Update IPC

IPC - Instrument cluster panels (like Convers+)
Ursadon
Active member
Posts: 81
Joined: 10 Mar 2019, 19:23

Re: Update IPC

Post by Ursadon »

oscarboiro wrote: 13 Apr 2019, 11:28
I tried several times and it always repeats the same codes; I tried around 35 times and only have these codes:
Thank you!
I tried to brute-force with your seed/key values and got many s1-s5 keys, which seem to be correct. But when I use them for 0xBAABEF (Go4IT's dump), the key is invalid, so I'm stuck.
scr_2019-04-14 09-51-37.png
Not native English speaker :cry:
IPC hacker, embedded cracker, tamer of bears & beers
oscarboiro
Active member
Posts: 123
Joined: 19 Feb 2019, 21:50

Re: Update IPC

Post by oscarboiro »

I'm interested in calculating it in my Arduino sketch and trying to write to my instrument cluster. What code do I need to copy into my project?
Kuga MK1 owner
oscarboiro
Active member
Posts: 123
Joined: 19 Feb 2019, 21:50

Re: Update IPC

Post by oscarboiro »

Hello, I have a problem with my Arduino sketch calculating the SEED with the keygen from this post:
Ursadon wrote: 13 Apr 2019, 07:29
Go4IT wrote: 09 Apr 2019, 15:28
I don't expect those old Ford modules to be the smartest, nor that they really expected hackers in those days, but surely they implemented brute-force detection and simply lock down the module until reset.

I will go digging a bit deeper into this seed thing. Let's see what I can find out. What do you use for those pen-testing tasks? How did you automate it? I'm thinking about using my most-liked USB/CAN board, an STM32 micro emulating SLCAN, and writing some PHP scripts to do it, because for me it's the leanest way.

As soon as I get some results I will post them back here.
There is no brute-force detection. I got the seeds using Br@y terminal (http://sites.google.com/site/terminalbpp/) by spamming the secureAccess command via ELM327.

So I found the key generation algorithm: a Galois LFSR with a modified multiplier.
Here is an implementation in C: https://gist.github.com/Ursadon/92b9b5e ... 5dd963f35f

I tried to brute-force the constants s1-s5 using a 32-core server; it took ~7 hours, but I got too many results. So I need more dumps with successful secureAccess to crack the algo.
After copying it into my Arduino sketch I have this error: expected initializer before 'LFSR'

Do I need an LFSR library? Is the code only for C#, or is it valid for Arduino?
Kuga MK1 owner
Ursadon
Active member
Posts: 81
Joined: 10 Mar 2019, 19:23

Re: Update IPC

Post by Ursadon »

oscarboiro wrote: 30 Apr 2019, 08:49
After copying it into my Arduino sketch I have this error: expected initializer before 'LFSR'

Do I need an LFSR library? Is the code only for C#, or is it valid for Arduino?
Hi! I apologize for the delay - I finished my studies at the institute :)

That is pseudo-C code.
Here is C code which you can use: https://gist.github.com/Ursadon/8c55972 ... efa037fabb

Also:
1) I cracked all secret keys for (probably) all modules in Ford: https://gist.github.com/Ursadon/8941ff5 ... e09f060eec
For the IPC, use the second key.
2) I made my own CANhacker, so the development process will go faster :)
Not native English speaker :cry:
IPC hacker, embedded cracker, tamer of bears & beers
Go4IT
Pro
Posts: 967
Joined: 08 Feb 2019, 12:25

Re: Update IPC

Post by Go4IT »

Extremely cool job done, Ursadon!! I'm really impressed :)
Stevebe
Pro
Posts: 258
Joined: 08 Feb 2019, 12:28

Re: Update IPC

Post by Stevebe »

I don't like to show my ignorance, but can someone explain what is meant by seeds? I can gather that Oscar has made a big step forward, but it has gone over my head. I keep reading and trying to learn, but I think I'm getting too old, or I'm just stupid...
Steve
Digimod
Ursadon
Active member
Posts: 81
Joined: 10 Mar 2019, 19:23

Re: Update IPC

Post by Ursadon »

Stevebe wrote: 25 May 2019, 23:04
I don't like to show my ignorance, but can someone explain what is meant by seeds? I can gather that Oscar has made a big step forward, but it has gone over my head. I keep reading and trying to learn, but I think I'm getting too old, or I'm just stupid...
Steve
It's okay, now I will explain in my bad English. For most private UDS functions, like WriteDataByAddress/ReadMemoryByAddress, RoutineControl, RequestDownload, TransferData, etc., you need to authenticate via the SecurityAccess procedure.
This procedure includes 4 steps:
1) the client (PC) requests the “seed” by sending the SecurityAccess request service ID "0x27 0x01" to the module
2) the server (CAN module) sends the “seed”, a 1-5 byte random value
3) the client sends the “key” (appropriate for the seed received), computed by performing some math operation on the seed. For example, multiply the seed by 128 (128 is the secret value; only factory staff know this value);
4) the server responds that the “key” was valid (by performing the same math operation) and that it will unlock itself.
Now you can execute secured functions.

This is how it looks in the dump:
Выделение_003.png
The difficulty is that it is almost impossible to crack an encryption algorithm. But since our modules use only 3 bytes for the key, and there is software in which it is implemented (Ford IDS), the complexity is significantly reduced :)

Now I'm trying to download a secondary bootloader to download other software (main ROM, extended flash).

P.S. The IPC doesn't support the ReadMemoryByAddress routine, so we can't read memory via CAN. It seems that the odometer correction procedure can only be run via the UDS RoutineControl procedure, by making our own SBL which will perform the I2C write function located in the main firmware of the IPC.
Not native English speaker :cry:
IPC hacker, embedded cracker, tamer of bears & beers
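The four-step exchange Ursadon describes above, as an added example that is not part of the original post or of his gist: a toy SecurityAccess client and server in Python. The service, sub-function and negative-response codes (0x27/0x67/0x7F, NRC 0x24/0x35/0x36/0x37) are the standard ISO 14229 values; the key function, the secret constant and the scripted seeds are constructed placeholders, not the Ford algorithm discussed in this thread. The server side also shows what the attempt counter Go4IT expected (and Ursadon found missing) looks like: a seed is single use, so a captured key cannot be replayed, and after three wrong keys the module answers exceededNumberOfAttempts and refuses to hand out new seeds.

```python
"""Toy UDS SecurityAccess (service 0x27) seed/key exchange, client and server side.

Added example, not code from the thread or from Ford. Byte values for the
service, sub-functions and NRCs come from ISO 14229; the key function and
secret are constructed stand-ins for the real (undisclosed) algorithm.
"""
import hmac
import secrets

SID = 0x27                      # SecurityAccess request
SID_POS = SID + 0x40            # 0x67: positive response SID
SID_NEG = 0x7F                  # negative response
SUB_REQUEST_SEED = 0x01
SUB_SEND_KEY = 0x02
NRC_SUBFUNCTION_NOT_SUPPORTED = 0x12
NRC_REQUEST_SEQUENCE_ERROR = 0x24
NRC_INVALID_KEY = 0x35
NRC_EXCEEDED_ATTEMPTS = 0x36
NRC_TIME_DELAY_NOT_EXPIRED = 0x37
SEED_LEN = 3                    # the IPC in the thread uses 3-byte seeds and keys
MAX_ATTEMPTS = 3                # hypothetical lockout threshold (the real IPC has none)
SECRET = 0x1B3A5D               # constructed secret; odd, so the toy key function is a bijection


def toy_key(seed: bytes) -> bytes:
    """Constructed stand-in for the real key function: seed * SECRET mod 2^24."""
    return ((int.from_bytes(seed, "big") * SECRET) & 0xFFFFFF).to_bytes(SEED_LEN, "big")


def nrc(code: int) -> bytes:
    """Negative response: 7F <requested SID> <NRC>."""
    return bytes([SID_NEG, SID, code])


class SecurityAccessServer:
    """Server (ECU) side: hands out single-use seeds and counts failed keys."""

    def __init__(self, seed_source=secrets.token_bytes):
        self.seed_source = seed_source      # callable(n) -> n random bytes
        self.pending_seed = None
        self.failed = 0
        self.locked = False
        self.unlocked = False

    def handle(self, req: bytes) -> bytes:
        sub = req[1]
        if sub == SUB_REQUEST_SEED:
            if self.locked:
                return nrc(NRC_TIME_DELAY_NOT_EXPIRED)
            if self.unlocked:                # ISO 14229: already unlocked -> all-zero seed
                return bytes([SID_POS, sub]) + bytes(SEED_LEN)
            self.pending_seed = self.seed_source(SEED_LEN)
            return bytes([SID_POS, sub]) + self.pending_seed
        if sub == SUB_SEND_KEY:
            if self.locked:
                return nrc(NRC_EXCEEDED_ATTEMPTS)
            if self.pending_seed is None:    # key sent without a preceding seed request
                return nrc(NRC_REQUEST_SEQUENCE_ERROR)
            expected = toy_key(self.pending_seed)
            self.pending_seed = None         # seed is single use: a captured key cannot be replayed
            if hmac.compare_digest(expected, req[2:]):
                self.failed, self.unlocked = 0, True
                return bytes([SID_POS, sub])
            self.failed += 1
            if self.failed >= MAX_ATTEMPTS:
                self.locked = True
                return nrc(NRC_EXCEEDED_ATTEMPTS)
            return nrc(NRC_INVALID_KEY)
        return nrc(NRC_SUBFUNCTION_NOT_SUPPORTED)


def client_unlock(server: SecurityAccessServer, key_func=toy_key):
    """Client (tester) side: request seed, compute key, send key. Returns (seed, key, response)."""
    resp = server.handle(bytes([SID, SUB_REQUEST_SEED]))
    if resp[0] == SID_NEG:
        return None, None, resp
    seed = resp[2:]
    key = key_func(seed)
    return seed, key, server.handle(bytes([SID, SUB_SEND_KEY]) + key)


def scripted_seeds(*seeds):
    """Constructed, predictable seed source for the demo; a real ECU must use a good RNG."""
    it = iter(seeds)
    return lambda n: next(it, None) or secrets.token_bytes(n)


def demo() -> dict:
    out = {}
    # 1. A tester that knows the key function unlocks the module (seed value taken from the thread).
    ecu = SecurityAccessServer(scripted_seeds(bytes.fromhex("4a550f")))
    _seed, key, resp = client_unlock(ecu)
    out["unlock"] = resp.hex()                                  # 67 02
    # 2. Replaying the captured key against a fresh seed fails: the key is bound to the seed.
    ecu = SecurityAccessServer(scripted_seeds(bytes.fromhex("baabef"), b"\x01\x02\x03", b"\x0a\x0b\x0c"))
    ecu.handle(bytes([SID, SUB_REQUEST_SEED]))
    out["replay"] = ecu.handle(bytes([SID, SUB_SEND_KEY]) + key).hex()   # 7F 27 35
    # 3. More wrong keys reach the attempt limit; after that, seed requests are refused.
    for _ in range(MAX_ATTEMPTS - 1):
        ecu.handle(bytes([SID, SUB_REQUEST_SEED]))
        resp = ecu.handle(bytes([SID, SUB_SEND_KEY]) + b"\x00\x00\x00")
    out["lockout"] = resp.hex()                                 # 7F 27 36
    out["seed_while_locked"] = ecu.handle(bytes([SID, SUB_REQUEST_SEED])).hex()  # 7F 27 37
    return out


if __name__ == "__main__":
    for step, response in demo().items():
        print(f"{step:18s} {response}")
```

The `hmac.compare_digest` call is deliberate: a byte-by-byte comparison that bails out on the first mismatch leaks timing information about how much of the key was right, which is exactly what a challenge-response scheme is supposed to deny.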
Stevebe
Pro
Posts: 258
Joined: 08 Feb 2019, 12:28

Re: Update IPC

Post by Stevebe »

Thanks so much Ursadon, now I see how the word “SEED” is being used, I think I understand. I'll read up more on the subject. I'm playing a lot with the IPC (on my Ford Galaxy).
I did manage to convert a diesel IPC to petrol by reprogramming the 16c24. I have not found the flag bit yet that sets the difference for the tacho, 6k to 8k. When I compare the 2 files, it seems there are a lot of parts that are the same but shifted,
so trying to find the flag or difference is difficult, as I'm not well versed in software; I'm trying to teach myself.
I'm ok with hardware...
My IPC unit
Digimod
Go4IT
Pro
Posts: 967
Joined: 08 Feb 2019, 12:25

Re: Update IPC

Post by Go4IT »

One important key concept is how to address a specific module to initiate a session. As you know, CAN is a message-oriented protocol where only the sender has an ID; there is no addressing scheme to specify the receiver of a message. In UDS, to do the trick, each module reads UDS frames with a special CAN ID, which is given to a single module only.

Here is a list of all known UDS (also OBD) IDs of the Mondeo MK4:
https://mk4-wiki.denkdose.de/artikel/ca ... us_modules

As used in the OBD protocol, the receiver answers with a message 8 bytes above the request ID. So if 0x720 is used to address the IPC, it answers with a message with CAN ID 0x728.
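The request/response pairing Go4IT describes, as an added example (not code from the thread or from the linked wiki): a Python parser for candump-style text that decodes ISO-TP single frames, classifies each UDS payload as a request, a positive response or a negative response, and matches responses to requests with the +8 rule. The log lines are constructed for the example; 0x720/0x728 are the IPC IDs from the post above, 0x7E0/0x7E8 are the standard OBD engine-controller pair, and the key bytes inside the frames are made up. The last function counts invalidKey answers per module, which is the signal a lockout counter in the module (or a monitor on the bus) would react to.

```python
"""Pair UDS requests with their responses in a CAN text log using the request-ID + 8 rule.

Added example, not from the thread. Log lines are constructed in candump
format; ISO-TP single-frame decoding follows ISO 15765-2 and the SID
conventions (positive = SID + 0x40, negative = 0x7F) follow ISO 14229.
"""
import re

RESPONSE_OFFSET = 8            # response CAN ID = request CAN ID + 8 (0x720 -> 0x728)

# Constructed capture: IPC (0x720/0x728) and engine controller (0x7E0/0x7E8) interleaved.
CONSTRUCTED_LOG = """\
(1556000000.001) can0 720#0227010000000000
(1556000000.002) can0 7E0#023E000000000000
(1556000000.010) can0 728#056701BAABEF0000
(1556000000.011) can0 7E8#027E000000000000
(1556000000.050) can0 720#052702A1B2C30000
(1556000000.060) can0 728#037F273500000000
(1556000000.100) can0 720#0227010000000000
(1556000000.110) can0 728#0567014A550F0000
(1556000000.150) can0 720#0527021122330000
(1556000000.160) can0 728#0267020000000000
"""

LINE_RE = re.compile(r"\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)")


def parse_frame(line: str):
    """candump text line -> (timestamp, can_id, data bytes), or None if it is not a frame."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])


def isotp_single_frame_payload(data: bytes):
    """Return the UDS payload of an ISO-TP single frame (PCI high nibble 0), else None."""
    if not data or data[0] >> 4 != 0:
        return None                      # first/consecutive/flow-control frames are not handled here
    n = data[0] & 0x0F
    if n == 0 or n > len(data) - 1:
        return None
    return data[1:1 + n]


def classify(payload: bytes) -> dict:
    """Tell a request from a positive or negative response by its first byte."""
    sid = payload[0]
    if sid == 0x7F and len(payload) >= 3:
        return {"kind": "negative", "service": payload[1], "nrc": payload[2]}
    if sid >= 0x40:
        return {"kind": "positive", "service": sid - 0x40}
    return {"kind": "request", "service": sid}


def pair_transactions(log_text: str) -> list:
    """Match each response to the outstanding request on (response ID - 8)."""
    pending = {}                          # request CAN ID -> (ts, payload, decoded)
    transactions = []
    for line in log_text.splitlines():
        frame = parse_frame(line)
        if frame is None:
            continue
        ts, can_id, data = frame
        payload = isotp_single_frame_payload(data)
        if payload is None:
            continue
        info = classify(payload)
        if info["kind"] == "request":
            pending[can_id] = (ts, payload, info)
            continue
        req_id = can_id - RESPONSE_OFFSET
        if req_id not in pending:         # response with no request seen: still worth recording
            transactions.append({"request_id": None, "response_id": can_id, "service": info["service"],
                                 "request": None, "response": payload.hex(), "result": info["kind"]})
            continue
        ts_req, req_payload, req_info = pending.pop(req_id)
        result = "positive" if info["kind"] == "positive" else f"negative nrc=0x{info['nrc']:02X}"
        transactions.append({
            "request_id": req_id, "response_id": can_id, "service": req_info["service"],
            "request": req_payload.hex(), "response": payload.hex(), "result": result,
            "latency_ms": round((ts - ts_req) * 1000, 1),
        })
    return transactions


def invalid_key_counts(transactions: list) -> dict:
    """Count SecurityAccess invalidKey (NRC 0x35) answers per responding module."""
    counts = {}
    for t in transactions:
        if t["service"] == 0x27 and t["result"].endswith("0x35"):
            counts[t["response_id"]] = counts.get(t["response_id"], 0) + 1
    return counts


if __name__ == "__main__":
    txs = pair_transactions(CONSTRUCTED_LOG)
    for t in txs:
        print(f"{t['request_id']:#05x} -> {t['response_id']:#05x}  SID {t['service']:#04x}  "
              f"{t['request']} / {t['response']}  {t['result']}")
    print("invalidKey per module:", {hex(k): v for k, v in invalid_key_counts(txs).items()})
```

Pairing by ID rather than by arrival order matters on a real bus: the engine controller's TesterPresent reply lands between the IPC's seed request and its seed, and a parser that simply took "the next frame" would attribute the wrong answer to the wrong module.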
Go4IT
Pro
Posts: 967
Joined: 08 Feb 2019, 12:25

Re: Update IPC

Post by Go4IT »

Ursadon wrote: 26 May 2019, 17:02
1) the client (PC) requests the “seed” by sending the SecurityAccess request service ID "0x27 0x01" to the module
2) the server (CAN module) sends the “seed”, a 1-5 byte random value
I would explain "seed" and its function as follows: the seed itself is used by the client (normally diagnostic software) together with the unencrypted key (which is known to the client and the server) to generate an encrypted key. Because the server dictates the random part (the seed) to be used for encryption, the algorithm inside the client generates a different secure key (encrypted key) every time. This is to prevent someone from simply reusing the data by sending it again to gain access to the server (the target module).

We know neither the unencrypted key nor the encryption algorithm. So from our perspective the client generates an "arbitrary" byte sequence each time the server sends a random seed sequence. In a perfect world there would be exactly one answer for each request, so the same seed generates the same answer. If this is true, all we need is to sniff all (or even enough) request/answer pairs to simulate the knowledge of a key and encryption algo :-)

To find out, we can sniff a valid request, e.g. made from UCDS or IDS. Then request a secure session until the formerly sniffed seed comes across. We then know the answer, and if it is still the same, we know we are on the right track! A problem for this method may be that session-generating requests may be limited or throttled after a few trials. Good if we know how to reset the module by software, as this also resets the counters :-)

There may also be a way to brute-force the seed/secure-key pairs using the same method, but instead of sniffing working pairs we simply try out each possible answer combination. So if the server sends 4A 55 0F as seed and expects a three-byte encrypted key, we start trying with 00 00 00 as the answer, going up to FF FF FF, each time the seed comes across. At least one answer must fit, but it can take a loooong time to try every combination of 2*3 bytes.