Thread: segam ecu unlock ?

  1. #1
    Potential Tuner
    Join Date
    Sep 2003
    Location
    Posts
    9

    segam ecu unlock ?

    I'm trying to unlock an ISO 9141 segam ECU. The "xx xx" in the listing below is what I'm trying to figure out. This appears to be a response based on some transform of the "2A 6F" in the previous line that the sw must give to the ECU to unlock it.
    sw - is my software
    ecu - ecu response

    The sequence is as follows:

    sw - 82 D5 F5 27 85 F8
    ecu - 84 F5 D5 67 85 2A 6F D3
    sw - 84 D5 F5 27 86 xx xx 86
    ecu - 82 F5 D5 67 86 39
    sw - 82 D5 F5 A2 81 6F
    ecu - 82 F5 D5 E2 81 AF
    .
    .
    .

  2. #2
    HP Tuners Owner Keith@HPTuners
    Join Date
    Sep 2002
    Location
    Chicago, IL
    Posts
    6,394

    Re: segam ecu unlock ?

    I'm not sure of the answer to your question, but I have a few comments...

    Welcome to the board and thanks for posting some of the ISO protocol. Looks similar to GM's in some aspects, but yet different at the same time. Do you have any more ISO info at all? I would love to add an ISO page up top.
    We got this guy Not Sure, ...

  3. #3
    Potential Tuner
    Join Date
    Sep 2003
    Location
    Posts
    9

    Re: segam ecu unlock ?

    Well, this "unlock" appears to be my last hurdle.

    Did some looking around in the files portion of this site and this is described in section 6.3 of 14230-3s.pdf.

    The 2A 6F is different each time the sequence is attempted and is really better represented as follows:

    sw - 82 D5 F5 27 85 F8
    ecu - 84 F5 D5 67 85 yy yy D3
    sw - 84 D5 F5 27 86 xx xx 86
    ecu - 82 F5 D5 67 86 39
    sw - 82 D5 F5 A2 81 6F
    ecu - 82 F5 D5 E2 81 AF

    yyyy/xxxx is a key/sendkey pair...

    Any guidelines on things to try?
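The exchange in posts #1 and #3 is an ISO 14230-3 (KWP2000) SecurityAccess handshake: service 27 with an odd sub-function requests a seed, the ECU answers with service 67 (27 + 40), and the even sub-function sends the key back. The decoder below is an added example, not code from the thread; it assumes the standard KWP2000 framing (format byte 8N with N = payload length, target and source address bytes, then an 8-bit sum checksum) and shows that every frame quoted in the thread checksums correctly. The sample frames are the ones posted above; the unknown "xx xx" frame is deliberately left out.

```python
# Added example: parse and label the KWP2000 frames quoted in the thread.
# Assumed framing: [0x8N][target][source][service][data...][checksum],
# where N is the payload length and checksum = sum of all prior bytes & 0xFF.
from dataclasses import dataclass


@dataclass
class KwpFrame:
    target: int
    source: int
    service: int
    data: bytes
    checksum_ok: bool


def parse_frame(raw: bytes) -> KwpFrame:
    """Split one physically addressed KWP2000 frame and verify its checksum."""
    if len(raw) < 5:
        raise ValueError("frame too short")
    fmt = raw[0]
    if fmt & 0xC0 != 0x80:
        raise ValueError("expected format byte 0x8N (address bytes present)")
    length = fmt & 0x3F
    if length == 0 or len(raw) != 4 + length:
        raise ValueError(f"length byte says {length}, got {len(raw) - 4} payload bytes")
    expected = sum(raw[:-1]) & 0xFF
    payload = raw[3:-1]
    return KwpFrame(raw[1], raw[2], payload[0], bytes(payload[1:]), expected == raw[-1])


def describe(frame: KwpFrame) -> str:
    """Name the SecurityAccess steps: 0x27 request, 0x67 positive reply, 0x7F negative reply."""
    svc, data = frame.service, frame.data
    if svc in (0x27, 0x67) and data:
        sub = data[0]
        if svc == 0x27:
            step = "requestSeed" if sub & 1 else "sendKey"
            return f"SecurityAccess {step} (sub {sub:02X}) data={data[1:].hex().upper()}"
        what = "seed" if sub & 1 else "unlocked"
        return f"SecurityAccess positive response (sub {sub:02X}) {what}={data[1:].hex().upper()}"
    if svc == 0x7F and len(data) >= 2:
        return f"negative response to service {data[0]:02X}, code {data[1]:02X}"
    return f"service {svc:02X} data={data.hex().upper()}"


# Frames exactly as posted in the thread (sw -> ecu, ecu -> sw, ecu -> sw).
EXCHANGE = ["82 D5 F5 27 85 F8", "84 F5 D5 67 85 2A 6F D3", "82 F5 D5 67 86 39"]


def decode_exchange(lines):
    """Return the human-readable label for each frame; raises on malformed input."""
    return [describe(parse_frame(bytes.fromhex(line))) for line in lines]
```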

  4. #4
    HP Tuners Owner Keith@HPTuners
    Join Date
    Sep 2002
    Location
    Chicago, IL
    Posts
    6,394

    Re: segam ecu unlock ?

    Do you have any examples of valid seed/key pairs?

    Chances are it's not a simple math routine. To find the routine you would have to do some debugging/snooping and look at API and DLL calls... and also watch mem values in RAM as the application gets the seed and calculates the seed.

  5. #5
    Potential Tuner
    Join Date
    Sep 2003
    Location
    Posts
    9

    Re: segam ecu unlock ?

    Perl-scripted these out of some captures:

    from ecu   correct key to ecu
    --------   ------------------
    1444 E5C8
    2619 9E02
    2A6F FD8E
    37EE 563C
    38E6 D5AC
    5657 9DDE
    590D 382A
    642F FD0E
    6642 3524
    6A71 7232
    8F7A 1914
    8F7A 1914
    98DA D9D4
    9BDD BECA
    9FEB B746
    A67B 7166
    AC25 45DA
    B614 DA68
    B804 D948
    C48F 9BCE
    CD9C 33F8
    D3D2 ED44
    DC2C 7E18
    DC5F 5C6E
    DFAE 91BC
    EA62 C764
    EF17 0B5E
    F6C0 8980
    FE55 793A

  6. #6
    Potential Tuner
    Join Date
    Sep 2003
    Location
    Posts
    9

    Re: segam ecu unlock ?

    Hmmm... there is a 10 second timeout if the key I send back is incorrect, but I guess I could write some software and let it run for a few days until I build up all the pairs, creating a big lookup (64k)... will I have to power cycle between failures? If so this won't work.

    Or maybe build a big enough table so that if I keep sending the request the ECU will eventually (within a reasonable amount of time) respond with a known key (yyyy)...

    sw - 82 D5 F5 27 85 F8 (repeat until yyyy is a hit)
    ecu - 84 F5 D5 67 85 yy yy D3
    .
    .
    .
    This transform cannot be too complicated. The ECU does not have a lookup table that big. I was also going to play around with some CRC algorithms...

  7. #7
    Potential Tuner
    Join Date
    Sep 2003
    Location
    Posts
    9

    Re: segam ecu unlock ?

    What is the best way to monitor the application? It is running on w2k.
    TIA!

  8. #8
    HP Tuners Owner Keith@HPTuners
    Join Date
    Sep 2002
    Location
    Chicago, IL
    Posts
    6,394

    Re: segam ecu unlock ?

    It's not a lookup table, it's definitely a calculation. The calc is not easy to obtain by any means either.

    The sniff idea may be your best bet, but the problem with that is there are 65535 possible combinations!!!!

  9. #9
    Tuner in Training
    Join Date
    May 2003
    Location
    SLC, Utah
    Posts
    33

    Re: segam ecu unlock ?

    Do you have the contents of the ECU's flash memory?

    A lot of European ECUs have the seed/key algorithm inside the code.

    Do you know what processor is used/etc?

  10. #10
    HP Tuners Owner Keith@HPTuners
    Join Date
    Sep 2002
    Location
    Chicago, IL
    Posts
    6,394

    Re: segam ecu unlock ?

    If the PCM calcs the seed randomly each time, the algo must be in the PCM.

  11. #11
    Tuner in Training
    Join Date
    May 2003
    Location
    SLC, Utah
    Posts
    33

    Re: segam ecu unlock ?

    No doubt it is.

    Most of the Euro OEMs (Bosch/Siemens/etc) base the seed off of one of the timers, and then the calcs are included in the code.

    They bet (very correctly) that only a very small few people actually can R.E. code enough to reverse the actual seed/key.

    I've done the seed/keys for Bosch/Siemens/etc

    Jim

  12. #12
    Potential Tuner
    Join Date
    Sep 2003
    Location
    Posts
    9

    Re: segam ecu unlock ?

    Do tell. Do tell. My ECU uses a Siemens C176CR-LM. What algorithms have you seen used on a Siemens?

    My guess is that this algorithm is common across most OEMs that use the part. They make it unique by changing an internal key (not the response key), which should fall right out if you have valid seed/key (which I do) and the algorithm.

    The Siemens has this instruction BFLDL...

    "Replaces those bits in the low byte of the destination word operand
    op1 which are selected by a '1' in the AND mask op2 with the bits
    at the corresponding positions in the OR mask specified by op3."

    Am I getting warm???


  13. #13
    Tuner in Training
    Join Date
    May 2003
    Location
    SLC, Utah
    Posts
    33

    Re: segam ecu unlock ?

    No, it likely won't be the same.

    You need to remove the internal flash memory chip from the ECU and read it out via an EPROM programmer into a binary file.

    Then you disassemble the code, and find the seed/key.

    Jim

  14. #14
    Potential Tuner
    Join Date
    Jan 2008
    Posts
    1

    I was searching for information on the seed/key algorithm and found this forum. I want to know: what is seed/key, and how is it used? Is the sequence sent before or after every command/instruction/code, or is it just used once to unlock the ECU, after which the information on the EPROM can be read/written?
    I would like to have this information as I have queries about this, having heard of it for the first time.