TC1791_CAN_BSL
CAN Bootstrap Loader (BSL) for Tricore AudoMAX (TC1791 and friends), including arbitrary read/write as well as compressed read functionality. (by bri3d)
sa2_seed_key
VW SA2 Seed/Key Authentication for Programming Sessions (by bri3d)
TC1791_CAN_BSL | sa2_seed_key | |
---|---|---|
1 | 1 | |
48 | 64 | |
- | - | |
0.0 | 10.0 | |
over 2 years ago | over 1 year ago | |
C | Python | |
- | MIT License | |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user-suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
TC1791_CAN_BSL
Posts with mentions or reviews of TC1791_CAN_BSL.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2021-03-07.
Simos18 Supplier Bootloader (SBOOT) Exploit: Reading Boot Passwords
In addition to the RSA signature, all Simos18 code blocks are also checked against a simple CRC checksum. And, in this case, SBOOT tries to validate the CRC checksum before it validates the RSA signature. It turns out the CRC validation is performed using an address header, and the address header has weak bounds checking. So, we can ask the ECU to checksum the boot passwords, and send us the checksum back. Since CRC is not a cryptographic hash (it is reversible), we can use the CRC values to back-calculate the boot passwords. Unfortunately, we can't do this cleanly, because the high side of the address range IS correctly bounds-checked. So instead, we have to start the CRC checksum process, then rapidly reboot into the Tricore Bootstrap Loader and dump the contents of RAM, to see the intermediate/temporary CRC values that have been calculated for only the boot passwords. https://github.com/bri3d/TC1791_CAN_BSL/blob/main/bootloader.py#L113
sa2_seed_key
Posts with mentions or reviews of sa2_seed_key.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-08-29.
ECU resources
SA2 Seed/Key: https://github.com/bri3d/sa2_seed_key VW AG Programming Mode Seed/Key is implemented using a byte code virtual machine shared across all VW control units. Other manufacturers have more or less secure Seed/Key mechanisms, but this one is interesting and clever.
What are some alternatives?
When comparing TC1791_CAN_BSL and sa2_seed_key you can also consider the following projects:
ghidra_tc1791_registers
Simos18_SBOOT - Documentation and tools about Simos18 SBOOT (Supplier Bootloader), including a Seed/Key bypass and Tricore boot password recovery tool.
HackBGRT - Windows boot logo changer for UEFI systems
UnsignedFlash - Firmware signature bypass on the IC204
mig - Your own MySQL guru to deal with indexes in a friendly way.
crchack - Reversing CRC for fun and profit
ME7Sum - Checksum/CRC checker/corrector for Motronic ME7.1 firmware images. Download binaries here: