-
segam ecu unlock ?
I'm trying to unlock an ISO 9141 segam ecu. The "xx xx" in the listing below is what I'm trying to figure out. This appears to be a response based on some transform of the "2A 6F" in the previous line that the sw must give to the ecu to unlock it.
sw - is my software
ecu - ecu response
The sequence is as follows:
sw - 82 D5 F5 27 85 F8
ecu - 84 F5 D5 67 85 2A 6F D3
sw - 84 D5 F5 27 86 xx xx 86
ecu - 82 F5 D5 67 86 39
sw - 82 D5 F5 A2 81 6F
ecu - 82 F5 D5 E2 81 AF
.
.
.
-
Re: segam ecu unlock ?
I'm not sure of the answer to your question, but I have a few comments...
Welcome to the board and thanks for posting some of the ISO protocol. Looks similar to GM's in some aspects, but different at the same time. Do you have any more ISO info at all? I would love to add an ISO page up top. :)
-
Re: segam ecu unlock ?
Well, this "unlock" appears to be my last hurdle.
Did some looking around in the files portion of this site and this is described in section 6.3 of 14230-3s.pdf.
The 2A 6F is different each time the sequence is attempted and is really better represented as follows:
sw - 82 D5 F5 27 85 F8
ecu - 84 F5 D5 67 85 yy yy D3
sw - 84 D5 F5 27 86 xx xx 86
ecu - 82 F5 D5 67 86 39
sw - 82 D5 F5 A2 81 6F
ecu - 82 F5 D5 E2 81 AF
yyyy/xxxx is a key/sendkey pair...
Any guidelines on things to try?
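The exchange quoted above, as an added worked example in Python (not code from the poster or from any tool the thread mentions). It assumes the frame layout that every captured frame is consistent with: a format byte of 0x80 plus the payload length, target address, source address, the service bytes, then a checksum equal to the 8-bit sum of everything before it; the addresses 0xD5 and 0xF5 are taken from the listing. The seed-to-key transform is unknown, so it is passed in as a callable. The replay link and the 2A6F -> FD8E pair used to drive it are constructed from the listing and from the pair table posted later in the thread, and the 0x35 negative-response code is the invalidKey code from the ISO 14230-3 spec, not something seen in the captures. One thing the checksum gives you for free: the key frame's trailing 0x86 means the two key bytes must sum to 0x8B modulo 256, and FD + 8E does.

```python
"""Added example (not from the original post): build and check the
ISO 14230 / KWP2000 frames quoted in the thread.

Assumed frame layout, consistent with every captured frame:
  fmt = 0x80 | payload_length, target address, source address,
  payload (service ID + data), checksum = 8-bit sum of the preceding bytes.
"""
from typing import Callable, Dict

TESTER = 0xF5   # address the software uses (source of the 27 85 request)
ECU = 0xD5      # address the ECU answers from


def checksum(data: bytes) -> int:
    """KWP2000 checksum: sum of header and payload bytes, modulo 256."""
    return sum(data) & 0xFF


def build_frame(target: int, source: int, payload: bytes) -> bytes:
    """Prepend the format/address header and append the checksum."""
    if not 1 <= len(payload) <= 0x3F:
        raise ValueError("payload length must fit in the 6-bit length field")
    body = bytes([0x80 | len(payload), target, source]) + payload
    return body + bytes([checksum(body)])


def parse_frame(raw: bytes) -> Dict[str, object]:
    """Validate length and checksum; return target, source and payload."""
    if len(raw) < 5:
        raise ValueError("frame too short")
    fmt, target, source = raw[0], raw[1], raw[2]
    if fmt & 0xC0 != 0x80:
        raise ValueError(f"unexpected format byte 0x{fmt:02X}")
    length = fmt & 0x3F
    if len(raw) != length + 4:
        raise ValueError(f"length field says {length}, frame carries {len(raw) - 4}")
    if checksum(raw[:-1]) != raw[-1]:
        raise ValueError("checksum mismatch")
    return {"target": target, "source": source, "payload": raw[3:-1]}


def frame_is_valid(raw: bytes) -> bool:
    try:
        parse_frame(raw)
        return True
    except ValueError:
        return False


def request_seed(level: int = 0x85) -> bytes:
    """securityAccess requestSeed: 27 <level>."""
    return build_frame(ECU, TESTER, bytes([0x27, level]))


def seed_from_response(raw: bytes, level: int = 0x85) -> int:
    """Extract the 16-bit seed from the positive response 67 <level> <hi> <lo>."""
    payload = parse_frame(raw)["payload"]
    if payload[0] == 0x7F:
        raise ValueError(f"negative response, code 0x{payload[-1]:02X}")
    if payload[0] != 0x67 or payload[1] != level or len(payload) != 4:
        raise ValueError(f"unexpected payload {payload.hex()}")
    return (payload[2] << 8) | payload[3]


def send_key(key: int, level: int = 0x86) -> bytes:
    """securityAccess sendKey: 27 <level> <hi> <lo>."""
    return build_frame(ECU, TESTER, bytes([0x27, level, key >> 8, key & 0xFF]))


def unlock_accepted(raw: bytes, level: int = 0x86) -> bool:
    """A positive response echoes the service ID | 0x40, here 67 <level>."""
    payload = parse_frame(raw)["payload"]
    return payload[0] == 0x67 and payload[1] == level


def unlock(seed_to_key: Callable[[int], int], send: Callable[[bytes], bytes]) -> bool:
    """Run the requestSeed / sendKey exchange over a caller-supplied link."""
    seed = seed_from_response(send(request_seed()))
    return unlock_accepted(send(send_key(seed_to_key(seed))))


def replay_link(frame: bytes) -> bytes:
    """Stand-in for the K-line: replays the ECU responses captured in the thread.
    Constructed for this example; the wrong-key branch is assumed (0x35 = invalidKey)."""
    payload = parse_frame(frame)["payload"]
    if payload[:2] == bytes([0x27, 0x85]):
        return bytes.fromhex("84F5D567852A6FD3")          # seed 2A 6F
    if payload[:2] == bytes([0x27, 0x86]) and payload[2:] == bytes([0xFD, 0x8E]):
        return bytes.fromhex("82F5D5678639")              # key accepted
    return build_frame(TESTER, ECU, bytes([0x7F, payload[0], 0x35]))


if __name__ == "__main__":
    known = {0x2A6F: 0xFD8E}  # pair from the table posted later in the thread
    print("unlocked:", unlock(lambda s: known[s], replay_link))
```

Running it drives the replayed exchange and reports `unlocked: True`; swapping in a wrong key returns `False` because the replay answers with a 7F negative response, which is the branch a real link hits during the 10-second lockout the thread mentions.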
-
Re: segam ecu unlock ?
Do you have any examples of valid seed/key pairs?
Chances are it's not a simple math routine. To find the routine you would have to do some debugging/snooping and look at API and DLL calls... and also watch mem values in RAM as the application gets the seed and calculates the seed.
-
Re: segam ecu unlock ?
Perl scripted these out of some captures:
seed (from ecu) -> correct key (to ecu)
------             -------
1444 E5C8
2619 9E02
2A6F FD8E
37EE 563C
38E6 D5AC
5657 9DDE
590D 382A
642F FD0E
6642 3524
6A71 7232
8F7A 1914
8F7A 1914
98DA D9D4
9BDD BECA
9FEB B746
A67B 7166
AC25 45DA
B614 DA68
B804 D948
C48F 9BCE
CD9C 33F8
D3D2 ED44
DC2C 7E18
DC5F 5C6E
DFAE 91BC
EA62 C764
EF17 0B5E
F6C0 8980
FE55 793A
-
Re: segam ecu unlock ?
Hmmm... there is a 10-second timeout if the key I send back is incorrect, but I guess I could write some software and let it run for a few days until I build up all the pairs, creating a big lookup (64k)... Will I have to power cycle between failures? If so, this won't work.
Or maybe build a big enough table so that if I keep sending the request the ecu will eventually (within a reasonable amount of time) respond with a known key (yyyy)...
sw - 82 D5 F5 27 85 F8 (repeat until yyyy is a hit)
ecu - 84 F5 D5 67 85 yy yy D3
.
.
.
This transform cannot be too complicated. The ecu does not have a lookup table that big. I was also going to play around with some CRC algorithms...
-
Re: segam ecu unlock ?
What is the best way to monitor the application? It is running on w2k.
TIA!
-
Re: segam ecu unlock ?
It's not a lookup table, it's definitely a calculation. The calc is not easy to obtain by any means either.
The sniff idea may be your best bet, but the problem with that is there are 65535 possible combinations!!!!
-
Re: segam ecu unlock ?
Do you have the contents of the ECU's flash memory?
A lot of European ECUs have the seed/key algorithm inside the code.
Do you know what processor is used, etc.?
-
Re: segam ecu unlock ?
If the PCM calcs the seed randomly each time, the algo must be in the PCM.
-
Re: segam ecu unlock ?
No doubt it is.
Most of the Euro OEMs (Bosch/Siemens/etc.) base the seed off of one of the timers, and then the calcs are included in the code.
They bet (very correctly) that only a very small few people actually can R.E. code enough to reverse the actual seed/key.
I've done the seed/keys for Bosch/Siemens/etc.
Jim
-
Re: segam ecu unlock ?
Do tell. Do tell. My ecu uses a Siemens C176CR-LM. What algorithms have you seen used on a Siemens?
My guess is that this algorithm is common across most OEMs that use the part. They make it unique by changing an internal key (not the response key), which should fall right out if you have a valid seed/key (which I do) and the algorithm.
The Siemens has this instruction BFLDL...
"Replaces those bits in the low byte of the destination word operand op1 which are selected by a '1' in the AND mask op2 with the bits at the corresponding positions in the OR mask specified by op3."
Am I getting warm?
-
Re: segam ecu unlock ?
No, it likely won't be the same.
You need to remove the internal flash memory chip from the ECU and read it out via an EPROM programmer into a binary file.
Then you disassemble the code, and find the seed/key.
Jim
-
I was searching for information on the seed/key algorithm and found this forum. I want to know what a seed/key is and how it is used: is the sequence sent before or after every command/instruction/code, or is it just used once to unlock the ECU, after which the information on the EPROM can be read/written?
I would like to have this information, as I am curious about this; I have heard of it for the first time.