{"id":415,"date":"2013-08-14T20:34:00","date_gmt":"2013-08-14T20:34:00","guid":{"rendered":"http:\/\/3.68.38.87\/?p=415"},"modified":"2023-07-10T23:06:23","modified_gmt":"2023-07-10T23:06:23","slug":"security-access-or-0x27-ways-to-have-fun","status":"publish","type":"post","link":"https:\/\/canbushack.com\/web\/security-access-or-0x27-ways-to-have-fun\/","title":{"rendered":"SECURITY ACCESS OR 0X27 WAYS TO HAVE FUN"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"415\" class=\"elementor elementor-415\" data-elementor-settings=\"{&quot;ha_cmc_init_switcher&quot;:&quot;no&quot;}\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-17169ea1 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"17169ea1\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;_ha_eqh_enable&quot;:false}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-987d44a\" data-id=\"987d44a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6e8a0fb4 elementor-widget elementor-widget-text-editor\" data-id=\"6e8a0fb4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\n<p>So vehicle manufacturers don\u2019t like you\u2026 why?\u00a0 Because they know you want to modify your car in ways they never intended.\u00a0 They know you want to break your car and make them fix it under a warranty claim.\u00a0 They know you want to Hack your car and make it do fun things.\u00a0 So they put in place a service that will deter you from accessing privileged functions on your vehicle.<\/p>\n\n<p>What are these functions? Things like reflashing a controller.\u00a0 Not just anyone should be able to do this.\u00a0 Resetting the Odometer.\u00a0 Accessing control commands that would potentially stop a vehicle from functioning properly.<\/p>\n\n<p>How do they stop you? Security Access a.k.a. Mode 0x27.\u00a0 This is the service that validates that an application is authorized to do one or more of the privileged functions.<br \/>So how does it work?\u00a0 Well it varies a bit from OEM to OEM, but they all typically work the same.\u00a0 First you must be in a diagnostic mode (not all OEMs require this, but many do).\u00a0 So you have to use Service 0x10 \u2013 Start Diagnostics.<\/p>\n\n
<p>Start Diagnostics will typically take a Subfunction.\u00a0 This Subfunction tells the ECU which Level of Diagnostics it needs to go into.\u00a0 Some OEMs have two or three levels of Diagnostics: OBDII\/Standard Diagnostics, Reflashing, and Enhanced Diagnostics.\u00a0 These subfunctions vary widely depending on the OEM so you\u2019ll have to poke around to find out which your vehicle supports.\u00a0 Some good ones to try are 0x01, 0x02, 0x03, 0x80, 0x81, 0x82, 0x90.\u00a0 I\u2019ve found these to be common.\u00a0 So an example is this:\u00a00x7E0 02 10 82 00 00 00 00 00.\u00a0If done correctly you will get back this:\u00a00x7E8 02 50 82 00 00 00 00 00.\u00a0 If not you will likely get this 0x7E8 03 7F 10 12 00 00 00 00 meaning that the Subfunction is not supported, so you\u2019ll need to try another.\u00a0 You might just want to increment through the entire range of 256 possible subfunction levels.\u00a0 Once you\u2019ve found one that works, you can move on.<\/p>\n\n<p>So Security Access is a Seed\/Key authentication method.\u00a0 First you request a Seed from the ECU, then you calculate the appropriate Key response and send it back to the ECU.\u00a0 Of course you likely don\u2019t have the appropriate algorithm to successfully calculate the Key.\u00a0 So you may need to brute force it.\u00a0 (I\u2019ve spoken about this in an\u00a0<span style=\"color: #08bf7f;\"><a style=\"color: #08bf7f;\" href=\"https:\/\/web.archive.org\/web\/20190715214827\/http:\/\/canbushack.com\/blog\/\">earlier post<\/a>,<\/span> but I\u2019m going to reiterate it here with some more general examples.)<\/p>\n\n
