Infinite loop after extracting keys

check_key_with_route.py

@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+import struct
+import argparse
+
+from Crypto.Hash import CMAC
+from Crypto.Cipher import AES
+
+from openpilot.tools.lib.route import Route
+from openpilot.tools.lib.logreader import LogReader
+
+KEY_LEN = 16
+
+def build_sync_mac(key, trip_cnt, reset_cnt, id_=0xf):
+  id_ = struct.pack('>H', id_) # 16
+  trip_cnt = struct.pack('>H', trip_cnt) # 16
+  reset_cnt = struct.pack('>I', reset_cnt << 12)[:-1] # 20 + 4 padding
+
+  to_auth = id_ + trip_cnt + reset_cnt # SecOC 11.4.1.1 page 138
+
+  cmac = CMAC.new(key, ciphermod=AES)
+  cmac.update(to_auth)
+
+  msg = "0" + cmac.digest().hex()[:7]
+  msg = bytes.fromhex(msg)
+  return struct.unpack('>I', msg)[0]
+
+
+def find_key(data, sync_msg):
+    trip_cnt = struct.unpack('>H', sync_msg[:2])[0]
+    reset_cnt = struct.unpack('>I', b'\x00' + sync_msg[2:5])[0] >> 4
+    good_mac = struct.unpack('>I', sync_msg[4:])[0] & 0xfffffff
+
+    for offset in range(len(data) - KEY_LEN + 1):
+        key = data[offset:offset + KEY_LEN]
+        mac = build_sync_mac(key, trip_cnt, reset_cnt)
+
+        if mac == good_mac:
+            print(f"Found key {key.hex()}, offset 0x{offset:x}")
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument("route", help="Route to check")
+    parser.add_argument("dataflash", help="Filename to dataflash dump")
+    args = parser.parse_args()
+
+    route = Route(args.route)
+    logs = [s for s in route.log_paths() + route.qlog_paths() if s is not None]
+
+    with open(args.dataflash, 'rb') as f:
+        data = f.read()
+
+    sync_msg_seen = False
+    for path in logs:
+        log = LogReader(path)
+
+        for msg in log:
+            if msg.which == 'can':
+                for c in msg.can:
+                    if c.src == 0 and c.address == 0xf:
+                        print("Sync Msg", c.dat.hex())
+                        find_key(data, c.dat)
+                        sync_msg_seen = True
+
+    if not sync_msg_seen:
+        print("Warning: No SecOC Synchronization message in route")

extract_keys.py

@@ -181,9 +181,9 @@ def get_secoc_key(key_struct):
     erase = b"\x31\x01\xff\x00" + data
     isotp_send(panda, erase, ADDR, bus=BUS)
 
-    print("\nDumping keys...")
-    start = 0xfebe6e34
-    end = 0xfebe6ff4
+    print("\nDumping dataflash...")
+    start = 0xff200000
+    end = 0xff208000
 
     extracted = b""
 
@@ -212,24 +212,3 @@ def get_secoc_key(key_struct):
 
                     start += 4
                     pbar.update(4)
-
-    key_1_ok = verify_checksum(get_key_struct(extracted, 1))
-    key_4_ok = verify_checksum(get_key_struct(extracted, 4))
-
-    if not key_1_ok or not key_4_ok:
-        print("SecOC key checksum verification failed!")
-        exit(1)
-
-    key_1 = get_secoc_key(get_key_struct(extracted, 1))
-    key_4 = get_secoc_key(get_key_struct(extracted, 4))
-
-    print("\nECU_MASTER_KEY   ", key_1.hex())
-    print("SecOC Key (KEY_4)", key_4.hex())
-
-    try:
-        from openpilot.common.params import Params
-        params = Params()
-        params.put("SecOCKey", key_4.hex())
-        print("\nSecOC key written to param successfully!")
-    except Exception:
-        print("\nFailed to write SecOCKey param")

shellcode/build_docker.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-
+set -e
 
 docker build -t v850-gcc .
 docker run --rm -v $(pwd):/src v850-gcc ./build.sh

shellcode/main.c

@@ -10,8 +10,8 @@ void exploit() {
 
     asm("di");
 
-    int *addr = 0xfebe6e34;
-    while (addr < 0xfebe6ff4) {
+    int *addr = 0xff200000;
+    while (addr < 0xff208000) {
         int i = 0x10;
 
         if ((*(RSCFDnCFDTMSTSp + i) & 0b110) != 0) {
@@ -45,6 +45,10 @@ void exploit() {
         addr++;
     }
 
-    void (*bl_reset)(void) = (void (*)(void))0x0000157e;
-    bl_reset();
+    while (1) {
+        ;
+    }
+
+    // void (*bl_reset)(void) = (void (*)(void))0x0000157e;
+    // bl_reset();
 }