King Song 4.0 ISN Key Generator + Android App Unlocked

Chriull · December 10, 2015

6 minutes ago, fearedbliss said:

The value for the last pair can't be above 255 though so you also have that lol.

The checksum is the sum of the first five anded with 255, so the value cannot be above 255?

Edit: Or is this exactly what you said?

esaj · December 10, 2015

@fearedbliss If I understood the checking right, this should be able to create working codes (roughly at the rate of generating valid serial numbers and solving the code for them at a rate of 10000 ISNs in 0.65 seconds on my machine ) :

EDIT: Meh, still had it wrong, the last value was supposed to be the 1st through 5th summed and then the lowest byte extracted, fixed here:

http://pastebin.com/yWa7zBng

Do these examples look right (from the program output):

ISN:4E:F2:A8:8E:C3:39; CODE:B1:00:0D:00:57:15
ISN:72:B9:D1:FE:0D:07; CODE:8D:00:46:00:2E:01
ISN:0E:B6:4C:37:D8:1F; CODE:F1:00:49:00:B3:ED
ISN:1B:64:75:41:79:AE; CODE:E4:00:9B:00:8A:09
ISN:D1:36:9C:41:0C:F0; CODE:2E:00:C9:00:63:5A
ISN:11:2A:81:68:0A:2E; CODE:EE:00:D5:00:7E:41
ISN:ED:ED:9B:3D:F8:AA; CODE:12:00:12:00:64:88
ISN:25:0B:8E:08:FB:C1; CODE:DA:00:F4:00:71:3F

Chriull · December 10, 2015

@esaj: in Line 35 the code[5] = 255 - ((code[0] + code[1] + code[2] + code[3] + code[4] + code[5]) & 0xFF); the "255 -" should be removed? The checksum is only the sum and then the and?

esaj · December 10, 2015

Just now, Chriull said:

@esaj: in Line 35 the code[5] = 255 - ((code[0] + code[1] + code[2] + code[3] + code[4] + code[5]) & 0xFF); the "255 -" should be removed? The checksum is only the sum and then the and?

Yeah, see my edit above

fearedbliss · December 10, 2015

@Chriull LOL yea you are right ;D

@esajThis won't work, just tested. All of your checksums are failing lol.

	Device Serial: D4:D6:C3:84:1E:64                                                                                                                                                                                                                       

	Mac Address: 64:1E:84:C3:D6:D4                                                                                                                                                                                                                         

	Serial Number: 212-214-195-132-30-100                                                                                                                                                                                                                  

	Processing Key: 9B:00:E1:00:7B:08                                                                                                                                                                                                                      

	Checksum Failed.                                                                                                                                                                                                                                       

	Invalid Key!  

ISN:64:1E:84:C3:D6:D4; CODE:9B:00:E1:00:7B:08

I'll look at optimizations later.

You can test all of this with this online java compiler:

http://www.tutorialspoint.com/compile_java_online.php

Test your codes with my verify function:

https://github.com/fearedbliss/KingSongISNKeyGenerator/blob/master/bonus/Verify.java

esaj · December 10, 2015

16 minutes ago, fearedbliss said:

@Chriull LOL yea you are right ;D

@esajThis won't work, just tested. All of your checksums are failing lol.

Device Serial: D4:D6:C3:84:1E:64

Mac Address: 64:1E:84:C3:D6:D4

Serial Number: 212-214-195-132-30-100

Processing Key: 9B:00:E1:00:7B:08

Checksum Failed.

Invalid Key!

ISN:64:1E:84:C3:D6:D4; CODE:9B:00:E1:00:7B:08

I'll look at optimizations later.

You can test all of this with this online java compiler:

http://www.tutorialspoint.com/compile_java_online.php

Test your codes with my verify function:

https://github.com/fearedbliss/KingSongISNKeyGenerator/blob/master/bonus/Verify.java

Yeah, I first put the checksum to calculate it as 0xFF - (sums of values & 0xFF), so it was wrong... did you try the version I edited in the post a good 10 minutes ago?

EDIT: Just ran 10000 serials & generated codes through your verify function, all valid

fearedbliss · December 10, 2015

@esajAh nice, just tested and it is working. Mind if I use your implementation? I'll give you credit as well. Just let me know your name, email address or w/e info you want me to put in the code/CREDITS file.

esaj · December 10, 2015

2 minutes ago, fearedbliss said:

@esajAh nice, just tested and it is working. Mind if I use your implementation? I'll give you credit as well. Just let me know your name, email address or w/e info you want me to put in the code/CREDITS file.

