BMW Security Access

Post by 0wen » 2019 May 30 10:55

Hey, I just discovered this forum while researching security access. I am making a small OBD tool for my wife and me to quickly change coding when we switch cars. I've been using Esysx to find the coding and watching the CAN bus to see the messages, but I'm stuck trying to figure out how the tool gets security access. Does anyone have experience with figuring out the seed-->key process for BMWs? If not, any recommendations for what I should start looking for?

Here is a trace of the transaction:
Time Chn ID Name Dir DLC Data Data ASCII
11.163622 1 6F4 Rx 8 56 06 27 01 FF FF FF FF V.'.....
11.208782 1 656 Rx 8 F4 03 7F 27 78 32 01 F4 ...'x2..
11.532532 1 656 Rx 8 F4 10 0A 67 01 CB 03 39 ...g...9
11.532763 1 6F4 Rx 4 56 30 00 02 V0..
11.533075 1 656 Rx 8 F4 21 91 06 78 4C 15 39 .!..xL.9
11.583080 1 6F4 Rx 5 56 03 22 25 04 V."%.
11.586513 1 656 Rx 8 F4 10 12 62 25 04 01 00 ...b%...
11.588600 1 6F4 Rx 4 56 30 00 02 V0..
11.588900 1 656 Rx 8 F4 21 3C 01 00 03 01 00 .!<.....
11.591224 1 656 Rx 8 F4 22 01 02 00 0A 02 00 ."......
11.596037 1 656 Rx 8 F4 23 28 02 00 0A 02 00 .#(.....
11.602790 1 6F4 Rx 8 56 10 86 27 02 00 00 00 V..'....
11.603128 1 656 Rx 8 F4 30 00 02 00 00 00 00 .0......
11.603594 1 6F4 Rx 8 56 21 20 F9 86 E3 06 83 V! .....
11.605905 1 6F4 Rx 8 56 22 A0 27 B2 F3 4E C2 V".'..N.
11.609752 1 6F4 Rx 8 56 23 E0 29 41 06 45 9C V#.)A.E.
11.612650 1 6F4 Rx 8 56 24 A4 41 91 3D 96 23 V$.A.=.#
11.615362 1 6F4 Rx 8 56 25 A5 24 AE FE D0 AC V%.$....
11.618581 1 6F4 Rx 8 56 26 9E 0D B0 4B 47 DC V&...KG.
11.620871 1 6F4 Rx 8 56 27 1C 2C 63 CA 92 24 V'.,c..$
11.623928 1 6F4 Rx 8 56 28 03 98 AF 76 A5 9C V(...v..
11.626190 1 6F4 Rx 8 56 29 18 1C 84 7F 23 7D V)....#}
11.630135 1 6F4 Rx 8 56 2A B9 68 DB 88 14 3B V*.h...;
11.633226 1 6F4 Rx 8 56 2B 12 17 56 DF 67 EA V+..V.g.
11.635848 1 6F4 Rx 8 56 2C E6 96 0D 03 4E 03 V,....N.
11.639241 1 6F4 Rx 8 56 2D 9F BF FE BB C7 B0 V-......
11.642247 1 6F4 Rx 8 56 2E 22 70 B3 A6 6A 07 V."p..j.
11.644778 1 6F4 Rx 8 56 2F 7C 6D A7 5D 89 96 V/|m.]..
11.648724 1 6F4 Rx 8 56 20 03 7A D6 B4 1E 7A V .z...z
11.651301 1 6F4 Rx 8 56 21 E6 6C 0D 29 C8 04 V!.l.)..
11.655401 1 6F4 Rx 8 56 22 3E 92 02 6A DB 44 V">..j.D
11.658846 1 6F4 Rx 8 56 23 3D DA 8A 56 80 04 V#=..V..
11.661134 1 6F4 Rx 8 56 24 EF 2E B0 09 9A 3C V$.....<
11.664455 1 6F4 Rx 8 56 25 1A 1E 07 2A 3E 37 V%...*>7
11.668540 1 6F4 Rx 8 56 26 75 E6 F3 FF FF FF V&u.....
11.715379 1 656 Rx 8 F4 03 7F 27 78 0A 02 00 ...'x...
11.858572 1 656 Rx 8 F4 02 67 02 78 0A 02 00 ..g.x...

Re: BMW Security Access

Post by 0wen » 2019 May 31 12:40

Some updates since I submitted the thread:

The seed is 11 bytes:
6701A57498D42203BF5598

The Key is 132 bytes:
20335A9D82ADE16AC74220F2C9FAB0629CB2A033102909DDF19F1E141867A3FF48FC6E21D24D79FC47D6EE7F04B9DEC86CE29F8C71C27EDD85988DC451BE53F5EFB74825EA6B041B27835C3C0D381557B6D844564EBD9645FF29816EEE068DE3CEE4829D32AD2838A109A7F200848A9E38D2940105CD57BC1EECCE644C727748D3FFFFFF

After receiving the seed and before sending the key, ESYSX does a 0x22 request for DID 2504, which responds with the same 20 bytes of information every time:
46.438678 1 6F4 Rx 5 56 03 22 25 04 V."%.
46.440914 1 656 Rx 8 F4 10 12 62 25 04 01 00 ...b%...
46.441953 1 6F4 Rx 4 56 30 00 02 V0..
46.442307 1 656 Rx 8 F4 21 3C 01 00 03 01 00 .!<.....
46.444653 1 656 Rx 8 F4 22 01 02 00 0A 02 00 ."......
46.446997 1 656 Rx 8 F4 23 28 02 00 0A 02 00 .#(.....
01003C01000301000102000A02002802000A0200

One more thing: the scan tool does a 0x22 request for the 5 DIDs it will code, and the last DID payload is the same size as the key, which is pretty interesting/suspicious:

3004 Payload
4.463668 1 6F4 Rx 5 56 03 22 30 04 V."0.
4.468492 1 656 Rx 8 F4 10 87 62 30 04 00 00 ...b0...
4.468720 1 6F4 Rx 4 56 30 00 02 V0..
4.469014 1 656 Rx 8 F4 21 00 20 5F 45 2C CD .!. _E,.
4.471385 1 656 Rx 8 F4 22 A5 6B 7A FD C6 9B .".kz...
4.473722 1 656 Rx 8 F4 23 9D C1 E7 F1 4B 15 .#....K.
4.476159 1 656 Rx 8 F4 24 19 34 2D 12 35 1B .$.4-.5.
4.479581 1 656 Rx 8 F4 25 FC 84 DA 2E 8B 3A .%.....:
4.481903 1 656 Rx 8 F4 26 F0 61 6D 67 E2 AB .&.amg..
4.484357 1 656 Rx 8 F4 27 22 4D F6 17 2E 7C .'"M...|
4.486695 1 656 Rx 8 F4 28 18 1C 30 59 85 35 .(..0Y.5
4.489023 1 656 Rx 8 F4 29 10 27 9B B5 3D ED .).'..=.
4.491381 1 656 Rx 8 F4 2A 49 31 4D 26 03 CD .*I1M&..
4.493719 1 656 Rx 8 F4 2B 5D CB FB DE 47 EC .+]...G.
4.496162 1 656 Rx 8 F4 2C 8E 3E 59 5E D8 DF .,.>Y^..
4.499565 1 656 Rx 8 F4 2D FB A8 F3 59 9B 57 .-...Y.W
4.501879 1 656 Rx 8 F4 2E 90 98 81 E1 5A 61 ......Za
4.504241 1 656 Rx 8 F4 2F 2C EB D2 99 1C EE ./,.....
4.506559 1 656 Rx 8 F4 20 26 0C 1B CD D0 04 . &.....
4.508880 1 656 Rx 8 F4 21 B1 13 5C 9B 82 D4 .!..\...
4.511222 1 656 Rx 8 F4 22 FF F5 74 C3 ED 7F ."..t...
4.513537 1 656 Rx 8 F4 23 4C 50 D6 7C FE 80 .#LP.|..
4.516162 1 656 Rx 8 F4 24 29 27 51 05 44 50 .$)'Q.DP
4.519562 1 656 Rx 8 F4 25 8E 89 6D D9 2C 27 .%..m.,'
4.521872 1 656 Rx 8 F4 26 B7 2E 5E C9 2C 27 .&..^.,'
00205F452CCDA56B7AFDC69B9DC1E7F14B1519342D12351BFC84DA2E8B3AF0616D67E2AB224DF6172E7C181C3059853510279BB53DED49314D2603CD5DCBFBDE47EC8E3E595ED8DFFBA8F3599B57909881E15A612CEBD2991CEE260C1BCDD004B1135C9B82D4FFF574C3ED7F4C50D67CFE802927510544508E896DD92C27B72E5EC92C27
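
Added example, not part of the original posts: a minimal ISO-TP reassembler for traces like the ones in both posts, assuming extended addressing (first data byte 56 / F4 is the address, the second is the PCI byte). It rebuilds each UDS message to the length declared in its first frame, so padding in the last frame is dropped, and labels 0x27 / 0x22 traffic and the 0x7F ... 0x78 (response pending) reply; the frames are copied from the first post's trace and the function names are hypothetical.

```python
# Sample frames copied from the first post's trace (ASCII column dropped); names are illustrative.
TRACE = """\
11.163622 1 6F4 Rx 8 56 06 27 01 FF FF FF FF
11.208782 1 656 Rx 8 F4 03 7F 27 78 32 01 F4
11.532532 1 656 Rx 8 F4 10 0A 67 01 CB 03 39
11.532763 1 6F4 Rx 4 56 30 00 02
11.533075 1 656 Rx 8 F4 21 91 06 78 4C 15 39
11.583080 1 6F4 Rx 5 56 03 22 25 04
11.586513 1 656 Rx 8 F4 10 12 62 25 04 01 00
11.588600 1 6F4 Rx 4 56 30 00 02
11.588900 1 656 Rx 8 F4 21 3C 01 00 03 01 00
11.591224 1 656 Rx 8 F4 22 01 02 00 0A 02 00
11.596037 1 656 Rx 8 F4 23 28 02 00 0A 02 00
"""

def reassemble(trace):
    """Return [(can_id, uds_payload)]; flow-control frames (PCI 0x3x) carry no payload."""
    pending, out = {}, []      # pending: can_id -> [declared_len, buffer, next_seq]
    for line in trace.splitlines():
        tok = line.split()
        if len(tok) < 6:
            continue
        can_id, dlc = tok[2], int(tok[4])
        data = bytes(int(b, 16) for b in tok[5:5 + dlc])   # ignore the ASCII column
        pci, kind = data[1], data[1] >> 4                  # data[0] is the address byte
        if kind == 0:                                      # single frame
            out.append((can_id, data[2:2 + (pci & 0x0F)]))
        elif kind == 1:                                    # first frame, 12-bit length
            pending[can_id] = [((pci & 0x0F) << 8) | data[2], bytearray(data[3:]), 1]
        elif kind == 2 and can_id in pending:              # consecutive frame
            st = pending[can_id]
            if (pci & 0x0F) != st[2]:
                raise ValueError(f"sequence gap on {can_id} at {tok[0]}")
            st[1] += data[2:]
            st[2] = (st[2] + 1) & 0x0F                     # sequence wraps 0xF -> 0x0
            if len(st[1]) >= st[0]:                        # cut padding past declared length
                out.append((can_id, bytes(st[1][:st[0]])))
                del pending[can_id]
    return out

def describe(payload):
    # Positive responses echo the request service ID plus 0x40.
    sid = payload[0]
    if sid == 0x7F:
        return f"negative response to 0x{payload[1]:02X}, NRC 0x{payload[2]:02X}"
    names = {0x27: "SecurityAccess", 0x22: "ReadDataByIdentifier"}
    base = sid - 0x40 if sid - 0x40 in names else sid
    kind = "response" if base != sid else "request"
    return f"{names.get(base, 'service')} 0x{base:02X} {kind}, {len(payload)} bytes"
```
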
