
Mondeo MK5 IPC

Posted: 31 Jan 2020, 07:32
by leader
Hi,

I'm working on a Mondeo MK5 IPC at the moment, and I'm trying to brute force the seed key for it.
I already sniffed some seed/key pairs to test the keys, but in the end I get more than a thousand false positive keys.
Currently I'm brute forcing on 3 CPUs and still need about 4 days to test all the combinations.

Maybe someone already has the seed keys for this IPC?

Regards,
leader

Re: Mondeo MK5 IPC

Posted: 31 Jan 2020, 15:14
by leader
Here are 12 seed/key pairs sniffed during an IPC update:


728#05670162DFBD0000
720#0527024BB81C0000

728#056701F677D70000
720#0527021508890000

728#0567016521FB0000
720#052702C1294F0000

728#056701BB2D4D0000
720#05270217C9980000

728#05670163A62E0000
720#05270229CF390000

728#0567012F1B930000
720#052702A228F00000

728#0567019E0AB70000
720#052702BCA6140000

728#0567014764080000
720#0527026FF0040000

728#0567012BB2E30000
720#0527025F9F260000

728#0567010FC8BE0000
720#052702C643140000

728#056701A7A1770000
720#05270207D0FA0000

728#0567014CFE290000
720#0527022FADC60000
Just in case someone else wants to play with this IPC....

Re: Mondeo MK5 IPC

Posted: 31 Jan 2020, 15:35
by Ursadon
Hi!
Try the S-keys that I calculated for MK4: https://gist.github.com/Ursadon/8941ff5 ... e09f060eec

Re: Mondeo MK5 IPC

Posted: 31 Jan 2020, 15:49
by leader
Ursadon wrote: 31 Jan 2020, 15:35 Hi!
Try the S-keys that I calculated for MK4: https://gist.github.com/Ursadon/8941ff5 ... e09f060eec
I tested all of them, but they're not working :(
I also tested with the seed algo extracted from motral's tools...
(I think it's similar to yours, but with a different implementation)

Currently I'm brute forcing the keys on 3 CPUs, but it's really slow. I need at least 4-5 days to test all the combinations.
Another problem is that I have many false positive results (collisions); at the end I will have at least 20-30,000 keys.
Currently I test with only one seed/key pair, but at the end I need to filter out only the key(s) that work for all of these 12 seed/key pairs.

Re: Mondeo MK5 IPC

Posted: 31 Jan 2020, 16:22
by Ursadon
Does this dashboard have a JTAG?
Maybe it’s easier to dump firmware (PBL) and find the keys?

Re: Mondeo MK5 IPC

Posted: 31 Jan 2020, 16:25
by leader
Ursadon wrote: 31 Jan 2020, 16:22 Does this dashboard have a JTAG?
Maybe it’s easier to dump firmware (PBL) and find the keys?
Not tested yet. But maybe it's time to disassemble the unit.
I will post the photos and the results...

Re: Mondeo MK5 IPC

Posted: 31 Jan 2020, 18:34
by leader
It's strange...

I already found 15254 keys with my brute force tool, back-tested on 2 key/seed pairs.
I tested all the found keys on my 12 key/seed pairs and all of them are working.
I made the backtest with Ursadon's and "mortal's" implementations of the seed calculation algo as well.

Is it possible that more keys can generate the same seed password?

Here are the first 10 seed keys if someone would like to play with it:


00 00 4A 77 22
00 01 7B 0C 79
00 02 28 81 94
00 03 19 FA CF
00 04 DF BB 6E
00 05 EE C0 35
00 06 BD 4D D8
00 07 8C 36 83
00 08 60 EE BB
00 09 51 95 E0

Re: Mondeo MK5 IPC

Posted: 31 Jan 2020, 19:45
by leader
For CAN bus hacking I mainly use SocketCAN and can-utils on Linux.
So I created a small bash script to monitor the IPC messages with the candump utility and calculate/send the seed password when needed:


#!/bin/bash
# Watch the IPC (0x728) and tester (0x720) IDs. When the IPC answers the
# seed request (single frame 05 67 01 + 3-byte seed), compute the key,
# send it as 27 02 + key, then start the RequestDownload (SID 0x34) first frame.
candump can1,728:7ff,720:7ff | while read -r x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12; do
  echo "$x2 $x4 $x5 $x6 $x7 $x8 $x9 $x10 $x11 $x12"
  if [ "$x2" = "728" ] && [ "$x4" = "05" ] && [ "$x5" = "67" ] && [ "$x6" = "01" ]; then
    r=$(./calcSeed 00 00 4A 77 22 "$x7$x8$x9")   # 5-byte secret, then the 3-byte seed
    cansend can1 "720#052702${r}0000"
    sleep 0.3
    cansend can1 720#1009340000000000
  fi
done


(calcSeed is my utility to calculate the seed password. I used the first found seed key here: 00004A7722)

While this script is running, in another terminal I send seed authentication request messages to the IPC with the following command:

cansend can1 720#0210020000000000; sleep 0.3; cansend can1 720#0227010000000000
I tested the authentication several times with different discovered seed keys and every time the password was accepted.
An example output of the authentication script:


root@homelab# bash send.sh
720 02 10 02 00 00 00 00 00
728 06 50 02 00 19 01 F4 00
720 02 27 01 00 00 00 00 00
728 05 67 01 1C 3D 06 00 00
720 05 27 02 31 C1 EE 00 00
728 02 67 02 00 00 00 00 00
720 10 09 34 00 00 00 00 00
728 30 00 00 00 00 00 00 00

720 02 10 02 00 00 00 00 00
728 06 50 02 00 19 01 F4 00
720 02 27 01 00 00 00 00 00
728 05 67 01 E4 3E BB 00 00
720 05 27 02 A4 3B DE 00 00
728 02 67 02 00 00 00 00 00
720 10 09 34 00 00 00 00 00
728 30 00 00 00 00 00 00 00

720 02 10 02 00 00 00 00 00
728 06 50 02 00 19 01 F4 00
720 02 27 01 00 00 00 00 00
728 05 67 01 DF B4 9B 00 00
720 05 27 02 97 61 D1 00 00
728 02 67 02 00 00 00 00 00
720 10 09 34 00 00 00 00 00
728 30 00 00 00 00 00 00 00
And finally here are all the 15254 keys discovered until now:
MondeMK5_IPC_Seedkeys.txt
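The exchange above is a plain UDS SecurityAccess handshake carried in ISO-TP single frames (10 02 extended session, 27 01 request seed, 67 01 + seed, 27 02 + key, 67 02 accepted, then a 10 09 34 first frame for RequestDownload answered by a 30 flow control). The following is an added example, not the poster's calcSeed tool or anything from the thread: it parses both line styles posted here (candump fields and cansend `ID#DATA`), decodes each frame, pulls the seed/key pairs out of a capture, and shows why candidates that pass one pair must still be checked against all of them. The IPC's real key algorithm is not on the page, so `toy_key` is a deliberately lossy hypothetical stand-in over a 16-bit secret space, used only to make the pruning runnable; the 0x728/0x720 IDs and the sample lines are taken from the thread.

```python
"""Decode the CAN lines from a UDS SecurityAccess exchange, extract seed/key
pairs, and prune brute-force candidates against every captured pair.

Added example; toy_key() is a hypothetical stand-in, NOT the IPC's algorithm.
"""
from typing import Callable, Iterable, List, Optional, Tuple

IPC_ID, TESTER_ID = 0x728, 0x720          # response / request IDs seen in the thread
SID = {0x10: "DiagnosticSessionControl", 0x27: "SecurityAccess", 0x34: "RequestDownload"}

# Constructed sample: one authentication from the posted transcript plus two
# lines in the 'ID#DATA' style of the sniffed-pair list.
SAMPLE = """
720 02 10 02 00 00 00 00 00
728 06 50 02 00 19 01 F4 00
720 02 27 01 00 00 00 00 00
728 05 67 01 1C 3D 06 00 00
720 05 27 02 31 C1 EE 00 00
728 02 67 02 00 00 00 00 00
720 10 09 34 00 00 00 00 00
728 30 00 00 00 00 00 00 00
728#05670162DFBD0000
720#0527024BB81C0000
"""


def parse_line(line: str) -> Optional[Tuple[int, bytes]]:
    """Accept '720 02 10 ...' (candump fields) or '720#0210...' (cansend syntax)."""
    line = line.strip()
    if not line:
        return None
    if "#" in line:
        can_id, data = line.split("#", 1)
        return int(can_id, 16), bytes.fromhex(data)
    can_id, *data = line.split()
    return int(can_id, 16), bytes.fromhex("".join(data))


def describe(can_id: int, data: bytes) -> str:
    """One-line ISO-TP / UDS reading of a single CAN frame."""
    pci, low = data[0] >> 4, data[0] & 0xF
    if pci == 1:                                       # first frame: 12-bit length, then SID
        length = (low << 8) | data[1]
        return f"{can_id:03X} first frame, {length} bytes, {SID.get(data[2], hex(data[2]))}"
    if pci == 2:
        return f"{can_id:03X} consecutive frame seq {low}"
    if pci == 3:
        return f"{can_id:03X} flow control " + {0: "CTS", 1: "WAIT", 2: "OVFLW"}.get(low, "?")
    p = data[1:1 + low]                                # single frame: low nibble is the length
    if p[0] == 0x7F:
        return f"{can_id:03X} negative response to {SID.get(p[1], hex(p[1]))}, NRC {p[2]:02X}"
    if p[0] & 0x40:
        return f"{can_id:03X} +{SID.get(p[0] - 0x40, hex(p[0]))} sub {p[1]:02X} {p[2:].hex()}"
    return f"{can_id:03X} {SID.get(p[0], hex(p[0]))} sub {p[1]:02X} {p[2:].hex()}"


def extract_pairs(lines: Iterable[str]) -> List[Tuple[bytes, bytes, bool]]:
    """Return (seed, key, accepted) triples; accepted is True once a 67 02 follows the key."""
    pairs: List[list] = []
    seed = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1][0] >> 4 != 0:
            continue                                   # seed and key travel in single frames
        can_id, data = parsed
        p = data[1:1 + (data[0] & 0xF)]
        if can_id == IPC_ID and p[:2] == b"\x67\x01":
            seed = p[2:]
        elif can_id == TESTER_ID and p[:2] == b"\x27\x02" and seed is not None:
            pairs.append([seed, p[2:], False])
            seed = None
        elif can_id == IPC_ID and p[:2] == b"\x67\x02" and pairs:
            pairs[-1][2] = True
    return [tuple(x) for x in pairs]


def toy_key(secret: int, seed: bytes) -> bytes:
    """Hypothetical stand-in: 12-bit key from a 24-bit seed and a 16-bit secret.
    It is lossy on purpose, so several secrets collide on any single pair."""
    s = int.from_bytes(seed, "big")
    return (((s * secret) >> 4) & 0xFFF).to_bytes(2, "big")


def consistent_secrets(space: Iterable[int], pairs, key_fn: Callable) -> List[int]:
    """Keep only candidates that reproduce the key of every captured pair."""
    return [c for c in space if all(key_fn(c, seed) == key for seed, key, _ in pairs)]


def demo_pruning(true_secret: int = 0xBEEF) -> Tuple[List[int], List[int]]:
    """Candidates surviving one pair versus all pairs (seeds are the posted ones)."""
    seeds = [bytes.fromhex(h) for h in ("62DFBD", "1C3D06", "E43EBB", "DFB49B")]
    pairs = [(s, toy_key(true_secret, s), True) for s in seeds]
    one = consistent_secrets(range(1 << 16), pairs[:1], toy_key)
    every = consistent_secrets(range(1 << 16), pairs, toy_key)
    return one, every


if __name__ == "__main__":
    for raw in SAMPLE.splitlines():
        parsed = parse_line(raw)
        if parsed:
            print(describe(*parsed))
    print(extract_pairs(SAMPLE.splitlines()))
    one, every = demo_pruning()
    print(f"{len(one)} candidates pass pair 1, {len(every)} pass all pairs")
```

Feeding the full transcript or the 12 sniffed pairs through `extract_pairs` gives the list to back-test against; `accepted` is False for pairs from the sniffed list because no 67 02 response was posted for them. The same `consistent_secrets` loop applies to a real key function once one is available; the only thing the toy changes is the size of the search space.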

Re: Mondeo MK5 IPC

Posted: 05 Feb 2020, 21:24
by Go4IT
Ursadon wrote: 31 Jan 2020, 16:22 Maybe it’s easier to dump firmware (PBL) and find the keys?
Do you think they are contained there? I would think they are only obfuscated by some algorithm.

Re: Mondeo MK5 IPC

Posted: 12 Feb 2020, 15:05
by Stevebe
Hope this is of some interest: MK5 IPC just got running on the bench.
Attachments: mk5 ipc block diagrame.png, mk5 ipc.jpg, IPC PINOUT.png, IPC PLUG.png, ipc mk5.jpg
Just making a start on trying to dump data; currently making up leads.