# AES-128, ECB mode

In [1]:
from Crypto.Cipher import AES

KEY = 0x000102030405060708090a0b0c0d0e0f
PLAINTEXT = 0x00112233445566778899aabbccddeeff

key_byte = KEY.to_bytes(16, byteorder='big')
text_byte = PLAINTEXT.to_bytes(16, byteorder='big')

cipher = AES.new(key_byte, AES.MODE_ECB)
cipher_byte = cipher.encrypt(text_byte)

CIPHERTEXT = cipher_byte.hex()
print(CIPHERTEXT)

69c4e0d86a7b0430d8cdb78070b4c55a


# AES-128, CBC mode

* **Encrypt Block #1**

In [2]:
from Crypto.Cipher import AES

KEY = 0x2b7e151628aed2a6abf7158809cf4f3c
IV = 0x000102030405060708090a0b0c0d0e0f
PLAINTEXT = 0x6bc1bee22e409f96e93d7e117393172a

input_var = IV ^ PLAINTEXT
AES_INPUT = format(input_var, 'x')
print(AES_INPUT)

key_byte = KEY.to_bytes(16, byteorder='big')
input_byte = input_var.to_bytes(16, byteorder='big')

cipher = AES.new(key_byte, AES.MODE_ECB)
cipher_byte = cipher.encrypt(input_byte)

AES_OUTPUT = cipher_byte.hex()
print(AES_OUTPUT)

6bc0bce12a459991e134741a7f9e1925
7649abac8119b246cee98e9b12e9197d


* **Encrypt Block #2**

In [3]:
PLAINTEXT = 0xae2d8a571e03ac9c9eb76fac45af8e51

input_var = int(AES_OUTPUT, 16) ^ PLAINTEXT
AES_INPUT = format(input_var, 'x')
print(AES_INPUT)

input_byte = input_var.to_bytes(16, byteorder='big')

cipher = AES.new(key_byte, AES.MODE_ECB)
cipher_byte = cipher.encrypt(input_byte)

AES_OUTPUT = cipher_byte.hex()
print(AES_OUTPUT)

d86421fb9f1a1eda505ee1375746972c
5086cb9b507219ee95db113a917678b2


* **Encrypt Block #3**

In [4]:
PLAINTEXT = 0x30c81c46a35ce411e5fbc1191a0a52ef

input_var = int(AES_OUTPUT, 16) ^ PLAINTEXT
AES_INPUT = format(input_var, 'x')
print(AES_INPUT)

input_byte = input_var.to_bytes(16, byteorder='big')

cipher = AES.new(key_byte, AES.MODE_ECB)
cipher_byte = cipher.encrypt(input_byte)

AES_OUTPUT = cipher_byte.hex()
print(AES_OUTPUT)

604ed7ddf32efdff7020d0238b7c2a5d
73bed6b8e3c1743b7116e69e22229516


* **Encrypt Block #4**

In [5]:
PLAINTEXT = 0xf69f2445df4f9b17ad2b417be66c3710

input_var = int(AES_OUTPUT, 16) ^ PLAINTEXT
AES_INPUT = format(input_var, 'x')
print(AES_INPUT)

input_byte = input_var.to_bytes(16, byteorder='big')

cipher = AES.new(key_byte, AES.MODE_ECB)
cipher_byte = cipher.encrypt(input_byte)

AES_OUTPUT = cipher_byte.hex()
print(AES_OUTPUT)

8521f2fd3c8eef2cdc3da7e5c44ea206
3ff1caa1681fac09120eca307586e1a7


* **Encrypt Block #1~#4 One-time**

In [6]:
from Crypto.Cipher import AES
from textwrap import wrap

KEY = 0x2b7e151628aed2a6abf7158809cf4f3c
IV = 0x000102030405060708090a0b0c0d0e0f

key_byte = KEY.to_bytes(16, byteorder='big')
iv_byte = IV.to_bytes(16, byteorder='big')

PLAINTEXT = [0x6bc1bee22e409f96e93d7e117393172a, \
             0xae2d8a571e03ac9c9eb76fac45af8e51, \
             0x30c81c46a35ce411e5fbc1191a0a52ef, \
             0xf69f2445df4f9b17ad2b417be66c3710]

text_byte = b''
for t in PLAINTEXT:
    text_byte += t.to_bytes(16, byteorder='big')

cipher = AES.new(key_byte, AES.MODE_CBC, iv_byte)
cipher_byte = cipher.encrypt(text_byte)

