Pages: [1]
Author Topic: Seed key algorithm for BMW R1200GS motorcycle  (Read 6139 times)
sn4p
Newbie
*

Karma: +2/-0
Offline Offline

Posts: 5


« on: July 26, 2022, 02:02:56 PM »

I'm trying to reverse engineer the ECU of my motorcycle. I have figured out how to read and and reset the service but I'm stuck when it comes to open up the ECU for write access.
The seed is 8 bytes and the validation key is 128 bytes.
I have a tool that has the key but I'm unable to extract it. I can read the exchange however.
Example:

Request seed for write access:
>2701FFFFFFFF

Seed response
660F1100A670168DE68
660F12146EA2309F1FF

(Raw seed bytes without headers):
68 DE 68 46 EA 23 09 F1

Validation key:
>2702000000207C99EC54AF75E0716306C4D5F90061BB1C29B5AE56C4E01187E1B9860C6AE082A6E847A836E91B34268C983439F15FC7038F6F79C08662ED60000CF6A2537FA5E7E38498BC7454F79FAE4497C06592D27D13CCD11E58828ED8857433CBD79C043C132BA30FCCDF5C8F71EA2450BEAEF10E530B6D11D2C2653F029E585CAF506F

(Raw key bytes starts after 270200000020)

Validation "OK" response:
660F1037F2778
660F1026702

Raw bytes:
7F 27 78 67 02

I've seen a similar post but the key was much shorter so I'm unable to use the same algorithm.
Any help appreciated.
Logged
sn4p
Newbie
*

Karma: +2/-0
Offline Offline

Posts: 5


« Reply #1 on: July 26, 2022, 04:45:49 PM »

I'm assuming it uses an RSA-1024 algorithm to generate the key from the seed right?
So I'm guessing the only way is to disassemble the tool or the ecu bootloader to get the rsa key pair...
Unless someone already did that  Wink
Logged
unicornux
Full Member
***

Karma: +2/-6
Offline Offline

Posts: 83


« Reply #2 on: July 27, 2022, 02:33:17 AM »

Yes. Probably, if someone has worked with this algorithm before, he can get it.
Logged
jcsbanks
Full Member
***

Karma: +19/-3
Offline Offline

Posts: 146


« Reply #3 on: July 28, 2022, 02:42:19 AM »

You might find some handy Java in factory tools as an alternative to disassembly or buying the solution from someone.

I don't have either or know any more than that: I don't do BMWs these days.

Having written a C implementation of what an ECU was doing for a seed key, I did later find the Java of it in a tool for another manufacturer though. A little byte code interpreter has a bit less to disassemble than RSA routines though, unless you've looked at lots of them in disassembly many treat their implementations as a black box and most that write RSA implementations in C use code someone else has done as it reduces implementation errors and saves times. A bulky black box of code is more difficult for many to disassemble.
Logged
sn4p
Newbie
*

Karma: +2/-0
Offline Offline

Posts: 5


« Reply #4 on: July 31, 2022, 11:45:43 AM »

Ok I've made some progress. I've managed to extract the RSA keys from the tool. They were hidden in a C++ shared library that was called with NDK.
There are 385 unique keys.