<p>Brute forcing the key will take a while. How long? Well that depends on how wide the Key is (is it 2 bytes wide, 3 bytes, etc.).\u00a0 How do you know how wide it is?\u00a0 You have to make an educated guess.\u00a0 You do this by seeing how wide the Seed is.\u00a0 You know this by requesting the Seed from the controller (I\u2019ll go into how to do this in a bit).\u00a0 So if the Seed is 2 bytes, likely the Key is too.\u00a0 If the Seed is 4 bytes or larger, the odds that you\u2019ll be able to brute force it in any reasonable time are low, as manufacturers add some simple steps to slow down the brute forcing method.<\/p>\n\n<p>So how do you request a Seed? Send this\u00a00x7E0 02 27 01 00 00 00 00 00\u00a0(do this within 3 seconds of the Start Diagnostics command).\u00a0 You should get back a Seed in the response:\u00a00x7E8 04 67 01 XX XX 00 00 00\u00a0or\u00a00x7E8 05 67 01 XX XX XX 00 00.\u00a0 Remember that the 0x04 indicates that the Seed will be two bytes wide (two bytes for the control information and two bytes for the seed) and 0x05 means the Seed will be three bytes wide. Also, you don\u2019t have to send 0x01 as the subfunction, but all Seed requests have odd numbers (except 0xFF) as the subfunction.\u00a0 This is how you differentiate a Seed request from a Key: Key requests are even numbers and must be x+1 where the Seed request subfunction is x.<br \/>Now you have a Seed, that\u2019s nice.\u00a0 But you have no way of calculating the Key so why even bother asking for one?\u00a0 Why not just send the Key?\u00a0 Because you can\u2019t, you must ask for a Seed before you can send a Key.\u00a0 The system requires it.<\/p>\n\n
<p>Now you need to send the Key\u2026 but wait, not yet.\u00a0 Because there is one thing you need to determine first.\u00a0 Is the Seed static or dynamic?\u00a0 You want to know this because this will let you know if you are going to increment your key or not.\u00a0 If the Seed is static, then you\u2019ll need to change the Key when you are brute forcing the system.\u00a0 If the Seed is dynamic, then you\u2019ll want to keep the Key static. So send another Seed request.\u00a0 Did the Seed change?\u00a0 If so it\u2019s a dynamic Seed.\u00a0 If not it\u2019s static.<br \/>Now we need to send a Key.\u00a0 To do this we send\u00a00x7E0 04 27 02 XX XX 00 00 00, where XX XX is the Key (remember the 0x02 subfunction is x+1 of the Seed request). Likely we will get a negative response because the odds of us guessing the exact Key for the Seed we received are 1\/(2^key width in bits).\u00a0 So for a 2-byte Key the key space is 65536 and we have a 1\/65536 chance of getting it right.\u00a0 Now if we increment through all possible Keys then our odds of getting the response approach 100% quickly (see the\u00a0<span style=\"color: #08bf7f;\"><a style=\"color: #08bf7f;\" href=\"https:\/\/web.archive.org\/web\/20190715214827\/http:\/\/en.wikipedia.org\/wiki\/Birthday_problem\" target=\"_blank\" rel=\"noreferrer noopener\">birthday problem<\/a><\/span>).\u00a0 But if the Seed is dynamic we don\u2019t want to increment the Key.\u00a0 So this is a much different problem.<\/p>\n\n<p>However those pesky engineers at the auto manufacturers thought of this brute force method and took some steps to slow us down. How? By making it so that after 3 or 4 attempts we get locked out. How do we know that we\u2019ve reached this condition? They let us know by sending this:\u00a00x7E8 03 7F 27 36 00 00 00 00.\u00a0 Which means \u201cExceeded Number of Attempts.\u201d This means we have to somehow reset the controller so we can try again.\u00a0 This can be achieved by cycling the power.\u00a0 You can do this by finding the fuse for the controller and simply pulling it.\u00a0 Now this could be cumbersome so you may want to automate it using your favorite open source embedded controller.\u00a0 Or we may be able to reset it using the ECU Reset Service a.k.a. Mode 11.<\/p>\n\n
