Pages: [1]
Author Topic: Seed Key Algorithm how do you start to figure these out?  (Read 1688 times)
BM1785
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 5


« on: December 14, 2017, 02:03:03 PM »

Hi Everyone,

Thanks for taking some time to read this.

I'm working on learning all about my Power sports ECU.
I want to be able to change some things in the Ecu like reset and read faults.
I have a OEM Tool that I have watched the CAN interaction between vehicle and tool.

It at first glance it looked simple to code my own tool to do the things I wanted to do. The trouble is when I coded my Tool it did not work.

After more studding the interaction between OEM Diagnosis Tool and Vehicle I learned that there is a set of 3 Seed key exchanges that take place before the ECU will allow what I want to do.   This may be the same 3 seed keys that allow reading of the ECU files, but I have not confirmed that.

What I would like to know is How do people go about figuring these Seed Key algorithms out?

I can get several Seeds and Keys but I'm Lost with how you even start to figure this out.

I read a very educational post by Basano     http://nefariousmotorsports.com/forum/index.php?topic=4983.0

This was a very nice read and I think I understand how he figured his algorithms out.
But What I'm up against appears to me to be much harder algorithms.

Like Basano I was able to develop my own tool that acts like the ECU and is able to launch the OEM Diagnosis Tool so this allows me to send any Seeds I want and get the correct keys back from the OEM Diagnosis Tool.

My First thought was to make a look up table but I quickly realized that the Seeds are 2 numbers in Hex (example A4 D2), so 65,535 possible Seeds.
It would take way to long to extract the Keys and the Lookup tables would be very large. Between the 2 its not a good solution.


So Back to my Main Question how do you even start to figure these Seed Key algorithms out?

Any Help anyone can give me or at least point me in the correct direction would be appreciated!



Also just for reference the Seeds and Keys in this situation are both 2 bytes each.
Example;

Seed   A4 D2
Key     48 A7

 



Logged
prj
Hero Member
*****

Karma: +268/-13
Offline Offline

Posts: 3363


« Reply #1 on: December 14, 2017, 02:18:15 PM »

Dump the ECU and reverse the bootloader.
Logged
BM1785
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 5


« Reply #2 on: December 14, 2017, 02:46:39 PM »

Dump the ECU and reverse the bootloader.

Ok I should have said I'm very new to this. Please excuse my ignorance. 
I have been able to Dump the ECU.
I don't know the bootloader location. Ill try and search this site for info on that.

Once I find the boot loader whats required to reverse the bootloader?


Thanks for the help! Greatly appreciate it!
Logged
BM1785
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 5


« Reply #3 on: December 15, 2017, 04:34:57 AM »

Am I correct in thinking the bootloader in the first part of the ECU file? Starting and address 0 ?

Also what do I need to start reversing the Bootloader? Is IDA PRO the correct software to start doing this?

Thanks again.
Logged
prj
Hero Member
*****

Karma: +268/-13
Offline Offline

Posts: 3363


« Reply #4 on: December 15, 2017, 06:08:13 AM »

Yes and yes.
Logged
BM1785
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 5


« Reply #5 on: December 16, 2017, 09:02:21 PM »

Yes and yes.

Can Radare2 also be used?  IDA PRO is a bit expensive.
Logged
gt-innovation
Sr. Member
****

Karma: +26/-2
Offline Offline

Posts: 307


« Reply #6 on: December 17, 2017, 05:31:35 AM »

Can Radare2 also be used?  IDA PRO is a bit expensive.

It is always better to have Good Genuine Tools to work like Ida pro but there are some older ida versions around in the net you can use...Latest was version 7.0

A debugger like Radare2 will work only if the architecture is supported so check what cpu is your ecu using.Ida pro is known to support the most though...
Logged
BM1785
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 5


« Reply #7 on: January 06, 2018, 02:37:00 PM »

It is always better to have Good Genuine Tools to work like Ida pro but there are some older ida versions around in the net you can use...Latest was version 7.0

A debugger like Radare2 will work only if the architecture is supported so check what cpu is your ecu using.Ida pro is known to support the most though...



Thanks!   

I was able to hire someone to help me with this and after looking at the algorithm I see that I would not have figured it out with out reverse engineering.

 
Logged
H2Deetoo
Full Member
***

Karma: +7/-0
Offline Offline

Posts: 142


« Reply #8 on: January 08, 2018, 12:00:25 AM »

That's normally the case indeed.
But in your situation because it is only a 16bit input and 16bit output, it would also have been possible to make a lookup table of about 132Kb.


Rgs H2Deetoo
Logged
360trev
Full Member
***

Karma: +16/-1
Offline Offline

Posts: 108


« Reply #9 on: August 28, 2018, 02:19:19 AM »

I know this is an old thread but here's some hopefully useful additional material for anyone else interested in ME7.x seed keys.