Sure, "esaj" as credit is just fine. I like these kinds of "puzzles"

fearedbliss · December 10, 2015

Great. Will get a new version with this implemented. It just from O(n^6) to pretty much instant. That seems like an improvement to me LOL.

fearedbliss · December 10, 2015

@esaj, @Chriull So I tried to do the math that I was originally trying to do yesterday before I went with brute force and yea it's basically similar to the one you guys came up with, there aren't many other ways to do this considering it's pretty straight forward. Modifying the function I originally had I came up with this.

Quote

for (value5 = 0; value5 < 255; value5++) {
for(value3 = 0; value3 < 255; value3++) {
for(value1 = 0; value1 < 255; value1++) {
checksum = (value1 + value3 + value5) & 0xFF;

   int test = doesValueMatchCorrectlyWithAnyInDeviceSerial(value1);
                                   if (test == -1) continue;

                                   test = doesValueMatchCorrectlyWithAnyInDeviceSerial(value3);
                                   if (test == -1) continue;

                                   test = doesValueMatchCorrectlyWithAnyInDeviceSerial(value5);
                                   if (test == -1) continue;

                                   return getIntegersToHexAsString(value1,value2,value3,value4,value5,checksum);
}
}
}

Seems to be the same as with @esaj came up with but his is more compact since the each for loop and inner tests are compressed in your implementation :D.

So not really O(1) times but still it went down from O(n^6) to O(n^3). Still way faster and it only loops through the values that are important.

Calculating key for 77:1B:EF:84:BE:C4 ...



Solution: 10:00:10:00:10:30

Solution: 3B:00:10:00:10:5B

Solution: 41:00:10:00:10:61

Solution: 7B:00:10:00:10:9B

Solution: 88:00:10:00:10:A8

Solution: E4:00:10:00:10:04

.. More solutions

Solution: 10:00:88:00:E4:7C

Solution: 3B:00:88:00:E4:A7

Solution: 41:00:88:00:E4:AD

Solution: 7B:00:88:00:E4:E7

Solution: 88:00:88:00:E4:F4

Solution: E4:00:88:00:E4:50

Solution: 10:00:E4:00:E4:D8

Solution: 3B:00:E4:00:E4:03

Solution: 41:00:E4:00:E4:09

Solution: 7B:00:E4:00:E4:43

Solution: 88:00:E4:00:E4:50

Solution: E4:00:E4:00:E4:AC

There are 216 solutions for 77,1B,EF,84,BE,C4

Hah!

Chriull · December 10, 2015

10 minutes ago, fearedbliss said:

@esaj, @Chriull So I tried to do the math that I was originally trying to do yesterday before I went with brute force and yea it's basically similar to the one you guys came up with, there aren't many other ways to do this considering it's pretty straight forward. Modifying the function I originally had I came up with this.

Seems to be the same as with @esaj came up with but his is more compact since the each for loop and inner tests are compressed in your implementation :D.

So not really O(1) times but still it went down from O(n^6) to O(n^3). Still way faster and it only loops through the values that are important.

You have the serial number given? So why you don't just set value1=255-Serial1, value3=255-serial3, value5=255-serial5 instead of looping through all the values? Would be O(1) then again...

esaj · December 10, 2015

9 minutes ago, fearedbliss said:

@esaj, @Chriull So I tried to do the math that I was originally trying to do yesterday before I went with brute force and yea it's basically similar to the one you guys came up with, there aren't many other ways to do this considering it's pretty straight forward. Modifying the function I originally had I came up with this.

Seems to be the same as with @esaj came up with but his is more compact since the each for loop and inner tests are compressed in your implementation :D.

So not really O(1) times but still it went down from O(n^6) to O(n^3). Still way faster and it only loops through the values that are important.

There's no need to loop, the code can be calculated directly from the serial:

       int[] code = new int[6];

       code[0] = 255 - serialNumber[0];
       code[2] = 255 - serialNumber[1];
       code[4] = 255 - serialNumber[2];
       //Calculate checksum from other values
       code[5] = ((code[0] + code[1] + code[2] + code[3] + code[4]) & 0xFF);

That's it, the rest around it is just testing code. I only added loops in the test-code to generate bogus serials (with valid checksums) and for checking the result (and of repeating the process for 10000 different bogus serials). So it should be O(1).

fearedbliss · December 10, 2015

@Chriull @esaj Yea you guys are right, but isn't it cool to see that there are 216 possible solutions Muahahahha.

esaj · December 10, 2015

1 hour ago, fearedbliss said:

@Chriull @esaj Yea you guys are right, but isn't it cool to see that there are 216 possible solutions Muahahahha.

