Vida CEM swapping

[fmobile]

I haven't touched the code for over a year. It was Mark Dapoz.

OK

[ricked]

Does anyone have some instructions about the P3 bench setup? It would be a great way to start playing with the code and setup?

P3 on the bench .. Follow this link and get a EWD ( Electrical Wiring Diagram ). See if you can figure it out.

It's in VIDA, in information section, under cables and fuses.

sorry to dig up this old post but i have indeed the p3 cem like in picture and scrip cant find the part number and stops
the question is what is "Teensy loaded with VTL's P3 branch. Do not use the Main branch" there is no P3 in the script or on github

also this type uses 10 digit pin code not 12

edit:
i think i found it but script still dont have P3 in it and pin code is 6 bites instead of 5

this cem is with a R32C processors R5F64524 with pin in d-flash at 0x0
problem is that i found now 3 difference pcb's but the one i have i can not read eee, Dflash and flash to extract pin from Dflash

[vtl]

sorry to dig up this old post but i have indeed the p3 cem like in picture and scrip cant find the part number and stops
the question is what is "Teensy loaded with VTL's P3 branch. Do not use the Main branch" there is no P3 in the script or on github

Untitled.png (102.53 KiB) Viewed 1083 times

[ricked]

thanks vtl but this script extracts pin code is 6 bites instead of 5, i did not try it yet but does it work you think, also i did edit the above post just before your reply

[vtl]

thanks vtl but this script extracts pin code is 6 bites instead of 5, i did not try it yet but does it work you think, also i did edit the above post just before your reply

Use the p3 branch: https://raw.githubusercontent.com/vtl/v ... racker.ino

[ricked]

thanks vtl but this script extracts pin code is 6 bites instead of 5, i did not try it yet but does it work you think, also i did edit the above post just before your reply

Use the p3 branch: https://raw.githubusercontent.com/vtl/v ... racker.ino

thanks, i will try it tomorrow and post results

[ricked]

well i did try but after 2x 5 hours i get "hash collision found" both times

any suggestions?

[vtl]

well i did try but after 2x 5 hours i get "hash collision found" both times

any suggestions?

00 00 bb e2 b0 is your PIN code. If your software can't accept HEX numbers you can feed it any DEC pin generated by utils/seed-gen. To give you a few:

Code: Select all

$ ./seed-gen --seed "a5 39 17" --key "da b5 46"
Searching all hash collisions for SEED a5 39 17, KEY da b5 46 at 866 tries per second
   8.07 hrs [      1] PIN 00 25 15 71 83
   8.91 hrs [      2] PIN 00 27 77 87 35
  11.26 hrs [      3] PIN 00 35 10 63 91
  12.10 hrs [      4] PIN 00 37 72 95 27
  14.94 hrs [      5] PIN 00 46 58 90 02
  15.67 hrs [      6] PIN 00 48 85 33 61
  18.86 hrs [      7] PIN 00 58 80 21 73
  20.63 hrs [      8] PIN 00 64 30 42 90
  23.85 hrs [      9] PIN 00 74 35 50 82
  25.96 hrs [     10] PIN 00 80 93 72 20
  28.08 hrs [     11] PIN 00 87 55 33 81
  29.18 hrs [     12] PIN 00 90 96 60 32
  31.27 hrs [     13] PIN 00 97 50 21 93
  36.24 hrs [     14] PIN 01 12 99 10 79
  40.84 hrs [     15] PIN 01 27 32 91 58
  65.31 hrs [     16] PIN 02 03 62 43 87
  68.54 hrs [     17] PIN 02 13 67 51 95
  77.06 hrs [     18] PIN 02 40 25 86 22
  77.78 hrs [     19] PIN 02 42 47 70 94
  78.85 hrs [     20] PIN 02 45 81 31 35
  80.26 hrs [     21] PIN 02 50 20 94 30
  80.97 hrs [     22] PIN 02 52 42 62 86
  82.06 hrs [     23] PIN 02 55 84 23 27
 106.55 hrs [     24] PIN 03 32 19 18 87
^C

[ricked]

"00 00 bb e2 b0" is pincode after that sorry to say i have realy no clue what your talking about..
and indeed i need a 10 digit pin to give in the software

also feed to what, is there a other calc/ script to use to decrypt "00 00 bb e2 b0" ?

i did think that there was a real pincode like in the P1/P2 script not a HEX feedback that also needs to be decrypted

please point me in the right direction to decode this HEX "00 00 bb e2 b0"

thanks

[rkam]

P3 doesn't use a visible PIN code sent over CAN bus like the older ones.

First the controller sends a random seed number to you
Then your software uses a pin code and a calculation algorithm to calculate a key for that specific seed number.
Next your software sends that key back to the controller.
The controller will then do the same with its built in pin code and algorithm, and check that your key matches.

There are 65536 different pin codes that will give the correct key. The cracker is using the first one that starts with 00 00.
One of them is stored in your controller, but the cracker doesn't know which one, and it doesn't really matter.

If your software can send pin codes in HEX numbers, then you can used the pin found by the cracker.
But if your software require a pin code with only numbers 0-9, then you need to find a pin code with just numbers.

VTL points you to a tool that can take a matching pair of seed and key, and calculate different working pin codes with just numbers.
He has also already calculated 24 different working pin codes for you with that tool, based on your matching pair of seed and key.

Note:
The explanation of hex and numbers above is not fully correct.
If the cracker finds a pin code including a number like BB in hex. That is 187 in decimal numbers.
A pin code with numbers like 77 is also a hex number, but it contains only 0-9 and not 0-F. 77 in hex is 119 in decimal.
HEX is practial because a byte (0-255) can be written as two digits/letters (00-FF)