JG Lim's Mercedes instrument cluster exploit: https://github.com/jglim/UnsignedFlash . A good example of a common issue in modern control units.
NefMoto flasher: https://github.com/NefMoto/NefMotoOpenSource . Good trip down memory lane. KWP/K-Line flashing (like UDS mostly but over serial). Very simple stuff - basically open a programming session, pass Seed/Key, WriteLocalIdentifier for workshop ID, RequestDownload, TransferData, ExitTransfer, Checksum routine. Modern UDS ECUs use the same basic flow over UDS/ISO-TP instead of K-Line/serial.
ME7Sum: https://github.com/nyetwurk/ME7Sum . Reads, analyzes, and fixes the complex proprietary checksum system used in old Bosch ECUs. Checksums in newer control units have mostly gotten simpler as more RAM and CPU were available and "multipoint" schemes were less necessary. It can also correct the very silly ME7.5 RSA signature system, where firmware was signed but self-checked using a public key contained... inside of the firmware. So the key could just be replaced and the firmware re-signed. Interesting read to understand the often arcane proprietary checksum routines manufacturers love to use.
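The ME7.5 self-check described above is worth seeing side by side with the fix. The following is an added example, not code from ME7Sum or from Bosch: it uses textbook RSA over two fixed Mersenne primes with no padding (illustration only, not a real signature scheme), a constructed image layout of modulus || payload || signature, and a constructed payload. The point it demonstrates is that a verifier which takes its public key from the image it is verifying accepts any image that carries a matching key, so the root of trust has to be pinned somewhere the image cannot rewrite (here, a hash of the expected modulus that would live in ROM or OTP).

```python
import hashlib

# Constructed toy keys: textbook RSA over known Mersenne primes, no padding.
# Illustration only; not a real firmware signature scheme.
E = 65537
N_LEN = 16  # width of the modulus and signature fields (constructed layout)


def make_key(p: int, q: int):
    n, phi = p * q, (p - 1) * (q - 1)
    return n, pow(E, -1, phi)


def digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, n: int, d: int) -> int:
    return pow(digest_int(data, n), d, n)


def verify(data: bytes, sig: int, n: int) -> bool:
    return pow(sig, E, n) == digest_int(data, n)


def build_image(payload: bytes, n: int, d: int) -> bytes:
    """Image = embedded modulus || payload || signature over (modulus || payload)."""
    body = n.to_bytes(N_LEN, "big") + payload
    return body + sign(body, n, d).to_bytes(N_LEN, "big")


def parse_image(image: bytes):
    n = int.from_bytes(image[:N_LEN], "big")
    return n, image[:-N_LEN], int.from_bytes(image[-N_LEN:], "big")


def self_check_embedded_key(image: bytes) -> bool:
    """The ME7.5-style check: trusts whatever modulus the image itself carries."""
    n, body, sig = parse_image(image)
    return verify(body, sig, n)


def check_pinned_key(image: bytes, pinned_key_hash: bytes) -> bool:
    """Root of trust outside the image: only the modulus matching the pinned hash counts."""
    n, body, sig = parse_image(image)
    if hashlib.sha256(image[:N_LEN]).digest() != pinned_key_hash:
        return False
    return verify(body, sig, n)


# Two constructed key pairs: the "OEM" key and an unrelated second key.
OEM_N, OEM_D = make_key(2**31 - 1, 2**61 - 1)
OTHER_N, OTHER_D = make_key(2**89 - 1, 2**19 - 1)
# What the boot ROM would pin: a hash of the expected modulus, not the modulus in the image.
PINNED = hashlib.sha256(OEM_N.to_bytes(N_LEN, "big")).digest()


def demo() -> dict:
    payload = b"calibration data (constructed)"
    genuine = build_image(payload, OEM_N, OEM_D)
    rekeyed = build_image(payload, OTHER_N, OTHER_D)  # same payload, different key and signature
    return {
        "genuine_self": self_check_embedded_key(genuine),
        "rekeyed_self": self_check_embedded_key(rekeyed),     # passes: key came from the image
        "genuine_pinned": check_pinned_key(genuine, PINNED),
        "rekeyed_pinned": check_pinned_key(rekeyed, PINNED),  # rejected: modulus not pinned
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

Both checks still reject a tampered payload under the genuine key; the difference is only in who is allowed to choose the key. In a real design the pinned value (or the key itself) sits in mask ROM, OTP fuses or an HSM, and a proper padding scheme such as RSA-PSS replaces the raw modular exponentiation used here.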
ME7RomTool: https://github.com/360trev/ME7RomTool_Ferrari . A good example of using basic disassembly-based and needle-and-haystack analysis to locate code snippets in ECU binaries, and using those code snippets, find map lookups. This is a really powerful approach useful across all ECUs.
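The "needle-and-haystack" step above is a masked byte-pattern search followed by reading an operand out of the match. The following is an added example written for this page, not code from ME7RomTool: the needle, the "firmware" bytes and the instruction layout (a made-up eight-byte prologue whose bytes 2 and 3 hold a little-endian table address) are all constructed, and the mechanism is the general one that also underlies YARA-style signatures, so it generalizes beyond the ME7 case.

```python
import re


def compile_needle(pattern: str):
    """Turn 'F2 10 ?? ?? C2' into a regex over bytes; '??' is a one-byte wildcard."""
    body = b"".join(b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                    for tok in pattern.split())
    # Zero-width lookahead so overlapping occurrences are all reported.
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def find_needle(haystack: bytes, pattern: str) -> list:
    """Every offset at which the masked pattern occurs."""
    return [m.start() for m in compile_needle(pattern).finditer(haystack)]


def find_table_refs(haystack: bytes, pattern: str, operand_offset: int,
                    width: int = 2, byteorder: str = "little") -> list:
    """Locate the code snippet, then read the operand it embeds (e.g. a map/table address)."""
    return [(off, int.from_bytes(haystack[off + operand_offset:off + operand_offset + width], byteorder))
            for off in find_needle(haystack, pattern)]


# Constructed needle for a made-up lookup-routine prologue; not a real ME7 instruction sequence.
LOOKUP_NEEDLE = "F2 10 ?? ?? C2 21 00 0B"


def build_haystack() -> bytes:
    """Constructed 'firmware': filler bytes with two copies of the prologue at known places."""
    def prologue(table_addr: int) -> bytes:
        return bytes([0xF2, 0x10]) + table_addr.to_bytes(2, "little") + bytes([0xC2, 0x21, 0x00, 0x0B])
    filler = bytes(range(256))
    return filler[:40] + prologue(0x8A40) + filler[40:100] + prologue(0x8B00) + filler[100:]


if __name__ == "__main__":
    fw = build_haystack()
    for off, table in find_table_refs(fw, LOOKUP_NEEDLE, operand_offset=2):
        print(f"lookup routine at 0x{off:04X} reads table at 0x{table:04X}")
```

The wildcards are what make the approach portable across firmware versions: register numbers and absolute addresses move, the opcode skeleton around them usually does not. The operand decoded from a hit is only a candidate until the surrounding code is confirmed in a disassembler.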
VW_Flash: https://github.com/bri3d/VW_Flash/blob/master/docs/docs.md . Modern UDS control unit flashing: Preconditions RemoteRoutine, Programming Session, SA2 Seed/Key, Workshop Identifier, RequestDownload, TransferData, ExitTransfer, Checksum RemoteRoutine, rinse and repeat. Pretty much the same for any UDS control unit. Other manufacturers have some little tweaks to the Preconditions and Workshop Identifier, but conceptually this is how UDS flashing works overall. Also contains examples of modern control unit encryption (rolling cipher for Temic DQ250, crappy XOR for Simos8, AES for Simos12 and up and DQ381) and checksums (mostly CRC based, some header-defined, some not). Crash course in SBOOT/CBOOT/ASW/CAL layout of modern control units.
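The NefMoto and VW_Flash entries above describe the same service sequence, so one added example covers both. This is a simulated exchange written for this page, not code from either project: a toy ECU that enforces the order (programming session, Seed/Key, workshop identifier, RequestDownload, TransferData, RequestTransferExit, checksum routine) and a client that walks through it. Service IDs and negative response codes are the ISO 14229 values; the Seed/Key function, the workshop-identifier DID, the checksum routine ID, the block length and the image are constructed placeholders. What it shows from the server side is which state each service requires and how the ECU answers when a step is skipped.

```python
import os
import zlib

# UDS service IDs (ISO 14229) for the flow described above
SID_SESSION, SID_SECURITY, SID_WRITE_DID, SID_ROUTINE = 0x10, 0x27, 0x2E, 0x31
SID_REQ_DOWNLOAD, SID_TRANSFER, SID_TRANSFER_EXIT, NEG = 0x34, 0x36, 0x37, 0x7F
# Negative response codes the toy ECU uses
NRC_NOT_SUPPORTED, NRC_CONDITIONS, NRC_SEQUENCE = 0x11, 0x22, 0x24
NRC_SEC_DENIED, NRC_INVALID_KEY, NRC_WRONG_SESSION = 0x33, 0x35, 0x7F
PROGRAMMING_SESSION = 0x02
DID_WORKSHOP = 0xF198   # constructed choice of DID for the workshop identifier
RID_CHECKSUM = 0x0202   # constructed routine ID for the checksum routine
BLOCK_LEN = 16          # payload bytes per TransferData block (constructed)


def toy_key_for_seed(seed: bytes) -> bytes:
    """Constructed stand-in for a real Seed/Key algorithm (SA2 and the like)."""
    return bytes(b ^ 0xA5 for b in seed)


class ToyEcu:
    """Server side. Enforces session -> unlock -> workshop id -> download -> transfer -> exit."""

    def __init__(self):
        self.session, self.unlocked, self.pending_seed = 0x01, False, None
        self.download, self.expected_block, self.buffer = None, 1, bytearray()
        self.workshop, self.flash = None, {}

    def handle(self, req: bytes) -> bytes:
        sid = req[0]
        nack = lambda nrc: bytes([NEG, sid, nrc])
        if sid == SID_SESSION:                      # any session change drops the unlock
            self.session, self.unlocked = req[1], False
            return bytes([sid + 0x40, req[1]])
        if self.session != PROGRAMMING_SESSION:     # flashing services need the programming session
            return nack(NRC_WRONG_SESSION)
        if sid == SID_SECURITY:
            if req[1] == 0x01:                      # requestSeed
                self.pending_seed = os.urandom(4)
                return bytes([sid + 0x40, 0x01]) + self.pending_seed
            if req[1] == 0x02 and self.pending_seed is not None:   # sendKey
                ok = req[2:] == toy_key_for_seed(self.pending_seed)
                self.pending_seed, self.unlocked = None, ok        # one attempt per seed
                return bytes([sid + 0x40, 0x02]) if ok else nack(NRC_INVALID_KEY)
            return nack(NRC_SEQUENCE)
        if not self.unlocked:                       # everything below requires Seed/Key
            return nack(NRC_SEC_DENIED)
        if sid == SID_WRITE_DID:
            self.workshop = bytes(req[3:])
            return bytes([sid + 0x40]) + req[1:3]
        if sid == SID_REQ_DOWNLOAD:
            if self.workshop is None:               # precondition: workshop id written first
                return nack(NRC_CONDITIONS)
            addr, size = int.from_bytes(req[3:7], "big"), int.from_bytes(req[7:11], "big")
            self.download, self.expected_block, self.buffer = (addr, size), 1, bytearray()
            return bytes([sid + 0x40, 0x20]) + (BLOCK_LEN + 2).to_bytes(2, "big")
        if sid == SID_TRANSFER:
            if self.download is None or req[1] != (self.expected_block & 0xFF):
                return nack(NRC_SEQUENCE)
            self.buffer += req[2:]
            self.expected_block += 1
            return bytes([sid + 0x40, req[1]])
        if sid == SID_TRANSFER_EXIT:
            if self.download is None or len(self.buffer) != self.download[1]:
                return nack(NRC_SEQUENCE)
            self.flash[self.download[0]] = bytes(self.buffer)
            self.download = None
            return bytes([sid + 0x40])
        if sid == SID_ROUTINE and req[2:4] == RID_CHECKSUM.to_bytes(2, "big"):
            addr = int.from_bytes(req[4:8], "big")   # CRC32 over the written block, as many modern ECUs do
            ok = zlib.crc32(self.flash.get(addr, b"")).to_bytes(4, "big") == req[8:12]
            return bytes([sid + 0x40, 0x01]) + req[2:4] + bytes([0x00 if ok else 0x01])
        return nack(NRC_NOT_SUPPORTED)


def flash_block(ecu: ToyEcu, address: int, image: bytes, workshop: bytes = b"WS01"):
    """Client side of the flow. Returns (transcript, checksum_ok); raises on any NRC."""
    transcript = []

    def send(req: bytes) -> bytes:
        rsp = ecu.handle(req)
        transcript.append((req.hex(), rsp.hex()))
        if rsp[0] == NEG:
            raise RuntimeError(f"SID 0x{req[0]:02X} rejected with NRC 0x{rsp[2]:02X}")
        return rsp

    send(bytes([SID_SESSION, PROGRAMMING_SESSION]))
    seed = send(bytes([SID_SECURITY, 0x01]))[2:]
    send(bytes([SID_SECURITY, 0x02]) + toy_key_for_seed(seed))
    send(bytes([SID_WRITE_DID]) + DID_WORKSHOP.to_bytes(2, "big") + workshop)
    send(bytes([SID_REQ_DOWNLOAD, 0x00, 0x44]) + address.to_bytes(4, "big") + len(image).to_bytes(4, "big"))
    for i in range(0, len(image), BLOCK_LEN):
        send(bytes([SID_TRANSFER, (i // BLOCK_LEN + 1) & 0xFF]) + image[i:i + BLOCK_LEN])
    send(bytes([SID_TRANSFER_EXIT]))
    rsp = send(bytes([SID_ROUTINE, 0x01]) + RID_CHECKSUM.to_bytes(2, "big")
               + address.to_bytes(4, "big") + zlib.crc32(image).to_bytes(4, "big"))
    return transcript, rsp[4] == 0x00


if __name__ == "__main__":
    ecu = ToyEcu()
    log, ok = flash_block(ecu, 0x80020000, bytes(range(40)))  # constructed 40-byte image
    for req, rsp in log:
        print(f"-> {req}\n<- {rsp}")
    print("checksum ok:", ok)
```

"Rinse and repeat" is just calling flash_block once per block. The server-side checks are the ones worth studying: a session change clears the unlock, a seed is good for one key attempt, RequestDownload is refused until the preconditions are met, and TransferData rejects out-of-order block counters. Real control units layer ISO-TP segmentation, timing parameters and the manufacturer's own precondition routines on top of this skeleton.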
SIMOS18 SBOOT: https://github.com/bri3d/simos18_sboot . Illustrates common security vulnerabilities in modern control units (inadequate RNG entropy, reset exploits). Illustrates the common "SBOOT recovery mode break-in" / "TSW Mode" concept that many control units have.
SA2 Seed/Key: https://github.com/bri3d/sa2_seed_key . VW AG Programming Mode Seed/Key is implemented using a byte code virtual machine shared across all VW control units. Other manufacturers have more or less secure Seed/Key mechanisms, but this one is interesting and clever.