CarTechnoloGY
How to decrypt ISN from CAS3+ dump with a working key - Printable Version




How to decrypt ISN from CAS3+ dump with a working key - kalosbg - 21-05-2023

Hello, 

I would like to share the process of decryption of the ISN from CAS3+ dump when we have a working key.

  • Read the working key ID with a Hitag2-compatible reader (1)
  • Find the key number in the CAS3+ dump (2)
  • Find the Crypto/ISK Low and High (3)
  • Enter the Crypto/ISK Low and High into the Hitag2-compatible reader and read all key data (4)
  • Copy the PSW string (5) to some HEX calculator (6)
  • Copy the "Pass" (7) from the CAS3+ dump to the HEX calculator (8)
  • Calculate the XOR value (9)
  • Do a "byte flip" (e.g. AA BB CC > CC BB AA) of the XOR value
  • In a HEX calculator, paste the byte-flipped XOR value 6 times and remove the last 4 characters (10)
  • Copy the encrypted ISN from the CAS3+ dump (11) and paste it into the HEX calc (12).
  • The result of the XOR is the decrypted ISN.




RE: How to decrypt ISN from CAS3+ dump with a working key - xMoses - 02-09-2023

Damn, would be awesome if it's working.

Does it work with all long ISN?

What if I have short ISN from DME but Tango/Hitag asks me for long ISN to write key?
It won't accept my short ISN since it's asking for the 128-bit version.

How to solve this?


RE: How to decrypt ISN from CAS3+ dump with a working key - ____ANGEL___ - 06-09-2023

(02-09-2023, 01:40 AM)xMoses Wrote:  What if I have short ISN from DME but Tango/Hitag asks me for long ISN to write key?
It won't accept my short ISN since it's asking for the 128-bit version.

How to solve this?

Describe how you got this...


RE: How to decrypt ISN from CAS3+ dump with a working key - xMoses - 06-09-2023

(06-09-2023, 14:33 PM)____ANGEL___ Wrote:  
(02-09-2023, 01:40 AM)xMoses Wrote:  What if I have short ISN from DME but Tango/Hitag asks me for long ISN to write key?
It won't accept my short ISN since it's asking for the 128-bit version.

How to solve this?

Describe how you got this...

Read it out with BMW Explorer, could only read short ISN... Car has no long ISN but Tango still asks for it :)


RE: How to decrypt ISN from CAS3+ dump with a working key - ahmadarifai - 12-10-2023

(06-09-2023, 16:36 PM)xMoses Wrote:  
(06-09-2023, 14:33 PM)____ANGEL___ Wrote:  
(02-09-2023, 01:40 AM)xMoses Wrote:  What if I have short ISN from DME but Tango/Hitag asks me for long ISN to write key?
It won't accept my short ISN since it's asking for the 128-bit version.

How to solve this?

Describe how you got this...

Read it out with BMW Explorer, could only read short ISN... Car has no long ISN but Tango still asks for it :)

Some can get long ISN from short ISN for a fee; I didn't figure out how they do it. To solve this, one time I changed the encrypted EEPROM for a new unencrypted EEPROM.


RE: How to decrypt ISN from CAS3+ dump with a working key - xMoses - 11-01-2024

(21-05-2023, 16:02 PM)kalosbg Wrote:  Hello, 

I would like to share the process of decryption of the ISN from CAS3+ dump when we have a working key.

  • Read the working key ID with a Hitag2-compatible reader (1)
  • Find the key number in the CAS3+ dump (2)
  • Find the Crypto/ISK Low and High (3)
  • Enter the Crypto/ISK Low and High into the Hitag2-compatible reader and read all key data (4)
  • Copy the PSW string (5) to some HEX calculator (6)
  • Copy the "Pass" (7) from the CAS3+ dump to the HEX calculator (8)
  • Calculate the XOR value (9)
  • Do a "byte flip" (e.g. AA BB CC > CC BB AA) of the XOR value
  • In a HEX calculator, paste the byte-flipped XOR value 6 times and remove the last 4 characters (10)
  • Copy the encrypted ISN from the CAS3+ dump (11) and paste it into the HEX calc (12).
  • The result of the XOR is the decrypted ISN.



So I wanted to try out your calculation. I've come across the fact that the TMCF/PSW of my China key is 00 00 00 and the crypted config PSW is 8F 98 1D. If I calculate that against, obviously, 0, I get 8F 98 1D as a result; if I swap bytes and paste it in 6x and delete the last 4 characters, I end up with a wrong ISN.

(I know the right ISN, just wanted to try out your calculation).

What could cause that? The key with 00 00 00 is working.

The real and working ISN is:

3FFA6898026A3759AB7B0736075AA367


Am I missing something?


RE: How to decrypt ISN from CAS3+ dump with a working key - kalosbg - 31-01-2024

Hello xMoses,

To read the TMCF/PSW from the key you have to enter the correct secret, as mentioned in the step "Enter the Crypto/ISK Low and High into the Hitag2-compatible reader and read all key data (4)".

Regards,


RE: How to decrypt ISN from CAS3+ dump with a working key - xMoses - 01-02-2024

(31-01-2024, 16:23 PM)kalosbg Wrote:  Hello xMoses,

To read the TMCF/PSW from the key you have to enter the correct secret, as mentioned in the step "Enter the Crypto/ISK Low and High into the Hitag2-compatible reader and read all key data (4)".

Regards,

Yeah, my TMCF is 00 00 00