Find UDS Session Keys for MCA

[Go4IT]

Anyone here to look into where to find the seed-keys for the MCA?
After a UDS DID-scan (using 0x22 Read Data By Identifier) using the default session (unauth) it looks like only a limited subset is shown. Now i'd like to scan again using a secured session using "Security Access Service Identifier (0x27)"

Therefore i need to know the secure key to open the session. This, for shure is somewhere in the firmware of the V850 (Radio-Processor), but how to find? Maybe it could be found using some brute-force methods?

The usual way to implement this is outlined here ("client" is the requestor, "server" the MCA):

• The client sends a request for a "seed" to the server that it wants to unlock.
• The server replies by sending the "seed" back to the client.
• The client then generates a "key" based on the "seed" and sends the key to the server.
• If the client-generated the "key" with the correct algorithm the server will respond that the "key" was valid and that it will unlock itself.

The idea here is that somebody sniffing the CAN do not see the secret key in clear, as it is scrambled with the seed and the seed-algo. So we need to know the key and the algo.

[DGAlexandru]

How about what was written here:
viewtopic.php?p=237#p237 ?
If you have a working algo for IPC you could try to find the seed key for MCA.. but with Ford IDS I never found a function for MCA that would need Secure Acess.

[Go4IT]

Maybe there aren't any secured functions... i don't know, was just a guess.
I found out that Bosch utilizes their own CAN-Protocol, called "MCNet" which sit on top of ISO-TP, like UDS.