Open jglim opened 1 year ago
Note on DaimlerStandardSecurityAlgo:
This algo and DaimlerStandardSecurityAlgoRefG have implementation flaws that allow the generation parameter "K" to be extracted:
To do so, grab a copy of UnlockECU. In db.json, pick any DaimlerStandardSecurityAlgo definition, e.g. ANC_205M. Replace the "K" parameter with the known key (in the seed-key pair) and save. Using the same definition and known seed, the generated output value will be the original "K" parameter.
As an example, with a seed of 1122334455667788:
If K parameter = 996BBC90, key output is A891859C
If K parameter = A891859C, key output is 996BBC90
This snippet contains an example on how to programmatically:
For RefG, call DSSAG() instead of DSSA()
SW definitions for future implementation:
Reverse algo:
9079020203
9079022900
9079023701
9079026602
9079027202
9079023000
9079023801
9079026702
9079028101
0000000000000000 00 00 00 00 00 00 00 00
0000000000000001 01 00 00 00 00 00 00 00
0000000000000002 02 00 00 00 00 00 00 00
0000000000000003 03 00 00 00 00 00 00 00
0000000000000004 04 00 00 00 00 00 00 00
0123456789ABCDEF EF CD AB 89 67 45 23 01
Unknown 1:
9079020803
9079020903
9079022805
0000000000000000 26 3E C4 10 98 7F 68 9F
0000000000000001 77 A4 F5 61 4B EB 6E 56
0000000000000002 26 9E C4 14 98 7F 68 9F
0000000000000003 77 D4 F5 5E 4B EB 6E 56
0000000000000004 86 FE C3 38 98 7F 65 9F
0123456789ABCDEF A8 6F 31 25 F8 6B 97 4E
Unknown 2:
9079022705
0000000000000000 E3 AE F1 F3 56 5A 4D 0E
0000000000000001 16 A6 F1 CC 9B FA 4D C0
0000000000000002 16 9E F1 E9 9B FA 4D C0
0000000000000003 E3 96 F1 51 56 5A 4D 0F
0000000000000004 E3 CE F1 CB 54 5A 4B 0E
0123456789ABCDEF 6B A6 B5 C1 03 02 EC CD
Unknown 3:
9079024206
9079023706
0000000000000000 3D 9E 20 53 BB 45 58 FD
0000000000000001 3D A6 20 3D BB 45 58 FD
0000000000000002 3D AE 20 6F BB 45 58 FD
0000000000000003 3D B6 20 99 BB 45 58 FD
0000000000000004 3D BE 20 0B BB 45 58 FE
0123456789ABCDEF CA 66 50 E1 5F 6E 28 D2
Unknown 4:
9079024402
0000000000000000 6A 13 07 BF 77 66 54 71
0000000000000001 91 51 A9 98 C9 E4 AD 8A
0000000000000002 A0 63 07 6F 87 46 53 DD
0000000000000003 2E F9 A8 9A 19 D4 AD C9
0000000000000004 6A 73 07 A7 78 66 53 71
0123456789ABCDEF E5 BA 94 5F 4F 38 2D BB
Unknown 5:
9079025604
9079028704
9079025704
9079028904
0000000000000000 59 50 6F B4 AC B7 75 BB
0000000000000001 99 4C 6F 2C FE 47 75 EE
0000000000000002 9A 48 6F 30 FE 47 75 2E
0000000000000003 59 44 6F 9A AC B7 75 BB
0000000000000004 D9 80 6E DC A1 B7 76 BB
0123456789ABCDEF 0F E4 91 62 12 AF FF EC
Unknown 6:
9079027303
9079028001
9079027403
0000000000000000 0C D4 E6 0C 8F 88 C6 AA
0000000000000001 0C C8 E6 13 8F 88 C6 2A
0000000000000002 0C DC E6 1D 8F 88 C6 AA
0000000000000003 EA E0 E6 32 DB 78 C6 18
0000000000000004 0C C4 E6 EA 8F 88 C6 A9
0123456789ABCDEF A0 53 10 ED F4 01 F2 9C
ECU Name: IC907
Source file: IC907.smr-d
Additional context: Sergey (@Feezex) has been working on reversing the IC907. Some of his contributions for level 17 are already up (https://github.com/jglim/UnlockECU/commit/c32caddbbffa49dcefba3bef614c4156b00119cc).
Also from Feezex: Level 61 key is the seed array, reversed.