TekOnline

Discovery 3 CAN Bus, Part 7: Cracking the Ford Security Algorithm

Before you can write calibration data to an ECU, you need to pass Security Access (UDS service 0x27). The ECU answers a RequestSeed with a random 3-byte seed; you must compute the matching 3-byte key and send it back with SendKey. A wrong key earns a negative response (0x7F 0x27 0x35, invalidKey), and after a small number of failures the ECU reports exceededNumberOfAttempts (0x36) and refuses further seed requests with requiredTimeDelayNotExpired (0x37) until its delay timer runs out.

We needed the algorithm.

Finding the Algorithm Name

From SecAlg.dll — the security library — we extracted the list of supported algorithms:

FORD_COMMON_14229_SECURITY
FORD_EECV_SECURITY
NDX100_SECURITY
SIEMENS_PCM_SECURITY
SIEMENS_RCM_SECURITY
DUMMY_SECURITY

The Discovery 3 was developed when Ford owned Land Rover (pre-2008). The RLM uses FORD_COMMON_14229_SECURITY — a standard Ford diagnostic security algorithm.

Hunting in the Public Domain

A search for “Ford 14229 security” led to a GitHub repository: jakka351/Ford-ECU-Bruteforcer. This open-source C# tool brute-forces Ford ECU security access using a “keybag” — a dictionary of known 5-byte key strings extracted from Forscan.

The algorithm, named KeyGenMkI, is a 24-bit Linear Feedback Shift Register (LFSR):

def keygen_mk1(seed: int, key: bytes) -> int:
    """KeyGenMkI as sketched in the repository: a 24-bit LFSR clocked first over
    the seed and then over the secret key.  `seed` is the ECU's 3-byte seed as
    an int, `key` the five secret bytes k0..k4."""
    sknum8 = 0xC541A9  # LFSR initial state

    # Mix seed through LFSR (32 iterations).  Assumption, not stated on the page:
    # k4 is appended below the 24-bit seed so this pass consumes exactly 32 bits.
    seed_word = (seed << 8) | key[4]
    for i in range(32):
        feedback = ((seed_word >> i) & 1) ^ (sknum8 & 1)
        sknum8 = (feedback << 23) | (sknum8 >> 1)

    # Mix secret key through LFSR (32 iterations): k0..k3 as one 32-bit word
    combined_key = int.from_bytes(key[:4], "big")
    for j in range(32):
        feedback = ((combined_key >> j) & 1) ^ (sknum8 & 1)
        sknum8 = (feedback << 23) | (sknum8 >> 1)

    return sknum8 & 0xFFFFFF  # 24-bit result, sent back to the ECU as three bytes

We confirmed that SecAlg.dll implements this LFSR family by finding the initial state 0xC541A9 at offset 0xD07C in our copy of the DLL. A constant match is weaker evidence than a matched seed/key pair, though: the byte order and tap structure are only really confirmed once a seed captured from a live SDD session, fed through the routine, reproduces the key SDD sent.

Finding the RLM’s Secret Key

The “keybag” contains known key strings like COLIN, DIODE, JAMES, Rowan, Bosch — extracted from Forscan. But which one belongs to the Discovery 3 RLM?

SDD stores the key for each ECU in an encrypted file called Security.exml. Using a tool from GitHub (smartgauges/exml), we decrypted it:

<SecDataGroup Index="32" Title="L319_RLM"
  ProgDataRef="DC0031" DiagDataRef="DC0032"/>

DC0032 is the diagnostic key: [0x78, 0x77, 0x68, 0x6B, 0x53]. Those bytes happen to be printable ASCII (“xwhkS”), but the string is not one of the keybag entries, which is why the dictionary approach could not have found it. We also found the programming key DC0031: [0x77, 0x87, 0xA5, 0x86, 0xA3], which contains bytes above 0x7F and is raw binary key material rather than a string.

The Complete Security Unlock Flow

1. Send DiagnosticSessionControl (0x10 0x03) to enter the extended session; expect 0x50 0x03
2. Send SecurityAccess RequestSeed (0x27 0x01)
3. Receive the 3-byte seed from the ECU (e.g., 0x67 0x01 0x12 0x34 0x56); an all-zero seed means the ECU is already unlocked and no key needs to be sent
4. Compute key = KeyGenMkI(seed, 0x78, 0x77, 0x68, 0x6B, 0x53)
5. Send SecurityAccess SendKey (0x27 0x02) followed by the 3 computed key bytes
6. Receive 0x67 0x02, access granted. A wrong key returns 0x7F 0x27 0x35 (invalidKey); once the ECU’s attempt limit is hit it answers 0x36 (exceededNumberOfAttempts) and then 0x37 (requiredTimeDelayNotExpired) to every seed request until the delay expires
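The pieces of this post put together as runnable code. This is an added example written for this page, not the page’s own code and not code from jakka351/Ford-ECU-Bruteforcer or SDD: it implements the LFSR exactly as sketched in the KeyGenMkI listing above, checks a captured seed/key pair against the keybag offline (the dictionary idea from the bruteforcer, without spending the ECU’s attempt counter), and runs the six-step unlock flow against a simulated RLM. Assumptions not stated on the page: the split of the five key bytes across the two 32-bit passes (k4 rides with the seed, k0..k3 form the second word), the simulated ECU’s attempt limit of three, and the keybag contents, which are constructed from the entry names listed above plus the RLM’s DC0032 bytes. The negative response codes follow ISO 14229-1, not measured RLM behaviour.

```python
import random

LFSR_INIT = 0xC541A9  # the 24-bit constant the page located in SecAlg.dll


def lfsr_pass(state: int, word: int) -> int:
    """One 32-step pass of the LFSR as the page sketches it: clock the bits of
    `word` in LSB first; each step XORs the input bit with the state LSB and
    shifts that feedback bit in at bit 23."""
    for i in range(32):
        feedback = ((word >> i) & 1) ^ (state & 1)
        state = (feedback << 23) | (state >> 1)
    return state & 0xFFFFFF


def keygen_mk1(seed: int, key: bytes) -> int:
    """Seed pass, then key pass.  ASSUMPTION (the page does not say how the five
    key bytes are split): k4 is appended below the 24-bit seed and k0..k3 form
    the second word, so each pass consumes exactly 32 bits."""
    if not 0 <= seed <= 0xFFFFFF or len(key) != 5:
        raise ValueError("seed must be 24-bit, key must be 5 bytes")
    state = lfsr_pass(LFSR_INIT, (seed << 8) | key[4])
    return lfsr_pass(state, int.from_bytes(key[:4], "big"))


# Constructed keybag: the ASCII entries the page names plus the RLM's DC0032 bytes.
KEYBAG = {
    "COLIN": b"COLIN", "DIODE": b"DIODE", "JAMES": b"JAMES",
    "Rowan": b"Rowan", "Bosch": b"Bosch",
    "L319_RLM": bytes([0x78, 0x77, 0x68, 0x6B, 0x53]),
}


def identify_key(seed: int, observed_key: bytes, keybag: dict) -> list:
    """Offline keybag check: which candidates reproduce one sniffed seed/key
    exchange.  Costs no ECU attempts, unlike an online brute force."""
    return [name for name, k in keybag.items()
            if keygen_mk1(seed, k).to_bytes(3, "big") == observed_key]


class SimulatedRlm:
    """Bench stand-in for the RLM's 0x10/0x27 handling (constructed for this
    example).  Attempt limit and NRCs follow ISO 14229-1, not a real RLM."""
    MAX_ATTEMPTS = 3

    def __init__(self, secret: bytes, seed_source=None):
        self.secret = secret
        self.seed_source = seed_source or (lambda: random.SystemRandom().getrandbits(24))
        self.session = 0x01          # default session until 0x10 0x03 arrives
        self.pending_seed = None
        self.unlocked = False
        self.failures = 0

    @staticmethod
    def nrc(sid: int, code: int) -> bytes:
        return bytes([0x7F, sid, code])

    def handle(self, req: bytes) -> bytes:
        sid = req[0]
        if len(req) < 2:
            return self.nrc(sid, 0x13)       # incorrectMessageLengthOrInvalidFormat
        if sid == 0x10:
            self.session = req[1]
            return bytes([0x50, req[1]])
        if sid != 0x27:
            return self.nrc(sid, 0x11)       # serviceNotSupported
        if self.session != 0x03:
            return self.nrc(0x27, 0x7F)      # serviceNotSupportedInActiveSession
        if self.failures >= self.MAX_ATTEMPTS:
            return self.nrc(0x27, 0x37)      # requiredTimeDelayNotExpired
        if req[1] == 0x01:
            if self.unlocked:
                return bytes([0x67, 0x01, 0, 0, 0])   # zero seed: already unlocked
            self.pending_seed = self.seed_source()
            return bytes([0x67, 0x01]) + self.pending_seed.to_bytes(3, "big")
        if req[1] == 0x02:
            if self.pending_seed is None:
                return self.nrc(0x27, 0x24)  # requestSequenceError
            expected = keygen_mk1(self.pending_seed, self.secret).to_bytes(3, "big")
            self.pending_seed = None         # one key attempt per seed
            if req[2:5] == expected:
                self.unlocked, self.failures = True, 0
                return bytes([0x67, 0x02])
            self.failures += 1
            if self.failures >= self.MAX_ATTEMPTS:
                return self.nrc(0x27, 0x36)  # exceededNumberOfAttempts
            return self.nrc(0x27, 0x35)      # invalidKey
        return self.nrc(0x27, 0x12)          # subFunctionNotSupported


def unlock(ecu, key: bytes) -> tuple:
    """Tester side of the six-step flow.  Returns (granted, last_response)."""
    resp = ecu.handle(bytes([0x10, 0x03]))
    if resp[:2] != b"\x50\x03":
        return False, resp
    resp = ecu.handle(bytes([0x27, 0x01]))
    if resp[:2] != b"\x67\x01":
        return False, resp
    seed = int.from_bytes(resp[2:5], "big")
    if seed == 0:
        return True, resp                    # already unlocked, nothing to send
    resp = ecu.handle(bytes([0x27, 0x02]) + keygen_mk1(seed, key).to_bytes(3, "big"))
    return resp[:2] == b"\x67\x02", resp


if __name__ == "__main__":
    rlm_key = KEYBAG["L319_RLM"]
    print("correct key:", unlock(SimulatedRlm(rlm_key), rlm_key))
    locked = SimulatedRlm(rlm_key)
    for _ in range(4):                       # three bad keys, then the delay NRC
        granted, resp = unlock(locked, b"COLIN")
        print("wrong key:", granted, resp.hex())
```

Two practical points the code makes concrete: the ECU discards the pending seed after every SendKey, so each attempt costs a fresh RequestSeed, and the offline keybag check is the safe way to use the dictionary when you already hold one captured exchange, because the online brute force walks straight into the 0x36/0x37 lockout. Swap `lfsr_pass` for the real taps once a captured seed/key pair disagrees with it.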

We now had the lock pick. Next step: finding the right CAN ID to even reach the RLM — but first, we had a hardware problem to solve.


Coming up in Part 8: the LilyGO CAN transceiver TX saga — two missing GPIOs and the 2-line fix that finally got CAN frames transmitting.


Disclaimer: This series documents reverse engineering for educational and research purposes. The security algorithm and key material are discussed in the context of legitimate diagnostic access to a bench ECU. Do not use this information to access vehicle systems you do not own.
