Simos18_SBOOT

Documentation and tools about Simos18 SBOOT (Supplier Bootloader), including a Seed/Key bypass and Tricore boot password recovery tool. (by bri3d)

Simos18_SBOOT Alternatives

Similar projects and alternatives to Simos18_SBOOT

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a better Simos18_SBOOT alternative or higher similarity.

Simos18_SBOOT discussion

Log in or Post with

Simos18_SBOOT reviews and mentions

Posts with mentions or reviews of Simos18_SBOOT. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-04-05.
  • Can Injection: keyless car theft
    2 projects | news.ycombinator.com | 5 Apr 2023
    I did find an older VW "emergency start" product that claims to only work with Bosch MED17 and MED9, and I suspect it's using a memory-access primitive (either UDS or CCP) to release the immobilizer.

    It's trivial to disable an immobilizer in software by re-flashing the ECU, yes, but modern ECUs have two strong protections against this:

    * Cryptographic signature checking against update/re-flash payloads (I've done extensive research on these on VW Continental ECUs - https://github.com/bri3d/VW_Flash )

    and an even better and more obvious protection:

    * The ECU application software won't descend into the re-flash software (Customer Bootloader) unless the immobilizer is free (a valid key is present).

    This is a lot of what helps to reduce surface area from an "emergency start" style attack to an AKL attack - now that the Customer Bootloader won't start without the Immobilizer being unlocked, an attacker needs to remove the control unit to flash it with a Supplier Bootloader exploit ( https://github.com/bri3d/simos18_sboot ) or physical access (BDM/JTAG).

  • ECU resources
    8 projects | /r/CarHacking | 29 Aug 2022
    SIMOS18 SBOOT: https://github.com/bri3d/simos18_sboot Illustrates common security vulnerabilities in modern control units (inadequate RNG entropy, reset exploits). Illustrates common "SBOOT recovery mode break-in" / "TSW Mode" concept that many control units have.
  • Hyundai car software update private keys came from easily Googleable sample code
    7 projects | news.ycombinator.com | 13 Aug 2022
    That's pretty cool! I wonder how properly they were really signed - there are _so many_ mistakes even in systems that at least don't use an example key off the Internet.

    The most common ones I know of are:

    * Out-of-bounds write issues allowing "signature was validated" flags to be overwritten in Flash memory, like https://github.com/jglim/UnsignedFlash

    * State machine mistakes, like https://github.com/bri3d/VW_Flash/blob/master/docs/docs.md - allowing Flash to be written again after it was already written, without an erase first.

    * Filesystem parsing mistakes, like those in a number of VW AG head units: https://github.com/jilleb/mib2-toolbox/issues/122

    * The use of RSA with E=3 and inadequate padding validation, like https://words.filippo.io/bleichenbacher-06-signature-forgery... .

    * Failure to understand the system boundaries, like in the second part of https://github.com/bri3d/simos18_sboot where "secret" data can be recovered by halting the system during a checksum process.

    * Hardware fault injection issues, as used in https://fahrplan.events.ccc.de/congress/2015/Fahrplan/system... .

    Fundamentally this is of course, a very hard problem, since in the "protect against firmware modification" case, the attacker has physical access. But, compared to the state of the art in mobile devices and game consoles, automotive stuff is still way behind.

  • Hacking a VW Golf Power Steering ECU
    4 projects | /r/ReverseEngineering | 4 Jan 2022
    My writeups and JG Lim's cover three of the common mistakes in modern modules (supplier backdoor bugs in Simos supplier bootloader, state machine issues in Simos VW bootloader, and block buffer validity confusion / bounds check issues in Mercedes instrument cluster).
  • Simos18 Supplier Bootloader (SBOOT) Exploit: Reading Boot Passwords
    4 projects | /r/CarHacking | 7 Mar 2021
    I have glossed over all of the actual data details here for brevity. For details including exact messages (and code!), please visit https://github.com/bri3d/Simos18_SBOOT
  • A note from our sponsor - SaaSHub
    www.saashub.com | 8 Dec 2024
    SaaSHub helps you find the best software and product alternatives Learn more →

Stats

Basic Simos18_SBOOT repo stats
5
95
0.0
over 2 years ago

Sponsored
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com

Did you konow that Python is
the 2nd most popular programming language
based on number of metions?