Algo for calculate key in Sagem 3000



TeiS
17th July, 2014, 10:14 PM
Hi


Does someone know how to calculate, or have the algorithm for calculating, the Key from the Seed that the Sagem 3000 ECU (Renault) sends?


For example, I have some seeds:


The ECU sent 2D 7B 51 40 and the diagnostic tool responded: FC 88 34 7A


Another:


The ECU sent CD 82 82 19 and the diagnostic tool responded: 5E 80 D2 06


I tried some combinations but it is too strong for me. If someone has this algo, please contact me.

ominimicu
18th July, 2014, 11:29 AM
Seed key can be done via brute force, but of course you need software. Most tools do that for flash reading.

TeiS
19th July, 2014, 11:50 PM
> Seed key can be done via brute force, but of course you need software. Most tools do that for flash reading.

I can make software to send seeds to a tool, but it needs so much time to make a DB of key responses.

morgano
20th July, 2014, 01:06 AM
I remember that in the past the DB technique was used by a very famous Romanian cellular phone hacker to bypass RSA security and put the phone into flashing mode.

With the original tool from the official service, he made software to sniff the seeds and answers between the tool and the phone; after each dialog he reset the phone and started again.

He managed to get a nice DB with many pairs of keys. Then his software and interface for flashing just asked the phone for a seed and checked whether he had the answer in his DB. If he had the correct pair, it sent it to the phone and entered flash mode; if he did not have the answer in the DB, it just reset the phone and asked for a new seed until it received a known request.

It was impressive seeing how well the system worked with a tiny DB. I cannot tell how many times he effectively reset the phone per second, but what I can tell you is that phones entered flash mode most of the time in less than 2 minutes. Maybe it is worth giving that method a try. ;)

TeiS
27th July, 2014, 12:29 PM
Hi, I tried sending many key requests to an MPPS interface and I have many responses with different keys, but it's crazy to make a complete DB of Seed/Keys.

Some examples:

SEED ---------- KEY
00010000 --- C4B422F4
00010002 --- 8D35DECD

I see that the seed consists of 2 elements: 0001 and 0000 for the first example.
If the first element is 0000, the MPPS does not calculate the KEY.

This first element is involved in an operation with the second element, but the second element isn't involved in the operations with the first element, for example:

SEED --------------- KEY
0001 FF00 ------- 3D1A D24D
0010 FF00 ------- 58BC D24D
0100 FF00 ------- A6FA D24D
1000 FF00 ------- 83D9 D24D




I tried to convert to binary to see if I could find the logic but......


I think that the algo can use any table for the operations....

If someone wants to help me to understand, I would be very grateful.

Sorry for my English