Author Topic: bosch mg1 security access  (Read 4508 times)
chackiem
« on: January 05, 2023, 12:18:11 PM »

Hi,
I'm researching the MG1 ECU and am now stuck on security access, actually on two.
I can talk with the ECU on the bench and read the MCU ID, boot and security versions using the 0x21 command. I believe it's sboot.
The first security access request is done by sending 0x27 0x7F and getting 14 random bytes + one static byte; the response to that is 0x27 0x80 with a 128-byte payload, where only the last 20 are different each time.
The second security access is done by 0x27 0x01 and getting 4 random bytes, where the response is 0x27 0x02 + a 4-byte answer.

Need help.

prj
« Reply #1 on: January 05, 2023, 04:14:16 PM »

If you have the full dump of the ECU already then reverse the comms stack.
Or post it in services and ask if someone will sell it to you.

Not sure what you are looking for, since it seems like you've done zero reversing so far and just sniffed comms.

PM's will not be answered, so don't even try.
Log your car properly.

chackiem
« Reply #2 on: January 06, 2023, 06:33:20 AM »

I'm looking for an algo and keys for security access in this unit.
@prj, do you have such information? I started reversing, but it's not something that could be done in a minute.
The services section seems to be dead, so if anyone has something to offer - DM me.

terminator
« Reply #3 on: January 06, 2023, 05:39:47 PM »

Did you figure out the compression/encryption method? I mean after SA you can read it but the data is encrypted.

unicornux
« Reply #4 on: January 08, 2023, 05:29:10 AM »

Please send your ecu dump file to do a preliminary check. This can be very helpful.
So, according to your message, you could figure out the first seed/key algo. Do you want the second one now?
Do you have a sample for verification?

Geremia
« Reply #5 on: January 08, 2023, 06:20:06 AM »

Quote from: chackiem
> ...response to that is 0x27 0x80 with a 128-byte payload, where only the last 20 are different each time.

If this doesn't trigger any idea in your head, it certainly explains one thing to me: you chose the wrong target for a quick & dirty "sniff a tool and replicate the trick". There are so many things that you are missing, and a lot more will come later after you pass sk, sorry.

terminator
« Reply #6 on: January 08, 2023, 07:28:35 AM »

Quote from: unicornux
> Please send your ecu dump file to do a preliminary check. This can be very helpful.

I'm not sure but I think the algo is related to the processor's model.

chackiem
« Reply #7 on: January 08, 2023, 12:26:44 PM »

Quote from: terminator
> Did you figure out the compression/encryption method? I mean after SA you can read it but the data is encrypted.

Plain data transfer is available.

Quote from: unicornux
> Please send your ecu dump file to do a preliminary check. This can be very helpful.
> So, according to your message, you could figure out the first seed/key algo. Do you want the second one now?
> Do you have a sample for verification?

Nope, the first one looks more complicated; I'm trying to figure out the structure of that 128 bytes of data ...

Quote from: Geremia
> If this doesn't trigger any idea in your head, it certainly explains one thing to me: you chose the wrong target for a quick & dirty "sniff a tool and replicate the trick". There are so many things that you are missing, and a lot more will come later after you pass sk, sorry.

I'm not sure what "idea" you are talking about, could you please share your thoughts on that? I could guess: maybe you think it's rsa1024 because of the 128 bytes?

instantioc
« Reply #8 on: October 03, 2023, 12:37:10 PM »

Any progress on this?

janek51a
« Reply #9 on: November 11, 2023, 02:40:12 PM »

Try this …

prj
« Reply #10 on: November 11, 2023, 02:55:03 PM »

I'm not sure what the point is of posting a random dll which relies on the official method.
The official method is clear, you need a smartcard, which can do the private/public key crypto.