NefMoto

Technical => Reverse Engineering => Topic started by: unicornux on March 08, 2021, 12:25:09 AM



Title: Reading E2PROM with loader by OBD
Post by: unicornux on March 08, 2021, 12:25:09 AM
Hi guys,
Recently I wrote my own loader for reading E2PROM (In C166 Arch).
But no matter how hard I tried, I couldn't.

How can I write this loader into the RAM area so that it can read the EEPROM?
I tried the 0x3D and 0x36 commands, but it doesn't work.

Basically I want to know what I should look for.

P.S: EEPROM: M95320

Thanks.


Title: Re: Reading E2PROM with loader by OBD
Post by: prj on March 08, 2021, 02:27:52 AM
So let's say you succeed to write to memory.
WriteMemoryByAddress needs development session btw.
How are you going to get the ECU to execute this code?

If you really want to read the eeprom you need to write a bootstrap loader and do it in boot mode.

Otherwise you can use ReadMemoryByAddress to read the mirror.


Title: Re: Reading E2PROM with loader by OBD
Post by: unicornux on March 08, 2021, 03:37:41 AM
I am trying to write my loader into the RAM area (0xE000 - 0xE7FF). I have done this before for another ECU by SID 0x3D. But here I can't write my bootstrap loader.

According to your reply:
1 - Could you explain to me in a nutshell how I can calculate the correct address in the RAM area?
2 - How can I calculate the correct address of the mirror area? (For Plan B)

I prefer to use the bootstrap loader way.


Title: Re: Reading E2PROM with loader by OBD
Post by: prj on March 08, 2021, 04:47:51 AM
I don't understand anything you are saying.

You are talking about KWP2000 SID's then you are talking about bootstrap loading.
Two completely different things, what does one have to do with the other?

Bootstrap is bootmode, with bootpin to ground. There are no SID's there, there is no service stack. Just low level communication:
http://alt.ife.tugraz.at/datashts/Siemens/ap160701.pdf (http://alt.ife.tugraz.at/datashts/Siemens/ap160701.pdf)
You write your own communication logic.

WTF do KWP2000 SID's have to do with it?


Title: Re: Reading E2PROM with loader by OBD
Post by: unicornux on March 08, 2021, 05:10:12 AM
> I don't understand anything you are saying.
>
> You are talking about KWP2000 SID's then you are talking about bootstrap loading.
> Two completely different things, what does one have to do with the other?
>
> Bootstrap is bootmode, with bootpin to ground. There are no SID's there, there is no service stack. Just low level communication:
> http://alt.ife.tugraz.at/datashts/Siemens/ap160701.pdf (http://alt.ife.tugraz.at/datashts/Siemens/ap160701.pdf)
> You write your own communication logic.
>
> WTF do KWP2000 SID's have to do with it?

Oh, Ok. Misunderstood.
I have a bootloader file for an ECU (Bosch ME7.4.4 with C166 arch). I write this bootloader into the RAM area with the KWP protocol (with SID 0x3D).
After writing the bootloader I sent the command shown below:
     0x81 0x11 0xF1 0xFF 0x82

After this the E2PROM read starts. And the operation ended successfully.

All of these operations were done over OBD.
Now I want to do these operations with another ECU. But when I send the 0x3D SID to the ECU it returns 0x7f 0x31 to me.

Is it possible that an ECU cannot write to RAM?


Title: Re: Reading E2PROM with loader by OBD
Post by: prj on March 08, 2021, 05:17:57 AM
You are not writing a bootloader.
Nothing you do has anything to do with bootloading.
Use the correct words to describe what you are doing.

No idea what command you are sending to other ECU, it is not part of KWP2000 protocol.

Also call services by their names instead of hex ID's.
3D is writeMemoryByAddress, I already told you, you need a development session, not the default session.

Also I am not aware of such a blatant remote code execution on VAG ME7. You can probably force one, by trashing some ram executed routine, but uploading a payload to RAM and executing it while the ECU is running? Nope.

Sounds to me like you copypasted some tool, and not done any of this yourself.
You seem to not understand the very basics.


Title: Re: Reading E2PROM with loader by OBD
Post by: unicornux on March 08, 2021, 05:57:10 AM
> You are not writing a bootloader.
> Nothing you do has anything to do with bootloading.
> Use the correct words to describe what you are doing.
>
> No idea what command you are sending to other ECU, it is not part of KWP2000 protocol.
>
> Also call services by their names instead of hex ID's.
> 3D is writeMemoryByAddress, I already told you, you need a development session, not the default session.
>
> Also, I am not aware of such a blatant remote code execution on VAG ME7. You can probably force one, by trashing some ram executed routine, but uploading a payload to RAM and executing it while the ECU is running? Nope.
>
> Sounds to me like you copypasted some tool, and not done any of this yourself.
> You seem to not understand the very basics.

Thanks for your generous reply.
So, yes, I copied a file (or bootloader or whatever) and I sniffed the operation that did this. Actually, I have a file that can read the EEPROM and send it to me over OBD, but I changed some points of this file and now I want to write it to another ECU. It seems it's not complicated. :)
Changing the file is my job and I am trying to learn the other stuff from you.

BTW, I heard you say before that I should use the development session. Right?
But I used the standard session for the previous ECU. How did it work for that ECU? I have shown it below:

Tool:0x81 0x11 0xF1 0x81 0x04
ECU:0x83 0xF1 0x11 0xC1 0xEF 0x8F 0xC4

Tool:0x82 0x11 0xF1 0x10 0x86 0x1A
ECU:0x82 0xF1 0x11 0x50 0x86 0x5A
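The exchange quoted above, decoded by an added example that is not part of the original post: a small ISO 14230 (KWP2000) frame parser that checks the trailing checksum (sum of all preceding bytes modulo 256), splits header, service and data, and names the service, the session byte of startDiagnosticSession and any negative-response code. The service, session and response-code names follow ISO 14230-3 as I recall them; the last frame in CAPTURE is constructed from the "0x7f 0x31" reply mentioned earlier in the thread, not captured from the page.

```python
# Added example (not from the thread): decode KWP2000 frames as captured in
# the post above and verify their trailing checksums.
SERVICES = {0x10: "startDiagnosticSession", 0x23: "readMemoryByAddress",
            0x3D: "writeMemoryByAddress", 0x81: "startCommunication"}
NRC = {0x31: "requestOutOfRange", 0x33: "securityAccessDenied",
       0x7F: "serviceNotSupportedInActiveDiagnosticMode"}  # ISO 14230-3 names
SESSIONS = {0x81: "standardDiagnosticMode", 0x85: "ecuProgrammingMode",
            0x86: "ecuDevelopmentMode"}                    # ISO 14230-3 names

def checksum(payload: bytes) -> int:
    """KWP2000 checksum: byte-wise sum of everything before it, modulo 256."""
    return sum(payload) & 0xFF

def parse_frame(frame: bytes) -> dict:
    """Parse a physically addressed frame: format byte 0b10LLLLLL (L = data
    length incl. SID), target, source, SID, data bytes, checksum."""
    fmt = frame[0]
    if fmt >> 6 != 0b10:
        raise ValueError("only physical addressing with address bytes handled")
    length = fmt & 0x3F
    if length == 0 or len(frame) != 3 + length + 1:
        raise ValueError(f"length byte {length} does not match frame size")
    body, cs = frame[:-1], frame[-1]
    if checksum(body) != cs:
        raise ValueError(f"bad checksum {cs:#04x}, expected {checksum(body):#04x}")
    target, source, sid, data = frame[1], frame[2], frame[3], frame[4:-1]
    info = {"target": target, "source": source, "sid": sid, "data": data}
    if sid == 0x7F:  # negative response: 0x7F, rejected SID, response code
        info["service"] = "negativeResponse(" + SERVICES.get(data[0], hex(data[0])) + ")"
        info["nrc"] = NRC.get(data[1], f"0x{data[1]:02x}")
    elif sid & 0x40:  # positive response SID = request SID + 0x40
        info["service"] = SERVICES.get(sid - 0x40, hex(sid - 0x40)) + " (+)"
    else:
        info["service"] = SERVICES.get(sid, hex(sid))
    if sid in (0x10, 0x50) and data:  # session byte of startDiagnosticSession
        info["session"] = SESSIONS.get(data[0], f"0x{data[0]:02x}")
    return info

def frame_is_valid(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except (ValueError, IndexError):
        return False

# The four frames quoted in the post, plus one constructed negative response
# to writeMemoryByAddress with code 0x31 (the "0x7f 0x31" reply mentioned above).
CAPTURE = [bytes.fromhex(h) for h in (
    "81 11 F1 81 04", "83 F1 11 C1 EF 8F C4",
    "82 11 F1 10 86 1A", "82 F1 11 50 86 5A", "83 F1 11 7F 3D 31 72")]
```

Running `parse_frame` over CAPTURE shows the startDiagnosticSession request carries session byte 0x86, and a 0x7F reply names the rejected service and its response code instead of leaving it as raw hex.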


Title: Re: Reading E2PROM with loader by OBD
Post by: prj on March 08, 2021, 06:37:19 AM
Once you understand what you are actually sending to ECU, and then what the hex means that you're getting back, then we can talk.
Until then there is no sense for me to continue this discussion, because you do not understand anything of what I am saying.

Also a super duper assumption that comms stacks and open services across different makes are the same.
That's not even close to being the case. Especially when you are using some custom undocumented SID's.


Title: Re: Reading E2PROM with loader by OBD
Post by: woj on March 08, 2021, 02:03:52 PM
> Otherwise you can use ReadMemoryByAddress to read the mirror.

Not sure about VAG ME-s, but on my ECU the EEPROM mirror area is read-protected. Read-protection can be switched off by setting one of the CW-s in the Flash, so OBD re-flash first, then read the mirror. Perhaps there is a special diagnostics session (the development one, never knew it has this name, is necessary to do any ReadMemoryByAddress on my ECU IIRC) that bypasses the read-protection, but I never figured it out.

What the OP is on about - sounds like an undocumented monitor capability of some sort, can be an interesting thing from the ECU exploitation point of view ;)


Title: Re: Reading E2PROM with loader by OBD
Post by: unicornux on March 09, 2021, 12:29:19 AM
While we were dealing with the names here, I was able to solve the problem.
I could read a mirror of the EEPROM with SID 0x23. Only the correctness of the addresses was important, and I successfully calculated the correct address from the ECU dump file.
Very simple.
Fortunately, the EEPROM mirror was not read protected, so I get EEPROM data clear.
Thanks.


Title: Re: Reading E2PROM with loader by OBD
Post by: prj on March 09, 2021, 02:12:32 AM
I told you to do that in the first post. Duh.


Title: Re: Reading E2PROM with loader by OBD
Post by: unicornux on March 09, 2021, 03:50:56 AM
I obeyed your orders, Sir.
Thanks a lot <3