Pages: 1 [2] 3
Author Topic: Tricore bootmode canbus protocol  (Read 10743 times)
H2Deetoo
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 100


« Reply #15 on: December 24, 2015, 05:14:42 AM »

Could be so .. but the problem is then why my logger isn't showing the initial bootloader upload.
Perhaps it uses a different baudrate, and only later they switch to 500 kbps.

I guess I need to hook up a scope and do some measuring ...

>The fact that it uses the same CAN ID for requests and response is a simple way to obfuscate a bit the exchanges but it does not matter.
Yes it doesn't matter.

>For the password transaction itself, it is well detailed in the Infineon documentation
Do you have documentation describing this then?


Mery Christmas en best wishes to all here!

Rgs Bonny
Logged
pollux
Newbie
*

Karma: +1/-0
Offline Offline

Posts: 5


« Reply #16 on: December 26, 2015, 12:46:35 PM »

Could be so .. but the problem is then why my logger isn't showing the initial bootloader upload.
Perhaps it uses a different baudrate, and only later they switch to 500 kbps.

I guess I need to hook up a scope and do some measuring ...

Some well known tools out there use some CAN tricks to detect sniffing and won't start the bootloader upload in that case.

Quote from: H2Deetoo
>For the password transaction itself, it is well detailed in the Infineon documentation
Do you have documentation describing this then?

You can find it on the Infineon website:
http://www.infineon.com/dgdl/TC1797_UM_v1.1.pdf?fileId=db3a30431ed1d7b2011efeae5efc6b76

Look for "Command Sequence Definitions" in the PMU chapter of the Tricore user manual.

Merry Christmas
Logged
dream3R
Hero Member
*****

Karma: +13/-6
Offline Offline

Posts: 1202


« Reply #17 on: December 27, 2015, 12:29:25 PM »

Some well known tools out there use some CAN tricks to detect sniffing and won't start the bootloader upload in that case.

You can find it on the Infineon website:
http://www.infineon.com/dgdl/TC1797_UM_v1.1.pdf?fileId=db3a30431ed1d7b2011efeae5efc6b76

Look for "Command Sequence Definitions" in the PMU chapter of the Tricore user manual.

Merry Christmas

Good to know re sniffing guess test turning ack off would fix?
Logged



How to work out values from an A2L Smiley

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting Rev's http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

noobs read this before asking http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORGORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORGINAL finder of the 'extra' torque' limits
I don't have ME7.01 A2L I just use ID
pollux
Newbie
*

Karma: +1/-0
Offline Offline

Posts: 5


« Reply #18 on: December 27, 2015, 12:39:23 PM »

Good to know re sniffing guess test turning ack off would fix?

It should. But not all CAN devices/controllers allow you to do that easily.
Logged
dream3R
Hero Member
*****

Karma: +13/-6
Offline Offline

Posts: 1202


« Reply #19 on: December 27, 2015, 12:54:01 PM »

A simple chipkit for example can, silent mode or something iirc.

Does  this proc run on Simos 8.4?

Logged



How to work out values from an A2L Smiley

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting Rev's http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

noobs read this before asking http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORGORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORGINAL finder of the 'extra' torque' limits
I don't have ME7.01 A2L I just use ID
H2Deetoo
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 100


« Reply #20 on: December 28, 2015, 12:55:31 AM »

>Look for "Command Sequence Definitions" in the PMU chapter of the Tricore user manual.

Pollux, you're wrong here.
The password they are talking about in the datasheet is for flash sector protection. This has got nothing to do with the password used to authenticate with the loader.


Rgs H2Deetoo
Logged
pollux
Newbie
*

Karma: +1/-0
Offline Offline

Posts: 5


« Reply #21 on: December 28, 2015, 01:44:25 AM »

>Look for "Command Sequence Definitions" in the PMU chapter of the Tricore user manual.

Pollux, you're wrong here.
The password they are talking about in the datasheet is for flash sector protection. This has got nothing to do with the password used to authenticate with the loader.

