Hi, New just now to this site and have a question... I am very interested in the seed/key algorithm. I began to write a program to do an automatic decode. The line "• 0x2A = Complement – if HH>LL use 2’s complement, else use 1’s complement" agrees with what I have done, but later in the document the line "Thus, given the seed 0x1234: a) ~0x1234 = 0xEDCB b) 0xEDCB ROR 3 = 0x7DB9 c) 0x7DB9 " shows him using a 1s complement. I believe the calculation is off. Hope this thread is still active.
Also wonder if a '97 Camaro 5.7 would be covered by one of the algorithms. If yes which of the 256. I have worked out where the seed and key is stored in the internal HC11 EEPROM. Just need to find a way to access it.
Hope there is still interest in a key gen...
Tom
Thank you Kur40. I had figured the key & seed to be at $E00 thru $E03. Thank you for confirmation.
I will finish the keygen and try it out with $05. Great help!
I have a large part of the OBDII code dis-assembled and working to comment. Is this interesting to others? If yes, where should the result be posted when I complete it.
This is a generous offer. A tool to test seed/key algos could be useful.
How large is the disassembly file? If not too large you can upload it to its own thread and I or a mod can make it a sticky. If it's too large to upload send me a PM and we'll figure out another path.
Ok will do. I am not so sure of how the site works though. Once commented (estimate about a week or so) I will be in touch with size. I have found many of the code parameters from the OBD code. When I see a malf that pertains to an input I use that to describe the location it is in. Are there known sources for content of ram? Some are obvious others I am not so sure.
A sample of some of the code I am working on...
************************************************
* DISABLE NORMAL MESSAGE TRANSMISSION
* MODE 28
************************************************
D2F5 02 ; MINIMUM REQUEST LENGTH
D2F6 02 ; MAXIMUM REQUEST LENGTH
D2F7 F6 18 7C LDAB $187C ; DLC REQUEST DATA 1 FROM BUFFER
D2FA C1 00 CMPB #$00 ; LEVEL 0 ONLY SUPPORTED
D2FC 27 05 BEQ $D303 ;
D2FE BD DC 15 JSR $DC15 ; SUB-FUNCTION NOT SUPPORTED/INVALID FORMAT
D301 20 0B BRA $D30E ; TRANSMIT GENERAL RESPONSE MESSAGE
D303 F7 18 C9 STAB $18C9 ; REPLY DATA BUFFER 1 IS LEVEL
D306 14 7D 80 BSET @$7D,$80 ; DISABLE BACKGROUND MESSAGES
D309 C6 02 LDAB #$02 ; SET REPLY LENGTH
D30B F7 18 C7 STAB $18C7 ;
D30E BD DE 88 JSR $DE88 ; TRANSMIT REPLY
D311 39 RTS ; DONE
************************************************
* ENABLE NORMAL MESSAGE TRANSMISSION
* MODE 29
************************************************
D312 01 ; MINIMUM REQUEST LENGTH
D313 01 ; MAXIMUM REQUEST LENGTH
D314 15 7D 80 BCLR @$7D,$80 ; ENABLE BACKGROUND MESSAGES
D317 C6 01 LDAB #$01 ; SET REPLY LENGTH
D319 F7 18 C7 STAB $18C7 ;
D31C BD DE 88 JSR $DE88 ; TRANSMIT REPLY
D31F 39 RTS ; DONE
Hi,
I wrote a program to take the PCM seed and generate 256 keys (one for each of the algorithms) and throw it in a file. I ran into a problem with the complement instruction. The document defines it as
• 0x2A = Complement – if HH>LL use 2’s complement, else use 1’s complement
When I follow this, my key is off by one. I think this is because the high and low are reversed (LL > HH) or the sign is flipped (HH<LL). The difference is between one's and two's complement. I don't have the resources to figure this out.
When I run the program as it is in the attachment, I get the correct result for algorithm 0x5.
Hope this is of use to someone.
Cheers,
Tom
Bookmarks