I have created a J2534 Tool for brute-forcing 0x27 Security Access on Ford modules. Haven't implemented FEPS yet, so it will not work on a PCM, but on other modules it will. Uses the keybag from the Ford hack and brute-forces service 0x27 with those keys and some others. Used an OBDxPro FT interface, so that will definitely work with this.
Edit: Updated the GUI and have now implemented FEPS and added additional keys pulled from Forscan with Ghidra.
There's some Python seed-key code included with the same research paper. It came up with the same key result as Forscan when I tested it against my 2018 instrument cluster. I need to test it against a few other modules in my truck.
It's also pretty easy to get the secrets from the module firmware. At least the PPC-based ones. I pulled the secret bytes from an 18 IPC, 17 BCM, and 17 gateway. The code was virtually identical in all three modules, despite coming from different suppliers. They were also stored in a contiguous block in all three modules. So if you can brute force level 1 for example, you can probably find the other levels with a simple search in a hex editor.
It's also possible to get some of the secret bytes if you know how to decrypt the IDS XML files. At least for modules that don't use the so-called "crypto algo". I think that just refers to how the secrets are stored in IDS. Because my IPC is one of those modules, and it uses the same old security algo for 27 01 and 27 03 in the actual module.
As far as programming with all this stuff works, I’ve been too reluctant to jump into the shark pool… but the FEPS that needs crazy voltage jump hasn’t been needed when I tested read/write on bench, but I’m sure I’ll be told that I’m incorrect!