Ford ECU Security Access Bruteforcer

jakka
Posts: 53
Joined: Mon Dec 11, 2023 11:51 am
cars: 6FPAAAJGSW9E86101
Location: Aus

Ford ECU Security Access Bruteforcer

Post by jakka »

I have created a J2534 Tool for Bruteforcing 0x27 Security Access on Ford modules. Haven't implemented FEPS yet, so it will not work on a PCM, but other modules it will. Uses the keybag from the Ford hack and bruteforces service 0x27 with those keys and some others. Used an OBDxPro FT interface so that will definitely work with this.

Edit: Updated the GUI and have now implemented FEPS and added additional keys pulled from Forscan with Ghidra.


https://github.com/jakka351/Ford-ECU-Bruteforcer
Ford ECU Bruteforcer.exe
Last edited by jakka on Wed May 29, 2024 11:06 am, edited 2 times in total.
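
Added example (not part of the original post or of the linked tool): repeated key attempts against service 0x27 show up on the bus as negative responses `7F 27` carrying NRC 0x35, 0x36 or 0x37, so a bus logger can flag them per responding module. The candump-style log format, the CAN IDs, the threshold and the time window are assumptions, and the sample frames are constructed.

```python
import re
from collections import defaultdict, deque

# ISO 14229 (UDS) negative response codes relevant to SecurityAccess (0x27)
NRC_NAMES = {0x35: "invalidKey", 0x36: "exceededNumberOfAttempts",
             0x37: "requiredTimeDelayNotExpired"}
FRAME_RE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")

# Constructed sample capture (candump -L style); IDs and payloads are invented.
SAMPLE_LOG = """\
(100.000) can0 720#0227010000000000
(100.010) can0 728#056701A1B2C30000
(100.020) can0 720#0527021111110000
(100.030) can0 728#037F273500000000
(100.520) can0 720#0527022222220000
(100.530) can0 728#037F273500000000
(101.010) can0 728#037F273600000000
(101.510) can0 728#037F273700000000
(102.000) can0 7E8#037F273500000000
""".splitlines()

def security_access_failure(payload):
    """Return the NRC if payload is an ISO-TP single frame 7F 27 <tracked NRC>."""
    single = len(payload) >= 4 and (payload[0] >> 4) == 0 and (payload[0] & 0x0F) >= 3
    if single and payload[1:3] == b"\x7f\x27" and payload[3] in NRC_NAMES:
        return payload[3]
    return None

def detect_bruteforce(lines, threshold=3, window=5.0):
    """Alert when one responder sends >= threshold 0x27 failures within window s."""
    recent = defaultdict(deque)   # responder CAN ID -> timestamps of failures
    alerts = []
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if not m or len(m.group(3)) % 2:
            continue              # skip lines that are not well-formed frames
        ts, can_id = float(m.group(1)), int(m.group(2), 16)
        nrc = security_access_failure(bytes.fromhex(m.group(3)))
        if nrc is None:
            continue
        q = recent[can_id]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((can_id, ts, len(q), NRC_NAMES[nrc]))
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

A single failed key from one module (the 0x7E8 frame in the sample) stays below the threshold, while the run of failures from 0x728 raises an alert on the third and fourth response.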
darkman5001
Posts: 251
Joined: Sat Dec 18, 2021 8:15 am
cars: 2005 Yukon, 2004 Suburban, 2001 Tahoe, 2002 Envoy, 2006 Envoy, 2003 Lincoln LS
Location: New Jersey, USA

Re: Ford ECU Security Access Bruteforcer

Post by darkman5001 »

This is awesome. Great work and thanks for sharing. :thumbup:
Gatecrasher
Posts: 352
Joined: Sat Apr 25, 2020 6:09 am

Re: Ford ECU Security Access Bruteforcer

Post by Gatecrasher »

There's some Python seed-key code included with the same research paper. It came up with the same key result as Forscan when I tested it against my 2018 instrument cluster. I need to test it against a few other modules in my truck.

It's also pretty easy to get the secrets from the module firmware. At least the PPC based ones. I pulled the secret bytes from an 18 IPC, 17 BCM, and 17 gateway. The code was virtually identical in all three modules, despite coming from different suppliers. They were also stored in a contiguous block in all three modules. So if you can brute force level 1 for example, you can probably find the other levels with a simple search in a hex editor.

It's also possible to get some of the secret bytes if you know how to decrypt the IDS XML files. At least for modules that don't use the so-called "crypto algo". I think that just refers to how the secrets are stored in IDS. Because my IPC is one of those modules, and it uses the same old security algo for 27 01 and 27 03 in the actual module.
VX L67 Getrag
Posts: 2959
Joined: Sun Aug 02, 2009 9:16 pm
Location: Bayside, Melbourne, Victoria

Re: Ford ECU Security Access Bruteforcer

Post by VX L67 Getrag »

WOW this is a pretty cool tool, I've never had the need for it but I'm sure it will come in handy to plenty of people & maybe me someday too!
jakka
Posts: 53
Joined: Mon Dec 11, 2023 11:51 am
cars: 6FPAAAJGSW9E86101
Location: Aus

Re: Ford ECU Security Access Bruteforcer

Post by jakka »

I have now implemented FEPS for Ford Powertrain Control Module security access. Here is the updated version:

Ford ECU Bruteforcer.exe
VX L67 Getrag
Posts: 2959
Joined: Sun Aug 02, 2009 9:16 pm
Location: Bayside, Melbourne, Victoria

Re: Ford ECU Security Access Bruteforcer

Post by VX L67 Getrag »

As far as programming with all this stuff works I’ve been too reluctant to jump in to the shark pool… but the FEPS that needs crazy voltage jump hasn’t been needed when I tested read/write on bench but I’m sure I’ll be told that I’m incorrect!
jakka
Posts: 53
Joined: Mon Dec 11, 2023 11:51 am
cars: 6FPAAAJGSW9E86101
Location: Aus

Re: Ford ECU Security Access Bruteforcer

Post by jakka »

I believe somewhere in the realm of 12 volts is sometimes sufficient. But the book says 18.
jakka
Posts: 53
Joined: Mon Dec 11, 2023 11:51 am
cars: 6FPAAAJGSW9E86101
Location: Aus

Re: Ford ECU Security Access Bruteforcer

Post by jakka »

Have also created a JLR ECU Bruteforcer with keys from JLR SDD https://github.com/jakka351/JLR-ECU-Bruteforcer
NickZ
Posts: 6
Joined: Wed Jul 29, 2009 8:20 pm
cars: Vn Commodore
Subaru MY98 WRX
Hyundai Excel RWD V6 Turbo
Toyota Tarago
Subaru Sherpa
Kia Rio

Re: Ford ECU Security Access Bruteforcer

Post by NickZ »

Is it possible to get a little more information on how to make this work?
I've bought an OBDXPRO FT.
I'm unsure of the CAN address I'm supposed to use in the HEX ECU addresses.
I've used what is in the image, I get errors,
"ECU error occurred: index and length must refer to a location within a string. Parameter name: length2025-03-17 09:58:49.176. Key failed, trying next...
Security Access Error:Value of '484' is not valid for 'Value'.'Value' should be between 'minimum' and 'maximum'"
and the same Rx:00 00 07 20 is repeated.
Is this the expected behavior?
I am using a BA ECU and cluster on the bench with an engine simulator and the ECU is talking CAN happily to the Cluster and Forscan without problem.
jakka
Posts: 53
Joined: Mon Dec 11, 2023 11:51 am
cars: 6FPAAAJGSW9E86101
Location: Aus

Re: Ford ECU Security Access Bruteforcer

Post by jakka »

If you wanna message me on Facebook I can take a look at it remotely for you