29-05-2021, 02:18 PM   #427
JasonACT
Re: FORD technical service bulletin : ICC touch screen display

A quick update: I have not seen another match yet, but plenty of the same one I already have the "key" for (request=seed, response=key according to the people who designed this), i.e. request/seed AE 14 25 unlocks with response/key 00 00 BC.

Well, seeing no others, and being the weekend where I have more time, I devised a new program (a few actually) to get the 65K of secret keys I knew existed and plug them in one by one. The damn thing unlocked first go. Must have been a bug in the software. All my debug statements were enabled to see what was happening, but again, on the next run, unlocked first go. The device is telling me "yep" that's the code/key I needed - debug statements confirmed it.

The penny drops, so I write another program to check if the 65K of secret keys I have all produce the same key for any given seed. They do. So I have 65,536 working keys. I modified the program to show me the ones that are "readable"... Got quite a few, but I'm going with...

pLaRM

And this confirms Ford updated the keys back in 2011/12 when they got hacked, but they didn't change the seed-key algorithm.

Now I just have to be real careful, so I don't run the clear-flash command while the device is unlocked. I may have to spend some time working out how to dump the V850 firmware before I start sending in random commands.