From b007eb8a49b9bfcfadf3c7406b31dcf2bb5cd849 Mon Sep 17 00:00:00 2001 From: Willem Melching Date: Sun, 21 Apr 2024 09:14:58 +0200 Subject: [PATCH 1/3] infinite loop after extracting keys --- payload.bin | Bin 4096 -> 4096 bytes shellcode/build_docker.sh | 2 +- shellcode/main.c | 8 ++++++-- 3 files changed, 7 insertions(+), 3 deletions(-) 
diff --git a/payload.bin b/payload.bin index 87076964fff42a6ee9cec0199d5d02a304abfa17..a82995751d13f0407f6c647fb2df16a88ab83621 100644 GIT binary patch literal 4096 zcmV+b5dZIPfpR6YPuN0#idU!IZ zzUcPawzXHyN3y~*Dr4X;PTip;!p1cV?r<6ak@DEU>^&_bFfEh%(s^@5j2|=z-9Oq0 zsR2vSrI&+-Ws%C1fc+hwU{P5`Sq2cIcpueB4#Ttj*x=&-0& zprinnj4jzYix@hsd`(MFt0s(z2{`NV+|9>m8cu;rre=`YoKODUu8AtY@XgzY!LMm2NxFO=ITcn)1=k*}=}40=+s7Rwke7 z{{r{cV9;iGX3e*{B0+Em**0*IrPmT>${WRam|1#^)D{pN6% zBKCSY4HPSmfkBDu0|`(fd_L;Oi{Ju`FgiYk+~jWM+{VvFpJk(vKf$g=%PoQ+DpRMz zcBBL4x$R3F$=agcYDgAqR6e`J%aU-}cmPpYzFwK;_(sKvXNT>U{h$R|Yu)WD0jQG6%hDsR}FjtB`S>vqx9-=A|s*pe%xwJ1HPc zlbrn85~l%_?my3!t~PADBF^hTl*hiL2*!sAUuDypKjD2zal5l{k=qyYljf1tcfg!f zY|})Tx6jXAwB>P7_>iYjXj{(#Ixu7|2&tdD@wA~J9HUbopd9FgKO44KsUL@ekK>L< zs+4gGVI}yYfC9PhKN|pSM3D$DN~8Oo0+uf|kRs;WpZXXEKsvI(!5s^elemJds&M-( za-la$l6G86u&I3I8%>d4s??;h!0QZcfkUQ-$x>10#)Xa779z90js~D-$3JcFEZq5J zY2(W*rfcVx`#8SXN9Nd}IQM6)#e63w{&S=JUoKq6d~8)wC-a8O6=5pNc(sh+X`238 zujcgKP!r_?XcYDzsUxa(i z|6*7V*JmfQObt7@<`1baCVBhF60f2Jg@sChiO^!ZHn#2JwAb>jNK@(g4Ea;=+>U?% zk_$Hdy=J0x7nk$+2LqemhOsY!5G+Uo{1sVXGG03vUj3?NWFT-;$pp|QYsEqyyK0vZ zGh1wyp+JZ5*-S8+VHnc$aeM(k$1{fk63&Kz8H~1^xwb$eA8hWp@ zU~nw<0|r1GV*rru zq;G?MS`e8S{9D7N(@kt>;7q?t(HNhL4Bj7LQl zocG3D;GzzX)onViG6Oi+!2cXpbogN9bRFgD1S>5Y>aux;k$0_^($>;#jM=sFYFQ2g zUg$Y&ZjN=qXfhF;6>kc{ZG3tM;kL5gnb!$Lb05pWd1y=I5mg^D$9TA{oUyeYW-cF5MN39(9-jEL{9lDZg%ni0akP^E$Boum zt8i6?Adu7p9f!<1CZ$y(D63M(_CT&+l49NQ3k9uOP0LUv6nei;eYGo55ho(^;n6mX z7Gq9aEpcQUR4gS1KVBxQUajrp;~h>F1%O{e9SmOgv;L(T0p){tgHZ7CoKW+sqa z>@L)oUuNKqX(Acp)hvjp**va*K||mA>qKFH&{#Y|U6c-Wut^2>2#FiWNecj1)Tc}2 zP*Wduo7KEha)ps#L~wj%zP7kDU)^1Q!@%5Ja3myOoOsgjiOp*yKeOn+fFpEs9;PB? 
z2s#E}N&jH8_AqD4-yE#M4|UN5)H!)#o+cC2HeJ@Nsu;Y`7ApU`R*y}*Jr)!{om2wCq{r7 zK~^8J8SJfFaN5QcvZ&gRIv-d>B4I$&R`}u+eos%TR7l|g*PhYHO!rtu>9}~>60t{X z@M^fRwNG^1K<~y137+G4QWo|(hF;w^^--tetNQv*xK6vUNf`C@ZNBG|pM|9+J6_QZ zWr?+8TE{~jH^jOw>VPq0Ya+J4|j z501@{F2Csq^@IxgbiHWDWL@6M0D0$q%!N$^#d|qR`uQL+X9yx5Ui@2~a^>uQNr}l_ zDS5tj#xgU*oc3XzeT)H(Ht8#^7rgU54kL*3P=AN?b}^1%*k1{;TSUJ}&g#?fzK1l+ zr(!5pGr8$K?vLl_BzVrwGWY|F+6O8m4EQTq!#G50?UEEmxz=7CG=>YvktrN=wmtwA zt5CCVlN-4ja!9>KB`hDWzkdN_svy$MR39|%7F@fxx$Z$!a8mMW=J9x@JdTy#H_kkw z7NVDb*0UxfLDYW+->s^t(?{uKrSw|sC0sr6%C~0qpY&>Eo|>0vU!j4Y1CQQ&FgV4$ zcm;aWq_|rD@(eM_bR+ZNtZ4`P*qGyy)1oW3Lb;D;R`xOFDf7O~w(gXWdU=W;_-&pcXkzNxDU{ zE*d#mGSHsCZOZ@;qrq{|3izV5^i9aGQiB2Jn_QsM=+WpVzta{EGtmu9s}rJq_m-MI z)B;kq`!lKo#CKuPozv>7{Ad6ab0!{YvP08%Z{TMsex0nbx-i2l|D7p50}ITIQv++vJh8jhor zjWXW>hI zWM)tu`k7=6Ucp0j+b{NrW=5;kanpU4XzHRql89OM9|s}o*UIj1kf@Juqc1307lMdF zr5-}||H4F|xr*1jW77&Fk_xFIQmcqYZS5)m&C9?=`GCCpk<=$!g?{0Rf^W18i9~3B zvk)hOM16T1)b?~2A7jVbf;Ts?BDp{BO_dO|S1U9_j-wBQ}oDTk2UWzd{E z3X95KwCTh4 zopPZcHF^)lC3oe+cM(1~B*;Ne;K@)=Hre5&W=WKwnSe^XVnF%dDaQrX9s+;b>5!}y z5*`M%?+;;X_^z%BXzNIr(H|`T^{N73 zI{W|56mTeOqP>ac4ZLcI@1TJyAjst97G}!@Gu*9crz(_w_eSNIUF>Kd7$dAl{i_H9 zaz}w{9=aNBE-wau4v83hViQkf_)|{HQccA?8^Yylu0E~BVT=RC;r+sdL13wxD8!(2?Ox^Yt9L??xkCER)ul`E+xE3%!3#V#F$WQg%cg3dyJvh`RrsGH$fBn6#k$55z}bc#g)4 zwA-XXnX0XTWtAl|%p3SZT9cFCbBK--L$1No`X_OXX4K)Az{N!iyRsj&1SuK5Ch}!A zhB<^k0vH?}9%vLoji=Hf-Do;G$dCxKInZ*(=J{YIK^;Katnb z6-3cG^Jj0a=1J?Fu!%Z)$%q8ddWFauaGip9CO-Vbv;(w0yVfVf2{FwXMW?W*S)>|m z!W)6~Lkk({pD!%p7uK$eKN%G@e}q_3ICAqJkKe_H)D|Po=Rlskriy!*iFjS|u$tSk zZmp=&?0BlVtqt(Iic5qiXg4AT z182{}1>5|`AddgED&uvBbD(E+N7;m#S`h+MNru$UHhPoZ-gOSPz>OI-Nidg@4nC(C zitFaXNQ%iijF&l#NS}exOO8Fs*-qLcR!=+U+w+h@jgmK3?vi7oW@ybFW?yrp(7DrN z>Jw`8L3bmM<@X?X-pR`dK=d-#4b_gk_2(|w_s#7FLh6Dwp#1EeZf_kNW|VWB(E7c! 
zbCYB#+3NyZnYiAhgQsd~s>wWGrPV+M!jxIFl47AK|JDGU%OA0if*`M#TZ$futDFXB y6{(Qz4{A#!hFA>6{z}jXC1~3BG5Ca8B|_t2&tzp>GXAo2R(^z|pgesKIv3QGE&Tcb literal 4096 zcmV+b5dZJ|Qq4J=_(Hy@xoI%?)hWW#O=x}4u&daXBd7;;mNQ2DQko#7FzfyhcMqm# z#(^N}6nDxT&`8K+SID{Et$3IAim!zASo&%f<~Icrvh?%kiV`Z}Tf;Z&y|`nEw7^px z`Fy6;?=#y&tj2TzkqoaZhQDSWStnla?SIU*lDI7;L7f|*EK1p-OC3W}VBfsTAi2x0 z2H{N$cJQ6p&WQb?0$Jzlgx-VT>a%jI8A6ezS2cf()W9z{lnhKX(}+{pp~3TPOk8J| zKQk5bC_Y)K!l25v_6904qwrNBcdi9$2~VXz*jU~N&d9<9Jh+iX6Vj-s!r)htKfH>n z-^aMVW(`{8l;C}<&tQ!2e80b?$)Or$`OwumObSm4#cBrB=SoirjskE)TXh>id@+12vZTXYV#lQ9U`RqD$5Thi}kpnAmA> zd>a;XUj93JLA!vBXILT=bs$(*B^7C9e-TP+*j5L8h%;Pj-;WuZMe*5eJXhX9v*~^B z#R_rPtQ{sa)ZTp=6dcLdAVCL7!XDtDP(9buKGHpw9iy^6C^ao0t*t9u6fDOuP0n$b ziy$_rq8g|n=0Kay*G?gnq=ujU&r`A*E|jU>;g9V%@tv2i4p(`@1v_p08_Fu6_%!}x;u?(mL-;-dHijT5qT^}nZ&O`R~<1WujZmQg-H)+$#ZR6$5lomxuY7SMY zKgTK}4*=(XYP}@vE6u@6dRFbiLQw1y`LVGGX7smA_5!!?c2WceHNk0it7ukQ{O0lX z+I?MWb|ph3C4K9+79y`?w|x^SBguEWHwBHP_7dRz1>wTIz|>v$VF^h!C|M)r>Q{N0Oq=*u8bu~wSb>NDIb!5^Ts>>aRM z)hzSruPSSk6DoHTwMx`~VTPSQmn2BOO#{k>J`{qN{gFBDN!^2QD`f;APL54;-f-Y3 zM6p4^z})*HWMu}Xlx>{AV3sGinjpZSX2Fq}-Y<5#C(lfXBud=Nua1BtTxL*&bcqdtI=NVqDD@WG|L>GEH7QmOrWBKy&L$m8j&tkwS$0lvs478aa?KO1vg6^};U6t) z;cLZQ_>%Lh5+$ViDc{Zn68bctfp!iSf)ZqToJ$0;T5VtzYgIr`K%}yoEMH*`{AOty zg(g%1o4qz%ll5>&F~5_MJ{w)V#*!dR2>AM%30Nu3{dL&Ws)=?JUngq*YQAczOc6i1 zk-u&4%``^yEmIYltO>g43*kNI9|{wGzcC1U+_QC>ysFNtnzt|o(ds(j)jIslvnO)A zhCXx`UvB3J4ib0&mHElLZv!xNfK6N9r)AUaf*u5|IZ;?SMys)-r3#q^-=cCd8B}b4 zm?JpI6*y2IO$}^2&`FIyE2mcI_CBGNbY(o-)8fS+&2wxaoAs4`-Dj&x7G`XNhnKy~B_c43R2+hT-b02RpNk(vunl z+qKagoYa{qn!jJRmk^-DC1+z5wt+7&yKjkV&>8P8Bn*scNkNAoxr$@^0<-?gwaW;j zt{N{xp(fGqOK|!ILc$yU9qz2uMb-mx)?@O0tKJ8(EqJSgHJk_6iW3S$ijARzL3yZ; zbU9dEuj*Qc66}v!S7rQjhR41nO(Xd+qk{Z=C6==VTr<12G~HE49{GW$^p;k@4z5^* z;%OiZqY~_>w2o3qFR3?aX%dp?V@|*HV`3A|O!H%kD$wibCp6Aw0%l61hcuLN@~iN=$0$H{m2mufECGrReS*|1C^AT;-1IE~V_88<`pTRy5YmsoqpnAVhAA8mi$g!GorZeD z$5G=SR2KxqE^<8Rhk}nnh zdL~6P=3yu7C^IbVE+XBX7&h0DgCH2sZGcY5Y|_40esZi2q)DyEhkYSN04V_GoLeBq 
zSB27l{J|SgujfXXvON3#<>4eABfv!jZXGwj8k&Cd;D68RCRxjvZoJ&Sk*;_HHT7i4 zsl{vTbwa8uUXh-Fbqo!CrbMU90RvRH;(>>ezy@ z9{!8Ia5{(5eKq&8NOX~cpCVO%u88NobbC9HemfmSpt>o7c-b_)(ePy)kMUiCJ zcT+80TLO}OJ@V0$H*v)E&AWpg`bBqq!R@uqKDL=Hbp&elRg_+U&!}!CN8=ih`$>FK zUrqam;%X7_*(PB0B?wade`kq?KmpB<&{W0!@KEZzS>uP3xAiK+$jwU%j(Y86#8=li zY`Y8#ETtBqoy`l_K9glG*? z=SV%~Pvo>0BT!yv^# zNSaB(lI(GAceKnm`;x(K_~mHI!t;yw()DuL)>L|9gH{N=h2jow;aL@3x*6RPy0=O$ zw*N+iH=B1}mkQz~?v~Y}khK?b^HK0J^wHkry8PFwpuJ!w3fZ(5^ zY04P=jEg%nO?^-(OUNq}*Qd!rq+qdV!KcMWb;w=Vb6Q80f83WEP z`v0Ro1hro=?7ZZouJ14R+hEj5(0Fxc9r>x(#^@wkU3!WFpBg!r_Q7enxVFHD)SXYP z6hbOS1Tz^j%RvFZqdgMBcIY>iVry_Hq#m=ItX@pzWi^is;hriOLqP{{(1)}MSG+Yg z(%5DuB(*4;oy;rO2GE7l7x5^Im|_4!TNpGfx{}c_8MBc73lZ;mdg$|7u@g~HtaOAf z?1p3Q8ow_m8AHfq^3vY*#{Mp+F<5T@?8qRo#Qr4joQ@)8M1(%7bTwMAe#716$8IT( zdTV#Rbc{jqg{t{2hh9=UowjdnO1D{-zz3dFe1I~+cTQ7zjXy`=p}WZ$hO@~O{njbh z9b38!rZYtyVZp?M+Ik%EWRZ|S-S+eM&kZje3Poq+5rLC^-*Cu_4v`D&qpEHDp*yC- zm#Gf`FEX|o)C)(yG$v7+3}N22xDD3P%TYNll*NLH~sTW) zk+6!5+x*Wq!5o8#Qq{8N45_X2Ex9MLE14K?u@!GmYoSxtCT)K55pn0)#j4pgK2W%K zl@jl^0@)|Oz{%8Pz;z0BV3&xumF!pdAV?xTPy+)n3(WPVXLSuHCW(CGU7h`p%jo2% z^0{z*A8d?fs_}Mw752QH3&6i@W4PuJ+^a{hXgdtO-==y{C6qNh0+c=}9{tV7dqb%^ z;i+L9zu)3*f-opfl-RXIw~kx+54!nhcUGs6C#uob%Hvw4EI#y3K!jX~OHF3L!CU{^ zwzK0;>Jbj~EH}FtdihFlRzvK9>2a!^0!Y`P_f#(8YPa6sY$V4wVLW0I7p~bKBm4K& zO80-l_j4~3mkCm2uUHbdv8@(M{aPM9%5y^EW@_Z1c`a)Iv9L_UJdkGTRfU&rt+L_F z0ihlSG>mswOlmw%;>T=dgmR*(XbpZzo2KrJua2VY)Y(6neMceE99m@9J}kQBe26Oc z?bb_;gwz_a2|WaJZ+4DczA8Lur3&j+B7$n4m-+D)fFXBW)7w={fk@!FHDgTRYtOzY zbE)nAANM8{#O1B{A{lLbhFV3IoDGcf}sc7mqwCiDqi$_ zuX3`9;W_36gB@B&ju{Wfz2)4lzXgGbmQoBxx{>>n@|t*(QZ&)=cbmXWx|fK}q_gr3 zO!DP2dx_xRjgMyEfPeeAk2gIOT~|&s@CHecmBAciP`4fJk69A<`y1)s=Q&ZuLR+6r z)W*vr|0crTPa5&>(Xz}-ubb#_B+=-UpPPsND?6+S*H9}0YR(daf_AlU-wSfTrjICS zyo%1VC1Qq$c@*`qUfuKMkz>BSrH2`3w=;2QCs&H0a_no6=$7I;X=b4=8>@0s>Flah z1FH>GY>z2|Rt2rPzvECJ1gfYb-aWPrImu z$zmc)Lm$|&IUQ$2`(say=ygSUY>IXy)XPe-AAJ)R!BkAQI{{|^ 
diff --git a/shellcode/build_docker.sh b/shellcode/build_docker.sh index 445a3df..bef9b36 100755 --- a/shellcode/build_docker.sh +++ b/shellcode/build_docker.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash - +set -e docker build -t v850-gcc . docker run --rm -v $(pwd):/src v850-gcc ./build.sh diff --git a/shellcode/main.c b/shellcode/main.c index f5acac0..4506950 100644 --- a/shellcode/main.c +++ b/shellcode/main.c @@ -45,6 +45,10 @@ void exploit() { addr++; } - void (*bl_reset)(void) = (void (*)(void))0x0000157e; - bl_reset(); + while (1) { + ; + } + + // void (*bl_reset)(void) = (void (*)(void))0x0000157e; + // bl_reset(); } From 162f5283d88d6af8ad492d6d2b7e1d17c4ebc79b Mon Sep 17 00:00:00 2001 From: Willem Melching Date: Mon, 29 Apr 2024 07:46:31 +0200 Subject: [PATCH 2/3] extract dataflash --- extract_keys.py | 27 +++------------------------ payload.bin | Bin 4096 -> 4096 bytes shellcode/main.c | 4 ++-- 3 files changed, 5 insertions(+), 26 deletions(-) diff --git a/extract_keys.py b/extract_keys.py index 4ab951c..1afbd63 100755 --- a/extract_keys.py +++ b/extract_keys.py @@ -181,9 +181,9 @@ def get_secoc_key(key_struct): erase = b"\x31\x01\xff\x00" + data isotp_send(panda, erase, ADDR, bus=BUS) - print("\nDumping keys...") - start = 0xfebe6e34 - end = 0xfebe6ff4 + print("\nDumping dataflash...") + start = 0xff200000 + end = 0xff208000 extracted = b"" 
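Review bot: The old `bl_reset` call is left at the end of `exploit()` as two commented-out lines, with nothing saying why the reset was replaced by `while (1)`. Either delete them (the history keeps the call) or put a one-line comment above the loop giving the reason for spinning instead of resetting, e.g. `/* spin here instead of calling bl_reset: <reason> */`, so a later reader does not simply re-enable the call. The empty-statement body could be written `for (;;) {}` to make the intent plain. `exploit()` starts outside this hunk.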
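Review bot: After this commit nothing in view consumes `extracted`. The following hunk deletes the checksum verification and key output, and its header (`+212,3`) suggests the file now ends right after the read loop, so unless the loop body outside these hunks stores the data, the buffer is built in memory and dropped at exit. The script should either persist the buffer or stop accumulating it. The new bounds `0xff200000` and `0xff208000` are bare literals; a comment above them such as `# dataflash range to dump (end - start = 0x8000)` would say what they cover. If `get_key_struct`, `verify_checksum` and `get_secoc_key` have no other callers they are now dead code, and the name `extract_keys.py` no longer matches what the script does.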
@@ -212,24 +212,3 @@ def get_secoc_key(key_struct): start += 4 pbar.update(4) - - key_1_ok = verify_checksum(get_key_struct(extracted, 1)) - key_4_ok = verify_checksum(get_key_struct(extracted, 4)) - - if not key_1_ok or not key_4_ok: - print("SecOC key checksum verification failed!") - exit(1) - - key_1 = get_secoc_key(get_key_struct(extracted, 1)) - key_4 = get_secoc_key(get_key_struct(extracted, 4)) - - print("\nECU_MASTER_KEY ", key_1.hex()) - print("SecOC Key (KEY_4)", key_4.hex()) - - try: - from openpilot.common.params import Params - params = Params() - params.put("SecOCKey", key_4.hex()) - print("\nSecOC key written to param successfully!") - except Exception: - print("\nFailed to write SecOCKey param") 
diff --git a/payload.bin b/payload.bin index a82995751d13f0407f6c647fb2df16a88ab83621..24580bad9973c540319da52f1ec7b2916380542d 100644 GIT binary patch delta 4038 zcmV;%4>|CFAb=o{V1J7KA0@#$M1HYX09`9d26o*{PWaP&lVRk%d$6e-zK18j3j9H9 z$U&CyV$^m_Z1~6#WjoR1gs7V0y=hf5-#N75_NC&Q7YC1>EXCDZwa&SbE^00iXHR|k z&-pn1+Y4WZ{g8B;K`VgnPfQQ;&@x^SX@yR zkKh}g169QF3pr2lGiaZ`yr5cgE`dX@|8V5Q8ZlBt8KQt5v96oy2C?Q+n3I%qfCP5g2i-CY{YEVk%`6vMI&qF|0d*5S7*MApndtYM(IIUP-Pjchs=UU#3nR>s zizVZ3e3+2prsVOv3@0?2op%|Ab-k|)X_bszyYvIPgbnkP9zwDa>DuK)nNxVwp>|I< zfVsc*eScpa!CXg5-b}HX#6MqpW5phZK^T&WFY5I;r&e?7nzb8W>nZEs7^XwLoU~R# z_?JY9*+2%%Fmeor>LueeO@;a`Nz%k*W@-zdipko#=z3foGz#15;;SsVE>6=u(7@Rx zT~s!dmt9AmAxDXcti<)++yxCyG>hqDMueYDet))!YAtke{(T9r*q6Zw)*P_{sYrR#1o~>J1qFK5_ri!%jo1sl7 z()tokz(%bZBJ7g{%&Ks-d&3SF%!70!q+yW3)7!Fotc=kIQIQO{qI8uM^qGrGWQ=pw zr55UWX!)^?R*G!e=qxWA)mOV94gJbs6o0?Jk{-mM7LE-D0Mrk* z7~tg%*3{*yirFyUu;e1n|yMp9W++%N9-7k;$}5f{Bs}(M+}}? zxwlP7&Vs}{arG=aIC_-w@$*a)A$dUqBj7cPuLy?m z<3;s?U2MY(z-aDdy8LCP$McS}{=m0aY%lJN%l@vnxx@|z#WtxG{E&uXNHqlQ4+Fl+ znZuJZL;?=-pTAK93cI3jG`UOQPy}uoP?k@KL*~_=R>06nWdIusZXkM~bAJ$zAddu= zb|8r>!J#OqZTLEdDY7bn7*|?e0~rj~5_#_8(5f~uSQB*es@V{lYQDO(RTkWV!4FZi zp*hJ}L;+0|!h4sc4KgKR_2X*R06HolhM`j09~q%eobNJ2Ec}sI)4Zwv|0Bbu&(7J^hD(^q0{+_*}|N?eJVjG!;q1*7(pJa z2FfpwPM~5_A&}3cH$n)LGKB`+swLKRu>KZ4T7PThup(dX@jV$m2mS7E$Hx1+xA!~{mJGhD8^v+#Zyf{q z(V1NdjJjckxNvbbWMQfJ6P|-E3$gO!LEn4q`1F&pml8Z!N`UX=Z*N6bs=q=w2d0bI zNp-nN;C>Hu879HbDSw-Q$#S+#s`bGj3SAF#6=k{1Wf4RZ4*z=iyyQK1&Uq;Ff`ky7 z0s==FCAsd&D>KOVj#BSd@TJjtF2p0Tg%IbAVWg$)S^z+QvT6vjkhH@8oYWi|HxU}o zXS7s$Yd-)l)Cgg9x*iUZd32xM}Xa~y{fW)CvO*!%QC;Yy;|jIugXkhPmW|*T z|3rIXsVKTa0<20=`-@kpyND5vK!7|jFv#U&)V{}za8x4NnX_TtO(Tbm3kfr;f}RwP z9orFbWb84%(|?__n?b0F`si<#S>m9* z{+uba8s(SLgBv?xbC&fm$O(_+68gf%Z0=&cQ;_8l3xC>*ZlR~~n2K9r)c0_L0D|I= zWR`?HUMhP9%k@HLJK(G&H3ou;^#tv2|2?6NJiv!}oZ%nYC;MG+3`n|_aM{Yc(kFAo z6yVydc!QS zxB$Fo0e`bsdF<_MK?hJp?4ic_CbttJZ<`8-^4#-HGo=;=t9RqBd*{YZ z=I3H80b$`1e;W@w4|OZ`kpAc?oF&2ifq!vaF@JXV)f={gO2c@3QW2hMuB};u4}Mzr 
z9=u#$tdB>@QE_WbH59ZaFg|<`9#^Oo_Kr2}A-UP0kl2`}n~&gWNqPAvZqL^FgT%lZ z072(<)D1AN*|L3tEVKji>GNw{XH}4L<3w+n^(kKeu0%S)gdt-~ZuPc3@fYf+>Y-8p zP=9{Fbn69lsX_%MgZoKYV!&3#9g{7~K3Yd89s(N#xh#^9YdEFcY&*$^{>j!0Q3kPa zFDOl0{yEiqK@w^u-f`TKB{TzC;WiOkj^g4V!2e?u9B_6dA+LS!w%s(kJqTp2Et!{H zwdj%fJMx?=Z~(zT(LG5fpfeJXh`wwubbp9A_oqWY8^!<9zq@7S$5Pg;Y@E@lSu+q` zg{c|ogdIzD5H{>21>_YzU*p2F<`EhIP!*_&gBtH7cx*e6nj*`Qj7!fd# z^=7Um?6Ik-14Zbfo|+d1xYs{l-f?uWItLTY;>G^``fiL+=DdJrW*R?|>li zc{_cEO1!fgXVJ0Dx>g2X)S+WJ5r11_zDQG|G42mHNQj2KU_V{mbAhig^ueLm9eQQ5 z0iJ1V)jueFNeuf6w1IVD1_&BJA^%C6dt4JrXp>g=I? zwj2q&`gJ2#>bb70tCSW+YJUh)#8$HOw8ZR^OYLUp`T@DYYX%w(d8?NcnkGOk;%v#0 zV$DiivZaxtB+dT`hQ%9?`O_B%ekY0N>~p;*Ap(%#=(c$u9rhl9)VM3M+VdJ3M7R3% z9UOj^*7K|ro=jMy{{EdIXK!`an+8_Nb#Y$c;63-x$uh-`u@^$~AAgcMBDgtHJlQuq zytKIlUxP$YrLNQ`$pPX1Cg5E*Q1cg;D=PRzu1?Qs5 z>I`^$w1b7aCSw-b|98YjTh1GK{}%=M*O5|<;%n&rhg+Yuqs>6?$cVopG>}sbDS64P za$L%$O;cb!m~I@*wtts$>Wz*z!W~?{IrxI;=>_*@0cx<@30W8fm6VH~b z@!;%@95+zkipzClStl#!3kER{3HtQNj*i2nFEzC#tNs^gwM_v6s!0=&8KsA?1Zwhk<*ww)WXnGWSx5x0vKRrMVh4OC^lWdrOfl>+vECZ$aS);ij5?ycC>&^IM sNBhL>1nD9@(jy!Va{QMK??(Y4)K)-bx(y7kA}sDX_J4ILLgn+nh66gx`v3p{ delta 4038 zcmV;%4>|CFAb=o{V1KB-==R#SwO7qYvcfYeW8g1N-JvDI#x)D>a2f!S^4P%aJuM?J zEtC4vd2>aKA2bNvKiUYX0ZY)OmxG37k;;^S{T-fQQCUS<&IO1Q$gJyk2o9@QCx?Ou zpDAOnwG+l%LwX_Tu&7m_qyUzTE!jDX7&@(dO-oO!CX9&*IDhN$+|9>m8cu;rre=`YoKODUu8AtY@XgzY!LMm2NxFO=ITc zn)1=k*}=}40=+s7Rwke7{{r{cV9;iGX3e*{B0+Em**0*IrP zmT>${WRam|1%Gpq1O4W3mLm3gISmvmj)6gm>jMc;B78pT$BW4 zMxSM)kUzn$MawOMASzR*!gizs<+<%k9Ld_E-fBn|Yg9hF#LJR!*?0g^SiWAF=J-a% ziD!rH!GmZNA~po~8sPB4yU`SB?7K%BmDAN_2}7gO>3`L63dc>-Esk4);4@=}x~te_ zA1}1b$<28j?SI*dlz)c^pLarwDo_fvF2Ei=1vms0J9aW*&=xUd;6A`$EnwhcbpNT1 zQlGwXp(8#2YdaWxPC%C%p_<#H#9c$+OO_Q5lGLja@y%*feB!01)kTEi8#LgORM%al z{7+td-hbN`3`1#ksWd>pGm(%^Ku9h;o1@#bfRjx?r?L_k#NYay#AU{*HW^n9eV46S zgnj8njFD9n8PpkxEfd%*d2`(v(F$RN2`TqF!;PQFCq)C)z>Bs~d?(;4Z`hoU2ni?a zcG47&R{CbP7_>iYjXj{(#Ixu7|2&tdD@wA~J z9HUbopd9FgKO44KsUL@ekK>L+CU7$O@B!cXcq_$%MF*W>LPdVjC8U~nw<0|r1GV*rruq;G?MS` 
ze8S{9D7N(@kt>;7q?t(HNhL4Bj7LQlocG3D;GzzX)onViG6Oi+!2cXpbbt6@<#Zk8 z>I5q-8|t!ohLLxzm(teKZH(Eq@@iQQ177GkY;KNq!DuoOoE2{h!fkwd2jRA|-kT>l zjLcU8amWXsv79%e2d zQAJBeY#yHYwESO%L4_1lynk`DlK;nz)>*4?RfQms)B_!d%sM8eRU#;>Qpff{u3(a4 z-SGk|F8N3K{ufL*0Ux|&DJRnG+V&fG(E}zUi0$6xheSceK)unL$;p?(I zGBJW=OSz$h`Ryv8i9fsAaVxRxg9NR5!uWY94H_i;e{FJFRmkw7+dTdRl?5~SvAgcT z8k!btjN0;+K702=&FwVSkY+<|DIf@DCXih0F4UJ_X5fu!A{pb=EQqMtJg$I2L*M%A zL}7o>SUf^qln!;UNq+_Q2#FiWNecj1)Tc}2P*Wduo7KEha)ps#L~wj%zP7kDU)^1Q z!@%5Ja3myOoOsgjiOp*yKeOn+fFpEs9;PB?2s#E}N&jH8_AqD4-yE#M4|(^(!>;2!+-zP?Z89`Pbu^H^GTX5RO6tbw=k2)V%L?U58 z(^mN66n;-ns#Hkf0oR_<$V~TGM(MbC+7huxYw&8gv9(Wh+(7Tf3JIR$cv2SjIfh={ zHuX`br6xOG(G6vZwPRYxLmfAkPE?zuK=j&_Impw?$8|NZZeKMPhcwHlVklNKx#>ObkLTzlc+So;_yddD z2Pz~C_$yh%I7Djgk`zX{)?OVnh6~7%DI9aQJ^&S~P_u878@U>CNWDfSEFZ7Ge*t8w zAkxiLAAdCN7F@fxx$Z$!a8mMW=J9x@JdTy#H_kkw7NVDb*0UxfLDYW+->s^t(?{uK zrSw|sC0sr6%C~0qpY&>Eo|>0vU!j4Y1CQQ&FgV4$cm;aWq_|rD@(eM_bR+ZNtZ4`P z*qGfuV>v)U}iiPG@uqaO-Z^%vMw4qSu)U`zirC^52L|x&QpXOsf;3efO4{KGXtIwfi%w1H^Y>(4Eujs{CjG z6n}Fj9%`~f=;(YG{pS4`JJz~IAmQB@3eunM`riC#Wyk~oSZk&?YnNSEDtg|9UgEnv z_Y5#yNC6janPd%K!9#T0FZPIL zMyu6v(|wj`>Y_f9h*|a@2O;X$%IFDP0Uf`~$;9zyp2!bG6Cir2ei(+VS! 
z3aKGdtB6Kz?J5Ax%fLnXfV}&W)F)eoe&LFOZ?p`FL}-7r5GR5}eR&(y_HdE4hJWob z>~2A7jVbf;Ts?BDp{BO_dO|S1U9_j-wBQ}oDTk2UWzd{E3X95KwCTh4opPZcHF^)lC3oe+cM(1~ zB*;Ne;K@)=Hre5&W=WKwnSe^XVt+vS-zmoh)gA(W+Ubz26%rl>weJsMYxu6N3TW#{ zn9(0CD?ogSd}D%NVMjrM=WjHxJNMkXs14blC&l!E?0wZ^pYBB$UQf)SP6Q1Y)0~$h z_KxL4TG+zdCuTW39ZHq6kaHA#i{az2WfOUA{!?8fZv(1arzwF&=a|w8*nj-xn=`;$ zR)|8lOuvW;JXIX7uhatr0E_}@E>XH=;b?xeL@twaDIT}a8s9M-GQ_Da;HsP$cFyHM z%mhVa>ij8k3EBmTB$~4C%P9*Kn7AkZcE={M4*R0jQ7O;1kNsYRcvboazU|9;7h*iA zGL`L(n0|(Ildk4QleM~f_J5B!%O>ewQPDq$Y?etX!$Y^w?aZ^h6Bhqd$;S3EH{$WU zp~Xo_<;Fb(d!!p(@^Frn1sa5ki9Wkb=%3L z`VdfC5V%z|@Gxalv!^2_bB`;HU1)bhJmlra(EZQYO>qTI2QC2VP=D#xC#?D)u86)r z(*e2{$6CIFoBu3PGbX3pI7;|*GQ)h+VGV$6_?b9)LqY~<=(>73I{W|56mTeOqP>ac z4ZLcI@1TJyAjst97G}!@Gu*9crz(_w_eSNIUF>Kd7$dAl{i_H9az}w{9=aNBE-wau z4v83hViQkf_)|{HQ-7BjD^AWyzai#X7QAhnNQZ8X~i*|jTqL)5L#g7#{3n$ACw*U=S3(K_>IZ?5J^ z>z%NPI(o^71b@(ag~%Fkoq~8KKK#S91GGN7)+fXXG0ho8r?974q#A9)8-esg3mNI3 zFD&90)~<^`85K2ugji8Ha`PXL-^GU179-B*K%Ts&ihG!ecwO?an%l8%t*FxMc&fSM z{yC#P6@L>39m3Dp`0ewd6RwzTC;3n1uF5}LK_QBBw0|*&rart9DKc+`>tqt(Iic5q ziXg4AT182{}1>5|` zAddgED&uvBbD(E+N7;m#S`h+MNru$UHhPoZ-gOSPz>OI-Nidg@4nC(CitFaXNQ%ii zjF&l#NPnM!(Myg!$=OcYBUVp4=iBp;LXDC)R_>BxqGo8#9cEv1q|mw3W9k!X^g(wc zkLC9uc;3m&2tf2Q*A3N Date: Tue, 30 Apr 2024 09:44:17 +0200 Subject: [PATCH 3/3] Add script to find key in dump --- check_key_with_route.py | 65 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100755 check_key_with_route.py diff --git a/check_key_with_route.py b/check_key_with_route.py new file mode 100755 index 0000000..a318561 --- /dev/null +++ b/check_key_with_route.py 
@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+import struct
+import argparse
+
+from Crypto.Hash import CMAC
+from Crypto.Cipher import AES
+
+from openpilot.tools.lib.route import Route
+from openpilot.tools.lib.logreader import LogReader
+
+KEY_LEN = 16
+
+def build_sync_mac(key, trip_cnt, reset_cnt, id_=0xf):
+ id_ = struct.pack('>H', id_) # 16
+ trip_cnt = struct.pack('>H', trip_cnt) # 16
+ reset_cnt = struct.pack('>I', reset_cnt << 12)[:-1] # 20 + 4 padding
+
+ to_auth = id_ + trip_cnt + reset_cnt # SecOC 11.4.1.1 page 138
+
+ cmac = CMAC.new(key, ciphermod=AES)
+ cmac.update(to_auth)
+
+ msg = "0" + cmac.digest().hex()[:7]
+ msg = bytes.fromhex(msg)
+ return struct.unpack('>I', msg)[0]
+
+
+def find_key(data, sync_msg):
+ trip_cnt = struct.unpack('>H', sync_msg[:2])[0]
+ reset_cnt = struct.unpack('>I', b'\x00' + sync_msg[2:5])[0] >> 4
+ good_mac = struct.unpack('>I', sync_msg[4:])[0] & 0xfffffff
+
+ for offset in range(len(data) - KEY_LEN + 1):
+ key = data[offset:offset + KEY_LEN]
+ mac = build_sync_mac(key, trip_cnt, reset_cnt)
+
+ if mac == good_mac:
+ print(f"Found key {key.hex()}, offset 0x{offset:x}")
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument("route", help="Route to check")
+ parser.add_argument("dataflash", help="Filename to dataflash dump")
+ args = parser.parse_args()
+
+ route = Route(args.route)
+ logs = [s for s in route.log_paths() + route.qlog_paths() if s is not None]
+
+ with open(args.dataflash, 'rb') as f:
+ data = f.read()
+
+ sync_msg_seen = False
+ for path in logs:
+ log = LogReader(path)
+
+ for msg in log:
+ if msg.which == 'can':
+ for c in msg.can:
+ if c.src == 0 and c.address == 0xf:
+ print("Sync Msg", c.dat.hex())
+ find_key(data, c.dat)
+ sync_msg_seen = True
+
+ if not sync_msg_seen:
+ print("Warning: No SecOC Synchronization message in route")
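Review bot: `find_key` slices `sync_msg` without checking its length, so `struct.unpack('>I', sync_msg[4:])` raises `struct.error` for any frame on address 0xf that is not exactly 8 bytes, and a single odd frame in a log aborts the run. A guard at the top, `if len(sync_msg) != 8: return`, avoids that. The frame layout is only implied by the shifts and masks (16-bit trip counter, 20-bit reset counter, 28-bit truncated CMAC); a docstring on `find_key` and `build_sync_mac` stating it would make the parsing checkable against the SecOC reference cited in the comment. The matched key is printed in full to stdout, so it ends up in terminal scrollback and any captured logs.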