Help on Security Access to Bosch0100

kornelio
Posts: 3
Joined: Sat Jun 02, 2018 4:42 pm

Help on Security Access to Bosch0100

Post by kornelio »

Hi all,
I'm looking for what kind of algorithm is being used to calculate the keys that allow access to reserved functions of the new DMAX Isuzu pickup.

The ecu data are:
End Model Part Number: 8983702321
Software Version Number: 2
Hardware Part Number: 8983337470
Sys. Supplier ID/ECU Hardware Number: BOSCH0100
Base Model Part Number: 10C0386E
Diagnostic Data Identifier: 2302
MEC: 0
Interchange Ability Number: 11BOSCH001
Ecu Address: 11
Bosch part number : 0 281 032 814

I collected some data from the communication between the diagnostic tool and the Bosch engine control unit.
The message flow is as follows:

Diag. Tool: 0x02 0x27 0x01 0x00 0x00 0x00 0x00 0x00 Request for security access
Ecu : 0x04 0x67 0x01 0xPh 0xPl 0xaa 0xaa 0xaa where 0x04 is the length of the message, 0x67 = 0x27+0x40, Ph Pl are plain data H and L
Diag. Tool: 0x04 0x67 0x02 0xCh 0xCl 0x00 0x00 0x00 where Ch and Cl are the checksum or crypted data related to Ph and Pl

I've obtained the response of the tool feeding message with only one bit set for Ph and Pl, but with no result.

Ph Pl Ch Cl
00 01 42 88
00 02 82 80
00 04 02 5F
00 08 01 D4
00 10 FF 9D
00 20 F6 B1
00 40 D2 D9
00 80 43 29
01 00 03 C7
02 00 04 FE
04 00 07 5A
08 00 0B CA
10 00 13 8A
20 00 1E 8A
40 00 22 8A
80 00 E2 89

These are general values from ecu<->tool communication:
Ph Pl Ch Cl
8C E9 39 97
D9 F6 61 33
BF C7 67 25
85 B2 00 ED
42 51 1B B0
F7 BD 1C 27
DA 89 27 3D
B1 27 28 8E
AF 6E 2A 71
BE 51 3F 5E
68 AD 4C 2A
DC C4 5B 47
06 01 5F 62
71 9A 7A 6F
71 7D 83 4D
42 1D 8E 08
6B FA A2 83
63 A0 AA B6
6E 57 BC 73
E6 EB E5 5B
A4 07 E8 37
A2 AD EA BA
9E 2A F5 FA
25 D1 F9 53

Hope someone can give some help...
Thank you in advance.

Kornelio
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Help on Security Access to Bosch0100

Post by Tazzi »

OoOoOoOoo.. bit of fun there!

Doesn't match up with anything I've worked on before.. but it's a standard seed/key security challenge.

Let's have a look at the top example:
Seed:0001 Key:4288
Seed:0002 Key:8280 - dif = 3FF8
Seed:0004 Key:025F - dif = 7FE5 (Which is almost 3FF8 * 2).. out by 0xB
Seed:0008 Key:01D4 - dif = FF75 (close to 3FF8*4).. out by 0x6B

A bit of a pattern can be seen.

If you simulate a seed for the first 15 seeds and grab the keys, might be able to find the exact pattern.
So... find for a seed of 3,5,6,7,9,A,B,C,D,E
Should then have the first 15 seed/key combos to begin finding the pattern.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
kornelio
Posts: 3
Joined: Sat Jun 02, 2018 4:42 pm

Re: Help on Security Access to Bosch0100

Post by kornelio »

Hi, these are about 512 values collected. There's a sort of scheme between the difference of two consecutive keys (6,6,5,7,6,6,5,7,.....) but I think it is only a consequence of the underlying algorithm.


Kornelio
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Help on Security Access to Bosch0100

Post by Tazzi »

Pretty constant pattern happening.. at least up to 0x3A which I calced to.

The difference of the difference (Like you have stated) seems to be consistent.
7,6,6,5 then repeats..
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Help on Security Access to Bosch0100

Post by Tazzi »

Ah take that back.. was looking at it wrong. The roll over has an effect of minus by one to the 'difference'.. so instead of the difference being 7,6,6,5... it ends up being 6,6,6,6,6,6,6 etc..

At roll over, have to add 1 otherwise it throws it out.

Seed: 0 Mine: 28A
Seed: 1 Mine: 4288
Seed: 2 Mine: 8280
Seed: 3 Mine: C272
Seed: 4 Mine: 25F
Seed: 5 Mine: 4245
......
Seed: 7FF0 Mine: DFA5
Seed: 7FF1 Mine: 2001
Seed: 7FF2 Mine: 6056
Seed: 7FF3 Mine: A0A5
Seed: 7FF4 Mine: E0EE
Seed: 7FF5 Mine: 2132
Seed: 7FF6 Mine: 616F
Seed: 7FF7 Mine: A1A6
Seed: 7FF8 Mine: E1D7
Seed: 7FF9 Mine: 2203
Seed: 7FFA Mine: 6228
Seed: 7FFB Mine: A247
Seed: 7FFC Mine: E260
Seed: 7FFD Mine: 2274
Seed: 7FFE Mine: 6281
Seed: 7FFF Mine: A288
Seed: 8000 Mine: E289

Can happily calc all 0xFFFF keys :thumbup:

Starting at key value of 028A, then ADDING by 4004 (call this var).. then on next seed you reduce var by 6.. then add to key again etc.
On int16 rollover, need to reduce key by 1.

And var should roll over to FFFF and begin again.
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Help on Security Access to Bosch0100

Post by Tazzi »

I'm sure the actual algo is meant to be bitshift etc... but my method works. :thumbup:
kornelio
Posts: 3
Joined: Sat Jun 02, 2018 4:42 pm

Re: Help on Security Access to Bosch0100

Post by kornelio »

Hi, I confirm that's correct for the first 512 values.

I've seen that using an algorithm like yours (much less efficient and more complex...)

Maybe for a different range of seeds the pattern changes.

I'll collect more seeds/keys.

Thank you!!!

kornelio
yoda69
Posts: 1215
Joined: Sun Mar 15, 2009 10:20 am
cars: 2004 VYII Acclaim Wagon V6 Auto LPG/Petrol
2004 VYII Berlina sedan V6 Auto
2005 VZ Monaro CV8 manual
Location: Geelong, VIC

Re: Help on Security Access to Bosch0100

Post by yoda69 »

Attached Excel file calculates the key from a seed.
Key = Mod(Seed x 16382 + 650 + (Seed - 1) x -3 x Seed, 65535)
or rearrange to: Key = Mod(Seed x 16382 + 650 - 3 x (Seed)^2 + 3 x Seed, 65535)
Security Access to Bosch0100.xlsx
(32.3 KiB) Downloaded 405 times
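
The closed form posted above and the running-sum description earlier in the thread can be checked against seed/key pairs quoted in the posts. This is an added example, not code from any poster or from the attached spreadsheet, and its function names are hypothetical. It also shows that the second difference of the keys is constant, and that the three "general values" rows tested match only when the seed is assembled low byte first.

```python
# Added example (not from the thread's authors); function names are hypothetical.
M = 0xFFFF  # 65535 = 2^16 - 1, the modulus in the posted formula

def key_closed_form(seed):
    """Closed form as posted: (Seed*16382 + 650 - 3*Seed*(Seed-1)) mod 65535."""
    return (seed * 16382 + 650 - 3 * seed * (seed - 1)) % M

def keys_iterative(count):
    """Running sum as posted: key starts at 0x028A, step starts at 0x4004 and
    drops by 6 before each add. Reducing mod 65535 is the end-around carry
    (+1 when the key overflows 16 bits, -1 when the step underflows)."""
    key, step, out = 0x028A, 0x4004, []
    for _ in range(count):
        out.append(key)
        step = (step - 6) % M
        key = (key + step) % M
    return out

def second_differences(keys):
    """Set of second differences mod 65535; a single value means quadratic."""
    d1 = [(b - a) % M for a, b in zip(keys, keys[1:])]
    return {(b - a) % M for a, b in zip(d1, d1[1:])}

# (seed, key) pairs copied from the posts above.
THREAD_PAIRS = [
    (0x0000, 0x028A), (0x0001, 0x4288), (0x0002, 0x8280), (0x0003, 0xC272),
    (0x0004, 0x025F), (0x0008, 0x01D4), (0x0010, 0xFF9D), (0x0020, 0xF6B1),
    (0x0100, 0x03C7), (0x7FFF, 0xA288), (0x8000, 0xE289),
]
# Rows from the "general values" list as (first byte, second byte, key).
GENERAL_ROWS = [(0x06, 0x01, 0x5F62), (0x42, 0x51, 0x1BB0), (0x8C, 0xE9, 0x3997)]

def mismatches(pairs):
    """Pairs whose key differs from the closed form."""
    return [(s, k) for s, k in pairs if key_closed_form(s) != k]

def general_pairs(low_byte_first):
    """Build (seed, key) from GENERAL_ROWS under either seed byte order."""
    return [((b << 8 | a) if low_byte_first else (a << 8 | b), k)
            for a, b, k in GENERAL_ROWS]

if __name__ == "__main__":
    print("thread pairs not matching:", mismatches(THREAD_PAIRS))
    print("general rows, low byte first:", mismatches(general_pairs(True)))
    print("general rows, high byte first:", mismatches(general_pairs(False)))
    print("iterative == closed form over all 65536 seeds:",
          keys_iterative(0x10000) == [key_closed_form(s) for s in range(0x10000)])
    print("second differences:", second_differences(keys_iterative(0x10000)))
```

A constant second difference means the key is a fixed quadratic of the seed, so three consecutive seed/key pairs already determine every other key.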
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Help on Security Access to Bosch0100

Post by Tazzi »

kornelio wrote: Hi, I confirm that's correct for the first 512 values.

I've seen that using an algorithm like yours (much less efficient and more complex...)

Maybe for a different range of seeds the pattern changes.

I'll collect more seeds/keys.

Thank you!!!

kornelio
Seems to be correct for all the ones you listed :thumbup:
jay woo
Posts: 51
Joined: Mon Jul 11, 2011 8:42 pm

Re: Help on Security Access to Bosch0100

Post by jay woo »

Below is a link to some Arduino code that may be of assistance. I am assuming most of the communication will be the same but with a different algorithm to calculate the response for security access. The ECU the code is for is probably not the same, but the code may give you a guide. If you are trying to flash the ECU, tread carefully. Flashing Bosch ECUs is notorious for being temperamental and complex. The ECU also logs the number of attempts to flash and successful flashes.

https://github.com/fjvva/ecu-tool/blob/ ... _EDC16.ino