Wednesday, August 2, 2017

Reverse Engineering VW online key programming function for Fun And Profit.


 
VW has an online service called GeKo which allows a dealer to program keys to a vehicle. The question is: what if you have no internet access, or cannot bring the car to the dealer?

What is GeKo?

“GeKo (security and component protection) is a feature which is available to users with an online connection of the Offboard Diagnostic Information System software and allows teaching of engine immobiliser components (e.g. instrument clusters, engine control unit), keys and component protection (e.g. air conditioner, navigation, etc.) of the vehicle.”

This is a walk-through of how I disassembled the control unit firmware to identify the routines and the procedure needed to perform key programming offline.

I managed to obtain a sniffed CAN log of a key being added to a VW with a UDS dashboard; a snippet of that log is below. Adding a key is done with online access, but what happens if we don't have online access or the car is too far from a dealer? I'll explain here.

A log makes understanding a lot easier.


02 10 03
06 50 03 00 32 00 C8
03 22 02 ED
0B 62 02 ED 06 00 01 FE 03 00 03 00
03 22 F1 A5
03 7F 22 31
03 22 02 E0
07 62 02 E0 C2 CC 1C E6
03 22 02 ED
0B 62 02 ED 06 00 01 FE 03 00 03 00
09 2E F1 98 80 00 00 04 44 1F
03 6E F1 98
06 2E F1 99 17 06 27
03 6E F1 99
02 10 03
06 50 03 00 32 00 C8
07 2E 02 E1 A2 F5 01 01
03 7F 2E 78
03 6E 02 E1

In the log I identified some significant bytes (highlighted in red in the original post): the reply to the 22 02 E0 request and the data written by the 2E 02 E1 request. But how to determine what is done with them? They look like random junk, so to get some structure and understanding, let's get a flash dump of the dashboard.

There are several ways to obtain one. We covered this in our training sessions and will soon publish some articles on obtaining flash dumps of vehicle control units.

Tools I used -:

1)    Hexeditor
2)    IDA PRO

Let me break down the log file a little for the sake of completeness.

02 10 03                              start extended diagnostic session (0x03)
06 50 03 00 32 00 C8                  positive response (P2 = 0x0032 ms, P2* = 0x00C8 x 10 ms)
03 22 02 ED                           read data by identifier (0x02ED)
0B 62 02 ED 06 00 01 FE 03 00 03 00   positive response with the data
03 22 F1 A5                           read data by identifier (0xF1A5)
03 7F 22 31                           negative response, NRC 0x31 requestOutOfRange (identifier not supported)
03 22 02 E0                           read data by identifier (0x02E0)
07 62 02 E0 C2 CC 1C E6               positive response: C2 CC 1C E6
03 22 02 ED                           read data by identifier (0x02ED)
0B 62 02 ED 06 00 01 FE 03 00 03 00   positive response with the data
09 2E F1 98 80 00 00 04 44 1F         write data by identifier (0xF198 → WSN*)
03 6E F1 98                           positive response
06 2E F1 99 17 06 27                  write data by identifier (0xF199 → programming date, BCD 2017-06-27)
03 6E F1 99                           positive response
02 10 03                              start extended diagnostic session (0x03)
06 50 03 00 32 00 C8                  positive response
07 2E 02 E1 A2 F5 01 01               write data by identifier (0x02E1): A2 F5 01 01
03 7F 2E 78                           negative response, NRC 0x78 requestCorrectlyReceivedResponsePending (not an error, the ECU is still busy)
03 6E 02 E1                           positive response: the write was accepted
WSN* → workshop number (ISO 14229-1 names 0xF198 repairShopCodeOrTesterSerialNumber)
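To make the breakdown above mechanical rather than by eye, here is a small decoder for this log. It is an added example, not code from the original post. It treats the first byte of each line as the ISO-TP single-frame length, names the services and the two standard ISO 14229-1 identifiers (0xF198, 0xF199), decodes the session timing parameters, and pairs each request with its final reply while counting NRC 0x78 "response pending" frames, which is why `7F 2E 78` followed by `6E 02 E1` is not a failure. The 0x02xx identifiers are VW-specific and are left unnamed.

```python
from dataclasses import dataclass
from typing import List, Optional

# The capture quoted in the post: length byte, then the UDS payload.
LOG = """\
02 10 03
06 50 03 00 32 00 C8
03 22 02 ED
0B 62 02 ED 06 00 01 FE 03 00 03 00
03 22 F1 A5
03 7F 22 31
03 22 02 E0
07 62 02 E0 C2 CC 1C E6
03 22 02 ED
0B 62 02 ED 06 00 01 FE 03 00 03 00
09 2E F1 98 80 00 00 04 44 1F
03 6E F1 98
06 2E F1 99 17 06 27
03 6E F1 99
02 10 03
06 50 03 00 32 00 C8
07 2E 02 E1 A2 F5 01 01
03 7F 2E 78
03 6E 02 E1
"""

SID_NAMES = {0x10: "DiagnosticSessionControl", 0x22: "ReadDataByIdentifier", 0x2E: "WriteDataByIdentifier"}
SESSIONS = {0x01: "default", 0x02: "programming", 0x03: "extendedDiagnostic"}
# ISO 14229-1 standard DIDs; the 0x02xx identifiers are VW-specific and stay unnamed.
DID_NAMES = {0xF198: "repairShopCodeOrTesterSerialNumber", 0xF199: "programmingDate"}
NRC_NAMES = {0x12: "subFunctionNotSupported", 0x13: "incorrectMessageLength", 0x22: "conditionsNotCorrect",
             0x31: "requestOutOfRange", 0x33: "securityAccessDenied", 0x35: "invalidKey",
             0x78: "requestCorrectlyReceivedResponsePending"}

@dataclass
class Msg:
    kind: str                       # "request", "positive" or "negative"
    sid: int                        # service ID of the request this message belongs to
    text: str                       # human-readable decoding
    did: Optional[int] = None
    data: bytes = b""
    nrc: Optional[int] = None
    p2_ms: Optional[int] = None     # session-control timing parameters (positive 0x50 only)
    p2star_ms: Optional[int] = None

@dataclass
class Exchange:
    request: Msg
    response: Msg                   # final answer: positive, or a real negative response
    pending: int                    # number of NRC 0x78 "still busy" replies that preceded it

def parse_frame(line: str) -> bytes:
    """Check the ISO-TP single-frame length byte and return the UDS payload."""
    raw = bytes.fromhex(line)
    if len(raw) < 2 or raw[0] != len(raw) - 1:
        raise ValueError(f"length byte does not match payload: {line!r}")
    return raw[1:]

def decode(p: bytes) -> Msg:
    if p[0] == 0x7F:                        # 7F <rejected SID> <NRC>
        sid, nrc = p[1], p[2]
        return Msg("negative", sid, f"NRC 0x{nrc:02X} {NRC_NAMES.get(nrc, '?')} to {SID_NAMES.get(sid, '?')}", nrc=nrc)
    is_resp, sid = bool(p[0] & 0x40), p[0] & ~0x40      # positive response = request SID + 0x40
    kind, name = ("positive" if is_resp else "request"), SID_NAMES.get(sid, f"SID 0x{sid:02X}")
    if sid == 0x10:                         # 10 <session>  /  50 <session> <P2:2> <P2* in 10 ms:2>
        m = Msg(kind, sid, f"{name} {SESSIONS.get(p[1] & 0x7F, hex(p[1]))}")
        if is_resp:
            m.p2_ms, m.p2star_ms = int.from_bytes(p[2:4], "big"), int.from_bytes(p[4:6], "big") * 10
            m.text += f" (P2={m.p2_ms} ms, P2*={m.p2star_ms} ms)"
        return m
    if sid in (0x22, 0x2E):                 # <SID> <DID:2> [data]
        did, data = int.from_bytes(p[1:3], "big"), p[3:]
        dname = DID_NAMES.get(did) or f"0x{did:04X}"
        return Msg(kind, sid, f"{name} {dname}" + (f" data={data.hex()}" if data else ""), did=did, data=data)
    return Msg(kind, sid, f"{name} {p[1:].hex()}")

def decode_log(log: str) -> List[Msg]:
    return [decode(parse_frame(l)) for l in log.splitlines() if l.strip()]

def pair_exchanges(msgs: List[Msg]) -> List[Exchange]:
    """Attach each response to its request; NRC 0x78 only means 'wait for the real answer'."""
    out, req, pending = [], None, 0
    for m in msgs:
        if m.kind == "request":
            req, pending = m, 0
        elif req is None or m.sid != req.sid:
            raise ValueError(f"response without matching request: {m.text}")
        elif m.kind == "negative" and m.nrc == 0x78:
            pending += 1
        else:
            out.append(Exchange(req, m, pending))
            req = None
    return out

def bcd_date(data: bytes) -> str:
    """Decode a YYMMDD BCD programming date (DID 0xF199): 17 06 27 -> 2017-06-27."""
    yy, mm, dd = (f"{b:02x}" for b in data)
    return f"20{yy}-{mm}-{dd}"

if __name__ == "__main__":
    for ex in pair_exchanges(decode_log(LOG)):
        tail = f"  [after {ex.pending} x 'response pending']" if ex.pending else ""
        print(f"{ex.request.text:50} -> {ex.response.text}{tail}")
```

Running the block prints the nine exchanges. The reply to 22 02 E0 (C2 CC 1C E6) and the first two bytes of the 02 E1 write (A2 F5) are the values the rest of the post tracks through the firmware.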


The very first step after loading the dashboard firmware into IDA is to look for the command handlers. From the log I know that I need the answer to the 22 02 E0 command and the processing of the 2E 02 E1 command.

So in the hex editor I searched for 22000000 and 2E000000 (the service IDs stored as 32-bit words, at least in this example) and defined a struct in IDA at the addresses found.
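The same search, scripted over the whole dump. This is an added example, not the author's tooling: it scans every aligned 32-bit word for a service ID and keeps only hits whose neighbouring word looks like a code pointer into the flash window, then groups consecutive entries into candidate dispatch tables, so that an isolated 22 00 00 00 that happens to appear in data does not send you down the wrong path. The entry layout `{u32 sid; u32 handler}`, the little-endian word order and the flash base 0x00800000 are assumptions, as is the constructed sample dump; substitute the real memory map of the target.

```python
import struct
from typing import List, Sequence, Tuple

# Service IDs whose handlers we want to locate (the post searched for 0x22 and 0x2E).
SIDS_OF_INTEREST = (0x10, 0x22, 0x27, 0x2E, 0x3E)
ENTRY_SIZE = 8                  # assumed table layout: struct { u32 sid; u32 handler; }
FLASH_BASE = 0x00800000         # assumed flash base; use the MCU's real memory map in practice

Hit = Tuple[int, int, int]      # (dump offset, sid, handler address)

def find_handler_entries(dump: bytes, flash_base: int, endian: str = "<",
                         sids: Sequence[int] = SIDS_OF_INTEREST) -> List[Hit]:
    """Every 4-byte-aligned {sid, pointer} pair whose pointer lands inside the flash window.
    A bare SID word followed by something that cannot be a code address is ignored."""
    fmt, flash_end, hits = endian + "II", flash_base + len(dump), []
    for off in range(0, len(dump) - ENTRY_SIZE + 1, 4):
        sid, handler = struct.unpack_from(fmt, dump, off)
        if sid in sids and flash_base <= handler < flash_end:
            hits.append((off, sid, handler))
    return hits

def group_tables(hits: List[Hit], min_entries: int = 2) -> List[List[Hit]]:
    """Cluster hits that sit ENTRY_SIZE apart. A real dispatch table holds several
    services back to back; a lone hit is usually a coincidence in data."""
    tables, run = [], []
    for h in hits:
        if run and h[0] != run[-1][0] + ENTRY_SIZE:
            if len(run) >= min_entries:
                tables.append(run)
            run = []
        run.append(h)
    if len(run) >= min_entries:
        tables.append(run)
    return tables

def build_sample_dump() -> bytes:
    """Constructed stand-in for a flash dump (not a real firmware): filler, a five-entry
    dispatch table at 0x100, a 0x22 word with a bogus pointer at 0x200 and a lone 0x2E at 0x380."""
    dump = bytearray(bytes(range(256)) * 4)           # 1 KiB of filler that matches no SID word
    for i, sid in enumerate(SIDS_OF_INTEREST):
        struct.pack_into("<II", dump, 0x100 + i * ENTRY_SIZE, sid, FLASH_BASE + 0x300 + i * 0x10)
    struct.pack_into("<II", dump, 0x200, 0x22, 0xFFFFFFFF)         # pointer outside flash: rejected
    struct.pack_into("<II", dump, 0x380, 0x2E, FLASH_BASE + 0x10)  # plausible but isolated: not a table
    return bytes(dump)

if __name__ == "__main__":
    hits = find_handler_entries(build_sample_dump(), FLASH_BASE)
    for table in group_tables(hits):
        print(f"candidate table at 0x{table[0][0]:X} with {len(table)} entries")
        for off, sid, handler in table:
            print(f"  0x{off:04X}: SID 0x{sid:02X} -> handler 0x{handler:08X}")
```

On a real dump, run `find_handler_entries` with the flash base from the datasheet and both endian settings; the table that `group_tables` reports is where the struct goes in IDA, and each handler address is the function to start tracing from.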




Having established where the 0x22 and 0x2E commands are handled, let's first track down the 0x22 command. After some tracing in the disassembler there is a switch for the different sub-commands (the data identifiers). I look for 02 E0 and find it first in the table.





Here is the final 22 02 E0 function, which takes data from 0x3FF496D and copies it into the answer (19[ep] etc.).



Now we look at the 2E 02 E1.



There is no table or switch this time for the sub-commands, just a hard-coded compare and jump. After some more tracing I find an interesting function that XORs the immobiliser PIN with some calculated value and compares the result with the first two bytes of the 2E 02 E1 data (A2 F5 in the log).



The address I labelled xor_2_byte_for_pin is where I should start investigating.

The RAM address is referenced from several functions, but most of them only read from xor_2_byte_for_pin. I need the function that WRITES to it (IDA's cross-reference list distinguishes read from write references, so filter for the write). Having found it, this is where the function builds a table from data generated by two main functions and stores it at our location.



The first function is this one: it takes some fixed values from flash, 6 bytes of the CS (a random number used in VAG immobiliser systems) and the answer to the 22 02 E0 command. Bingo!



After converting all of this into more readable C code, I can try the calculation.



And the final output:




Compared with the log we received, it fits perfectly.

We can now mark the project “Adding a key like online programming in offline mode” as SOLVED.


Automotive control unit - Reverse Engineering Training

If you are interested in learning about automotive control unit disassembly, let us know; we are setting up a list of interested people.

The course will cover -:

- Creating CAN log
- Finding / extracting firmware to disassemble
- Loading firmware into IDA
- IDA basics
- Disassembling firmware to find the SKC (Seed&Key Calculation)
- Confirming the calculation against logs from OEM or other tools that support this function



Sunday, August 31, 2014

Ecu data and flashing with Google Glass

Hi

So for a long while now we have been testing Google Glass and creating an app for flashing ECUs as well as displaying real-time data from the ECUs while racing. We are happy to announce that the app is now ready and fully functional; it should be available on the Play Store for Google Glass once we go through the necessary procedures...

Another first in SA and other parts of the world.



Friday, March 28, 2014

UAV development

Hello All

We have been hard at work releasing our surveillance drones equipped with thermal cameras; so far, here are some videos of the results.


Monday, June 3, 2013

Ford Ranger 3.2 TDCi

So most of the testing has been completed, and this is what we managed to achieve on the Ford Ranger 3.2 TDCi.

We are trying to get in contact with some Ford dealers or the Ford Racing team to get their thoughts on the current gains and on what they are currently achieving on these vehicles.





Tuesday, December 11, 2012

Project Dubai - fastest MB 63 in the UAE

Peace be upon you

PROJECT DUBAI

We are looking to work with any speed freaks in the UAE to do what we have done in South Africa and build the fastest Mercedes C/E/ML/CLS 63/55 in the UAE.

If you and your pocket are up for the challenge, we are ready to work with you!!!

email us on info@adamengineering.co.za


P.S. This is a project for MB, but if you have any other vehicle you want to make the strongest in the UAE, we can definitely help.

merry racing...


And again....