
Re: Seed key brute force program.

Posted: Thu Jul 01, 2021 3:17 pm
by Chad
ironduke wrote: Posting up some code I wrote, looking for people to test it for me, make it crash, and tell me what I did wrong..

I wrote this for E38 ECUs but I believe it will work on any GM ECU with a 2 byte seed/key and with a 10 second timeout between tries..

Yes it could take up to 7 days, but hey, some of us have benches and nice power supplies so it runs in the background and does its thing..

If you have a different ECU and know the key please give this a whirl for me, you can start the key attempts close to the known key so it doesn't run forever and see how it works..

Wrote it to work with J2534 devices besides the GM MDI but that's all I have to test with..
ECU.BruteForcer.0.0.4.7z
skipped a few..
Was wondering mate what program, etc., or app will the brute forcer work with? When I download it on my laptop it asks to search for an app to open it, etc. Can you shed any light on this bud? Cheers
ECU.BruteForcer.0.0.7.7z
Made some revisions to the connection and made sure I added bytes to send a full 12 bytes. A member had trouble with an E67.
ECU.BruteForcer.0.0.8.7z

Re: Seed key brute force program.

Posted: Thu Jul 01, 2021 8:17 pm
by ironduke
https://www.7-zip.org/

That file is just compressed using freeware file compression software; once downloaded, you unzip/unpack it and then run it.

Re: Seed key brute force program.

Posted: Fri Jul 23, 2021 5:49 am
by craven_pwr
Can I use a J2534 to use this program.. I've got an Autel Pro.. ?

Thanks

Re: Seed key brute force program.

Posted: Fri Jul 23, 2021 7:14 pm
by antus
ironduke wrote:
Gatecrasher wrote:The SD card has the main MDI operating software. The onboard memory is only the initial bootloader and recovery kernel. It's like the difference between your BIOS and your main OS on your desktop.

I've been wondering something about these brute force programs. Pretty much all of the algorithms are known, right? So why do we need to do a brute force of the full key space? Why not just run the seed through the known algos and at least try those first before moving on to a true brute force attack? I had to do exactly this on a video processing module recently. The damn thing had to be allowed to go into a soft power off after every 2nd attempt, or else it would just keep throwing an 'exceeded number of attempts' error. I think it ended up working out to around 30 seconds per key. It would have taken a couple of weeks at that rate. So I ran the seed through the algos and came up with a list of ~512 possibilities. Had my key in a couple of hours.
That could be something to try first.. but I have needed it because I borked writing the bin.. The key was nowhere near one of the known algos.. And if it was locked with a key on purpose it wouldn't be one of the known algos..
^^ This. Tuners (typically dodgy ones with something to hide) usually use the tunerlock functions of aftermarket software that set the key to something that can't be calculated with standard algos. In the case of VPW PCMs you can short a couple of pins to corrupt the boot process and force recovery mode with no security, or you can use a tool like this.

Re: Seed key brute force program.

Posted: Fri Jul 23, 2021 10:37 pm
by ironduke
craven_pwr wrote: Can I use a J2534 to use this program.. I've got an Autel Pro.. ?

Thanks
It should work; that being said, give it a go and report back. Also let us know what ECU you're trying it with, whether it works or not, etc..

Re: Seed key brute force program.

Posted: Tue Jul 27, 2021 12:35 am
by craven_pwr
Failed to unlock using 0408 with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 0409 with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040A with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040B with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040C with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040D with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040E with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040F with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 0410 with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 0411 with response of 7F2736AAAAAAAA

I'm trying to unlock an E38 using an Autel Pro J2534 adapter.
This is what I'm getting when the program is running.
Does this look like normal responses?
I want to make sure that it is actually working on trying to unlock.

thanks
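To make sense of the lines pasted above, here is an added example (not ironduke's tool and not from the thread) that parses log lines of that exact shape and decodes the response bytes. It reads 7F 27 36 as a negative response (7F) to the SecurityAccess service (27) with negative response code 36; the NRC names used follow ISO 14229-1 and whether the E38 assigns them the same meaning is an assumption the thread does not confirm. The trailing AA bytes are treated as frame padding. The same parser then gives a defender's view of the session: many distinct keys sent in counting order against a seed that never changes, with nothing but negative replies, is the pattern a bus monitor would flag as key enumeration. The sample log is constructed to match the posted format, including the tool's own "Recieved" spelling so the regex matches real output.

```python
import re
from collections import Counter

# Constructed sample log, same shape as the lines craven_pwr posted (the
# tool's own "Recieved" spelling is kept so the parser matches real output).
SAMPLE_LOG = """\
Recieved 3A9C as seed
Failed to unlock using 0408 with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 0409 with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040A with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040B with response of 7F2736AAAAAAAA
Recieved 3A9C as seed
Failed to unlock using 040C with response of 7F2736AAAAAAAA
"""

SEED_RE = re.compile(r"^Recieved ([0-9A-Fa-f]{4}) as seed$")
FAIL_RE = re.compile(
    r"^Failed to unlock using ([0-9A-Fa-f]{4}) with response of ([0-9A-Fa-f]+)$"
)

NEGATIVE_RESPONSE_SID = 0x7F
SECURITY_ACCESS_SID = 0x27

# Negative response codes as named in ISO 14229-1 for SecurityAccess.
# Assumption: the E38 uses the same numbering; the thread does not say.
NRC_NAMES = {
    0x35: "invalidKey",
    0x36: "exceededNumberOfAttempts",
    0x37: "requiredTimeDelayNotExpired",
}


def decode_response(hex_payload):
    """Split a raw diagnostic response into its fields.

    A negative response is 7F <requested SID> <NRC> followed by padding
    (the AA bytes in the log fill the frame out to its full length).
    """
    data = bytes.fromhex(hex_payload)
    if len(data) >= 3 and data[0] == NEGATIVE_RESPONSE_SID:
        return {
            "negative": True,
            "service": data[1],
            "nrc": data[2],
            "nrc_name": NRC_NAMES.get(data[2], "unknown"),
        }
    if data:
        # Positive responses echo the request SID with 0x40 added.
        return {"negative": False, "service": data[0] - 0x40,
                "nrc": None, "nrc_name": None}
    raise ValueError("empty response")


def parse_log(text):
    """Return (seeds seen, list of (key tried, decoded response))."""
    seeds, attempts = [], []
    for line in text.splitlines():
        m = SEED_RE.match(line.strip())
        if m:
            seeds.append(int(m.group(1), 16))
            continue
        m = FAIL_RE.match(line.strip())
        if m:
            attempts.append((int(m.group(1), 16), decode_response(m.group(2))))
    return seeds, attempts


def assess(text, min_attempts=3):
    """Summarise the session and say whether it looks like key enumeration.

    The signal is many distinct keys sent to SecurityAccess with only
    negative replies, usually in counting order. A seed that never changes
    between attempts is reported too, since it gives the ECU no per-attempt
    variation to lean on.
    """
    seeds, attempts = parse_log(text)
    keys = [k for k, _ in attempts]
    neg_27 = [r for _, r in attempts
              if r["negative"] and r["service"] == SECURITY_ACCESS_SID]
    sequential = len(keys) > 1 and all(b - a == 1 for a, b in zip(keys, keys[1:]))
    return {
        "attempts": len(attempts),
        "distinct_keys": len(set(keys)),
        "sequential_keys": sequential,
        "static_seed": len(set(seeds)) == 1,
        "nrc_counts": dict(Counter(r["nrc_name"] for r in neg_27)),
        "brute_force_suspected": (
            len(neg_27) >= min_attempts
            and len(set(keys)) == len(keys)
            and len(neg_27) == len(attempts)
        ),
    }


if __name__ == "__main__":
    for field, value in assess(SAMPLE_LOG).items():
        print(f"{field}: {value}")
```

Run as-is it reports five sequential attempts, one static seed and every reply decoded as a negative response to service 0x27, which is the answer to the question asked above: the tool is talking to the ECU and being refused each time, exactly as a counting sweep should look. The `min_attempts` threshold is an arbitrary assumption for the example; a real monitor would tune it to the ECU's lockout behaviour.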

Re: Seed key brute force program.

Posted: Tue Jul 27, 2021 1:41 am
by ironduke
Yeah Craven, that looks right.. Unless you select differently it starts at 0000 and goes all the way to ffff (65535 combinations) at 10 seconds apart it could take up to 7 days.. It's not fast by any means.

Is it tuner-locked or bricked or messed up somehow? 0x6e66 should be the key if it's not modified or bricked or anything.. A few times I messed up, the seed was the same as the key; another time 0000 was the key.. This was all from doing stupid things to the ECU..

Re: Seed key brute force program.

Posted: Tue Jul 27, 2021 2:26 am
by craven_pwr
It's a used stock ECU from a junkyard.. I can get into it using my diag tools and read IDs and fault codes.. so I'm assuming that everything else is ok..

I tried the 6E66 key and it worked like a champ...
Thank you very much.
Do you know of any open source software that will allow me to read out these ECUs?

Re: Seed key brute force program.

Posted: Tue Jul 27, 2021 2:59 am
by ironduke
craven_pwr wrote: It's a used stock ECU from a junkyard.. I can get into it using my diag tools and read IDs and fault codes.. so I'm assuming that everything else is ok..

I tried the 6E66 key and it worked like a champ...
Thank you very much.
Do you know of any open source software that will allow me to read out these ECUs?
PowerPcm flasher here in the forum, written by Daniel, will read it and write calibration files to it.. As of yet it does not write OS files to it. It'll definitely get you started unless you need to change the OS.
viewtopic.php?f=3&t=6666&hilit=powerpcm

Tazzy here on this forum has another piece of software he's working on, but he's all set for beta testers, so you'll have to wait for it to be finished and on his website for purchase, or for another round of beta testing to volunteer for.. There are a lot of pages in that topic and some very neat info!!!
viewtopic.php?f=26&t=6416

Re: Seed key brute force program.

Posted: Tue Aug 17, 2021 1:51 pm
by julespatch
ironduke wrote: Yeah Craven, that looks right.. Unless you select differently it starts at 0000 and goes all the way to ffff (65535 combinations) at 10 seconds apart it could take up to 7 days.. It's not fast by any means.

Is it tuner-locked or bricked or messed up somehow? 0x6e66 should be the key if it's not modified or bricked or anything.. A few times I messed up, the seed was the same as the key; another time 0000 was the key.. This was all from doing stupid things to the ECU..
From memory, a few of the scrambled E38s I've had worked with 1000 as the key. Just flash a full file in with that and it's back.