Benz SKC Calculator

**davidnz** · 29th August, 2012, 02:43 PM

I tell them hello mate with a c350 benz W203 with error that it does not recognize the hash key, if I can repair the attached file please EZS and photos, thanks ...

**bram380** · 29th August, 2012, 03:08 PM

try this dump (pm):
cpu1_repaired

**mark.sch** · 29th August, 2012, 08:36 PM

Examined ESL data again today to demystify structure. Good overview is post #67.

I compared ESL hashes with EZS hashes, so it seems that:

00-0F key0 hash
10-1F key1 hash
...
70-7F key7 hash

80-8F has also key structure, but what is it, the green dealer key?

90-9F mystique, probably must be s.th with transport lock status, activation and so on, anyone found more details?

General: Key hashes are 4x 2-bytes, =4 hashes per key rail. I am also not sure wheter these 4 hashes per key rail are the last 4 used key codes (F713) or whether it is key1+2 hash, emergency key hash and workshop key hash. Anyone figured out more details here?

**ficho** · 30th August, 2012, 11:10 AM

>80-8F has also key structure, but what is it, the green >dealer key?
This is password challange so you can erase the ESL via K-Line but one more criterium must be full filled !

>90-9F mystique, probably must be s.th with transport lock >status, activation and so on, anyone found more details?
This row is status of ESL,initalized or not, some counter and nothing more speacial with it.

Check the W203_DIS that I have uploaded all secrects are inside

Regards ficho

**mark.sch** · 30th August, 2012, 03:54 PM

Originally Posted by ficho

>80-8F has also key structure, but what is it, the green >dealer key?
This is password challange so you can erase the ESL via K-Line but one more criterium msut be full filled !

>90-9F mystique, probably must be s.th with transport lock >status, activation and so on, anyone found more details?
This row is status of ESL,initalized or not, some counter and nothing more speacial with it.

Check the W203_DIS that I have uploaded all secrects are inside

Regards ficho

I am seeking a way to reconstruct lost EZS eeprom data. So, I got key hashes from ESL, SSID from reading the nec key, so what is missing is the password only. In EZS it is 8 byte password, from my ESL it seems to be 4 byte value. Has someone a working dump from paired ESL+EZS to compare?

**ficho** · 30th August, 2012, 10:29 PM

Originally Posted by mark.sch

I am seeking a way to reconstruct lost EZS eeprom data. So, I got key hashes from ESL, SSID from reading the nec key, so what is missing is the password only. In EZS it is 8 byte password, from my ESL it seems to be 4 byte value. Has someone a working dump from paired ESL+EZS to compare?

PASSWORD +SSID in motorola key are stored from 0x01 up to 0x0C, I dont think that you can restore easy EZS unless you do a complete recover, synchronization.

Key0-> must fit ezs hash of key0 (0x80 -0x87) -> also esl hash of key0 (0x00-0x0F).
EZS is the master, reads the key see if it meets criteria then unlock esl, a little bit complecated you can't restore dumps just by looking at them, trying to figure it out...
I have reversed also the ezs motorola's but dificult to see whats going on, time consuming also

regards ficho

ps. could somone try to unpack this file?

**ficho** · 4th September, 2012, 08:15 PM

Hi,
Does sombody know how to check keyhash, somthing about the algo implemented in the soft previously that I have uploaded?

Regards Ficho

**mark.sch** · 4th September, 2012, 10:25 PM

Originally Posted by ficho

PASSWORD +SSID in motorola key are stored from 0x01 up to 0x0C, I dont think that you can restore easy EZS unless you do a complete recover, synchronization.

Key0-> must fit ezs hash of key0 (0x80 -0x87) -> also esl hash of key0 (0x00-0x0F).
EZS is the master, reads the key see if it meets criteria then unlock esl, a little bit complecated you can't restore dumps just by looking at them, trying to figure it out...
I have reversed also the ezs motorola's but dificult to see whats going on, time consuming also

regards ficho

ps. could somone try to unpack this file?

Seems to be PELock 1.06. EZS Explorer is very outdated, my last Armadillo (similar to PELock) took quite some time, so I am not sure whether it is worth spending the time on this soft...better doing it on SKC

But found this detailed tutorial: http://thelegendofrandom.com/files/t..._nwokiller.rar

**bram380** · 26th September, 2012, 12:59 PM

Version history:
----------------
V1.0.0.0 - first relese
V1.0.0.2 - add support for EZS A169.545.1908, A169.545.2308
V1.0.0.3 - add support for EZS A169.545.1708
V1.0.0.4 - add support for EZS A169.905.1500
V1.0.0.5 - add support for EZS A169.545.1108
V1.0.0.6 - add support for EZS A169.545.2108
V1.0.0.7 - improved detection of dumps
V1.0.0.8 - add support for EZS A169.545.1108 (encrypted version)
V1.0.0.9 - add support for EZS A169.545.2208
V1.0.1.0 - add support for EZS A169.545.2008

**milanoffracing** · 27th September, 2012, 10:04 AM

If someone can share V1.0.1.0 will be good.

**JOHNCICY** · 28th September, 2012, 05:32 PM

Originally Posted by milanoffracing

If someone can share V1.0.1.0 will be good.

For those who need skc version 1.0.0.0

**nokius** · 28th September, 2012, 07:03 PM

what algorithm is used to generate the hash?
how generate key manually?

**ficho** · 29th September, 2012, 11:56 AM

Originally Posted by nokius

what algorithm is used to generate the hash?
how generate key manually?

Since it is some kind of an Hash algo, then some soft must be used to do the calculation/bruteforce for generating key.
KeyHash,SSID and Password with EZS must be fullfilled for normal operation, read full flash of key with motorola inside and do reverse then you'll see how complecated it is indeed.

Regards ficho

**ficho** · 11th October, 2012, 06:46 PM

Hi,
I would like to ask if somone could generate key5-7 for attached dump, I need to do some test on a motorola key

210 545 02 08
zc410979 /1D69J

regards ficho