How does flasers work?

**tomshao** · 08-24-2008

Hello everyone,

I'm new here, actually also new in car tuning.

I have a question about how the commercial ECU flashers work with vehicles, and here it is:

As far as I know, you need to have valid seed/key pairs to modify the content of ECUs.(I am talking about modification via diagnostic interface, not BDM flashing.

) And after several days searching on internet, I found little useful information about this

. Have HPtuners( or other company) already cracked the algorithm, or you just find sufficient number of valid seed/key pairs?

any directions?

Thank you very much in advance.

**EC_Tune** · 08-28-2008

Ummm. HP has them all handled. I don't think they will be just handing out proprietary info in an open forum though. However if you get them all figured out, don't hesitate to post up!

**Kris_LS1** · 08-28-2008

Originally Posted by tomshao

Hello everyone,

I'm new here, actually also new in car tuning.

I have a question about how the commercial ECU flashers work with vehicles, and here it is:

As far as I know, you need to have valid seed/key pairs to modify the content of ECUs.(I am talking about modification via diagnostic interface, not BDM flashing.

) And after several days searching on internet, I found little useful information about this

. Have HPtuners( or other company) already cracked the algorithm, or you just find sufficient number of valid seed/key pairs?

any directions?

Thank you very much in advance.

I think you will find this is called intellectual knowledge and is also patented, so I doubt if you will get an answer here or anywhere else for that matter.

**Chris@HPTuners** · 08-28-2008

the key just gets you in the first door to the next set of puzzles that finally leads to the giant maze inside that often goes nowhere, lol. Think Indiana Jones in a small silver box

Don't look at the light!

**jpr5690** · 08-28-2008

JUST TELL THE GUY ITS NOT LIKE HE GONNA START A COMPANY, HELL HALF OF US (INCLUDING MYSELF) PROBLALLY Cant even comprehend the answer anayways...

**tomshao** · 08-30-2008

Originally Posted by EC_Tune

Ummm. HP has them all handled. I don't think they will be just handing out proprietary info in an open forum though. However if you get them all figured out, don't hesitate to post up!

Hi guys,

Thanks for your reply.
I find following from another website, have anyone checked out this algorithm ?

From: kiti <kiti@...>
Date: Thu Sep 29 2005 - 07:01:43 CEST

Ok, that's nice! Thanks!
Anything about KW1281 ?

At 11:30 PM 9/28/05, you wrote:
>Let's assume you have a KWP2000 connection with your VAG group ECU

>
>Then let's go send these messages:
>
>82 : 2 data bytes
>01
>F1
>1A : ISO 14230-3 ReadECUIdentification
>92 : systemSupplierSpecific
>20 : CRC
>
>The ECU should respond with
>
>87 : 7 data bytes
>F1
>01
>5A : ISO 14230-3 positive reply
>92 : systemSupplierSpecific
>VV
>WW
>XX
>YY
>ZZ
>CS : CRC
>
>Now compute the following
>
>ecuid = (VV+WW+XX+YY+ZZ) & 0x3f
>
>Then send:
>
>82 : 2 data bytes
>01
>F1
>27 : ISO 14230-3 SecurityAccessRequest
>01 : Request Seed
>9C : CRC
>
>The ECU should respond with
>
>86 :6 data bytes
>01
>F1
>67 : ISO 14230-3 positive reply
>01 : Request Seed
>WW : Seed MSB
>XX
>YY
>ZZ : Seed LSB
>CS : CRC
>
>Now compute the following
>
>Seed = (WW<<24)+(XX<<16)+(YY<<8)+(ZZ)
>
>unsigned int table[64] =
>{
>0x0A221289,0x144890A1,0x24212491,0x290A0285,0x421 45091,0x504822C1,0x0A
>24C4C1,0x14252229,
>0x24250525,0x2510A491,0x28488863,0x29148885,0x422 184A5,0x49128521,0x50
>844A85,0x620CC211,
>0x124452A9,0x18932251,0x2424A459,0x29149521,0x423 52621,0x4A512289,0x52
>A48911,0x11891475,
>0x22346523,0x4A3118D1,0x64497111,0x0AE34529,0x153 98989,0x22324A67,0x2D
>12B489,0x132A4A75,
>0x19B13469,0x25D2C453,0x4949349B,0x524E9259,0x196 4CA6B,0x24F5249B,0x28
>979175,0x352A5959,
>0x3A391749,0x51D44EA9,0x564A4F25,0x6AD52649,0x764 93925,0x25DE52C9,0x33
>2E9333,0x68D64997,
>0x494947FB,0x33749ACF,0x5AD55B5D,0x7F272A4F,0x35B D5B75,0x3F5AD55D,0x5B
>5B6DAD,0x6B5DAD6B,
>0x75B57AD5,0x5DBAD56F,0x6DBF6AAD,0x75775EB5,0x5AE DFED5,0x6B5F7DD5,0x6F
>757B6B,0x5FBD5DBD
>};
>
>for (int i=0; i<5; i++)
>{
> if ((seed & 0x80000000) == 0)
> {
> seed = (table[ecuid]) ^ (seed << 1);
> }
> else
> {
> seed = (seed << 1);
> }
>}
>
>
>Then send:
>
>88 : 8 data bytes
>01
>F1
>27 : ISO 14230-3 SecurityAccessRequest
>02 : Send Key
>WW : (seed >> 24 ) & 0xff
>XX : (seed >> 16 ) & 0xff
>YY : (seed >> 8 ) & 0xff
>ZZ : (seed ) & 0xff
>00
>00
>CS : CRC
>
>The ECU should respond with
>
>83 : 3 data bytes
>01
>F1
>67 : ISO 14230-3 positive reply
>02 : Send Key
>34 : Not sure what this means
>12 : CRC
>
>Secure access granted, now you can read/write anything (eeprom etc.)
>
>Enjoy!
>
>

Thread: How does flasers work?

Thread Tools

How does flasers work?

An old thread from an other site