Honda Seed Key #38
Give us more key pairs

I found this very interesting "HondaReflashTool" application which focuses on Honda ECUs and appears to have progress on figuring out their seed/keys. Perhaps you might be able to get a head start from that repo?

Seed: 0xE3 0x60 => Key: 0xEA 0x66 / +7 +6

I did investigate and I was not successful using the software to create the .bin file from the .rwd Honda firmware file with the process the program provides. I also tried rwd xray, which is another popular one, and was unsuccessful.

Are you using This thread #25 is a handy reference for the sort of descriptions and details that comes in handy. From what I see, the implementation for

```csharp
ushort seed = 0;
ushort k0_xor = 0;
ushort k1_mul = 0;
ushort k2_mod = 0;

int key = seed * k1_mul;
if (k2_mod != 0)
{
    key %= k2_mod;
}
key ^= k0_xor + seed;
key &= 0xFFFF;
```

The key generation components

Seeds logged over CAN from HDS. But I see my variant ID is not listed. I can add my variant ID in the text document most likely, but then the next question is where do the 12 digit and 6 digit values come from. How are those determined?

Using this test script, your definition is very likely

```csharp
using System;

public class HondaAlgoSandbox
{
    // Known 48-bit key definitions, each packed as k0_xor:k1_mul:k2_mod (16 bits each).
    public static ulong[] KeyDefinition = new ulong[] { 0x122208180223, 0x011149568773, 0x19970BB69392, 0x010407211010, 0x200805030696, 0x122108170222, 0x11220114ABCD, 0x78EE17629A11, 0xD537139AFE99, 0x24689BDF1357, 0x13579BDF2468, 0x07C20001001A, 0x191031512473, 0x271704130602, 0x07BB00070016, 0x122007100517, 0x527012890844, 0x190931502472, 0x122410090501, 0x07DC0406064F, 0x132067FF87AC, 0x009024544016, 0xA5744B385F00, 0x39D00E49CC20, 0x944442349449, 0x342DA24F66E8, 0x944642369451, 0x2D20F444E911, 0x944542359450, 0x7AB9AD4D7551, 0x97DFA18D65F2, 0x4D1F73BA3450, 0x07CACAB6A083, 0xF3276F303D4A, 0x23D0028967D5, 0xDC5BDAC8BAF9, 0xF69BD8E4B7C1, 0x0558C8E40289, 0xA41A93155481, 0x2E86746E34F3, 0x5C1D124D14EF, 0x849D4B2F160E, 0x71AC279461E7, 0x863665C92878, 0x70AC209460E7, 0xB7A43BBEDF13, 0x711C27146117, 0x8BD1C5CA98D0, 0xA1AC2A9461A7, 0x1A0DA6A46C79, 0x6A19BF8B8F50, 0xC2293422A9DE, 0xB9135CC7219F, 0x3C3528E26877, 0x21AE6E522F8A, 0xBD0DB9C386CB, 0xA539AA287119, 0x4D93781C835A, 0x3DFB00201400, 0x93E256E71D80, 0xA62BBDBC8C9F, 0x046A37BEC234, 0x0A1D6474276A, 0xC708ABD77358, 0x337055D11CC4, 0xB4AEF852F0DF, 0x08C0C9009DD1, 0x9405595C1F31, 0xB5B90FF1FE30, 0x08F2EB0CD7CF, 0x7CF1CFA5A86C, 0x287B66AB292C, 0x44D3280C643D, 0xF332D213C344, 0x11115555EEEE, 0x9B9D1214080D, 0xE71EC727155D, 0x565638A194B5, 0x192222116001, 0xE1113441EE01, 0xF500F501F502, 0xF530F531F532, 0x015A125A235A, 0x346A456A566A, 0x676A786A896A, 0x050309070213, 0x1234AA551111, 0x009013831042, 0x31334D354230, 0x012905250220, 0x012905251025, 0x303632303030, 0x30374D2D5747, 0x31302D324350, 0x009083043584, 0x30383250584C, 0x030908010509, 0x729305907273, 0x081805030612, 0x303832504449, 0x30392D32534F, 0x303755514C34, 0x022402200630, 0x063008100712, 0x9DD68FFFFEDC, 0x31334D354B30, 0x31334D354B31, 0x032411170920, 0x032411170406, 0x006100330096, 0x514600713002, 0x554800632493, 0x5A5100712809, 0x123456789ABC, 0x5F494B454441, 0x5455424F5F49, 0x1A2B1C2D1E2F, 0x9345C7A00000, 0xFA684EF41859, 0xA51FA80F6E53, 0x6B6BD129AAE4, 
    0x2289A8AD6F23, 0xF4138B434BC1, 0xF546AFF078EA, 0x64047132320D, 0x9DC914021906, 0x9DC013511752, 0xF47D97E85A23, 0x4B9264ED27CA, 0xDAB9ADF9763A, 0x8BF3C81C9C6B, 0x8EC0F999F35B, 0xDFEF3E24F158, 0xD6E045B412FA, 0x0349CAD1A0AE, 0x671C98785ACE, 0xDB92C53197E4, 0x2D18F172E3B7, 0x7FB8FB81F716, 0xA9B808474493, 0xF5D1C09B90E8, 0x204711D313DC, 0xCA50FE25FC4D, 0xD369E964D4C7, 0x001100121020, 0x011101121120, 0x021102121220, 0x2A535ACF7355, 0x495A2A5368BB, 0x38DA75FA3ADD, 0x126A122C102E, 0x679B122C102E, 0xD303DEDFC207, 0xA26B70B931A2, 0xFE2EC5F59913, 0xB330D6C2B428, 0xFED3DA76BA6D, 0xA6A1C7539B32, 0x6885AAC571EA, 0x33E785DA45FC, 0xDE89171E2167, 0x4F37882F4872, 0x669B91FE5341, 0x0E7B1AF12D5E, 0xD7B55C182121, 0x0558C8E49DA5, 0x67539B3E5E24, 0x313F792D365B, 0xC8F1DB97BC5B, 0xF70DE6A1CFC5, 0x0296AFE478D9, 0xD63433AFA6F4, 0x3C392AC4724F, 0x3E0405F02351, 0xD24BCBF2A279, 0xA0E752191A54, 0x7C97CA2A9FA6, 0xC38E561A1CF5, 0xD8F07D5E3D64, 0xB81D469B1379, 0xC8DFD9D3B957, 0x3B5CC389955A, 0xCC292D157F07, 0x6D36E970D4DD, 0xCAA206402720, 0xB6A1249553A4, 0x035653494D01, 0x8FA3C4219EFF, 0xD5710F234007, 0x65095BC8D234 };

    // Seed/key pairs logged from the ECU under test.
    public static ushort[] TrialSeed = new ushort[] { 0xE360, 0xD99E, 0x18EF, 0x4B35, 0xB87E, 0x382F, 0x6FBD };
    public static ushort[] TrialKey = new ushort[] { 0xEA66, 0xE550, 0x2454, 0x504C, 0xC35E, 0x44EE, 0x7462 };

    // Print every definition that reproduces at least one of the logged pairs.
    public static void Run()
    {
        foreach (var kd in KeyDefinition)
        {
            for (int i = 0; i < TrialSeed.Length; i++)
            {
                if (Generate(TrialSeed[i], kd) == TrialKey[i])
                {
                    Console.WriteLine($"match: {kd:X12} for {TrialSeed[i]:X4} -> {TrialKey[i]:X4}");
                }
            }
        }
    }

    // Compute the 16-bit key for a seed from a packed 48-bit definition.
    public static ushort Generate(ushort seed, ulong def)
    {
        ushort k0_xor = (ushort)(def >> 32);
        ushort k1_mul = (ushort)(def >> 16);
        ushort k2_mod = (ushort)(def >> 0);
        int key = seed * k1_mul;
        if (k2_mod != 0)
        {
            key %= k2_mod;
        }
        key ^= k0_xor + seed;
        key &= 0xFFFF;
        return (ushort)key;
    }
}
```

output:
and these are the candidate ECUs:
There's also a possibility that the key was reused, but the definition doesn't exist in the ecu keys list. rwd-xray has a name guide, but I don't know enough about Honda to follow.
The algo and parameters for your exact seed/key has been figured out now, so I think you can now work backwards and let us know how that works? Again, no Honda experience here so we're counting on you for the vendor specifics.

Yep, it sure looks like you are correct here. I appreciate you doing this for me. 081805030612 seems to be the correct input key that makes the seed>key generation algorithm he provides work for me! I am just wondering how the 081805030612 is calculated, or where it is derived from. For example, 37805-RDF-Y550 is the ECU PART NUMBER; it's the calibration file downloaded from HDS. Where 081805030612 ties in is unknown to me. It seems being able to find the 12 digit value associated with the ECU is what makes the algorithm succeed. I can't find that value, or the hex value, or the 0x0503 value (middle number) of it used in the key generation, in Ghidra or a hex editor of the firmware file.
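
The check discussed in this exchange, as an added example that is not part of the original thread or the project's code: a Python port of the `Generate` routine from the test script that accepts a definition only if it reproduces all seven logged seed/key pairs. The function names are this example's own; `to_int32` and `csharp_rem` reproduce C# `int` wrap-around and truncating `%`, which plain Python arithmetic does not.

```python
# Added example: Python port of the thread's Generate() routine.
# The seed/key pairs and the definition are the values quoted in the thread;
# the function names are this example's own.
TRIAL_PAIRS = [
    (0xE360, 0xEA66), (0xD99E, 0xE550), (0x18EF, 0x2454), (0x4B35, 0x504C),
    (0xB87E, 0xC35E), (0x382F, 0x44EE), (0x6FBD, 0x7462),
]
DEFINITION = 0x081805030612


def split_definition(definition):
    """Split a 48-bit definition into its (k0_xor, k1_mul, k2_mod) words."""
    return ((definition >> 32) & 0xFFFF,
            (definition >> 16) & 0xFFFF,
            definition & 0xFFFF)


def to_int32(value):
    """Wrap to a signed 32-bit value, as C# unchecked int arithmetic does."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def csharp_rem(a, b):
    """C# % truncates toward zero; Python % floors, so handle the sign here."""
    r = abs(a) % b
    return -r if a < 0 else r


def generate(seed, definition):
    """Compute the 16-bit key for a 16-bit seed, matching the C# snippet."""
    k0_xor, k1_mul, k2_mod = split_definition(definition)
    key = to_int32(seed * k1_mul)
    if k2_mod != 0:
        key = csharp_rem(key, k2_mod)
    key ^= k0_xor + seed
    return key & 0xFFFF


def matching_definitions(definitions, pairs):
    """Keep only definitions that reproduce every pair, not just one of them."""
    return [d for d in definitions
            if all(generate(s, d) == k for s, k in pairs)]


if __name__ == "__main__":
    print([f"{d:012X}" for d in matching_definitions([DEFINITION], TRIAL_PAIRS)])
```

Because the key is only 16 bits wide, a single pair can match an unrelated definition by chance, which is why the filter requires every logged pair to agree.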

The implementation in https://github.com/jpancotti/rwd-xray is quite readable and I would suggest starting from there. I tried using

Thank you! I just tried this and got it to work exactly as described by you! Very much appreciated. I tried one of my other files with this tool and block 4 reports back a 10 digit key rather than 12, which is interesting, and would be a first for Honda, as far as I'm concerned.

I've added HondaAlgo1 in c62ef1c which also ships with 1895 definitions, and should resolve this issue. The keys are dumped from a somewhat recent HDS "Honda i-HDS 1.006.054" setup. There were originally 17,411 unique definitions, so I decided to group them by their keys (1895 unique keys) instead; their names are still searchable through the alias field. For reference, these are the raw keys as dumped from the setup: keys.txt

Hi, how to reverse Prohibit CAN Access Programs?

Hi, how to obtain the key after dumping? Thank you

Hello, any information or ideas to try to identify the seed key algorithm for 2021+ Acura? I wanted to try the tool but I am not sure if it allows it or if my formatting is correct. Any information would be helpful.
SEED: 0xE3 0x60
KEY: 0xEA 0x66