Vin protection

[peter]

a python script can do it for you

[Stevebe]

a python script can do it for you

I’m no good with code But I have found a ton of python snippets. That read code write code and various other ..
I have tried running a few canned scripts which seem quite good, so I’ll have a play ..
Thanks for the heads up btw

[Stevebe]

Code: Select all

#include <stdio.h>

typedef unsigned long DWORD;
typedef unsigned short WORD;

#define LOWORD(a) ((WORD)(a))
#define HIWORD(a) ((WORD)(((DWORD)(a) >> 16) & 0xFFFF))

int calc(unsigned int a1, char a2)
{
  return (a1 << (32 - a2)) | (a1 >> a2);
}

int main() {
  char VIN[] = "WF0EXXGXXY8X12345";
  int x =0, i;
  for (i=0; i<17; i++)
    x+=calc(VIN[i],i+1);
  unsigned char x1 = (HIWORD(x)+x) &  0xff;
  unsigned char x2 = ((HIWORD(x)+x) >> 0x08) & 0xff;
  printf("0xd59f6: %08X\n", x1);
  printf("0xd59EE: %08X\n", x2);
  printf("0xd5b48: %08X\n", x1);
  printf("0xd5b40: %08X\n", x2);
};

Save to text rename to main.cpp open power shell with admin win10 pro rights go to folder with main.cpp and Type
g++ -std=c++11 -Wall Main.cpp -o Main.exe
Then Type main.exe .. it’s all good fun. You will need GCC (MingW / GNU GCC). Compiler

[leader]

Save to text rename to main.cpp open power shell with admin win10 pro rights go to folder with main.cpp and Type
g++ -std=c++11 -Wall Main.cpp -o Main.exe
Then Type main.exe .. it’s all good fun

Welcome

I never compiled it on windows, only on OSX and Linux with gcc...
It's just a POC code, you need to recalculate crc and checksum (optional) for the vbf....

[leader]

I received a question in PM about howto extract the VBF files from the MondeElmLoader.exe.
It's a very simple method....

The VBF files are stored as resource in the MondeElmLoader.exe file. So you need to open the exe with a Resource Editor and save the firmwares with it.

Or here is a simple PHP function to do the task:

Code: Select all

function getVBF($content) {
  $offset = strrpos($content, "vbf_version");
  if ($offset === false) {
    return false;
  }
  $size = unpack("Iint", substr($content, $offset-4, 4))["int"];
  return substr($content,$offset, $size);
}

Where $content variable stores the content of the MondeoElmLoader.exe file and the function will return the extracted content of the VBF file.

The algorithm is simple:
You need to search for string pattern "vbf_version" in the exe file. This is the offset of the VBF file.
Because is stored as resource, the 4 bytes before the offset stores the size of the VBF file (size of the binary resource).
So you need to save the "size" count of bytes from the "offset".

The "vbf_version" pattern can be found twice in the program because the SBL is stored as well in the program.
On the first offset there will be the SBL and the seconds one is the EXE or DATA vbf file...
Because we need only the second VBF file for this reason function search for the pattern from the end of the file backward (strrpos()).

Thats all folks

[Stevebe]

I will certainly have a look I’m only lerning slowly I’ll keep trying, I haven’t played with PHP much

[tasicky]

Thats all folks

Your method will not work with the latest conversMOD files.
In new version VBF files are included as resource and encrypted. Encrypter is included inside as binary module.

The config.dat file is also encrypted using the same module.The config.dat file contains VIN, IPC serial number, expiration date of the loader, number of uploads to IPC.

[leader]

Your method will not work with the latest conversMOD files.
In new version VBF files are included as resource and encrypted. Encrypter is included inside as binary module.

The config.dat file is also encrypted using the same module.The config.dat file contains VIN, IPC serial number, expiration date of the loader, number of uploads to IPC.

Yes that right, the latest MondeoElmLoader.exe stores the VBF files in encrypted forms. I'm able to decrypt them but I not modified my automatic code to handle these exe files, because I already unpacked/unprotected VBF files from about 350-400 MondeoElmLoader.exe in the last years. And I think I have almost all the modifications... I not worked on convers mods since long time...
For the license file I have also created the keygen, and it's possible to make an unlimited license file also...

Another easy way to obtain the modified firmware is to use the MondeoElmTester program which will read the content of the firmware from the IPC and stores all the CAN messages int the log file. With a simple bash script you can regenerate the whole firmware from the CAN messages....
Based on m0rtal's tester program I also created my little program to read/write the vbs files and now there is the IPC Updater tool developed here on the forum which can also read the firmware from any Convers+ IPC.

[leader]

Fortunately m0tral develops his stuff in .NET.
So after unpacking and reversing the .NET source code you can learn a lot of things about programing and seed key calculations of several Ford modules.

[DGAlexandru]

So after unpacking and reversing the .NET source code

I tried this a long time ago but couldn't get a pseudo code that I could understand in order to build a working seed key calculator.