Pages: [1] 2 3
Author Topic: Simos18 SBOOT Research and Progress  (Read 40593 times)
d3irb
Full Member
***

Karma: +134/-1
Offline Offline

Posts: 195


« on: March 04, 2021, 12:37:03 PM »

Hi All,

I am sure some of you had followed along with my thread jack before at : http://nefariousmotorsports.com/forum/index.php?topic=18870.msg143053#msg143053 .

I have been researching Simos18 SBOOT's Service Mode functionality.

The quick summary is:

Simos SBOOT is similar to Bosch GPT/Service only in that it uses two PWM pins as the "break in" signal. Otherwise, the principles and methodology seem quite different. From what I am told about Bosch Service it usually works over something CCP/UDS like, and has direct access to Flash.

The Simos Service Mode works differently. It uses a custom protocol over ISO-TP (at least, I am not aware of any other protocol using the same command values), which allows the tester to upload a signed code block into RAM, just like the signed code blocks which are used for CBOOT/ASW.

Unlike low-level Tricore BSL where Flash is locked, this signed code block is then executed with Flash unlocked for write, so the factory could use this to upload a flasher. But, the Simos18 sigchecking seems pretty sound so far (the application-level exploit for port flashing is to bypass the sigchecking entirely, not an exploit in the actual signature mechanism). So, we can't use Service Mode to run code on Simos18 as far as I can tell.

The Service Mode is also protected by a Seed/Key mechanism. The Seed/Key mechanism seems quite sound on its surface - an RSA public key stored in OTP is used to encrypt 256 bytes of random data and that is sent as the Seed, and the tester is expected to send the data back decrypted as the Key, which should require the corresponding RSA factors (private key).

However, this Seed/Key mechanism it has a fatal flaw: there is no real entropy used in the seed generation.

The PRNG (Mersenne Twister) is seeded using only 31 bits of data taken from the system timer. This is vulnerable in two ways:

* A timer isn't an entropy source, so the attacker can simply control the timing of _when_ they ask for the Seed in order to predict the value of the system timer. It seems Continental may have known about this idea as they added a "minimum wait" time before the Seed can be generated using a timer task, but, a simple fixed minimum wait time doesn't make the timing any less controllable.

* Worse, there are only 31 bits (2^31) of possible key space to begin with. Modern hardware can easily calculate hundreds of thousands or even millions of Mersenne Twister -> RSA exponentiation operations per second, so even if the seed were generated off of a true entropy source, the entire key space can easily be enumerated in a matter of minutes on a fast workstation.

The combination of these two weaknesses makes prediction trivial - even using a Raspberry Pi (no real-time OS, high level code in Python) as the tester, the timer values I have observed when the Seed is generated are always within a few hundred thousand timer iterations. And, with a single core of a modern laptop able to calculate 100,000 signatures/second, it takes only 1-2 seconds to brute-force a Seed/Key match starting from an observed timing offset.

Of course, if the calculation were slower, it would also be possible to generate a table mapping Seed values back to Keys, which I spent a bit of time on before deeming it unnecessary as I can simply spend 2-3 seconds brute-forcing a match to the Seed/Key each time.

Now, once we are past the Seed/Key mechanism, we can't upload a valid code block, at least as far as I can tell. Again, the actual sigchecking in S18 seems pretty sound, and for those thinking about a block reuse attack, the signed SHA256 used in the RSA signature has addresses mixed in to prevent this very thing.

But, just like all other Simos18 software blocks, the code block also has a CRC header, and this header has very weak bounds checking. By manipulating the CRC header, we can ask the Service Mode command shell to checksum the Tricore boot passwords, then quickly RST into a normal Tricore BSL which has access to RAM.

Next, we can dump the CRC values from the temporary area where they are being stored in RAM. Since CRC is a reversible (non-cryptographic) hash, by sliding the CRC start value along by the values, we can infer boot passwords from Flash.

Here is a more detailed write-up, including some other odd bits of SBOOT : https://github.com/bri3d/Simos18_SBOOT .

