
Topic: OBD II Bike Connector - Pass via bluetooth

aster94

I've looked at your code, and I'm truly impressed. Good job!
Thanks :D I really appreciate it!

Can I ask why you are reverse engineering the KDS instead of writing software from scratch? Are there some
hidden features that are not described in ISO 14230-3?

Scissor

So far I've (mostly together with TriB a couple of years ago) found that most features described in the ISO 14230 documents are not supported by Kawasaki, or at least not by my Z750 from 2004. By decompiling the KDS software I hope to find which functions are supported, and more importantly, which manufacturer-specific data bytes are required.

For example, as far as I know, for Kawasaki it is still unknown which requests are necessary to start actuator tests. And also if we manage to get the key for the Security Access, we may be able to do more advanced stuff.


TriB

Scissor was faster  8)

Yes, reprogramming the ECU, changing the immobilizer / learning new keys, driving/testing motors & sensors and stuff. Faking values, setting a required RPM for testing...
Reading/Writing the firmware is described within the ISO-Protocol, but does not work like that.
Testing the fan, exhaust valve, etc. works fine with Suzuki, but not with Kawasaki. There must be a difference, which the KDS software has inside somewhere.

Tried to unpack the Healtech software, but did not get any further, as there were no obvious tables or information I understood.
It was easier to just sniff the data via USB and also use the example files or my own recordings from that software.
That way I could optimize several Suzuki calculations and understand the DTC stuff better.

The Kawa conversions are resilient, thanks to reverse engineering the KDS software (but in another way) and some mathematical findings from Scissor  :D

Hiddenvision

Not promising but
disassembling and understanding software is one of my abilities.
Happy to look if needed.

HV.

aster94

All this would be astonishing! I am planning to stay on a "softer" level and stop my library at error codes and sensors,

maybe fan tests and some other little stuff, but anyway I am not planning to go too deep.

Scissor

#140
Apr 09, 2020, 06:18 pm Last Edit: Apr 09, 2020, 06:19 pm by Scissor
Breakthrough! :) I discovered how to get security access to the ECU!

The procedure is as follows:

1. A seed is requested, which the ECU will provide in its response.
2. You will have to respond by sending a matching key that is checked by the ECU.

However, none of this is described in the ISO 14230 documents as it's manufacturer specific. So I was afraid that the seed-key pairs were matched through complex encryption algorithms. But fortunately I have discovered that it is actually extremely simple.

There are just three hard-coded seed-key pairs.


Seed 13 52 43 64 75
Key  63 27 53 67 42

Seed 57 48 58 49 58
Key  30 20 39 48 74

Seed 58 37 48 45 95
Key  58 49 57 69 84


For example, this is what I did today as a first successful test.


I got 13 52 43 64 75 as a seed.


TX 80 11 F1 02 27 01 AC
RX 80 F1 11 08 67 01 13 52 43 64 75 34 A7


So, the matching key is 63 27 53 67 42.


TX 80 11 F1 07 27 02 63 27 53 67 42 38
RX 80 F1 11 03 67 02 34 22


Done!
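
The exchange above, as an added worked example (not Scissor's code and not taken from the KDS software). It frames the two SecurityAccess messages exactly as captured: ISO 14230-2 header with format byte 0x80, target, source, a separate length byte, the service data, and an 8-bit additive checksum; the three seed-key pairs are the ones posted above. Assumptions made here and not stated in the post: the trailing 0x34 in both ECU responses is treated as a status byte, the negative-response codes in the mock ECU follow the usual ISO 14230-3 values (0x35 invalidKey, 0x11 serviceNotSupported), and the mock ECU itself is a constructed stand-in that only replays the captured traffic.

```python
"""KWP2000 (ISO 14230) SecurityAccess for the Kawasaki KDS seed-key pairs.

Added example. Frame layout: 0x80, target, source, length, data, checksum.
The mock ECU is constructed to replay the captured traffic; it is not a real ECU.
"""

# The three hard-coded pairs from the post (hex bytes as they appear on the wire).
SEED_KEY_TABLE = {
    bytes.fromhex("1352436475"): bytes.fromhex("6327536742"),
    bytes.fromhex("5748584958"): bytes.fromhex("3020394874"),
    bytes.fromhex("5837484595"): bytes.fromhex("5849576984"),
}

ECU_ADDR = 0x11       # target address seen in the captured request frames
TESTER_ADDR = 0xF1    # source address of the diagnostic tool
SID_SECURITY_ACCESS = 0x27
POSITIVE_OFFSET = 0x40  # positive response SID = request SID + 0x40 (0x67)
NEGATIVE_RESPONSE = 0x7F
STATUS_ALLOWED = 0x34   # trailing byte in both captured responses (assumed status byte)


def checksum(payload: bytes) -> int:
    """ISO 14230-2 checksum: sum of all preceding bytes modulo 256."""
    return sum(payload) & 0xFF


def build_frame(target: int, source: int, data: bytes) -> bytes:
    """Header with a separate length byte (format 0x80), then data, then checksum."""
    if not 0 < len(data) <= 0xFF:
        raise ValueError("data length must be 1..255 for a separate length byte")
    head = bytes([0x80, target, source, len(data)]) + data
    return head + bytes([checksum(head)])


def parse_frame(raw: bytes) -> dict:
    """Split a frame into fields after checking format, length byte and checksum."""
    if len(raw) < 5:
        raise ValueError("frame too short")
    fmt, target, source, length = raw[0], raw[1], raw[2], raw[3]
    if fmt != 0x80:
        raise ValueError(f"unsupported format byte 0x{fmt:02X}")
    if len(raw) != 4 + length + 1:
        raise ValueError(f"length byte {length} does not match frame size {len(raw)}")
    if checksum(raw[:-1]) != raw[-1]:
        raise ValueError("checksum mismatch")
    return {"target": target, "source": source, "data": raw[4:-1]}


def request_seed() -> bytes:
    """SecurityAccess, accessMode 0x01 = requestSeed."""
    return build_frame(ECU_ADDR, TESTER_ADDR, bytes([SID_SECURITY_ACCESS, 0x01]))


def send_key(key: bytes) -> bytes:
    """SecurityAccess, accessMode 0x02 = sendKey, followed by the 5 key bytes."""
    return build_frame(ECU_ADDR, TESTER_ADDR, bytes([SID_SECURITY_ACCESS, 0x02]) + key)


def seed_from_response(raw: bytes) -> bytes:
    """Extract the 5 seed bytes from '67 01 <seed> 34'; raise on negative response."""
    data = parse_frame(raw)["data"]
    if data[0] == NEGATIVE_RESPONSE:
        raise RuntimeError(f"negative response to SID 0x{data[1]:02X}, code 0x{data[2]:02X}")
    if data[:2] != bytes([SID_SECURITY_ACCESS + POSITIVE_OFFSET, 0x01]) or len(data) < 7:
        raise ValueError("not a requestSeed positive response")
    return data[2:7]


def key_for_seed(seed: bytes) -> bytes:
    """Plain lookup: the KDS software compares against three constants, nothing more."""
    try:
        return SEED_KEY_TABLE[seed]
    except KeyError:
        raise LookupError(f"unknown seed {seed.hex(' ')}: not one of the three pairs") from None


def access_granted(raw: bytes) -> bool:
    """True for the captured positive sendKey response '67 02 34'."""
    data = parse_frame(raw)["data"]
    return data == bytes([SID_SECURITY_ACCESS + POSITIVE_OFFSET, 0x02, STATUS_ALLOWED])


class MockKawasakiEcu:
    """Constructed stand-in that answers the way the captured ECU did."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.unlocked = False

    def handle(self, raw: bytes) -> bytes:
        req = parse_frame(raw)["data"]
        if req[:2] == bytes([SID_SECURITY_ACCESS, 0x01]):
            body = bytes([0x67, 0x01]) + self.seed + bytes([STATUS_ALLOWED])
        elif req[:2] == bytes([SID_SECURITY_ACCESS, 0x02]):
            if req[2:] == SEED_KEY_TABLE.get(self.seed):
                self.unlocked = True
                body = bytes([0x67, 0x02, STATUS_ALLOWED])
            else:
                body = bytes([NEGATIVE_RESPONSE, SID_SECURITY_ACCESS, 0x35])  # invalidKey (assumed)
        else:
            body = bytes([NEGATIVE_RESPONSE, req[0], 0x11])  # serviceNotSupported (assumed)
        return build_frame(TESTER_ADDR, ECU_ADDR, body)


def unlock(ecu: MockKawasakiEcu) -> bool:
    """Full two-step exchange: requestSeed, table lookup, sendKey."""
    seed = seed_from_response(ecu.handle(request_seed()))
    return access_granted(ecu.handle(send_key(key_for_seed(seed))))


if __name__ == "__main__":
    ecu = MockKawasakiEcu(bytes.fromhex("1352436475"))
    print("TX", request_seed().hex(" ").upper())
    print("unlocked:", unlock(ecu))
```

Feeding the captured bytes through `parse_frame` confirms both checksums (0xAC, 0xA7, 0x38, 0x22) and both length bytes, and `request_seed()` / `send_key()` reproduce the two TX frames from the post byte for byte. The lookup in `key_for_seed` is the whole "algorithm": an unknown seed raises rather than guessing, since nothing in the thread supports deriving a key from an arbitrary seed.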
 

TriB

Wow! Great  :smiley-eek:

I've read about that functionality somewhere... Must have been somewhere in one of the 3 ISO 14230 documents or the KWP2000 protocol. But it was too long ago for me to remember. But it was in there!

From that, they created the OBD standard, which uses similar functionality. Many manufacturers are sending the very same "seed" all the time, so it is also just a ridiculous safety wall :D
Someone hacked his Prius and took over steering and acceleration via OBD2 and CAN bus. Everything with a single key, found after 10 minutes of brute-forcing :)

Are you now able to use the download function?
Do you have to enter a different mode so that the SIDs don't throw an error on a request any more?

Scissor

Yes, it follows the ISO 14230 protocol. This is described in the ISO 14230-3 document. What surprised me most is that apparently the seed-key pairs are completely independent of the bike i.e. it should work for all Kawasaki motorcycles.

I have not tried to use other functionality yet, because I am really focusing on making sense of the decompiled KDS software. At this point I have a decent understanding of the possible requests, which I'm now writing down comprehensively.

For instance, I have found that once you have security access you can start a "programming" diagnostic session, instead of the "workshop" diagnostic session (this terminology is really used in the ISO 14230 documents). This is probably required to access all the other functions like actuator tests and downloading/uploading and so on.

I hope to have a complete understanding of all the possibilities in the following weeks.


aster94


Seed 13 52 43 64 75
Key  63 27 53 67 42

Seed 57 48 58 49 58
Key  30 20 39 48 74

Seed 58 37 48 45 95
Key  58 49 57 69 84


Interesting! Actually I didn't understand how you extrapolated 63 27 53 67 42 from 13 52 43 64 75.
Could you explain?

Scissor

I have not tried yet to find out how the seed and key are related. Actually I think I'm not even going to try, as I believe there are most likely no other seed-key pairs.

Because I found that in the KDS software there are literally just three if statements that compare the received seed with the three hardcoded ones. If the match is found, it just sends the corresponding key.

Perhaps there is some connection e.g. it could be ASCII, mathematical operation or maybe some bitwise operation. But in the end it does not matter as I really believe there are just three seed-key pairs.