CIPHERTEXT = cipher_byte.hex()
CIPHERTEXT = wrap(CIPHERTEXT, 32)

for cipher in CIPHERTEXT:
    print(cipher)

7649abac8119b246cee98e9b12e9197d
5086cb9b507219ee95db113a917678b2
73bed6b8e3c1743b7116e69e22229516
3ff1caa1681fac09120eca307586e1a7


* **Decrypt Block #1**

In [7]:
from Crypto.Cipher import AES

KEY = 0x2b7e151628aed2a6abf7158809cf4f3c
IV = 0x000102030405060708090a0b0c0d0e0f
CIPHERTEXT1 = 0x7649abac8119b246cee98e9b12e9197d

key_byte = KEY.to_bytes(16, byteorder='big')
cipher_byte = CIPHERTEXT1.to_bytes(16, byteorder='big')

text = AES.new(key_byte, AES.MODE_ECB)
output_byte = text.decrypt(cipher_byte)

AES_OUTPUT = output_byte.hex()
print(AES_OUTPUT)

output_var = int(AES_OUTPUT, 16) ^ IV
PLAINTEXT = format(output_var, 'x')
print(PLAINTEXT)

6bc0bce12a459991e134741a7f9e1925
6bc1bee22e409f96e93d7e117393172a


* **Decrypt Block #2**

In [8]:
CIPHERTEXT2 = 0x5086cb9b507219ee95db113a917678b2
cipher_byte = CIPHERTEXT2.to_bytes(16, byteorder='big')

text = AES.new(key_byte, AES.MODE_ECB)
output_byte = text.decrypt(cipher_byte)

AES_OUTPUT = output_byte.hex()
print(AES_OUTPUT)

output_var = int(AES_OUTPUT, 16) ^ CIPHERTEXT1
PLAINTEXT = format(output_var, 'x')
print(PLAINTEXT)

d86421fb9f1a1eda505ee1375746972c
ae2d8a571e03ac9c9eb76fac45af8e51


* **Decrypt Block #3**

In [9]:
CIPHERTEXT3 = 0x73bed6b8e3c1743b7116e69e22229516
cipher_byte = CIPHERTEXT3.to_bytes(16, byteorder='big')

text = AES.new(key_byte, AES.MODE_ECB)
output_byte = text.decrypt(cipher_byte)

AES_OUTPUT = output_byte.hex()
print(AES_OUTPUT)

output_var = int(AES_OUTPUT, 16) ^ CIPHERTEXT2
PLAINTEXT = format(output_var, 'x')
print(PLAINTEXT)

604ed7ddf32efdff7020d0238b7c2a5d
30c81c46a35ce411e5fbc1191a0a52ef


* **Decrypt Block #4**

In [10]:
CIPHERTEXT4 = 0x3ff1caa1681fac09120eca307586e1a7
cipher_byte = CIPHERTEXT4.to_bytes(16, byteorder='big')

text = AES.new(key_byte, AES.MODE_ECB)
output_byte = text.decrypt(cipher_byte)

AES_OUTPUT = output_byte.hex()
print(AES_OUTPUT)

output_var = int(AES_OUTPUT, 16) ^ CIPHERTEXT3
PLAINTEXT = format(output_var, 'x')
print(PLAINTEXT)

8521f2fd3c8eef2cdc3da7e5c44ea206
f69f2445df4f9b17ad2b417be66c3710


* **Decrypt Block #1~#4 One-time**

In [11]:
from Crypto.Cipher import AES
from textwrap import wrap

KEY = 0x2b7e151628aed2a6abf7158809cf4f3c
IV = 0x000102030405060708090a0b0c0d0e0f

key_byte = KEY.to_bytes(16, byteorder='big')
iv_byte = IV.to_bytes(16, byteorder='big')

