Seed key brute force program.
Re: Seed key brute force program.
So you think this would work for, say, BCM, IPC or other modules I'd like to play with, hmmmmm? It would at least get me started on reading them out or programming custom bins to them.
Re: Seed key brute force program.
I've mentioned elsewhere about a no-rom call dumper I made years ago for 8 bit stuff. All I would need to make it work on this stuff is the hardware register byte location/number of the I/O register. I can assemble a bs vb app pretty quick. Hoping to help
- Posts: 590
- Joined: Thu Feb 13, 2020 11:32 pm
- cars: Mainly GM trucks, a Cruze and an Equinox for dailies..
Re: Seed key brute force program.
In-Tech wrote:
I've mentioned elsewhere about a no-rom call dumper I made years ago for 8 bit stuff. All I would need to make it work on this stuff is the hardware register byte location/number of the I/O register. I can assemble a bs vb app pretty quick. Hoping to help

I'd love to hear more about this no-rom dumper?
Re: Seed key brute force program.
AD 38 4A AD 1F 26 FB 71 80 92 C6 8E 20 04 30 00 9D 9D AD 26 3C 8F 26 F1 3C 8E 26 ED 3C 8A A6 80 B7 8E 20 E5 B7 52 A6 F0 4A 26 FD B6 52 81 9D 9D 9D 9D 9D 9D 9D 9B A6 55 20 C6 B7 52 4F AD E9 AE 0A 43 11 00 AD DE 20 00 10 00 AD D8 98 25 04 11 00 20 04 10 00 20 00 AD CB 48 5A 26 F0 10 00 81
0080: AD38 bsr $00BA ;Branch to subroutine at 00BA
0082: 4A deca ;
0083: AD1F bsr $00A4 ;
0085: 26FB bne $0082 ;
0087: 7180 ;Set Page to 80
0089: 92C68E lda [$8Eh.w] ;
008C: 2004 bra $0092 ;
008E: 3000 neg $00 ;
0090: 9D nop ;
0091: 9D nop ;
0092: AD26 bsr $00BA ;
0094: 3C8F inc $8F ;
0096: 26F1 bne $0089 ;
0098: 3C8E inc $8E ;
009A: 26ED bne $0089 ;
009C: 3C8A inc $8A ;
009E: A680 lda #$80 ;
00A0: B78E sta $8E ;
00A2: 20E5 bra $0089 ;
00A4: B752 sta $52 ;
00A6: A6F0 lda #$F0 ;
00A8: 4A deca ;
00A9: 26FD bne $00A8 ;
00AB: B652 lda $52 ;
00AD: 81 rts ;
00AE: 9D nop ;
00AF: 9D nop ;
00B0: 9D nop ;
00B1: 9D nop ;
00B2: 9D nop ;
00B3: 9D nop ;
00B4: 9D nop ;
00B5: 9B sei ;
00B6: A655 lda #$55 ;
00B8: 20C6 bra $0080 ;
00BA: B752 sta $52 ;
00BC: 4F clra ;
00BD: ADE9 bsr $00A8 ;
00BF: AE0A ldx #$0A ;
00C1: 43 coma ;
00C2: 1100 bclr0 $00 ;
00C4: ADDE bsr $00A4 ;
00C6: 2000 bra $00C8 ;
00C8: 1000 bset0 $00 ;
00CA: ADD8 bsr $00A4 ;
00CC: 98 clc ;
00CD: 2504 bcs $00D3 ;
00CF: 1100 bclr0 $00 ;
00D1: 2004 bra $00D7 ;
00D3: 1000 bset0 $00 ;
00D5: 2000 bra $00D7 ;
00D7: ADCB bsr $00A4 ;
00D9: 48 asla ;
00DA: 5A decx ;
00DB: 26F0 bne $00CD ;
00DD: 1000 bset0 $00 ;
00DF: 81 rts ;
Here is a sample instruction set
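As an added example (not the poster's code), the Python below decodes the hex dump above into the same "PC: BYTES mnemonic operand" listing, resolving 6805 relative branches as next-PC plus a signed 8-bit offset. The two sequences that are not standard 6805 opcodes ($71 xx and $92 C6 xx) are decoded the way the poster's annotations label them, which is an assumption.

```python
# Added example, not the poster's code: decode the hex dump in the post above into
# the same "PC: BYTES mnemonic operand" listing, for the 6805 opcodes that occur in it.
ROM_HEX = (  # constructed: the 96 bytes from the dump above, loaded at $0080
    "AD 38 4A AD 1F 26 FB 71 80 92 C6 8E 20 04 30 00 9D 9D AD 26 3C 8F 26 F1 "
    "3C 8E 26 ED 3C 8A A6 80 B7 8E 20 E5 B7 52 A6 F0 4A 26 FD B6 52 81 9D 9D "
    "9D 9D 9D 9D 9D 9B A6 55 20 C6 B7 52 4F AD E9 AE 0A 43 11 00 AD DE 20 00 "
    "10 00 AD D8 98 25 04 11 00 20 04 10 00 20 00 AD CB 48 5A 26 F0 10 00 81"
)
ROM_BASE = 0x0080

# opcode -> (mnemonic, operand mode); only the opcodes used in the dump above
OPCODES = {
    0xAD: ("bsr", "rel"), 0x20: ("bra", "rel"), 0x26: ("bne", "rel"), 0x25: ("bcs", "rel"),
    0x4A: ("deca", "inh"), 0x5A: ("decx", "inh"), 0x4F: ("clra", "inh"), 0x43: ("coma", "inh"),
    0x48: ("asla", "inh"), 0x98: ("clc", "inh"), 0x9B: ("sei", "inh"), 0x9D: ("nop", "inh"),
    0x81: ("rts", "inh"), 0xA6: ("lda", "imm"), 0xAE: ("ldx", "imm"),
    0xB6: ("lda", "dir"), 0xB7: ("sta", "dir"), 0x3C: ("inc", "dir"), 0x30: ("neg", "dir"),
    0x10: ("bset0", "dir"), 0x11: ("bclr0", "dir"),
    # $71 xx and $92 C6 xx are not standard 6805 opcodes; they are decoded here the
    # way the poster's listing annotates them ("Set Page to 80", "lda [$8Eh.w]").
    0x71: ("setpage", "dir"), 0x92: ("lda", "ind"),
}
SIZE = {"inh": 1, "imm": 2, "dir": 2, "rel": 2, "ind": 3}

def operand(mode, chunk, addr):
    if mode == "inh": return ""
    if mode == "imm": return f"#${chunk[1]:02X}"
    if mode == "dir": return f"${chunk[1]:02X}"
    if mode == "ind": return f"[${chunk[2]:02X}.w]"
    off = chunk[1] - 0x100 if chunk[1] & 0x80 else chunk[1]   # rel: signed 8-bit offset
    return f"${(addr + len(chunk) + off) & 0xFFFF:04X}"       # relative to the next PC

def disassemble(rom, base=ROM_BASE):
    """Linear-sweep decode; returns one listing line per instruction."""
    lines, pc = [], 0
    while pc < len(rom):
        mnem, mode = OPCODES[rom[pc]]        # KeyError on an opcode not in the table
        chunk = rom[pc:pc + SIZE[mode]]
        if len(chunk) < SIZE[mode]:
            raise ValueError(f"truncated instruction at ${base + pc:04X}")
        lines.append(f"{base + pc:04X}: {chunk.hex().upper()} {mnem} {operand(mode, chunk, base + pc)}".rstrip())
        pc += len(chunk)
    return lines

def call_targets(lines):
    """Addresses reached by bsr, i.e. the subroutine entry points in the listing."""
    return sorted({int(l.split("$")[1], 16) for l in lines if " bsr " in l})

if __name__ == "__main__":
    print("\n".join(disassemble(bytes.fromhex(ROM_HEX))))
```

call_targets() collects the bsr destinations ($00A4, $00A8, $00BA), which is a quick way to see which parts of a listing like this are shared subroutines before reading it top to bottom.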
Re: Seed key brute force program.
If anyone is wondering why there are jumps all over the place and the nops, it was to get the timing in range so it would work with all the built-in clock jitter that was used in this particular application. The "ticks" were critical. Also, figuring out the landing pad was a PITA. My initial "fake" packets were used with a loop strategy so I could guesstimate landing pad glitch attacks.
- Posts: 8
- Joined: Mon Feb 24, 2020 7:13 pm
- cars: G20 4X4 7.4 l gen 6
Re: Seed key brute force program.
Hi to all, I have tested this software and it works. I have been battling to find some form of software to unlock an E38 and this works like a dream. I will be testing on a locked E38 that I do not know the code for and will let it run until I get the code. Will give feedback as soon as I get the code.
Thanks
- Posts: 590
- Joined: Thu Feb 13, 2020 11:32 pm
- cars: Mainly GM trucks, a Cruze and an Equinox for dailies..
Re: Seed key brute force program.
Overdrive915 wrote:
Hi to all, I have tested this software and it works. I have been battling to find some form of software to unlock an E38 and this works like a dream. I will be testing on a locked E38 that I do not know the code for and will let it run until I get the code. Will give feedback as soon as I get the code.
Thanks

If you post the seed of an E38 we can give you the key as long as it hasn't been locked by a tuner or semi-bricked.. As in, if it's a regular unlock, we can get the key from the seed pretty easily.
Re: Seed key brute force program.
In-Tech wrote:
If anyone is wondering why there are jumps all over the place and the nops, it was to get the timing in range so it would work with all the built-in clock jitter that was used in this particular application. The "ticks" were critical. Also, figuring out the landing pad was a PITA. My initial "fake" packets were used with a loop strategy so I could guesstimate landing pad glitch attacks.

Can you explain what exactly that code is doing?? Little bit lost for what its purpose is.
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
- Posts: 8
- Joined: Mon Feb 24, 2020 7:13 pm
- cars: G20 4X4 7.4 l gen 6
Re: Seed key brute force program.
ironduke wrote:
Overdrive915 wrote:
Hi to all, I have tested this software and it works. I have been battling to find some form of software to unlock an E38 and this works like a dream. I will be testing on a locked E38 that I do not know the code for and will let it run until I get the code. Will give feedback as soon as I get the code.
Thanks
If you post the seed of an E38 we can give you the key as long as it hasn't been locked by a tuner or semi-bricked.. As in, if it's a regular unlock, we can get the key from the seed pretty easily.

It was locked by a Tuner. I managed to get the key after 2 days.
Seed 27F6
Key 22F0
Checked that, and the standard key was supposed to be Key 810C. Now I am trying to reprogram with PowerPCM and it keeps going to 810C to program and tells me that it's not OK. Is there any way to change the key in PowerPCM to 22F0 so that I can get in to program?
- Posts: 590
- Joined: Thu Feb 13, 2020 11:32 pm
- cars: Mainly GM trucks, a Cruze and an Equinox for dailies..
Re: Seed key brute force program.
Overdrive915 wrote:
ironduke wrote:
Overdrive915 wrote:
Hi to all, I have tested this software and it works. I have been battling to find some form of software to unlock an E38 and this works like a dream. I will be testing on a locked E38 that I do not know the code for and will let it run until I get the code. Will give feedback as soon as I get the code.
Thanks
If you post the seed of an E38 we can give you the key as long as it hasn't been locked by a tuner or semi-bricked.. As in, if it's a regular unlock, we can get the key from the seed pretty easily.
It was locked by a Tuner. I managed to get the key after 2 days.
Seed 27F6
Key 22F0
Checked that, and the standard key was supposed to be Key 810C. Now I am trying to reprogram with PowerPCM and it keeps going to 810C to program and tells me that it's not OK. Is there any way to change the key in PowerPCM to 22F0 so that I can get in to program?

I've never used it but.. you're supposed to be able to use the dropdown on the right where you would select E38 or E67 and select the 0xffff and click that and type in the key you want to use.. I would definitely suggest a read before writing.. if it was tuner-locked then it was tuned so I'd want a copy of that just in case..