pcmhacking.net

Someone was kind enough to share this with me elsewhere. I haven't had a chance to verify any of it yet but judging by the source, I wouldn't question its authenticity.

Enjoy.

That was actually a pretty interesting read.

That is pretty interesting. Ive heard much of the 256 algos and seen that index on its own on other sites but never a description of how to make sense of it. I think the days of algos are over for new cars though. Some recent cars tuning software requires that you to purchase a key from the software vendor who presumably emulates the car and pull the key from a session with the official tools. Then there is newer security again which I suspect is occuring to tighten security with the upcoming generations of connected self driving vehicles that are on the horizon. This is looking like a possible end to diy tuning, but we'll see.

for GM, starting with some MY17 cars, they have switched to a 5 byte seed/key. In addition to the algorithm number discussed above, there is a security table now as well. Each security table has N number of algorithm rows similar to the old functionality. (a lot more to brute force) Additionally, these are *not* pre-fabricated. Each vendor is responsible to create their own security table and they do so by making a DLL file from a template. This also developers to gain security access and ensures that no one has "all" of the codes, etc. The only place which will have all of the codes will be GM and that is obscured behind the TIS2WEB application at this point.

Also, somewhere around MY20/21, you'll start seeing encrypted CAN and signed files, etc.

DIY tuning options for that stuff is going to be pretty bleak to be honest.

blundar wrote:Someone was kind enough to share this with me elsewhere. I haven't had a chance to verify any of it yet but judging by the source, I wouldn't question its authenticity.

Enjoy.

this document is old.
It is valid for cars until 2005
Can anyone have a description for cars 2009-2017?
Best Regards

navitel wrote:

blundar wrote:Someone was kind enough to share this with me elsewhere. I haven't had a chance to verify any of it yet but judging by the source, I wouldn't question its authenticity.

Enjoy.

this document is old.
It is valid for cars until 2005
Can anyone have a description for cars 2009-2017?
Best Regards

I believe I do. I am currently building my own tuning/research platform called "Sauve" ("Tuning with some f***ing class." Lol). From what I can tell (or rather have been told) it's legit. My platform is geared at least for now toward gen iv/v GM, as that is what I have to do my research on (2015 cruze 1.4t, e78 ecm) and a spare e78 that I have yet to build a bench harness for just yet. I also have my wfes '15 malibu to test my poc on when I get to that point. I have so far finished the authentication and logging modules, part of the UI, and other random bits (hardware autodect and configuration, support for everything DTC related, and a little bit of the logging), but I am bored with the DTC stuff at the moment and want to start digging into the UDS/ISOTP, etc etc modules.

That being said, I am pretty old school, have used hex editors a bunch, have done a bunch of reverse engineering on microcontrollers and ripping apart software and hardware to see how it works. One thing I am absolutely stupid on is how, if these algorithms are in fact good, I frikkin use them. Like, there are supposed 256 and this has as many, but like, how the f*** do I know which algorithm applies to a specific vehicle? I had read somewhere MONTHS ago in my daily, multiple hours obsession research, that you can basically use service 0x22 and request the, for lack of a better term, "id" that correlates to the proper algorithm to use. That is my first challenge. The next is how to apply the algorithm to the seed to spit out the key. I have successfully built a brute force tool, and it works, but obviously takes forever to figure it out, and even then, I still have no clue how to deduce the algorithm from the seed and key to know how the ecm and OEM tools just 'know' the right one to use, if there actually are multiple ones and not one badass universal one. Any help or pointers or links would be greatly appreciated.

Yes... before you say; I have searched. I have been researching this for literally the last year day in and day out, hours per day. to and from work, lunch breaks, late nights, during movies and fights. lol. This particular part has been my greatest hurdle, and I am thinking that the reason it's so hard for me to search for the correct answer is partially because I lack the terminology to describe to das googlez what I am trying to find.

Thanks a bunch fr any help you can give me. This site has been a MASSIVE help to me (I am an engineer by trade; network/linux and full stack, with a background in network security and telecomm), so this stuff for sure gets me all kinds of frisky. I have been spinning my wheels on this for a bout 3 months (the uds/0x27 stuff) and this is the first time I have reached out for help.

Thanks all!

You can get various IDs from a locked pcm and apply a lookup. Could use osid, hardware number, or vin depending what you know. Some or most of these algos probably were not used. Newer pcms use a 5 byte key which nobody including the major after markets know how to calculate. To figure it out log an oem tool, calc all the keys, see which algo lines up and add it to your lookup database.

Ya know that is what I figured dudes like hpt were doing. Get that type of ecu, flash the vin, flash it with an oem tool, get the key, and bam they are done. After everything I had researched that was the only logical way I could think of getting the key and deliver their licenses like that. Glad that if I understand it correctly that is the way and I guess I gotta buy some oem tools. I have a kess v2, a tactrix, a bunch of obdlink cables and dongles, waiting on a mongoose, but I suppose now I should cop a tech2 and whatever it's replacement is and monitor that on whatever I can get ahold of correct? I have a bunch of arduino and canbus shields and things like that so eavesdropping on that stuff isn't an issue. Any other things I should look out for?

Mdi or mdi 2 is the newer tool but it'll get expensive. Keep thinking, there is no one and only way. Nobody can teach or tell you everything. You will find the more you know it keeps getting harder to go deeper.

I wonder if it would help to take apart an ECM and look for a way to read the flash chip. Maybe with JTAG, BDM, or similar. Maybe by desoldering a chip and putting it into a standalone tool. I was right on the verge of desoldering the flash chip from a P59 when we got the BDM stuff figured out.

If you could get a firmware image that way, there's a chance you could find the communication code, and then find the seed/key code. One example might not be enough since the keys apparently are unique to each one, but depending on the information you already have, it might only take one example.