CIPHERTEXT = [0x7649abac8119b246cee98e9b12e9197d, \
              0x5086cb9b507219ee95db113a917678b2, \
              0x73bed6b8e3c1743b7116e69e22229516, \
              0x3ff1caa1681fac09120eca307586e1a7]

cipher_byte = b''
for c in CIPHERTEXT:
    cipher_byte += c.to_bytes(16, byteorder='big')

text = AES.new(key_byte, AES.MODE_CBC, iv_byte)
text_byte = text.decrypt(cipher_byte)

PLAINTEXT = text_byte.hex()
PLAINTEXT = wrap(PLAINTEXT, 32)

for text in PLAINTEXT:
    print(text)

6bc1bee22e409f96e93d7e117393172a
ae2d8a571e03ac9c9eb76fac45af8e51
30c81c46a35ce411e5fbc1191a0a52ef
f69f2445df4f9b17ad2b417be66c3710


# AES-CMAC

* **Subkey Generation**

In [12]:
from Crypto.Cipher import AES

KEY = 0x2b7e151628aed2a6abf7158809cf4f3c
key_byte = KEY.to_bytes(16, byteorder='big')

CONST_R128 = 0x87
CONST_ZERO = 0x00
const_zero_byte = CONST_ZERO.to_bytes(16, byteorder='big')

cipher = AES.new(key_byte, AES.MODE_ECB)
cipher_byte = cipher.encrypt(const_zero_byte)

CIPHERTEXT = cipher_byte.hex()
print(CIPHERTEXT)

MASK_1bit_ONE = 0x01
MASK_128bit_ONE = int('f'*32, 16)

CIPHER_L = int(CIPHERTEXT, 16)
CIPHER_L_MSB = (CIPHER_L >> 127) & MASK_1bit_ONE

if CIPHER_L_MSB == 0:
    K1_MAC = CIPHER_L << 1
else:
    K1_MAC = (CIPHER_L << 1) ^ CONST_R128

K1_MSB = (K1_MAC >> 127) & MASK_1bit_ONE

if K1_MSB == 0:
    K2_MAC = K1_MAC << 1
else:
    K2_MAC = (K1_MAC << 1) ^ CONST_R128

K1_OUT = (K1_MAC & MASK_128bit_ONE).to_bytes(16, byteorder='big').hex()
K2_OUT = (K2_MAC & MASK_128bit_ONE).to_bytes(16, byteorder='big').hex()
print(K1_OUT)
print(K2_OUT)

7df76b0c1ab899b33e42f047b91b546f
fbeed618357133667c85e08f7236a8de
f7ddac306ae266ccf90bc11ee46d513b


* **CMAC Example 1 -  Message Length 128 bit**

In [13]:
msg_empty = False

if not msg_empty:
    MESSAGE = 0x6bc1bee22e409f96e93d7e117393172a
    input_var = MESSAGE ^ int(K1_OUT, 16)
else:
    MESSAGE = int('1' + 127 * '0', 2)
    input_var = MESSAGE ^ int(K2_OUT, 16)

mac_byte = input_var.to_bytes(16, byteorder='big')

cipher = AES.new(key_byte, AES.MODE_ECB)
mac_output = cipher.encrypt(mac_byte)

CMAC_OUT = mac_output.hex()
print(CMAC_OUT)

070a16b46b4d4144f79bdd9dd04a287c


* **CMAC Example 2 -  Message Length 320 bit**

In [14]:
need_padding = True

if need_padding:
    MESSAGES = [0x6bc1bee22e409f96e93d7e117393172a, \
                0xae2d8a571e03ac9c9eb76fac45af8e51, \
                0x30c81c46a35ce411]
else:
    MESSAGES = [0x6bc1bee22e409f96e93d7e117393172a, \
                0xae2d8a571e03ac9c9eb76fac45af8e51, \
                0x30c81c46a35ce411e5fbc1191a0a52ef, \
                0xf69f2445df4f9b17ad2b417be66c3710]

cipher = AES.new(key_byte, AES.MODE_ECB)
mac_output = b'\x00'

for idx in range(len(MESSAGES)-1):
    if idx == 0:    
        mac_output = cipher.encrypt(MESSAGES[idx].to_bytes(16, byteorder='big'))
    else:
        mac_input = int(mac_output.hex(), 16) ^ MESSAGES[idx]
        mac_output = cipher.encrypt(mac_input.to_bytes(16, byteorder='big'))

