diff --git a/check_key_with_route.py b/check_key_with_route.py
new file mode 100755
index 0000000..a318561
--- /dev/null
+++ b/check_key_with_route.py
@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+import struct
+import argparse
+
+from Crypto.Hash import CMAC
+from Crypto.Cipher import AES
+
+from openpilot.tools.lib.route import Route
+from openpilot.tools.lib.logreader import LogReader
+
+KEY_LEN = 16
+
+def build_sync_mac(key, trip_cnt, reset_cnt, id_=0xf):
+ id_ = struct.pack('>H', id_) # 16
+ trip_cnt = struct.pack('>H', trip_cnt) # 16
+ reset_cnt = struct.pack('>I', reset_cnt << 12)[:-1] # 20 + 4 padding
+
+ to_auth = id_ + trip_cnt + reset_cnt # SecOC 11.4.1.1 page 138
+
+ cmac = CMAC.new(key, ciphermod=AES)
+ cmac.update(to_auth)
+
+ msg = "0" + cmac.digest().hex()[:7]
+ msg = bytes.fromhex(msg)
+ return struct.unpack('>I', msg)[0]
+
+
+def find_key(data, sync_msg):
+ trip_cnt = struct.unpack('>H', sync_msg[:2])[0]
+ reset_cnt = struct.unpack('>I', b'\x00' + sync_msg[2:5])[0] >> 4
+ good_mac = struct.unpack('>I', sync_msg[4:])[0] & 0xfffffff
+
+ for offset in range(len(data) - KEY_LEN + 1):
+ key = data[offset:offset + KEY_LEN]
+ mac = build_sync_mac(key, trip_cnt, reset_cnt)
+
+ if mac == good_mac:
+ print(f"Found key {key.hex()}, offset 0x{offset:x}")
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument("route", help="Route to check")
+ parser.add_argument("dataflash", help="Filename to dataflash dump")
+ args = parser.parse_args()
+
+ route = Route(args.route)
+ logs = [s for s in route.log_paths() + route.qlog_paths() if s is not None]
+
+ with open(args.dataflash, 'rb') as f:
+ data = f.read()
+
+ sync_msg_seen = False
+ for path in logs:
+ log = LogReader(path)
+
+ for msg in log:
+ if msg.which == 'can':
+ for c in msg.can:
+ if c.src == 0 and c.address == 0xf:
+ print("Sync Msg", c.dat.hex())
+ find_key(data, c.dat)
+ sync_msg_seen = True
+
+ if not sync_msg_seen:
+ print("Warning: No SecOC Synchronization message in route")
diff --git a/extract_keys.py b/extract_keys.py
index 4ab951c..1afbd63 100755
--- a/extract_keys.py
+++ b/extract_keys.py
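Review bot: `find_key` unpacks `sync_msg[4:]` with `'>I'` (and `sync_msg[2:5]` behind a fixed one-byte prefix), so a frame on address 0xf whose payload is not exactly 8 bytes raises `struct.error` from inside the log loop in `__main__` and aborts the whole scan instead of being skipped; a guard at the top of the function, `if len(sync_msg) != 8: return`, keeps one odd frame from killing the run. The `if mac == good_mac:` comparison matches a 28-bit truncated MAC against one 16-byte window per byte offset of the dump, so a spurious hit is unlikely but not impossible and deserves a comment such as `# 28-bit MAC: trust an offset only if it matches more than one sync message`. Since every sync message re-scans the whole dump and prints independently, collecting the matching offsets per message and reporting their intersection would make that confirmation explicit rather than leaving it to whoever reads the output.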
@@ -181,9 +181,9 @@ def get_secoc_key(key_struct):
 erase = b"\x31\x01\xff\x00" + data
 isotp_send(panda, erase, ADDR, bus=BUS)
- print("\nDumping keys...")
- start = 0xfebe6e34
- end = 0xfebe6ff4
+ print("\nDumping dataflash...")
+ start = 0xff200000
+ end = 0xff208000
 extracted = b""
@@ -212,24 +212,3 @@ def get_secoc_key(key_struct):
 start += 4
 pbar.update(4)
-
- key_1_ok = verify_checksum(get_key_struct(extracted, 1))
- key_4_ok = verify_checksum(get_key_struct(extracted, 4))
-
- if not key_1_ok or not key_4_ok:
- print("SecOC key checksum verification failed!")
- exit(1)
-
- key_1 = get_secoc_key(get_key_struct(extracted, 1))
- key_4 = get_secoc_key(get_key_struct(extracted, 4))
-
- print("\nECU_MASTER_KEY ", key_1.hex())
- print("SecOC Key (KEY_4)", key_4.hex())
-
- try:
- from openpilot.common.params import Params
- params = Params()
- params.put("SecOCKey", key_4.hex())
- print("\nSecOC key written to param successfully!")
- except Exception:
- print("\nFailed to write SecOCKey param")
diff --git a/payload.bin b/payload.bin
index 8707696..24580ba 100644
Binary files a/payload.bin and b/payload.bin differ
diff --git a/shellcode/build_docker.sh b/shellcode/build_docker.sh
index 445a3df..bef9b36 100755
--- a/shellcode/build_docker.sh
+++ b/shellcode/build_docker.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-
+set -e
 docker build -t v850-gcc .
 docker run --rm -v $(pwd):/src v850-gcc ./build.sh
diff --git a/shellcode/main.c b/shellcode/main.c
index f5acac0..ae529de 100644
--- a/shellcode/main.c
+++ b/shellcode/main.c
@@ -10,8 +10,8 @@ void exploit() {
 asm("di");
- int *addr = 0xfebe6e34;
- while (addr < 0xfebe6ff4) {
+ int *addr = 0xff200000;
+ while (addr < 0xff208000) {
 int i = 0x10;
 if ((*(RSCFDnCFDTMSTSp + i) & 0b110) != 0) {
@@ -45,6 +45,10 @@ void exploit() {
 addr++;
 }
- void (*bl_reset)(void) = (void (*)(void))0x0000157e;
- bl_reset();
+ while (1) {
+ ;
+ }
+
+ // void (*bl_reset)(void) = (void (*)(void))0x0000157e;
+ // bl_reset();
 }
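Review bot: The new `start`/`end` literals say nothing about what region `0xff200000`–`0xff208000` is, and the same two values appear verbatim in `shellcode/main.c`, where the read loop appears to have to cover exactly the range this script walks 4 bytes at a time; if one side is edited without the other the dump is silently misaligned. Hoist them to named module constants with a comment, e.g. `DATAFLASH_START = 0xff200000  # must match the addr range in shellcode/main.c` and `DATAFLASH_END = 0xff208000`, and assign `start`/`end` from those. The hunk header names `get_secoc_key`, but this code looks like the script body following it; the enclosing block starts and ends outside the hunk.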
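Review bot: `int *addr = 0xff200000;` and `while (addr < 0xff208000)` initialise and compare an `int *` against bare integer constants, which C requires a diagnostic for and GCC only warns about, and the rewritten lines keep that form instead of fixing it while they are being touched; write `int *addr = (int *)0xff200000;` and `while (addr < (int *)0xff208000) {`. The range also has to stay identical to the one in `extract_keys.py`, which is worth a one-line comment beside the constants such as `// must match start/end in extract_keys.py`. `exploit()` continues past the end of this hunk.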
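Review bot: The new `while (1) { ; }` parks the ECU forever with interrupts still disabled (the `asm("di")` earlier in `exploit()`) in place of the bootloader reset, and nothing records why the reset was dropped or how the ECU is expected to recover afterwards. The two commented-out `bl_reset` lines should be deleted rather than kept as dead code and replaced by a comment stating the intent, for instance `// Spin after the dump; bootloader reset intentionally skipped` with the recovery procedure noted once it is confirmed. If the reset was removed because it misbehaved with the new address range, that belongs in the comment too rather than being left for the reader to guess.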