As part of an out-of-country car repair, my partner’s dad suspected that his transmission had been switched out for a faulty one without his permission. He noticed that after a second trip to a different mechanic, the car was not performing as expected so he asked me to help find out when his part was changed.
The vehicle was a
Hyundai Santa Fe 2008 bought in Bulgaria. It had a VIN of
KMHSH81WP8U272568, with a transmission number of
U7LFP467454. The new replaced transmission part had a number
U8LFG677211. I needed to find the corresponding VIN.
Note: the original VIN and transmission number above are not his actual vehicle information, but are really close. The new tranmission number is the real one.
The problem is that only the transmission number is known, there weren’t any free or paid (I may be wrong) which offered reverse VIN lookups from car parts. With the VIN, I can find out what country the car was manufactured for, but not with tranmission number unless you do what I did.
What is a VIN?
The Vehicle Identification Number is a fingerprint of an automobile. It includes information about a vehicle such as; country of origin, build date, build factory, name/model, model date, engine type, serial number and more.
A VIN is 17-characters long which can be further split into three parts: World Manufacturer Identifier (WMI) – large list on available Wiki, Vehicle Description Section (VDS) and Vehicle Identification Section (VIS).
Here is an example of a 2020 Lamborghini Huracan VIN
ZHW UT4ZF8 LLA13213. You can also use the Lamborghini VIN format available on Wikibooks. Below shows how it can be decoded:
- World Manufacturer Identifier
Zthe manufacturer region (Italy).
- 2nd and 3rd
HWthe manufacturer (Lamborghini).
- Vehicle Description Section
Uthe model type which is Huracan.
Tthe market which is US.
4the body type which is Convertible.
Zthe engine type which is 470 kw/hp.
Ffeatures which are Passive Seatbelts, Driver & Passenger Airbags.
8the VIN check/security code.
- Vehicle Identification Section
Lthe model year which is 2020.
Lthe manufacturer plant which is in Italy.
- 12th, 13th and 14th
A13the Manufacting Code.
- 15th, 16th and 17th
213the Serial Number.
VIN lookup sites
Many sites do not provide the same level of information. For example the site en.vindecoder.pl doesn’t show any assoicated parts like engine numbers or tranmission numbers, whilst others such as www.vindecoderz.com do.
You can see the tranmission number
U7LFP467454 is shown, as well as the engine number, and much more. It also shows the Country
[C17] Spain of where the vehicle was manufactured for, this was quite important in my case.
To help with this project I used a software that has a large collection of VINs. It does require a paid license but you can still extract VIN numbers and other useful information.
Microcat is a software product by Infomedia Ltd that enables professionals such as car dealerships, mechanics or diagnostic engineers to perform searches and identify vehicles as well as their associated parts.
This product offers a selection of manufacturer databases, each with specific year range. In this post I will be using the Microcat Hyundai 2008-2018 version which is over 21GB. Note: this is a paid product, however, you can still find some downloads online by searching
HYUNDAI 08-2018 Setup.
The installation includes three discs or ISOs, each taking about 7GB. The size of the database is down to the vast amount of information that is included for each model Hyundai between 2008-2018, covering all models and assoicated parts.
Now since I know the vehicle model and year range, I deselected all the default Hyundai models, and only selected a few. This way I won’t have to waste my VM’s storage on models that I’m not interested in. I only selected the Santa Fe model with the range of 2006-2012.
I knew part of this project may involve brute-forcing at some point. So I started my intitial analysis by examining the installation folder created by the Microcat software. By default, two folders inside the
C:\ directory are created. One called
HYW_Data and the other called
HYW_Data folder takes up most of storage (20GB worth), so I decided to have a closer look.
A folder called
VIN immediately peaked my interest:
Volume in drive C has no label.
Volume Serial Number is 9AAC-43BE
Directory of C:\HYW_Data\VIN
06/03/2022 17:02 <DIR> .
06/03/2022 17:02 <DIR> ..
04/07/2017 00:26 1,300 ckdcatmap.idx
22/06/2018 22:31 902,074 model.idx
21/02/2022 22:20 <DIR> options
21/02/2022 22:20 <DIR> Rego
22/06/2018 22:31 1,243,335,328 vin.idx
22/06/2018 22:50 725,762,912 vinrev.idx
4 File(s) 1,970,001,614 bytes
4 Dir(s) 9,730,449,408 bytes free
Inside this directory a file called
vin.idx exists, which is over 1.2GB.