Here is a Seed/Key brute force tool. It takes two command-line parameters as hex strings: the "initial" timer value to start from (to speed up the process, once you've run the exploit once with a given tool, you know the general range of where the timer values will land), and the first 32 bits of the Seed data sent from the ECU (I haven't found a collision yet... maybe I should expand the matcher to a few more bits though!). Once a match is recovered, will return the full Seed/Key data as well as the timer value used to create them.

https://github.com/bri3d/Simos18_SBOOT/blob/main/twister.c

And here is an implementation of the CAN comms stack and the overall break-in process, including the necessary PWM signals (sorry, it is mixed with normal Tricore BSL since the exploit requires doing an RST into the Tricore BSL to dump RAM):

https://github.com/bri3d/TC1791_CAN_BSL/blob/main/bootloader.py

Cheers and enjoy!
« Last Edit: March 04, 2021, 06:04:26 PM by d3irb » Logged
prj
Hero Member
*****

Karma: +1072/-480
Online Online

Posts: 6034


« Reply #1 on: March 04, 2021, 01:51:32 PM »

Good job.
What is pretty unfortunate though is that the booting S18 requires a lot of wiring, as the CAN isn't hooked up by default.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
fastboatster
Full Member
***

Karma: +3/-0
Offline Offline

Posts: 78


« Reply #2 on: March 04, 2021, 05:22:59 PM »

great work as always!
Logged
nihalot
Full Member
***

Karma: +41/-3
Offline Offline

Posts: 117


« Reply #3 on: March 06, 2021, 09:22:50 AM »

This is some seriously cool stuff! Thanks for sharing, this will definitely help with what I'm trying to learn wrt exploit dev
Logged

www.tangentmotorsport.com

multimap/LC/rolling antilag for MG1/MED17/EDC17/MED9/EDC15

contact for reverse engineering services of any ECU/TCU
unicornux
Full Member
***

Karma: +2/-6
Offline Offline

Posts: 83


« Reply #4 on: March 11, 2021, 07:57:37 AM »

Thanks d3irb. I think Bosch VAG ECU's are different in details but are the same in general.
Do you think this is logical?
Logged
H2Deetoo
Sr. Member
****

Karma: +26/-1
Offline Offline

Posts: 257


« Reply #5 on: May 15, 2021, 03:13:50 PM »

Impressive, thank you!


Rgs H2Deetoo
Logged
fastboatster
Full Member
***

Karma: +3/-0
Offline Offline

Posts: 78


« Reply #6 on: May 18, 2021, 07:39:13 PM »

Since this has inspired me to take a look at the related albeit older Simos 8.x ECU, I guess I'll also share what I could gather so far using the clues from the data and code you posted. I know, it's a lot less relevant than Simos 18 and hardly of interest to many people, but anyway. Seems like the boot passwords are in the same location in both 8 and 18, 8001420c, and recovery shell is also easy to find. As of know, I don't yet understand if 8 is enforcing any conditions on the range bounds for the crc header you mentioned. I.e. seems like almost any addresses can be supplied, but I'm not 100% positive on this. Not sure where the intermediate checksum value is stored in the memory either, perhaps I just need to set the sboot up in qemu and try to run it.
« Last Edit: May 18, 2021, 07:40:49 PM by fastboatster » Logged
d3irb
Full Member
***

Karma: +134/-1
Offline Offline

Posts: 195


« Reply #7 on: May 18, 2021, 08:15:03 PM »

I've been working on PCR due to a message I received here, and the basic concept is identical. In the case of PCR, the bootloader has the same commands (albeit totally different addresses due to the different CPU), and similar bounds checking (albeit slightly weaker) - but, the RSA public key is different - and, the RSA is also 1024 bit instead of 2048 bit, so everything is half the size (the seed/key as well as the RSA key).

There's also some subtle difference in the way the seed is constructed that I haven't nailed down completely yet which is breaking my code - although I expect it to be a stupid off by one mistake somewhere.

In older Simos ECUs there is also an exploit that can gain arbitrary code execution this way, due to a buffer overflow in the RSA signature checking which was fixed in a newer aslarm/nvmcrypt - once the seed/key is passed, a code block crafted to defeat the signature checking can be constructed and executed.

Given that enumerating the entire 31-bit keyspace should take less than an hour on available modern/super fast hardware, I think this means that older Simos may be possible to exploit without needing to open the ECU, so I've been investigating this route. Simos18 will always need to open the ECU - in order to access the RST and HWCFG pins to descend into the Tricore BSL and dump the CRC. But for older Simos, if the Seed/Key can be passed without needing to control the RST timing too carefully, that means arbitrary code can be uploaded using the RSA exploit, much like the Bosch TSW exploit.
Logged
fastboatster
Full Member
***

Karma: +3/-0
Offline Offline

Posts: 78


« Reply #8 on: May 18, 2021, 11:38:37 PM »

Thanks for your reply! In general, it would be nice to have something open-source which could allow reading, backing up, and writing "eBay ecus", i.e. ecus without matching immobilizer system modules. For the time being, however, I'm just trying to back my ecu up in case I brick it. In principle, given that I can flash my ECU with PCM Flash, I could probably extract the boot passwords by, say, modifying the UDS service 22 table and repoint some of the "measuring blocks" to boot password location:
Quote

