[kalosbg]

Hello, 

I would like to share the process of decryption of the ISN from CAS3+ dump when we have a working key.

• Read the working key ID with Hitag2 compatible reader (1)
  
• Find the key number in the CAS3+ dump (2)
  
• Find the Crypto/ISK Low and High (3)
  
• Enter the Crypto/ISK Low and High to the Hitag2 compatible reader and read all key data (4)
  
• Copy PSW string (5) to some HEX calculator (6)
  
• Copy the "Pass" (7) from the CAS3+ dump to the HEX calculator (8)
  
• Calculate the XOR value (9)
  
• Do a "byte flip" (e.g. AA BB CC > CC BB AA) of the XOR value
  
• In a HEX calculator paste 6 times the byte flipped XOR value and remove the last 4 characters (10)
  
• Copy the encrypted ISN from the CAS3+ dump (11 )and paste it the HEX calc (12).
  
• The result of the XOR is the decrypted ISN.
  
  

[xMoses]

Damn, would be awesome if its working.

Does it work with all long ISN ?

What if i have short ISN from DME but tango/Hitag asks me for Long isn to write key?
It wont accept my short isn since its asking for the 128bit version.

How to solve this ?

[____ANGEL___]

What if i have short ISN from DME but tango/Hitag asks me for Long isn to write key?
It wont accept my short isn since its asking for the 128bit version.

How to solve this ?

Describe how did you get this...

[xMoses]

What if i have short ISN from DME but tango/Hitag asks me for Long isn to write key?
It wont accept my short isn since its asking for the 128bit version.

How to solve this ?

Describe how did you get this...

read it out with bmw explorer, could only read short isn... Car has no long isn but still tangos asks for it

[ahmadarifai]

What if i have short ISN from DME but tango/Hitag asks me for Long isn to write key?
It wont accept my short isn since its asking for the 128bit version.

How to solve this ?

Describe how did you get this...

read it out with bmw explorer, could only read short isn... Car has no long isn but still tangos asks for it

Some can get long ISN from short ISN for a fee, i didn't figure out how they do it, to solve this one time i changed encrypted eeprom with new unencrypted eeprom.

[xMoses]

Hello, 

I would like to share the process of decryption of the ISN from CAS3+ dump when we have a working key.

• Read the working key ID with Hitag2 compatible reader (1)
  
• Find the key number in the CAS3+ dump (2)
  
• Find the Crypto/ISK Low and High (3)
  
• Enter the Crypto/ISK Low and High to the Hitag2 compatible reader and read all key data (4)
  
• Copy PSW string (5) to some HEX calculator (6)
  
• Copy the "Pass" (7) from the CAS3+ dump to the HEX calculator (8)
  
• Calculate the XOR value (9)
  
• Do a "byte flip" (e.g. AA BB CC > CC BB AA) of the XOR value
  
• In a HEX calculator paste 6 times the byte flipped XOR value and remove the last 4 characters (10)
  
• Copy the encrypted ISN from the CAS3+ dump (11 )and paste it the HEX calc (12).
  
• The result of the XOR is the decrypted ISN.
  
  

So i wanted to try out ur calculation. Ive came across the fact that my TMCF/PSW of my china key is 00 00 00 and the crypted config psw is 8F 98 1D. If i calculate that against obvoiusly 0, i get

8F 98 1D as an result, if i swap bytes and paste it in 6x and delete the last 4 characters, i end up with an wrong ISN.

(I know the right ISN, just wanted to try out ur calculation).

What could cause that ? The key with 00 00 00 is working.

the real and working ISN is:

3FFA6898026A3759AB7B0736075AA367


Am I missing something ?

[kalosbg]

Hello xMoses,

To read the TMCF/PSW from the key you have to enter the correct secret as mentioned on step "Enter the Crypto/ISK Low and High to the Hitag2 compatible reader and read all key data (4)
"

Regards,

[xMoses]

Hello xMoses,

To read the TMCF/PSW from the key you have to enter the correct secret as mentioned on step "Enter the Crypto/ISK Low and High to the Hitag2 compatible reader and read all key data (4)
"

Regards,

Yeah my tmcf is 00 00 00