Example of a key:
MD5|21|MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAOAuGBLt7xIHDFOFkW80IJUIOzcFaKzPYeknkEvosUADPULBJEwTCAVz6IjH2UkBGYqp6n2bSCJqZ+a56Upr5K55IhwQT0ynTLYG9w+PZXF2q5hqq2eWy0eVII4Strvh/xpQzGNHsG0koDynG4zfckDrhSepTEUoVjhIF08mLO3RAgEDAoGBAJV0EAyen2FaCDeuYPTNaw4FfM9Y8HM06/DFCt1Fy4ACKNcrbYgMsAOimwXakNtWEQcb8akSMBbxmpnRRjGdQx2734u5E3cvS/hEfkIHy2z9Kk0sNvk8q6+xuSE+2qCCi6Hj4YMTns7KSN02HdJ2Gp2BknpHnKli0U7IgFsrAFBDAkEA9pBLaQMQGBDGf9kAkPukOnVvTZ+Ca5CWCKnj54aSv6DoroFfy4TSC6dER7NBaKXbD+Tw5dDKugKta4WyqVuuxwJBAOjCfxGvCchJ+yBgq/K4qcB2tVq5b1A5KgHg+EzoOF6Mvsx4vt69ZOmLrI47j8WkeZlEf1gQfFoZlK/RE7xQxqcCQQCkYDJGAgq6tdmqkKsLUm18Tkozv6xHtblbG+1FBGHVFfB0Vj/dAzayb4Lad4DwbpIKmKCZNdx8AcjyWSHGPR8vAkEAmyxUtnSxMDFSFZXH9yXGgE8jkdD04CYcAUCliJrQPwh/Mvsp6dOYm7JzCX0Kg8L7u4L/kAr9kWZjH+C30uCEbwJBAIvlB+0YBO5tRmvHn42kkQctbj3P/vchPSEuY728oJJ6ORSF7EUen+xwO5f0PntWLyDfLA0M17rfcCDduBrbs/s=

Most keys are like this but there are some keys starting with MD5|20| and MD5|3| that are smaller in size so I guess it's just a header specifying the key size.

I assume the signing algorithm is MD5withRSA using the 8 byte random seed from the ECU as data. However I cannot match the results I got from the scan (I've tried all keys and the seed in reverse). What am I missing? Could there be some XOR stuff happening before the sign? Any help appreciated.
Logged
d3irb
Full Member
***

Karma: +134/-1
Offline Offline

Posts: 195


« Reply #5 on: July 31, 2022, 12:47:30 PM »

Have you tried encrypting the "Key" data from your sniff using the public exponent+modulus from each RSA key until you get a valid ASN.1 payload, to see what the actual data is (ie - the MD5 hash you are targeting)? Then you are not flying blind with respect to what you are looking for at least.
« Last Edit: July 31, 2022, 04:45:37 PM by d3irb » Logged
sn4p
Newbie
*

Karma: +2/-0
Offline Offline

Posts: 5


« Reply #6 on: July 31, 2022, 06:00:14 PM »

The problem is that a valid payload will most likely be an md5 hash. So there is really no way to know which public key was used nor the plain message before the hash. Guess I have to disassembly some more trying to find the hash function unless someone knows a common algorithm that is applied on the seed. They could also use a non standard padding which would result in different signatures as well…
Logged
d3irb
Full Member
***

Karma: +134/-1
Offline Offline

Posts: 195


« Reply #7 on: July 31, 2022, 08:53:03 PM »

As you know, the MD5 hash needs to be padded to generate the necessary 1024-bit integer for RSA. So there is almost certain to be a structure to a "correct" payload which you can use to figure out which public key was employed.

IMO it is _exceptionally_ likely to be the standard RSA PKCS#1.5 signing method, with ASN.1 structure containing the MD5 hash and the usual PKCS#1.5 leader bytes.

I really think it could be useful to iterate through all public keys until you find one that produces a valid ASN.1 / PKCS#1.5 RSA signature structure. That way you at least know the MD5 hash you are looking for as well as which public key is in use. Bruteforcing 8 bytes of plaintext out of MD5 is also possible if it isn't actually the hash of something obvious. 

Of course, you're right, you do just have the code anyway, so you might as well disassemble it instead.
Logged
sn4p
Newbie
*

Karma: +2/-0
Offline Offline

Posts: 5


« Reply #8 on: August 01, 2022, 01:54:36 PM »

I finally cracked it  Grin

I would never had guessed it if I hadn't done the disassembly....

