Open cityba opened 2 years ago
@jglim could you make a version where the @Fezex code calls the sw0 version plus and generates a hash value from it to have 8-8 pairs?
Level 27 09 5C 97 A0 A5 52 FB 02 05 seed D8 F1 69 D6 8D 5D 17 B6 key
Level 27 0D C1 EB F4 F9 4C A0 A7 A6 seed 49 D4 BE 45 A0 B6 DF F3 key
Sw 2049022903 I hope that helps
@Feezex Did I find reference values, see any relationship between IC_204 sw and key? here again, perhaps the sw is inserted in the last 8 values as in IC172 ....... 57 49 4C 59?
sw0= 2049022903 seed= 5C97A0A552FB0205 key5=D8F169D68D5D17BA securitylevel=9 seed= C1EBF4F94CA0A7A6 key7=49D4BE45A0B6DFF3 securitylevel=13
sw0= 2129026108 seed= 212A2F38F98A8BD7 key5=775588C8850CF244 securitylevel=9 seed= 28C1050F7B52C7CE key7=1C12895D44EFDF54 securitylevel=13
For actively developing on the algorithm, it would be best to directly fetch a copy of the project from the repository, then edit and build it based on your hypothesis.
When there are solid leads (good example here), I will be able to step in to fit the algo into the project.
The 204 will likely require disassembling the firmware; from my observation, it has more steps and the algo cannot be fully derived from comparing seed/key pairs.
Hey guys, maybe this information will help to solve something out. When you have the Seed calculating for IC204 older ones, its working without problems. Even FVDI, CGDI can read / write the EEPROM in full. But newer coloured cluster, lets say W204 2014, will not work anymore by this Seed calculations or FVDI/CGDI. So in this way, you can downgrade the #P0 level to: 2049020003.cff and the seedkey unlock will work!
You can also do it this way: downgrade the P0 level to the file i wrote, take FVDI, CGDI or similar tools and you will be able to Read and Write the whole EEPROM! Of course after your changes on EEPROM you have done, you will have to Restore the Original P0 File. I have tested it myself on many coloured IC204 cluster from W204, W212 and W218. All succesfull, All alive ;)
I think this Tools i wrote are carrying this Algo / Seedunlock inside it, but they are not able to use it on unkown / newer cff Versions.
Hope this helps somehow to find the solution for IC204!
hey guys, I am currently also trying to find the algo for this ECU. So if I can do anything, please let me know. I am a complete newbie but maybe I can help somehow. I have a huge javascript background but really no idea about algos. Let me know if there is any way I can help.
if you know how, you can try to dissemble the tools Software mentioned upper. they should have all we need for it inside
Are there any articles I can read through? A list of Softwares I need for that would also be very helpful.
For now I only have some dlls like the IC_204_IC_204_01_51_11_00.dll
.
Is it useful?
So I have done some research. I have learned about the dll files, cff and cbf files. Which one shall I try to decompile? I tried to use binwalk on the cff files but with no luck...
i also would like to know. there any thing that i can help?
Hi , disassembling the firmware would be good but i think that the firmware is encrypted and is decrypted on the fly by the MCU during flash or update, if this is the case would be difficult to make progress . I've seen other paid solution for ic204,ic213... so the solution is somewhere need just to dig deeper . Maybe they have access to smr-d unlock files
2705 8-4 for Reprogramming (Version:93E1..4|97E1..4|94E1..3|A8E4) Development 2705 8-4 for Reprogramming (Version:13E4|13E5) Production 2705 8-4 for Reprogramming (Version:17E4|17E5|17E6) Production 2705 8-4 for Reprogramming (Version:14E6|14E7) Production 2705 8-4 for Reprogramming (Version:FFFF) Production
2701 8-8 for Unlock_ECU_Level_1 2703 8-8 for Unlock_ECU_Level_3 2709 8-8 for Unlock_EE_Data_Access 270D 8-8 for Unlock_EE_Data_Access
SW0 List: 2044420121 2044420221 2044420621 2044420721 2044420921 2044421121 2044421221 2044421521 2044421621 2044421921 2044422121 2044422221 2044422521 2044422621 2044422921 2044423021 2044423621 2044423721 2044423921
2049020003
2049020303
2049020703
2049021202
2049021203
2049022403
2049022600
2049022602
2049022700
2049022702
2049022903
2049023401
2049023500
2049023600
2049023903
2049024102
2049024301
2049024602
2049024802
2049025003
2049025403
2049026403
2049026503
2049027003
2049027103
2049027203
2049027401
2049027500
2049028202
2049028303
2049028501
2049028802
2049028902
2124420421 2124420721 2124421021
2129020302 2129020501 2129021909 2129022008 2129023005 2129023402 2129024109 2129026108 2129026203 2129026510 2129029710 2129029806
2189020500 2189021001 2189023500 2189025205 2189025400 2189026900 2189027600 2189027900 2189027903 2189028400
Hello Are there any results?
Hi,
Is There any News? May There is also something to Help Out?
Regards
The algorithm searches for solutions and ideas for levels 7 and 9. All we have to say is that the 8-8 seed-key pair needs the SW version, and I think it generates a hash value from the 4 pairs we get, which will be the key 8. I would also be interested in extracting the seed value or disassembling the key value.