Mondeo MK5 IPC
Hi,
I'm working on the Mondeo MK5 IPC at the moment, and I'm trying to brute force the seed key for it.
I already sniffed some seed/key pairs to test the keys, but in the end I get more than a thousand false positive keys.
Currently I'm brute forcing on 3 CPUs and still need about 4 days to test all the combinations.
Maybe someone already has the seed keys for this IPC?
Regards,
leader
Re: Mondeo MK5 IPC
Here are 12 seed/key pairs sniffed during an IPC update:
Just in case someone else wants to play with this IPC...
Code:
728#05670162DFBD0000
720#0527024BB81C0000
728#056701F677D70000
720#0527021508890000
728#0567016521FB0000
720#052702C1294F0000
728#056701BB2D4D0000
720#05270217C9980000
728#05670163A62E0000
720#05270229CF390000
728#0567012F1B930000
720#052702A228F00000
728#0567019E0AB70000
720#052702BCA6140000
728#0567014764080000
720#0527026FF0040000
728#0567012BB2E30000
720#0527025F9F260000
728#0567010FC8BE0000
720#052702C643140000
728#056701A7A1770000
720#05270207D0FA0000
728#0567014CFE290000
720#0527022FADC60000
Re: Mondeo MK5 IPC
Hi!
Try S-keys that I calculated for MK4: https://gist.github.com/Ursadon/8941ff5 ... e09f060eec
Not native English speaker
IPC hacker, embedded cracker, tamer of bears & beers
Re: Mondeo MK5 IPC
Ursadon wrote: ↑31 Jan 2020, 15:35
> Hi!
> Try S-keys that i calculated for MK4: https://gist.github.com/Ursadon/8941ff5 ... e09f060eec
I tested all of them, but they are not working.
I also tested with the seed algo extracted from motral's tools...
(I think it's similar to yours, but with different implementation)
Currently I'm brute forcing the keys on 3 CPUs, but it's really slow. I need at least 4-5 days to test all the combinations.
Another problem is that I have many false positive results (collisions); at the end I will have at least 20-30.000 keys.
Currently I test only one seed/key pair, but in the end I need to keep only the key(s) that work with all 12 of these seed/key pairs.
Re: Mondeo MK5 IPC
Does this dashboard have a JTAG?
Maybe it’s easier to dump firmware (PBL) and find the keys?
Not native English speaker
IPC hacker, embedded cracker, tamer of bears & beers
Re: Mondeo MK5 IPC
It's strange...
I already found 15254 keys with my brute force tool, back-tested on 2 key/seed pairs.
I tested all the found keys on my 12 key/seed pairs and all of them are working.
I also made the backtest with Ursadon's and "mortal's" implementation of the seed calculation algo.
Is it possible that more than one key can generate the same seed password?
Here are the first 10 seed keys if someone would like to play with them:
Code:
00 00 4A 77 22
00 01 7B 0C 79
00 02 28 81 94
00 03 19 FA CF
00 04 DF BB 6E
00 05 EE C0 35
00 06 BD 4D D8
00 07 8C 36 83
00 08 60 EE BB
00 09 51 95 E0
Re: Mondeo MK5 IPC
For CAN bus hacking I mainly use SocketCAN and can-utils on Linux.
So I created a small bash script to monitor IPC messages with the candump utility and calculate/send the seed password when needed:
Code:
#!/bin/bash
# Watch tester (0x720) and IPC (0x728) frames; candump prints: iface id [dlc] b0 b1 ...
candump can1,728:7ff,720:7ff | while read -r x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12; do
    echo "$x2 $x4 $x5 $x6 $x7 $x8 $x9 $x10 $x11 $x12"
    # IPC seed response: length 05, 0x67 0x01, then the 3 seed bytes in x7..x9
    if [ "$x2" = "728" ] && [ "$x4" = "05" ] && [ "$x5" = "67" ] && [ "$x6" = "01" ]; then
        # calcSeed (the poster's own utility) derives the 3-byte password from key + seed
        r=$(./calcSeed 00 00 4A 77 22 "$x7$x8$x9")
        cansend can1 "720#052702${r}0000"    # 0x27 0x02: send the password
        sleep 0.3
        cansend can1 720#1009340000000000    # ISO-TP first frame of a 9-byte 0x34 request
    fi
done
(calcSeed is my utility to calculate the seed password. I used the first seed key found here: 00004A7722)
During the execution of this script, in another terminal I send seed authentication request messages to the IPC with the following command:
Code:
cansend can1 720#0210020000000000; sleep 0.3; cansend can1 720#0227010000000000
I tested the authentication several times with different discovered seed keys and every time the password was accepted.
An example output of the authentication script:
Code:
root@homelab# bash send.sh
720 02 10 02 00 00 00 00 00
728 06 50 02 00 19 01 F4 00
720 02 27 01 00 00 00 00 00
728 05 67 01 1C 3D 06 00 00
720 05 27 02 31 C1 EE 00 00
728 02 67 02 00 00 00 00 00
720 10 09 34 00 00 00 00 00
728 30 00 00 00 00 00 00 00
720 02 10 02 00 00 00 00 00
728 06 50 02 00 19 01 F4 00
720 02 27 01 00 00 00 00 00
728 05 67 01 E4 3E BB 00 00
720 05 27 02 A4 3B DE 00 00
728 02 67 02 00 00 00 00 00
720 10 09 34 00 00 00 00 00
728 30 00 00 00 00 00 00 00
720 02 10 02 00 00 00 00 00
728 06 50 02 00 19 01 F4 00
720 02 27 01 00 00 00 00 00
728 05 67 01 DF B4 9B 00 00
720 05 27 02 97 61 D1 00 00
728 02 67 02 00 00 00 00 00
720 10 09 34 00 00 00 00 00
728 30 00 00 00 00 00 00 00
And finally here are all the 15254 keys discovered until now:
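The frames posted in this thread follow the UDS SecurityAccess pattern: the IPC answers `67 01` with a 3-byte seed and the tester replies `27 02` with a 3-byte password, both readable in clear text on the bus. As an added example (not code from any poster), this Python parser pulls seed/password pairs out of both frame notations used above and checks whether any seed was issued twice; the function names are illustrative.

```python
import re
from collections import Counter

REQ_ID, RESP_ID = 0x720, 0x728  # tester -> IPC and IPC -> tester, as in the thread
FRAME_RE = re.compile(r"([0-9A-Fa-f]{3})(?:#|\s+)((?:[0-9A-Fa-f]{2}\s*){1,8})")

# Frames copied from the posts above: two "ID#DATA" pairs and one logged exchange.
SAMPLE = """\
728#05670162DFBD0000
720#0527024BB81C0000
728#056701F677D70000
720#0527021508890000
720 02 27 01 00 00 00 00 00
728 05 67 01 1C 3D 06 00 00
720 05 27 02 31 C1 EE 00 00
728 02 67 02 00 00 00 00 00
720 10 09 34 00 00 00 00 00
""".splitlines()

def parse_frame(line):
    """Return (can_id, data) for 'ID#HEX' or 'ID b0 b1 ...' lines, else None."""
    m = FRAME_RE.fullmatch(line.strip())
    if not m:
        return None
    return int(m.group(1), 16), bytes.fromhex("".join(m.group(2).split()))

def extract_pairs(lines):
    """Pair each 67 01 seed response with the 27 02 key request that follows it."""
    pairs, seed = [], None
    for frame in filter(None, map(parse_frame, lines)):
        can_id, data = frame
        if data[0] >> 4 != 0:            # not an ISO-TP single frame (e.g. 10.., 30..)
            continue
        payload = data[1:1 + (data[0] & 0x0F)]
        if can_id == RESP_ID and payload[:2] == b"\x67\x01" and len(payload) > 2:
            seed = payload[2:]
        elif can_id == REQ_ID and payload[:2] == b"\x27\x02" and seed is not None:
            pairs.append((seed.hex().upper(), payload[2:].hex().upper()))
            seed = None
    return pairs

def repeated_seeds(pairs):
    """Seeds the ECU issued more than once (a seed freshness check)."""
    counts = Counter(seed for seed, _ in pairs)
    return sorted(s for s, n in counts.items() if n > 1)

if __name__ == "__main__":
    for seed, key in extract_pairs(SAMPLE):
        print(f"seed={seed} key={key}")
```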
Re: Mondeo MK5 IPC
Hope this is of some interest: MK5 IPC just got running on the bench.
Just making a start on trying to dump data, currently making up leads.
Last edited by Stevebe on 12 Feb 2020, 16:19, edited 1 time in total.
Digimod