BMW E65 keys data in dump



cartronic
6th February, 2013, 05:29 PM
hi people,
here is data from the CAS of a BMW E65 and an explanation of what the bytes mean
BR
cartronic

CAS E65 6.922.329 68HC912DG128 0K50E

KEY 0 Data _
KEY 1 Data _
KEY 2 Data _
CS data area _

0800: 00 55 04 03 14 01 01 78 28 00 02 00 00 BF 00 FD
0810: 00 F8 00 FA 00 FB 00 FC FD FF FF FF FF BD A4 89 - #081D-0830 = Key numbers ???
0820: 24 08 AE A2 60 27 9C D1 6D 7E 9C 9D 46 2D 72 1F - #0831 = CS key numbers
0830: C0 42 14 1C A0 C2 56 F4 D3 10 FB 39 C9 D0 AB FA - #0832-0845 = Radio pass HI
0840: CD 21 D7 DC 91 72 D5 36 55 A0 DD 86 7F 80 F3 85 - #0846 = CS Radio pass HI
0850: 73 B8 AD 6B 67 23 34 16 DC A7 10 74 38 19 DF CB - #0847-086E = Radio pass LO
0860: D0 C0 F9 95 D8 E9 28 B0 7C 8D BD 57 69 ED D7 1F - #086F = CS Radio pass LO
0870: C2 7F E2 E7 66 BD 28 9C 90 4C 07 FB C9 D6 34 DA
0880: CA 3B CD 9C F3 13 FE 4F EF 43 EB 6B F5 D0 7C D3
0890: B3 91 66 99 D2 29 26 AF C2 7F E2 E7 66 BD 28 9C
08A0: 90 4C 07 FD C9 D6 34 DA CA 3B CD 9C F3 13 FE 4F
08B0: EF 43 EB 6B F5 D0 7C D3 B3 91 66 99 D2 29 26 AF
08C0: C2 7F E2 E7 66 BD 28 9C 90 4C 07 FF C9 D6 34 DA
08D0: CA 3B CD 9C F3 13 FE 4F EF 43 EB 6B F5 D0 7C D3 - #0870-0987 = Radio random code
08E0: B3 91 66 99 D2 29 26 AF C2 7F E2 E7 66 BD 28 9C
08F0: 90 4C 07 D7 C9 D6 34 DA CA 3B CD 9C F3 13 FE 4F
0900: EF 43 EB 6B F5 D0 7C D3 B3 91 66 99 D2 29 26 AF
0910: C2 7F E2 E7 66 BD 28 9C 90 4C 07 F5 C9 D6 34 DA
0920: CA 3B CD 9C F3 13 FE 4F EF 43 EB 6B F5 D0 7C D3
0930: B3 91 66 99 D2 29 26 AF C2 7F E2 E7 66 BD 28 9C
0940: 90 4C 07 F7 C9 D6 34 DA CA 3B CD 9C F3 13 FE 4F
0950: EF 43 EB 6B F5 D0 7C D3 B3 91 66 99 D2 29 26 AF
0960: C2 7F E2 E7 66 BD 28 9C 90 4C 07 F9 C9 D6 34 DA
0970: CA 3B CD 9C F3 13 FE 4F EF 43 EB 6B F5 D0 7C D3
0980: B3 91 66 99 D2 29 26 AF FF FF F0 FF FF FF FF 03 - #098F-09AF = Radio status area
0990: 00 01 02 0F 0F 0F 0F 0F 0F 60 00 00 00 00 00 00 - #0999,09A4,09AF = CS
09A0: 00 00 00 00 00 01 02 02 01 01 01 01 01 01 01 0C
09B0: 90 2A FF FF B8 E8 4E FF FF 34 25 D7 F2 EB FF FF
09C0: FF FF D5 2A E8 4E 25 FF FF FF FF 81 E8 4E 27 06
09D0: 00 00 00 00 E8 4E 27 07 00 00 00 00 E8 4E 27 08
09E0: 00 00 00 00 E8 4E 27 09 00 00 00 00 E8 4E 27 0B
09F0: 00 00 00 00 E8 4E 27 04 00 00 00 00 E8 4E 27 05 - #0A11-0A1A = Key enable status
0A00: 00 00 00 00 FF FF FF FF 68 FF FF 00 FF 04 01 00 - #0A1B = CS key enable status
0A10: 01 00 00 00 00 00 00 00 00 00 00 00 2B 4B 4B 76 - #0A1C-0A25 = Key type status
0A20: 76 76 76 76 76 76 FB 00 00 00 08 08 08 08 08 08 - #0A26 = CS key type status
0A30: 08 38 8C F7 F4 11 89 AB 00 41 D0 AB 00 41 FF FF - #0A27-0A31 = ? key status + CS
0A40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - #0A32-0A59 = Serial numbers
0A50: FF FF FF FF FF FF FF FF FF FF 9D BF 5B D7 9D 93 - #0A5A = CS serial numbers area
0A60: D9 1A FD AF 2C 7B 67 33 B6 B7 BE 0C 17 64 5B 0E - #0A5B-0A6E = Crypto HI
0A70: 65 09 85 05 0D FA D6 9D DE 82 57 6B A4 51 57 C9 - #0A6F = CS crypto HI area
0A80: 24 83 E4 CC 81 45 51 20 DE 73 44 AE C0 92 9C EB - #0A70-0A97 = Crypto LO
0A90: C9 A3 AC 3A 60 15 56 C9 39 CE 3F C6 68 C8 4B 1D - #0A98 = CS crypto LO area
0AA0: 4B C8 90 3C 48 C8 DF 6E 9B C8 B5 85 23 C8 EF D1 - #0A99-0AC0 = CFG/Password
0AB0: C9 C8 C0 72 4F C8 CF F7 51 C8 C0 4F 6C C8 B8 79 - #0AC1 = CS CFG/Password area
0AC0: A9 C5 2B 22 DA FF FF FF FF FF FF FF 20 AA AA AA - #0AC2-0ACB = Key CS
0AD0: FE 30 35 30 38 32 04 17 0A 05 1C 42 FF 06 00 06 - #0ACC = CS key CS
0AE0: 01 00 0C 24 03 F2 19 15 68 01 01 7F 30 34 37 35 - #0ACD-0ACF = Programming status
0AF0: D0 55 36 42 41 0E 30 30 30 30 C0 00 13 0B 01 1F
0B00: 2B 07 01 33 03 00 00 03 00 FF 00 FF FF FF AF F4
0B10: 1E C8 14 0A 28 32 64 28 0E 10 00 AB 50 05 05 0A
0B20: 02 00 00 00 0A 64 00 D4 FF FF FF FF FF FF FF FF
-----------------------------------------------------

All CS are calculated as: CS = X1 + X2 + X3 + ... + Xn, taking the LS byte

Example :
Serial number CS = 8C + F7 + F4 + 11 + 89 + AB + ... + FF + FF = 219D = 9D (#0A5A)




KEY 1 - PCF7942 ( original dump, before programming )
-------------------------
Bl.00 : 89 AB 00 41 - serial number
Bl.01 : 4D 49 4B 52 - crypto LO (ISK LO)
Bl.02 : 00 00 4F 4E - crypto HI (ISK HI)
Bl.03 : 08 AA 48 54 - CFG(TMCF)/Pass > change CFG > Bl.03 : 00 AA 48 54
Bl.04 : D4 45 55 55 - \ Bl.04 : FF FF FF FF \
Bl.05 : FF FF FF FF - \ user data Bl.05 : FF FF FF FF \ Remote
Bl.06 : FF 13 04 04 - / area Bl.06 : FF FF FF FF / key area
Bl.07 : FF FF FF FF - / Bl.07 : FF FF FF FF /


KEY 1 ( after programming )
-------------------------
Bl.00 : 89 AB 00 41 - serial number
Bl.01 : 0D FA D6 9D - crypto LO (ISK LO)
Bl.02 : 00 00 D7 9D - crypto HI (ISK HI)
Bl.03 : C8 4B 1D 4B - CFG/Pass Remote key area (Invisible)
Bl.04 : xx xx xx xx - \ Bl.04 : 86 7F 80 F3 - radio pass LO
Bl.05 : xx xx xx xx - \ user data Bl.05 : xx xx A0 C2 - radio pass HI
Bl.06 : xx xx xx xx - / area Bl.06 : xx xx xx xx - remote config ???
Bl.07 : xx xx xx xx - / Bl.07 : xx xx xx xx - synchronization ???



CFG(TMCF) bit description :

b7(MSB) - ISKL - Immobilizer Secret Key Lock
b6 - PG3L - Page 3 Lock
b5 - RCFL - Remote Configuration Lock
b4 - PWUP - Protect Write User Pages
b3 - BSEL - Bank Select
b2 - x
b1 - x
b0(LSB) - DCS - Data Coding Select

Immobilizer Secret Key Lock, ISKL
If set, block 1 and block 2 are irreversibly locked against reading and writing.
Thus if set once, the Immobilizer Secret Key, ISK, can no longer be read or altered.

Page 3 Lock, PG3L
If set, block 3 is irreversibly locked against writing.
Thus if set once, the Transponder and Memory Configuration (TMCF) and Password (PSW) can no longer be altered. However, reading is supported in any case.

Remote Configuration Lock, RCFL
If set, the remote configuration pages (RCFG), block 4 to 7, are irreversibly locked against reading and writing. Thus if set once, their content can no longer be read or altered. The operation of the RESYNC and READ_SYNC commands is not affected.

Protect Write User Pages, PWUP
If set, a write protection is assigned for the User Data Memory, block 4 to 7.
As a result, its content cannot be altered; however, reading is supported in any case.
If cleared, block 4 to 7 support reading and writing.

Bank Select, BSEL

If cleared, the User Data Memory is disabled and access to block 4 to 7 is enabled (remote configuration pages, RCFG). If set, the User Data Memory, block 4 to 7, is mapped to the memory. In no case is the memory content of the involved pages modified.

Data Coding Select, DCS

Data transmitted from the transponder to the base station may be encoded in Manchester or CDP fashion. If DCS is cleared, Manchester encoding is applied; otherwise CDP coding is applied.
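As an added example (not code from the post): a small Python checker for the dump format above. It parses the "XXXX: bytes - annotation" rows (a subset copied from the post), recomputes the additive CS of several annotated areas against the stored CS byte so that a bad read or an accidental edit shows up as a mismatch, and decodes the TMCF lock bits of a PCF7942 block 3 byte. Area addresses and bit positions come from the post; the function names are assumptions of mine.

```python
import re

# Dump rows copied from the post (only the rows the checked areas need);
# the " - #..." annotations are ignored by the parser.
DUMP_ROWS = """
0810: 00 F8 00 FA 00 FB 00 FC FD FF FF FF FF BD A4 89 - #081D-0830 = Key numbers ???
0820: 24 08 AE A2 60 27 9C D1 6D 7E 9C 9D 46 2D 72 1F - #0831 = CS key numbers
0830: C0 42 14 1C A0 C2 56 F4 D3 10 FB 39 C9 D0 AB FA - #0832-0845 = Radio pass HI
0840: CD 21 D7 DC 91 72 D5 36 55 A0 DD 86 7F 80 F3 85 - #0846 = CS Radio pass HI
0A30: 08 38 8C F7 F4 11 89 AB 00 41 D0 AB 00 41 FF FF
0A40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0A50: FF FF FF FF FF FF FF FF FF FF 9D BF 5B D7 9D 93
0A60: D9 1A FD AF 2C 7B 67 33 B6 B7 BE 0C 17 64 5B 0E
"""
# (name, first byte, last byte, address of the stored CS), as annotated in the post.
CS_AREAS = [
    ("key numbers", 0x081D, 0x0830, 0x0831),
    ("radio pass HI", 0x0832, 0x0845, 0x0846),
    ("serial numbers", 0x0A32, 0x0A59, 0x0A5A),
    ("crypto HI", 0x0A5B, 0x0A6E, 0x0A6F),
]
# PCF7942 TMCF bit positions from the post's bit table (b2/b1 are unused).
TMCF_BITS = {7: "ISKL", 6: "PG3L", 5: "RCFL", 4: "PWUP", 3: "BSEL", 0: "DCS"}
ROW_RE = re.compile(r"\s*([0-9A-Fa-f]{4}):\s*((?:[0-9A-Fa-f]{2}\s*)+)")

def parse_dump(text):
    """Map each address to its byte from 'XXXX: b0 b1 ... [- comment]' rows."""
    mem = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            base = int(m.group(1), 16)
            for i, b in enumerate(m.group(2).split()):
                mem[base + i] = int(b, 16)
    return mem

def checksum(mem, first, last):
    """Additive CS as described in the post: sum of the bytes, LS byte kept."""
    return sum(mem[a] for a in range(first, last + 1)) & 0xFF

def verify_areas(mem, areas=CS_AREAS):
    """Return {name: (computed, stored, match)}; a mismatch flags a bad read or edit."""
    return {name: (checksum(mem, lo, hi), mem[cs], checksum(mem, lo, hi) == mem[cs])
            for name, lo, hi, cs in areas}

def decode_tmcf(cfg):
    """Names of the lock/config bits set in a PCF7942 TMCF byte (block 3, byte 0)."""
    return {name for bit, name in TMCF_BITS.items() if (cfg >> bit) & 1}
```

Running `verify_areas(parse_dump(DUMP_ROWS))` reproduces the post's serial-number example (computed 9D equals the byte at #0A5A), and `decode_tmcf(0xC8)` shows why the programmed key's ISK is no longer readable: ISKL and PG3L are set.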

bram380
6th February, 2013, 05:37 PM
Dark is black.
Black is hard to read.

If you expect help from others, can you make your posts white?

youssef70
6th February, 2013, 09:53 PM
now it's on white


andrius
7th February, 2013, 08:04 AM
The CAS system did not change in years; only now you have to check if the dump is encrypted :) good manual. :)