Pages: [1] 2
Author Topic: Protocol, seed/key, CS  (Read 23776 times)
terminator
Sr. Member
****

Karma: +15/-4
Offline Offline

Posts: 425


« on: August 20, 2017, 01:07:14 PM »

I wonder how companies like CMD, Alientech etc retrieve info about seed key, CS, RSA, TProt etc.
Disassembling? Sniffer? Or they have a custom debugger or smth like that? Or maybe they buy info?

It's just impossible to add so many protocols for a such short time. But they do, so maybe it's not so difficult and exists an easy way?
Logged
jcsbanks
Full Member
***

Karma: +19/-3
Offline Offline

Posts: 146


« Reply #1 on: August 21, 2017, 03:52:39 AM »

Interested because I've done a lot of reverse eng (but not of flash protocols and would like to), more related to engine function.

I'm just putting together a scriptable Tricore instruction set simulator because the existing ones were not doing what I wanted (register tracking in IDA Pro to better resolve cross refs). With a binary available, something like that could be useful for reversing and testing this sort of stuff.
Logged
superglitch
Jr. Member
**

Karma: +4/-0
Offline Offline

Posts: 45


« Reply #2 on: August 21, 2017, 07:57:57 PM »

There's only one protocol for VAG seed/key.  CS are easy to figure out.  RSA and TPROT stuff requires some trickery, but there's people out there that know the solution and can sell it.

If you're seriously in to get protocols completed, connect with people and you can get a good chunk of information needed to do most VAG cars for pretty cheap.
« Last Edit: August 21, 2017, 08:03:01 PM by superglitch » Logged
nihalot
Full Member
***

Karma: +41/-3
Offline Offline

Posts: 117


« Reply #3 on: August 21, 2017, 11:31:39 PM »

The "trickery" is what I want to learn, I don't want to buy someones solution ;(

I'm just putting together a scriptable Tricore instruction set simulator because the existing ones were not doing what I wanted (register tracking in IDA Pro to better resolve cross refs). With a binary available, something like that could be useful for reversing and testing this sort of stuff.

But there are so many registers! I guess you're making it for a subset of the registers? I think JTAG with Trace32 or something is what Alientech,etc use
« Last Edit: August 21, 2017, 11:41:08 PM by nihalot » Logged

www.tangentmotorsport.com

multimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15

contact for reverse engineering services of any ECU/TCU
terminator
Sr. Member
****

Karma: +15/-4
Offline Offline

Posts: 425


« Reply #4 on: August 22, 2017, 04:52:23 AM »

CS are easy to figure out. 

Easy? Bosch and Siemens have many CS blocks. Maybe exists CS routine, but how to find it?
Of course, I can buy solution, but it's like buying tuned file from someone. And it needs me not for making money so I'm not ready to pay 1000$ for it.
I think JTAG with Trace32 or something is what Alientech,etc use


As I understand TRACE32 works only with source code, so you can't trace machine code only. Maybe Alientech created they own JTAG debugger, but where to get Tricore's JTAG protocol?
Logged
jcsbanks
Full Member
***

Karma: +19/-3
Offline Offline

Posts: 146


« Reply #5 on: August 22, 2017, 08:44:41 AM »

Simulators will trace a binary, but need a bit of help in how to run it. They can get trapped in loops, so I would like to take functions from IDA Pro and iterate through them following all the code cross references (calls, jumps, switches, both sides of conditional branches). I'm just trying to glue it together as IDA Python is too slow, but the instruction simulator is working simulating far more registers than I will ever need to resolve most x-refs better than IDA can itself. Marking the cross refs in IDA is a bit obstinate so far.
Logged
terminator
Sr. Member
****

Karma: +15/-4
Offline Offline

Posts: 425


« Reply #6 on: August 22, 2017, 10:39:40 AM »

Simulator is a good thing but what if:
a15 equ 0xD400xxxx

calli      a15

I can read RAM (on some softs), but this was just for example. Also simulator will make mistakes.
Actually I don't know even where is a start point of the program.
In C167 it's RESET HANDLER as I understand, but what about Tricore?
Logged
prj
Hero Member
*****

Karma: +1072/-482
Offline Offline

Posts: 6038


« Reply #7 on: August 22, 2017, 11:43:03 AM »

In many newer ECU's main bootloader is not in flashable area.
If you figure out how to unpack the sgo/frf you can already see which areas you can ignore (just to read the metadata from them is super simple, because it's not actually crypted like the ecu content).

