Okay here is what i have found, now for you mathematicians to find a logrithm to make sense of it all
Seed- 61CD- 0110 0001 1100 1101
Key- 9C3D- 1001 1100 0011 1101
Seed- 703C- 0111 0000 0011 1100
Key- 14D1- 0001 0100 1101 0001
These are two seed and Keys from A Grand Prix GTP write... Now the question is what links them?
If my theory is correct then the logrithm should be the same...
Kevin
Will probably need more than just two... Can start looking into possibilities, but there are many that could fit with such a small sample.
if we find 2 seeds or keys that are the same then we will know if there is any external info taken into account or it is just a straight hash. the odds are only 65535:1 :
I count sheep in hex...
what if we could get a cable and PC to respond with every mode $27 seed combination? we could then just map out a table of seeds/keys.
anyone else think this is crazy? since its only 2^16 it may just be doable. :huh2:
I count sheep in hex...
It appears to be standard Xor encryption routine to me.
i cant see it ???
here's some more:
[tt]
seed 2590 0010 0101 1001 0000
key 0328 0000 0011 0010 1000
seed 4470 0100 0100 0111 0000
key 2309 0010 0011 0000 1001
seed 136A 0001 0011 0110 1010
key 293A 0010 1001 0011 1010
[/tt]
I count sheep in hex...
Well, if it does use the Xor method, the seed and key pairs alone are not enough to determine this.
For instance, if it were encrypting the entire data stream, you would need to obtain a block of data that was encrypted and then Xor it with the key provided. Then you would compare the resulting unencrypted data to the same block of code extracted directly from the chip (e.g. clear text). If the Xor'ed data matches the extracted chip data then you are good to go.
If on the other hand it is using a separate securty code located at a specific memory address which the PCM encrypts using the key, it will be much more complicated as you would have nothing as far as clear text to compare it to. In this case one would need to obtain the security code encrypted by the key, Xor it, and then submit it to the PCM for security access approval.
Here is a useful js calculator for Xor encryption :
http://www.eng.uwaterloo.ca/~ejones/...e/encrypt.html
my guess is it is a simple hash function that takes one sixteen bit number and generates another. Knowing the algorithm is diffcult because it could be something really simple or something really obscure. the fact that it is "only" sixteen bits helps i guess.
I count sheep in hex...
Just perusing these posts. I have the identical problem with a different ecu. I've posted stuff over in the iso programming area.
If you can gather enough correct seed/key pairs, my guess is that you can just keep asking the ecu for a seed until one matches a seed in your set that you have the key for. Down side of this is the random amount of time it takes to do the unlock.
Also I may try what one poster mentioned above. just keep trying keys until you have a hit then log it. Given enough time you can fill a 65536x16 lookup table and your home free. The hitch here is that some ecus lock you out for 10 seconds(or more) after 2 bad key responses... if your have to power cycle it will make it really tough... hmmm pc controlled relay...
Not sure of the algorithm but may be some kind of crc.
Here is a cool crc calculator:
http://rcswww.urz.tu-dresden.de/%7Esr21/crc.html
do your pcm's generate a new seed every request? GM's pcm's have a seed hard coded and every time you request security from that PCM you get back the same seed.
We got this guy Not Sure, ...
Yes, I get a new seed every time. I posted the good seed/key pairs I have captured so far over in the iso area.
What is the best way to view what the application running on w2k is doing?
Hera those seed and keys dont have the same algo as the ls1s from gameover...
They use a different algo..
I need more than 2 seed key pairs.. can you post them?
Reply With Quote