Author Topic: Cluster seed/key  (Read 7317 times)
H2Deetoo
« on: December 04, 2014, 01:23:25 AM »

Hi guys,


I've been playing around with Vagtacho 5.0 on my UDS cluster (3AA 920 880 A), and although it seems Vagtacho doesn't support my cluster it does show some interesting communications:

Command: 2E FD 11 01              -> WriteDataByIdentifier
Reply: 08 02 6E 02 AA AA AA AA AA -> Positive response

Command: 31 01 02 03              -> RoutineControl
Reply: 08 04 71 01 02 03 AA AA AA -> Seems like a positive response (71h=31h+40h)

Command: 10 03                      -> Enter diagnostic session 03
Reply: 08 06 50 03 00 32 00 C8 AA -> Positive response

Command: 10 02                      -> Enter diagnostic session 02 (programming mode)
Reply: 08 03 7F 10 78 AA AA AA AA -> busy
Reply: 08 06 50 02 00 32 2E E0 AA -> Positive response

Command: 27 11                    -> request seed index 11
Reply: 08 06 67 11 3A 8B C9 BF AA -> seed received

Command: 27 12 B9 60 DB A9        -> send key index 11+1
Reply: 08 03 7F 27 35 AA AA AA AA -> 35 = invalid key

Command: 27 11
Reply: 08 06 67 11 3A 8B C0 96 AA
Command: 27 12 B9 69 F2 A9
Reply: 08 03 7F 27 35 AA AA AA AA

Now the funny thing is that in this mode (the cluster becomes dark btw) I can continuously ask for a seed and transmit a key.
There is no timeout or retry expiration which is normal in other modes.
The seed is changing (pseudo-randomly) so if I supply a fixed key I can brute it.
So I have a situation now where I could brute the correct key. I will make a test to see how fast this goes (if it is plausible to brute a valid key in my lifespan).

It seems Vagtacho does calculate a specific key for a given seed but it doesn't seem correct (7F xx 35 response). So I guess the seed/key algo for my cluster is unsupported.
I've left Vagtacho running for some time but of course it doesn't find the correct key, but when hitting the cancel button I see this:

Command: 34 01 44 03 FF 1E 96 00 00 00 70 -> RequestDownload to ECU (write to ECU)
Reply: 08 03 7F 34 7F AA AA AA AA         -> 7F = Service or Subfunction not supported (in active Session)

or

Command: 34 01 44 03 FF 1E 96 00 00 00 70 -> RequestDownload to ECU (write to ECU)
Reply: 08 03 7F 34 33 AA AA AA AA         -> 33 = Security access denied

I guess in a normal situation where it does answer with a valid key, its next step would be to upload something to the ECU.
I've read that most of these tools seem to upload some loader application to RAM, then execute it and the loader will output (a part of) the flash, where important values/keys are stored.

If I could realise a valid key using brute, I could try to dump the firmware using command 35, and continue my investigations from there.
Unfortunately, the syntax for the 34 cmd used by VagTacho is different compared to the one explained here:
http://nefariousmotorsports.com/forum/index.php?topic=4983.15

Does anyone have some documentation somewhere which might explain the correct syntax? Or can add some other helpful info?


Thanks in advance,

H2Deetoo
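The log above is easier to read once the framing is stripped off. The decoder below is an added example (not code from the post or from VagTacho) that turns those lines into named UDS responses: positive replies (SID + 0x40), negative replies (7F SID NRC) and the 0x78 "response pending" case, plus the session timing and the seed value carried in the positive replies. It assumes, which the page does not state, that each logged reply is one CAN frame written as a DLC byte followed by its 8 data bytes, that the first data byte is the ISO-TP single-frame PCI (payload length in the low nibble) and that 0xAA is padding; the LOG table is copied from the post as test input. The NRC table also includes 0x36/0x37, which are what a seed/key loop must watch for in sessions that do enforce an attempt counter or delay timer.

```python
"""Decoder for VagTacho-style UDS log lines ("DLC + 8 data bytes" per reply).

Added example, not from the thread or VagTacho. Assumes ISO-TP single frames
with 0xAA padding; command lines are the raw UDS request payload.
"""
from dataclasses import dataclass
from typing import List, Tuple

SERVICES = {
    0x10: "DiagnosticSessionControl",
    0x27: "SecurityAccess",
    0x2E: "WriteDataByIdentifier",
    0x31: "RoutineControl",
    0x34: "RequestDownload",
    0x35: "RequestUpload",
}

# Negative response codes (ISO 14229-1): those in the log plus the lock-out ones.
NRC = {
    0x24: "requestSequenceError",
    0x33: "securityAccessDenied",
    0x35: "invalidKey",
    0x36: "exceededNumberOfAttempts",
    0x37: "requiredTimeDelayNotExpired",
    0x78: "requestCorrectlyReceivedResponsePending",
    0x7E: "subFunctionNotSupportedInActiveSession",
    0x7F: "serviceNotSupportedInActiveSession",
}


@dataclass(frozen=True)
class Reply:
    kind: str        # "positive", "negative" or "pending" (NRC 0x78)
    sid: int         # request SID this reply answers
    payload: bytes   # bytes after the response SID (the NRC for negatives)
    text: str


def parse_reply(line: str) -> Reply:
    """Decode one 'DLC + 8 data bytes' reply line into a UDS response."""
    raw = bytes.fromhex(line.replace(" ", ""))
    dlc, data = raw[0], raw[1:]
    if not 1 <= dlc <= len(data):
        raise ValueError(f"DLC {dlc} does not fit {len(data)} data bytes")
    pci = data[0]
    if pci >> 4 != 0:
        raise ValueError("only ISO-TP single frames are handled here")
    n = pci & 0x0F
    if not 1 <= n <= dlc - 1:
        raise ValueError(f"bad single-frame length {n}")
    uds = data[1:1 + n]
    if uds[0] == 0x7F:
        if n < 3:
            raise ValueError("negative response needs SID and NRC")
        sid, nrc = uds[1], uds[2]
        kind = "pending" if nrc == 0x78 else "negative"
        text = f"7F {sid:02X} {nrc:02X}: {SERVICES.get(sid, f'SID {sid:02X}')} -> {NRC.get(nrc, f'NRC {nrc:02X}')}"
        return Reply(kind, sid, bytes([nrc]), text)
    sid = uds[0] - 0x40
    return Reply("positive", sid, uds[1:],
                 f"{SERVICES.get(sid, f'SID {sid:02X}')} positive: {uds[1:].hex(' ').upper()}")


def decode_session(r: Reply) -> Tuple[int, int, int]:
    """DiagnosticSessionControl positive response -> (session, P2 ms, P2* ms).
    P2 is coded in 1 ms units, P2* in 10 ms units (ISO 14229-1)."""
    if r.kind != "positive" or r.sid != 0x10 or len(r.payload) != 5:
        raise ValueError("not a DiagnosticSessionControl positive response")
    return (r.payload[0], int.from_bytes(r.payload[1:3], "big"),
            int.from_bytes(r.payload[3:5], "big") * 10)


def decode_seed(r: Reply) -> Tuple[int, int]:
    """SecurityAccess requestSeed positive response -> (level, seed as int)."""
    if r.kind != "positive" or r.sid != 0x27 or r.payload[0] % 2 == 0:
        raise ValueError("not a requestSeed positive response")
    return r.payload[0], int.from_bytes(r.payload[1:], "big")


def key_attempt_verdict(r: Reply) -> str:
    """What the reply to a sendKey (27 12 ...) tells a seed/key loop."""
    if r.sid != 0x27:
        return "not a SecurityAccess reply"
    if r.kind == "positive":
        return "unlocked"
    nrc = r.payload[0]
    return {0x35: "invalid key, fresh seed needed",
            0x36: "attempt counter exhausted, ECU will lock out",
            0x37: "delay timer running, wait before retrying",
            0x24: "sequence error, request a seed first"}.get(nrc, f"refused with NRC {nrc:02X}")


# Exchanges copied from the post above (used here as constructed test input).
LOG = [
    ("10 03", "08 06 50 03 00 32 00 C8 AA"),
    ("10 02", "08 03 7F 10 78 AA AA AA AA"),
    ("10 02", "08 06 50 02 00 32 2E E0 AA"),
    ("27 11", "08 06 67 11 3A 8B C9 BF AA"),
    ("27 12 B9 60 DB A9", "08 03 7F 27 35 AA AA AA AA"),
    ("34 01 44 03 FF 1E 96 00 00 00 70", "08 03 7F 34 33 AA AA AA AA"),
]


def describe_log(log) -> List[str]:
    out = []
    for cmd, reply in log:
        r = parse_reply(reply)
        line = f"{cmd:<34} {r.text}"
        if r.kind == "positive" and r.sid == 0x10:
            s, p2, p2s = decode_session(r)
            line += f" (session {s:02X}, P2 {p2} ms, P2* {p2s} ms)"
        elif r.kind == "positive" and r.sid == 0x27 and r.payload[0] % 2 == 1:
            lvl, seed = decode_seed(r)
            line += f" (level {lvl:02X}, seed {seed:08X})"
        elif r.sid == 0x27:
            line += f" [{key_attempt_verdict(r)}]"
        out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(describe_log(LOG)))
```

Running it on the log shows the programming-session reply advertising P2* = 0x2EE0 x 10 ms = 120 s, and every sendKey answered with invalidKey (0x35) rather than 0x36/0x37, which is the condition the post relies on for brute forcing.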
H2Deetoo
« Reply #1 on: December 04, 2014, 02:47:22 AM »

I found a reference :

34
01 -> dataFormatIdentifier
   -> The high nibble specifies the “compressionMethod” = 0
   -> The low nibble specifies the “encryptingMethod”   = 1


44 -> addressAndLengthFormatIdentifier
   -> bit 7 - 4: Length (number of bytes) of the memorySize parameter.    = 4
   -> bit 3 - 0: Length (number of bytes) of the memoryAddress parameter. = 4

03 FF 1E 96 -> Memory address 4 bytes
00 00 00 70 -> Memory length 4 bytes

Hopefully I read the firmware without compression and without encryption ;-)


Rgs H2Deetoo
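The field layout in the reply above can be checked mechanically. The encoder/decoder below is an added example (not code from the thread or from VagTacho) that follows the ISO 14229-1 RequestDownload layout: dataFormatIdentifier (compression nibble, encryption nibble), addressAndLengthFormatIdentifier (size-width nibble, address-width nibble), then memoryAddress and memorySize at those widths. It decodes the exact request VagTacho sent, re-encodes it byte-for-byte, and goes one step beyond the page: it parses the 0x74 positive response (lengthFormatIdentifier + maxNumberOfBlockLength, also per ISO 14229-1, not shown in the thread) and plans the TransferData (0x36) blocks, remembering that maxNumberOfBlockLength counts the SID and the blockSequenceCounter. The 74 20 00 FA response is a constructed sample, not something the cluster returned.

```python
"""UDS RequestDownload (0x34) encoder/decoder and TransferData block planner.

Added example following ISO 14229-1; not code from the thread or VagTacho.
SAMPLE_RESPONSE is constructed, VAGTACHO_REQUEST is the request from the log.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RequestDownload:
    address: int
    size: int
    compression: int = 0   # high nibble of dataFormatIdentifier
    encryption: int = 0    # low nibble of dataFormatIdentifier
    addr_width: int = 4    # bytes of memoryAddress (low nibble of ALFID)
    size_width: int = 4    # bytes of memorySize (high nibble of ALFID)

    def encode(self) -> bytes:
        for v, name in ((self.compression, "compression"), (self.encryption, "encryption"),
                        (self.addr_width, "addr_width"), (self.size_width, "size_width")):
            if not 0 <= v <= 15:
                raise ValueError(f"{name} must fit in a nibble")
        if self.addr_width == 0 or self.size_width == 0:
            raise ValueError("address and size need at least one byte each")
        dfi = (self.compression << 4) | self.encryption
        alfid = (self.size_width << 4) | self.addr_width
        # to_bytes raises OverflowError if the value does not fit the width.
        return (bytes([0x34, dfi, alfid])
                + self.address.to_bytes(self.addr_width, "big")
                + self.size.to_bytes(self.size_width, "big"))

    @classmethod
    def decode(cls, req: bytes) -> "RequestDownload":
        if len(req) < 3 or req[0] != 0x34:
            raise ValueError("not a RequestDownload request")
        dfi, alfid = req[1], req[2]
        size_width, addr_width = alfid >> 4, alfid & 0x0F
        if addr_width == 0 or size_width == 0:
            raise ValueError("zero-length address or size field")
        if len(req) != 3 + addr_width + size_width:
            raise ValueError(f"expected {3 + addr_width + size_width} bytes, got {len(req)}")
        address = int.from_bytes(req[3:3 + addr_width], "big")
        size = int.from_bytes(req[3 + addr_width:], "big")
        return cls(address, size, dfi >> 4, dfi & 0x0F, addr_width, size_width)


def decode_download_response(resp: bytes) -> int:
    """74 <lengthFormatIdentifier> <maxNumberOfBlockLength> -> maxNumberOfBlockLength.
    The value counts the whole TransferData request: SID 0x36 + counter + data."""
    if len(resp) < 2 or resp[0] != 0x74:
        raise ValueError("not a RequestDownload positive response")
    n = resp[1] >> 4
    if n == 0 or len(resp) != 2 + n:
        raise ValueError("bad lengthFormatIdentifier")
    return int.from_bytes(resp[2:2 + n], "big")


def plan_transfer(size: int, max_block_len: int) -> List[Tuple[int, int, int]]:
    """Split `size` bytes into TransferData blocks (blockSequenceCounter, offset, length).
    The counter starts at 1 and wraps 0xFF -> 0x00 (ISO 14229-1)."""
    chunk = max_block_len - 2          # minus SID and blockSequenceCounter
    if chunk <= 0:
        raise ValueError("maxNumberOfBlockLength leaves no room for data")
    blocks, offset, bsc = [], 0, 1
    while offset < size:
        n = min(chunk, size - offset)
        blocks.append((bsc, offset, n))
        offset += n
        bsc = (bsc + 1) & 0xFF
    return blocks


# The request VagTacho sent (from the log in the first post).
VAGTACHO_REQUEST = bytes.fromhex("34 01 44 03 FF 1E 96 00 00 00 70")
# Constructed positive response: two-byte maxNumberOfBlockLength = 0x00FA (250).
SAMPLE_RESPONSE = bytes.fromhex("74 20 00 FA")

if __name__ == "__main__":
    rd = RequestDownload.decode(VAGTACHO_REQUEST)
    print(rd)
    print("re-encoded:", rd.encode().hex(" ").upper())
    print("compression:", rd.compression, "encryption:", rd.encryption,
          "(non-zero nibbles mean a vendor-specific method the ECU expects)")
    print("blocks:", plan_transfer(rd.size, decode_download_response(SAMPLE_RESPONSE)))
```

Decoding the logged request gives address 0x03FF1E96, size 0x70 and dataFormatIdentifier 0x01, so the encryption nibble is set; whatever that method is for this cluster is not documented on the page.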
turboat
« Reply #2 on: December 04, 2014, 03:12:18 AM »

What are you using to analyse the comms?
H2Deetoo
« Reply #3 on: December 04, 2014, 04:18:49 AM »

Well, Vagtacho 5.0 software allows you to display the used CAN messages in its log window.
Also, I wrote my own logger (and test) software using this Vagtacho cable ... so I can log other tools like VCDS as well.


Rgs H2Deetoo
turboat
« Reply #4 on: December 04, 2014, 06:09:03 AM »

That sounds really useful, have you thought about open-sourcing it?
H2Deetoo
« Reply #5 on: December 04, 2014, 07:34:34 AM »

> That sounds really useful, have you thought about open-sourcing it?

Well, a logger is useful of course but there are many logger cables/tools available for a fair price (like ELM327).
The main reason I decided to write my own tool is the fact that I had the Vagtacho cable already, and so why buy a new/different one?
(And I like to investigate such things and write test tools and so on ..)

For now it's not going open-source because there isn't anything special about it.
But I am willing to help people out though who want to do a similar thing with their existing cables ...


Rgs H2Deetoo
H2Deetoo
« Reply #6 on: December 04, 2014, 10:48:34 AM »

Hmm, it seems I can brute with a rate of 31 keys/sec.
For a 32-bit seed/key this will take me about 4 years :(
g0tcha
« Reply #7 on: May 26, 2016, 08:32:44 AM »

> Hmm, it seems I can brute with a rate of 31 keys/sec.
> For a 32-bit seed/key this will take me about 4 years :(

Hi,

That's why people come to me, I make your life easier. I can offer you any seed/key algorithm, from ECU flashing to mileage correction (dashboard) to immobilizer.