In the end you can localize the bootloader with precision of about 0x8000 block in code, and it's not so hard to go from there and reverse it.
Both SGO and FRF tell you which sections to flash, erase etc. Using that info you can guess with veeeery high probability where the bootloader resides.

The hard part is dumping the ECU contents when you don't have access to it. When you already have the full ECU dump using some sort of hardware vulnerability or just unprotected direct hardware access, then making an OBD protocol from that is very easy when you are doing this every day. All you have to do is reverse engineer the encryption/compression from the bootloader to be able to make the payload, and then do exactly like the FRF/SGO instructs you to, to establish comms.

As I said - the hard part is breaking into new ECU's where you don't have the full flash dump. This means you either must find some 0day hardware exploit, or some way to gain remote code execution ECU, which is a software exploit. This is where the skill comes in.
And trust me, only ONE company usually does this. All the tuning companies all have each others tools so after one has done it, the rest just copy paste it by sniffing comms.

In fact I dare say, in many cases one of the companies just BUYS the solution that is crated by some big-name or independent tuner... or someone takes an early retirement package and some private keys are leaked.
« Last Edit: August 22, 2017, 11:50:23 AM by prj » Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
jcsbanks
Full Member
***

Karma: +19/-3
Offline Offline

Posts: 146


« Reply #8 on: August 22, 2017, 11:48:17 AM »

Simulator is a good thing but what if:
a15 equ 0xD400xxxx

calli      a15

I can read RAM (on some softs), but this was just for example. Also simulator will make mistakes.
Actually I don't know even where is a start point of the program.
In C167 it's RESET HANDLER as I understand, but what about Tricore?

a15 is in the upper context so saved across calls and undefined within until set, so this example simulates well, with either a RAM dump or simulation populated RAM. No tool is perfect, just an adjunct.

There is a reset vector but eventually it reaches a loop as it waits for interrupt/timer driven code to be run. Although that can be simulated too, it isn't worth it for my application which is mainly resolving x-refs in tuning related code/data.
« Last Edit: August 22, 2017, 12:17:55 PM by jcsbanks » Logged
vwaudiguy
Hero Member
*****

Karma: +53/-37
Offline Offline

Posts: 2024



« Reply #9 on: August 22, 2017, 10:18:56 PM »

In many newer ECU's main bootloader is not in flashable area.
If you figure out how to unpack the sgo/frf you can already see which areas you can ignore (just to read the metadata from them is super simple, because it's not actually crypted like the ecu content).

In the end you can localize the bootloader with precision of about 0x8000 block in code, and it's not so hard to go from there and reverse it.
Both SGO and FRF tell you which sections to flash, erase etc. Using that info you can guess with veeeery high probability where the bootloader resides.

The hard part is dumping the ECU contents when you don't have access to it. When you already have the full ECU dump using some sort of hardware vulnerability or just unprotected direct hardware access, then making an OBD protocol from that is very easy when you are doing this every day. All you have to do is reverse engineer the encryption/compression from the bootloader to be able to make the payload, and then do exactly like the FRF/SGO instructs you to, to establish comms.

As I said - the hard part is breaking into new ECU's where you don't have the full flash dump. This means you either must find some 0day hardware exploit, or some way to gain remote code execution ECU, which is a software exploit. This is where the skill comes in.
And trust me, only ONE company usually does this. All the tuning companies all have each others tools so after one has done it, the rest just copy paste it by sniffing comms.

In fact I dare say, in many cases one of the companies just BUYS the solution that is crated by some big-name or independent tuner... or someone takes an early retirement package and some private keys are leaked.

Thanks for the explanation.
Logged

"If you have a chinese turbo, that you are worried is going to blow up when you floor it, then LOL."
terminator
Sr. Member
****

Karma: +15/-4
Offline Offline

Posts: 425


« Reply #10 on: August 23, 2017, 04:29:21 AM »

In many newer ECU's main bootloader is not in flashable area.
If you figure out how to unpack the sgo/frf you can already see which areas you can ignore (just to read the metadata from them is super simple, because it's not actually crypted like the ecu content).

