try this dump (pm):
cpu1_repaired
Examined ESL data again today to demystify structure. Good overview is post #67.
I compared ESL hashes with EZS hashes, so it seems that:
00-0F key0 hash
10-1F key1 hash
...
70-7F key7 hash
80-8F has also key structure, but what is it, the green dealer key?
90-9F mystique, probably must be something with transport lock status, activation and so on, anyone found more details?
General: Key hashes are 4x 2-bytes, = 4 hashes per key rail. I am also not sure whether these 4 hashes per key rail are the last 4 used key codes (F713) or whether it is key1+2 hash, emergency key hash and workshop key hash. Anyone figured out more details here?
Last edited by mark.sch; 29th August, 2012 at 08:41 PM.
> 80-8F has also key structure, but what is it, the green dealer key?
This is a password challenge so you can erase the ESL via K-Line, but one more criterion must be fulfilled!
> 90-9F mystique, probably must be something with transport lock status, activation and so on, anyone found more details?
This row is the status of the ESL, initialized or not, some counter, and nothing more special with it.
Check the W203_DIS that I have uploaded; all secrets are inside.
Regards ficho
Last edited by ficho; 25th September, 2012 at 12:33 PM.
I am seeking a way to reconstruct lost EZS eeprom data. So, I got key hashes from ESL, SSID from reading the nec key, so what is missing is the password only. In EZS it is 8 byte password, from my ESL it seems to be 4 byte value. Has someone a working dump from paired ESL+EZS to compare?
PASSWORD + SSID in the Motorola key are stored from 0x01 up to 0x0C. I don't think that you can easily restore the EZS unless you do a complete recovery, synchronization.
Key0 -> must fit the EZS hash of key0 (0x80-0x87) -> also the ESL hash of key0 (0x00-0x0F).
EZS is the master; it reads the key, sees if it meets the criteria, then unlocks the ESL. A little bit complicated, you can't restore dumps just by looking at them, trying to figure it out...
I have also reversed the EZS Motorolas, but it is difficult to see what's going on, and time consuming also.
regards ficho
ps. could someone try to unpack this file?
Last edited by ficho; 3rd September, 2012 at 09:16 AM.
Hi,
Does somebody know how to check the key hash, something about the algo implemented in the soft that I uploaded previously?
Regards Ficho
Seems to be PELock 1.06. EZS Explorer is very outdated, my last Armadillo (similar to PELock) took quite some time, so I am not sure whether it is worth spending the time on this soft... better doing it on SKC.
But found this detailed tutorial: http://thelegendofrandom.com/files/t..._nwokiller.rar
Version history:
----------------
V1.0.0.0 - first release
V1.0.0.2 - add support for EZS A169.545.1908, A169.545.2308
V1.0.0.3 - add support for EZS A169.545.1708
V1.0.0.4 - add support for EZS A169.905.1500
V1.0.0.5 - add support for EZS A169.545.1108
V1.0.0.6 - add support for EZS A169.545.2108
V1.0.0.7 - improved detection of dumps
V1.0.0.8 - add support for EZS A169.545.1108 (encrypted version)
V1.0.0.9 - add support for EZS A169.545.2208
V1.0.1.0 - add support for EZS A169.545.2008
If someone can share V1.0.1.0, that would be good.
What algorithm is used to generate the hash?
How to generate a key manually?
Since it is some kind of a hash algo, then some soft must be used to do the calculation/bruteforce for generating a key.
KeyHash, SSID and Password with EZS must be fulfilled for normal operation. Read the full flash of a key with Motorola inside and reverse it, then you'll see how complicated it is indeed.
Regards ficho
Hi,
I would like to ask if someone could generate key5-7 for the attached dump, I need to do some tests on a Motorola key.
210 545 02 08
zc410979 /1D69J
regards ficho
Last edited by ficho; 12th October, 2012 at 11:35 AM.
ezs part number?
mcu code?