This may sound like a complicated topic, but the industry has over complicated its explanation.
Security unlocking is the process where a scantool is allowed access to perform actions such as writing updates, changing VINs or other programming related tasks. Every automotive manufacture implements this process which we have broken down into three main parts of this article.
Contents
Algorithms
In order to describe the relationship between a seed and the key, first we must cover what an algorithm is. I have always found it easier to understand this by using the following analogy. For those that are old enough to remember getting prizes in your cereal box, its possible you received a decoder ring.
With that decoder ring you were able to write an encrypted message. Well let’s say you were to pass that message along to your friend at school and the teacher grabbed it. The teacher wouldn’t be able to make since of the letter. Reason being that decoder ring is the algorithm and without it the message cannot be decrypted.
How do software companies figure our these algorithms? Well, this is where reverse engineering comes into play, which can include decompiling routines or even factory operating systems to generated the required unlocking algorithm.
Seed and Key
Now that we have described an algorithm, we can discuss what the seed and key are.
The seed is the decrypted version of the key. When entering a programming session, the tool will request the seed from the module. Now the software will need to properly encrypt the seed using the correct algorithm in order to produce the key. If the key is correctly calculated and sent to the ECU, it will be allowed access to perform programming actions.
The purpose of the seed/key is to act as the first line of defence in module protection. This is most manufactures way of trying to prevent 3rd party developers (Just like us!) from being able to create software to perform custom tasks. Without these algorithms, we would be unable to perform any programming.
The seed/keys can vary in length, these can vary anywhere from 2bytes through to 28bytes. If using GM modules for example, we see 2,5 and even 28byte seed/keys in the latest generation of modules.
Due to every series of module having its own algorithm, the calculated key would not be the same if two different series modules shared the same seed.
Custom Keys and Tuner Locks
Sometimes a calculated key can be reported back as incorrect.
This can occur due to 3 main reasons:
- Corrupted flash
- Corrupted eeprom
- Tuner Lock
Corrupted flash and eeprom can occur due to failed flashing attempts, or occasional from failing ecus (bad flash memory).
With corrupted memory, this causes the ECU to report back a random or invalid seed value, so when a scantool attempts to unlock the ECU with a calculated key, it will fail as it is invalid.
The next most common reason is due to a tuner lock which is where a tuner applies a custom key to the ECU which means the factory algorithm no longer calculates the correct key. his practice is common among tuners when doing extensive tuning in order to protect their intellectual property and to prevent tampering
Depending on the manufacture, a key can be bruteforced to recover an ECU. On GM vehicles, a 2byte seed/key can take up to 7days. Whereas a 5byte seed/key would take thousands of years! Other manufactures have a rolling seed value, meaning it changes on each request thus brute forcing is not an option.
Application Development
Understanding the security unlocking process gives you more insight into just part of the process required to perform custom programming in any automotive module.
This is why we offer our custom development services for individuals and companies looking to have a specific application created. For more information, please contact us with requirements and we will get back to you with a solution!
