Basano
Full Member
Karma: +90/-3
Offline
Posts: 192
« Reply #15 on: March 31, 2020, 04:46:00 AM »
Read Section 4 of the attached, the actual pseudo opcodes are in the table in 4.5

Operation | Hex-Code | Values
[RSL] | 0x81 | -
[RSR] | 0x82 | -
[ADD”Value”] | 0x93 | 0xww,0xww,0xww,0xww
[SUB”Value”] | 0x84 | 0xww,0xww,0xww,0xww
[EOR”Value”] | 0x87 | 0xww,0xww,0xww,0xww
For I = “value”of up to 1 | 0x68 | 0xww
Next | 0x49 | -
[BCC”Value”] | 0x4A | 0xww
[BRA”Value”] | 0x6B | 0xww
Finish | 0x4C | -

Although the document is from 2003, it works on my SIMOS 18, so maybe it is the same across the board for the majority of control units...
Teitek
Newbie
Karma: +1/-0
Offline
Posts: 21
« Reply #16 on: March 31, 2020, 06:09:22 AM »
Perfect, thank you Basano. Regards
nihalot
Full Member
Karma: +40/-3
Offline
Posts: 116
« Reply #17 on: August 21, 2020, 07:33:37 AM »
Looking for key/iv for AES packed MED17.1.61 and 0DL/0DW/OGC TCM frf/odx. Can exchange for many other aes pairs used in MED/EDC/MG1/MD1/Simos/TCM
Any luck with MED17.1.61? Working with MED17.1.62 and looking for Key/IV. ECU doesn't seem to be using S-box or inv S-box. I think it's T-lookup table based AES-128.
www.tangentmotorsport.com multimap/LC/rolling antilag for MED17/EDC17/MED9/EDC15 contact for reverse engineering services of any ECU/TCU
MarchCat
Newbie
Karma: +0/-0
Offline
Posts: 2
« Reply #18 on: November 17, 2020, 05:32:25 PM »
Hi all ! I have static aes keys for dashboard (Micronas) : 00 00 01 00 07 01 3F 00 31 10 05 00 01 D0 00 00 03 00 00 00 07 01 3F 00 31 10 05 00 02 D0 02 00 03 00 00 00 07 01 3F 00 10 05 06 00 07 D0 02 00 03 00 00 00 07 01 3F 00 01 06 06 00 07 D0 03 00
I need key for : 03 00 00 00 07 01 7F 00 07 03 07 00 05 D0 04 00
navatar_
Newbie
Karma: +1/-1
Offline
Posts: 18
« Reply #19 on: March 07, 2021, 12:04:53 AM »
Edit: No longer relevant
« Last Edit: April 20, 2021, 12:20:24 PM by navatar_ »
dkperformance
Newbie
Karma: +0/-0
Offline
Posts: 2
« Reply #20 on: April 07, 2021, 01:21:22 AM »
Hi, what software is that in your screenshot? There is no problem with old style (table crypted) DL382 frf files. I spoke about new version DL382 using Aurix TC27x CPU inside and AES-decryption. See screenshot comparison.
What about MED17 files.... if I had full dump read of ecus mentioning above I would not ask about AES-keys ;-)
DQ500/381 keys are very interesting for me and I can exchange it for some info of your interest. If any...
TheDECODER
Newbie
Karma: +0/-0
Offline
Posts: 22
« Reply #21 on: December 28, 2021, 07:48:41 AM »
Anyone had luck with the AES key for the MG1?
gremlin
« Reply #22 on: December 28, 2021, 04:18:41 PM »
Anyone had luck with the AES key for the MG1?
Yes, I managed to discover something. There are several versions of the AES keys used in the ECUs MD1 / MG1. So far, 7 of them have been identified.
TheDECODER
Newbie
Karma: +0/-0
Offline
Posts: 22
« Reply #23 on: December 29, 2021, 07:04:41 AM »
Hmm that is interesting.
Trying to find one that will match the encryption for the MG1SC002 but having no luck.
gremlin
« Reply #24 on: December 29, 2021, 08:52:14 AM »
Hmm that is interesting. Trying to find one that will match the encryption for the MG1SC002 but having no luck.
Hmm ... If there is a sample of a complete flash dump of any MG1CS002 ECU, it is not very difficult to find out the iv/key pair.
« Last Edit: December 29, 2021, 09:05:57 AM by gremlin »
TheDECODER
Newbie
Karma: +0/-0
Offline
Posts: 22
« Reply #25 on: December 29, 2021, 11:24:03 AM »
I have the FTF file and I did a bench read using some commercial tools.
I can send it over if that will help?
gremlin
« Reply #26 on: December 29, 2021, 07:13:37 PM »
I have the FTF file and I did a bench read using some commercial tools.
I can send it over if that will help?
Then you have everything to find the key. Look inside the bench read dumps - it is there. I don't need files - I already know the keys.
XzO
Newbie
Karma: +0/-0
Offline
Posts: 2
« Reply #27 on: April 06, 2023, 12:18:00 PM »
There is no problem with old style (table crypted) DL382 frf files. I spoke about new version DL382 using Aurix TC27x CPU inside and AES-decryption. See screenshot comparison.
What about MED17 files.... if I had full dump read of ecus mentioning above I would not ask about AES-keys ;-)
DQ500/381 keys are very interesting for me and I can exchange it for some info of your interest. If any...
Hello! Which is the software name in the screenshot that you use? dl382.jpg