Hi Everyone,

Thanks for taking some time to read this.

I'm working on learning all about my Power sports ECU.
I want to be able to change some things in the Ecu like reset and read faults.
I have a OEM Tool that I have watched the CAN interaction between vehicle and tool.

It at first glance it looked simple to code my own tool to do the things I wanted to do. The trouble is when I coded my Tool it did not work.

After more studding the interaction between OEM Diagnosis Tool and Vehicle I learned that there is a set of 3 Seed key exchanges that take place before the ECU will allow what I want to do.   This may be the same 3 seed keys that allow reading of the ECU files, but I have not confirmed that.

What I would like to know is How do people go about figuring these Seed Key algorithms out?

I can get several Seeds and Keys but I'm Lost with how you even start to figure this out.

I read a very educational post by Basano     http://nefariousmotorsports.com/forum/index.php?topic=4983.0

This was a very nice read and I think I understand how he figured his algorithms out.
But What I'm up against appears to me to be much harder algorithms.

Like Basano I was able to develop my own tool that acts like the ECU and is able to launch the OEM Diagnosis Tool so this allows me to send any Seeds I want and get the correct keys back from the OEM Diagnosis Tool.

My First thought was to make a look up table but I quickly realized that the Seeds are 2 numbers in Hex (example A4 D2), so 65,535 possible Seeds.
It would take way to long to extract the Keys and the Lookup tables would be very large. Between the 2 its not a good solution.


So Back to my Main Question how do you even start to figure these Seed Key algorithms out?

Any Help anyone can give me or at least point me in the correct direction would be appreciated!



Also just for reference the Seeds and Keys in this situation are both 2 bytes each.
Example;

Seed   A4 D2
Key     48 A7

 

Ok I should have said I'm very new to this. Please excuse my ignorance. 
I have been able to Dump the ECU.
I don't know the bootloader location. Ill try and search this site for info on that.

Once I find the boot loader whats required to reverse the bootloader?


Thanks for the help! Greatly appreciate it!

Yes and yes.

It is always better to have Good Genuine Tools to work like Ida pro but there are some older ida versions around in the net you can use...Latest was version 7.0

A debugger like Radare2 will work only if the architecture is supported so check what cpu is your ecu using.Ida pro is known to support the most though...

That's normally the case indeed.
But in your situation because it is only a 16bit input and 16bit output, it would also have been possible to make a lookup table of about 132Kb.


Rgs H2Deetoo

Just amazing work!!!!