|
Title: Cluster seed/key Post by: H2Deetoo on December 04, 2014, 01:23:25 AM Hi guys,
I've been playing around with Vagtacho 5.0 on my UDS cluster (3AA 920 880 A), and although it seems Vagtacho doesn't support my cluster it does show some interesting communications: Command: 2E FD 11 01 -> WriteDataByIdentifier Reply: 08 02 6E 02 AA AA AA AA AA -> Positve response Command: 31 01 02 03 -> RoutineControl Reply: 08 04 71 01 02 03 AA AA AA -> Seems like a positive response (71h=31h+40h) Command: 10 03 -> Enter diagnostic sessios 03 Reply: 08 06 50 03 00 32 00 C8 AA -> Positve response Command: 10 02 -> Enter diagnostic sessios 02 (programming mode) Reply: 08 03 7F 10 78 AA AA AA AA -> busy Reply: 08 06 50 02 00 32 2E E0 AA -> Positve response Command: 27 11 -> request seed index 11 Reply: 08 06 67 11 3A 8B C9 BF AA -> seed received Command: 27 12 B9 60 DB A9 -> send key index 11+1 Reply: 08 03 7F 27 35 AA AA AA AA -> 35 = invalid key Command: 27 11 Reply: 08 06 67 11 3A 8B C0 96 AA Command: 27 12 B9 69 F2 A9 Reply: 08 03 7F 27 35 AA AA AA AA Now the funny thing is that in this mode (the cluster becomes dark btw) I can continuously ask for a seed and transmit a key. There is no timeout or retry expiration which is normal in other modes. The seed is changing (pseude randomly) so if I supply a fixed key I can brute it. So I have a situation now where I could brute the correct key. I will make a test to see how fast this goes (if it is plausible to brute a valid key in my life span). It seems Vagtacho does calculate a specific key for a given seed but it doesn't seem correct (7F xx 35 response). So I guess the seed/key algo for my cluster is unsupported. I've left Vagtacho running for some time but ofcourse it doen't find the correct key, but when hitting the cancel button I see this: Command: 34 01 44 03 FF 1E 96 00 00 00 70 -> RequestDownload to ECU (write to ECU) Reply: 08 03 7F 34 7F AA AA AA AA -> 7F = Service or Subfunction not supported (in active Session) or Command: 34 01 44 03 FF 1E 96 00 00 00 70 -> RequestDownload to ECU (write to ECU) Reply: 08 03 7F 34 33 AA AA AA AA -> 33 = Security access denied I guess in a normal situation where it does answer with a valid key, its next step would be to upload something to the ECU. I've read that most these tools seem to upload some loader application to RAM, then execute it and the loader will output (a part of) the flash, where important values/keys are stored. If I could realise a valid key using brute, I could try to dump the firmware using command 35, and continue my investigations from there. Unfortunately, the syntaxis for the 34 cmd used by VagTacho is different compared to the one explained here: http://nefariousmotorsports.com/forum/index.php?topic=4983.15 Does anyone have some documentation somewhere which might explain the correct syntax ? Or can add some other helpfull info? Thanks in advance, H2Deetoo Title: Re: Cluster seed/key Post by: H2Deetoo on December 04, 2014, 02:47:22 AM I found a reference :
34 01 -> dataFormatIdentifier -> The high nibble specifies the “compressionMethod” = 0 -> The low nibble specifies the “encryptingMethod” = 1 44 -> addressAndLengthFormatIdentifier -> bit 7 - 4: Length (number of bytes) of the memorySize parameter. = 4 -> bit 3 - 0: Lenght (number of bytes) of the memoryAddress parameter. = 4 03 FF 1E 96 -> Memory address 4 bytes 00 00 00 70 -> Memory length 4 bytes Hopefully I read the firmware without compression and without encrypting ;-) Rgs H2Deetoo Title: Re: Cluster seed/key Post by: turboat on December 04, 2014, 03:12:18 AM What are you using to analyse the comms?
Title: Re: Cluster seed/key Post by: H2Deetoo on December 04, 2014, 04:18:49 AM Well, Vagtacho 5.0 software allows you to display the used CAN messages in its log window.
Also, I wrote my own logger (and test) software using this Vagtacho cable ... so I can log other tools like VCDS aswell. Rgs H2Deetoo Title: Re: Cluster seed/key Post by: turboat on December 04, 2014, 06:09:03 AM That sounds really useful, have you thought about open-sourcing it?
Title: Re: Cluster seed/key Post by: H2Deetoo on December 04, 2014, 07:34:34 AM That sounds really useful, have you thought about open-sourcing it? Well, a logger is usefull ofcourse but there are many logger cables/tools available for a fair price (like ELM327). The main reason I decided to write my own tool is the fact that I had the Vagtacho cable already, and so why buy a new/different one ? (And I like to do investigate such things and write test tools and so ..) For now it's not going open-source because there isn't anything special about it. But I am willing to help people out though who want to do a similar thing with their existing cables ... Rgs H2Deetoo Title: Re: Cluster seed/key Post by: H2Deetoo on December 04, 2014, 10:48:34 AM Hmm, it seems I can brute with a rate of 31 keys/sec
For a 32bit seed/key this will take me about 4 years :( Title: Re: Cluster seed/key Post by: g0tcha on May 26, 2016, 08:32:44 AM Hmm, it seems I can brute with a rate of 31 keys/sec For a 32bit seed/key this will take me about 4 years :( hi thats why people come to me, i make you life easier. i can offer you any seed/key algorithm. from ecu flashing to mileage correction (dashboard) to immobilizer |