GM 5 byte seed key generator

dmaxben
Posts: 16
Joined: Thu Feb 19, 2015 12:54 am
cars: Duramax

Re: GM 5 byte seed key generator

Post by dmaxben »

Tazzi wrote:Ohhhh I see. 27 03 is actually called engineer/manufacture access. I was not aware of the 2017+ locking out after moving though, thats a new one.
The algorithm is on GM's servers, but.. can generate the required seeds by simulating a module to GM though, so I can give that a go.
GM does call 27 03/04 "device control security". Its in GMW3110, and every other dbc/document.

And then 27 FB/FC is "supplier security seed/key"...which I think has even higher level permissions/privileges than device control.

Ive already tried subbing in a device control seed during a normal SPS programming event, it doesnt work. That was a while ago that I tried it though.

I assume because the server was expecting the seed to end in 06 for the programming event, so it rejected the seed ending in 01/0C....
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: GM 5 byte seed key generator

Post by Tazzi »

dmaxben wrote:
Tazzi wrote:Ohhhh I see. 27 03 is actually called engineer/manufacture access. I was not aware of the 2017+ locking out after moving though, thats a new one.
The algorithm is on GM's servers, but.. can generate the required seeds by simulating a module to GM though, so I can give that a go.
GM does call 27 03/04 "device control security". Its in GMW3110, and every other dbc/document.

And then 27 FB/FC is "supplier security seed/key"...which I think has even higher level permissions/privileges than device control.

Ive already tried subbing in a device control seed during a normal SPS programming event, it doesnt work. That was a while ago that I tried it though.

I assume because the server was expecting the seed to end in 06 for the programming event, so it rejected the seed ending in 01/0C....
Hmm, I will have to bring up my documentation, but supplier security seed/key might be what I am referring to, as its the access they utilize to flash specific information in such as serial/Seed/key ect.

Ill spin up a session later today and see if I cant get a matching key to your previous values.

Out of curiosity, what are you wanting to do with the module unlocked while moving?
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
dmaxben
Posts: 16
Joined: Thu Feb 19, 2015 12:54 am
cars: Duramax

Re: GM 5 byte seed key generator

Post by dmaxben »

Tazzi wrote:Hmm, I will have to bring up my documentation, but supplier security seed/key might be what I am referring to, as its the access they utilize to flash specific information in such as serial/Seed/key ect.

Ill spin up a session later today and see if I cant get a matching key to your previous values.

Out of curiosity, what are you wanting to do with the module unlocked while moving?
I just want to be able to command lights on/off (using mode AE) with the engine running. MY17+ BCM OS only allows that key on engine off (unless you have device control security access).

The BCM doesnt support supplier security access. Just programming (27 01) and device control (27 03).

Not many GM controllers even have supplier security access function, its a pretty specific thing only used for extremely tight-security features that generally wont ever be changed once the controller leaves the plant.

If you're curious if a specific controller has additional supplier-level security access features, just send it [USDT ID] 02 27 FB and see if it gives a positive or negative response......
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: GM 5 byte seed key generator

Post by Tazzi »

hmm, my docos dont indicate 27 FB, only about 27 03 which is designed for DVT access.
DVT access allows lots of different things including messing with seed/key.

I tried generate for a none 06 key, and it doesnt generate a matching key. Could be a different table algo so requires more investigation.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
dmaxben
Posts: 16
Joined: Thu Feb 19, 2015 12:54 am
cars: Duramax

Re: GM 5 byte seed key generator

Post by dmaxben »

Tazzi wrote:hmm, my docos dont indicate 27 FB, only about 27 03 which is designed for DVT access.
DVT access allows lots of different things including messing with seed/key.

I tried generate for a none 06 key, and it doesnt generate a matching key. Could be a different table algo so requires more investigation.
yes, DVT = Diagnostic Vehicle Testing. Its just another name for device control. Depends on the controller supplier whether they call it DVT or just the more generic global "device control".

Most ECM documents use "DVT"...whatever, its the same thing. Basically just lets engineers test certain things that they dont want tested out in the real world, or dont want tested under certain conditions.

IE, a regular dealer technician should be able to command the starter relay for service testing in the field...but the engineers would want to lock out the idiot dealer technicians from being able to command the starter relay when the engine is already running for obvious reasons. So they use the device control (DVT) security; if no security access is granted, the ECM will reject a mode AE request to command the starter relay when the engine is running. If you have device control access security granted, you get a nice grinding noise and the opportunity to buy a new starter/ring gear.

Yeah, as I said in my previous post, I already tried spoofing the device control key to SPS...no go. :cry:
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: GM 5 byte seed key generator

Post by Tazzi »

dmaxben wrote:yes, DVT = Diagnostic Vehicle Testing. Its just another name for device control. Depends on the controller supplier whether they call it DVT or just the more generic global "device control".

Most ECM documents use "DVT"...whatever, its the same thing. Basically just lets engineers test certain things that they dont want tested out in the real world, or dont want tested under certain conditions.

IE, a regular dealer technician should be able to command the starter relay for service testing in the field...but the engineers would want to lock out the idiot dealer technicians from being able to command the starter relay when the engine is already running for obvious reasons. So they use the device control (DVT) security; if no security access is granted, the ECM will reject a mode AE request to command the starter relay when the engine is running. If you have device control access security granted, you get a nice grinding noise and the opportunity to buy a new starter/ring gear.

Yeah, as I said in my previous post, I already tried spoofing the device control key to SPS...no go. :cry:
Yeah, itll be running under a different table algo. Theres technically a max of 255 for each 'table' so it should pop up if cycling through them all.
I ran out of time today bit will give it another go tomorrow.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
User avatar
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: GM 5 byte seed key generator

Post by Gatecrasher »

DVT is dynamic vehicle test. It's a battery of automated tests that are run right after the car comes off the assembly line.

Does GDS2 make use of these secured device control modes? You'd think it would have to have the algos buried in a DLL or something.
User avatar
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA
Contact:

Re: GM 5 byte seed key generator

Post by Tazzi »

Gatecrasher wrote:DVT is dynamic vehicle test. It's a battery of automated tests that are run right after the car comes off the assembly line.

Does GDS2 make use of these secured device control modes? You'd think it would have to have the algos buried in a DLL or something.
Great thought, but seems GDS2 assumes the vehicle is in ideal conditions which are not moving as it doesn’t perform any security unlocks.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Image
dmaxben
Posts: 16
Joined: Thu Feb 19, 2015 12:54 am
cars: Duramax

Re: GM 5 byte seed key generator

Post by dmaxben »

Gatecrasher wrote:DVT is dynamic vehicle test. It's a battery of automated tests that are run right after the car comes off the assembly line.

Does GDS2 make use of these secured device control modes? You'd think it would have to have the algos buried in a DLL or something.
No, the device control security/DVT's are specifically there to keep dealer techs with GDS _out_ and keep them from breaking stuff with GDS.
User avatar
Gatecrasher
Posts: 272
Joined: Sat Apr 25, 2020 6:09 am

Re: GM 5 byte seed key generator

Post by Gatecrasher »

You're not wrong about the lockouts, but that's not what DVT means.

https://www.corvettemuseum.org/demystif ... d-process/
“The first thing that happens is alignment. The car is driven over an alignment pit with operators under the car doing the work with about 30 individual checks. The next step is Dynamic Vehicle Test (‘DVT’). Over 8,000 checks are done in DVT. The car will check a lot of things itself. In here we communicate with the vehicle and are looking to find things like are the antennas working properly for OnStar.”
Check out the video at the bottom of the page. Skip to 16:30. They show the DVT process.
Post Reply