Subaru SSM4 CMD_SecurityAccess

[jglim]

ECU Name Subaru ECUs that depend on SSM4 CMD_SecurityAccess

Source file SSM4, CMD_FhiCan.dll

Additional context Subaru ECU key material can now be extracted from SSM4 as the XML keys are now known. In their API definitions, there are typically two types of keys

• 16-byte AES key, used by CMD_SecurityAccess2018CY1, already addressed here
• 16 × u16, likely used by CMD_SecurityAccess, 4 input bytes, 4 output bytes. This is the target algo

I've ripped and tidied up the raw x86 instructions, and stuck them into a keygen template. As of right now, I am unable to test if it is working correctly as I do not have a known seed/key pair with an associated ECU ID/variant.

Help wanted! I would appreciate having seed/key pairs with the ECU variant (e.g. 12002/2EE2)

---

Here's the tool if you'd like to test the algo on your own: sandbox.zip. Windows-only, requires XP and above.

[jnewb1]

Here's some seed/key pairs from a 2021 Crosstrek eyesight module. ECU ID appears to be 12425. Tried your tool but couldn't get it to work for this ecu. Perhaps an endianness issue?

ca5616c0 3adfc8e0

ce0baaff 4bdfdae0

1f5e4b83 94dfd2e0

8a598591 0edfaae0

d121cfea dadfbfe0

9c11699b 9cdfb3e0

2714cb65 74df8ae0

47e5e9fe b0df95e0

[jglim]

Thanks! I've tried swapping the endianness of the inputs and variant keys and couldn't find a match too.

Are those seed/keys generated through SSM4? I'm curious if it is using the same algo as the rip (CMD_SecurityAccess in CMD_FhiCan.dll)

[jnewb1]

Thanks! I've tried swapping the endianness of the inputs and variant keys and couldn't find a match too.

Are those seed/keys generated through SSM4? I'm curious if it is using the same algo as the rip (CMD_SecurityAccess in CMD_FhiCan.dll)

Yes they are generated by ssm4. I'll try putting a breakpoint at CMD_SecurityAccess to verify