IC204

[cityba]

The algorithm searches for solutions and ideas for levels 7 and 9. All we have to say is that the 8-8 seed-key pair needs the SW version, and I think it generates a hash value from the 4 pairs we get, which will be the key 8. I would also be interested in extracting the seed value or disassembling the key value.

[cityba]

@jglim could you make a version where the @Fezex code calls the sw0 version plus and generates a hash value from it to have 8-8 pairs?

[mgeguren]

Level 27 09
5C 97 A0 A5 52 FB 02 05 seed
D8 F1 69 D6 8D 5D 17 B6 key

Level 27 0D
C1 EB F4 F9 4C A0 A7 A6 seed
49 D4 BE 45 A0 B6 DF F3 key

Sw 2049022903
I hope that helps

[cityba]

@Feezex Did I find reference values, see any relationship between IC_204 sw and key?
here again, perhaps the sw is inserted in the last 8 values ​​as in IC172 ....... 57 49 4C 59?

sw0= 2049022903
seed= 5C97A0A552FB0205 key5=D8F169D68D5D17BA securitylevel=9
seed= C1EBF4F94CA0A7A6 key7=49D4BE45A0B6DFF3 securitylevel=13

sw0= 2129026108
seed= 212A2F38F98A8BD7 key5=775588C8850CF244 securitylevel=9
seed= 28C1050F7B52C7CE key7=1C12895D44EFDF54 securitylevel=13

[jglim]

For actively developing on the algorithm, it would be best to directly fetch a copy of the project from the repository, then edit and build it based on your hypothesis.

When there are solid leads (good example here), I will be able to step in to fit the algo into the project.

The 204 will likely require disassembling the firmware; from my observation, it has more steps and the algo cannot be fully derived from comparing seed/key pairs.

[FlashY7]

Hey guys, maybe this information will help to solve something out.
When you have the Seed calculating for IC204 older ones, its working without problems. Even FVDI, CGDI can read / write the EEPROM in full. But newer coloured cluster, lets say W204 2014, will not work anymore by this Seed calculations or FVDI/CGDI.
So in this way, you can downgrade the #P0 level to: 2049020003.cff and the seedkey unlock will work!

You can also do it this way: downgrade the P0 level to the file i wrote, take FVDI, CGDI or similar tools and you will be able to Read and Write the whole EEPROM! Of course after your changes on EEPROM you have done, you will have to Restore the Original P0 File.
I have tested it myself on many coloured IC204 cluster from W204, W212 and W218. All succesfull, All alive ;)

I think this Tools i wrote are carrying this Algo / Seedunlock inside it, but they are not able to use it on unkown / newer cff Versions.

Hope this helps somehow to find the solution for IC204!

[sayansiva]

hey guys, I am currently also trying to find the algo for this ECU. So if I can do anything, please let me know. I am a complete newbie but maybe I can help somehow. I have a huge javascript background but really no idea about algos. Let me know if there is any way I can help.

[FlashY7]

if you know how, you can try to dissemble the tools Software mentioned upper. they should have all we need for it inside

[sayansiva]

Are there any articles I can read through? A list of Softwares I need for that would also be very helpful.
For now I only have some dlls like the IC_204_IC_204_01_51_11_00.dll.
Is it useful?

[sayansiva]

So I have done some research. I have learned about the dll files, cff and cbf files. Which one shall I try to decompile?
I tried to use binwalk on the cff files but with no luck...

[rukakolink]

i also would like to know. there any thing that i can help?

[nourmehdi]

Hi , disassembling the firmware would be good but i think that the firmware is encrypted and is decrypted on the fly by the MCU during flash or update, if this is the case would be difficult to make progress . I've seen other paid solution for ic204,ic213... so the solution is somewhere need just to dig deeper . Maybe they have access to smr-d unlock files

[Feezex]

2705 8-4 for Reprogramming (Version:93E1..4|97E1..4|94E1..3|A8E4) Development
2705 8-4 for Reprogramming (Version:13E4|13E5) Production
2705 8-4 for Reprogramming (Version:17E4|17E5|17E6) Production
2705 8-4 for Reprogramming (Version:14E6|14E7) Production
2705 8-4 for Reprogramming (Version:FFFF) Production

2701 8-8 for Unlock_ECU_Level_1
2703 8-8 for Unlock_ECU_Level_3
2709 8-8 for Unlock_EE_Data_Access
270D 8-8 for Unlock_EE_Data_Access

SW0 List:
2044420121
2044420221
2044420621
2044420721
2044420921
2044421121
2044421221
2044421521
2044421621
2044421921
2044422121
2044422221
2044422521
2044422621
2044422921
2044423021
2044423621
2044423721
2044423921

2049020003
2049020303
2049020703
2049021202
2049021203
2049022403
2049022600
2049022602
2049022700
2049022702
2049022903
2049023401
2049023500
2049023600
2049023903
2049024102
2049024301
2049024602
2049024802
2049025003
2049025403
2049026403
2049026503
2049027003
2049027103
2049027203
2049027401
2049027500
2049028202
2049028303
2049028501
2049028802
2049028902

2124420421
2124420721
2124421021

2129020302
2129020501
2129021909
2129022008
2129023005
2129023402
2129024109
2129026108
2129026203
2129026510
2129029710
2129029806

2189020500
2189021001
2189023500
2189025205
2189025400
2189026900
2189027600
2189027900
2189027903
2189028400

[mbw211]

Hello
Are there any results?

[hoerbi1000]

Hi,

Is There any News?
May There is also something to Help Out?

Regards

[AffectedArc07]

Is there any update on this?