FORScan PCM reprogramming (as-built) RX-8 (+other Mazdas...)

[stern0m1]

Whats the algorithm to use with the key?
Say the key is MazdA whats the algorithm on the seed?

Thanks!

[Avari]

JamieM - This is from a 2011 Mazda 3 2.0 - Any Idea if the RX8 CC enable would work?

;Block 1
7E001014A4D31424C3F
7E00102315547584251
7E001033134343136EB
7E001043331FFFFFF4D
7E00105FF2AFFFFFF13
7E00106FF0346FFFF34
7E00107FFFFFF41F11E
7E00108FFFFFFFFF0DC
7E00109FFFFFFFFFFEC
7E00110FFFFFFFFFFF3
7E00111FFFFFFFFFFF4
7E00112FFFFFFFFFFF5
7E00113FFFFFFFFFFF6
7E00114FFFFFFFFFFF7
7E00115FFFFFFFFFFF8
7E00116FFFFFFFFFFF9
7E00117FFFFFFFFFFFA
7E00118FFFFFFFFFFFB
7E00119FFFFFFFFFFFC
7E00120FFFFFFFFFF03
7E00121FFFFFFFFFF04
7E00122FFFFFFFFFF05
7E00123FFFFFFFFFF06
7E00124FFFFFFFFFF07
7E00125FFFFFFFFCAD3
7E0012680FF30BD

[JamieM]

The algorithm is a load of complicated maths, I have no idea how it works, I lifted it from here: http://illmatics.com/car_hacking.pdf

The ECOMcat / PyEcom software mentioned in that paper can be found on the internet and contains source code for an implementation of the algorithm in python. I'm not going to post the code myself for obvious reasons (security concerns / copyright etc.)

Avari - I don't think it will, no. The data block is a different length, and there's no guarantee it's even arranged the same way as the RX-8. Compare to this: https://forscan.org/forum/viewtopic.php ... =10#p16553

Where did you get that data block from?

[Avari]

It is the ASBUILT PCM data from a 2011 mazda 3. Attached is a screenshot from Forscan.

Seems like people were able to figure out CC on the first gen and third gens, but not a lot of information on the 2nd gen cars.

[JamieM]

Ah, if you're able to edit it in FORScan then there's no need for my tool anyway I only wrote it because FORScan doesn't support the RX-8 PCM for module configuration (as-built) - it doesn't show up as a programmable module. Looks like yours does!

You could try modifying with FORScan the same bytes as others with Mazda 3's and see if that works?

If it's the same as the RX-8 (I doubt it) you'd change the 7E0-01-07 line from [FFFF FF41 F11E] to [FFFE FF41 F11D]

If it's the same as bretman/baxevan for the 2011 Mazda3/2 then you could change 7E0-01-07 from [FFFF FF41 F11E] to: [FFFF FF41 F320]

Otherwise you've got some experimenting to do

(be careful! and backup first! good luck!)

[Avari]

JamieM - Hey thanks at least it's somewhere to start. I have backups at this point. Thank you!

[stern0m1]

The algorithm is a load of complicated maths, I have no idea how it works, I lifted it from here: http://illmatics.com/car_hacking.pdf

The ECOMcat / PyEcom software mentioned in that paper can be found on the internet and contains source code for an implementation of the algorithm in python. I'm not going to post the code myself for obvious reasons (security concerns / copyright etc.)

Thanks Jamie!
I believe I found it.
I'm sifting through the code... Just want to make sure I got the right one.
security.py is what I want?
Whats the variable real_key for? Seems the make thing is seed and s1-s5?
Do you know if that algorithm is part of a specific standard or manufacturer specific?

Thanks again!

