u/Amromnia

Hello everyone!
I am here asking about something that might as well be impossible, but it doesn't hurt to ask!

Has anyone ever found/open-sourced the Security access key / algorithm used for BMW vehicles?

I have lately been fascinated by tools like bootmod3 / MHD that allow you to unlock the ECU and tune the car without needing to bench it (provided it's made pre-2020), but as a software engineer I can't help but think: how did they end up breaking the seed-key algorithm?

So I've gotten to work: I borrowed a tuned 2016 BMW F30 340i from a friend and started working in my free time to find what they do.

After using an MHD adapter (which works with both bootmod3 and the MHD tuning app), I used Wireshark to capture the packets being sent, and what I do know is this:
- The apps request security access, the cars do send a random seed every time, and the app does respond with the appropriate key (derived from the seed).

- The seed and key change every time, so it's not a case of the ECU being unlocked and sending the same seed or something like that.

- The seed is 8 bytes, and the key is 128 bytes.

- Both the MHD Tuning app and bootmod3 can flash the ECU, and do it in more or less the same way from a tuning standpoint, and at least bootmod3 can do it offline, which means the algorithm and key both reside locally *somewhere* at the time of flashing.

Now, I have been extensively researching but haven't found any key/algorithm for BMW cars, but MHD, bootmod3, and other apps that do the same thing must have gotten it from *somewhere*, so is there any resource I am missing? Or did they just spend a lot of time reverse engineering it? I do find that a bit hard to believe because they support a wide variety of ECUs that have different keys and algorithms.

It would be extremely helpful if someone could shed light on what bootmod and MHD are doing and whether it can be replicated. I would eventually like to release some open-source tool that can do the same thing if I manage to find out how to do it. Obviously it wouldn't have the entire feature-set of MHD/Bootmod, but it would be *something* for hobbyists that want to hack their BMWs without paying a lot of money.

reddit.com
u/Amromnia — 10 days ago
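
An added example, not part of the original post: a Python sketch that pairs seed and key messages from a capture and checks the observations listed above (seed and key lengths, no repeated seeds, no "already unlocked" seeds). It assumes the traffic is standard UDS SecurityAccess (ISO 14229 service 0x27, positive response 0x67), which the post does not name, and that the diagnostic payloads have already been extracted from the transport framing; the sample payloads, the security level 0x01 and all function names are constructed for illustration.

```python
from collections import Counter

REQ_SID, RSP_SID = 0x27, 0x67  # UDS SecurityAccess request / positive response

def parse_exchanges(messages):
    """Pair each seed the ECU returns with the key the tester sends back.

    messages: iterable of (direction, payload), direction "req" (tester) or "rsp" (ECU).
    """
    exchanges, pending = [], None
    for direction, data in messages:
        if len(data) < 2:
            continue  # too short to carry a service ID and sub-function
        sid, sub = data[0], data[1]
        if direction == "rsp" and sid == RSP_SID and sub % 2 == 1:
            pending = (sub, bytes(data[2:]))  # odd sub-function: seed response
        elif direction == "req" and sid == REQ_SID and sub % 2 == 0 and pending:
            if sub == pending[0] + 1:  # sendKey sub-function is requestSeed + 1
                exchanges.append({"level": pending[0], "seed": pending[1],
                                  "key": bytes(data[2:])})
            pending = None
    return exchanges

def summarize(exchanges):
    """Report lengths and seed reuse across all paired exchanges."""
    seeds = Counter(e["seed"] for e in exchanges)
    return {
        "count": len(exchanges),
        "seed_lengths": sorted({len(e["seed"]) for e in exchanges}),
        "key_lengths": sorted({len(e["key"]) for e in exchanges}),
        "repeated_seeds": sorted(s.hex() for s, n in seeds.items() if n > 1),
        # An all-zero seed is how UDS reports "already unlocked at this level".
        "zero_seeds": sum(1 for e in exchanges if not any(e["seed"])),
    }

def sample_capture():
    """Constructed payloads (not real traffic): two unlock attempts at level 0x01."""
    msgs = []
    for seed, fill in ((bytes.fromhex("0102030405060708"), 0xAA),
                       (bytes.fromhex("1112131415161718"), 0xBB)):
        msgs += [("req", bytes([0x27, 0x01])),
                 ("rsp", bytes([0x67, 0x01]) + seed),
                 ("req", bytes([0x27, 0x02]) + bytes([fill]) * 128),
                 ("rsp", bytes([0x67, 0x02]))]
    return msgs

if __name__ == "__main__":
    print(summarize(parse_exchanges(sample_capture())))
```

A non-empty `repeated_seeds` list across many sessions would mean captured seed/key pairs can be replayed, which is the weakness the per-session random seed is there to prevent.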