Topic: Seed Key Algorithm: how do you start to figure these out?
BM1785
« on: December 14, 2017, 02:03:03 PM »

Hi Everyone,

Thanks for taking some time to read this.

I'm working on learning all about my powersports ECU.
I want to be able to change some things in the ECU, like resetting and reading faults.
I have an OEM tool, and I have watched the CAN interaction between the vehicle and the tool.

At first glance it looked simple to code my own tool to do the things I wanted to do. The trouble is that when I coded my tool, it did not work.

After more studying of the interaction between the OEM diagnosis tool and the vehicle, I learned that there is a set of 3 seed/key exchanges that take place before the ECU will allow what I want to do. These may be the same 3 seed/key exchanges that allow reading of the ECU files, but I have not confirmed that.

What I would like to know is: how do people go about figuring these seed/key algorithms out?

I can get several Seeds and Keys but I'm Lost with how you even start to figure this out.

I read a very educational post by Basano     http://nefariousmotorsports.com/forum/index.php?topic=4983.0

This was a very nice read, and I think I understand how he figured his algorithms out.
But what I'm up against appears to be much harder algorithms.

Like Basano, I was able to develop my own tool that acts like the ECU and is able to launch the OEM diagnosis tool, so this allows me to send any seeds I want and get the correct keys back from the OEM diagnosis tool.

My first thought was to make a lookup table, but I quickly realized that the seeds are 2 numbers in hex (example A4 D2), so 65,535 possible seeds.
It would take way too long to extract the keys, and the lookup tables would be very large. Between the two, it's not a good solution.


So back to my main question: how do you even start to figure these seed/key algorithms out?

Any Help anyone can give me or at least point me in the correct direction would be appreciated!



Also, just for reference, the seeds and keys in this situation are both 2 bytes each.
Example:

Seed   A4 D2
Key    48 A7

prj
« Reply #1 on: December 14, 2017, 02:18:15 PM »

Dump the ECU and reverse the bootloader.
BM1785
« Reply #2 on: December 14, 2017, 02:46:39 PM »

Quote from: prj
Dump the ECU and reverse the bootloader.

OK, I should have said I'm very new to this. Please excuse my ignorance.
I have been able to dump the ECU.
I don't know the bootloader location. I'll try to search this site for info on that.

Once I find the bootloader, what's required to reverse the bootloader?


Thanks for the help! Greatly appreciated!
BM1785
« Reply #3 on: December 15, 2017, 04:34:57 AM »

Am I correct in thinking the bootloader is the first part of the ECU file, starting at address 0?

Also, what do I need to start reversing the bootloader? Is IDA Pro the correct software to start doing this?

Thanks again.
prj
« Reply #4 on: December 15, 2017, 06:08:13 AM »

Yes and yes.
BM1785
« Reply #5 on: December 16, 2017, 09:02:21 PM »

Quote from: prj
Yes and yes.

Can Radare2 also be used? IDA Pro is a bit expensive.
gt-innovation
« Reply #6 on: December 17, 2017, 05:31:35 AM »

Quote from: BM1785
Can Radare2 also be used? IDA Pro is a bit expensive.

It is always better to have good genuine tools to work with, like IDA Pro, but there are some older IDA versions around on the net you can use... The latest was version 7.0.

A debugger like Radare2 will work only if the architecture is supported, so check what CPU your ECU is using. IDA Pro is known to support the most, though...
BM1785
« Reply #7 on: January 06, 2018, 02:37:00 PM »

Quote from: gt-innovation
It is always better to have good genuine tools to work with, like IDA Pro, but there are some older IDA versions around on the net you can use... The latest was version 7.0.

A debugger like Radare2 will work only if the architecture is supported, so check what CPU your ECU is using. IDA Pro is known to support the most, though...

Thanks!

I was able to hire someone to help me with this, and after looking at the algorithm I see that I would not have figured it out without reverse engineering.

 
H2Deetoo
« Reply #8 on: January 08, 2018, 12:00:25 AM »

That's normally the case indeed.
But in your situation, because it is only a 16-bit input and 16-bit output, it would also have been possible to make a lookup table of about 132 KB.


Rgs H2Deetoo
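Added example, not code from this thread or from any of the posters: a small Python harness for the two approaches discussed above, the original poster's question of where to start with captured seed/key pairs, and H2Deetoo's point that a 16-bit in / 16-bit out exchange can simply be tabulated. The `toy_ecu_key()` routine, its rotate-and-XOR structure and the constant 0x6B3D are constructed stand-ins for the real ECU (the thread never reveals the real algorithm, and the A4 D2 -> 48 A7 pair on the page is not produced by it); the hypothesis families and the table layout are the general method and assume nothing about the poster's vehicle.

```python
"""
Added example (not code from the thread): harness for attacking a 16-bit
seed/key exchange from captured (seed, key) pairs.

toy_ecu_key() is a CONSTRUCTED stand-in for the ECU / OEM tool; the real
algorithm is unknown and the page's pair (A4 D2 -> 48 A7) is not produced
by it.  Replace it with a function that drives the real OEM tool.
"""
import struct
from typing import Callable, Dict, List, Tuple

MASK16 = 0xFFFF
Oracle = Callable[[int], int]   # seed -> key (the OEM tool, or a fake ECU)


def rotl16(x: int, r: int) -> int:
    """Rotate a 16-bit value left by r bits."""
    r %= 16
    return ((x << r) | (x >> (16 - r))) & MASK16


def toy_ecu_key(seed: int) -> int:
    """Constructed toy algorithm (assumption): rotate left 5, XOR a constant."""
    return rotl16(seed & MASK16, 5) ^ 0x6B3D


def collect_pairs(oracle: Oracle, seeds: List[int]) -> List[Tuple[int, int]]:
    """Step 1: feed seeds of your choosing to the oracle and record the keys.
    Include 0x0000, 0x0001 and 0xFFFF: they reject most wrong hypotheses fast."""
    return [(s & MASK16, oracle(s & MASK16)) for s in seeds]


def _transforms() -> Dict[str, Callable[[int], int]]:
    """Structural transforms the key routine might apply before a final
    XOR/ADD with an unknown 16-bit constant.  Extend as you learn more."""
    t: Dict[str, Callable[[int], int]] = {
        "id":   lambda s: s,
        "swap": lambda s: ((s & 0xFF) << 8) | (s >> 8),   # byte swap
        "neg":  lambda s: (-s) & MASK16,                  # two's complement
    }
    for r in range(1, 16):
        t[f"rotl{r}"] = lambda s, r=r: rotl16(s, r)
    return t


def fit_hypotheses(pairs: List[Tuple[int, int]]) -> List[str]:
    """Step 2: for every 'T(seed) then xor/add c' hypothesis, solve c from the
    first pair and keep the hypothesis only if it reproduces EVERY pair.
    Returns the matching formulas; an empty list means none of these fit."""
    if len(pairs) < 2:
        raise ValueError("need at least two (seed, key) pairs to reject anything")
    s0, k0 = pairs[0]
    hits: List[str] = []
    for name, T in _transforms().items():
        c_xor = T(s0) ^ k0
        if all((T(s) ^ c_xor) == k for s, k in pairs):
            hits.append(f"key = {name}(seed) ^ 0x{c_xor:04X}")
        c_add = (k0 - T(s0)) & MASK16
        if all(((T(s) + c_add) & MASK16) == k for s, k in pairs):
            hits.append(f"key = ({name}(seed) + 0x{c_add:04X}) & 0xFFFF")
    return hits


def build_table(oracle: Oracle) -> bytes:
    """Step 3 (fallback when no formula fits): exhaust all 65536 seeds and
    store each key as big-endian uint16 at byte offset 2*seed.  The result is
    always 131072 bytes (128 KiB); the real cost is 65536 oracle queries."""
    return b"".join(struct.pack(">H", oracle(s)) for s in range(0x10000))


def table_lookup(table: bytes, seed: int) -> int:
    """Answer a seed from the exhaustive table."""
    return struct.unpack_from(">H", table, 2 * (seed & MASK16))[0]


# Constructed sample run against the toy ECU.
SAMPLE_SEEDS = [0x0000, 0x0001, 0x00A4, 0xA4D2, 0x8000, 0xFFFF, 0x0F0F, 0x5A5A]


def demo_fit() -> List[str]:
    """Collect eight pairs from the toy oracle and fit hypotheses to them."""
    return fit_hypotheses(collect_pairs(toy_ecu_key, SAMPLE_SEEDS))


if __name__ == "__main__":
    for h in demo_fit():
        print("consistent hypothesis:", h)
    tbl = build_table(toy_ecu_key)
    print(f"table size {len(tbl)} bytes, key for A4D2 = {table_lookup(tbl, 0xA4D2):04X}")
```

The point of step 2 is that you never guess the constant: each hypothesis family has its unknown solved from one pair and then has to survive every other pair, so a handful of well-chosen seeds (0x0000, 0x0001, 0xFFFF, a few random ones) is enough to discard dozens of candidate shapes in milliseconds. If nothing in the family list fits, the routine is doing something this shape cannot express (table-driven, multiplicative, multi-round), and the choice is between the exhaustive table (65536 queries to the OEM tool, at whatever rate it answers) and reversing the routine in the bootloader dump as prj suggested.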