msg_bit_len = len(hex(MESSAGES[-1])[2:]) * 4

if msg_bit_len < 128:
    padding_num = 128 - msg_bit_len - 1
    LAST_MSG_BIN = bin(MESSAGES[-1])[2:] + '1' + '0' * padding_num
    LAST_MSG = int(LAST_MSG_BIN, 2)
    mac_input = int(mac_output.hex(), 16) ^ LAST_MSG ^ int(K2_OUT, 16)
else:
    mac_input = int(mac_output.hex(), 16) ^ MESSAGES[-1] ^ int(K1_OUT, 16)

mac_output = cipher.encrypt(mac_input.to_bytes(16, byteorder='big'))
CMAC_OUT = mac_output.hex()
print(CMAC_OUT)

dfa66747de9ae63030ca32611497c827


# Miyaguchi-Preneel Compression Function

In [15]:
from Crypto.Cipher import AES

def AES_MP_Compression(padded_msgs):
    use_key_value = 0x00
    use_key_byte = use_key_value.to_bytes(16, byteorder='big')
    
    for m in padded_msgs:
        cipher = AES.new(use_key_byte, AES.MODE_ECB)
        
        msg_byte = m.to_bytes(16, byteorder='big')
        cipher_byte = cipher.encrypt(msg_byte)
        
        use_key_value = int(cipher_byte.hex(), 16) ^ use_key_value ^ m
        use_key_byte = use_key_value.to_bytes(16, byteorder='big')
    
    return use_key_byte.hex()

PADDING_STR = 0x80000000000000000000000000000100

MESSAGES = [0x6bc1bee22e409f96e93d7e117393172a, \
            0xae2d8a571e03ac9c9eb76fac45af8e51, \
            PADDING_STR]

res = AES_MP_Compression(MESSAGES)
print(res)

c7277a0dc1fb853b5f4d9cbd26be40c6


# Key Derivation

In [16]:
K = 0x000102030405060708090a0b0c0d0e0f
C = 0x010153484500800000000000000000b0

MESSAGES = [K, C]

res = AES_MP_Compression(MESSAGES)
print(res)

118a46447a770d87828a69c222e2d17e


# Pseudo Random Number Generation

* **PRNG Keys Derivation**

In [17]:
SECRET_KEY = 0x2b7e151628aed2a6abf7158809cf4f3c

# Constant Values
PRNG_SEED_KEY_C = 0x010553484500800000000000000000B0
PRNG_KEY_C = 0x010453484500800000000000000000B0

PRNG_SEED_KEY = AES_MP_Compression([SECRET_KEY, PRNG_SEED_KEY_C])
print(PRNG_SEED_KEY)

PRNG_KEY = AES_MP_Compression([SECRET_KEY, PRNG_KEY_C])
print(PRNG_KEY)

8abc8f6e2a8264fd38088be622ca0416
a1be019264992b2b725a4dd4c7767002


* **Calculate Updated PRNG_SEED**

In [18]:
PRNG_SEED = 0x6bc1bee22e409f96e93d7e117393172a

prng_seed_key_byte = bytes.fromhex(PRNG_SEED_KEY)
prng_seed_byte = PRNG_SEED.to_bytes(16, byteorder='big')

cipher = AES.new(prng_seed_key_byte, AES.MODE_ECB)
cipher_byte = cipher.encrypt(prng_seed_byte)

# Updated PRNG_SEED
PRNG_SEED_UPDATE = cipher_byte.hex()
print(PRNG_SEED_UPDATE)

41f21213bca0434b3eb3bafcb0a19d74


* **Calculate New Random Value**

In [19]:
# PRNG_STATE will be copy from the updated PRNG_SEED
PRNG_STATE = PRNG_SEED_UPDATE
print(PRNG_STATE)

prng_key_byte = bytes.fromhex(PRNG_KEY)
prng_state_byte = bytes.fromhex(PRNG_STATE)

cipher = AES.new(prng_key_byte, AES.MODE_ECB)
prng_byte = cipher.encrypt(prng_state_byte)

PRNG_STATE_UPDATE = prng_byte.hex()
print(PRNG_STATE_UPDATE)

