Inspect NX PIN-Code

ACM - Ford FX, NX and MCA headunits

Post by Go4IT »

Today I played around with the PIN code of the NX. From my older investigations I know it is hidden somewhere inside sector 507 of the mainboard flash.
What I did was download this sector from several NX units I have access to, and from other dumps I have access to, and write it onto my test unit. In all cases the PIN associated with the device the sector came from can be entered in the test NX :D

I still have no clue where the PIN is coded and how, but it's there somewhere. The sector itself is hex 0x1FFFF bytes in size (131.071 bytes decimal) but only 0x389 bytes are "used"; the others are "0xFF". The location where the PIN is stored could be narrowed down by using a binary tree algorithm. Put the lower half of the original sector and the higher half of the other sector into one new sector. Flash it and see if the original PIN still works. If so, the higher half has no meaning for PIN calculation. Go on and split the lower half into two pieces, doing the same as before, until it doesn't work anymore. Then use the upper half of the remaining chunk, until it is narrowed down to a small number of bytes.

Maybe it's possible to find the area, but that doesn't mean that it is useful, because I expect the PIN to be encrypted by an unknown algo. I don't expect to find a real number, no no. But having the memory location of it may help to search for the code accessing this location, which in turn would be the subroutine checking the input against the stored PIN hash. If the routine is found, it may be patched to always return a positive result, or to inspect the calculation and build a PIN code calculator yourself.

You can also find much other useful information in this sector, like the Ford part number, the BOSCH part number...

For you guys who want to play with it, I attached a sector 507 having the PIN 9823. Would like to receive some other samples from you to compare the contents ;)

Post by Stevebe »

[attachment=0]NX_8S7T-18K931-BB_3A053688276636_MBFLASH_SEC-507_PIN-9118.7z[/attachment]
Digimod

Post by Go4IT »

What you all can test is: in sector 507, change one byte after another to 0xFF (OK, if it was 0xFF change it to 0x00, that is, to something different) and test the PIN code until it fails, to narrow down the byte location(s). I assume there to be at least 4 bytes, or even more, that the PIN is calculated from. Start with the first byte of the sector. Sure, first make a safety copy by storing the sector in its original state. Mark the bytes found to be involved in the PIN calculation on a spreadsheet (location) and turn the value back again. Do this for all bytes (0x380) used in this sector to be clear which are and which are not used.

To do this, you need to erase and write back the sector after each change, boot the unit and test the PIN. You can do this without /SEL to GND, because it is a very fast operation, no watchdog disturbing here.

This is a hell of a job, but it must be done...

Post by Stevebe »

This is a comparison between the 2 sectors of each unit; the red underline is the difference.
B79FA128-2444-4625-BE15-C9819F73B539.png
Digimod
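
The sector comparison described in this thread can be done without a hex-editor screenshot. The following is an added example, not code from any poster: it trims the erased 0xFF padding and lists each differing byte run between two dumps of the same sector. The two sample sectors are constructed, and their field layout is invented, because the thread does not establish the real layout of sector 507.

```python
ERASED = 0xFF  # erased flash reads back as 0xFF, as noted in the first post


def used_length(sector: bytes) -> int:
    """Offset just past the last byte that is not 0xFF padding."""
    return len(sector.rstrip(bytes([ERASED])))


def diff_runs(a: bytes, b: bytes, limit=None):
    """Return [(offset, bytes_in_a, bytes_in_b), ...], one per differing run."""
    if len(a) != len(b):
        raise ValueError("sector dumps must have the same length")
    end = max(used_length(a), used_length(b)) if limit is None else min(limit, len(a))
    runs, start = [], None
    for i in range(end + 1):
        differs = i < end and a[i] != b[i]
        if differs and start is None:
            start = i                      # a new differing run begins
        elif not differs and start is not None:
            runs.append((start, a[start:i], b[start:i]))
            start = None                   # run closed
    return runs


def make_sample(serial: bytes, blob: bytes, size: int = 0x400) -> bytes:
    """Constructed stand-in for a sector dump; layout is hypothetical."""
    body = b"PARTNO-PLACEHOLDER\x00" + serial + b"\x00" + blob
    return body + bytes([ERASED]) * (size - len(body))


# Constructed sample data, not taken from a real unit.
SECTOR_A = make_sample(b"SERIAL-AAAA", bytes.fromhex("10203040"))
SECTOR_B = make_sample(b"SERIAL-AABB", bytes.fromhex("10993040"))

if __name__ == "__main__":
    print(f"used bytes: 0x{used_length(SECTOR_A):X} of 0x{len(SECTOR_A):X}")
    for off, xa, xb in diff_runs(SECTOR_A, SECTOR_B):
        print(f"0x{off:04X}  {xa.hex(' ')}  ->  {xb.hex(' ')}")
```

With real dumps, read each file with `open(path, "rb").read()` and pass the two byte strings to `diff_runs`; collecting the runs from several units on one sheet shows which offsets vary per device and which are constant.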

Post by oscarboiro »

Today I tried to replace sector 507 a few times with ones from different units.
I looked at the VIN number written after the part number, and one dump file has 2 VIN numbers.
My first step was to delete the VIN number: I replaced all digits with “.” and then tried to run the unit, and the result was OK.
The second step was to replace some characters with “.”
Curiously, after writing, I used elmconfig to read the configuration, and the checks, except key code, are unchecked.

I think the unit doesn’t have a PIN number written; it has an algorithm to calculate it from the part number. Tomorrow I am going to try to modify only one number, write it and try the PIN number. If the PIN doesn’t work we have a request.
Later, to confirm, we only need to make a new PIN and try.
Kuga MK1 owner

Post by Go4IT »

Yes, the PIN is calculated from the radio's serial number, like 'C7E3...'.
The car's VIN (WF05... or whatever) is surely taken from the CAN (sent by the BCM) and stored inside the radio. It does not belong to the PIN in any way. You can remove or replace it as you like.
The part number, like BS7T-18K931-AB, is Ford specific and also has no influence on the PIN.
I guess the real code is not stored anywhere, only a hash of it. So your input gets calculated through an unknown algo which results in a hash value, which may or may not have 4 digits which fit into two bytes as ASCII or two bytes as integer, but could also have more bytes. This value is compared with the stored value in flash. The value may also be stored multiple times in flash.
So finding the right PIN could be a brute force iteration of all 9999 PIN calculations until the right hash value is found. We should clarify which bytes in sector 507 are responsible for the PIN. So change every byte until the code does not work anymore.

Post by Go4IT »

Today I repaired an 8S7T NX (loses language settings and navigation targets, can't program home address and also does not start the Update-CD) and found that it has a "Deactivate PIN-Code" menu entry under "Reset to factory defaults". I did not expect it there and was really surprised to find it. It also worked like it should. After entering the PIN the code was disabled and I could power up the radio without the need to enter it. It could also be activated in the same manner.
I've read out sector 507 between changes of this setting, but the dumps are equal. So this setting is stored somewhere else...
Could you please check whether this setting is also available in the MENU of your NX?

Post by Go4IT »

Here are the pictures for the above post:

Press "MENU" button
nx_menu_settings.jpg
Then choose "Werkseinstellungen" ("Factory defaults"):
nx_menu_settings_factory-defaults.jpg
Press "Diebstahlschutz" ("Anti theft protection"):
nx_menu_settings_factory-defaults_burglar-protection.jpg
Enter the PIN code and it is deactivated:
nx_menu_settings_factory-defaults_burglar-protection-off.jpg
To activate it, do the same again. The system has MAIN VER SW 0632_080717 installed.
I also took a dump of the flash.