
King Song 4.0 ISN Key Generator + Android App Unlocked


fearedbliss


Hello folks,

So since I feel that King Song intentionally locking their units by default to 13 MPH until we request an ISN number from them is ridiculous, I decided to modify the application so that it automatically allows us to become an "Advanced User" without a code. All you have to do is install the app, and when you get to the ISN screen, just press "Accept". No code is needed, and it will automatically work.

If you install the stock King Song application again, it will become locked. I only tested this by connecting it and unlocking it (since it's 2:41 AM at the moment and don't want to go outside at this time to push it to 30 kph hah :D), and then setting the speeds up to 30 kph. After that, the application will set its own safe defaults. Setting anything to 30 kph seems to work and says "Setting successful".

The unlocked KS 4.0 android app is attached in this email. Please test and let me know if it works for you.

If you don't want to use the Android app and would prefer to use the stock app, you could instead generate your own key that you can use to unlock it yourself. I would recommend you to do this actually.. I'm leaving the Android app here just for historical purposes.

PT9Vlve.png

More information at the below post:

- Jonathan

King_Song_4.0_Unlocked.apk

Link to comment
Share on other sites


@Jason McNeil Not sure what you mean work independently. Basically it will let you become an advanced user so it will let you play with any features that were previously locked on the machine. The settings seem to save as well.

It seems once I uninstall and install the stock version, it asks for the code again, but if I install my version I can just re-unlock it. I will keep looking at the code and release a better unlocked version if needed.

I have the code for the math they used for verifying if the serial number entered is legit, given time, it is possible for me to make a separate app that generates a valid number for each user... Essentially you become the king song server, ;).

Link to comment
Share on other sites

Well, I was able to completely reverse engineer their verification function so now I fully understand exactly how they are checking to see if serial numbers are valid. With this done, I went ahead and wrote a key generator, you will be able to give it your wheel's serial number and after a few minutes (Brute force solution ;() it will reply with an answer. Once I get home I will test it on the actual bot itself, but from my QA of my verification function, using both incorrect and correct solutions (The one that I received from King Song), it seems to be successful where it needs to be, and fails for others.

I will release it once I test it and clean it up.

Sneak peek:

Key Generator:

MRaXqPO.png

Testing my Verification Function with key King Song gave me:

hSZbAzk.png

Testing my Verification Function with self found key:

EV8NrGx.png

I'll explain more when I get home :D.

Link to comment
Share on other sites

6 minutes ago, fearedbliss said:

Well, I was able to completely reverse engineer their verification function so now I fully understand exactly how they are checking to see if serial numbers are valid. With this done, I went ahead and wrote a key generator, you will be able to give it your wheel's serial number and after a few minutes (Brute force solution ;() it will reply with an answer. Once I get home I will test it on the actual bot itself, but from my QA of my verification function, using both incorrect and correct solutions (The one that I received from King Song), it seems to be successful where it needs to be, and fails for others.

I will release it once I test it and clean it up.

Sneak peek:

Key Generator:

MRaXqPO.png

Testing my Verification Function with key King Song gave me:

hSZbAzk.png

Testing my Verification Function with self found key:

EV8NrGx.png

I'll explain more when I get home :D.

I understood about 2% of what he said above.. Telling you, this guy is a freaking genius

Link to comment
Share on other sites

I keep telling him he should write some code to allow the user to disable / enable the wheel operation with a click of a button on the phone. This will resolve the debate about installing a lock on the wheel to prevent turning the wheel on and riding away by someone else, while the owner is in a store shopping and leaves the wheel outside. @fearedbliss keeps resisting, but I think we can convince him in time :)

Link to comment
Share on other sites

So I've used the official app inputted with my correct authorization key and this unlocked app...... but somehow even though I am an advanced user I cannot change the alert/tiltback settings. I can change the values and it even says that it is "successful", but the settings revert back to the default values (< 20 kph) when I go back into the settings. This is confirmed when I ride the wheel after it's supposed to enable higher speeds. Anybody know what's up?

Link to comment
Share on other sites

@Colestien Lol hah.

Alright folks, so I've published the key generator application, all open source and stuff. I also added the reverse-engineered Verify function that I learned. This will only be useful for people that are interested in the way that King Song implemented their Verify function. It took about 10 hours probably for me to put it all together, but was a fun learning experience.

You can download the app at my github: https://github.com/fearedbliss/KingSongISNKeyGenerator

It is a Java application. The nice thing about this vs the modified .apk that I released is that this will also work for iOS since it is independent of the application. Also another nice thing about it is that it will run on Windows, Mac, Linux, FreeBSD, and any other OS that has a JVM.

Please test and give feedback. It will take several minutes for it to find your code (Sometimes it is fast though if you are lucky) since I'm using a brute force technique to do it (Was lazy to try to find a more efficient mathematical way to do it).

9Vpm9EH.png

To briefly explain how they did it.. basically they first reverse your bluetooth mac address in order to make a "Serial Number" out of it (This is the number you see in the ISN window). After that they will generate a code that satisfies the following requirements:

If your ISN is 77 1B EF 84 BE C4,

and the King Song code is: 88 58 10 00 10 00

The first 5 pairs added all up and ANDed with 0xFF must equal the last pair.

(77 + 1B + EF + 84 + BE) & 0xFF == C4

Then after that checksum is passed, they basically only check that the first, third, and fifth pair + any number in the ISN number adds up to 255 (0xFF).

First Wave [First Position]

88 + {Try Each one until it equals 255 :: 77 , 1B, EF, 84, BE, C4}

Second Wave [Third Pair]

10 + {Try each one until it equals 255}

Third Wave [Fifth Pair]

10 + {Try each one until it equals 255}

If any of these three pairs end up not adding to 255, then the verification will fail.

My program just tries each possibility till infinity that satisfies all of these requirements.

Enjoy.

6 minutes ago, Michael Vu said:

So I've used the official app inputted with my correct authorization key and this unlocked app...... but somehow even though I am an advanced user I cannot change the alert/tiltback settings. I can change the values and it even says that it is "successful", but the settings revert back to the default values (< 20 kph) when I go back into the settings. This is confirmed when I ride the wheel after it's supposed to enable higher speeds. Anybody know what's up?

That is because you are inputting an invalid input. It will reset all of your values if you do this. 30 seems to be the max value for me.

Link to comment
Share on other sites

I'm not getting invalid parameters. The values I've been putting in are level 1 - 20 kph, level 2 - 25 kph, level 3 - 30 kph. Rocker at 28 kph. I then hit "sure" and it says "successful". But it always reverts back to default values under 20 kph.

Link to comment
Share on other sites

33 minutes ago, Michael Vu said:

I'm not getting invalid parameters. The values I've been putting in are level 1 - 20 kph, level 2 - 25 kph, level 3 - 30 kph. Rocker at 28 kph. I then hit "sure" and it says "successful". But it always reverts back to default values under 20 kph.

Just curious why is your 3rd alarm higher than tiltback? Isn't the tilt back lower than any alarm defeating the point of setting that alarm? It may be embedded in the app logic that tilt back is the highest level. Try setting 3rd alarm lower than tiltback.

Link to comment
Share on other sites

Nice work with reverse-engineering this.  Not to sound presumptuous, but:

7 hours ago, fearedbliss said:

It will take several minutes for it to find your code (Sometimes it is fast though if you are lucky) since I'm using a brute force technique to do it (Was lazy to try to find a more efficient mathematical way to do it).

If your ISN is 77 1B EF 84 BE C4,

and the King Song code is: 88 58 10 00 10 00

The first 5 pairs added all up and ANDed with 0xFF must equal the last pair.

(77 + 1B + EF + 84 + BE) & 0xFF == C4

Quickly skimming through your code, you don't actually check for this in your application, do you? Not that it really matters, unless the user inputs an invalid ISN by accident, and then waits for minutes for nothing... ;)

Quote

Then after that checksum is passed, they basically only check that the first, third, and fifth pair + any number in the ISN number adds up to 255 (0xFF).

First Wave [First Position]

88 + {Try Each one until it equals 255 :: 77 , 1B, EF, 84, BE, C4}

Second Wave [Third Pair]

10 + {Try each one until it equals 255}

Third Wave [Fifth Pair]

10 + {Try each one until it equals 255}

If any of these three pairs end up not adding to 255, then the verification will fail.

My program just tries each possibility till infinity that satisfies all of these requirements.

Enjoy.

If it's really that simple (I haven't looked at the newer original King Song app, only the older Gotway-"compatible" version), you don't need to use brute force. 255 = x + y, where x = one hexadecimal value from the ISN, and y is the unknown code => y = 255 -x  (0xFF - x). The result could be simply calculated as (just for example, using positions from the ISN that match your result):

First position = 0xFF- 0x77 = 0x88
Third position = 0xFF - 0xEF = 0x10
Fifth position = 0xFF - 0xEF = 0x10

If the check is really that simple, what is the second number (0x58) in the code for? Just for "decoy"? If any position in the ISN is ok for the check, you could simply use something like:

int[] code = new int[5];
code[0] = 255 - isn[0];
code[2] = 255 - isn[1];
code[4] = 255 - isn[2];

And be done in a blink of an eye.

Link to comment
Share on other sites

@esaj haha, yea I do check for the checksum. In the regenerator it is the first check that the brute force algorithm must pass before it goes on to see if the potential candidate passes the other three "waves". In the verify function, it is also one of the first checks I do which explicitly will fail and let the user know that the code was invalid.

It really is that simple ;). Thing you are forgetting is that it isn't simply a math problem of 0xFF divided over three values (specifically 1st, 3rd, and 5th place values), but those 3 values (plus 2nd and 4th place ones - which we can just make 0 for padding) must also pass the first check which is the checksum. So not any position is ok, the code specifically only checks three values in a series of loops, the first, third, and fifth. The second and fourth values aren't used during this time, and they basically are only used when calculating the checksum in the beginning (first five pairs added up and then ANDed with 0xFF == last pair)

The second number is there because when I was writing it, I noticed that I was not finding any solutions (it could be because I had messed up my math though at this point since later on in the development I reworked the math a bit), so what I did was to add the other 3 values in the brute force loop so that it increases the range of values that it will consider.

Since at this point this is already done, I will look at it more and see if I can improve the math or do some optimizations to decrease running time ;).

In the github account, I also provided my reconstructed verify function. That will also help you better understand this, and you could test your own ISN & KS provided key as well.

- Jonathan

Link to comment
Share on other sites
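The verification check described in the posts above, next to a keyed alternative, as an added example that is not part of the thread or of the linked GitHub project. It assumes the checksum covers the code's own first five pairs, as the reply above describes; `issue_keyed`, `verify_keyed` and the demo key are hypothetical names and values introduced here.

```python
import hashlib
import hmac

def parse_pairs(text):
    """Parse 'AA BB CC DD EE FF' into six byte values."""
    vals = [int(p, 16) for p in text.split()]
    if len(vals) != 6 or any(v > 0xFF for v in vals):
        raise ValueError("expected six hex pairs in the range 00..FF")
    return vals

def verify_described(isn, code):
    """The check as the thread describes it. Every input is visible to the
    client (the ISN is the reversed Bluetooth MAC), so it authenticates nothing."""
    # Assumption: the checksum covers the code's own first five pairs.
    if sum(code[:5]) & 0xFF != code[5]:
        return False
    # Pairs 1, 3 and 5 must each add up to 0xFF with some pair of the ISN.
    return all(any(code[i] + b == 0xFF for b in isn) for i in (0, 2, 4))

def issue_keyed(isn, key):
    """Hypothetical hardened issuer: code = truncated HMAC-SHA256 of the ISN."""
    return list(hmac.new(key, bytes(isn), hashlib.sha256).digest()[:6])

def verify_keyed(isn, code, key):
    """Hypothetical hardened check. The key must live only with the issuer and
    in the device firmware, never in the phone app."""
    return hmac.compare_digest(bytes(issue_keyed(isn, key)), bytes(code))

if __name__ == "__main__":
    isn = parse_pairs("77 1B EF 84 BE C4")   # ISN quoted in the thread
    code = parse_pairs("88 58 10 00 10 00")  # code quoted in the thread
    key = b"constructed-demo-key"            # constructed sample key
    print("described check accepts quoted code:", verify_described(isn, code))
    print("keyed check accepts quoted code:", verify_keyed(isn, code, key))
    print("keyed check accepts issued code:",
          verify_keyed(isn, issue_keyed(isn, key), key))
```

The six-byte tag only mirrors the six-pair code format; a real design would use a longer tag or a signature verified against a public key.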

@fearedbliss: Could be that I understood it wrong or missed something, I just quickly skimmed through the code as I'm still at work... I'm fairly sure that there should be a solution that's faster than searching through a 256^6 search space though ;)  Not that it really matters to wait a few minutes that much, as people probably won't use it but once to get the code. I don't have a King Song myself, only Firewheel.

Link to comment
Share on other sites

@esaj haha you are right. I have some optimizations that I'm going to be making but yea there definitely should be a way faster solution. My thing is O(n^6), horrible!! But that's what I get for using brute force. I'm just happy that it works at this point lol.

Link to comment
Share on other sites

54 minutes ago, fearedbliss said:

...

It really is that simple ;). Thing you are forgetting is that it isn't simply a math problem of 0xFF divided over three values (specifically 1st, 3rd, and 5th place values), but those 3 values (plus 2nd and 4th place ones - which we can just make 0 for padding) must also pass the first check which is the checksum.

...

 

So you could calculate the values for the 1st, 3rd and 5th place like esaj suggested, take any number for place 2 and 4 and then you calculate the checksum of these 5 pairs. This you take as value for the 6th pair and voila you have your code.

Or did I miss something?

Link to comment
Share on other sites

12 minutes ago, Chriull said:

So you could calculate the values for the 1st, 3rd and 5th place like esaj suggested, take any number for place 2 and 4 and then you calculate the checksum of these 5 pairs. This you take as value for the 6th pair and voila you have your code.

Or did I miss something?

The value for the last pair can't be above 255 though so you also have that lol.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
