|
H2Deetoo
|
 |
« Reply #15 on: April 02, 2020, 03:03:12 AM »
|
|
|
Can you give me some more information on SBOOT and that exploit? I've searched on SBOOT but can't find anything related to Tricore  |
|
|
|
|
Logged
|
|
|
|
|
IamwhoIam
|
|
« Reply #16 on: April 03, 2020, 02:49:30 AM »
|
|
|
CCP isn't active on PCR2.1 anyway, and activating it can be a complete *&@>
|
|
|
|
|
Logged
|
I have no logs because I have a boost gauge (makes things easier)
|
|
|
|
H2Deetoo
|
|
« Reply #17 on: April 03, 2020, 05:24:37 AM »
|
|
|
Yeah I tested PCR21, not active indeed.
But CCP was working on my CP14 TPROT2 and CP46 TPROT10, so you can use it to read any part of (protected) flash.
I don't have access to TPROT11+ ecu's so can't test further..
|
|
|
|
|
Logged
|
|
|
|
|
H2Deetoo
|
|
« Reply #18 on: April 03, 2020, 05:30:40 AM »
|
|
|
@prj, you are referring to SBOOT but I can't find anything about it.
Can you explain some more about it?
I mean, i know Tricore can boot directly to user code or to an internal bootrom which can be used by CAN or ASC (serial).
But both require setting some bootpins and have the same functionality, to upload a BSL, so I assume that's not what you mean with SBOOT.
Regards,
Bonny
|
|
|
|
|
Logged
|
|
|
|
kuebk
Jr. Member
Karma: +3/-0
 Offline
Posts: 44
|
|
« Reply #19 on: April 03, 2020, 05:31:42 AM »
|
|
|
SBOOT is similar to SB in EDC17.
|
|
|
|
|
Logged
|
|
|
|
|
IamwhoIam
|
|
« Reply #20 on: April 03, 2020, 06:42:53 AM »
|
|
|
Yeah I tested PCR21, not active indeed.
But CCP was working on my CP14 TPROT2 and CP46 TPROT10, so you can use it to read any part of (protected) flash.
I don't have access to TPROT11+ ecu's so can't test further..
Continental isn't Bosch. |
|
|
|
|
Logged
|
I have no logs because I have a boost gauge (makes things easier)
|
|
|
|
|
|
H2Deetoo
|
|
« Reply #22 on: April 03, 2020, 03:36:46 PM »
|
|
|
Thanks, more study material !  |
|
|
|
|
Logged
|
|
|
|
|
H2Deetoo
|
|
« Reply #23 on: April 03, 2020, 04:31:51 PM »
|
|
|
After a quick read I see where I got confused.
SBOOT or SB means Secondary bootloader? (In respect to a Primary bootloader?)
I was solely thinking about Tricore bootmode where there is a very limited hardcoded bootloader, which only allows you to send your own loader and execute it. And that's it.
But you are talking about the code which gets copied to ram while upgrading an ecu in normal mode?
When going to programming diagnostic mode?
(The code that handles your commands 34,35,36,37 etc)
So that code is what you refer to as SBOOT or SB ? And in that code some bug/exploits are found?
Or am I completely missing the ball here?
Excuse me on forehand ..
Regards,
H2Deetoo
|
|
|
|
|
Logged
|
|
|
|
d3irb
Full Member
Karma: +131/-1
Offline
Posts: 186
|
|
« Reply #24 on: April 03, 2020, 05:09:27 PM »
|
|
|
After a quick read I see where I got confused.
SBOOT or SB means Secondary bootloader? (In respect to a Primary bootloader?)
I was solely thinking about Tricore bootmode where there is a very limited hardcoded bootloader, which only allows you to send your own loader and execute it. And that's it.
SBOOT means Supplier Bootloader. It is the limited hardcoded bootloader. In normal operation it loads the second stage loader, CBOOT, or Customer Bootloader. |
|
|
|
|
Logged
|
|
|
|
|
H2Deetoo
|
|
« Reply #25 on: April 03, 2020, 05:13:31 PM »
|
|
|
Okay, thats the case for Simos, but how does that relate to Tricore?
|
|
|
|
|
Logged
|
|
|
|
Basano
Full Member
Karma: +90/-3
Offline
Posts: 192
|
|
« Reply #26 on: April 04, 2020, 12:05:29 AM »
|
|
|
Okay, thats the case for Simos, but how does that relate to Tricore?
? I lost you here. Tricore is a family of microprocessors made by Infineon Semiconductor. Both Bosch (MEDCxxx) and Continental (Simos) use the Tricore hardware in their products But I don't think that's what you meant? |
|
|
|
|
Logged
|
|
|
|
|
H2Deetoo
|
|
« Reply #27 on: April 04, 2020, 05:00:24 AM »
|
|
|
Sorry to be confusing, It's not clear to me.
In Tricore bootmode, there is really nothing you can do besides upload custom code (a bootstrap loader) and execute it.
There is nothing to exploit there besides writing a custom BSL which does something special (if possible).
However if you look at normal mode, how a fw update is done by go to programming diagnostics mode (some code is copied to ram which handles the erase/writes, this is the so called secondary loader? or SBOOT?)
Rgs H2Deetoo
|
|
|
|
|
Logged
|
|
|
|
|
H2Deetoo
|
|
« Reply #28 on: April 04, 2020, 05:01:36 AM »
|
|
|
So the SBOOT exploits prj is referring to, is that related to that code when going to programming diagnostics mode?
Again sorry to sound stupid, these terms are new to me.
|
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #29 on: April 04, 2020, 05:04:22 AM »
|
|
|
ECU boots.
It loads the hardware bootloader.
The hardware bootloader loads the supplier bootloader (sboot).
The supplier bootloader verifies checksum and customer bootloader (cboot).
The latter two have NOTHING to do with tricore.
They are implementation specific.
It is just how it was chosen to do by Bosch and Continental.
The hardware boot is used to program the SBOOT, and the SBOOT is used to program everything else.
SBOOT takes a signed loader and executes it.
Sooo you can get a tool that does bench mode and sniff it or you can try to reverse the code and look for an exploit.
Good luck.
|
|
|
|
|
Logged
|
|
|
|
|