41f21213bca0434b3eb3bafcb0a19d74
614aae8a7bb8fff31ac3230e6240506b


* **Extending the Seed**

In [20]:
ENTROPY = 0xae2d8a571e03ac9c9eb76fac45af8e51
PRNG_EXTENSION_C = 0x80000000000000000000000000000100

PRNG_SEED_EXT = AES_MP_Compression([int(PRNG_SEED_UPDATE, 16), ENTROPY, PRNG_EXTENSION_C])
print(PRNG_SEED_EXT)

PRNG_STATE_EXT = AES_MP_Compression([int(PRNG_STATE_UPDATE, 16), ENTROPY, PRNG_EXTENSION_C])
print(PRNG_STATE_EXT)

7c92bea252d03015e4f5c2bca69a6f8a
cf475ceb98f8ba6be1f55f97fdda9634


# Memory Update Protocol

* **Derive K1 and K2 from KEY_AuthID**

In [21]:
# Default Value
# KEY_AUTH_ID = 0x000102030405060708090a0b0c0d0e0f

# Value Pending Change
KEY_AUTH_ID = 0x11111111111111111111111111111111
# KEY_AUTH_ID = 0x0f0e0d0c0b0a090807060504030201bb

KEY_UPDATE_ENC_C = 0x010153484500800000000000000000b0
KEY_UPDATE_MAC_C = 0x010253484500800000000000000000b0

K1 = AES_MP_Compression([KEY_AUTH_ID, KEY_UPDATE_ENC_C])
print(K1)

K2 = AES_MP_Compression([KEY_AUTH_ID, KEY_UPDATE_MAC_C])
print(K2)

f40080c903c8f1cec8dc721390d27878
a20c49ce7f14af80ab48c2a1043a118f


* **Generate M1**

In [22]:
# Default Value
UID_SHE_MODULE = 0x000000000000000000000000000001

# Value Pending Change
# UID_SHE_MODULE = 0x000000000000000000000000000000

# The UID is specified to 120 bits
UID_BIT_LEN = 120
uid_bytes = UID_SHE_MODULE.to_bytes(UID_BIT_LEN//8, byteorder='big')

# Key slot ID is a 4 bits value
# 0x04 is the ID of KEY_1
ID_KEY_SLOT = 0x2

# AuthID is a 4 bits value
# 0x01 is the ID of MASTER_ECU_KEY
AuthID = 0x1

def M_Value_Print(m_value_str):
    counter = 0
    for m_hex in m_value_str:
        counter += 1
        print(m_hex.upper(), end='')
        if counter == 2:
            counter = 0
            print(' ', end='')
    print()

# M1 is the concatenation of the UID, the ID of Key to be updated, and the AuthID
M1 = uid_bytes.hex() + str(ID_KEY_SLOT) + str(AuthID)
M_Value_Print(M1)

00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 21 


* **Generate M2**

In [23]:
# The new key value
KEY_ID_NEW = 0x0f0e0d0c0b0a09080706050403020100
# KEY_ID_NEW = 0x11111111111111111111111111111111

# New Counter Value
# CID = 0x0000001
CID = 0x00003ff
CID_BIT_LEN = 28
CID_BIN_STR = bin(CID)[2:].zfill(CID_BIT_LEN)

WRITE_PROTECTION = '0'
BOOT_PROTECTION = '0'
DEBUGGER_PROTECTION = '0'
KEY_USAGE = '0'
WILDCARD = '0'
FID_BIT_LEN = 5
FID = WRITE_PROTECTION + BOOT_PROTECTION + DEBUGGER_PROTECTION + KEY_USAGE + WILDCARD

FILL_GAP_ZEROS = '0' * (128 - CID_BIT_LEN - FID_BIT_LEN)

from Crypto.Cipher import AES
from textwrap import wrap

KEY = K1
IV = 0x0

key_byte = bytes.fromhex(KEY)
iv_byte = IV.to_bytes(16, byteorder='big')
INPUT_INFO = [int(CID_BIN_STR + FID + FILL_GAP_ZEROS, 2), KEY_ID_NEW]

cipher_byte = b''
for c in INPUT_INFO:
    cipher_byte += c.to_bytes(16, byteorder='big')

cipher = AES.new(key_byte, AES.MODE_CBC, iv_byte)
M2_byte = cipher.encrypt(cipher_byte)