[Avari]

Jamie - Might be highjacking this thread a bit, will start a new one in a sec.

https://forscan.org/forum/viewtopic.php ... 826#p23826 - new thread

I got the ASBUILT data from MotorCraftService for my car (2011 Mazda 3 Sedan 2.0 Manual w/o Cruise)

PCM Modules
PCM 1 FFFF FFFF 0310
PCM 2 46FF FFFF FF54
PCM 3 FF41 F1FF FF42
PCM 4 FFFF F0FF FF00
PCM 5 FFFF FFFF FF10
PCM 6 FFFF FFFF FF11
PCM 7 FFFF FFFF FF12
PCM 8 FFFF FFFF FF13
PCM 9 FFFF FFFF FF14

And a craigslist car - 2011 Mazda 3 Sedan 2.0 Auto w/ Cruise

PCM Modules
PCM 1 FFFF FFFF 0310
PCM 2 46FF FFFF FF54
PCM 3 FF41 F3FF FF44
PCM 4 FFFF F0FF FF00
PCM 5 FFFF FFFF FF10
PCM 6 FFFF FFFF FF11
PCM 7 FFFF FFFF FF12
PCM 8 FFFF FFFF FF13
PCM 9 FFFF FFFF FF14

These look the only change is in PCM 3

But - when I look at my above attachment in the Forscan PCM AS BUILT for 7E0-01-07- it's similar but not quite - FFFF-FF41-F11E - What am I missing here?

[baxevan]

Hello Jamie. In the latest forscan you can at last program the pcm as built. So I guess in rx8 you can do it too.
I had a problem with your program. After connecting... it would stop with error "could not exit default session". Could it be sth from my setup? I tried it with windows xp in a small netbook and windows 10 in my tablet with the same results. (usb ELM 327).

Also in our cases, except the change in line 7e0-01-07 there was a change in vin block checksum so in 7e-01-25 data there was also a change (vin block checksum).
I figured everything thanks to your research and detailed description of how your program works, so at the end you also helped us enabling cruise control

[JamieM]

security.py is what I want?

Yep that's the one!

Whats the variable real_key for? Seems the make thing is seed and s1-s5?

There is 3 pieces of information related to the algorithm:

• The "shared secret" which is hard coded into the ROM of the PCM - that's the thing that is "MazdA" in ASCII [4d 61 7a 64 41] on an RX-8. This is what s1-s5 refer to (s1=0x4d, s2=0x61... etc. for an RX-8). The only way to find this is either dumping the ROM from your ECU (a lot of work) or brute forcing it - there's a list of the ones used by all Mazdas in one of the DLLs making up Mazda's IDS software, as explained in that paper I posted. My program loops through and tries every value in this list if neither the RX-8 one not the MazdaEdit one work.
• The "seed" - this is just a 3 byte number randomly generated by the ECU. It generates a new one for each securityAccess attempt.
• The "key" - this is the value you pass back to the ECU to authenticate yourself, also 3 bytes. You calculate it from the seed and shared secret using the algorithm (i.e. seed and shared secret are the inputs, the key is the output from the algorithm).

From memory, the security.py script can be run as is and it will calculate a key from the seed and s1-s5 you give it. The real_key variable is purely to compare if it got the answer right if you already have a known seed/key combo that works, for example by observing a successful login e.g. sniffing the OBD CAN comms between a car and IDS. You can use this to work backwards and work out an unknown shared secret by brute force. Sticking this algorithm in a loop won't take very long for a fast PC to crack the shared secret - it's only a 40-bit key space (5 bytes)...

Do you know if that algorithm is part of a specific standard or manufacturer specific?

Nope no idea!


Avari & baxevan - glad you figured it out! I completely forgot that you also needed to change the checksum at the end of the VIN block - d'oh! I'm used to it being done for me by my software, didn't realise FORScan didn't do it for you and you had to calculate it manually... Sorry about that haha! I've just had a read through your thread and all looks good to me I think you just got lucky with the checksum when you changed the VIN as you say. So the full proper change includes changing F1 to F3 in PCM3, updating the line checksum if you like (it's only for FORScan - it may not care / do it for you), and also updating the entire VIN block checksum at the end as per one of my earlier posts, as you found! Good work!

I had a problem with your program. After connecting... it would stop with error "could not exit default session"

I'm not sure why this happens, though I have an idea... I guess the session IDs are different on the two cars. I should really fix the ID I use so it's 0x05 instead of 0x85 or whatever it was, but eh, you have it working now anyway

Hello Jamie. In the latest forscan you can at last program the pcm as built. So I guess in rx8 you can do it too.

Thanks! I'll have a look / play next time I have my car plugged in