True dat, it's a bit peculiar way of doing checksumming... if you still want to squeeze computing all the combinations much faster, you could just build an algorithm to calculate all the possible combinations of the serial-bytes, including using the same "position" (=index) multiple times, and then just calculate the code + checksum from those... Another thing might be making a web-page that uses javascript to calculate the code, then it would work in mobiles too out-of-the-box (as long as there's an internet connection to load the page in the first place).

I was expecting they'd have implemented the code-checking in hardware instead of just in the app.

fearedbliss · December 10, 2015

@esaj I'll leave that up to the web programmers .

I've released the new version 1.0.1 that includes this O(1) solution. Thanks @esaj, @Chriull

https://github.com/fearedbliss/KingSongISNKeyGenerator

Chriull · December 10, 2015

3 hours ago, fearedbliss said:

@Chriull @esaj Yea you guys are right, but isn't it cool to see that there are 216 possible solutions Muahahahha.

You ought to have 256*256 solutions for each serial number, since one can choose 2 bytes freely.

edwin_rm · January 22, 2016

Btw, I take it this great stuff will work with the upcoming King Song 16", correct?

esaj · January 22, 2016

51 minutes ago, edwin_rm said:

Btw, I take it this great stuff will work with the upcoming King Song 16", correct?

Depends whether they change the code generation or not.

Teb · January 25, 2016

Hi Freaedbliss and other guys,

thank you so much for contributing this genius solution for King Song owners to unlock their wheels. I have had mine for a few weeks and the beeping at slow speeds is really starting to s%#$ me. Problem is ({problems}).. a) the app solution i cant get going (i think its because i have v1), and "b: I havn't a clue how to run a .jav file on my macbook. i have tried a whole bunch of things and even made some file in terminal using vin (i really did not know what i was doing), trying to "add my java bin directory" to my "environment variables". I really tried as hard as i could to figure this out but i just cant. I am not a programmer in any way. Is there a way to get a key for my wheel that doesn't involve programming skills? could someone out there run my wheel number for me maybe...?

it comes up in bluetooth on my computer as 20-15-05-13-52-65

thanks

T

Chriull · January 25, 2016

Could be df:00:fa:00:ad:86

if not wait for @esaj or @fearedbliss to start up the number generator

fearedbliss · January 25, 2016

@Teb, I don't think new versions of OS X come with Java installed anymore (for security reasons). You shouldn't need to add anything to your path though, all you would need to do is install Java and the installer should automatically do that for you. You can download the JRE from Oracle's website:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

esaj · January 26, 2016

I quickly made a small Javascript-version so people don't need to download the program and fight with Java (in case they haven't got it installed):

Sweet M · January 30, 2016

@esaj is it possible to have more than one working result? I was just curious, so I typed in the ISN for my KS 18A already knowing my authorization code and the result did not match the code that I was given to unlock it. I also realize that my level of understanding re: this stuff is far below (what I consider) the genius of those on this forum, so maybe I'm missing something? :-)

esaj · January 30, 2016

14 minutes ago, Sweet M said:

@esaj is it possible to have more than one working result? I was just curious, so I typed in the ISN for my KS 18A already knowing my authorization code and the result did not match the code that I was given to unlock it. I also realize that my level of understanding re: this stuff is far below (what I consider) the genius of those on this forum, so maybe I'm missing something? :-)

Yes, due to the way the calculation & checksum works, there are lots of options. Out of the 6 hex-values of the ISN, only three are used in the actual code, out of the remaining three, two can be anything and the last one acts as a checksum.

Calculating quickly from that off the top of my head, that gives at least 2^16 possibilities (2 random bytes), so about 65536 options or more?

@Sweet M: You could actually help to check that this is working correctly, if you give me your ISN and 2nd and 4th value of the code, I should be able to calculate the code you've received Or just give the entire code, then I won't have to ask you whether it matches.

Sweet M · January 30, 2016

@esaj Interesting!!!

Here is my info and, of course, I'd still like to here if it matches.......

ISN is 6A:3A:EF:84:BE:C4 and my authorization code was 95:63:C5:8E:7B:C6.

Sign In

King Song 4.0 ISN Key Generator + Android App Unlocked

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Archived