So far I haven't seen any authentication with a loader. If you need authentication, this is specific to the loader you're using. The Tricore MCU itself does not enforce such thing. Anyway, you don't need any authentication if you're using your own loader.
Logged
H2Deetoo
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 100


« Reply #22 on: December 28, 2015, 02:00:23 AM »

Yes of course I agree completely.
But my bet is that most tools use the same loader ;-)

Same practice with clusters; there is one smart guy (perhaps even employee of VDO) who writes a loader, even with some form of authentication, and each and every tool out there uses this loader.


Rgs H2Deetoo
Logged
pollux
Newbie
*

Karma: +1/-0
Offline Offline

Posts: 5


« Reply #23 on: December 28, 2015, 02:12:19 AM »

Implementing some strong authentication in a loader is a tricky thing. Since you can potentially sniff the upload, dump the binary in IDA and figure out how the authentication works.
Logged
H2Deetoo
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 100


« Reply #24 on: December 28, 2015, 02:21:20 AM »

If the upload of the loader is plain then you're right of course.
But once you encrypt the loader (for example with RSA) then you'll have a hard time decrypting it before you can start analyzing.

Fortunately the tools, which support the authentication algo, are often easier to crack to extract the needed algos.

But in case of Tricore the loader is indeed plain ...


Rgs H2Deetoo
Logged
dream3R
Hero Member
*****

Karma: +13/-6
Offline Offline

Posts: 1202


« Reply #25 on: December 28, 2015, 03:44:58 AM »

If the upload of the loader is plain then you're right of course.
But once you encrypt the loader (for example with RSA) then you'll have a hard time decrypting it before you can start analyzing.

Fortunately the tools, which support the authentication algo, are often easier to crack to extract the needed algos.

But in case of Tricore the loader is indeed plain ...


Rgs H2Deetoo

are you making your own loader?  I'm reading the datasheet stage so a bit behind. lol  Weird how Simos is lo-hi
Logged



How to work out values from an A2L Smiley

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting Rev's http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

noobs read this before asking http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORGORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORGINAL finder of the 'extra' torque' limits
I don't have ME7.01 A2L I just use ID
H2Deetoo
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 100


« Reply #26 on: December 28, 2015, 04:40:29 AM »

No no I have no intentions of writing a loader.
I just was curious to which loader was used by Galletto and Byteshooter for example, and how they do the password transaction.

Anyways, a log is made (indeed in silent mode) and enough is clear now about this subject.


Regards,
H2Deetoo
Logged
dream3R
Hero Member
*****

Karma: +13/-6
Offline Offline

Posts: 1202


« Reply #27 on: December 28, 2015, 06:49:57 AM »

No no I have no intentions of writing a loader.
I just was curious to which loader was used by Galletto and Byteshooter for example, and how they do the password transaction.

Anyways, a log is made (indeed in silent mode) and enough is clear now about this subject.


Regards,
H2Deetoo

Can you share the raw logs pleeeeease?  Which ECU?
Logged



How to work out values from an A2L Smiley

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting Rev's http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

noobs read this before asking http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORGORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORGINAL finder of the 'extra' torque' limits
I don't have ME7.01 A2L I just use ID
dream3R
Hero Member
*****

Karma: +13/-6
Offline Offline

Posts: 1202


« Reply #28 on: December 28, 2015, 07:00:51 AM »

I have the vag loader info for simos 8.4 which I *think* uses that cpu or the tc1766xx (TBC).



Logged



How to work out values from an A2L Smiley

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting Rev's http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

noobs read this before asking http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORGORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORGINAL finder of the 'extra' torque' limits
I don't have ME7.01 A2L I just use ID
dream3R
Hero Member
*****

Karma: +13/-6
Offline Offline

Posts: 1202


« Reply #29 on: January 08, 2016, 11:56:03 PM »

No no I have no intentions of writing a loader.
I just was curious to which loader was used by Galletto and Byteshooter for example, and how they do the password transaction.

Anyways, a log is made (indeed in silent mode) and enough is clear now about this subject.


Regards,
H2Deetoo

??
Logged



How to work out values from an A2L Smiley

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting Rev's http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

noobs read this before asking http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORGORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORGINAL finder of the 'extra' torque' limits
I don't have ME7.01 A2L I just use ID
Pages: 1 [2] 3
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.022 seconds with 17 queries. (Pretty URLs adds 0s, 0q)