pcmhacking.net

Can you post some valid seed/keys?

Sure will do when I'm in front of a pc later.

rolls wrote:Nope.

It is a simple routine about 20 lines long that rewrote in c# in about 30 minutes. They extracted the secrete keys from the ids software however you can brute force them. I wrote a routine to brute force them juts to prove it could be done but you need about 10 seed keys as there are a lot of secrete keys that have collisions and give the correct result for that seed only.

Ah right, yes I see now. I missed that one!

So.. whats actually missing now.. definitions and hardware?

Working read/write with cheap hardware. Probably only a month or so more work to get this working.

Creating definitions without infringing on other companies IP which will be difficult as all the descriptions I have are from IDS, hptuners SCT and moates and I'm not sure if simply rewriting the names and descriptions is good enough. I might need to demonstrate that ive discovered them myself.

I won't release anything until I can figure this out. Definitely open to suggestions.

Here is a list of seeds and the accepted response code that I have sniffed for a BF falcon, I haven't confirmed but I believe the secret key for all of them is: 0x 08 30 61 A4 C5
can easily verify these against this python script
https://github.com/Self-Driving-Vehicle ... ecurity.py

seed response
dc5622 778858
c18939 945b0b
c027d9 2b0c53
25bcaa bd4d65
2e2816 cc837a
48d35c f955da
dfdc92 d5f93b
6bb1cb 3741a0
44307c f96714
ceca0e 02cb95
6143e7 4e8de2
bb94ee dc4a05
caf441 ffea49
d06d9c 5356a3
824066 1fe50d
e25d45 ee64a4

edit: Lots of other interesting scripts on that github which are all writen about in their thesis
https://github.com/Self-Driving-Vehicle/CANBUS-Hack
http://www.ioactive.com/pdfs/IOActive_A ... _Units.pdf

rolls wrote:Working read/write with cheap hardware. Probably only a month or so more work to get this working.

Creating definitions without infringing on other companies IP which will be difficult as all the descriptions I have are from IDS, hptuners SCT and moates and I'm not sure if simply rewriting the names and descriptions is good enough. I might need to demonstrate that ive discovered them myself.

I won't release anything until I can figure this out. Definitely open to suggestions.

Yeah Id say thats probably true, would need to decompile the Ford dumps, and at least show some work from there.
Really.. you could get a few definitions from (Insert company name here) and find where they would actually reside inside the decompiled ecu bin and begin reverse engineer from there... it would give a starting point to help understand how they identified what everything was.

https://github.com/rolandh/j2534-logger/

I've forked a J2534 shim DLL. If you download and compile this you can edit your J2534 registry entries to use this DLL, when the DLL is called it will create a dialog box and ask which real J2534 DLL you would like you use and a log location.

I've tested it with a VCI mini china clone and FORscan in windows 10 x64 without issue. I'll create an installer for it later but you guys should be able to figure it out manually.

You can then use IDS, moates etc and it will record all J2534 DLL calls to disk which you can then use to replay/recreate the functionality.

Enjoy!

rolls wrote:https://github.com/rolandh/j2534-logger/

I've forked a J2534 shim DLL. If you download and compile this you can edit your J2534 registry entries to use this DLL, when the DLL is called it will create a dialog box and ask which real J2534 DLL you would like you use and a log location.

I've tested it with a VCI mini china clone and FORscan in windows 10 x64 without issue. I'll create an installer for it later but you guys should be able to figure it out manually.

You can then use IDS, moates etc and it will record all J2534 DLL calls to disk which you can then use to replay/recreate the functionality.

Enjoy!

Would have thought IDS would be picky and not allow using the vci mini? I know they begun banning clone serial numbers from v96 up I think.

Tazzi wrote:

rolls wrote:https://github.com/rolandh/j2534-logger/

I've forked a J2534 shim DLL. If you download and compile this you can edit your J2534 registry entries to use this DLL, when the DLL is called it will create a dialog box and ask which real J2534 DLL you would like you use and a log location.

I've tested it with a VCI mini china clone and FORscan in windows 10 x64 without issue. I'll create an installer for it later but you guys should be able to figure it out manually.

You can then use IDS, moates etc and it will record all J2534 DLL calls to disk which you can then use to replay/recreate the functionality.

Enjoy!

Would have thought IDS would be picky and not allow using the vci mini? I know they begun banning clone serial numbers from v96 up I think.

Well if that is the case then we could easily mimick a VCM2 by editing the shim DLL to fudge the version, name and serial number.

Anyone got a VCM2 that they gave provide this information for? Only take me 30 minutes to add it as an option.

rolls wrote:

Tazzi wrote:

rolls wrote:https://github.com/rolandh/j2534-logger/

I've forked a J2534 shim DLL. If you download and compile this you can edit your J2534 registry entries to use this DLL, when the DLL is called it will create a dialog box and ask which real J2534 DLL you would like you use and a log location.

I've tested it with a VCI mini china clone and FORscan in windows 10 x64 without issue. I'll create an installer for it later but you guys should be able to figure it out manually.

You can then use IDS, moates etc and it will record all J2534 DLL calls to disk which you can then use to replay/recreate the functionality.

Enjoy!

Would have thought IDS would be picky and not allow using the vci mini? I know they begun banning clone serial numbers from v96 up I think.

Well if that is the case then we could easily mimick a VCM2 by editing the shim DLL to fudge the version, name and serial number.

Anyone got a VCM2 that they gave provide this information for? Only take me 30 minutes to add it as an option.

Once I get back home I'll grab the details off mine.
Serial could be set to anythign really as long as it doesnt match the clone