M2_Hex = M2_byte.hex()
M2 = wrap(M2_Hex, 32)

for msg in M2:
    M_Value_Print(msg)
    
M_Value_Print(M2_Hex)

C7 62 2D 59 7A 17 2B C3 49 B0 9C 2B 85 91 C1 D8 
B8 BF 14 E4 63 23 E8 BD AB 13 BD 3D 69 DA 77 48 
C7 62 2D 59 7A 17 2B C3 49 B0 9C 2B 85 91 C1 D8 B8 BF 14 E4 63 23 E8 BD AB 13 BD 3D 69 DA 77 48 


* **Generate M3**

In [24]:
from Crypto.Cipher import AES

# KEY is a key string
# MESSAGES is a list contains message strings
def AES_CMAC(KEY, MESSAGE):
    MASK_1bit_ONE = 0x01
    MASK_128bit_ONE = int('f'*32, 16)
    CONST_R128 = 0x87
    CONST_ZERO = 0x00
    
    # Step1: Generate sub-keys
    key_byte = bytes.fromhex(KEY)
    cipher = AES.new(key_byte, AES.MODE_ECB)

    cipher_byte = cipher.encrypt(CONST_ZERO.to_bytes(16, byteorder='big'))
    CIPHERTEXT = cipher_byte.hex()
    CIPHER_L = int(CIPHERTEXT, 16)
    CIPHER_L_MSB = (CIPHER_L >> 127) & MASK_1bit_ONE

    if CIPHER_L_MSB == 0:
        K1_MAC = CIPHER_L << 1
    else:
        K1_MAC = (CIPHER_L << 1) ^ CONST_R128

    K1_MSB = (K1_MAC >> 127) & MASK_1bit_ONE

    if K1_MSB == 0:
        K2_MAC = K1_MAC << 1
    else:
        K2_MAC = (K1_MAC << 1) ^ CONST_R128

    K1_OUT = (K1_MAC & MASK_128bit_ONE).to_bytes(16, byteorder='big').hex()
    K2_OUT = (K2_MAC & MASK_128bit_ONE).to_bytes(16, byteorder='big').hex()

    # Step2: Start computing MAC using the sub-keys
    MESSAGES = []
    for idx, msg in enumerate(MESSAGE):
        if len(msg) != 0:
            MESSAGES.append(int(msg, 16))
        else:
            MESSAGES.append(0)

    mac_output = b'\x00'
    for idx in range(len(MESSAGES)-1):
        if idx == 0:    
            mac_output = cipher.encrypt(MESSAGES[idx].to_bytes(16, byteorder='big'))
        else:
            mac_input = int(mac_output.hex(), 16) ^ MESSAGES[idx]
            mac_output = cipher.encrypt(mac_input.to_bytes(16, byteorder='big'))

    msg_bit_len = len(MESSAGE[-1]) * 4

    if msg_bit_len < 128:
        padding_num = 128 - msg_bit_len - 1
        LAST_MSG_BIN = bin(MESSAGES[-1])[2:] + '1' + '0' * padding_num
        LAST_MSG = int(LAST_MSG_BIN, 2)
        mac_input = int(mac_output.hex(), 16) ^ LAST_MSG ^ int(K2_OUT, 16)
    else:
        mac_input = int(mac_output.hex(), 16) ^ MESSAGES[-1] ^ int(K1_OUT, 16)

    mac_output = cipher.encrypt(mac_input.to_bytes(16, byteorder='big'))

    return mac_output.hex()

KEY_IN = K2
MESSAGE_IN = [M1] + M2

M3 = AES_CMAC(KEY_IN, MESSAGE_IN)
M_Value_Print(M3)

A3 3E 9A CC C5 54 9A C6 81 47 D3 B3 63 F4 32 2D 


* **Derive K3 and K4 from KEY_ID_NEW**

In [25]:
# The new key value
# KEY_ID_NEW = 0x0f0e0d0c0b0a09080706050403020100

# Constant value from SHE Constants
KEY_UPDATE_ENC_C = 0x010153484500800000000000000000b0
KEY_UPDATE_MAC_C = 0x010253484500800000000000000000b0

K3 = AES_MP_Compression([KEY_ID_NEW, KEY_UPDATE_ENC_C])
print(K3)

