Seed key brute force program.

Vampyre
Posts: 261
Joined: Wed Dec 06, 2017 1:02 pm
cars: grand am, trans am

Re: Seed key brute force program.

Post by Vampyre »

So you think this would work for, say, BCM, IPC or other modules I'd like to play with? Hmmmmm. It would at least get me started on reading them out or programming custom bins to them. :)
In-Tech
Posts: 778
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: Seed key brute force program.

Post by In-Tech »

I've mentioned elsewhere about a no-rom call dumper I made years ago for 8 bit stuff. All I would need to make it work on this stuff is the hardware register byte location/number of the I/O register. I can assemble a bs vb app pretty quick. Hoping to help :)
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Seed key brute force program.

Post by ironduke »

In-Tech wrote:I've mentioned elsewhere about a no-rom call dumper I made years ago for 8 bit stuff. All I would need to make it work on this stuff is the hardware register byte location/number of the I/O register. I can assemble a bs vb app pretty quick. Hoping to help :)
I'd love to hear more about this no-rom dumper?
In-Tech
Posts: 778
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: Seed key brute force program.

Post by In-Tech »

Code:

AD 38 4A AD 1F 26 FB 71 80 92 C6 8E 20 04 30 00 9D 9D AD 26 3C 8F 26 F1 3C 8E 26 ED 3C 8A A6 80 B7 8E 20 E5 B7 52 A6 F0 4A 26 FD B6 52 81 9D 9D 9D 9D 9D 9D 9D 9B A6 55 20 C6 B7 52 4F AD E9 AE 0A 43 11 00 AD DE 20 00 10 00 AD D8 98 25 04 11 00 20 04 10 00 20 00 AD CB 48 5A 26 F0 10 00 81

0080: AD38        bsr     $00BA		;Branch to subroutine at 00BA
0082: 4A          deca			;
0083: AD1F        bsr     $00A4		;
0085: 26FB        bne     $0082		;
0087: 7180				;Set Page to 80
0089: 92C68E      lda     [$8Eh.w]	;
008C: 2004        bra     $0092		;
008E: 3000        neg     $00		;
0090: 9D          nop			;
0091: 9D          nop			;
0092: AD26        bsr     $00BA		;
0094: 3C8F        inc     $8F		;
0096: 26F1        bne     $0089		;
0098: 3C8E        inc     $8E		;
009A: 26ED        bne     $0089		;
009C: 3C8A        inc     $8A		;
009E: A680        lda     #$80		;
00A0: B78E        sta     $8E		;
00A2: 20E5        bra     $0089		;
00A4: B752        sta     $52		;
00A6: A6F0        lda     #$F0		;
00A8: 4A          deca			;
00A9: 26FD        bne     $00A8		;
00AB: B652        lda     $52		;
00AD: 81          rts			;
00AE: 9D          nop			;
00AF: 9D          nop			;
00B0: 9D          nop			;
00B1: 9D          nop			;
00B2: 9D          nop			;
00B3: 9D          nop			;
00B4: 9D          nop			;
00B5: 9B          sei			;
00B6: A655        lda     #$55		;
00B8: 20C6        bra     $0080		;
00BA: B752        sta     $52		;
00BC: 4F          clra			;
00BD: ADE9        bsr     $00A8		;
00BF: AE0A        ldx     #$0A		;
00C1: 43          coma			;
00C2: 1100        bclr0   $00		;
00C4: ADDE        bsr     $00A4		;
00C6: 2000        bra     $00C8		;
00C8: 1000        bset0   $00		;
00CA: ADD8        bsr     $00A4		;
00CC: 98          clc			;
00CD: 2504        bcs     $00D3		;
00CF: 1100        bclr0   $00		;
00D1: 2004        bra     $00D7		;
00D3: 1000        bset0   $00		;
00D5: 2000        bra     $00D7		;
00D7: ADCB        bsr     $00A4		;
00D9: 48          asla			;
00DA: 5A          decx			;
00DB: 26F0        bne     $00CD		;
00DD: 1000        bset0   $00		;
00DF: 81          rts			;
I have a commented version around here somewhere; I'll see if I can find it. The I/O register is at 52 in this example, IIRC, and it just dumps with a bit toggle starting at address 3000. It was loaded to RAM via a fake packet (erased from this example) at address 0080, then the micro was glitched to land and execute. :punk:

Here is a sample instruction set
6805 instruction set.doc (56.5 KiB)
In-Tech
Posts: 778
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: Seed key brute force program.

Post by In-Tech »

If anyone is wondering why there are jumps all over the place and the NOPs, it was to get the timing in range so it would work with all the built-in clock jitter that was used in this particular application. The "ticks" were critical. Also, figuring out the landing pad was a PITA. My initial "fake" packets were used with a loop strategy so I could guesstimate landing pad glitch attacks. :)
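For readers following the listing, here is an added example (the editor's code, not In-Tech's and not part of the original post) that models the dump stub as I read it and decodes a capture of its output on the host side. My reading of the $00BA routine is: the pin (bit 0 of $00) goes low, then high, then the bit loop sends one fixed low, the eight bits of the COMA-complemented byte MSB-first, one more fixed low, and the final bset0 leaves the pin high; the $0089 loop feeds it one byte at a time through the $8E/$8F pointer. That reading assumes the byte parked at $52 reads back unchanged through the delay subroutine. The sampling model, the jitter and the memory image are constructed for the example, and the decoder times each frame from its own falling edge so per-bit jitter does not accumulate across frames.

```python
"""Model of a single-pin bit-bang memory dump and a host-side decoder for a
logic-analyser capture of it. Editor's example: the 13-bit frame layout is my
reading of the posted $00BA routine, not the author's documentation."""
import random
from typing import List, Tuple

PREAMBLE = (0, 1, 0)   # bclr0 / bset0 / first loop pass with carry cleared by CLC
TRAILER = (0, 1)       # ninth shifted-out bit (always 0) / final bset0 leaves pin high
FRAME_BITS = len(PREAMBLE) + 8 + len(TRAILER)   # 13 bit-times per byte


def encode_byte(value: int) -> List[int]:
    """Pin level per bit-time for one byte as the stub's loop would emit it:
    COMA complements the byte before ASLA shifts it MSB-first into the carry."""
    inverted = ~value & 0xFF
    data_bits = [(inverted >> (7 - i)) & 1 for i in range(8)]
    return list(PREAMBLE) + data_bits + list(TRAILER)


def emit_dump(memory: bytes, idle_bits: int = 3) -> List[int]:
    """Walk a memory image byte by byte as the $0089 loop does, leaving the pin
    high between frames for the time the pointer increment and fetch take."""
    levels = [1] * idle_bits
    for b in memory:
        levels += encode_byte(b) + [1] * idle_bits
    return levels


def oversample(levels: List[int], samples_per_bit: int, jitter: int = 0,
               seed: int = 1) -> List[int]:
    """Turn bit-times into analyser samples; each bit-time is stretched by up to
    +/- `jitter` samples to mimic clock jitter (constructed, deterministic)."""
    rng = random.Random(seed)
    out: List[int] = []
    for level in levels:
        out += [level] * (samples_per_bit + rng.randint(-jitter, jitter))
    return out


def decode_capture(samples: List[int], samples_per_bit: int) -> Tuple[bytes, int]:
    """Recover bytes from a capture. Each frame is timed from its own falling
    edge and sampled at bit centres. Returns (bytes, frames rejected because
    the fixed preamble/trailer bits did not match)."""
    out = bytearray()
    rejected = 0
    half = samples_per_bit // 2
    i, n = 0, len(samples)
    while i < n:
        if samples[i] == 1:              # idle or inter-frame high
            i += 1
            continue
        centres = [i + k * samples_per_bit + half for k in range(FRAME_BITS)]
        if centres[-1] >= n:             # truncated frame at end of capture
            break
        bits = [samples[c] for c in centres]
        if tuple(bits[:len(PREAMBLE)]) != PREAMBLE or tuple(bits[-len(TRAILER):]) != TRAILER:
            rejected += 1
            while i < n and samples[i] == 0:   # resync at the next rising edge
                i += 1
            continue
        value = 0
        for bit in bits[len(PREAMBLE):len(PREAMBLE) + 8]:
            value = (value << 1) | bit
        out.append(~value & 0xFF)        # undo the COMA
        i = centres[-1] + half           # step past the frame's last bit-time
    return bytes(out), rejected


if __name__ == "__main__":
    image = bytes(range(0x30, 0x40)) + b"\x00\xff\x55\xaa"   # constructed memory image
    capture = oversample(emit_dump(image), samples_per_bit=32, jitter=1)
    data, bad = decode_capture(capture, samples_per_bit=32)
    print(data.hex(), "rejected frames:", bad)
```

With 32 samples per bit and one sample of jitter either way per bit-time, centre sampling stays inside the correct bit-time for all 13 bits of a frame, so the round trip is deterministic. On a real capture the samples-per-bit figure has to be measured from the low-high-low preamble first, and if the pin drives an inverting stage the complement step moves from the stub to the decoder.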
Overdrive915
Posts: 8
Joined: Mon Feb 24, 2020 7:13 pm
cars: G20 4X4 7.4 l gen 6

Re: Seed key brute force program.

Post by Overdrive915 »

Hi to all. I have tested this software and it works :D :D I have been battling to find some form of software to unlock an E38 and this works like a dream. I will be testing on a locked E38 that I do not know the code for and will let it run until I get the code. Will give feedback as soon as I get the code.
Thanks
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Seed key brute force program.

Post by ironduke »

Overdrive915 wrote:Hi to all. I have tested this software and it works :D :D I have been battling to find some form of software to unlock an E38 and this works like a dream. I will be testing on a locked E38 that I do not know the code for and will let it run until I get the code. Will give feedback as soon as I get the code.
Thanks
If you post the seed of an E38 we can give you the key, as long as it hasn't been locked by a tuner or semi-bricked. As in, if it's a regular unlock, we can get the key from the seed pretty easily.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Seed key brute force program.

Post by Tazzi »

In-Tech wrote:If anyone is wondering why there are jumps all over the place and the NOPs, it was to get the timing in range so it would work with all the built-in clock jitter that was used in this particular application. The "ticks" were critical. Also, figuring out the landing pad was a PITA. My initial "fake" packets were used with a loop strategy so I could guesstimate landing pad glitch attacks. :)
Can you explain what exactly that code is doing? A little bit lost as to what its purpose is :)
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Overdrive915
Posts: 8
Joined: Mon Feb 24, 2020 7:13 pm
cars: G20 4X4 7.4 l gen 6

Re: Seed key brute force program.

Post by Overdrive915 »

ironduke wrote:
Overdrive915 wrote:Hi to all. I have tested this software and it works :D :D I have been battling to find some form of software to unlock an E38 and this works like a dream. I will be testing on a locked E38 that I do not know the code for and will let it run until I get the code. Will give feedback as soon as I get the code.
Thanks
If you post the seed of an E38 we can give you the key, as long as it hasn't been locked by a tuner or semi-bricked. As in, if it's a regular unlock, we can get the key from the seed pretty easily.

It was locked by a tuner. I managed to get the key after 2 days.
Seed 27F6
Key 22F0
Checked that, and the standard key was supposed to be 810C. Now I am trying to reprogram with PowerPCM and it keeps going to 810C to program and tells me that it's not OK. Is there any way to change the key in PowerPCM to 22F0 so that I can get in to program?
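As an added example (the editor's code, not the brute-force program discussed in this thread and not PowerPCM), here is the skeleton of an exhaustive 16-bit key search with the two things a multi-day run needs: it waits out the module's reject delay instead of hammering, and it checkpoints its position tied to the seed so an interrupted run resumes where it stopped rather than starting over. The module is a constructed stand-in that accepts exactly one key for one seed and refuses attempts during a lockout; the seed/key pair 27F6/22F0 from the post above is used only as the simulated answer, and the 3-second reject delay is an assumption for illustration. At roughly 2.6 to 3 seconds per attempt the full 65536-key space takes about 47 to 55 hours, which is consistent with the 2 days reported. Nothing here speaks a real bus protocol.

```python
"""Exhaustive 16-bit seed/key search with lockout-aware pacing and a resumable
checkpoint. Editor's example: the module, timings and seed/key are constructed."""
import json
import os
import tempfile
from dataclasses import dataclass

KEY_SPACE = 0x10000        # 16-bit key, as in the seed/key pairs quoted above
CHECKPOINT_EVERY = 256     # keys tried between checkpoint writes


@dataclass
class SimulatedModule:
    """Constructed stand-in for the controller: one fixed seed, one accepted
    key, and a refusal window of `lockout_s` after each wrong key. Time is a
    simulated clock so a full run takes no wall-clock time."""
    seed: int
    key: int
    lockout_s: float
    now: float = 0.0
    locked_until: float = 0.0
    attempts: int = 0

    def request_seed(self) -> int:
        return self.seed

    def send_key(self, key: int) -> bool:
        if self.now < self.locked_until:
            raise RuntimeError("key sent during lockout; pacing is wrong")
        self.attempts += 1
        if key == self.key:
            return True
        self.locked_until = self.now + self.lockout_s
        return False

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def load_checkpoint(path: str):
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return json.load(f)


def brute_force(module, retry_delay_s: float, sleep, checkpoint_path: str,
                stop_after=None):
    """Try keys 0x0000..0xFFFF in order, resuming from the checkpoint when it
    belongs to the same seed. Returns (accepted key or None, keys tried this
    run). `stop_after` stands in for the job being killed part-way."""
    seed = module.request_seed()
    seed_tag = f"{seed:04X}"
    saved = load_checkpoint(checkpoint_path)
    # a saved position only means something for the seed it was searched against
    next_key = saved["next_key"] if saved and saved.get("seed") == seed_tag else 0
    tried = 0
    while next_key < KEY_SPACE:
        key = next_key
        next_key += 1
        tried += 1
        if module.send_key(key):
            return key, tried
        if next_key % CHECKPOINT_EVERY == 0:
            with open(checkpoint_path, "w") as f:
                json.dump({"seed": seed_tag, "next_key": next_key}, f)
        sleep(retry_delay_s)               # wait out the reject window
        if stop_after is not None and tried >= stop_after:
            return None, tried
    return None, tried


def worst_case_hours(retry_delay_s: float) -> float:
    """Upper bound on run time: every key once, one reject delay each."""
    return KEY_SPACE * retry_delay_s / 3600


def demo_run(lockout_s: float = 3, interrupt_after: int = 1000):
    """Run once, 'kill' it, resume from the checkpoint, and report
    (key from run 1, tried in run 1, resumed-from key, key from run 2,
    tried in run 2, total module attempts, simulated seconds elapsed)."""
    with tempfile.TemporaryDirectory() as d:
        cp = os.path.join(d, "seedkey.json")
        module = SimulatedModule(seed=0x27F6, key=0x22F0, lockout_s=lockout_s)
        key1, tried1 = brute_force(module, lockout_s, module.sleep, cp,
                                   stop_after=interrupt_after)
        resumed_from = load_checkpoint(cp)["next_key"]
        key2, tried2 = brute_force(module, lockout_s, module.sleep, cp)
    return key1, tried1, resumed_from, key2, tried2, module.attempts, module.now


if __name__ == "__main__":
    print(demo_run(), f"worst case {worst_case_hours(3):.1f} h")
```

The checkpoint interval trades a few repeated attempts after a crash against write frequency; 256 keys is about 13 minutes at 3 s per attempt. Against real hardware the `sleep` argument is the real clock and the module object is whatever transport the unlock tool uses, but the pacing and resume logic stay the same.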
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Seed key brute force program.

Post by ironduke »

Overdrive915 wrote:
ironduke wrote:
Overdrive915 wrote:Hi to all. I have tested this software and it works :D :D I have been battling to find some form of software to unlock an E38 and this works like a dream. I will be testing on a locked E38 that I do not know the code for and will let it run until I get the code. Will give feedback as soon as I get the code.
Thanks
If you post the seed of an E38 we can give you the key, as long as it hasn't been locked by a tuner or semi-bricked. As in, if it's a regular unlock, we can get the key from the seed pretty easily.

It was locked by a tuner. I managed to get the key after 2 days.
Seed 27F6
Key 22F0
Checked that, and the standard key was supposed to be 810C. Now I am trying to reprogram with PowerPCM and it keeps going to 810C to program and tells me that it's not OK. Is there any way to change the key in PowerPCM to 22F0 so that I can get in to program?
I've never used it, but you're supposed to be able to use the dropdown on the right where you would select E38 or E67, select the 0xffff entry, click that and type in the key you want to use. I would definitely suggest a read before writing. If it was tuner-locked then it was tuned, so I'd want a copy of that just in case.