Pages: 1 2 [3]
Author Topic: KWP2000 Security Access  (Read 10443 times)
prj
« Reply #30 on: February 11, 2023, 02:23:06 AM »

How much do you charge to help?
I'm not for hire.

PM's will not be answered, so don't even try.
Log your car properly.
R32Dude
« Reply #31 on: February 12, 2023, 03:37:27 AM »

Struggling to get security access for level 3.


Add A05B to seed!
prj
« Reply #32 on: February 14, 2023, 06:36:54 AM »

Add A05B to seed!
This is different for different ECU types. It's SLOGIN I believe.

I think it's possible to bypass the security access entirely by abusing $2C and $3B to write the correct value into the security access status byte in the ECU.
SLOGIN sets it to 0x11 and KLOGIN sets it to 0x10.

After that it should be possible to just switch session. Working on that now for my logger.
R32Dude
« Reply #33 on: February 14, 2023, 07:32:08 AM »

This is different for different ECU types. It's SLOGIN I believe.

It is called CW_SECURITY_ACCESS_1 in the 7.1.1 I looked at.
Gets you into 3/4 but still blocks RMBA.
This ECU also has 5/6.
prj
« Reply #34 on: February 14, 2023, 11:17:10 AM »

It is called CW_SECURITY_ACCESS_1 in the 7.1.1 I looked at.
Gets you into 3/4 but still blocks RMBA.
This ECU also has 5/6.

Yeah, just tested. RMBA is still blocked, but you can change the baud rate.
You can also bypass this one by setting a certain RAM value to FF via write; then it thinks it's already authenticated.

Tbh, $2C and $3B work well enough, and this unlocks the speed switch into dev session, so I think it's enough.
prj
« Reply #35 on: February 15, 2023, 04:50:49 AM »

So about $23:
Besides the two service tables (pointers and table with offset to pointer table), there's another small table that gets copied into RAM from the flash.
I did not reverse it fully, but basically it's a large bitfield where it is possible to enable/disable services, based on some logic.

The bitfields are found in the flash, near the service table, and are loaded based on which diagnostic service is started.
For 40 MHz 1.8T ($23 blocked):
97 05 86 10 07 48 0E
03 04 80 00 FF 48 0E
97 05 87 10 FF 4F 0C - loaded for development session
97 05 8F 10 FF EF 0C

And for 32 MHz 2.7T ($23 not blocked):
97 05 87 10 07 48 0E
03 04 80 00 FF 48 0E
97 05 8F 10 FF EF 0C - loaded for development session

The development permissions are different. The last one on 40 MHz gets loaded from StartDiagnosticSession as well, but I did not reverse far enough as to which session needs to be requested for it.
Since it is in RAM, it is possible to just write to this directly to force-enable the services and override whatever is in the flash; after that $23/$3D should work. I also didn't test it, but I think setting the 4F to EF is enough.

Note, the ECU I checked does not have level 5 security access. Only 1 and 3 are supported.
« Last Edit: February 15, 2023, 05:10:58 AM by prj »

R32Dude
« Reply #36 on: February 15, 2023, 08:17:35 AM »

So about $23:
Besides the two service tables (pointers and table with offset to pointer table), there's another small table that gets copied into RAM from the flash.
I did not reverse it fully, but basically it's a large bitfield where it is possible to enable/disable services, based on some logic.

The bitfields are found in the flash, near the service table, and are loaded based on which diagnostic service is started.
For 40 MHz 1.8T ($23 blocked):
97 05 86 10 07 48 0E
03 04 80 00 FF 48 0E
97 05 87 10 FF 4F 0C - loaded for development session
97 05 8F 10 FF EF 0C

And for 32 MHz 2.7T ($23 not blocked):
97 05 87 10 07 48 0E
03 04 80 00 FF 48 0E
97 05 8F 10 FF EF 0C - loaded for development session

The development permissions are different. The last one on 40 MHz gets loaded from StartDiagnosticSession as well, but I did not reverse far enough as to which session needs to be requested for it.
Since it is in RAM, it is possible to just write to this directly to force-enable the services and override whatever is in the flash; after that $23/$3D should work. I also didn't test it, but I think setting the 4F to EF is enough.

Note, the ECU I checked does not have level 5 security access. Only 1 and 3 are supported.

I can confirm that changing 4F to EF in the RAM, after having entered development mode, does indeed unblock $3D for both level 1 and 3 in the 022906032CE ST10.
adam-
« Reply #37 on: February 15, 2023, 08:25:26 AM »

PRJ, you're an absolute legend. Thank you!
prj
« Reply #38 on: February 15, 2023, 08:48:41 AM »

I also implemented the $2C/$3B workaround into my logger now, but I did not bother unlocking the RAM functions. I just stumbled onto this while doing the reversing.
This is because the moment I am in development session I use a custom handler that I upload anyway, so it makes no difference to me.

For security access, the delay always gets reset to 0x12C after you enter a wrong key, on power-up, and every time you request the seed (300 seconds).
So to bypass it just read RAM, then re-request seed every time and search for 0x12C or 0x12B in extram 0x380000-0x381000. Once you find it, wait for 1 second, then read it again.
If the value is now 0x12B or 0x12A, then you found your location. Set it to zero and the timeout is gone...
« Last Edit: February 15, 2023, 08:51:44 AM by prj »
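The $2C/$3B/$3D writes and the repeated seed requests discussed in Replies #32 to #38 are exactly the traffic a bench-test or gateway log monitor should notice. The following is an added example, not code from the thread or from any poster: it decodes KWP2000 (ISO 14230-3) request and response frames by service ID and raises a finding when a memory-write service appears without a completed SecurityAccess exchange, or when requestSeed is repeated within a short window. The service IDs are the standard KWP2000 ones; the sample frames, the 2-second repeat window, and the addresses and data bytes inside the frames are constructed for illustration, not captured from an ECU.

```python
# Added example (not from the thread): decode KWP2000 frames and flag the
# service pattern described in the posts above, from a monitoring standpoint.
# All traffic in this file is constructed, not captured from a real ECU.

SERVICE_NAMES = {
    0x10: "StartDiagnosticSession",
    0x23: "ReadMemoryByAddress",
    0x27: "SecurityAccess",
    0x2C: "DynamicallyDefineLocalIdentifier",
    0x3B: "WriteDataByLocalIdentifier",
    0x3D: "WriteMemoryByAddress",
}
# Services that let a tester write into ECU memory; in normal tool traffic
# they follow a successful SecurityAccess (requestSeed + accepted sendKey).
WRITE_SERVICES = {0x2C, 0x3B, 0x3D}
# Assumed threshold: two requestSeed calls closer than this look like probing.
SEED_REPEAT_WINDOW_S = 2.0


def parse_frame(hexstr):
    """Split a KWP2000 frame (hex, without header/checksum) into SID and payload."""
    data = bytes.fromhex(hexstr)
    if not data:
        raise ValueError("empty frame")
    sid = data[0]
    return {"sid": sid, "payload": data[1:],
            "name": SERVICE_NAMES.get(sid, f"service 0x{sid:02X}")}


def audit(log):
    """Walk (timestamp_s, direction, hex) records; 'tx' is tester->ECU, 'rx' ECU->tester.
    Returns a list of (timestamp, message) findings."""
    findings = []
    unlocked = False        # set once a positive sendKey response is seen
    last_seed_ts = None
    for ts, direction, hexstr in log:
        frame = parse_frame(hexstr)
        sid, payload = frame["sid"], frame["payload"]
        if direction == "tx":
            # SecurityAccess: odd access mode = requestSeed, even = sendKey.
            if sid == 0x27 and payload and payload[0] % 2 == 1:
                if last_seed_ts is not None and ts - last_seed_ts < SEED_REPEAT_WINDOW_S:
                    findings.append((ts, f"requestSeed repeated after {ts - last_seed_ts:.1f}s"))
                last_seed_ts = ts
            elif sid in WRITE_SERVICES and not unlocked:
                findings.append((ts, f"{frame['name']} issued without completed SecurityAccess"))
        else:
            # Positive response SID = request SID + 0x40; 0x67 with an even mode = key accepted.
            if sid == 0x67 and payload and payload[0] % 2 == 0:
                unlocked = True
            # Negative response 7F 27 <NRC>: the key was rejected.
            elif sid == 0x7F and payload[:1] == b"\x27":
                unlocked = False
    return findings


# Constructed traffic: seed re-requested 0.5 s later, then a memory write
# with no sendKey ever sent. Addresses and data bytes are placeholders.
SAMPLE_LOG = [
    (0.0, "tx", "10 86"),
    (0.1, "rx", "50 86"),
    (1.0, "tx", "27 03"),              # requestSeed, level 3
    (1.1, "rx", "67 03 12 34"),        # seed
    (1.5, "tx", "27 03"),              # seed requested again
    (1.6, "rx", "67 03 56 78"),
    (2.0, "tx", "3D 00 12 34 01 AA"),  # WriteMemoryByAddress, never unlocked
    (2.1, "rx", "7D"),
]

# Constructed traffic for a normal exchange: seed, accepted key, then a write.
CLEAN_LOG = [
    (0.0, "tx", "27 03"),
    (0.1, "rx", "67 03 12 34"),
    (0.5, "tx", "27 04 AB CD"),        # sendKey, level 3 (placeholder key)
    (0.6, "rx", "67 04"),              # key accepted
    (1.0, "tx", "3D 00 12 34 01 AA"),
    (1.1, "rx", "7D"),
]

if __name__ == "__main__":
    for name, log in (("suspicious", SAMPLE_LOG), ("clean", CLEAN_LOG)):
        print(f"{name}: {len(audit(log))} finding(s)")
        for ts, msg in audit(log):
            print(f"  t={ts:.1f}s  {msg}")
```

The check is deliberately stateful: a write service is only acceptable after the ECU has answered sendKey positively, and a negative response to SecurityAccess drops the unlocked state again. Session changes via $10 are left out because the thread itself reports that the authenticated state can survive a session switch on these ECUs.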
R32Dude
« Reply #39 on: February 15, 2023, 05:25:55 PM »

When I was writing a logger for my car (since me7logger did not work on the ST10), I came across the locked services very early on. In desperation $2C/$3B was experimented with and found that it did the job. The only issue I found is that writing more than a certain number of bytes (30 something?) causes the byte "F1" to be written to the RAM, so a few commands are needed for such operations.
prj
« Reply #40 on: February 15, 2023, 07:10:56 PM »

Yes, around 30-32 is the limit; after that it starts to write garbage.
adam-
« Reply #41 on: February 16, 2023, 02:23:40 AM »

Need to do a bit more digging, but the BG file already has EF. I'll have a play tonight.
prj
« Reply #42 on: February 16, 2023, 04:38:02 AM »

Dump the IRAM and check that this is what is loaded into it.
adam-
« Reply #43 on: March 20, 2023, 12:39:49 PM »

Got it working!

97 05 87 10 07 48 0E
03 04 80 00 FF 48 0E
97 05 8F 10 FF EF 0C
97 05 8F 10 FF EF 0C

On 022 906 032 EG & BG.