TC1791_CAN_BSL
crchack
TC1791_CAN_BSL | crchack | |
---|---|---|
1 | 1 | |
48 | 181 | |
- | - | |
0.0 | 6.8 | |
over 2 years ago | about 2 months ago | |
C | C | |
- | The Unlicense |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
TC1791_CAN_BSL
-
Simos18 Supplier Bootloader (SBOOT) Exploit: Reading Boot Passwords
In addition to the RSA signature, all Simos18 code blocks are also checked against a simple CRC checksum. And, in this case, SBOOT tries to validate the CRC checksum before it validates the RSA signature. It turns out the CRC validation is performed using an address header, and the address header has weak bounds checking. So, we can ask the ECU to checksum the boot passwords, and send us the checksum back. Since CRC is not a cryptographic hash (it is reversible), we can use the CRC values to back-calculate the boot passwords. Unfortunately, we can't do this cleanly, because the high side of the address range IS correctly bounds-checked. So instead, we have to start the CRC checksum process, then rapidly reboot into the Tricore Bootstrap Loader and dump the contents of RAM, to see the intermediate/temporary CRC values that have been calculated for only the boot passwords. https://github.com/bri3d/TC1791_CAN_BSL/blob/main/bootloader.py#L113
crchack
-
Simos18 Supplier Bootloader (SBOOT) Exploit: Reading Boot Passwords
After the Seed/Key process was figured out, the CRC exploit was very obvious as the bounds checking is blatantly broken. https://github.com/resilar/crchack came in handy to take the CRC + unknown data and back-generate the correct data used to produce the CRC.
What are some alternatives?
ghidra_tc1791_registers
gtkhash - A cross-platform desktop utility for computing message digests or checksums
HackBGRT - Windows boot logo changer for UEFI systems
digest-crc - A Cyclic Redundancy Check (CRC) library for Ruby.
Simos18_SBOOT - Documentation and tools about Simos18 SBOOT (Supplier Bootloader), including a Seed/Key bypass and Tricore boot password recovery tool.
sa2_seed_key - VW SA2 Seed/Key Authentication for Programming Sessions
odf-nano - ODF-Nano lets you deploy OpenShift Data Foundation on your Laptop (CRC)
virtualcar - A virtual car. Because you wouldn't download a car, would you?
VW_Flash - Flashing tools for VW AG control units over UDS. Compression, encryption, RSA bypass, and checksums are supported for Simos18.1/6/10, DQ250-MQB, DQ381-MQB, and Haldex4Motion-Gen5-MQB.
radare2-book - Radare2 official book