        **************************************************************
                             * VWLogicalSoftwareBlockVersion - 22,F1,AB                   *
        **************************************************************
        80080de4 ab f1 0c        uds22_row2
                 00 0f 03
                 00 00 90
           80080de4 ab              undefined1ABh                     id_2
           80080de5 f1              undefined1F1h                     id_1
           80080de6 0c              db        Ch                      len
           80080de7 00              ??        00h                     field_0x3
           80080de8 0f              ??        0Fh                     field_0x4
           80080de9 03              ??        03h                     field_0x5
           80080dea 00              ??        00h                     field_0x6
           80080deb 00              ??        00h                     field_0x7
           80080dec 90 00 04 a0     addr      s_CCBAEV_ECM30TFS0218K  handler       = "CCBAEV_ECM30TFS
Say, change the address from 0xa0040090 to 0x8001420c and get them out. Caveat here is that this asw change might brick it if there's something else I don't know about.
Logged
IamwhoIam
Hero Member
*****

Karma: +52/-114
Offline Offline

Posts: 1070


« Reply #9 on: May 19, 2021, 09:04:23 AM »


Given that enumerating the entire 31-bit keyspace should take less than an hour on available modern/super fast hardware, I think this means that older Simos may be possible to exploit without needing to open the ECU, so I've been investigating this route. Simos18 will always need to open the ECU - in order to access the RST and HWCFG pins to descend into the Tricore BSL and dump the CRC. But for older Simos, if the Seed/Key can be passed without needing to control the RST timing too carefully, that means arbitrary code can be uploaded using the RSA exploit, much like the Bosch TSW exploit.

Simos12.1 and 12.2 and PCR bench (TSW exploit) has been out for quite some time now.
Logged

I have no logs because I have a boost gauge (makes things easier)
d3irb
Full Member
***

Karma: +134/-1
Offline Offline

Posts: 195


« Reply #10 on: May 19, 2021, 09:19:03 AM »

Simos12.1 and 12.2 and PCR bench (TSW exploit) has been out for quite some time now.

Without opening ECU?

With opening ECU for RST/HWCFG (CRC RGH / memory inspection exploit), all Simos is identical to Simos18 just with different addresses and RSA keys.

Without opening ECU is more interesting since it involves chaining the old RSA exploit into the process as well.

I know some tools do the Seed/Key process online with a pre-generated prefix tree / rainbow table too (which in addition to being fast, also makes the exploit harder to steal).

Yes, nothing I have discovered is new, I just like figuring it out clean and providing documentation instead of stealing everything and hoarding it. I don't try to claim I'm doing original research here, just actually sharing what's going on Smiley
« Last Edit: May 19, 2021, 10:29:34 AM by d3irb » Logged
d3irb
Full Member
***

Karma: +134/-1
Offline Offline

Posts: 195


« Reply #11 on: May 19, 2021, 09:22:06 AM »

Thanks for your reply! In general, it would be nice to have something open-source which could allow reading, backing up, and writing "eBay ecus", i.e. ecus without matching immobilizer system modules. For the time being, however, I'm just trying to back my ecu up in case I brick it. In principle, given that I can flash my ECU with PCM Flash, I could probably extract the boot passwords by, say, modifying the UDS service 22 table and repoint some of the "measuring blocks" to boot password location:Say, change the address from 0xa0040090 to 0x8001420c and get them out. Caveat here is that this asw change might brick it if there's something else I don't know about.


Yes, if you don't have immo-lock and you have a CBOOT/port-flash exploit, you can go this route - by altering the read handlers or you can just write your own UDS handler which directly reads the passwords. Most people just hang it off 3E since the logic is simple. But, this doesn't help for immo-locked ECUs of course.
Logged
prj
Hero Member
*****

Karma: +1072/-480
Online Online

Posts: 6034


« Reply #12 on: May 19, 2021, 09:49:59 AM »

IIRC everything older than SIMOS18/SIMOS16(?) can be r/w without opening the ECU.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
d3irb
Full Member
***

Karma: +134/-1
Offline Offline

Posts: 195


« Reply #13 on: May 19, 2021, 10:29:07 AM »

IIRC everything older than SIMOS18/SIMOS16(?) can be r/w without opening the ECU.

Thanks, sounds like everyone else is already using the exploit chain I have in mind then!
Logged
IamwhoIam
Hero Member
*****

Karma: +52/-114
Offline Offline

Posts: 1070


« Reply #14 on: May 19, 2021, 11:58:20 PM »

Without opening ECU?



Yes, without opening the ECU, duuuh.
Logged

I have no logs because I have a boost gauge (makes things easier)
Pages: [1] 2 3
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.048 seconds with 18 queries. (Pretty URLs adds 0s, 0q)