Seed key brute force program.

Posts: 219
Joined: Wed Dec 06, 2017 1:02 pm

Re: Seed key brute force program.

Postby Vampyre » Sat Oct 02, 2021 10:32 am

So you think this would work for, say, BCM, IPC or other modules I'd like to play with, hmmmmm? Would at least get me started on reading them out or programming custom bins to them. :)

Posts: 468
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: Seed key brute force program.

Postby In-Tech » Sat Oct 02, 2021 10:55 am

I've mentioned elsewhere about a no-rom call dumper I made years ago for 8 bit stuff. All I would need to make it work on this stuff is the hardware register byte location/number of the I/O register. I can assemble a bs vb app pretty quick. Hoping to help :)

Posts: 438
Joined: Thu Feb 13, 2020 11:32 pm

Re: Seed key brute force program.

Postby ironduke » Sat Oct 02, 2021 9:36 pm

In-Tech wrote:I've mentioned elsewhere about a no-rom call dumper I made years ago for 8 bit stuff. All I would need to make it work on this stuff is the hardware register byte location/number of the I/O register. I can assemble a bs vb app pretty quick. Hoping to help :)


I'd love to hear more about this no-rom dumper?

Posts: 468
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: Seed key brute force program.

Postby In-Tech » Sun Oct 03, 2021 1:44 am

Code:
AD 38 4A AD 1F 26 FB 71 80 92 C6 8E 20 04 30 00 9D 9D AD 26 3C 8F 26 F1 3C 8E 26 ED 3C 8A A6 80 B7 8E 20 E5 B7 52 A6 F0 4A 26 FD B6 52 81 9D 9D 9D 9D 9D 9D 9D 9B A6 55 20 C6 B7 52 4F AD E9 AE 0A 43 11 00 AD DE 20 00 10 00 AD D8 98 25 04 11 00 20 04 10 00 20 00 AD CB 48 5A 26 F0 10 00 81

0080: AD38    bsr     $00BA     ;Branch to subroutine at 00BA
0082: 4A      deca              ;
0083: AD1F    bsr     $00A4     ;
0085: 26FB    bne     $0082     ;
0087: 7180                      ;Set Page to 80
0089: 92C68E  lda     [$8Eh.w]  ;
008C: 2004    bra     $0092     ;
008E: 3000    neg     $00       ;
0090: 9D      nop               ;
0091: 9D      nop               ;
0092: AD26    bsr     $00BA     ;
0094: 3C8F    inc     $8F       ;
0096: 26F1    bne     $0089     ;
0098: 3C8E    inc     $8E       ;
009A: 26ED    bne     $0089     ;
009C: 3C8A    inc     $8A       ;
009E: A680    lda     #$80      ;
00A0: B78E    sta     $8E       ;
00A2: 20E5    bra     $0089     ;
00A4: B752    sta     $52       ;
00A6: A6F0    lda     #$F0      ;
00A8: 4A      deca              ;
00A9: 26FD    bne     $00A8     ;
00AB: B652    lda     $52       ;
00AD: 81      rts               ;
00AE: 9D      nop               ;
00AF: 9D      nop               ;
00B0: 9D      nop               ;
00B1: 9D      nop               ;
00B2: 9D      nop               ;
00B3: 9D      nop               ;
00B4: 9D      nop               ;
00B5: 9B      sei               ;
00B6: A655    lda     #$55      ;
00B8: 20C6    bra     $0080     ;
00BA: B752    sta     $52       ;
00BC: 4F      clra              ;
00BD: ADE9    bsr     $00A8     ;
00BF: AE0A    ldx     #$0A      ;
00C1: 43      coma              ;
00C2: 1100    bclr0   $00       ;
00C4: ADDE    bsr     $00A4     ;
00C6: 2000    bra     $00C8     ;
00C8: 1000    bset0   $00       ;
00CA: ADD8    bsr     $00A4     ;
00CC: 98      clc               ;
00CD: 2504    bcs     $00D3     ;
00CF: 1100    bclr0   $00       ;
00D1: 2004    bra     $00D7     ;
00D3: 1000    bset0   $00       ;
00D5: 2000    bra     $00D7     ;
00D7: ADCB    bsr     $00A4     ;
00D9: 48      asla              ;
00DA: 5A      decx              ;
00DB: 26F0    bne     $00CD     ;
00DD: 1000    bset0   $00       ;
00DF: 81      rts               ;


I have a commented version around here somewhere, I'll see if I can find it. The I/O register is at 52 in this example IIRC, and it just dumps with a bit toggle starting at address 3000, loaded to RAM via a fake packet (erased from this example) at address 0080, then glitched the micro to land and execute :punk:

Here is a sample instruction set
6805 instruction set.doc

Posts: 468
Joined: Mon Mar 09, 2020 4:35 pm
Location: California

Re: Seed key brute force program.

Postby In-Tech » Sun Oct 03, 2021 12:58 pm

If anyone is wondering why there are jumps all over the place and the nops, it was to get the timing in range so it would work with all the built-in clock jitter that was used in this particular application. The "ticks" were critical. Also, figuring out the landing pad was a pita. My initial "fake" packets were used with a loop strategy so I could guesstimate landing pad glitch attacks. :)

Posts: 8
Joined: Mon Feb 24, 2020 7:13 pm

Re: Seed key brute force program.

Postby Overdrive915 » Fri Oct 29, 2021 11:56 pm

Hi to all, I have tested this software and it works :D :D I have been battling to find some form of software to unlock an E38 and this works like a dream. I will be testing on a locked E38 that I do not know the code for and will let it run until I get the code. Will give feedback as soon as I get the code.
Thanks

Posts: 438
Joined: Thu Feb 13, 2020 11:32 pm

Re: Seed key brute force program.

Postby ironduke » Sat Oct 30, 2021 1:45 am

Overdrive915 wrote:Hi to all, I have tested this software and it works :D :D I have been battling to find some form of software to unlock an E38 and this works like a dream. I will be testing on a locked E38 that I do not know the code for and will let it run until I get the code. Will give feedback as soon as I get the code.
Thanks


If you post the seed of an E38 we can give you the key, as long as it hasn't been locked by a tuner or semi-bricked. As in, if it's a regular unlock, we can get the key from the seed pretty easily.

Posts: 2931
Joined: Thu May 17, 2012 8:53 pm
Location: WA

Re: Seed key brute force program.

Postby Tazzi » Sat Oct 30, 2021 12:46 pm

In-Tech wrote:If anyone is wondering why there are jumps all over the place and the nops, it was to get the timing in range so it would work with all the built in clock jitter that was used in this particular application. The "ticks" were critical. Also figuring out the landing pad was a pita. My initial "Fake" packets were used with a loop strategy so I could guestimate landing pad glitch attacks. :)

Can you explain what exactly that code is doing? A little bit lost as to what its purpose is :)
Your Local Aussie Reverse Engineer
Site:www.envyouscustoms.com
Mob:+61406 140 726

Posts: 8
Joined: Mon Feb 24, 2020 7:13 pm

Re: Seed key brute force program.

Postby Overdrive915 » Sun Nov 07, 2021 9:11 pm

ironduke wrote:
Overdrive915 wrote:Hi to all, I have tested this software and it works :D :D I have been battling to find some form of software to unlock an E38 and this works like a dream. I will be testing on a locked E38 that I do not know the code for and will let it run until I get the code. Will give feedback as soon as I get the code.
Thanks


If you post the seed of an E38 we can give you the key, as long as it hasn't been locked by a tuner or semi-bricked. As in, if it's a regular unlock, we can get the key from the seed pretty easily.



It was locked by a tuner. I managed to get the key after 2 days.
Seed 27F6
Key 22F0
Checked that, and the standard key was supposed to be Key 810C. Now I am trying to reprogram with PowerPCM and it keeps going to 810C to program and tells me that it's not OK. Is there any way to change the key in PowerPCM to 22F0 so that I can get in to program?
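The "2 days" figure above is a useful data point for anyone deciding how much a 2-byte seed/key challenge actually protects a module. The calculator below is an added example, not code from this thread, from the brute-force tool, or from PowerPCM or any ECU software. It assumes a 16-bit response space (a 2-byte key such as 22F0) and models the module's per-attempt delay and lockout as parameters; only the 2-day figure comes from the post, and the lockout and 32-bit policies it compares against are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class ChallengePolicy:
    """Parameters of a seed/key challenge as seen from the defender's side."""
    key_bits: int            # size of the response space; 16 for a 2-byte key
    attempt_delay_s: float   # minimum spacing the module enforces between tries
    lockout_every: int = 0   # failed attempts before a lockout starts (0 = none)
    lockout_s: float = 0.0   # length of each lockout period

    @property
    def key_space(self) -> int:
        return 1 << self.key_bits

    def worst_case_seconds(self) -> float:
        """Time to try every response once, honouring delays and lockouts."""
        n = self.key_space
        total = n * self.attempt_delay_s
        if self.lockout_every > 0:
            total += (n // self.lockout_every) * self.lockout_s
        return total

    def expected_seconds(self) -> float:
        """Average case: the right response turns up halfway through the space."""
        return self.worst_case_seconds() / 2


def implied_seconds_per_attempt(key_bits: int, observed_seconds: float) -> float:
    """Per-attempt cost implied by an observed exhaustive search time."""
    return observed_seconds / (1 << key_bits)


def format_duration(seconds: float) -> str:
    """Human-readable duration, one decimal in the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("min", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} s"


def compare_policies(per_attempt_s: float) -> dict:
    """Expected search time for a few policies at the same per-attempt cost.

    The lockout and 32-bit policies are constructed for illustration; they are
    not measurements of any particular module.
    """
    policies = {
        "16-bit, no lockout": ChallengePolicy(16, per_attempt_s),
        "16-bit, 10 min lockout per 3 failures": ChallengePolicy(16, per_attempt_s, 3, 600),
        "32-bit, no lockout": ChallengePolicy(32, per_attempt_s),
    }
    return {name: p.expected_seconds() for name, p in policies.items()}


if __name__ == "__main__":
    # The post reports a 16-bit key recovered after 2 days of running.
    observed = 2 * 86400
    per_attempt = implied_seconds_per_attempt(16, observed)
    print(f"implied cost per attempt: {per_attempt:.2f} s")
    for name, secs in compare_policies(per_attempt).items():
        print(f"{name:40} expected {format_duration(secs)}")
```

Run as a script it shows that 2 days over 65536 responses works out to about 2.6 s per attempt, that a modest lockout (assumed here: 10 minutes after every 3 failures) pushes the expected search from one day to over two months at the same attempt cost, and that widening the response to 32 bits puts it at well over a century. The point for a defender is that the challenge is only as strong as the key width and the rate limiting together.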

Posts: 438
Joined: Thu Feb 13, 2020 11:32 pm

Re: Seed key brute force program.

Postby ironduke » Mon Nov 08, 2021 12:11 am

Overdrive915 wrote:
ironduke wrote:
Overdrive915 wrote:Hi to all, I have tested this software and it works :D :D I have been battling to find some form of software to unlock an E38 and this works like a dream. I will be testing on a locked E38 that I do not know the code for and will let it run until I get the code. Will give feedback as soon as I get the code.
Thanks


If you post the seed of an E38 we can give you the key, as long as it hasn't been locked by a tuner or semi-bricked. As in, if it's a regular unlock, we can get the key from the seed pretty easily.



It was locked by a tuner. I managed to get the key after 2 days.
Seed 27F6
Key 22F0
Checked that, and the standard key was supposed to be Key 810C. Now I am trying to reprogram with PowerPCM and it keeps going to 810C to program and tells me that it's not OK. Is there any way to change the key in PowerPCM to 22F0 so that I can get in to program?


I've never used it, but you're supposed to be able to use the dropdown on the right where you would select E38 or E67, select the 0xffff entry, click that and type in the key you want to use. I would definitely suggest a read before writing; if it was tuner-locked then it was tuned, so I'd want a copy of that just in case.
