Author Topic: SSM protocol as used by KTAG for PCR21 for example  (Read 1175 times)
H2Deetoo
Full Member
Karma: +14/-0
Offline
Posts: 202
« on: March 22, 2020, 07:04:35 AM »

Hi guys,

See topic, does anyone have some information about this SSM protocol, and what it can be used for?

Regards,
H2Deetoo
Logged
H2Deetoo
Full Member
Karma: +14/-0
Offline
Posts: 202
« Reply #1 on: March 22, 2020, 07:10:05 AM »

I just read this on the Alientech site:

Connection cable for the Continental Simos PCR 2.1 Ecus
This is needed to retrieve the Password from the ECU when working on the bench.

Can somebody explain why/when a password is needed?
I have never needed any password yet in the EDC17s I've done on the table.

Rgs H2Deetoo
Logged
IamwhoIam
Hero Member
Karma: +27/-44
Offline
Posts: 779
« Reply #2 on: March 23, 2020, 12:17:38 PM »

LOL
Logged

I have no logs because I have a boost gauge (makes things easier)
prj
Hero Member
Karma: +337/-63
Offline
Posts: 3854
« Reply #3 on: March 23, 2020, 12:24:56 PM »

LOL
Logged
dragon187
Full Member
Karma: +7/-5
Online
Posts: 82
« Reply #4 on: March 23, 2020, 02:31:49 PM »

Wrong hobby maybe? Grin
Logged
H2Deetoo
Full Member
Karma: +14/-0
Offline
Posts: 202
« Reply #5 on: March 23, 2020, 03:38:04 PM »

Not so respectful, these guys!

I'm an expert on VW clusters and can do many things with them that others can't.

But I'm a novice regarding ECUs, I agree.
That's why I ask a question about it and I get such answers..... blegh!

Keep up the (not so) good work then!
Logged
prj
Hero Member
Karma: +337/-63
Offline
Posts: 3854
« Reply #6 on: March 25, 2020, 04:09:59 PM »

A stupid question gets a stupid answer!

The user manuals for all the TriCore chips are public, and you can read how flash is accessed.
If you spend even 5 minutes on that, you will see why what you said is very funny.
Logged
H2Deetoo
Full Member
Karma: +14/-0
Offline
Posts: 202
« Reply #7 on: March 26, 2020, 06:18:26 AM »

I agree, I found it in the manual.
The question that then arises is how to find out the password for the older TPROT versions?

The next thing is which tricks or protocols they use to read passwords for TPROT8+?

As far as I am concerned there are no stupid questions!
Logged
IamwhoIam
Hero Member
Karma: +27/-44
Offline
Posts: 779
« Reply #8 on: March 27, 2020, 03:06:37 AM »

Not being a programmer per se, all I know about older TPROT versions is that the pw is calculated with some XOR values on the CPU ID, each byte having a different XOR value as far as I can remember, but don't quote me on that, I am not a programmer.
Logged

I have no logs because I have a boost gauge (makes things easier)
H2Deetoo
Full Member
Karma: +14/-0
Offline
Posts: 202
« Reply #9 on: March 27, 2020, 05:21:56 AM »

Thanks, I'll check that out !
Logged
prj
Hero Member
Karma: +337/-63
Offline
Posts: 3854
« Reply #10 on: March 27, 2020, 09:26:36 AM »

On older TPROT, up to v5, the password was a simple algorithm from the MCUID.
So once that was found out, it was pretty much useless, as you didn't even need the password.

Then on most ECUs CCP was active and it was possible to read it via CCP through the ECU pins.
After that CCP got closed, but in the SBOOT there was a function that allowed you to checksum any area. This function was not protected by authentication (!)
So you would ask for the checksum of where the password was stored, byte by byte, and because the algorithm was known and you were "checksumming" 1 byte, you could read the password. This was called "GPT" mode.

This was patched, for example in MED17.1.62 this approach no longer worked...
And then the "silver bullet" got released - by exploiting a vulnerability in the SBOOT you could upload your own unsigned bootloader. After this even opening the ECU became unnecessary.

On SIMOS the "SSM" is basically SBOOT access, and I don't know exactly how it works, but there is also a vulnerability that allows you to read the password. In some (PCR2.1 for example) it has been exploited to allow full R/W too.

The weakness of TC17xx is that the password to r/w the flash is stored in the flash. Otherwise updating the ECU would be impossible in the field.

They fixed that in Aurix. It's stored in the HSM, and the HSM decides everything. So you can't read it out even if you can run unsigned code.
The MG1 bench r/w is also a full SBOOT exploit that allows you to upload and run an unsigned bootloader.
MPC5557 is another thing entirely, but because the SBOOT is the same the same exploit works there. But also the password can not be read out.

Not that the password is very important - unless you mess up the SBOOT you already have a full exploit. This is similar to a DFU exploit on an iPhone. The SBOOT can not be updated in the field, so all the ECUs ever released are vulnerable to it and always will be.

Hope you enjoyed a brief lesson.

And yes, there are IMO stupid questions. If it's something you can learn from a publicly available datasheet, and it is not obscure in any way (literally: How do I program the flash?) then that is a pretty stupid question.
In my language there is a saying - 1 dumb man can ask more questions than 10 wise men can ever answer. I am not saying you are dumb, but you could have expended at least a little effort.
« Last Edit: March 27, 2020, 09:33:12 AM by prj » Logged
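The "GPT mode" weakness prj describes above (an unauthenticated checksum routine that accepts a one-byte range over memory that holds a secret) is an instance of a general oracle problem, and it is worth seeing why the fix is policy, not algorithm. The toy model below is an added example and not code from the post or from any ECU bootloader: the 256-byte flash image, the password bytes, the address layout, the 16-bit additive checksum and the hardened service's checks are all constructed for illustration. It measures how much of the protected region each variant exposes, and shows that the hardened variant still serves a legitimate whole-block checksum to an authenticated caller.

```python
"""Toy model of an unauthenticated bootloader checksum routine and a hardened
variant.  Added example: the flash layout, password bytes and checksum
algorithm are constructed stand-ins, not those of any real SBOOT."""

PASSWORD_ADDR, PASSWORD_LEN = 0x80, 8          # constructed layout
MIN_CHECKSUM_LEN = 64                          # hardened policy: whole blocks only

# Constructed 256-byte flash image with the password stored inside it
# (the TC17xx property discussed above: the flash password lives in flash).
FLASH = bytearray(range(256))
FLASH[PASSWORD_ADDR:PASSWORD_ADDR + PASSWORD_LEN] = bytes.fromhex("DEADBEEFCAFEF00D")


def checksum(data):
    """Stand-in algorithm: 16-bit additive checksum.  Any publicly known
    algorithm behaves the same here: over a 1-byte range its output is a
    function of a single unknown byte and therefore trivially invertible."""
    return sum(data) & 0xFFFF


def vulnerable_checksum_service(flash, start, length, authenticated=False):
    """Models the flaw: no authentication, no range restriction, any length."""
    return checksum(flash[start:start + length])


def hardened_checksum_service(flash, start, length, authenticated=False):
    """Same service with the three checks that close the oracle."""
    if not authenticated:
        raise PermissionError("checksum routine requires prior security access")
    if length < MIN_CHECKSUM_LEN:
        raise ValueError("range too small; checksum must cover a whole block")
    if start < PASSWORD_ADDR + PASSWORD_LEN and start + length > PASSWORD_ADDR:
        raise ValueError("range overlaps the protected password region")
    return checksum(flash[start:start + length])


def bytes_recoverable_via_oracle(service, start, length):
    """Exposure measurement: how much of [start, start+length) a caller learns
    from 1-byte checksum queries.  Returns the recovered bytes, or None as soon
    as the service refuses a query."""
    recovered = bytearray()
    for addr in range(start, start + length):
        try:
            c = service(FLASH, addr, 1)
        except (PermissionError, ValueError):
            return None
        # Invert the known algorithm by trying all 256 candidate byte values.
        recovered.append(next(b for b in range(256) if checksum(bytes([b])) == c))
    return bytes(recovered)


if __name__ == "__main__":
    print("vulnerable:", bytes_recoverable_via_oracle(
        vulnerable_checksum_service, PASSWORD_ADDR, PASSWORD_LEN))
    print("hardened:  ", bytes_recoverable_via_oracle(
        hardened_checksum_service, PASSWORD_ADDR, PASSWORD_LEN))
```

The point of the three checks is that each one alone is insufficient: authentication alone still lets an authorised tester read the secret, a minimum length alone can be defeated by differencing two overlapping ranges, and a region blacklist alone does nothing against the next secret placed elsewhere. Together they match what prj describes Aurix doing architecturally by moving the secret out of the checksummed address space altogether.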
H2Deetoo
Full Member
Karma: +14/-0
Offline
Posts: 202
« Reply #11 on: March 28, 2020, 08:03:35 AM »

Thank you for your nice explanation.
I have a habit, when doing research, of asking and reading and asking and reading, not necessarily in the right order.
So yes, I could have found my answer before asking the question.

But still I don't like such answers and will let that be known regardless. Most likely no one will give a sh*t though.

Thanks again,
H2Deetoo
Logged
Geremia
Newbie
Karma: +7/-0
Offline
Posts: 19
« Reply #12 on: March 31, 2020, 02:51:25 PM »

Siemens SBOOT hack (recently used in PCR21, but it's an old hack used in other Siemens ECUs for 3 years, like MSD85 for example); in a few words it is similar to the Bosch SB bench mode hack: bypass a couple of RSA and exec your piece of code = full access
Logged
H2Deetoo
Full Member
Karma: +14/-0
Offline
Posts: 202
« Reply #13 on: April 01, 2020, 09:43:10 AM »

Alright, I have worked out the CCP protocol to retrieve the password for TPROT8+.
The CAN IDs for CCP are described in the ECU's A2L and are often (always?) 0x7C3/7C4.

I've found another log of a similar approach to get the password, but it seems to use UDS with CAN IDs 0x524/523.
Does anybody know which protocol (name) this is?

Here's an example:
524 [8] 10 0A 31 01 01 7F 90 01
523 [8] 30 00 00 00 00 00 00 00
524 [8] 21 7F 90 12 34 00 00 00
523 [8] 02 71 01 00 00 00 00 00


Rgs H2Deetoo
Logged
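The four frames quoted in this post have the shape of ISO-TP (ISO 15765-2) segmentation carrying a UDS (ISO 14229) request and its positive response: a first frame (`10 0A`, ten payload bytes), a flow-control frame (`30 ...`) from the ECU, one consecutive frame (`21 ...`), and a single-frame reply (`02 71 01`). Reading such bench logs correctly is the first step in reviewing what a tool actually sends to a controller, so here is an added example that reassembles and decodes them. It is not code from the post or from any tool; the log lines are copied from the post, the small service and subfunction name tables are the standard UDS assignments, and everything else is this example's own construction.

```python
"""Decode the four CAN frames quoted above as ISO-TP (ISO 15765-2) segments
carrying UDS (ISO 14229) messages.  Added example: the frames are copied from
the post; the decoder is this example's own code."""

# Log lines as printed in the post: "<CAN ID hex> [<DLC>] <8 data bytes>".
LOG_LINES = [
    "524 [8] 10 0A 31 01 01 7F 90 01",
    "523 [8] 30 00 00 00 00 00 00 00",
    "524 [8] 21 7F 90 12 34 00 00 00",
    "523 [8] 02 71 01 00 00 00 00 00",
]

# Subset of the UDS service identifiers (ISO 14229-1) that matter here.
SERVICE_NAMES = {0x10: "DiagnosticSessionControl", 0x27: "SecurityAccess",
                 0x31: "RoutineControl", 0x34: "RequestDownload"}
ROUTINE_SUBFUNCTIONS = {0x01: "startRoutine", 0x02: "stopRoutine",
                        0x03: "requestRoutineResults"}


def parse_log_line(line):
    """'524 [8] 10 0A ...' -> (0x524, b'\\x10\\x0a...')."""
    can_id, rest = line.split(" [", 1)
    _dlc, data = rest.split("] ", 1)
    return int(can_id, 16), bytes.fromhex(data.replace(" ", ""))


class IsoTpReassembler:
    """Reassembles ISO-TP single/first/consecutive frames per CAN ID.
    Flow-control frames (PCI type 3) carry no payload."""

    def __init__(self):
        self._partial = {}  # can_id -> [expected_len, bytearray, next_seq]

    def feed(self, can_id, data):
        """Return (can_id, payload) when a message completes, else None."""
        pci = data[0] >> 4
        if pci == 0:                                  # single frame
            n = data[0] & 0x0F
            return can_id, bytes(data[1:1 + n])
        if pci == 1:                                  # first frame, 12-bit length
            n = ((data[0] & 0x0F) << 8) | data[1]
            self._partial[can_id] = [n, bytearray(data[2:]), 1]
            return None
        if pci == 2:                                  # consecutive frame
            if can_id not in self._partial:
                raise ValueError("consecutive frame without a first frame")
            n, buf, expect = self._partial[can_id]
            if (data[0] & 0x0F) != expect:
                raise ValueError("ISO-TP sequence number mismatch")
            buf += data[1:]
            self._partial[can_id][2] = (expect + 1) & 0x0F
            if len(buf) >= n:                         # padding bytes are dropped
                del self._partial[can_id]
                return can_id, bytes(buf[:n])
            return None
        if pci == 3:                                  # flow control
            return None
        raise ValueError(f"unknown PCI type {pci}")


def decode_uds(payload):
    """Minimal UDS decoder: RoutineControl requests plus generic responses."""
    sid = payload[0]
    if sid == 0x7F:                                   # negative response
        return {"type": "negative_response", "service": payload[1], "nrc": payload[2]}
    if sid & 0x40:                                    # positive response: SID + 0x40
        req = sid - 0x40
        return {"type": "positive_response", "service": req,
                "name": SERVICE_NAMES.get(req, "unknown"), "data": payload[1:].hex()}
    msg = {"type": "request", "service": sid, "name": SERVICE_NAMES.get(sid, "unknown")}
    if sid == 0x31:
        msg["subfunction"] = ROUTINE_SUBFUNCTIONS.get(payload[1] & 0x7F, "reserved")
        msg["routine_id"] = int.from_bytes(payload[2:4], "big")
        msg["option_record"] = payload[4:].hex()
    else:
        msg["data"] = payload[1:].hex()
    return msg


def decode_log(lines):
    """Run the log through reassembly and return the decoded messages in order."""
    tp = IsoTpReassembler()
    out = []
    for line in lines:
        can_id, data = parse_log_line(line)
        done = tp.feed(can_id, data)
        if done:
            msg_id, payload = done
            out.append({"can_id": msg_id, "payload": payload.hex(), **decode_uds(payload)})
    return out


if __name__ == "__main__":
    for m in decode_log(LOG_LINES):
        print(m)
```

On the quoted log this yields a RoutineControl (0x31) startRoutine request on 0x524 with routine identifier 0x017F and a six-byte option record, answered on 0x523 by the positive response 0x71. What the routine does on the target is not something the frames reveal; that is exactly why a reviewer pairs a decoded log like this with the controller's diagnostic specification before judging what access the tool was granted.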
prj
Hero Member
Karma: +337/-63
Offline
Posts: 3854
« Reply #14 on: April 02, 2020, 01:45:02 AM »

There is no point to read it via CCP, much better to implement SBOOT exploit.
Logged