Author Topic: closter G7 ver brazil. SeedKey 2701  (Read 1793 times)
ASTROLIDER
« on: April 30, 2023, 02:43:57 PM »

Hello, I am working with a VDO G7 Brazil-version cluster and studying the seed/key 27 01 algorithm.

Security Access 27 01 

21 5A 65 99 Seed
D6 59 E2 05 Key

21 DC 66 1B SEED
7E 40 3D BC KEY

22 4F 66 8E SEED
E9 A0 C2 74 KEY

22 E1 67 1F SEED
C2 94 37 59 KEY

23 74 67 B2 SEED
E3 8C A4 FC KEY

23 FB 68 39 SEED
0B EF 21 42 KEY

24 64 68 A2 SEED
9B 80 5A 61 KEY

24 EA 69 28 SEED
B8 5A 28 75 KEY

12 C9 57 07 SEED
C0 57 BA 89 KEY

13 4B 57 8A Seed
63 39 53 A0  Key

13 D4 58 12 Seed
33 7D 1D C2 Key

14 4E 58 8D Seed
C5 BD 48 60 Key

14 D1 59 0F Seed
DD 3D 0B 1F Key

prj
« Reply #1 on: May 01, 2023, 04:41:39 AM »

If the seed/key is not a simple addition then you can post as many of these as you want, it will not get you closer to the solution.
You can either try to dump the binary of the cluster (not the eeprom, the whole ROM) and reverse engineer it or you can reverse engineer whatever tool you are using to generate the responses.

PM's will not be answered, so don't even try.
Log your car properly.
ASTROLIDER
« Reply #2 on: May 01, 2023, 06:18:45 AM »

> If the seed/key is not a simple addition then you can post as many of these as you want, it will not get you closer to the solution.
> You can either try to dump the binary of the cluster (not the eeprom, the whole ROM) and reverse engineer it or you can reverse engineer whatever tool you are using to generate the responses.

Thanks for your answer. I am uploading the main micro file of the dash.
ASTROLIDER
« Reply #3 on: May 01, 2023, 06:36:31 AM »

opcode seed key 2711

Here I show the SA2 chain of the dash file for the seed key 27 11
ASTROLIDER
« Reply #4 on: May 22, 2023, 05:47:29 AM »

Continuing with my investigation with the data obtained, I notice that the algorithm for seed/key 27-01 depends on each starting section on the board.

000000,41,927100,0x714,Rx,Data,8,02 10 60 00 00 00 00 00 
000001,41,928200,0x77E,Rx,Data,8,06 50 60 00 28 00 C8 AA 
000002,41,948400,0x714,Rx,Data,8,04 31 01 02 03 00 00 00 
000003,41,949500,0x77E,Rx,Data,8,04 71 01 02 03 AA AA AA 
000004,41,969700,0x714,Rx,Data,8,03 22 22 03 00 00 00 00  <<--------- application
000005,41,989600,0x77E,Rx,Data,8,05 62 22 03 1C F2 AA AA  <<--------- 1C F2  change for each section
000006,42,009900,0x714,Rx,Data,8,03 22 F1 90 00 00 00 00 
000007,42,010700,0x77E,Rx,Data,8,10 14 62 F1 90 39 42 57 
000008,42,030900,0x714,Rx,Data,8,30 08 0A 00 00 00 00 00 
000009,42,031200,0x77E,Rx,Data,8,21 41 42 34 35 5A 30 4A 
000010,42,040700,0x77E,Rx,Data,8,22 34 30 32 33 30 33 33 
000011,42,060900,0x714,Rx,Data,8,02 10 03 00 00 00 00 00 
000012,42,062000,0x77E,Rx,Data,8,06 50 03 00 28 00 C8 AA 
000013,42,082200,0x714,Rx,Data,8,02 10 02 00 00 00 00 00 
000014,42,119400,0x77E,Rx,Data,8,03 7F 10 78 AA AA AA AA 
000015,42,144400,0x77E,Rx,Data,8,06 50 02 00 32 2E E0 AA
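Added example (not part of the original posts): a minimal ISO-TP reassembler and UDS labeller for a trace in the CSV layout posted above, showing how the multi-frame `22 F1 90` response and the `7F 10 78` response-pending frame decode. Most frames are copied from the trace; the `F1 90` payload bytes are constructed placeholders, and the service-name table is an assumption covering only the services seen in this thread.

```python
# Added example: ISO-TP reassembly and UDS labelling for the thread's CSV trace layout.
# Frames mirror the posted trace; the F1 90 payload bytes are constructed placeholders.
TRACE = """\
000004,41,969700,0x714,Rx,Data,8,03 22 22 03 00 00 00 00
000005,41,989600,0x77E,Rx,Data,8,05 62 22 03 1C F2 AA AA
000006,42,009900,0x714,Rx,Data,8,03 22 F1 90 00 00 00 00
000007,42,010700,0x77E,Rx,Data,8,10 14 62 F1 90 54 45 53
000008,42,030900,0x714,Rx,Data,8,30 08 0A 00 00 00 00 00
000009,42,031200,0x77E,Rx,Data,8,21 54 56 49 4E 30 30 30
000010,42,040700,0x77E,Rx,Data,8,22 30 30 30 30 30 30 30
000013,42,082200,0x714,Rx,Data,8,02 10 02 00 00 00 00 00
000014,42,119400,0x77E,Rx,Data,8,03 7F 10 78 AA AA AA AA
000015,42,144400,0x77E,Rx,Data,8,06 50 02 00 32 2E E0 AA
"""

SERVICES = {0x10: "DiagnosticSessionControl", 0x22: "ReadDataByIdentifier",
            0x27: "SecurityAccess", 0x31: "RoutineControl"}

def reassemble(trace):
    """Yield (can_id, payload) for each complete ISO-TP message in the trace."""
    pending = {}  # can_id -> [expected_length, bytearray collected so far]
    for line in trace.splitlines():
        fields = line.split(",")
        can_id = int(fields[3], 16)
        data = bytes.fromhex(fields[7])
        kind = data[0] >> 4
        if kind == 0:                              # single frame: low nibble is the length
            yield can_id, data[1:1 + (data[0] & 0x0F)]
        elif kind == 1:                            # first frame: 12-bit total length
            pending[can_id] = [((data[0] & 0x0F) << 8) | data[1], bytearray(data[2:])]
        elif kind == 2 and can_id in pending:      # consecutive frame (sequence not checked)
            total, buf = pending[can_id]
            buf += data[1:]
            if len(buf) >= total:                  # drop padding beyond the declared length
                del pending[can_id]
                yield can_id, bytes(buf[:total])
        # kind == 3 is flow control from the receiver and carries no payload

def describe(payload):
    sid = payload[0]
    if sid == 0x7F:                                # negative response: 7F <SID> <NRC>
        nrc = "responsePending" if payload[2] == 0x78 else f"NRC 0x{payload[2]:02X}"
        return f"Negative response to {SERVICES.get(payload[1], hex(payload[1]))}: {nrc}"
    if sid & 0x40:                                 # positive response is request SID + 0x40
        return SERVICES.get(sid - 0x40, hex(sid)) + " positive response"
    return SERVICES.get(sid, hex(sid)) + " request"

def decode(trace=TRACE):
    return [(hex(cid), describe(p), p.hex(" ")) for cid, p in reassemble(trace)]
```

Calling `decode()` returns one tuple per reassembled message, so the flow-control and padding bytes no longer obscure which service each frame belongs to.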
ASTROLIDER
« Reply #5 on: May 22, 2023, 06:13:38 AM »

> If the seed/key is not a simple addition then you can post as many of these as you want, it will not get you closer to the solution.
> You can either try to dump the binary of the cluster (not the eeprom, the whole ROM) and reverse engineer it or you can reverse engineer whatever tool you are using to generate the responses.

You are correct. No matter how many seed/key pairs you request, they change in each section. For example, if I simulate a fixed seed, the key response changes for each section started.
