j2534 Open Source Resources


Re: j2534 Open Source Resources

Post by antus »

Can you post some valid seed/keys?
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396

Post by rolls »

Sure will do when I'm in front of a pc later.

Post by Tazzi »

rolls wrote: Nope.

It is a simple routine about 20 lines long that I rewrote in C# in about 30 minutes. They extracted the secret keys from the IDS software, however you can brute force them. I wrote a routine to brute force them just to prove it could be done, but you need about 10 seed keys as there are a lot of secret keys that have collisions and give the correct result for that seed only.

Ah right, yes I see now. I missed that one!

So.. what's actually missing now.. definitions and hardware?
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726

Post by rolls »

Working read/write with cheap hardware. Probably only a month or so more work to get this working.

Creating definitions without infringing on other companies' IP, which will be difficult as all the descriptions I have are from IDS, hptuners, SCT and moates and I'm not sure if simply rewriting the names and descriptions is good enough. I might need to demonstrate that I've discovered them myself.

I won't release anything until I can figure this out. Definitely open to suggestions.

Post by rolls »

Here is a list of seeds and the accepted response codes that I have sniffed for a BF Falcon. I haven't confirmed it, but I believe the secret key for all of them is: 0x 08 30 61 A4 C5
You can easily verify these against this Python script:
https://github.com/Self-Driving-Vehicle ... ecurity.py


Edit: Lots of other interesting scripts on that GitHub, which are all written about in their thesis:
https://github.com/Self-Driving-Vehicle/CANBUS-Hack
http://www.ioactive.com/pdfs/IOActive_A ... _Units.pdf

Post by Tazzi »

rolls wrote:Working read/write with cheap hardware. Probably only a month or so more work to get this working.

Creating definitions without infringing on other companies' IP, which will be difficult as all the descriptions I have are from IDS, hptuners, SCT and moates and I'm not sure if simply rewriting the names and descriptions is good enough. I might need to demonstrate that I've discovered them myself.

I won't release anything until I can figure this out. Definitely open to suggestions.

Yeah, I'd say that's probably true, would need to decompile the Ford dumps, and at least show some work from there.
Really.. you could get a few definitions from (Insert company name here) and find where they would actually reside inside the decompiled ECU bin and begin reverse engineering from there... it would give a starting point to help understand how they identified what everything was. :thumbup:

Post by rolls »

https://github.com/rolandh/j2534-logger/

I've forked a J2534 shim DLL. If you download and compile this you can edit your J2534 registry entries to use this DLL. When the DLL is called it will create a dialog box and ask which real J2534 DLL you would like to use and a log location.

I've tested it with a VCI mini China clone and FORscan in Windows 10 x64 without issue. I'll create an installer for it later but you guys should be able to figure it out manually.

You can then use IDS, moates etc and it will record all J2534 DLL calls to disk which you can then use to replay/recreate the functionality.

Enjoy!
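
A defender-side check for the mechanism described in the post above, added here as an example that is not part of the thread or of the j2534-logger project: whatever DLL a J2534 registration names is loaded by the diagnostic application, so this script audits an exported copy of those registrations. The `PassThruSupport.04.04` key and `FunctionLibrary` value come from the J2534 registry convention rather than from the thread; the sample export, the trusted-directory list and the duplicate-name heuristic are assumptions.

```python
import re

# Constructed `reg export` text; vendor, device names and paths are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassThruSupport.04.04]

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassThruSupport.04.04\ExampleVendor - VCI]
"Name"="Example VCI"
"FunctionLibrary"="C:\\Program Files (x86)\\ExampleVendor\\vci32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassThruSupport.04.04\Example Logger]
"Name"="Example VCI"
"FunctionLibrary"="C:\\Users\\tech\\Downloads\\shim\\logger.dll"
'''

KEY_RE = re.compile(r'^\[(HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?'
                    r'PassThruSupport\.04\.04\\.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Assumption: only these admin-writable roots are acceptable DLL locations.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)")

def parse_devices(reg_text):
    """Return {registry key: {value name: string data}} for J2534 device keys."""
    devices, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = devices.setdefault(key.group(1), {})
        elif line.startswith("["):
            current = None                       # parent or unrelated key
        elif current is not None and (val := VAL_RE.match(line)):
            current[val.group(1)] = val.group(2).replace("\\\\", "\\")
    return devices

def audit(devices, trusted_roots=TRUSTED_ROOTS):
    """Return [(key, reason)] for registrations worth a manual look."""
    findings, names = [], {}
    for key, vals in devices.items():
        lib = vals.get("FunctionLibrary", "")
        low = lib.lower().replace("/", "\\")
        if not lib:
            findings.append((key, "no FunctionLibrary value"))
        elif "\\..\\" in low or not any(low.startswith(r + "\\") for r in trusted_roots):
            findings.append((key, "DLL outside trusted directories: " + lib))
        first = names.setdefault(vals.get("Name", key), key)
        if first != key:                         # two entries claim one device name
            findings.append((key, "same Name as " + first.rsplit("\\", 1)[-1]))
    return findings
```

On a real machine the input would be an export of both the native and `WOW6432Node` copies of the key, and any flagged DLL would then be checked for a valid vendor signature.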

Post by Tazzi »

rolls wrote:https://github.com/rolandh/j2534-logger/

I've forked a J2534 shim DLL. If you download and compile this you can edit your J2534 registry entries to use this DLL. When the DLL is called it will create a dialog box and ask which real J2534 DLL you would like to use and a log location.

I've tested it with a VCI mini China clone and FORscan in Windows 10 x64 without issue. I'll create an installer for it later but you guys should be able to figure it out manually.

You can then use IDS, moates etc and it will record all J2534 DLL calls to disk which you can then use to replay/recreate the functionality.

Enjoy!

Would have thought IDS would be picky and not allow using the VCI mini? I know they began banning clone serial numbers from v96 up I think.

Post by rolls »

Tazzi wrote:
rolls wrote:https://github.com/rolandh/j2534-logger/

I've forked a J2534 shim DLL. If you download and compile this you can edit your J2534 registry entries to use this DLL. When the DLL is called it will create a dialog box and ask which real J2534 DLL you would like to use and a log location.

I've tested it with a VCI mini China clone and FORscan in Windows 10 x64 without issue. I'll create an installer for it later but you guys should be able to figure it out manually.

You can then use IDS, moates etc and it will record all J2534 DLL calls to disk which you can then use to replay/recreate the functionality.

Enjoy!

Would have thought IDS would be picky and not allow using the VCI mini? I know they began banning clone serial numbers from v96 up I think.

Well if that is the case then we could easily mimic a VCM2 by editing the shim DLL to fudge the version, name and serial number.

Anyone got a VCM2 that they can provide this information for? Only take me 30 minutes to add it as an option.

Post by Tazzi »

rolls wrote:
Tazzi wrote:
rolls wrote:https://github.com/rolandh/j2534-logger/

I've forked a J2534 shim DLL. If you download and compile this you can edit your J2534 registry entries to use this DLL. When the DLL is called it will create a dialog box and ask which real J2534 DLL you would like to use and a log location.

I've tested it with a VCI mini China clone and FORscan in Windows 10 x64 without issue. I'll create an installer for it later but you guys should be able to figure it out manually.

You can then use IDS, moates etc and it will record all J2534 DLL calls to disk which you can then use to replay/recreate the functionality.

Enjoy!

Would have thought IDS would be picky and not allow using the VCI mini? I know they began banning clone serial numbers from v96 up I think.

Well if that is the case then we could easily mimic a VCM2 by editing the shim DLL to fudge the version, name and serial number.

Anyone got a VCM2 that they can provide this information for? Only take me 30 minutes to add it as an option.

Once I get back home I'll grab the details off mine.
Serial could be set to anything really as long as it doesn't match the clone :thumbup: