after the other. First byte goes XOR 0x39, second byte XOR 0x68 etc...

Your doing a great job with your Trionic Suite when I have time I'll be using it to play around with my SAAB 95.

Nice to see that your getting close to the solution for the T8 encryption.

Thanks!

I'm pretty sure that i have all the info needed to build a flasher and get live data from the ECU now.

Enjoy T7Suite in the meantime :)

The flasher is done. I already integrated it into T8Suite (version 1.2.6)
First results from real world still have to come in though because i don't have access to a Trionic 8 car.

First results are back and everything seems to work properly.

Those are some great news!

I'm working on the divorce and marry process at the moment.
This is needed if you replace the ECU (physically) from the car and use a different one.
The new ECU needs to be married to the car in that case.

Recovery mode has been implemented as well.