jglim / UnlockECU

Free, open-source ECU seed-key unlocking tool.
MIT License

IC907 #27

Open jglim opened 1 year ago

jglim commented 1 year ago

ECU Name: IC907

Source file: IC907.smr-d

Additional context: Sergey (@Feezex) has been working on reversing the IC907. Some of his contributions for level 17 are already up (https://github.com/jglim/UnlockECU/commit/c32caddbbffa49dcefba3bef614c4156b00119cc)


Also from Feezex: Level 61 key is the seed array, reversed.

Used in IC907 level 61 (Unlock Eeprom Data Access)

Applicable SW1:

9079020203
9079022900
9079023701
9079026602
9079027202
9079023000
9079023801
9079026702
9079028101

jglim commented 1 year ago

Note on DaimlerStandardSecurityAlgo:

This algo and DaimlerStandardSecurityAlgoRefG have implementation flaws that allow the generation parameter "K" to be extracted:

To do so, grab a copy of UnlockECU. In db.json, pick any DaimlerStandardSecurityAlgo definition, e.g. ANC_205M. Replace the "K" parameter with the known key (in the seed-key pair) and save. Using the same definition and known seed, the generated output value will be the original "K" parameter.

As an example, with a seed of 1122334455667788:

If K parameter = 996BBC90, key output is A891859C
If K parameter = A891859C, key output is 996BBC90


This snippet contains an example on how to programmatically:

Program.cs

For RefG, call DSSAG() instead of DSSA()

Feezex commented 1 year ago

SW definitions for future implementation:

Reverse algo:

9079020203
9079022900
9079023701
9079026602
9079027202
9079023000
9079023801
9079026702
9079028101
0000000000000000        00 00 00 00 00 00 00 00 
0000000000000001        01 00 00 00 00 00 00 00 
0000000000000002        02 00 00 00 00 00 00 00 
0000000000000003        03 00 00 00 00 00 00 00 
0000000000000004        04 00 00 00 00 00 00 00 
0123456789ABCDEF        EF CD AB 89 67 45 23 01 

Unknown 1:

9079020803
9079020903
9079022805
0000000000000000        26 3E C4 10 98 7F 68 9F 
0000000000000001        77 A4 F5 61 4B EB 6E 56 
0000000000000002        26 9E C4 14 98 7F 68 9F 
0000000000000003        77 D4 F5 5E 4B EB 6E 56 
0000000000000004        86 FE C3 38 98 7F 65 9F 
0123456789ABCDEF        A8 6F 31 25 F8 6B 97 4E 

Unknown 2:

9079022705
0000000000000000        E3 AE F1 F3 56 5A 4D 0E 
0000000000000001        16 A6 F1 CC 9B FA 4D C0 
0000000000000002        16 9E F1 E9 9B FA 4D C0 
0000000000000003        E3 96 F1 51 56 5A 4D 0F 
0000000000000004        E3 CE F1 CB 54 5A 4B 0E 
0123456789ABCDEF        6B A6 B5 C1 03 02 EC CD 

Unknown 3:

9079024206
9079023706
0000000000000000        3D 9E 20 53 BB 45 58 FD 
0000000000000001        3D A6 20 3D BB 45 58 FD 
0000000000000002        3D AE 20 6F BB 45 58 FD 
0000000000000003        3D B6 20 99 BB 45 58 FD 
0000000000000004        3D BE 20 0B BB 45 58 FE 
0123456789ABCDEF        CA 66 50 E1 5F 6E 28 D2 

Unknown 4:

9079024402
0000000000000000        6A 13 07 BF 77 66 54 71 
0000000000000001        91 51 A9 98 C9 E4 AD 8A 
0000000000000002        A0 63 07 6F 87 46 53 DD 
0000000000000003        2E F9 A8 9A 19 D4 AD C9 
0000000000000004        6A 73 07 A7 78 66 53 71 
0123456789ABCDEF        E5 BA 94 5F 4F 38 2D BB 

Unknown 5:

9079025604
9079028704
9079025704
9079028904
0000000000000000        59 50 6F B4 AC B7 75 BB 
0000000000000001        99 4C 6F 2C FE 47 75 EE 
0000000000000002        9A 48 6F 30 FE 47 75 2E 
0000000000000003        59 44 6F 9A AC B7 75 BB 
0000000000000004        D9 80 6E DC A1 B7 76 BB 
0123456789ABCDEF        0F E4 91 62 12 AF FF EC 

Unknown 6:

9079027303
9079028001
9079027403
0000000000000000        0C D4 E6 0C 8F 88 C6 AA 
0000000000000001        0C C8 E6 13 8F 88 C6 2A 
0000000000000002        0C DC E6 1D 8F 88 C6 AA 
0000000000000003        EA E0 E6 32 DB 78 C6 18 
0000000000000004        0C C4 E6 EA 8F 88 C6 A9 
0123456789ABCDEF        A0 53 10 ED F4 01 F2 9C
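
The level 61 rule stated earlier in this thread ("key is the seed array, reversed"), checked against some of the seed/key pairs posted above. This is an added example, not part of the original thread and not UnlockECU's code. It assumes the left column is the 8-byte seed in hex and the right column is the key; the function names are hypothetical.

```python
# Added example (not from the thread or from UnlockECU): check the stated
# level 61 rule "key = seed array, reversed" against pairs quoted in the thread.
# Assumption: left column is the 8-byte seed in hex, right column is the key.

VECTORS = {  # values copied from the thread; group names are the comment's labels
    "Reverse algo": [
        ("0000000000000000", "00 00 00 00 00 00 00 00"),
        ("0000000000000001", "01 00 00 00 00 00 00 00"),
        ("0123456789ABCDEF", "EF CD AB 89 67 45 23 01"),
    ],
    "Unknown 1": [
        ("0000000000000000", "26 3E C4 10 98 7F 68 9F"),
        ("0123456789ABCDEF", "A8 6F 31 25 F8 6B 97 4E"),
    ],
    "Unknown 3": [
        ("0000000000000001", "3D A6 20 3D BB 45 58 FD"),
        ("0123456789ABCDEF", "CA 66 50 E1 5F 6E 28 D2"),
    ],
}

def reversed_seed_key(seed: bytes) -> bytes:
    """The rule as stated in the thread: the key is the seed array, reversed."""
    return seed[::-1]

def parse_pair(seed_hex: str, key_hex: str) -> tuple[bytes, bytes]:
    # bytes.fromhex skips the spaces used in the key column
    seed, key = bytes.fromhex(seed_hex), bytes.fromhex(key_hex)
    if len(seed) != 8 or len(key) != 8:
        raise ValueError("expected 8-byte seed and 8-byte key")
    return seed, key

def check_group(pairs) -> dict:
    parsed = [parse_pair(s, k) for s, k in pairs]
    fits = all(reversed_seed_key(s) == k for s, k in parsed)
    # A palindromic seed (e.g. all zeros) reverses to itself, so such a pair
    # cannot tell reversal apart from an identity mapping; count the rest.
    informative = sum(1 for s, _ in parsed if s != s[::-1])
    return {"fits": fits, "informative_pairs": informative}

def classify(vectors=VECTORS) -> dict:
    return {name: check_group(pairs) for name, pairs in vectors.items()}

if __name__ == "__main__":
    for name, result in classify().items():
        print(name, result)
```
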