Hey, I just discovered this forum while researching security access. I am making a small OBD tool for my wife and me to quickly change coding when we switch cars. I've been using Esysx to find the coding and watching the CAN bus to see the messages, but I'm stuck trying to figure out how the tool gets security access. Does anyone have experience with figuring out the seed-->key process for BMWs? If not, any recommendations for what I should start looking for?
Here is a trace of the transaction:
Time Chn ID Name Dir DLC Data Data ASCII
11.163622 1 6F4 Rx 8 56 06 27 01 FF FF FF FF V.'.....
11.208782 1 656 Rx 8 F4 03 7F 27 78 32 01 F4 ...'x2..
11.532532 1 656 Rx 8 F4 10 0A 67 01 CB 03 39 ...g...9
11.532763 1 6F4 Rx 4 56 30 00 02 V0..
11.533075 1 656 Rx 8 F4 21 91 06 78 4C 15 39 .!..xL.9
11.583080 1 6F4 Rx 5 56 03 22 25 04 V."%.
11.586513 1 656 Rx 8 F4 10 12 62 25 04 01 00 ...b%...
11.588600 1 6F4 Rx 4 56 30 00 02 V0..
11.588900 1 656 Rx 8 F4 21 3C 01 00 03 01 00 .!<.....
11.591224 1 656 Rx 8 F4 22 01 02 00 0A 02 00 ."......
11.596037 1 656 Rx 8 F4 23 28 02 00 0A 02 00 .#(.....
11.602790 1 6F4 Rx 8 56 10 86 27 02 00 00 00 V..'....
11.603128 1 656 Rx 8 F4 30 00 02 00 00 00 00 .0......
11.603594 1 6F4 Rx 8 56 21 20 F9 86 E3 06 83 V! .....
11.605905 1 6F4 Rx 8 56 22 A0 27 B2 F3 4E C2 V".'..N.
11.609752 1 6F4 Rx 8 56 23 E0 29 41 06 45 9C V#.)A.E.
11.612650 1 6F4 Rx 8 56 24 A4 41 91 3D 96 23 V$.A.=.#
11.615362 1 6F4 Rx 8 56 25 A5 24 AE FE D0 AC V%.$....
11.618581 1 6F4 Rx 8 56 26 9E 0D B0 4B 47 DC V&...KG.
11.620871 1 6F4 Rx 8 56 27 1C 2C 63 CA 92 24 V'.,c..$
11.623928 1 6F4 Rx 8 56 28 03 98 AF 76 A5 9C V(...v..
11.626190 1 6F4 Rx 8 56 29 18 1C 84 7F 23 7D V)....#}
11.630135 1 6F4 Rx 8 56 2A B9 68 DB 88 14 3B V*.h...;
11.633226 1 6F4 Rx 8 56 2B 12 17 56 DF 67 EA V+..V.g.
11.635848 1 6F4 Rx 8 56 2C E6 96 0D 03 4E 03 V,....N.
11.639241 1 6F4 Rx 8 56 2D 9F BF FE BB C7 B0 V-......
11.642247 1 6F4 Rx 8 56 2E 22 70 B3 A6 6A 07 V."p..j.
11.644778 1 6F4 Rx 8 56 2F 7C 6D A7 5D 89 96 V/|m.]..
11.648724 1 6F4 Rx 8 56 20 03 7A D6 B4 1E 7A V .z...z
11.651301 1 6F4 Rx 8 56 21 E6 6C 0D 29 C8 04 V!.l.)..
11.655401 1 6F4 Rx 8 56 22 3E 92 02 6A DB 44 V">..j.D
11.658846 1 6F4 Rx 8 56 23 3D DA 8A 56 80 04 V#=..V..
11.661134 1 6F4 Rx 8 56 24 EF 2E B0 09 9A 3C V$.....<
11.664455 1 6F4 Rx 8 56 25 1A 1E 07 2A 3E 37 V%...*>7
11.668540 1 6F4 Rx 8 56 26 75 E6 F3 FF FF FF V&u.....
11.715379 1 656 Rx 8 F4 03 7F 27 78 0A 02 00 ...'x...
11.858572 1 656 Rx 8 F4 02 67 02 78 0A 02 00 ..g.x...
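The start of the exchange in the trace above, reassembled as an added example (not part of the original post): the frames use ISO-TP with extended addressing, so the first data byte is the target address and the byte after it is the ISO-TP frame type and length. The names `reassemble` and `describe` are this example's own; payload length is taken from the length field each first frame declares, so filler bytes in the last frame are not counted.

```python
# Added example (not from the original post): ISO-TP (ISO 15765-2) reassembly
# with extended addressing. TRACE lines are copied from the capture above.
TRACE = """\
11.163622 1 6F4 Rx 8 56 06 27 01 FF FF FF FF
11.208782 1 656 Rx 8 F4 03 7F 27 78 32 01 F4
11.532532 1 656 Rx 8 F4 10 0A 67 01 CB 03 39
11.532763 1 6F4 Rx 4 56 30 00 02
11.533075 1 656 Rx 8 F4 21 91 06 78 4C 15 39
11.583080 1 6F4 Rx 5 56 03 22 25 04
11.586513 1 656 Rx 8 F4 10 12 62 25 04 01 00
11.588600 1 6F4 Rx 4 56 30 00 02
11.588900 1 656 Rx 8 F4 21 3C 01 00 03 01 00
11.591224 1 656 Rx 8 F4 22 01 02 00 0A 02 00
11.596037 1 656 Rx 8 F4 23 28 02 00 0A 02 00
"""

def reassemble(trace):
    """Return [(can_id, target, payload)]; flow control (PCI 3x) is skipped."""
    pending, out = {}, []   # pending: can_id -> [target, total, next_seq, buf]
    for line in trace.strip().splitlines():
        f = line.split()
        can_id, dlc = f[2], int(f[4])
        data = bytes(int(b, 16) for b in f[5:5 + dlc])  # ignores ASCII column
        target, pci, body = data[0], data[1], data[2:]
        kind = pci >> 4
        if kind == 0:      # single frame: low nibble is the payload length
            out.append((can_id, target, body[:pci & 0x0F]))
        elif kind == 1:    # first frame: 12-bit total length, then payload
            total = ((pci & 0x0F) << 8) | body[0]
            pending[can_id] = [target, total, 1, bytearray(body[1:])]
        elif kind == 2 and can_id in pending:   # consecutive frame
            msg = pending[can_id]
            if pci & 0x0F != msg[2]:            # sequence gap: drop message
                del pending[can_id]
                continue
            msg[2] = (msg[2] + 1) & 0x0F        # sequence wraps 0xF -> 0x0
            msg[3] += body
            if len(msg[3]) >= msg[1]:           # bytes past total are padding
                out.append((can_id, msg[0], bytes(msg[3][:msg[1]])))
                del pending[can_id]
    return out

def describe(p):
    """Label a UDS payload; a positive response is the request SID + 0x40."""
    if p[0] == 0x7F:   # 7F, rejected SID, NRC (0x78 = response pending)
        return "negative response to 0x%02X, NRC 0x%02X" % (p[1], p[2])
    return "SID 0x%02X %s" % (p[0] & 0xBF, "response" if p[0] & 0x40 else "request")

for can_id, target, payload in reassemble(TRACE):
    print(can_id, "->%02X" % target, describe(payload), payload.hex().upper())
```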
BMW Security Access
Re: BMW Security Access
Some updates since I submitted the thread:
The seed is 11 bytes:
6701A57498D42203BF5598
The key is 132 bytes:
20335A9D82ADE16AC74220F2C9FAB0629CB2A033102909DDF19F1E141867A3FF48FC6E21D24D79FC47D6EE7F04B9DEC86CE29F8C71C27EDD85988DC451BE53F5EFB74825EA6B041B27835C3C0D381557B6D844564EBD9645FF29816EEE068DE3CEE4829D32AD2838A109A7F200848A9E38D2940105CD57BC1EECCE644C727748D3FFFFFF
After receiving the seed and before sending the key, ESYSX does a 0x22 request for DID 2504, which responds with the same 20 bytes of information every time:
46.438678 1 6F4 Rx 5 56 03 22 25 04 V."%.
46.440914 1 656 Rx 8 F4 10 12 62 25 04 01 00 ...b%...
46.441953 1 6F4 Rx 4 56 30 00 02 V0..
46.442307 1 656 Rx 8 F4 21 3C 01 00 03 01 00 .!<.....
46.444653 1 656 Rx 8 F4 22 01 02 00 0A 02 00 ."......
46.446997 1 656 Rx 8 F4 23 28 02 00 0A 02 00 .#(.....
01003C01000301000102000A02002802000A0200
One more thing: the scan tool does a 0x22 request for the 5 DIDs it will code, and the last DID payload is the same size as the key, which is pretty interesting/suspicious:
3004 Payload
4.463668 1 6F4 Rx 5 56 03 22 30 04 V."0.
4.468492 1 656 Rx 8 F4 10 87 62 30 04 00 00 ...b0...
4.468720 1 6F4 Rx 4 56 30 00 02 V0..
4.469014 1 656 Rx 8 F4 21 00 20 5F 45 2C CD .!. _E,.
4.471385 1 656 Rx 8 F4 22 A5 6B 7A FD C6 9B .".kz...
4.473722 1 656 Rx 8 F4 23 9D C1 E7 F1 4B 15 .#....K.
4.476159 1 656 Rx 8 F4 24 19 34 2D 12 35 1B .$.4-.5.
4.479581 1 656 Rx 8 F4 25 FC 84 DA 2E 8B 3A .%.....:
4.481903 1 656 Rx 8 F4 26 F0 61 6D 67 E2 AB .&.amg..
4.484357 1 656 Rx 8 F4 27 22 4D F6 17 2E 7C .'"M...|
4.486695 1 656 Rx 8 F4 28 18 1C 30 59 85 35 .(..0Y.5
4.489023 1 656 Rx 8 F4 29 10 27 9B B5 3D ED .).'..=.
4.491381 1 656 Rx 8 F4 2A 49 31 4D 26 03 CD .*I1M&..
4.493719 1 656 Rx 8 F4 2B 5D CB FB DE 47 EC .+]...G.
4.496162 1 656 Rx 8 F4 2C 8E 3E 59 5E D8 DF .,.>Y^..
4.499565 1 656 Rx 8 F4 2D FB A8 F3 59 9B 57 .-...Y.W
4.501879 1 656 Rx 8 F4 2E 90 98 81 E1 5A 61 ......Za
4.504241 1 656 Rx 8 F4 2F 2C EB D2 99 1C EE ./,.....
4.506559 1 656 Rx 8 F4 20 26 0C 1B CD D0 04 . &.....
4.508880 1 656 Rx 8 F4 21 B1 13 5C 9B 82 D4 .!..\...
4.511222 1 656 Rx 8 F4 22 FF F5 74 C3 ED 7F ."..t...
4.513537 1 656 Rx 8 F4 23 4C 50 D6 7C FE 80 .#LP.|..
4.516162 1 656 Rx 8 F4 24 29 27 51 05 44 50 .$)'Q.DP
4.519562 1 656 Rx 8 F4 25 8E 89 6D D9 2C 27 .%..m.,'
4.521872 1 656 Rx 8 F4 26 B7 2E 5E C9 2C 27 .&..^.,'
00205F452CCDA56B7AFDC69B9DC1E7F14B1519342D12351BFC84DA2E8B3AF0616D67E2AB224DF6172E7C181C3059853510279BB53DED49314D2603CD5DCBFBDE47EC8E3E595ED8DFFBA8F3599B57909881E15A612CEBD2991CEE260C1BCDD004B1135C9B82D4FFF574C3ED7F4C50D67CFE802927510544508E896DD92C27B72E5EC92C27
Re: BMW Security Access
Hello 0wen,
Perhaps I can help you with the seed/key. Contact me if interested.