Gm Seed key algorithms
37 posts
• Page 2 of 4 • 1, 2, 3, 4
Re: Gm Seed key algorithms
I think 0x2A is wrong "If HH<LL use 2's complement, else use 1's complement"
Has anyone got any seed key pairs to try on this?
(Stepped through GMSeedkeyTestermaster)
(LL and HH reversed because it was easier for me)
05 Byte swap
14 ADD LLHH
2A IF LL<HH use 2's complement, else use 1's complement
37 AND HHLL
4C Rotate Left by LL bits
52 OR HHLL
6B Rotate Right by HH bits
75 ADD HHLL
7E Byte Swap then IF LL>HH ADD LLHH ELSE ADD HHLL
98 SUB LLHH
F8 SUB HHLL
 Attachments

 GMSeedKey.exe
 (37.5 KiB) Downloaded 88 times
Re: Gm Seed key algorithms
What algo are you working with that you have questions about?
Algo 2A for Class 2
Algorithm: 2a
Step : tempseed1 == seed << 0xA
Step : tempseed2 == seed >> 0x6
Step : seed == (tempseed1  tempseed2)
Step : Seed += 0xD3C5
Step = Byte Swap seed
Step : seed+= 0xF863
Step : tempseed1 == seed >> 0xB
Step : tempseed2 == seed << 0x5
Step : key == (tempseed1  tempseed2)
Algo for GMlan
Step : seed = ~seed
Step : Seed += 0xAA38
Step : tempseed1 == seed << 0x2
Step : tempseed2 == seed >> 0xE
Step : seed == (tempseed1  tempseed2)
Step : key = Byte Swap Seed
Algo for GM other
Step : tempseed1 == seed >> 0x4
Step : tempseed2 == seed << 0xC
Step : seed == (tempseed1  tempseed2)
Step : seed= 0x7EBF
Step : seed = ~seed
Step : key = seed= 0x7A7F
Re: Gm Seed key algorithms
mattyjf01 wrote:First post gmseedkey.doc
I was wondering if 2a was backwards?
Flip it, regression test it ...
Improve Knowledge = Share Yours!
Re: Gm Seed key algorithms
Not the algo. The 2A function described in the document on the first post
"0x2A = Complement – if HH>LL use 2’s complement, else use 1’s complement"
In GM_s_k and the VB.NET version I wrote, it's
"0x2A = Complement – if HH<LL use 2’s complement, else use 1’s complement"
Re: Gm Seed key algorithms
Ok, I kinda started thinking that's what you meant/typed out and I just misunderstood..
So in order to test this we need to find an algo that uses the 2A function and then get some known seedkeys to test which way is correct, right??
It looks like algo 92 of gmlan for the E38 ecu uses the 2a function and what I have has been working for every single seed I've thrown at it..
you typed out that you reversed Hi and Low because it was easier for you? what does that mean? hi is low and low is hi?? That's going to confuse me.. sorry
your 2A function written as "2A IF LL<HH use 2's complement, else use 1's complement" matches mine..
Step : seed = ~seed
IF LL<HH use seed +1
actual 2a routine is below..
int sub_10001028(int a1, int a2) // a1 is the seed // a2 is dependent on data in the table for that algo.
{
    __int16 v2;
    int v4;
    unsigned char low, high;
    v4 = a2;
    low = *(unsigned char *)v4;     // this is 0xb8 for algo 0x92
    high = *(unsigned char *)++v4;  // this is 0x70 for algo 92
    v2 = ~*(_WORD *)a1;             // v2 = bitwise 1's complement
    if (debug) printf("Step : seed = ~seed\n");
    *(_WORD *)a1 = v2;              // push v2 to seed memory location
    if (low < high) {
        *(_WORD *)a1 = v2 + 1;
        if (debug) printf("Step : seed += 1\n");
    }
    return 0;
}
in the 92 algo a1 is the seed and 0xb8 is low and 0x70 is hi.. lo(0xb8) is NOT lower than hi(0x70) so it's only 1's complement
here's my short list of ecu to algos, feel free to add to my list, or correct me if I've got one wrong..
E38 is gmlan 0x92
E39 is gmlan 0xDC
E54 is Class2 0x36
E67 is GMlan 0xEB
e78 is gmlan 0xDB
E92 is GM_other 0x01
T43 is gmlan 0x84
T76 is gmlan 0xC5
T87 is GM_other 0x39
P01,P59 is class2? 0x28
P04 is class2 0x0e
Last edited by ironduke on Sun Oct 04, 2020 3:59 am, edited 2 times in total.
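Added example, not part of any post and not code from the tools discussed: a portable C form of the 0x2A step that takes the disputed comparison as a parameter, so the two readings can be regression-tested against each other. The names op_2a, rule_2a, rules_disagree and count_disagreements are made up for this sketch, the seed 0x1234 is a constructed sample, and the operand bytes 0xB8/0x70 are the ones quoted above for algo 0x92.

```c
#include <stdint.h>
#include <stdio.h>

/* Which comparison selects two's complement; this is what the thread disputes. */
enum rule_2a { TWOS_IF_LOW_LT_HIGH, TWOS_IF_HIGH_LT_LOW };

/* Op 0x2A on a 16-bit seed. `low` is the first operand byte read from the
 * table and `high` the second, matching the order in the posted routine. */
uint16_t op_2a(uint16_t seed, uint8_t low, uint8_t high, enum rule_2a rule)
{
    uint16_t v = (uint16_t)~seed;            /* one's complement */
    int twos = (rule == TWOS_IF_LOW_LT_HIGH) ? (low < high) : (high < low);
    if (twos)
        v = (uint16_t)(v + 1);               /* two's complement, wraps at 16 bits */
    return v;
}

/* Returns 1 if the two readings give different results for this seed. */
int rules_disagree(uint16_t seed, uint8_t low, uint8_t high)
{
    return op_2a(seed, low, high, TWOS_IF_LOW_LT_HIGH) !=
           op_2a(seed, low, high, TWOS_IF_HIGH_LT_LOW);
}

/* Counts the seeds in the full 16-bit space where the readings differ. */
unsigned count_disagreements(uint8_t low, uint8_t high)
{
    unsigned n = 0;
    for (uint32_t s = 0; s <= 0xFFFF; s++)
        n += (unsigned)rules_disagree((uint16_t)s, low, high);
    return n;
}

int main(void)
{
    const uint8_t low = 0xB8, high = 0x70;   /* operand bytes quoted for algo 0x92 */
    const uint16_t seed = 0x1234;            /* constructed sample seed */

    printf("low<high reading: %04X\n",
           (unsigned)op_2a(seed, low, high, TWOS_IF_LOW_LT_HIGH));
    printf("high<low reading: %04X\n",
           (unsigned)op_2a(seed, low, high, TWOS_IF_HIGH_LT_LOW));
    printf("seeds where the readings differ: %u of 65536\n",
           count_disagreements(low, high));
    return 0;
}
```

The two readings differ at this step for all 65536 seeds whenever the operand bytes are unequal, and never when they are equal.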
Re: Gm Seed key algorithms
ironduke wrote:P01,P59 is class2? 0x40
P04 is class2 0x14
That is decimal 40 (0x28) and decimal 14 (0x0E)
Improve Knowledge = Share Yours!
Re: Gm Seed key algorithms
Gampy wrote:
ironduke wrote:P01,P59 is class2? 0x40
P04 is class2 0x14
That is decimal 40 (0x28) and decimal 14 (0x0E)
Doh!!! Thanks....
Re: Gm Seed key algorithms
Thanks Ironduke, That's Correct
I Only Have a GMLAN (Ve) to test on at the moment and none of the Algorithms have used the 2A Function
SWCAN
IPC = E8
EHU = B7
TDM = 71
Last edited by mattyjf01 on Sun Oct 04, 2020 3:28 pm, edited 1 time in total.