Also, to turn to seed into the key you simply add the password. By observing OBD11 perform a few seed-key procedures I could deduce the seed/key is 4 bytes in length. Luckily for me the OBD11 software has a log in function, and very helpfully suggests a default password that allows access to some (but not all) diagnostics modes. In my experience this can be anywhere between 1 and 8 bytes, and the computation varies from a single xor to some more complex cryptography. In KWP2000 and UDS this is done by requesting a “seed”, performing some kind of computation to turn the “seed” into a “key” and sending it back to the ECU. Not all diagnostics modes can be entered immediately, some require going through a log in procedure. However, this is good news as it means the endpoint does exist, but can only be accessed from a different diagnostics mode than the default (0x89). Trying ReadMemoryByAddress resulted in an access denied error. Unfortunately, the RequestUpload service was not available. Since I can already talk to the ECU over the KWP2000 diagnostics protocol, the next step would be to try using the RequestUpload or ReadMemoryByAddress service. Finally, I will load the binary into Ghidra and make some initial guesses at the architecture and memory map of this unknown microcontroller.
VW FLASH FILES UPGRADE
Second I’ll describe how I found a VW upgrade file and decrypted 1 it.
VW FLASH FILES HOW TO
However, this resulted in some knowledge on how to brute-force the authentication and enter a password protected diagnostics mode. In this part, I’ll describe how to obtain the application firmware running on the ECU.įirst, I tried to extract the firmware over the CAN bus, but did not succeed. In the previous part, I obtained a copy of the module, and did some preliminary research. This is the second post in my series on attempting to modify the firmware running on an Electronic Power Steering (EPS) ECU from a 2010 Volkswagen Golf. Hacking a VW Golf Power Steering ECU - Part 2 Jan 2, 2022
0 kommentar(er)
