Vida CEM swapping

[aaivar]

DHA work in EEprom data and make new keys , change lost synh

[vtl]

DHA work in EEprom data and make new keys , change lost synh

Do you know where EEPROM encryption key is located in the flash dump?

[RickHaleParker]

What car is it? Also is it sending the message over CAN HS? CEM has ECU id 0x40 on CAN LS.

It is a CEM-L out of a 2006 V70 on the bench. Things where getting squirrely ... I'll look into this later.

Might have something for you later. I was experimenting with your new code. I ran it with CALC_BYTES = 6 and it almost got all six. That is with B3 - B5 the correct weights where making the shortlist up to a point. I have not ran through all the data yet but at first glance it look like if you select B0 - B2 by latency then B3 - B5 by lowest STD it would get all six correct.

[vtl]

Might have something for you later. I was experimenting with your new code. I ran it with CALC_BYTES = 6 and it almost got all six. That is with B3 - B5 the correct weights where making the shortlist up to a point. I have not ran through all the data yet but at first glance it look like if you select B0 - B2 by latency then B3 - B5 by lowest STD it would get all six correct.

Max CALC_BYTES is 4, or you'll be getting array access that is out of boundary. The algo uses +1 and +2 pin positions while it assesses latency, so it can't do more than 4 positions.

[vtl]

If it is able to find B0-B2 reliably, it would only take up to ~11 minutes to brute force the rest. Good enough already.

[RickHaleParker]

If it is able to find B0-B2 reliably, it would only take up to ~11 minutes to brute force the rest. Good enough already.

Ran it again with CALC_BYTES 4 & CALC_BYTES 6. It is unreliable. Stick with CALC_BYTES 3 .

[RickHaleParker]

If the PIN is 85 20 47 55 20 00 and the shuffle order is 3 1 5 0 2 4 should the detection order be 55 20 20 -- -- -- not 55 20 00 -- -- -- ?

85 20 47 55 20 00
03 01 05 00 02 04
------------------------
55 20 20 85 00 47

Anybody got an answer for this?
Detection order is 55 20 00 -- -- -- and it works.
Did I doing something wrong when I shuffled them above?

[vtl]

If the PIN is 85 20 47 55 20 00 and the shuffle order is 3 1 5 0 2 4 should the detection order be 55 20 20 -- -- -- not 55 20 00 -- -- -- ?

85 20 47 55 20 00
03 01 05 00 02 04
------------------------
55 20 20 85 00 47

Anybody got an answer for this?
Detection order is 55 20 00 -- -- -- and it works.
Did I doing something wrong when I shuffled them above?

You are doing it in reverse: shuffling CAN/transport bytes to get in-flash bytes. Should do in reverse, the algo searches the in-flash bytes.

Code: Select all

85 20 47 55 20 00 <- what you send over CAN
0  1  2  3  4  5

55 20 00 85 47 20 <- how it looks like in flash
3  1  5  0  2  4

[aaivar]

DHA work in EEprom data and make new keys , change lost synh

Do you know where EEPROM encryption key is located in the flash dump?

yes

[RickHaleParker]

You are doing it in reverse: shuffling CAN/transport bytes to get in-flash bytes. Should do in reverse, the algo searches the in-flash bytes.

I forgot you consider what is send over the Com line in order ( decrypted ) and what is in flash shuffled ( encrypted ).
The way I think is you encrypt to send and decrypt to use. That is what got me inverted.

85 20 47 55 20 00
00 01 02 03 04 05
------------------------
55 20 00 85 47 20
03 01 05 00 02 04