The software is only available on Windows systems, and so I used WSL (Ubuntu) which comes with simple reverse engineering tools like
strings, grep, xxd and more by default. I like using
strings on files because it’s a very simple and a quick way of identifying ASCII characters that may resemble something meaningful.
strings command on the file named
vin.idx showed the following:
tester@DESKTOP-02HBA66:/mnt/c/HYW_Data/VIN$ strings vin.idx
Each record is on new line which makes it easier to understand. The first 8 digits
20061205 is the date of when the vehicle was made. The next 17-characters
5NMSG13D27H057982 is the actual VIN. And the remaining characters are some sort of data format.
There are approxmiately
42,873,633 valid Hyundai VINs in this database.
tester@DESKTOP-02HBA66:/mnt/c/HYW_Data/VIN$ strings vin.idx | wc -l
By manually scrolling through the database I was seeing all sorts VINs of Hyundai models, even though I excluded them during installation. I also noticed there were vehicles from
1992 which I thought were not part of the database.
Anyway, I needed to start searching for only certain types of models and years.
I started off by confirming the VIN
KMHSH81WP8U272568 actually exists, which it did.
tester@DESKTOP-02HBA66:/mnt/c/HYW_Data/VIN$ strings vin.idx | grep 'KMHSH81WP8U272568'
Now that the database is confirmed to be legitimate, the next step would be to decrease the database size (1.2GB) by only focusing on
Santa Fe models with specific engine types and years.
I tried recursively searching for the transmission number
U7LFP467454 but that didn’t get any hits. That would be too easy, right ;)
Looking for patterns
I started to search for only the
U7LFP chunk of the tranmission number to see if there were other examples. Many of the results were on b-parts.com, a website which sold replacement parts, and also sometimes included the associated VIN.
By comparing VINs, they both seem quite similar. I used www.ilcats.ru to find the full transmission number which was
U7LFP361217. The table shows the comparison.
I did the same thing for new transmission number
U8LFG677211 (the one that I need to find the VIN for). Again, only searching for just the
U8LFG part. A product listing page on ww.zapchast.com.ua was found that included some useful information.
Even though the description says the model is year
2008, it is actually from
2009 based on the VIN. The table shows the comparison,
#1 is the VIN I want to find.
From all the information I could gather, the first few characters of the VIN
KMHSH81WP stayed consistant throughtout three years. And since the transmission number
U8LFG?????? was assoicated with a VIN that mostly likely was from the year 2009, I had another search parameter.
Based on the two parameters, I created two much smaller files from the massive
vin.idx database. This meant that the VINs were much easier to process, and by process I mean to brute-force.
One for models with
SH81W and year
strings vin.idx | grep -e ^2008 | grep -e SH81W | cut -c 9-25 >> santa_fe_vin_2008.txt
And same model but with year
strings vin.idx | grep -e ^2009 | grep -e SH81W | cut -c 9-25 >> santa_fe_vin_2009.txt
Going from 1.2GB to:
You might might of noticed I used
cut -c 9-25 to only select the VIN. Below is some example output data:
I know I could’ve just used the entire
vin.idxdatabase, but I would prefer not to hammer random VIN lookup sites with my requests. It’s also likely I’d get blocked.
Now that I have a good dictionary wordlist, I can use any online VIN lookup site which also reveals the transmission number, and then just filter their response. I’m very familar with Burpsuite, so I opted to use Intruder to send my HTTP requests. I found www.hyundaiforum.pro – (non-https) to be the most responsive.
An example request looks like this:
GET /view_vin_res.php?lang_code=EN&vin=KMHSH81WP9U440726 HTTP/1.1
Setting the Attack type in Intruder as
Sniper and position:
And importing a simple list of VINs as the payload:
The reason why the request payload count is only
1,819 was because I did some further manual searches and found that
P9U440002 - R9U448317 is the “goldilocks” VIN range I needed to focus on.
Once Burpsuite had finished the attack, I quickly applied a filter on the response to only show requests which have the string
U8LFG677211 for the transmision number:
After applying the filter, only one request matched. Bingo!
You can also see in the following screenshot this part was in Turkey, which was the same country where my partner’s dad had his car serviced.
It was very interesting to dive into how VIN numbers are made-up, and what information they contain. In addition, the Microcat software is a powerful tool not only for professional mechanics but also for reverse engineering certain car parts.