H2Deetoo
« Reply #15 on: December 24, 2015, 05:14:42 AM »
Could be so .. but the problem is then why my logger isn't showing the initial bootloader upload. Perhaps it uses a different baudrate, and only later they switch to 500 kbps.
I guess I need to hook up a scope and do some measuring ...
> The fact that it uses the same CAN ID for requests and response is a simple way to obfuscate a bit the exchanges but it does not matter.
Yes, it doesn't matter.
> For the password transaction itself, it is well detailed in the Infineon documentation
Do you have documentation describing this then?
Merry Christmas and best wishes to all here!
Rgs Bonny
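The "different baudrate, then switch to 500 kbps" suspicion above is exactly the case a scope capture settles. The script below is an added example (not code from this thread or from any of the tools named in it): it takes edge timestamps as a scope or logic analyzer would export them, splits them into frame bursts at bus-idle gaps, takes the shortest inter-edge interval in each burst as the bit time (CAN bit stuffing guarantees an edge at least every five bits, and frames practically always contain single-bit pulses), maps it to a standard rate, and reports where the rate changes. The capture it runs on is constructed inline; the function names, the 50 µs idle gap and the 200 ns glitch filter are my choices, not anything from the thread.

```python
"""Estimate the CAN bit rate from scope edge timestamps and spot a rate switch.

Added example, not code from the thread. Input is a list of edge times (in
seconds) taken from a scope or logic analyzer on the CAN lines. The shortest
inter-edge interval in a burst is one bit time, and 1 / bit_time is the rate.
Bursts are separated by bus-idle gaps, so each frame burst gets its own
estimate; if early bursts come out at one rate and later ones at another, a
logger fixed at the later rate never decodes the early frames.
"""

STANDARD_RATES = (125_000, 250_000, 500_000, 1_000_000)  # bit/s, common automotive rates


def split_bursts(edges, idle_gap=50e-6):
    """Split edge timestamps into bursts separated by more than idle_gap of bus idle."""
    if not edges:
        return []
    bursts, current = [], [edges[0]]
    for prev, cur in zip(edges, edges[1:]):
        if cur - prev > idle_gap:
            bursts.append(current)
            current = [cur]
        else:
            current.append(cur)
    bursts.append(current)
    return bursts


def bit_time(edges, glitch=200e-9):
    """Shortest inter-edge interval longer than the glitch filter, or None."""
    intervals = [b - a for a, b in zip(edges, edges[1:]) if b - a > glitch]
    return min(intervals) if intervals else None


def nominal_rate(bt, tolerance=0.10):
    """Map a measured bit time to the standard rate within tolerance, else None."""
    if bt is None:
        return None
    measured = 1.0 / bt
    for rate in STANDARD_RATES:
        if abs(measured - rate) <= tolerance * rate:
            return rate
    return None


def consistency(edges, bt, slack=0.2):
    """Fraction of intervals within slack of a whole number of bit times.

    A low value means bt is not the real bit time (e.g. ringing survived the
    glitch filter), so the rate estimate for that burst should be distrusted.
    """
    intervals = [b - a for a, b in zip(edges, edges[1:])]
    ok = sum(1 for x in intervals if abs(x / bt - round(x / bt)) <= slack)
    return ok / len(intervals)


def rate_profile(edges):
    """Per burst: (start time, nominal rate or None, consistency score)."""
    profile = []
    for burst in split_bursts(edges):
        bt = bit_time(burst)
        if bt is None:
            continue
        profile.append((burst[0], nominal_rate(bt), round(consistency(burst, bt), 2)))
    return profile


def rate_switches(profile):
    """(time, old rate, new rate) for each burst whose rate differs from the previous one."""
    return [(t, old, new)
            for (_, old, _), (t, new, _) in zip(profile, profile[1:]) if old != new]


def synth_edges(start, bt, run_lengths):
    """Constructed sample: edges of a signal that toggles after each run of bits."""
    edges, t = [], start
    for n in run_lengths:
        edges.append(t)
        t += n * bt
    edges.append(t)
    return edges


# Constructed capture: two bursts at 125 kbit/s (8 us bit), then one at 500 kbit/s (2 us bit).
RUNS = [1, 2, 1, 3, 1, 1, 4, 1, 2, 1]
SAMPLE = (synth_edges(0.0, 8e-6, RUNS)
          + synth_edges(300e-6, 8e-6, RUNS)
          + synth_edges(600e-6, 2e-6, RUNS))

if __name__ == "__main__":
    for start, rate, score in rate_profile(SAMPLE):
        print(f"burst at {start * 1e6:8.1f} us: {rate} bit/s (consistency {score})")
    for t, old, new in rate_switches(rate_profile(SAMPLE)):
        print(f"rate switch at {t * 1e6:.1f} us: {old} -> {new} bit/s")
```

The consistency score is the check to look at before trusting a burst's rate: if the shortest interval is really one bit, every other interval in the burst is close to an integer multiple of it; if ringing or a glitch got through the filter, the score drops well below 1. This works on an edge capture from a scope, not on a CAN controller's own log, which by definition only contains frames the controller could decode at the rate it was configured for.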
pollux
« Reply #16 on: December 26, 2015, 12:46:35 PM »
> Could be so .. but the problem is then why my logger isn't showing the initial bootloader upload. Perhaps it uses a different baudrate, and only later they switch to 500 kbps.
> I guess I need to hook up a scope and do some measuring ...
Some well known tools out there use some CAN tricks to detect sniffing and won't start the bootloader upload in that case.
> > For the password transaction itself, it is well detailed in the Infineon documentation
> Do you have documentation describing this then?
You can find it on the Infineon website: http://www.infineon.com/dgdl/TC1797_UM_v1.1.pdf?fileId=db3a30431ed1d7b2011efeae5efc6b76
Look for "Command Sequence Definitions" in the PMU chapter of the Tricore user manual.
Merry Christmas
dream3R
« Reply #17 on: December 27, 2015, 12:29:25 PM »
Good to know re sniffing. Guess turning ACK off would fix?
pollux
« Reply #18 on: December 27, 2015, 12:39:23 PM »
> Good to know re sniffing. Guess turning ACK off would fix?
It should. But not all CAN devices/controllers allow you to do that easily.
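Why "turning ACK off" matters: in CAN, every controller in normal mode that receives a frame error-free drives the ACK slot dominant, whether or not the frame was meant for it, and the bus is a wired-OR, so a transmitter only learns "somebody acked", never how many. A controller in listen-only (silent) mode never drives the bus: no ACK, no error flags. The toy bus below is an added example, not code from this thread and not the detection trick any particular tool uses; the `probe` scenario is one hypothetical way a transmitter could notice a third node (send while the legitimate receiver is known to be off the bus) and shows that a listen-only logger captures the same frames without being visible to it. Node names and the probe logic are my assumptions.

```python
"""Model of the CAN ACK slot: why a listen-only sniffer is harder to detect.

Added example, not code from the thread. Every normal-mode node that
receives a frame drives the ACK slot dominant; the bus is a wired-OR, so the
sender cannot count ackers. A listen-only (silent) node never drives the bus.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    listen_only: bool = False          # silent mode: never drives the bus (no ACK, no error flags)
    seen: list = field(default_factory=list)
    ack_errors: int = 0                # frames this node sent that nobody acked

    def receive(self, frame):
        """Store the frame; return True if this node drives the ACK slot dominant."""
        self.seen.append(frame)
        return not self.listen_only


class Bus:
    def __init__(self):
        self.nodes = []

    def attach(self, node):
        self.nodes.append(node)
        return node

    def transmit(self, sender, frame):
        """Deliver frame to every other node; return whether the sender samples ACK dominant."""
        acked = False
        for node in self.nodes:
            if node is not sender:
                # wired-OR: one dominant driver is enough, and the sender cannot tell how many
                acked = node.receive(frame) or acked
        if not acked:
            sender.ack_errors += 1     # a real controller would flag an ACK error and retransmit
        return acked


def probe(sniffer_listen_only):
    """Hypothetical probe: the tool transmits while the ECU is known to be off the bus.

    Any ACK at that moment can only come from a third party. Once the ECU is
    attached it acks everything, so ACK no longer says anything about a sniffer.
    """
    bus = Bus()
    tool = bus.attach(Node("flash tool"))
    sniffer = bus.attach(Node("logger", listen_only=sniffer_listen_only))

    # Phase 1: ECU not yet on the bus (e.g. held in reset before its boot code listens).
    extra_node_detected = bus.transmit(tool, b"probe")

    # Phase 2: ECU attached; normal traffic. The sniffer sees this either way.
    bus.attach(Node("ECU"))
    acked = bus.transmit(tool, b"bootloader chunk 0")

    return {
        "extra_node_detected": extra_node_detected,
        "acked": acked,
        "sniffer_frames": len(sniffer.seen),
        "tool_ack_errors": tool.ack_errors,
    }


if __name__ == "__main__":
    for silent in (False, True):
        print("logger listen-only" if silent else "logger normal mode", probe(silent))
```

On Linux SocketCAN this is `ip link set can0 type can bitrate 500000 listen-only on`; as the reply above says, not every adapter or controller exposes the mode. Two caveats a practitioner should keep in mind: a listen-only node still needs the correct bit rate to receive anything at all, and in the probe phase the tool sees an ACK error whether the bus holds a silent logger or nothing, so the probe only distinguishes "someone acked" from "nobody acked", not "sniffer" from "empty bus".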
dream3R
« Reply #19 on: December 27, 2015, 12:54:01 PM »
A simple chipKIT, for example, can; silent mode or something, IIRC.
Does this proc run on Simos 8.4?
H2Deetoo
« Reply #20 on: December 28, 2015, 12:55:31 AM »
> Look for "Command Sequence Definitions" in the PMU chapter of the Tricore user manual.
Pollux, you're wrong here. The password they are talking about in the datasheet is for flash sector protection. This has got nothing to do with the password used to authenticate with the loader.
Rgs H2Deetoo
pollux
« Reply #21 on: December 28, 2015, 01:44:25 AM »
> > Look for "Command Sequence Definitions" in the PMU chapter of the Tricore user manual.
> Pollux, you're wrong here. The password they are talking about in the datasheet is for flash sector protection. This has got nothing to do with the password used to authenticate with the loader.
So far I haven't seen any authentication with a loader. If you need authentication, this is specific to the loader you're using. The Tricore MCU itself does not enforce such a thing. Anyway, you don't need any authentication if you're using your own loader.
H2Deetoo
« Reply #22 on: December 28, 2015, 02:00:23 AM »
Yes, of course, I agree completely. But my bet is that most tools use the same loader ;-)
Same practice with clusters: there is one smart guy (perhaps even an employee of VDO) who writes a loader, even with some form of authentication, and each and every tool out there uses this loader.
Rgs H2Deetoo
pollux
« Reply #23 on: December 28, 2015, 02:12:19 AM »
Implementing some strong authentication in a loader is a tricky thing, since you can potentially sniff the upload, dump the binary into IDA and figure out how the authentication works.
H2Deetoo
« Reply #24 on: December 28, 2015, 02:21:20 AM »
If the upload of the loader is plain then you're right, of course. But once you encrypt the loader (for example with RSA), you'll have a hard time decrypting it before you can start analyzing.
Fortunately the tools which support the authentication algo are often easier to crack to extract the needed algos.
But in the case of Tricore the loader is indeed plain ...
Rgs H2Deetoo
dream3R
« Reply #25 on: December 28, 2015, 03:44:58 AM »
> If the upload of the loader is plain then you're right, of course. But once you encrypt the loader (for example with RSA), you'll have a hard time decrypting it before you can start analyzing.
> Fortunately the tools which support the authentication algo are often easier to crack to extract the needed algos.
> But in the case of Tricore the loader is indeed plain ...
> Rgs H2Deetoo
Are you making your own loader? I'm at the reading-the-datasheet stage, so a bit behind, lol. Weird how Simos is lo-hi.
H2Deetoo
« Reply #26 on: December 28, 2015, 04:40:29 AM »
No no, I have no intentions of writing a loader. I was just curious which loader is used by Galletto and Byteshooter, for example, and how they do the password transaction.
Anyways, a log is made (indeed in silent mode) and enough is clear now about this subject.
Regards, H2Deetoo
dream3R
« Reply #27 on: December 28, 2015, 06:49:57 AM »
> No no, I have no intentions of writing a loader. I was just curious which loader is used by Galletto and Byteshooter, for example, and how they do the password transaction.
> Anyways, a log is made (indeed in silent mode) and enough is clear now about this subject.
> Regards, H2Deetoo
Can you share the raw logs pleeeeease? Which ECU?
dream3R
« Reply #28 on: December 28, 2015, 07:00:51 AM »
I have the VAG loader info for Simos 8.4, which I *think* uses that CPU or the TC1766xx (TBC).
dream3R
« Reply #29 on: January 08, 2016, 11:56:03 PM »
> No no, I have no intentions of writing a loader. I was just curious which loader is used by Galletto and Byteshooter, for example, and how they do the password transaction.
> Anyways, a log is made (indeed in silent mode) and enough is clear now about this subject.
> Regards, H2Deetoo
??