Author Topic: VAG AES KEYS  (Read 21696 times)
Basano
« Reply #15 on: March 31, 2020, 04:46:00 AM »

Read Section 4 of the attached, the actual pseudo opcodes are in the table in 4.5

Operation                     Hex-Code   Values
[RSL]                         0x81       -
[RSR]                         0x82       -
[ADD"Value"]                  0x93       0xww,0xww,0xww,0xww
[SUB"Value"]                  0x84       0xww,0xww,0xww,0xww
[EOR"Value"]                  0x87       0xww,0xww,0xww,0xww
For I = "value" of up to 1    0x68       0xww
Next                          0x49       -
[BCC"Value"]                  0x4A       0xww
[BRA"Value"]                  0x6B       0xww
Finish                        0x4C       -

Although the document is from 2003, it works on my SIMOS 18, so maybe it is the same across the board for the majority of control units...


Teitek
« Reply #16 on: March 31, 2020, 06:09:22 AM »

Perfect, thank you Basano ;)

Regards

nihalot
« Reply #17 on: August 21, 2020, 07:33:37 AM »

Looking for key/iv for AES packed MED17.1.61 and 0DL/0DW/OGC TCM frf/odx
Can exchange for many other aes pairs used in MED/EDC/MG1/MD1/Simos/TCM

Any luck with MED17.1.61?
Working with MED17.1.62 and looking for Key/IV

ECU doesn't seem to be using S-box or inv S-box. I think it's T-lookup table based AES-128

www.tangentmotorsport.com

multimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15

contact for reverse engineering services of any ECU/TCU

MarchCat
« Reply #18 on: November 17, 2020, 05:32:25 PM »

Hi all!
I have static AES keys for dashboard (Micronas):
00 00 01 00 07 01 3F 00 31 10 05 00 01 D0 00 00
03 00 00 00 07 01 3F 00 31 10 05 00 02 D0 02 00
03 00 00 00 07 01 3F 00 10 05 06 00 07 D0 02 00
03 00 00 00 07 01 3F 00 01 06 06 00 07 D0 03 00

I need key for:
03 00 00 00 07 01 7F 00 07 03 07 00 05 D0 04 00

navatar_
« Reply #19 on: March 07, 2021, 12:04:53 AM »

Edit: No longer relevant
« Last Edit: April 20, 2021, 12:20:24 PM by navatar_ »

dkperformance

« Reply #20 on: April 07, 2021, 01:21:22 AM »

Hi, what software is that in your Screenshot?

There is no problem with old style (table crypted) DL382 frf files.
I spoke about new version DL382 using Aurix TC27x CPU inside and AES-decryption.
See screenshot comparison.

What about MED17 files.... if I had full dump read of ECUs mentioned above I would not ask about AES-keys ;-)

DQ500/381 keys are very interesting for me and I can exchange it for some info of your interest. If any...

TheDECODER
« Reply #21 on: December 28, 2021, 07:48:41 AM »

Anyone had luck with the AES key for the MG1?

gremlin
« Reply #22 on: December 28, 2021, 04:18:41 PM »

Anyone had luck with the AES key for the MG1?

Yes, I managed to discover something.
There are several versions of the AES keys used in the ECUs MD1 / MG1.
So far, 7 of them have been identified.

TheDECODER
« Reply #23 on: December 29, 2021, 07:04:41 AM »

Hmm that is interesting.

Trying to find one that will match the encryption for the MG1SC002 but having no luck.

gremlin
« Reply #24 on: December 29, 2021, 08:52:14 AM »

Hmm that is interesting.
Trying to find one that will match the encryption for the MG1SC002 but having no luck.

Hmm ...
If there is a sample of a complete flash dump of any MG1CS002 ECU, it is not very difficult to find out the iv/key pair.
« Last Edit: December 29, 2021, 09:05:57 AM by gremlin »

TheDECODER
« Reply #25 on: December 29, 2021, 11:24:03 AM »

I have the FTF file and I did a bench read using some commercial tools.

I can send it over if that will help?

gremlin
« Reply #26 on: December 29, 2021, 07:13:37 PM »

I have the FTF file and I did a bench read using some commercial tools.

I can send it over if that will help?

Then you have everything to find the key.
Look inside the bench read dumps - it is there.
I don't need files - I already know the keys

XzO
« Reply #27 on: April 06, 2023, 12:18:00 PM »

There is no problem with old style (table crypted) DL382 frf files.
I spoke about new version DL382 using Aurix TC27x CPU inside and AES-decryption.
See screenshot comparison.

What about MED17 files.... if I had full dump read of ECUs mentioned above I would not ask about AES-keys ;-)

DQ500/381 keys are very interesting for me and I can exchange it for some info of your interest. If any...



Hello! Which is the software name in the screenshot that you use?

ankpyt
« Reply #28 on: April 26, 2024, 07:07:27 AM »

Maybe someone will tell you. The Tiguan 2 2021 car is powered by a 1.4 engine. I want to bypass the immobilizer for autorun. I was unloaded from the VW MED17 ECU data with security key 128 bit, MAC, Power class. How does the ECU and key authorization work? There are suggestions that the data is encrypted with the AES 128 algorithm using the security key (CS). There is CAN bus data, but it is difficult to understand. I would like to understand which messages are in CAN, and how AES 128 is applied to them.