A slightly different approach is to identify the seedkey routine in the bootloader and then modify the exit condition to ALWAYS return #1... (key matched) which means it doesn't matter which seed you use you'll alway get a positive answer! Smiley

Here's 2 different variants to get you started...



; Seedkey Routine - VAG Variant
;
; $inputs: r14,r15=seed1,seed2
; r12=xortable offset
;
; OUT: r4 - 0=key bad, 1=key matches...

ME7_Seedcheck:  mov     [-r0], r6
                mov     r4, r13
                addb    rl4, #23h
                mov     r13, r4
                cmpb    rl4, #23h
                jmpr    cc_NC, loc_475A

                mov     r13, #0FFh

loc_475A:       movb    rl6, #0
                jmpr    cc_UC, loc_4792

loc_475E:       cmp     r15, #8000h
                jmpr    cc_NZ, loc_4766

                cmp     r14, #0
loc_4766:       jmpr    cc_C, loc_478C

                mov     r4, r12
                movbz   r4, rl4
                shl     r4, #2

                extp    #0, #2                      ; boot loader segment
                mov     r10, [r4+seed_hi]         ; key hi from boot loader rom
                mov     r11, [r4+seed_lo]         ; key lo from boot loader rom

                mov     r4, r14
                mov     r5, r15
                add     r4, r4
                addc    r5, r5
                xor     r4, r10
                xor     r5, r11
                mov     r14, r4
                mov     r15, r5
                jmpr    cc_UC, loc_4790

loc_478C:       add     r14, r14
                addc    r15, r15

loc_4790:       addb    rl6, #1

loc_4792:       mov     r4, r13
                cmpb    rl6, rl4
                jmpr    cc_C, loc_475E

                mov     r4, [r0+2]                  ; seed key hi
                mov     r5, [r0+4]                  ; seed key lo
                sub     r4, r14
                subc    r5, r15
                jmpr    cc_NZ, loc_47AA

***             mov     r4, #1                  ; seed key matched
                jmpr    cc_UC, loc_47AC

loc_47AA:
***             mov     r4, #0                      ; seed key did not match <----- ** CHANGE THIS TO a 1 instead of a zero and it will ALWAYS be successful

loc_47AC:       mov     r6, [r0+]
                rets



Here's the one I found in my Ferrari firmware...


; Seedkey Routine - Ferrari/Alfa Variant
;
; $inputs: r14,r15=seed1,seed2
; r12=xortable offset
;
; OUT: r4 - 0=key bad, 1=key matches...
///

ME7_SeedKeyCheck:
                mov     [-r0], r12
                mov     [-r0], r9
                mov     [-r0], r8
                mov     [-r0], r7
                mov     [-r0], r6
                mov     r7, r13
                mov     r8, r14
                mov     r9, r15
                addb    rl7, #23h
                cmpb    rl7, #23h
                jmpr    cc_NC, loc_4764

                movb    rl7, #0FFh

loc_4764:       movb    rl6, #0
                jmpr    cc_UC, loop_enter

loop_key:
                cmp     r9, #8000h
                jmpr    cc_NZ, loc_4770
                cmp     r8, #0

loc_4770:       jmpr    cc_C, loc_4786
       
                movb    rl4, [r0+8]
                movbz   r12, rl4
                mov     r13, r8
                mov     r14, r9
                calls   0, unk_6090
                mov     r8, r4
                mov     r9, r5
                jmpr    cc_UC, loc_478A

loc_4786:       add     r8, r8
                addc    r9, r9

loc_478A:       addb    rl6, #1

loop_enter:
                cmpb    rl6, rl7
                jmpr    cc_C, loop_key

                mov     r4, [r0+0Ah]     ; seed key hi word
                mov     r5, [r0+0Ch]     ; seed key lo word
                sub     r4, r8
                subc    r5, r9
                jmpr    cc_NZ, key_bad_exit

***             mov     r4, #1          ; OUT: r4 - 1=key matched...
                jmpr    cc_UC, key_match_exit

key_bad_exit:
***             mov     r4, #0          ; OUT: r4 - 0=key bad... <----- ** CHANGE THIS TO a 1 instead of a zero and it will ALWAYS be successful

key_match_exit: mov     r6, [r0+]
                mov     r7, [r0+]
                mov     r8, [r0+]
                mov     r9, [r0+]
                add     r0, #2
                rets

Logged
eliotroyano
Hero Member
*****

Karma: +37/-5
Offline Offline

Posts: 691


« Reply #10 on: August 30, 2018, 02:47:36 PM »

Just amazing work!!!!  Shocked Shocked Shocked Shocked Shocked
Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.025 seconds with 18 queries. (Pretty URLs adds 0s, 0q)