So you’ve forgotten your Password on your ECU. We’ve all been there…
This article isn’t about why your ECU has a password on it, nor is it an invitation to discuss why or who might have put the password on it. We are open to discussions about how to better secure passwords on ECUs and other techniques on how to recover passwords off ECUs though.
This article is about the nuts and bolts around how to recover the password off a locked ECU.
Today’s subject is the LinkECU G4 series of ECUs, a very popular ECU for good reason, it ticks a lot of boxes for a lot of people.
Link G4 Password Removal Process
So to begin the password recovery you will need:
- A PC with PC Link G4 installed on it.
- Some form of spreadsheet software (Google sheets or Excel)
- “Notepad ++” software installed
So because this article is strictly for entertainment and education purposes, and never to be used for any actual password recovery in the wild, we’ll begin by opening PCLink G4, opening a new base map, lock it with a password, and “Save As” new file name.
Now we’ve got our password protected calibration file to try and recover the password from.
Next up we’ll close PCLink and open our new calibration file in Notepad++ and what we’re greeted with is a wall of numbers, not quite human readable but not encrypted by any means.
So you can search through these 40 thousand numbers to see if your password is in there, and at first glance it’s not there; only numbers. So where is the password? Oh it’s in there, you just need to read like a computer. The password is stored in ASCII. ASCII (American Standard Code for Information Interchange) is a character encoding system that represents text and symbols in digital devices using a 7-bit or 8-bit code.
So now we’re talking bits and bytes, but what you might have noticed in the notepad file while you were looking for your password, none of the values between the commas were below 0 or above 255. Every value between the commas is an 8-bit value, expressed in the notepad document in decimal format. (0-255) We’ll get into the differences in Binary, Decimal and Hexadecimal in another CANbus article, for now though let’s proceed and get someone else do the heavy lifting in the brain department.
We need to dump all this information into a spreadsheet and use the formula =CHAR() to find our password.
If we just copied all the data out of the LinkMemData line into our spreadsheet, each comma would make a new column, which at 14,119 would violate the maximum amount of columns you can have in a spreadsheet, so we need to transpose the data into rows before we send it into our spreadsheet.
To do this we’ll use the find and replace feature in notepad++ and replace every comma with a line break.
Finding commas, replacing it with \n, making sure the extended button is enabled, the hit replace all. This takes a second, then you’ll see you’ve got one line per number, now select all of it, and paste it into your spreadsheet.
Now with all your data pasted into your spreadsheet, you should have it all in one column, and one value per line. In a cell that’s adjacent to a number value enter the formula
=CHAR(A4)
Where A4 is the cell which has the number value in it. Then Press Enter. Your spreadsheets software might suggest an auto fill which is to do the same formula all the way through which is perfect. If it doesn’t suggest it, you can double click on the little dot in the bottom right of the cell where your formula is.
This will continue your formula down all the way to the bottom of the table.
So now you might be seeing some letters in here with some human readable text!
I’ll give you the tip, my password wasn’t 22dddddddd. So let’s keep scrolling. Scrolling, scrolling, scrolling… scrolling forever, until your mouse wheel has given up and you’ve had to swap hands lest you do yourself an injury, continue scrolling, making sure to read every letter, it might be your long lost password, keep scrolling down, hoping you haven’t missed it…
But then, you’ll see it, a string of letters, albeit vertically aligned, it’s unmistakable, and one of the best words you’ll see all day.
A word so unmistakably amazing, it evokes sweet and lustful emotions in most, promotes salivation and a desire to consume.
You’ll find this word held in the highest regard by people all over the world, its beauty and brilliance crosses all cultures and borders.
The word found on the 9784th line of this spreadsheet means a lot to me, means a lot to you.
So here is your password! Congratulations!
Make sure you use this information for good and not evil.
Also if you can’t be bothered with the Notepad++ or Spreadsheet, you can just ask chatGPT if it can see any ASCII words in the file you point it at.
Yep, we’re all doomed.
So this technique works for the Link G4 and other ECUs of a similar vintage.
Later model standalone ECUs make it a little more difficult to get the passwords out, they will encrypt the calibration files and hash the passwords which significantly increases the difficulty of recovering the passwords out of them. We’ve got other techniques for recovering those passwords which we look forward to sharing with you later.
If you liked this article, consider subscribing to our mailing list to get more juicy, nerdy, racecar articles delivered straight to your inbox.
