Page 2 of 6

Re: Seed key brute force program.

Posted: Wed Apr 28, 2021 11:54 am
by ironduke
Gampy wrote:Sorry, but that's just fudged up, why they make shit like that is beyond me, freaking control freaks.
The clones are hot glued in, genuines are not.. I'm guessing they glue them in so they don't fall out when they get thrown in a shipping container and sent over here, lol..

Re: Seed key brute force program.

Posted: Wed Apr 28, 2021 12:07 pm
by Gampy
I don't mean the glue gun construction, I mean running off the SD ... I assume you have to be connected to the internet to do it.

Re: Seed key brute force program.

Posted: Wed Apr 28, 2021 12:14 pm
by ironduke
Gampy wrote:I don't mean the glue gun construction, I mean running off the SD ... I assume you have to be connected to the internet to do it.
Nope, just be running the MDI manager.. no internet required.. No license, just the software and you can get it straight from Bosch..

Honestly not sure what the card is used for. Back 2-3 years ago I found out you could modify a file in the SD card and get a different serial number.. The clones all have the same serial and if you're in a shop with more than one it can be problematic since it's used wireless.. They had a firmware update later on that ended that, but you can still modify the serial # if you really want to, just nowhere near as easy. It does have data and info on it, and the MDI doesn't like booting without it, but it does have on board memory so??

Re: Seed key brute force program.

Posted: Thu Apr 29, 2021 12:12 am
by Gatecrasher
The SD card has the main MDI operating software. The onboard memory is only the initial bootloader and recovery kernel. It's like the difference between your BIOS and your main OS on your desktop.

I've been wondering something about these brute force programs. Pretty much all of the algorithms are known, right? So why do we need to do a brute force of the full key space? Why not just run the seed through the known algos and at least try those first before moving on to a true brute force attack? I had to do exactly this on a video processing module recently. The damn thing had to be allowed to go into a soft power off after every 2nd attempt, or else it would just keep throwing an 'exceeded number of attempts' error. I think it ended up working out to around 30 seconds per key. It would have taken a couple of weeks at that rate. So I ran the seed through the algos and came up with a list of ~512 possibilities. Had my key in a couple hours.

Re: Seed key brute force program.

Posted: Thu Apr 29, 2021 12:16 am
by ironduke
Gatecrasher wrote:The SD card has the main MDI operating software. The onboard memory is only the initial bootloader and recovery kernel. It's like the difference between your BIOS and your main OS on your desktop.

I've been wondering something about these brute force programs. Pretty much all of the algorithms are known, right? So why do we need to do a brute force of the full key space? Why not just run the seed through the known algos and at least try those first before moving on to a true brute force attack? I had to do exactly this on a video processing module recently. The damn thing had to be allowed to go into a soft power off after every 2nd attempt, or else it would just keep throwing an 'exceeded number of attempts' error. I think it ended up working out to around 30 seconds per key. It would have taken a couple of weeks at that rate. So I ran the seed through the algos and came up with a list of ~512 possibilities. Had my key in a couple hours.
That could be something to try first.. but I have needed it because I borked writing the bin.. Key was nowhere near one of the known algos.. And if it was locked with a key on purpose it wouldn't be one of the known algos..

Re: Seed key brute force program.

Posted: Thu Apr 29, 2021 12:26 am
by Gatecrasher
I get that. I'm not saying there's no need for it. I just keep seeing these days-long attempts mentioned in discussions about otherwise stock ECUs. Nobody ever mentions trying the known keys before moving on to a full brute force attack.

Re: Seed key brute force program.

Posted: Thu Apr 29, 2021 12:52 am
by ironduke
Gatecrasher wrote:I get that. I'm not saying there's no need for it. I just keep seeing these days-long attempts mentioned in discussions about otherwise stock ECUs. Nobody ever mentions trying the known keys before moving on to a full brute force attack.
Yeah, I pretty much know all the algos for the ECUs I'm working with but definitely get your point. I think I will work on adding a selection for unknown ECU, try all possible algos.. would be a lot quicker and I could even have it point out the algo.. Thanks for the idea..

I'm just posting this out since someone had asked for it and I'm trying to learn to code better, the more people to break it for me the better.. already finding out some shortcomings and working on error control and trying again instead of just quitting the program..

Re: Seed key brute force program.

Posted: Thu Apr 29, 2021 3:32 am
by gmtech825
Gatecrasher wrote:The SD card has the main MDI operating software. The onboard memory is only the initial bootloader and recovery kernel. It's like the difference between your BIOS and your main OS on your desktop.

I've been wondering something about these brute force programs. Pretty much all of the algorithms are known, right? So why do we need to do a brute force of the full key space? Why not just run the seed through the known algos and at least try those first before moving on to a true brute force attack? I had to do exactly this on a video processing module recently. The damn thing had to be allowed to go into a soft power off after every 2nd attempt, or else it would just keep throwing an 'exceeded number of attempts' error. I think it ended up working out to around 30 seconds per key. It would have taken a couple of weeks at that rate. So I ran the seed through the algos and came up with a list of ~512 possibilities. Had my key in a couple hours.
Currently I'm trying to brute force a key from a tuner-locked ECM. Previous owner traded the truck in without removing the tune/lock.

Re: Seed key brute force program.

Posted: Thu Apr 29, 2021 7:16 am
by Gampy
Gatecrasher wrote:I've been wondering something about these brute force programs. Pretty much all of the algorithms are known, right? So why do we need to do a brute force of the full key space? Why not just run the seed through the known algos and at least try those first before moving on to a true brute force attack? I had to do exactly this on a video processing module recently. The damn thing had to be allowed to go into a soft power off after every 2nd attempt, or else it would just keep throwing an 'exceeded number of attempts' error. I think it ended up working out to around 30 seconds per key. It would have taken a couple of weeks at that rate. So I ran the seed through the algos and came up with a list of ~512 possibilities. Had my key in a couple hours.
There is already a program out there that uses the known 2 byte algorithms and produces a key in seconds from a seed ... No need for another!

The need is for Tuner Locked (or unknowns), exactly what Ironduke has going on here ... I think it's also needed for VPW.

Unfortunately, At the moment I do not have a CAN setup, nor do I have a J-Tool ... Thus I cannot test!
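
The strategy Gatecrasher describes (run the seed through the known algorithms first, then fall back to a sweep of the 16-bit key space), together with ironduke's idea of having the tool report which algo matched and Gampy's point that the brute force is only needed for tuner-locked or unknown modules, as an added worked example. This is not ironduke's program and not Gampy's "already out there" tool. The transformation families and the constants in CONSTANTS are hypothetical stand-ins, not any real ECU's seed/key algorithm, and SimulatedEcu is a constructed model of the lockout behaviour in the thread (two attempts, then 'exceeded' until a power cycle). The 30 s per attempt figure is Gatecrasher's quoted rate.

```python
"""Seed/key search that tries known-algorithm candidates before a full brute force.

Added example for this thread; not ironduke's program. The transformation
families and constants below are hypothetical stand-ins, NOT any real ECU's
seed/key algorithm. SimulatedEcu is a constructed model of the lockout
behaviour described in the thread (two attempts per power cycle).
"""
from __future__ import annotations

MASK16 = 0xFFFF

# Hypothetical constants a 2-byte algorithm family might use (assumed, not real).
CONSTANTS = (0x0A0A, 0x1F1F, 0x5AA5, 0x7373, 0xA55A, 0xC3C3, 0xDEAD, 0xFFFF)


def rol16(v: int, n: int) -> int:
    """Rotate a 16-bit value left by n bits."""
    n %= 16
    return ((v << n) | (v >> (16 - n))) & MASK16


def swap_bytes(v: int) -> int:
    """Swap the high and low byte of a 16-bit value."""
    return ((v & 0xFF) << 8) | (v >> 8)


def candidate_keys(seed: int) -> list[tuple[str, int]]:
    """Run the seed through every known family and return (label, key) pairs.

    Duplicate key values are dropped so each one is sent only once; the label
    records which family produced it, so a hit also identifies the algo.
    """
    cands: list[tuple[str, int]] = []
    for c in CONSTANTS:
        cands.append((f"add:{c:#06x}", (seed + c) & MASK16))
        cands.append((f"sub:{c:#06x}", (c - seed) & MASK16))
        cands.append((f"xor:{c:#06x}", seed ^ c))
        cands.append((f"swap_add:{c:#06x}", (swap_bytes(seed) + c) & MASK16))
    for n in range(1, 16):
        cands.append((f"rol:{n}", rol16(seed, n)))
    seen: set[int] = set()
    unique: list[tuple[str, int]] = []
    for label, key in cands:
        if key not in seen:
            seen.add(key)
            unique.append((label, key))
    return unique


class SimulatedEcu:
    """Constructed stand-in for a locked module (not a real ECU).

    Accepts at most `attempts_per_cycle` key attempts, then answers
    'exceeded' until it is power cycled.
    """

    def __init__(self, seed: int, key: int, attempts_per_cycle: int = 2) -> None:
        self.seed = seed
        self._key = key
        self.limit = attempts_per_cycle
        self.attempts_this_cycle = 0
        self.total_attempts = 0
        self.power_cycles = 0

    def request_seed(self) -> int:
        return self.seed

    def send_key(self, key: int) -> str:
        if self.attempts_this_cycle >= self.limit:
            return "exceeded"
        self.attempts_this_cycle += 1
        self.total_attempts += 1
        return "ok" if key == self._key else "invalid"

    def power_cycle(self) -> None:
        self.power_cycles += 1
        self.attempts_this_cycle = 0


def search_key(ecu: SimulatedEcu, seconds_per_attempt: float = 30.0) -> dict:
    """Try the known-algo candidates first, then sweep the rest of the 16-bit space."""

    def attempt(key: int) -> str:
        # On 'exceeded', cycle power and retry the same key instead of quitting.
        while True:
            reply = ecu.send_key(key)
            if reply != "exceeded":
                return reply
            ecu.power_cycle()

    def result(stage: str, algo: str | None, key: int | None) -> dict:
        return {"stage": stage, "algo": algo, "key": key,
                "total_attempts": ecu.total_attempts,
                "power_cycles": ecu.power_cycles,
                "estimated_seconds": ecu.total_attempts * seconds_per_attempt}

    seed = ecu.request_seed()
    tried: set[int] = set()
    for label, key in candidate_keys(seed):
        tried.add(key)
        if attempt(key) == "ok":
            return result("known-algo", label, key)
    for key in range(0x10000):
        if key in tried:
            continue
        if attempt(key) == "ok":
            return result("brute-force", None, key)
    return result("exhausted", None, None)


def worst_case_days(seconds_per_attempt: float = 30.0) -> float:
    """Days to sweep the whole 16-bit key space at the quoted rate."""
    return 0x10000 * seconds_per_attempt / 86400


if __name__ == "__main__":
    seed = 0x1234
    print(search_key(SimulatedEcu(seed, seed ^ 0x5AA5)))  # hit in the candidate stage
    print(search_key(SimulatedEcu(seed, 0x0003)))         # falls through to brute force
    print(f"full sweep at 30 s/attempt: {worst_case_days():.1f} days")
```

The first run finds the key in the candidate stage and reports the family that produced it, which is the "point out the algo" feature; the second run (a key no family generates, standing in for a tuner lock) exhausts the candidates and only then starts the sweep, skipping keys already sent. Against a real module the send_key/power_cycle calls would be the diagnostic session and a controlled key-off, and the 'exceeded' handling is what keeps the tool from quitting mid-run.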

Re: Seed key brute force program.

Posted: Thu May 06, 2021 9:23 pm
by gmtech825
Tested the latest version. It worked great, and only took about 5 days.