Seed key brute force program.

Chad
Posts: 1
Joined: Thu Jul 01, 2021 3:11 pm
cars: vx ss turbo ls1...ve gts ls3 eseries2 ve ssv z series

Re: Seed key brute force program.

Post by Chad »

ironduke wrote:Posting up some code I wrote, looking for people to test it for me, make it crash, tell me what I did wrong..

I wrote this for E38 ECUs but I believe it will work on any GM ECU with a 2 byte seed/key and with a 10 second timeout between tries..

Yes it could take up to 7 days, but hey, some of us have benches and nice power supplies so it runs in the background and does its thing..

If you have a different ECU and know the key please give this a whirl for me, you can start the key attempts close to the known key so it doesn't run forever and see how it works..

Wrote it to work with J2534 devices besides the GM mdi but that's all I have to test with..
ECU.BruteForcer.0.0.4.7z
skipped a few..
Was wondering mate, what program or app will the brute forcer work with? When I download it on my laptop it asks to search for an app to open it. Can you shed any light on this bud? Cheers
ECU.BruteForcer.0.0.7.7z
Made some revisions on connection and making sure I added bytes to send a full 12 bytes. Member had trouble with an E67
ECU.BruteForcer.0.0.8.7z
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Seed key brute force program.

Post by ironduke »

https://www.7-zip.org/

That file is just compressed using a freeware file compression software, once downloaded you unzip/unpack it and then run it.
craven_pwr
Posts: 8
Joined: Thu Feb 04, 2021 4:36 am
cars: Mercedes, corvette

Re: Seed key brute force program.

Post by craven_pwr »

Can I use a J2534 to use this program.. I've got an Autel Pro.. ?

Thanks
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Seed key brute force program.

Post by antus »

ironduke wrote:
Gatecrasher wrote:The SD card has the main MDI operating software. The onboard memory is only the initial bootloader and recovery kernel. It's like the difference between your BIOS and your main OS on your desktop.

I've been wondering something about these brute force programs. Pretty much all of the algorithms are known, right? So why do we need to do a brute force of the full key space? Why not just run the seed through the known algos and at least try those first before moving on to a true brute force attack? I had to do exactly this on a video processing module recently. The damn thing had to be allowed to go into a soft power off after every 2nd attempt, or else it would just keep throwing an 'exceeded number of attempts' error. I think it ended up working out to around 30 seconds per key. It would have taken a couple of weeks at that rate. So I ran the seed through the algos and came up with a list of ~512 possibilities. Had my key in a couple hours.
That could be something to try first.. but I have needed it because I borked writing the bin.. Key was nowhere near one of the known algos.. And if it was locked with a key on purpose it wouldn't be one of the known algos..
^^ This. Tuners (typically dodgy ones with something to hide) usually use the tunerlock functions of aftermarket software that set the key to something that can't be calculated with standard algos. In the case of VPW PCMs you can short a couple of pins to corrupt the boot process and force recovery mode with no security, or you can use a tool like this.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Seed key brute force program.

Post by ironduke »

craven_pwr wrote:Can I use a J2534 to use this program.. I've got an Autel Pro.. ?

Thanks
It should work, that being said give it a go and report back. Also let us know what ECU you're trying it with, whether it works or not, etc..
craven_pwr
Posts: 8
Joined: Thu Feb 04, 2021 4:36 am
cars: Mercedes, corvette

Re: Seed key brute force program.

Post by craven_pwr »

Failed to unlock using 0408 with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 0409 with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040A with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040B with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040C with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040D with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040E with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040F with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 0410 with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 0411 with response of 7F2736AAAAAAAA

I'm trying to unlock an E38 using an Autel Pro J2534 adapter.
This is what I'm getting when the program is running.
Does this look like a normal response?
I want to make sure that it is actually working on trying to unlock.

thanks
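The lines quoted above have two pieces of information worth checking before letting a run go on for days: the response bytes and the seed. A response that starts with 7F is a negative response (7F, the service that was refused, then a negative response code), and the third byte says why the ECU refused. The following is an added example, not part of this thread and not the brute forcer's own code: it parses log lines of the shape shown above and labels the code using the ISO 14229 (UDS) table for SecurityAccess (0x27), which is an assumption here since an OEM implementation may use its own mapping. The log-line format is inferred from the quoted output, and the sample log is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the tool output quoted in the post above:
# one "Failed to unlock" line per attempt, one "Recieved ... as seed" line between attempts.
SAMPLE_LOG = """\
Failed to unlock using 0408 with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 0409 with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040A with response of 7F2736AAAAAAAA
"""

# Negative response codes from ISO 14229 that a SecurityAccess (0x27) request can return.
# Assumption: the ECU follows the standard table; a manufacturer-specific stack may differ.
NRC_NAMES = {
    0x12: "subFunctionNotSupported",
    0x13: "incorrectMessageLengthOrInvalidFormat",
    0x22: "conditionsNotCorrect",
    0x24: "requestSequenceError",
    0x35: "invalidKey",
    0x36: "exceedNumberOfAttempts",
    0x37: "requiredTimeDelayNotExpired",
}

FAIL_RE = re.compile(r"Failed to unlock using ([0-9A-Fa-f]{4}) with response of ([0-9A-Fa-f]+)")
SEED_RE = re.compile(r"Recieved ([0-9A-Fa-f]{4}) as seed")  # spelling as printed by the tool


@dataclass
class Attempt:
    key: int                 # 16-bit key that was tried
    seed: Optional[int]      # most recent seed seen before this attempt (None if not logged yet)
    service: Optional[int]   # refused service id, e.g. 0x27, for a negative response
    nrc: Optional[int]       # negative response code, or None for a non-negative response
    nrc_name: str


def decode_response(hex_bytes: str):
    """Split a response hex string into (service, nrc, name).

    A negative response is 7F <service> <nrc> followed by padding (the AA bytes
    in the quoted log). Anything else is reported as not a negative response.
    """
    data = bytes.fromhex(hex_bytes)
    if len(data) >= 3 and data[0] == 0x7F:
        return data[1], data[2], NRC_NAMES.get(data[2], f"unknown(0x{data[2]:02X})")
    return None, None, "not a negative response"


def parse_log(text: str) -> List[Attempt]:
    """Turn the tool's log lines into Attempt records, carrying the last seed forward."""
    attempts: List[Attempt] = []
    last_seed: Optional[int] = None
    for line in text.splitlines():
        m = SEED_RE.search(line)
        if m:
            last_seed = int(m.group(1), 16)
            continue
        m = FAIL_RE.search(line)
        if m:
            service, nrc, name = decode_response(m.group(2))
            attempts.append(Attempt(int(m.group(1), 16), last_seed, service, nrc, name))
    return attempts


def summarize(attempts: List[Attempt]) -> dict:
    """Flags worth looking at before leaving a run unattended.

    static_seed: the ECU handed out the same seed every time, so the key is effectively a
                 fixed password rather than a per-session challenge.
    nrcs:        the distinct reasons the ECU gave for refusing; 0x35 means each key is
                 being evaluated, 0x36/0x37 mean the ECU is refusing before evaluating it.
    """
    seeds = {a.seed for a in attempts if a.seed is not None}
    nrcs = sorted({a.nrc for a in attempts if a.nrc is not None})
    return {
        "attempts": len(attempts),
        "static_seed": len(seeds) == 1,
        "nrcs": nrcs,
        "nrc_names": [NRC_NAMES.get(n, f"unknown(0x{n:02X})") for n in nrcs],
    }


if __name__ == "__main__":
    for a in parse_log(SAMPLE_LOG):
        seed = f"{a.seed:04X}" if a.seed is not None else "----"
        print(f"seed {seed} key {a.key:04X} -> {a.nrc_name}")
    print(summarize(parse_log(SAMPLE_LOG)))
```

Two things this makes visible in the quoted run: the seed never changes (3A9C every time), and every refusal carries the same code. Under the ISO 14229 table a 0x35 would mean "invalidKey, try the next one", while 0x36 and 0x37 mean the ECU is rejecting requests because of the attempt counter or the delay timer, so a run that only ever produces those codes is not actually testing keys. From a design standpoint, a fresh random seed per session plus the enforced delay are what make a 16-bit key survivable at all; a static seed turns the whole seed/key exchange into a 65536-entry password.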
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Seed key brute force program.

Post by ironduke »

Yeah Craven, that looks right.. Unless you select differently it starts at 0000 and goes all the way to ffff (65535 combinations) at 10 seconds apart it could take up to 7 days.. It's not fast by any means.

Is it tuner-locked or bricked or messed up somehow? 0x6e66 should be the key if it's not modified or bricked or anything.. A few times when I messed up, the seed was the same as the key, another time 0000 was the key.. This was all doing stupid things to the ECU..
craven_pwr
Posts: 8
Joined: Thu Feb 04, 2021 4:36 am
cars: Mercedes, corvette

Re: Seed key brute force program.

Post by craven_pwr »

It's a used stock ECU from a junk yard.. I can get into it using my diag tools and read IDs and fault codes.. so I'm assuming that everything else is ok..

I tried the 6E66 key and it worked like a champ...
thank you very much
Do you know of any open source software that will allow me to read out these ECUs?
ironduke
Posts: 579
Joined: Thu Feb 13, 2020 11:32 pm
cars: Mainly GM trucks, a Cruze and an Equinox for dailys..

Re: Seed key brute force program.

Post by ironduke »

craven_pwr wrote:It's a used stock ECU from a junk yard.. I can get into it using my diag tools and read IDs and fault codes.. so I'm assuming that everything else is ok..

I tried the 6E66 key and it worked like a champ...
thank you very much
Do you know of any open source software that will allow me to read out these ECUs?
PowerPcm flasher here in the forum written by Daniel will read it and write calibration files to it.. As of yet it does not write OS files to it. It'll definitely get you started unless you need to change the OS.
viewtopic.php?f=3&t=6666&hilit=powerpcm

Tazzy here on this forum has another piece of software he's working on but he's all set for beta testers so you'll have to wait for it to be finished and on his website for purchase or another round of beta testing to volunteer.. There's a lot of pages in that topic and some very neat info!!!
viewtopic.php?f=26&t=6416
julespatch
Posts: 159
Joined: Fri Aug 25, 2017 5:28 pm
cars: liberty gen 5
Location: Adelaide

Re: Seed key brute force program.

Post by julespatch »

ironduke wrote:Yeah Craven, that looks right.. Unless you select differently it starts at 0000 and goes all the way to ffff (65535 combinations) at 10 seconds apart it could take up to 7 days.. It's not fast by any means.

Is it tuner-locked or bricked or messed up somehow? 0x6e66 should be the key if it's not modified or bricked or anything.. A few times when I messed up, the seed was the same as the key, another time 0000 was the key.. This was all doing stupid things to the ECU..
From memory a few of the scrambled E38s I've had worked with 1000 as the key. Just flash a full file in with that and it's back.