Pages: 1 [2] 3
Author Topic: SSM protocol as used by KTAG for PCR21 for example  (Read 24666 times)
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #15 on: April 02, 2020, 03:03:12 AM »

Can you give me some more information on SBOOT and that exploit?
I've searched on SBOOT but can't find anything related to Tricore Sad
Logged
IamwhoIam
Hero Member
*****

Karma: +52/-114
Offline Offline

Posts: 1070


« Reply #16 on: April 03, 2020, 02:49:30 AM »

CCP isn't active on PCR2.1 anyway, and activating it can be a complete *&@>
Logged

I have no logs because I have a boost gauge (makes things easier)
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #17 on: April 03, 2020, 05:24:37 AM »

Yeah I tested PCR21, not active indeed.
But CCP was working on my CP14 TPROT2 and CP46 TPROT10, so you can use it to read any part of (protected) flash.
I don't have access to TPROT11+ ecu's so can't test further..
Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #18 on: April 03, 2020, 05:30:40 AM »

@prj, you are referring to SBOOT but I can't find anything about it.
Can you explain some more about it?

I mean, i know Tricore can boot directly to user code or to an internal bootrom which can be used by CAN or ASC (serial).
But both require setting some bootpins and have the same functionality, to upload a BSL, so I assume that's not what you mean with SBOOT.


Regards,
Bonny
Logged
kuebk
Jr. Member
**

Karma: +3/-0
Offline Offline

Posts: 47



« Reply #19 on: April 03, 2020, 05:31:42 AM »

SBOOT is similar to SB in EDC17.
Logged

VAG immo solutions (clone, immo off, repair) MEDC17, SIMOS, SDI, BCM2, ELV, DQ/DL/VL gearboxes, INVCON, MED9.x crypto
IamwhoIam
Hero Member
*****

Karma: +52/-114
Offline Offline

Posts: 1070


« Reply #20 on: April 03, 2020, 06:42:53 AM »

Yeah I tested PCR21, not active indeed.
But CCP was working on my CP14 TPROT2 and CP46 TPROT10, so you can use it to read any part of (protected) flash.
I don't have access to TPROT11+ ecu's so can't test further..

Continental isn't Bosch.
Logged

I have no logs because I have a boost gauge (makes things easier)
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« Reply #21 on: April 03, 2020, 10:04:26 AM »

Hi Bonny,

I’m curious about SBOOT as well (although not specifically PCR 2.1 but more about Tricore in Continental in general)

Maybe this helps with some background?

Section 21 ECRP ECU Reprogramming is an high level introduction to SBOOT & CBOOT.

https://drive.google.com/file/d/1LZxppNiWJKe2GIEbNQTpSSY34RPEd5iW/view?usp=sharing

Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #22 on: April 03, 2020, 03:36:46 PM »

Thanks, more study material ! Smiley
Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #23 on: April 03, 2020, 04:31:51 PM »

After a quick read I see where I got confused.
SBOOT or SB means Secondary bootloader? (In respect to a Primary bootloader?)

I was solely thinking about Tricore bootmode where there is a very limited hardcoded bootloader, which only allows you to send your own loader and execute it. And that's it.

But you are talking about the code which gets copied to ram while upgrading an ecu in normal mode?
When going to programming diagnostic mode?
(The code that handles your commands 34,35,36,37 etc)

So that code is what you refer to as SBOOT or SB ? And in that code some bug/exploits are found?

Or am I completely missing the ball here?
Excuse me on forehand ..


Regards,
H2Deetoo
Logged
d3irb
Full Member
***

Karma: +134/-1
Offline Offline

Posts: 195


« Reply #24 on: April 03, 2020, 05:09:27 PM »

After a quick read I see where I got confused.
SBOOT or SB means Secondary bootloader? (In respect to a Primary bootloader?)

I was solely thinking about Tricore bootmode where there is a very limited hardcoded bootloader, which only allows you to send your own loader and execute it. And that's it.


SBOOT means Supplier Bootloader. It is the limited hardcoded bootloader. In normal operation it loads the second stage loader, CBOOT, or Customer Bootloader.
Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #25 on: April 03, 2020, 05:13:31 PM »

Okay, thats the case for Simos, but how does that relate to Tricore?
Logged
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« Reply #26 on: April 04, 2020, 12:05:29 AM »

Okay, thats the case for Simos, but how does that relate to Tricore?

? I lost you here.

Tricore is a family of microprocessors made by Infineon Semiconductor.

Both Bosch (MEDCxxx) and Continental (Simos) use the Tricore hardware in their products

But I don't think that's what you meant?
Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #27 on: April 04, 2020, 05:00:24 AM »

Sorry to be confusing, It's not clear to me.

In Tricore bootmode, there is really nothing you can do besides upload custom code (a bootstrap loader) and execute it.
There is nothing to exploit there besides writing a custom BSL which does something special (if possible).

However if you look at normal mode, how a fw update is done by go to programming diagnostics mode (some code is copied to ram which handles the erase/writes, this is the so called secondary loader? or SBOOT?)


Rgs H2Deetoo
Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #28 on: April 04, 2020, 05:01:36 AM »

So the SBOOT exploits prj is referring to, is that related to that code when going to programming diagnostics mode?

Again sorry to sound stupid, these terms are new to me.
Logged
prj
Hero Member
*****

Karma: +1072/-480
Offline Offline

Posts: 6035


« Reply #29 on: April 04, 2020, 05:04:22 AM »

ECU boots.
It loads the hardware bootloader.
The hardware bootloader loads the supplier bootloader (sboot).
The supplier bootloader verifies checksum and customer bootloader (cboot).

The latter two have NOTHING to do with tricore.
They are implementation specific.

It is just how it was chosen to do by Bosch and Continental.
The hardware boot is used to program the SBOOT, and the SBOOT is used to program everything else.
SBOOT takes a signed loader and executes it.

Sooo you can get a tool that does bench mode and sniff it or you can try to reverse the code and look for an exploit.
Good luck.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
Pages: 1 [2] 3
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.022 seconds with 18 queries. (Pretty URLs adds 0s, 0q)