First you need to get the bootloader id, which is extracted from some specific bytes you get from a 22F101 command, then you use that ID as an index to get the right RSA key (there are about 350 keys), then the seed and the bootloader id are sent to a function that scrambles those bytes which are sent to an MD5 hash function, then another function scrambles the hash which is sent to the RSA sign function (that uses a not so common RSA/NONE/NoPadding scheme btw), then the signature is sent to a third scrambling function and finally those bytes are converted into a hex response sent back to the ECU.

Since both the seed and the bootloader id are used in the first scramble function a brute force attack over the the keys wouldn't have worked.

Talk about overkill security for an ECU...
Logged
d3irb
Full Member
***

Karma: +134/-1
Offline Offline

Posts: 195


« Reply #9 on: August 01, 2022, 05:17:49 PM »

Wow, that is overkill indeed - and yes, thanks to the third scrambling function my idea would never have worked.

This approach actually sounds decent provided the ECU's implementation of the same overcomplicated algorithm is sound.

Using an ID command to decide which RSA key ID to pull out of the "keychain" is a fairly common practice in the industry, but usually the signature piece is either standard or standard-ish. For example Bosch and Temic bootloaders use incorrectly implemented standard PKCS#1.5 with RIPEMD160 or SHA, or completely custom, for example Simos bootloader which just sends you 1024 or 2048 bits of not actually "random" supposedly random data and expects you to send it back encrypted.
Logged
jcsbanks
Full Member
***

Karma: +19/-3
Offline Offline

Posts: 146


« Reply #10 on: August 02, 2022, 12:22:05 AM »

Nice work.
Logged
nihalot
Full Member
***

Karma: +41/-3
Offline Offline

Posts: 117


« Reply #11 on: August 18, 2022, 04:05:26 AM »

I finally cracked it  Grin

I would never had guessed it if I hadn't done the disassembly....

First you need to get the bootloader id, which is extracted from some specific bytes you get from a 22F101 command, then you use that ID as an index to get the right RSA key (there are about 350 keys), then the seed and the bootloader id are sent to a function that scrambles those bytes which are sent to an MD5 hash function, then another function scrambles the hash which is sent to the RSA sign function (that uses a not so common RSA/NONE/NoPadding scheme btw), then the signature is sent to a third scrambling function and finally those bytes are converted into a hex response sent back to the ECU.

Since both the seed and the bootloader id are used in the first scramble function a brute force attack over the the keys wouldn't have worked.

Talk about overkill security for an ECU...


Great! now that you have write access, you can disable/patch WMBA to work without seed/key.
Logged

www.tangentmotorsport.com

multimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15

contact for reverse engineering services of any ECU/TCU
alfa-bravo
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 3


« Reply #12 on: December 09, 2023, 02:53:27 AM »

hello, very good work, I am currently working on something similar, a cas 2 of BMW E60 (2004) I sniffed the frames of my tool, it makes an id request and then a seed request which is 8 bytes and the response is 64 bytes (128 octets) could someone help me please, the public keys that were rsa extracted, can you share them? a priori my id is 019002341. Thank you

Envoyé de mon SM-F926B en utilisant Tapatalk

Logged
808AWD325xi
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 4


« Reply #13 on: February 09, 2024, 01:13:36 PM »

hello, very good work, I am currently working on something similar, a cas 2 of BMW E60 (2004) I sniffed the frames of my tool, it makes an id request and then a seed request which is 8 bytes and the response is 64 bytes (128 octets) could someone help me please, the public keys that were rsa extracted, can you share them? a priori my id is 019002341. Thank you

Envoyé de mon SM-F926B en utilisant Tapatalk



You need a RSA private key. Each authentication level has a unique key.
Logged
Stiffi66
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 2


« Reply #14 on: November 05, 2024, 12:52:50 AM »

Hi Smiley
I found the list with the different key's, related to the bootloader-id.
Does anybody have any hint where to search for the hash and sign functions?
Is it something in the pdx or part of e-sys/ista in general?

Br
Stiffi
Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.023 seconds with 16 queries. (Pretty URLs adds 0s, 0q)