Go to file
JinGen Lim 9cfd358674 IC172Algo1,2 : remove mixed indents 2021-11-08 18:00:19 +08:00
.github/ISSUE_TEMPLATE Update issue templates 2021-10-08 10:19:10 +08:00
UnlockECU IC172Algo1,2 : remove mixed indents 2021-11-08 18:00:19 +08:00
docs/resources Initial commit 2020-11-27 19:36:04 +08:00
.gitignore Initial commit 2020-11-27 19:35:06 +08:00
LICENSE Initial commit 2020-11-27 19:35:06 +08:00
README.md Add VGS provider from VGSNAG2 2021-07-02 10:47:44 +08:00

README.md

UnlockECU

Header Image

Free, open-source ECU seed-key unlocking tool.

Getting started

Try it out here in your browser, or read more on how to use a local, offline copy:

Download and unarchive the application from the Releases page, then run the main application VisualUnlockECU.exe.

Ensure that you have .NET Desktop Runtime 5.0.0. , available from here.

License

MIT

This application does not include or require copyrighted or proprietary files. Security functions and definitions have been reverse-engineered and reimplemented.

When interacting with this repository (PR, issues, comments), please avoid including copyrighted/proprietary files, as they will be removed without notice.

Features

  • There is no need for additional files such as security DLLs. The application supports a set of security providers out of the box, and definitions are stored in db.json.
  • Security functions are completely reverse engineered and re-implemented in C#.
  • The project is unencumbered by proprietary binary blobs, and can be shared freely without legal issues.

Demo

https://raw.githubusercontent.com/jglim/UnlockECU/main/docs/resources/demo.mp4

Edit: sorry, the thumbnail link does not work properly: please click here instead.

Adding definitions

Definitions specify a seed-key function for a specific ECU and security level. The input seed's size, output key's length as well as the security provider must be specified. Some security providers require specific parameters to operate.

Here is an example of a definition:

{
  "EcuName": "ME97",
  "Aliases": [],
  "AccessLevel": 1,
  "SeedLength": 2,
  "KeyLength": 2,
  "Provider": "PowertrainBoschContiSecurityAlgo1",
  "Origin": "ME97_ME97_13_10_01_J",
  "Parameters": [
    {
      "Key": "ubTable",
      "Value": "FCAD1E5941992FCD",
      "DataType": "ByteArray"
    },
    {
      "Key": "Mask",
      "Value": "4300",
      "DataType": "ByteArray"
    }
  ]
}

Currently, these security providers are available:

  • DaimlerStandardSecurityAlgo
  • DaimlerStandardSecurityAlgoMod
  • DaimlerStandardSecurityAlgoRefG
  • DRVU_PROF
  • EDIFF290
  • EsLibEd25519
  • ESPSecurityAlgoLevel1
  • MarquardtSecurityAlgo
  • OCM172
  • PowertrainBoschContiSecurityAlgo1
  • PowertrainBoschContiSecurityAlgo2
  • PowertrainDelphiSecurityAlgo
  • PowertrainSecurityAlgo
  • PowertrainSecurityAlgo2
  • PowertrainSecurityAlgoNFZ
  • RBTM
  • RDU222
  • RVC222_MPC222_FCW246_LRR3
  • SWSP177
  • VGSSecurityAlgo
  • VolkswagenSA2

The definitions file db.json should be found alongside the application's main binary.

Notes

  • If your diagnostics file has unlocking capabilities, usually your diagnostics client can already perform the unlocking without further aid. Check your client's available functions for phrases such as Entriegeln , Zugriffberechtigung , and Unlock.
  • Generally, this application operates like most DLL-based seed-key generators. If you already have a DLL-based tool, this application does not offer much more (only includes a few modern targets such as HU7).
  • Definitions are reverse-engineered from DLLs and SMR-D files. If the definition does not innately exist in those files, they will not be available here (e.g. high-level instrument cluster definitions).
  • There are ECUs that share the same seed-key function. For example, CRD3 and CRD3S2 appear to share the same function as CRD3NFZ.
  • The core of this project is a "portable" .NET 5 class library which can be reused on other platforms.
  • As the security providers are now written in a high-level language, they can be better studied. For example, DaimlerStandardSecurityAlgo performs a XOR with its private key as a final step, which allows the private key to be recovered from a known seed and key.
  • DaimlerStandardSecurityAlgo is usually used for firmware flashing, and might not unlock other capabilities such as variant-coding.

Contributing

Contributions in adding security providers and definitions are welcome.