Reverse VIN lookup by part numbers

Back story

As part of an out-of-country car repair, my partner’s dad suspected that his transmission had been switched out for a faulty one without his permission. He noticed that after a second trip to a different mechanic, the car was not performing as expected so he asked me to help find out when his part was changed.

The vehicle was a Hyundai Santa Fe 2008 bought in Bulgaria. It had a VIN of KMHSH81WP8U272568, with a transmission number of U7LFP467454. The new replaced transmission part had a number U8LFG677211. I needed to find the corresponding VIN.

Note: the original VIN and transmission number above are not his actual vehicle information, but are really close. The new tranmission number is the real one.

Problem

The problem is that only the transmission number is known, there weren’t any free or paid (I may be wrong) which offered reverse VIN lookups from car parts. With the VIN, I can find out what country the car was manufactured for, but not with tranmission number unless you do what I did.

What is a VIN?

The Vehicle Identification Number is a fingerprint of an automobile. It includes information about a vehicle such as; country of origin, build date, build factory, name/model, model date, engine type, serial number and more.

A VIN is 17-characters long which can be further split into three parts: World Manufacturer Identifier (WMI) – large list on available Wiki, Vehicle Description Section (VDS) and Vehicle Identification Section (VIS).

VIN example

Here is an example of a 2020 Lamborghini Huracan VIN ZHW UT4ZF8 LLA13213. You can also use the Lamborghini VIN format available on Wikibooks. Below shows how it can be decoded:

• World Manufacturer Identifier ZHW
  • 1st Z the manufacturer region (Italy).
  • 2nd and 3rd HW the manufacturer (Lamborghini).
• Vehicle Description Section UT4ZF8
  • 4th U the model type which is Huracan.
  • 5th T the market which is US.
  • 6th 4 the body type which is Convertible.
  • 7th Z the engine type which is 470 kw/hp.
  • 8th F features which are Passive Seatbelts, Driver & Passenger Airbags.
  • 9th 8 the VIN check/security code.
• Vehicle Identification Section LLA13213
  • 10th L the model year which is 2020.
  • 11th L the manufacturer plant which is in Italy.
  • 12th, 13th and 14th A13 the Manufacting Code.
  • 15th, 16th and 17th 213 the Serial Number.

VIN lookup sites

There are plenty of VIN lookup sites, some also are able to check whether the vehicle has been stolen, a UK based site called isitnicked.com. Or USA based site called www.nicb.org.

Many sites do not provide the same level of information. For example the site en.vindecoder.pl doesn’t show any assoicated parts like engine numbers or tranmission numbers, whilst others such as www.vindecoderz.com do.

You can see the tranmission number U7LFP467454 is shown, as well as the engine number, and much more. It also shows the Country [C17] Spain of where the vehicle was manufactured for, this was quite important in my case.

Analysis

To help with this project I used a software that has a large collection of VINs. It does require a paid license but you can still extract VIN numbers and other useful information.

Microcat software

Microcat is a software product by Infomedia Ltd that enables professionals such as car dealerships, mechanics or diagnostic engineers to perform searches and identify vehicles as well as their associated parts.

This product offers a selection of manufacturer databases, each with specific year range. In this post I will be using the Microcat Hyundai 2008-2018 version which is over 21GB. Note: this is a paid product, however, you can still find some downloads online by searching HYUNDAI 08-2018 Setup.

Installation

The installation includes three discs or ISOs, each taking about 7GB. The size of the database is down to the vast amount of information that is included for each model Hyundai between 2008-2018, covering all models and assoicated parts.

Now since I know the vehicle model and year range, I deselected all the default Hyundai models, and only selected a few. This way I won’t have to waste my VM’s storage on models that I’m not interested in. I only selected the Santa Fe model with the range of 2006-2012.

Initial assessment

I knew part of this project may involve brute-forcing at some point. So I started my intitial analysis by examining the installation folder created by the Microcat software. By default, two folders inside the C:\ directory are created. One called HYW_Data and the other called MCHYW. The HYW_Data folder takes up most of storage (20GB worth), so I decided to have a closer look.

A folder called VIN immediately peaked my interest:

C:\HYW_Data\VIN>dir
 Volume in drive C has no label.
 Volume Serial Number is 9AAC-43BE

 Directory of C:\HYW_Data\VIN

06/03/2022  17:02    <DIR>          .
06/03/2022  17:02    <DIR>          ..
04/07/2017  00:26             1,300 ckdcatmap.idx
22/06/2018  22:31           902,074 model.idx
21/02/2022  22:20    <DIR>          options
21/02/2022  22:20    <DIR>          Rego
22/06/2018  22:31     1,243,335,328 vin.idx
22/06/2018  22:50       725,762,912 vinrev.idx
               4 File(s)  1,970,001,614 bytes
               4 Dir(s)   9,730,449,408 bytes free

Inside this directory a file called vin.idx exists, which is over 1.2GB.

Using strings

The software is only available on Windows systems, and so I used WSL (Ubuntu) which comes with simple reverse engineering tools like strings, grep, xxd and more by default. I like using strings on files because it’s a very simple and a quick way of identifying ASCII characters that may resemble something meaningful.