<p>ECU Reset is the funnest service ever\u2026 because it allows you to tell a controller to cycle its power.\u00a0 (Don\u2019t try it while you are actually driving; bad things may happen\u2026)\u00a0 The problem with ECU Reset is there are so many different permutations of it, it\u2019s hard to describe universally.\u00a0 So you\u2019ll have to do some experimenting on how your vehicle has it implemented.\u00a0 But here is an example of how it may work:\u00a00x7E0 02 11 01 00 00 00 00 00.\u00a0 Because you did a reset, you may not get a response from the controller at all if you did it correctly.\u00a0 However if it didn\u2019t like the request, it will give you a negative response\u00a00x7E8 03 7F 11 XX 00 00 00 00, where XX is the negative response code.\u00a0 You\u2019ll have to parse the code to know how to handle the exception.\u00a0 If the NRC is 0x12 just keep trying all subfunctions until one of them works.<\/p>\n\n<p>Once you\u2019ve reset the controller, send another Seed request.\u00a0 If you still get \u201cExceeded Number of Attempts\u201d as a response, then the reset didn\u2019t work. Keep trying more subfunctions of the reset command until you\u2019ve exhausted them all.\u00a0 If still no luck, you\u2019ll have to do a hard reset of the power to the ECU (pulling the fuse).\u00a0 Now try to send another Seed request.\u00a0 Likely if you do this quickly (within 10 or so seconds of the ECU powering up), you\u2019ll get another negative response, 0x7E8 03 7F 27 37 00 00 00 00, \u201cRequired Time Delay Not Expired,\u201d meaning that you have to wait a few seconds longer.\u00a0 Keep trying until this error goes away.\u00a0 This is just another way that the manufacturer has made it difficult for you to brute force the system.\u00a0 Because of this delay, the brute force will take much longer.\u00a0 But if you\u2019re motivated you\u2019ll eventually get there.<\/p>\n\n
<p>How will you know you\u2019ve got it?\u00a0 You\u2019ll see this:\u00a00x7E8 02 67 02 00 00 00 00 00.\u00a0 Then you can be sure.\u00a0 And if you missed that message you can always send another Seed request.\u00a0 If you get a Seed of zero that means that the ECU security is bypassed.<\/p>\n\n<p>Don\u2019t let the window close.\u00a0 If you want to keep the ECU \u201cunlocked\u201d then you\u2019ll need to maintain this state.\u00a0 To do this simply keep sending a Seed request or better, send a Tester Present message:\u00a00x7E0 02 3E XX 00 00 00 00 00, where XX is the subfunction (you\u2019ll have to test this first to see what works) or\u00a00x7E0 01 3E 00 00 00 00 00 00.<br \/>Good Luck and as always feel free to contact me if you have any questions.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>So vehicle manufacturers don\u2019t like you\u2026 why?\u00a0 Because they know you want to modify your car in ways they never intended.\u00a0 They know you want to break your car and make them fix it under a warranty claim.\u00a0 They know you want to Hack your car and make it do fun things.\u00a0 So they put [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":375,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{
"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{
"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[7],"tags":[],"class_list":["post-415","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/canbushack.com\/web\/wp-json\/wp\/v2\/posts\/415","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/canbushack.com\/web\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/canbushack.com\/web\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/canbushack.com\/web\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/canbushack.com\/web\/wp-json\/wp\/v2\/comments?post=415"}],"version-history":[{"count":0,"href":"https:\/\/canbushack.com\/web\/wp-json\/wp\/v2\/posts\/415\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/canbushack.com\/web\/wp-json\/wp\/v2\/media\/375"}],"wp:attachment":[{"href":"https:\/\/canbushack.com\/web\/wp-json\/wp\/v2\/media?parent=415"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/canbushack.com\/web\/wp-json\/wp\/v2\/categories?post=415"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/canbushack.com\/web\/wp-json\/wp\/v2\/tags?post=415"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}