K4 = AES_MP_Compression([KEY_ID_NEW, KEY_UPDATE_MAC_C])
print(K4)

ed2de7864a47f6bac319a9dc496a788f
ec9386fefaa1c598246144343de5f26a


* **Generate M4**

In [26]:
# UID is specified to 120 bits
# UID_SHE_MODULE = 0x000000000000000000000000000001
# UID_BIT_LEN = 120

uid_bytes = UID_SHE_MODULE.to_bytes(UID_BIT_LEN//8, byteorder='big')

# Key slot ID is a 4 bits value
# 0x04 is the ID of KEY_1
# ID_KEY_SLOT = 0x4

# AuthID is a 4 bits value
# 0x01 is the ID of MASTER_ECU_KEY
# AuthID = 0x1

# The first 128 bits is the concatenation of the UID, the ID of Key to be updated, and the AuthID
M4_BLOCK1 = uid_bytes.hex() + str(ID_KEY_SLOT) + str(AuthID)

# New Counter Value
# CID = 0x0000001
CID_BIT_LEN = 28
CID_BIN_STR = bin(CID)[2:].zfill(CID_BIT_LEN)
CID_PAD = '1' + (128 - 1- CID_BIT_LEN) * '0'

m4_star_info = int(CID_BIN_STR + CID_PAD, 2)
m4_star_byte = m4_star_info.to_bytes(16, byteorder='big')

from Crypto.Cipher import AES

KEY = K3
key_byte = bytes.fromhex(KEY)

cipher = AES.new(key_byte, AES.MODE_ECB)
m4_cipher_byte = cipher.encrypt(m4_star_byte)
M4_STAR = m4_cipher_byte.hex()

M4 = [M4_BLOCK1, M4_STAR]

for msg in M4:
    M_Value_Print(msg)

00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 21 
84 17 B9 3A 2B 07 35 48 71 6B 9F 5A FD 2D DF 99 


* **Generate M5**

In [27]:
KEY_IN = K4
MESSAGE_IN = M4

M5 = AES_CMAC(KEY_IN, MESSAGE_IN)
M_Value_Print(M5)

4E 8F B5 9D 98 D5 A5 31 A1 70 DB 69 8F D7 90 DA 


# AES-CMAC Function Test

In [28]:
KEY = 0x2b7e151628aed2a6abf7158809cf4f3c
KEY_IN = KEY.to_bytes(16, byteorder='big').hex()

MESSAGES0 = ['']
res0 = AES_CMAC(KEY_IN, MESSAGES0)
print(res0)

MESSAGES1 = ['6bc1bee22e409f96e93d7e117393172a']
res1 = AES_CMAC(KEY_IN, MESSAGES1)
print(res1)

MESSAGES2 = ['6bc1bee22e409f96e93d7e117393172a', \
             'ae2d8a571e03ac9c9eb76fac45af8e51', \
             '30c81c46a35ce411']
res2 = AES_CMAC(KEY_IN, MESSAGES2)
print(res2)

MESSAGES3 = ['6bc1bee22e409f96e93d7e117393172a', \
             'ae2d8a571e03ac9c9eb76fac45af8e51', \
             '30c81c46a35ce411e5fbc1191a0a52ef', \
             'f69f2445df4f9b17ad2b417be66c3710']
res3 = AES_CMAC(KEY_IN, MESSAGES3)
print(res3)

bb1d6929e95937287fa37d129b756746
070a16b46b4d4144f79bdd9dd04a287c
dfa66747de9ae63030ca32611497c827
51f0bebf7e3b9d92fc49741779363cfe


# Failure Analysis of SHE

In [29]:
MASTER_ECU_KEY = 0x000102030405060708090a0b0c0d0e0f
DEBUG_KEY_C = 0x010353484500800000000000000000b0

K_DEBUG = AES_MP_Compression([MASTER_ECU_KEY, DEBUG_KEY_C])
print(K_DEBUG)

CHALLENGE = '40abdeab16de77b9599964b3d2dd7261'
UID = '000000000000000000000000000001'
AUTHORIZATION = AES_CMAC(K_DEBUG, [CHALLENGE, UID])
print(AUTHORIZATION)

1b5f959633c8c39ec42e965132bcec9b
953cb601d8ffa1954795fab3cad72c53