The strings command on the file named vin.idx showed the following:

tester@DESKTOP-02HBA66:/mnt/c/HYW_Data/VIN$ strings vin.idx
...
200612055NMSG13D27H057982uh
200612055NMSG13D27H058050uh
200612055NMSG13D27H058095uh
200612055NMSG13D27H058100uh
200612075NMSG13D27H058176uh
200612065NMSG13D27H058209uh
200612065NMSG13D27H058226uh
200612065NMSG13D27H058274
...

Each record is on new line which makes it easier to understand. The first 8 digits 20061205 is the date of when the vehicle was made. The next 17-characters 5NMSG13D27H057982 is the actual VIN. And the remaining characters are some sort of data format.

There are approxmiately 42,873,633 valid Hyundai VINs in this database.

tester@DESKTOP-02HBA66:/mnt/c/HYW_Data/VIN$ strings vin.idx | wc -l
42873633

By manually scrolling through the database I was seeing all sorts VINs of Hyundai models, even though I excluded them during installation. I also noticed there were vehicles from 1992 which I thought were not part of the database.

Anyway, I needed to start searching for only certain types of models and years.

Search queries

I started off by confirming the VIN KMHSH81WP8U272568 actually exists, which it did.

tester@DESKTOP-02HBA66:/mnt/c/HYW_Data/VIN$ strings vin.idx | grep 'KMHSH81WP8U272568'
20070907KMHSH81WP8U272568^8

Now that the database is confirmed to be legitimate, the next step would be to decrease the database size (1.2GB) by only focusing on Santa Fe models with specific engine types and years.

I tried recursively searching for the transmission number U7LFP467454 but that didn’t get any hits. That would be too easy, right ;)

Looking for patterns

I started to search for only the U7LFP chunk of the tranmission number to see if there were other examples. Many of the results were on b-parts.com, a website which sold replacement parts, and also sometimes included the associated VIN.

By comparing VINs, they both seem quite similar. I used www.ilcats.ru to find the full transmission number which was U7LFP361217. The table shows the comparison.

I did the same thing for new transmission number U8LFG677211 (the one that I need to find the VIN for). Again, only searching for just the U8LFG part. A product listing page on ww.zapchast.com.ua was found that included some useful information.

Even though the description says the model is year 2008, it is actually from 2009 based on the VIN. The table shows the comparison, #1 is the VIN I want to find.

From all the information I could gather, the first few characters of the VIN KMHSH81WP stayed consistant throughtout three years. And since the transmission number U8LFG?????? was assoicated with a VIN that mostly likely was from the year 2009, I had another search parameter.

Making wordlists

Based on the two parameters, I created two much smaller files from the massive vin.idx database. This meant that the VINs were much easier to process, and by process I mean to brute-force.

One for models with SH81W and year 2008:

strings vin.idx | grep -e ^2008 | grep -e SH81W | cut -c 9-25 >> santa_fe_vin_2008.txt

And same model but with year 2009:

strings vin.idx | grep -e ^2009 | grep -e SH81W | cut -c 9-25 >> santa_fe_vin_2009.txt

Going from 1.2GB to:

• santa_fe_vin_2008.txt is 484KB
• santa_fe_vin_2009.txt is 112KB

You might might of noticed I used cut -c 9-25 to only select the VIN. Below is some example output data:

...
KMHSH81WR9U466119
KMHSH81WR9U466125
KMHSH81WR9U466130
KMHSH81WR9U466134
KMHSH81WR9U466138
KMHSH81WR9U466143
KMHSH81WR9U466148
KMHSH81WR9U466153
...

Bruteforce

I know I could’ve just used the entire vin.idx database, but I would prefer not to hammer random VIN lookup sites with my requests. It’s also likely I’d get blocked.

Now that I have a good dictionary wordlist, I can use any online VIN lookup site which also reveals the transmission number, and then just filter their response. I’m very familar with Burpsuite, so I opted to use Intruder to send my HTTP requests. I found www.hyundaiforum.pro – (non-https) to be the most responsive.

An example request looks like this:

GET /view_vin_res.php?lang_code=EN&vin=KMHSH81WP9U440726 HTTP/1.1

Host: www.hyundaiforum.pro
[...]
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

Setting the Attack type in Intruder as Sniper and position:

And importing a simple list of VINs as the payload:

The reason why the request payload count is only 1,819 was because I did some further manual searches and found that P9U440002 - R9U448317 is the “goldilocks” VIN range I needed to focus on.

Once Burpsuite had finished the attack, I quickly applied a filter on the response to only show requests which have the string U8LFG677211 for the transmision number:

After applying the filter, only one request matched. Bingo!

You can also see in the following screenshot this part was in Turkey, which was the same country where my partner’s dad had his car serviced.

Summary

It was very interesting to dive into how VIN numbers are made-up, and what information they contain. In addition, the Microcat software is a powerful tool not only for professional mechanics but also for reverse engineering certain car parts.

Resources

• Hyundai VIN Format
• Word Manufacturer Identities (WMI)
• Reverse engineering Microcat US Database