UnsignedFlash
NefMotoOpenSource
UnsignedFlash | NefMotoOpenSource | |
---|---|---|
3 | 1 | |
8 | 83 | |
- | - | |
4.2 | 10.0 | |
over 2 years ago | almost 5 years ago | |
C# | ||
- | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
UnsignedFlash
-
ECU resources
JG Lim's Mercedes instrument cluster exploit: https://github.com/jglim/UnsignedFlash . A good example of a common issue in modern control units.
-
Hyundai car software update private keys came from easily Googleable sample code
That's pretty cool! I wonder how properly they were really signed - there are _so many_ mistakes even in systems that at least don't use an example key off the Internet.
The most common ones I know of are:
* Out-of-bounds write issues allowing "signature was validated" flags to be overwritten in Flash memory, like https://github.com/jglim/UnsignedFlash
* State machine mistakes, like https://github.com/bri3d/VW_Flash/blob/master/docs/docs.md - allowing Flash to be written again after it was already written, without an erase first.
* Filesystem parsing mistakes, like those in a number of VW AG head units: https://github.com/jilleb/mib2-toolbox/issues/122
* The use of RSA with E=3 and inadequate padding validation, like https://words.filippo.io/bleichenbacher-06-signature-forgery... .
* Failure to understand the system boundaries, like in the second part of https://github.com/bri3d/simos18_sboot where "secret" data can be recovered by halting the system during a checksum process.
* Hardware fault injection issues, as used in https://fahrplan.events.ccc.de/congress/2015/Fahrplan/system... .
Fundamentally this is of course, a very hard problem, since in the "protect against firmware modification" case, the attacker has physical access. But, compared to the state of the art in mobile devices and game consoles, automotive stuff is still way behind.
-
Hacking a VW Golf Power Steering ECU
My writeups and JG Lim's cover three of the common mistakes in modern modules (supplier backdoor bugs in Simos supplier bootloader, state machine issues in Simos VW bootloader, and block buffer validity confusion / bounds check issues in Mercedes instrument cluster).
NefMotoOpenSource
-
ECU resources
NefMoto flasher: https://github.com/NefMoto/NefMotoOpenSource . Good trip down memory lane. KWP/K-Line flashing (like UDS mostly but over serial). Very simple stuff - basically open a programming session, pass Seed/Key, WriteLocalIdentifier for workshop ID, RequestDownload, TransferData, ExitTransfer, Checksum routine. Modern UDS ECUs use the same basic flow over UDS/ISO-TP instead of K-Line/serial.
What are some alternatives?
mib2-toolbox - The ultimate MIB2-HIGH toolbox.
ME7Sum - Checksum/CRC checker/corrector for Motronic ME7.1 firmware images. Download binaries here:
Simos18_SBOOT - Documentation and tools about Simos18 SBOOT (Supplier Bootloader), including a Seed/Key bypass and Tricore boot password recovery tool.
ME7RomTool_Ferrari - Bosch ME7.3H4 RomTool for Ferrari 360's
apps-inoeg - Kiebitz Web Applications (for users, providers and mediators). Still a work-in-progress, use with care!
sa2_seed_key - VW SA2 Seed/Key Authentication for Programming Sessions
VW_Flash - Flashing tools for VW AG control units over UDS. Compression, encryption, RSA bypass, and checksums are supported for Simos18.1/6/10, DQ250-MQB, DQ381-MQB, and Haldex4Motion-Gen5-MQB.
OpenJ2534 - Open (and Closed) Source J2534 Resources for Automotive Diagnostics, Reprogramming & Tuning