Re: seed/key unlock

From: sbarsanescu <sbarsanescu@...>
Date: Wed Sep 10 2003 - 12:18:38 CEST

Hi Tim,

I have (almost) no experience with Siemens, but common sense dictates
that the generation algorithm should be hard to guess.

It would be quite simple to implement a complex algorithm in the
software. Therefore, I think that it might be simpler - for the
same car - to use a "playback" attack, meaning that you simply have to
store correct seed/key pairs, and request seeds until you get one for
which you know the key.
This approach, however, implies that you store at least some 4,000-8,000
seed/key pairs... out of the total of 65536 available. It might work if
you could automate the seed/key retrieval process.

Just my 0.02 euros.
Stefan.

--- In opendiag@yahoogroups.com, "Tim" <tmarstei@y...> wrote:
> I'm trying to unlock an ISO 9141 Sagem MC1000 ECU (it uses the Siemens
> C167CR-LM). The "xx xx" in the listing below is what I'm trying to
> figure out. This appears to be a response based on a transform of
> the "yy yy" in the previous line, that the sw must give to the ECU to
> unlock it.
> sw - is my software
> ecu - ecu response
>
> The sequence is as follows:
>
> sw - 82 D5 F5 27 85 F8 initiate security sequence
> ecu - 84 F5 D5 67 85 yy yy CS seed
> sw - 84 D5 F5 27 86 xx xx CS key response to seed
> ecu - 82 F5 D5 67 86 39
>
> yyyy/xxxx is a key/sendkey pair described in section 6.3 of 14230-3s.pdf
>
> http://pcm.dxsoftware.com/public/14230-3s.pdf
>
> Any ideas where to start? I have several correct seed/key pairs.
>
> I've tried the simple stuff like add, sub, mult, and, or, xor with no
> common value. I messed around with some basic CRC algorithms but
> again nothing.
>
> Thanks,
> Tim

Received on Wed Sep 10 03:18:41 2003
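The following is an added worked example, not code from either poster. It frames the SecurityAccess exchange exactly as it appears in Tim's capture (KWP2000 / ISO 14230-3: format byte 0x8N with the payload length in the low six bits, target and source address, service 0x27 with sub-functions 0x85 / 0x86, and an 8-bit sum checksum, which is why `82 D5 F5 27 85` is followed by `F8`), and then runs Stefan's "playback" strategy against a simulated ECU: keep requesting seeds, answer only when the seed is in a table of sniffed pairs, never send a guessed key. The ECU's key derivation, the harvested table and the random seeds are all constructed for the simulation; the real Sagem/Siemens transform is unknown in the thread and nothing here claims to be it.

```python
"""KWP2000 (ISO 14230-3) SecurityAccess framing and the seed-table replay.
The SimulatedEcu key function is an arbitrary stand-in, NOT the real one."""
import random
from typing import Dict, Optional, Tuple

TESTER, ECU = 0xF5, 0xD5                     # addresses from the capture
SID_SECURITY_ACCESS = 0x27
SUB_REQUEST_SEED, SUB_SEND_KEY = 0x85, 0x86  # sub-functions from the capture
NR_INVALID_KEY = 0x35                        # ISO 14230-3 negative response code
SEED_SPACE = 0xFFFF                          # seeds 1..65535; 0 means "already unlocked"


def checksum(body: bytes) -> int:
    """8-bit sum of every preceding byte (82+D5+F5+27+85 = F8 in the capture)."""
    return sum(body) & 0xFF


def build_frame(target: int, source: int, payload: bytes) -> bytes:
    """Format byte 0x80|len: address header present, length in the low 6 bits."""
    if not 1 <= len(payload) <= 63:
        raise ValueError("payload length must fit in 6 bits")
    body = bytes([0x80 | len(payload), target, source]) + payload
    return body + bytes([checksum(body)])


def parse_frame(frame: bytes) -> Tuple[int, int, bytes]:
    """Validate header, length and checksum; return (target, source, payload)."""
    if len(frame) < 5 or frame[0] & 0xC0 != 0x80:
        raise ValueError("not a KWP2000 frame with address header")
    if len(frame) != 3 + (frame[0] & 0x3F) + 1:
        raise ValueError("length field does not match frame size")
    if checksum(frame[:-1]) != frame[-1]:
        raise ValueError("checksum mismatch")
    return frame[1], frame[2], bytes(frame[3:-1])


class SimulatedEcu:
    """Stand-in ECU: fresh random seed per request, one key attempt per seed."""

    def __init__(self, rng_seed: int):
        self.rng, self.pending_seed, self.unlocked = random.Random(rng_seed), None, False

    @staticmethod
    def secret_key(seed: int) -> int:
        return ((seed * 0x3D6F) ^ 0xA5C3) & 0xFFFF   # made up for the simulation

    def handle(self, frame: bytes) -> bytes:
        target, _, p = parse_frame(frame)
        if (target != ECU or len(p) < 2 or p[0] != SID_SECURITY_ACCESS
                or p[1] not in (SUB_REQUEST_SEED, SUB_SEND_KEY)):
            resp = bytes([0x7F, p[0], 0x12])          # subFunctionNotSupported
        elif p[1] == SUB_REQUEST_SEED:
            self.pending_seed = self.rng.randrange(1, SEED_SPACE + 1)
            resp = bytes([0x67, p[1]]) + self.pending_seed.to_bytes(2, "big")
        else:
            key = int.from_bytes(p[2:4], "big")
            if self.pending_seed is not None and key == self.secret_key(self.pending_seed):
                self.unlocked, resp = True, bytes([0x67, p[1]])
            else:
                resp = bytes([0x7F, SID_SECURITY_ACCESS, NR_INVALID_KEY])
            self.pending_seed = None                   # a seed is good for one try only
        return build_frame(TESTER, ECU, resp)


def request_seed(ecu: SimulatedEcu) -> int:
    """sw -> 82 D5 F5 27 85 F8 ; ecu -> 84 F5 D5 67 85 yy yy CS"""
    _, _, p = parse_frame(ecu.handle(build_frame(ECU, TESTER, bytes([SID_SECURITY_ACCESS, SUB_REQUEST_SEED]))))
    return int.from_bytes(p[2:4], "big")


def send_key(ecu: SimulatedEcu, key: int) -> bytes:
    """sw -> 84 D5 F5 27 86 xx xx CS ; returns the ECU's response payload."""
    req = build_frame(ECU, TESTER, bytes([SID_SECURITY_ACCESS, SUB_SEND_KEY]) + key.to_bytes(2, "big"))
    return parse_frame(ecu.handle(req))[2]


def harvest_pairs(n: int, rng_seed: int) -> Dict[int, int]:
    """Stand-in for sniffing n correct seed/key pairs from the legitimate tool."""
    seeds = random.Random(rng_seed).sample(range(1, SEED_SPACE + 1), n)
    return {s: SimulatedEcu.secret_key(s) for s in seeds}


def expected_requests(known: int, space: int = SEED_SPACE) -> float:
    """Mean seed requests until a known seed shows up (geometric, p = known/space)."""
    return space / known


def replay_unlock(ecu: SimulatedEcu, known: Dict[int, int], max_requests: int) -> Optional[Tuple[int, int]]:
    """Stefan's playback: request seeds, answer only when the key is already known."""
    for attempt in range(1, max_requests + 1):
        seed = request_seed(ecu)
        if seed not in known:
            continue                                   # unknown seed: ask again, never guess
        if send_key(ecu, known[seed])[0] == 0x67:
            return attempt, seed                       # (requests needed, seed used)
    return None


if __name__ == "__main__":
    table = harvest_pairs(8000, rng_seed=7)
    print("expected requests with 8000 pairs:", round(expected_requests(8000), 1))
    print("result:", replay_unlock(SimulatedEcu(42), table, max_requests=500))
```

The attack only ever sends keys it has seen work, so it never trips an invalid-key counter; the cost is purely the number of seed requests, which is geometric with mean 65535/known (about 8 requests for 8,000 stored pairs, about 16 for 4,000). Two things to verify on real hardware before relying on this: that the ECU actually issues a fresh seed on each 27 85 request rather than repeating the last one until a key is sent, and that there is no delay or lockout on repeated seed requests alone.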
