Topic: How to get Algorithm from hex values Seed/Keys
mavidelisi
« on: July 16, 2021, 08:54:39 AM »

Hello friends;

I am a new member of the forum. I am pleased to meet you. I wish you all success in your life. I came across your site while researching the seed key algorithm on Google. I hope I wrote my question in the right place. Please don't be offended if I'm wrong.

I have a car brain. While reading the flash from inside, I send a security request with 02 27 07; then it sends me seeds via 06 67 07. The seed is deciphered and the real key is sent. For this, I establish a connection between the clone device and the program and send the seeds from the brain myself, and there are some real keys that the program sent to the brain. However, no matter what I did, I could not solve the relationship between them. I need to make an algorithm. Could one of my expert friends please solve the algorithm?

Thank you and have a nice day.

Logged
prj
« Reply #1 on: July 16, 2021, 09:05:47 AM »

This is because only some very simple/stupid algorithms can be deduced by sniffing.
For proper ones you need to reverse either the ECU binary or the OEM DLL doing the algo.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
mavidelisi
« Reply #2 on: July 16, 2021, 09:11:50 AM »

I read the car brain with another program. I have the ECU flash file. If I open the ECU flash with WinOLS, can I reverse it or do I need a full bench? My friend said that a full bench is needed. He said that it should be taken with ktag and reversed. Is this right?
And what about the OEM DLL?
« Last Edit: July 16, 2021, 09:13:31 AM by mavidelisi » Logged
prj
« Reply #3 on: July 16, 2021, 02:19:26 PM »

If you are asking these questions then you are not going to "reverse" anything. You need many years of experience to even attempt it.
Also WinOLS is completely useless for this.
Logged

mavidelisi
« Reply #4 on: July 16, 2021, 11:45:32 PM »

Quote from: prj on July 16, 2021, 02:19:26 PM
If you are asking these questions then you are not going to "reverse" anything. You need many years of experience to even attempt it.
Also WinOLS is completely useless for this.

OK, I understand you.

Thanks.
Logged
crystal_imprezav
« Reply #5 on: July 21, 2021, 12:00:06 PM »

Hint:

Load into IDA and search for 0xFFFFFF27 or 0x27000000 hex sequence. Should point to some offsets and start tracing. Alternate #2 is to search for a fuzzy signature of what a UDS/ISO asm sequence would look like and the asm should show some logic such as branch is 0x01 or 0x03 or 0x11 and also reference rejection handlers such as 0x7F. Then trace to find interesting routines with a bunch of XOR, Shift, Rotate, etc. This is fairly standard on MED17 less VAG since VAG has predefined routine offsets.

Port the code to python or similar and start testing seed key combos and eventually you should find it. Ghidra can help with the ASM to C if you are not familiar.
Logged
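
Added example, not part of any post in this thread: a decoder for the 02 27 07 / 06 67 07 exchange described in the first post and the 0x7F rejections mentioned in Reply #5, plus a counter for rejected keys of the kind a bus monitor would keep. The frames, the 01 02 03 04 seed, the AA BB CC DD key and the threshold of 3 are constructed; the NRC names are the ISO 14229 ones.

```python
# Added example: decode single-frame UDS SecurityAccess (SID 0x27) traffic and
# count rejected keys. NRC names per ISO 14229; all frames are constructed.
NRC = {0x12: "subFunctionNotSupported", 0x24: "requestSequenceError",
       0x35: "invalidKey", 0x36: "exceededNumberOfAttempts",
       0x37: "requiredTimeDelayNotExpired"}

def decode(frame_hex):
    """Decode one ISO-TP single frame given as hex text, e.g. '02 27 07'."""
    raw = bytes.fromhex(frame_hex)
    if not raw or raw[0] >> 4 != 0:
        return {"type": "not-single-frame"}
    n = raw[0] & 0x0F                  # PCI low nibble = UDS payload length
    data = raw[1:1 + n]
    if n < 2 or len(data) < n:
        return {"type": "malformed"}
    sid, sub, rest = data[0], data[1], data[2:]
    if sid == 0x7F:                    # negative response: 7F <SID> <NRC>
        if not rest:
            return {"type": "malformed"}
        return {"type": "negative", "sid": sub,
                "nrc": NRC.get(rest[0], hex(rest[0]))}
    if sid not in (0x27, 0x67):        # 0x67 = 0x27 + 0x40, positive response
        return {"type": "other"}
    sub &= 0x7F                        # drop suppressPosRspMsgIndicationBit
    odd = sub & 1                      # odd = requestSeed, even = sendKey
    kind = {(0x27, 1): "requestSeed", (0x27, 0): "sendKey",
            (0x67, 1): "seed", (0x67, 0): "keyAccepted"}[(sid, odd)]
    return {"type": kind, "level": (sub + 1) // 2, "payload": rest.hex()}

def failed_unlocks(frames, threshold=3):
    """True once `threshold` keys are rejected with no accepted key between."""
    bad = 0
    for frame in frames:
        d = decode(frame)
        if d["type"] == "negative" and d["sid"] == 0x27 and \
                d["nrc"] in ("invalidKey", "exceededNumberOfAttempts"):
            bad += 1
        elif d["type"] == "keyAccepted":
            bad = 0
        if bad >= threshold:
            return True
    return False

# Constructed session: seed request, seed, wrong key, rejection.
ATTEMPT = ["02 27 07", "06 67 07 01 02 03 04",
           "06 27 08 AA BB CC DD", "03 7F 27 35"]

if __name__ == "__main__":
    for line in ATTEMPT:
        print(line, "->", decode(line))
    print("alert:", failed_unlocks(ATTEMPT * 3))
```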
prj
« Reply #6 on: July 24, 2021, 01:44:39 PM »

All good points but OP probably has zero experience with code, so ...
Logged

coralgol
« Reply #7 on: August 16, 2021, 05:08:06 PM »

See example based on access to VIC3 gateway in DAF.

;D
Logged
prj
« Reply #8 on: August 17, 2021, 04:29:46 AM »

Try the Porsche algorithm on KWP2000 ;D

Not everything is so easy unfortunately :(
Logged
