
Vida CEM swapping

A mid-size luxury crossover SUV, the Volvo XC90 made its debut in 2002 at the Detroit Motor Show. Recognized for its safety, practicality, and comfort, the XC90 is a popular vehicle around the world. The XC90 proved to be very popular, and very good for Volvo's sales numbers, since its introduction in model year 2003 (North America). P2 platform.
charlie13
Posts: 46
Joined: 23 March 2022
Year and Model: 2009 XC70
Location: Krakow
Has thanked: 8 times
Been thanked: 18 times

Re: Vida CEM swapping

Post by charlie13 »

vtl wrote: 22 Apr 2022, 13:08
charlie13 wrote: 22 Apr 2022, 13:06 No
Oh, pardon, change p1 to count from 20.
Now great. Thank you.

charlie13
Posts: 46
Joined: 23 March 2022
Year and Model: 2009 XC70
Location: Krakow
Has thanked: 8 times
Been thanked: 18 times

Post by charlie13 »

What can be changed? It stops in the same place.
SEED 93 7d cb, PIN 00 21 86 25 71, KEY 4e aa cc, 445 pins/s
reply: 02 67 02 00 00 00 00 00
hash collision found
SEED 6c 8c c5, PIN 00 21 86 28 06, KEY ff ba cd, 235 pins/s
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00

vtl
Posts: 4727
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 606 times

Post by vtl »

charlie13 wrote: 23 Apr 2022, 05:19 What can be changed? It stops in the same place.
SEED 93 7d cb, PIN 00 21 86 25 71, KEY 4e aa cc, 445 pins/s
reply: 02 67 02 00 00 00 00 00
hash collision found
SEED 6c 8c c5, PIN 00 21 86 28 06, KEY ff ba cd, 235 pins/s
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
It is done. PIN is 00 21 86 28 06.

Power6
Posts: 14
Joined: 7 March 2022
Year and Model: 2019 S60
Location: MA
Has thanked: 1 time
Been thanked: 12 times

Post by Power6 »

Hey VTL, on P3 with seed/key, this is similar to SPA. How many PINs are you checking in the possible set? The SPA isn't limited to only BCD values within 5 bytes, but I've worked it down to only 3 bytes of unique PINs that are a single match for any possible seed/key. I implemented it in the brute force cracker I built to pull encrypted seed/key samples from VIDA logs; it will crack a PIN in less than a minute on a small Azure instance. PINMagic: https://spaycetech.azurewebsites.net/LogMagic.html

I did much testing against this algorithm to figure out the limitations. I still have 3 bytes of possibilities in the PIN, which is a problem for brute forcing against the CEM directly on the SPA: ECUs all have anti-hammering (timeout after 3 seed/key tries), so it is still far too long to check the ~17 million possibilities. But that beats the trillion or so possibilities of the full 40 byte PIN, so it's progress.

It seems online VIDA logs using DiCE contain the same captured seed/key info (need to run "Test Configuration" software), so I am going to update PINMagic to work on a DiCE log format when I have a little time. Needing to capture a good seed/key sucks, but it's awfully convenient if you are in the US and have VIDA available, have a DiCE/VOC and a laptop.

charlie13
Posts: 46
Joined: 23 March 2022
Year and Model: 2009 XC70
Location: Krakow
Has thanked: 8 times
Been thanked: 18 times

Post by charlie13 »

vtl wrote: 23 Apr 2022, 07:41
charlie13 wrote: 23 Apr 2022, 05:19 What can be changed? It stops in the same place.
SEED 93 7d cb, PIN 00 21 86 25 71, KEY 4e aa cc, 445 pins/s
reply: 02 67 02 00 00 00 00 00
hash collision found
SEED 6c 8c c5, PIN 00 21 86 28 06, KEY ff ba cd, 235 pins/s
Resetting all ECUs.
CAN_HS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
CAN_LS ---> ID=000ffffe data=ff c8 00 00 00 00 00 00
It is done. PIN is 00 21 86 28 06.
I didn't know how it works in P3; the first time I did it using a cracker. The pin works, but there are a few others that do. 1844518461 also works weird. Once again, thank you very much for your help.

vtl
Posts: 4727
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 606 times

Post by vtl »

charlie13 wrote: 23 Apr 2022, 10:09 I didn't know how it works in P3; the first time I did it using a cracker. The pin works, but there are a few others that do. 1844518461 also works weird. Once again, thank you very much for your help.
This is how a hash function works (in principle, not only in P3): it takes long argument(s) and reduces them to a short result. Because a part of the argument has to be lost, the hash produces the same result for multiple input arguments.

https://en.wikipedia.org/wiki/Hash_function

In the P3 case, there are about 600-700 PINs that produce the same hash result for the same SEED/KEY pair.
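Added example, not part of vtl's post and not the CEM algorithm: a counting argument for why several PINs pass one seed/key check. It assumes a well-mixing hash, uses truncated SHA-256 as a stand-in, and runs on a scaled-down space (5-digit PIN, 8-bit key); the seeds, the secret PIN and all function names are constructed for illustration.

```python
import hashlib

KEY_BITS_REAL = 24          # 3-byte KEY, as in the logs above
BCD_PIN_SPACE = 10 ** 10    # 5 bytes of BCD = 10 decimal digits

def expected_preimages(input_space: int, key_bits: int) -> float:
    """Average number of inputs mapped to each output by a well-mixing hash."""
    return input_space / (1 << key_bits)

def toy_key(seed: bytes, pin: int, key_bits: int) -> int:
    """Stand-in hash: truncated SHA-256. This is NOT the CEM algorithm."""
    digest = hashlib.sha256(seed + pin.to_bytes(5, "big")).digest()
    return int.from_bytes(digest[:3], "big") >> (24 - key_bits)

def matching_pins(seed: bytes, key: int, pin_space: int, key_bits: int) -> list[int]:
    """Every PIN in the space whose key equals `key` for this seed."""
    return [p for p in range(pin_space) if toy_key(seed, p, key_bits) == key]

def demo(secret_pin: int = 28_606, pin_space: int = 100_000, key_bits: int = 8):
    """Scaled-down model with constructed values: 5-digit PIN, 8-bit key."""
    seed_a, seed_b = b"\x01\x02\x03", b"\x0a\x0b\x0c"   # constructed seeds
    key_a = toy_key(seed_a, secret_pin, key_bits)
    key_b = toy_key(seed_b, secret_pin, key_bits)
    same_key_a = matching_pins(seed_a, key_a, pin_space, key_bits)
    # A colliding PIN is only equivalent for seed_a; a fresh seed rejects most.
    still_valid = [p for p in same_key_a if toy_key(seed_b, p, key_bits) == key_b]
    return same_key_a, still_valid

if __name__ == "__main__":
    estimate = expected_preimages(BCD_PIN_SPACE, KEY_BITS_REAL)
    print(f"real-size estimate: {estimate:.0f} PINs per seed/key pair")
    same_key_a, still_valid = demo()
    print(f"toy model: {len(same_key_a)} PINs share the key for one seed, "
          f"{len(still_valid)} of them also pass a second seed")
```

The uniform-hash estimate for 10 BCD digits against a 24-bit key is about 596 PINs per seed/key pair, close to the figure quoted above. A 3-byte response cannot bind a 10-digit secret uniquely, so the attempt limit Power6 mentions carries most of the protection.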

vtl
Posts: 4727
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 606 times

Post by vtl »

Power6 wrote: 23 Apr 2022, 08:29 Hey VTL, on P3 with seed/key, this is similar to SPA
Similar or the same? Working with a full range is not a problem, however does SPA use the exact same hash function?

RickHaleParker
Posts: 7129
Joined: 25 May 2015
Year and Model: See Signature below.
Location: Kansas
Has thanked: 8 times
Been thanked: 958 times

Post by RickHaleParker »

vtl wrote: 23 Apr 2022, 10:23 Similar or the same? Working with a full range is not a problem, however does SPA use the exact same hash function?
It is the same algorithm. Initialized with the same constant.

Are you 100% sure the PIN on the P3 needs to be BCD? I noticed your seed and keys are Hex.
⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙⸙
1998 C70, B5234T3, 16T, AW50-42, Bosch Motronic 4.4, Special Edition package.
2003 S40, B4204T3, 14T twin scroll AW55-50/51SN, Siemens EMS 2000.
2004 S60R, B8444S TF80 AWD. Yamaha V8 conversion
2005 XC90 T6 Executive, B6294T, 4T65 AWD, Bosch Motronic 7.0.

vtl
Posts: 4727
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 606 times

Post by vtl »

RickHaleParker wrote: 23 Apr 2022, 10:54 Are you 100% sure the PIN on the P3 needs to be BCD? I noticed your seed and keys are Hex.
For the hash function it does not matter, it works with the data in a binary form.

vtl
Posts: 4727
Joined: 16 August 2012
Year and Model: 2005 XC70
Location: Boston
Has thanked: 114 times
Been thanked: 606 times

Post by vtl »

vtl wrote: 23 Apr 2022, 11:02
RickHaleParker wrote: 23 Apr 2022, 10:54 Are you 100% sure the PIN on the P3 needs to be BCD? I noticed your seed and keys are Hex.
For the hash function it does not matter, it works with the data in a binary form.
Any real world examples of SPA pin + seed + key?