Thanks for reply! Maybe I misunderstood you but looks like SGO is fully crypted. I attached sgo and decrypt. I've tried to open SGO in IDA and it hasn't found any routine.
And even if bootloader in 0x8000 area, but what about CS, RSA, TPROT? I really interested for EEPROM CS.
And are you sure they simply disassemble it without JTAG debugger? I'm not sure there is no protection though.
« Last Edit: August 23, 2017, 05:04:22 AM by terminator » Logged
terminator
Sr. Member
****

Karma: +15/-4
Offline Offline

Posts: 425


« Reply #11 on: August 23, 2017, 04:43:10 AM »

There is a reset vector but eventually it reaches a loop as it waits for interrupt/timer driven code to be run.

Could you please point the offset of reset vector in the file I attached above?
Logged
prj
Hero Member
*****

Karma: +1072/-482
Offline Offline

Posts: 6038


« Reply #12 on: August 23, 2017, 05:45:07 AM »

Thanks for reply! Maybe I misunderstood you but looks like SGO is fully crypted. I attached sgo and decrypt. I've tried to open SGO in IDA and it hasn't found any routine.
And even if bootloader in 0x8000 area, but what about CS, RSA, TPROT? I really interested for EEPROM CS.
And are you sure they simply disassemble it without JTAG debugger? I'm not sure there is no protection though.

SGO is a container, that contains metadata. It is not crypted in any way.
Only thing that is packed/xored is the flash data, everything else is there in plain sight if you would care to read it.

It is a proprietary binary format.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
prj
Hero Member
*****

Karma: +1072/-482
Offline Offline

Posts: 6038


« Reply #13 on: August 23, 2017, 05:47:47 AM »

Let me get out my spoon.

Quote
C:\Tuning\sgoxtract>python sgounpack.py
File loaded: 1215214 byte(s)

Finding key using section 1...  FAILED!
Finding key using section 3...  SUCCESS! key: 42695762427544313031 (ASCII: BiWbBuD101)

Section: 1
Address: 0x4000
Length : 0xBF00
Erase  : 0x4000 - 0xFFFF
Prog   : 0x4000 - 0xFEFF
Crypt  : 11
SGO adr: 0x1C7
SGO len: 0xB941
Output : 06J906026AB_9775.sgo.bin @ 0x4000

Finding key using section 1...  FAILED!
Finding key using section 3...  SUCCESS! key: 42695762427544313031 (ASCII: BiWbBuD101)

Section: 2
Address: 0x80000
Length : 0xF8000
Erase  : 0x80000 - 0x177FFF
Prog   : 0x80000 - 0x177FFF
Crypt  : 11
SGO adr: 0xBB21
SGO len: 0xE3CDE
Output : 06J906026AB_9775.sgo.bin @ 0x80000

Finding key using section 1...  FAILED!
Finding key using section 3...  SUCCESS! key: 42695762427544313031 (ASCII: BiWbBuD101)

Section: 3
Address: 0x20000
Length : 0x20000
Erase  : 0x20000 - 0x3FFFF
Prog   : 0x20000 - 0x3FFFF
Crypt  : 11
SGO adr: 0xEF818
SGO len: 0x18F70
Output : 06J906026AB_9775.sgo.bin @ 0x20000

Finding key using section 1...  FAILED!
Finding key using section 3...  SUCCESS! key: 42695762427544313031 (ASCII: BiWbBuD101)

Section: 4
Address: 0x40000
Length : 0x40000
Erase  : 0x40000 - 0x7FFFF
Prog   : 0x40000 - 0x7FFFF
Crypt  : 11
SGO adr: 0x1087A1
SGO len: 0x20320
Output : 06J906026AB_9775.sgo.bin @ 0x40000

All done...
Press ENTER to continue...

This is just some of the data. SGO also contains baud rate, seed key, everything you need to flash ECU.
« Last Edit: August 23, 2017, 05:49:18 AM by prj » Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
SB_GLI
Hero Member
*****

Karma: +116/-10
Offline Offline

Posts: 1022


« Reply #14 on: August 23, 2017, 06:17:24 AM »

Let me get out my spoon.

This is just some of the data. SGO also contains baud rate, seed key, everything you need to flash ECU.

care to share the deets on sgounpack.py?
Logged
Pages: [1] 2
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.053 seconds with 17 queries. (Pretty URLs adds 0s, 0q)