Thanks to visit codestin.com
Credit goes to github.com

Skip to content

jglim/UnlockECU

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

57 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

UnlockECU

Header Image

Free, open-source ECU seed-key unlocking tool.

Getting started

Try it out here in your browser instantly, or download a local, offline copy:

Latest Offline: Select the most recent build from the automated builds, then download the zip artifact.

Stable Offline: Download and unarchive the application from the Releases page, then run the main application VisualUnlockECU.exe.

Ensure that you have .NET Desktop Runtime 5.0.0. , available from here.

License

MIT

This application does not include or require copyrighted or proprietary files. Security functions and definitions have been reverse-engineered and reimplemented.

When interacting with this repository (PR, issues, comments), please avoid including copyrighted/proprietary files, as they will be removed without notice.

Features

  • There is no need for additional files such as security DLLs. The application supports a set of security providers out of the box, and definitions are stored in db.json.
  • Security functions are completely reverse engineered and re-implemented in C#.
  • The project is unencumbered by proprietary binary blobs, and can be shared freely without legal issues.

Demo

ue_demo.mp4

Adding definitions

Definitions specify a seed-key function for a specific ECU and security level. The input seed's size, output key's length as well as the security provider must be specified. Some security providers require specific parameters to operate.

Here is an example of a definition:

{
  "EcuName": "ME97",
  "Aliases": [],
  "AccessLevel": 1,
  "SeedLength": 2,
  "KeyLength": 2,
  "Provider": "PowertrainBoschContiSecurityAlgo1",
  "Origin": "ME97_ME97_13_10_01_J",
  "Parameters": [
    {
      "Key": "ubTable",
      "Value": "FCAD1E5941992FCD",
      "DataType": "ByteArray"
    },
    {
      "Key": "Mask",
      "Value": "4300",
      "DataType": "ByteArray"
    }
  ]
}

Currently, these security providers are available:

  • DaimlerStandardSecurityAlgo
  • DaimlerStandardSecurityAlgoMod
  • DaimlerStandardSecurityAlgoRefG
  • DRVU_PROF
  • EDIFF290
  • EsLibEd25519
  • ESPSecurityAlgoLevel1
  • IC172Algo1
  • IC172Algo2
  • MarquardtSecurityAlgo
  • OCM172
  • PowertrainBoschContiSecurityAlgo1
  • PowertrainBoschContiSecurityAlgo2
  • PowertrainDelphiSecurityAlgo
  • PowertrainSecurityAlgo
  • PowertrainSecurityAlgo2
  • PowertrainSecurityAlgo3
  • PowertrainSecurityAlgoNFZ
  • RBTM
  • RDU222
  • RVC222_MPC222_FCW246_LRR3
  • SWSP177
  • VGSSecurityAlgo
  • VolkswagenSA2
  • XorAlgo

The definitions file db.json should be found alongside the application's main binary.

Notes

  • If your diagnostics file has unlocking capabilities, usually your diagnostics client can already perform the unlocking without further aid. Check your client's available functions for phrases such as Entriegeln , Zugriffberechtigung , and Unlock.
  • Generally, this application operates like most DLL-based seed-key generators. If you already have a DLL-based tool, this application does not offer much more (only includes a few modern targets such as HU7).
  • Definitions are reverse-engineered from DLLs and SMR-D files. If the definition does not innately exist in those files, they will not be available here (e.g. high-level instrument cluster definitions).
  • There are ECUs that share the same seed-key function. For example, CRD3 and CRD3S2 appear to share the same function as CRD3NFZ.
  • The core of this project is a "portable" .NET 5 class library which can be reused on other platforms.
  • As the security providers are now written in a high-level language, they can be better studied. For example, DaimlerStandardSecurityAlgo performs a XOR with its private key as a final step, which allows the private key to be recovered from a known seed and key.
  • DaimlerStandardSecurityAlgo is usually used for firmware flashing, and might not unlock other capabilities such as variant-coding.

Contributing

Contributions in adding security providers and definitions are welcome.