VW has an online service called GeKo which allows a workshop to program keys to a vehicle. The question is: what if you have no internet access, or cannot bring the car to a dealer?
“What is GeKo?
GeKo (security and component protection) is a feature which is available to users with the online connection of the Offboard Diagnostic Information System software and allows teaching of engine immobiliser components (e.g. instrument clusters, engine control unit), keys and component protection (e.g. air conditioner, navigation, etc.) of the vehicle.”
This is a walk-through of how I disassembled the control unit firmware to identify the routines and the procedure needed to perform this key-programming function offline.
I managed to obtain a sniffed CAN log of a key being added to a VW with a UDS dashboard; a snippet of that log is below. Adding a key is normally done with online access, but what happens if we don't have online access, or the car is too far away from a dealer? I'll explain here. A log makes understanding a lot easier.
02 10 03
06 50 03 00 32 00 C8
03 22 02 ED
0B 62 02 ED 06 00 01 FE 03 00 03 00
03 22 F1 A5
03 7F 22 31
03 22 02 E0
07 62 02 E0 C2 CC 1C E6
03 22 02 ED
0B 62 02 ED 06 00 01 FE 03 00 03 00
09 2E F1 98 80 00 00 04 44 1F
03 6E F1 98
06 2E F1 99 17 06 27
03 6E F1 99
02 10 03
06 50 03 00 32 00 C8
07 2E 02 E1 A2 F5 01 01
03 7F 2E 78
03 6E 02 E1
In the log I identified some significant bytes that change from one key-adding session to the next. They were marked in red in the original; the two that matter for what follows are the data returned for 22 02 E0 (C2 CC 1C E6) and the payload written with 2E 02 E1 (A2 F5 01 01). But how do we determine what is computed here? On their own the values look like random junk, so to get some structure and understanding let's get a flash dump of a dashboard.
There are several ways to obtain one. We cover this in our training sessions and will soon publish some articles on obtaining vehicle control unit flash dumps.
Tools I used -:
1) Hex editor
2) IDA Pro
Let me break down the log a little for the sake of completeness. The first byte of each record is the payload length (the ISO-TP single-frame PCI for the short ones); the rest is the UDS message. "0x22" is ReadDataByIdentifier and "0x2E" is WriteDataByIdentifier, each followed by a 16-bit data identifier (DID).

02 10 03                              DiagnosticSessionControl (0x10): start extended diagnostic session (0x03)
06 50 03 00 32 00 C8                  positive response (P2 = 0x0032 ms, P2* = 0x00C8 x 10 ms)
03 22 02 ED                           ReadDataByIdentifier (0x22), DID 0x02ED
0B 62 02 ED 06 00 01 FE 03 00 03 00   positive response
03 22 F1 A5                           ReadDataByIdentifier (0x22), DID 0xF1A5
03 7F 22 31                           negative response, NRC 0x31 requestOutOfRange
03 22 02 E0                           ReadDataByIdentifier (0x22), DID 0x02E0
07 62 02 E0 C2 CC 1C E6               positive response, data C2 CC 1C E6
03 22 02 ED                           ReadDataByIdentifier (0x22), DID 0x02ED
0B 62 02 ED 06 00 01 FE 03 00 03 00   positive response
09 2E F1 98 80 00 00 04 44 1F         WriteDataByIdentifier (0x2E), DID 0xF198 → WSN*
03 6E F1 98                           positive response
06 2E F1 99 17 06 27                  WriteDataByIdentifier (0x2E), DID 0xF199 → date
03 6E F1 99                           positive response
02 10 03                              DiagnosticSessionControl (0x10): start extended diagnostic session (0x03)
06 50 03 00 32 00 C8                  positive response
07 2E 02 E1 A2 F5 01 01               WriteDataByIdentifier (0x2E), DID 0x02E1, data A2 F5 01 01
03 7F 2E 78                           negative response, NRC 0x78 requestCorrectlyReceived-ResponsePending (the ECU is still working on it)
03 6E 02 E1                           positive response

WSN* → Workshop number
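To make the breakdown above repeatable on other captures, here is an added example (not code from the original post) that turns the raw log into the annotated form. It assumes each record starts with a length byte followed by the UDS message, as in the log shown here, and that a record printed over two lines is just a continuation of the same record, so the whole log is treated as one byte stream. The DID names for 0xF198/0xF199 are the ISO 14229 standard ones; the 0x02Ex DIDs are VW-specific and are labelled only by what this write-up says about them. The `LOG` constant is the capture from this article, copied verbatim.

```python
from __future__ import annotations

# Log copied from the capture above (same bytes, nothing added or changed).
LOG = """
02 10 03
06 50 03 00 32 00 C8
03 22 02 ED
0B 62 02 ED 06 00 01 FE 03 00 03 00
03 22 F1 A5
03 7F 22 31
03 22 02 E0
07 62 02 E0 C2 CC 1C E6
03 22 02 ED
0B 62 02 ED 06 00 01 FE 03 00 03 00
09 2E F1 98 80 00 00 04 44 1F
03 6E F1 98
06 2E F1 99 17 06 27
03 6E F1 99
02 10 03
06 50 03 00 32 00 C8
07 2E 02 E1 A2 F5 01 01
03 7F 2E 78
03 6E 02 E1
"""

SERVICE_NAMES = {0x10: "DiagnosticSessionControl", 0x22: "ReadDataByIdentifier",
                 0x2E: "WriteDataByIdentifier", 0x27: "SecurityAccess"}
SESSION_NAMES = {0x01: "default", 0x02: "programming", 0x03: "extended"}
NRC_NAMES = {0x31: "requestOutOfRange", 0x33: "securityAccessDenied",
             0x78: "requestCorrectlyReceived-ResponsePending"}
DID_NAMES = {0xF198: "repairShopCodeOrTesterSerialNumber (WSN)",   # ISO 14229 name
             0xF199: "programmingDate",                             # ISO 14229 name
             0x02E0: "VW, input to the immo calculation (per write-up)",
             0x02E1: "VW, key adaptation write (per write-up)",
             0x02ED: "VW, not described in the write-up"}


def parse_log(text: str) -> list[bytes]:
    """Split the log into UDS messages using the leading length byte of each record."""
    stream = bytes.fromhex("".join(text.split()))
    records, i = [], 0
    while i < len(stream):
        n = stream[i]
        if n == 0 or i + 1 + n > len(stream):
            raise ValueError(f"bad length byte 0x{n:02X} at offset {i}")
        records.append(stream[i + 1:i + 1 + n])
        i += 1 + n
    return records


def describe(msg: bytes) -> str:
    """One-line annotation of a UDS request or response (ISO 14229 service/NRC names)."""
    sid = msg[0]
    if sid == 0x7F:                       # negative response: 7F <requested SID> <NRC>
        req, nrc = msg[1], msg[2]
        return (f"negative response to {SERVICE_NAMES.get(req, f'0x{req:02X}')}: "
                f"NRC 0x{nrc:02X} {NRC_NAMES.get(nrc, 'unknown')}")
    base, kind = sid & 0xBF, ("response" if sid & 0x40 else "request")  # bit 6 = response
    name = SERVICE_NAMES.get(base, f"service 0x{base:02X}")
    if base == 0x10:
        text = f"{name} {kind}: {SESSION_NAMES.get(msg[1], f'0x{msg[1]:02X}')} session"
        if kind == "response" and len(msg) >= 6:   # P2 in 1 ms units, P2* in 10 ms units
            p2 = int.from_bytes(msg[2:4], "big")
            p2s = int.from_bytes(msg[4:6], "big") * 10
            text += f" (P2 = {p2} ms, P2* = {p2s} ms)"
        return text
    if base in (0x22, 0x2E):
        did, data = int.from_bytes(msg[1:3], "big"), msg[3:]
        text = f"{name} {kind}: DID 0x{did:04X} {DID_NAMES.get(did, '')}".rstrip()
        if did == 0xF199 and len(data) == 3:   # assumed BCD YY MM DD, which is how 17 06 27 reads
            text += f" = 20{data[0]:02X}-{data[1]:02X}-{data[2]:02X}"
        elif data:
            text += " data " + data.hex(" ").upper()
        return text
    return f"{name} {kind}: {msg.hex(' ').upper()}"


def annotate(text: str) -> list[str]:
    """Raw bytes on the left, meaning on the right, one line per record."""
    return [f"{rec.hex(' ').upper():<36} {describe(rec)}" for rec in parse_log(text)]


def extract_immo_bytes(records: list[bytes]) -> dict[str, bytes]:
    """The two values this write-up tracks: what 22 02 E0 returned and what 2E 02 E1 wrote."""
    out: dict[str, bytes] = {}
    for rec in records:
        if len(rec) < 4:
            continue
        did = int.from_bytes(rec[1:3], "big")
        if rec[0] == 0x62 and did == 0x02E0:
            out["read_02E0"] = rec[3:]
        elif rec[0] == 0x2E and did == 0x02E1:
            out["write_02E1"] = rec[3:]
    return out


if __name__ == "__main__":
    for line in annotate(LOG):
        print(line)
    print(extract_immo_bytes(parse_log(LOG)))
```

Running it prints the same annotation as the breakdown above and ends with the two byte strings to correlate against the firmware: the 0x02E0 answer (C2 CC 1C E6) and the 0x02E1 payload (A2 F5 01 01). On a real bus capture the 0x1x/0x2x first and consecutive ISO-TP frames would need reassembling first; this log already shows whole payloads with a length byte, which is what the parser relies on.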
The very first step after loading the dashboard firmware into IDA is to look for the command handlers. From the log I know I need the routine that builds the answer to the 22 02 E0 command and the routine that processes the 2E 02 E1 command. So in the hex editor I searched for the service IDs stored as 32-bit words, i.e. 22 00 00 00 and 2E 00 00 00 (at least in this example), and made a struct in IDA at the address found.
After establishing where the 0x22 and 0x2E commands are handled, let's start by tracking down the 0x22 command. After some tracing in the disassembler there is a switch over the different sub-commands (the DIDs). I look for 02 E0 and find it first in the table.
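The two searches described above (the hex-editor search for service IDs stored as 32-bit words, then the hunt for the 02 E0 sub-command entry), as an added example that is not part of the original post. It scans a flash dump for bare service-ID words, groups runs of them into candidate dispatch tables, and then locates a 16-bit DID in either byte order. The `{u32 service_id, u32 handler}` entry layout, the little-endian word order and the `flash_base` address are assumptions made for the example; the real dashboard layout is whatever IDA shows. The firmware image is constructed inline and is not a real dump.

```python
from __future__ import annotations
import struct

# UDS service identifiers worth looking for in a dispatch table (ISO 14229).
UDS_SIDS = {0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x27, 0x28, 0x2E, 0x31,
            0x34, 0x36, 0x37, 0x3E, 0x85}


def find_sid_words(image: bytes, sids=UDS_SIDS, endian: str = "<") -> list[tuple[int, int]]:
    """The hex-editor search from the write-up, automated: every 4-byte aligned
    word holding a bare service id (22 00 00 00 is 0x22 little-endian)."""
    hits = []
    for off in range(0, len(image) - 3, 4):
        (word,) = struct.unpack_from(endian + "I", image, off)
        if word in sids:
            hits.append((off, word))
    return hits


def find_dispatch_tables(image: bytes, flash_base: int, min_entries: int = 3,
                         endian: str = "<") -> list[tuple[int, list[tuple[int, int]]]]:
    """Group hits into candidate handler tables. Assumed (hypothetical) entry layout:
    {u32 service_id, u32 handler}. An entry only counts if its handler pointer lands
    inside the flash image, which filters lone service-id-looking words."""
    flash_end = flash_base + len(image)
    tables, off = [], 0
    while off + 8 <= len(image):
        entries, cur = [], off
        while cur + 8 <= len(image):
            sid, handler = struct.unpack_from(endian + "II", image, cur)
            if sid not in UDS_SIDS or not (flash_base <= handler < flash_end):
                break
            entries.append((sid, handler))
            cur += 8
        if len(entries) >= min_entries:
            tables.append((off, entries))
            off = cur
        else:
            off += 4
    return tables


def find_did_refs(image: bytes, did: int) -> list[tuple[int, str]]:
    """Step two from the write-up: where a 16-bit DID such as 0x02E0 sits in the
    service's sub-command switch. Both byte orders are reported, since the
    compare or table may store the DID either way."""
    refs = []
    for endian in ("<", ">"):
        pattern = struct.pack(endian + "H", did)
        start = image.find(pattern)
        while start != -1:
            refs.append((start, endian))
            start = image.find(pattern, start + 1)
    return refs


def build_sample_image(flash_base: int = 0x00100000, size: int = 0x400) -> tuple[bytes, int]:
    """Constructed toy firmware image (not a real dump): erased flash (0xFF) with a
    four-entry dispatch table at 0x200, a DID 0x02E0 constant at 0x240 and a decoy
    lone 0x22 word at 0x300 whose neighbour is not a flash pointer."""
    img = bytearray(b"\xFF" * size)
    handlers = [(0x10, flash_base + 0x40), (0x22, flash_base + 0x80),
                (0x2E, flash_base + 0xC0), (0x27, flash_base + 0x100)]
    for i, (sid, addr) in enumerate(handlers):
        struct.pack_into("<II", img, 0x200 + 8 * i, sid, addr)
    struct.pack_into("<H", img, 0x240, 0x02E0)
    struct.pack_into("<II", img, 0x300, 0x22, 0xDEADBEEF)
    return bytes(img), flash_base


if __name__ == "__main__":
    image, base = build_sample_image()
    for off, sid in find_sid_words(image):
        print(f"0x{off:04X}: service 0x{sid:02X}")
    for off, entries in find_dispatch_tables(image, base):
        print(f"table at 0x{off:04X}: " +
              ", ".join(f"0x{s:02X}->0x{h:08X}" for s, h in entries))
    print("DID 0x02E0 at", [(hex(o), e) for o, e in find_did_refs(image, 0x02E0)])
```

Against a real dump, set `flash_base` to the load address you gave IDA and try `endian=">"` as well; the decoy entry at 0x300 shows why the pointer-range check matters, since a bare 0x22 word also turns up as immediates and data.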
Here is the final 22 02 E0 function, which takes data from 0x3FF496D and copies it into the answer (19[ep] etc.).
Now we look at 2E 02 E1. There is no table or switch this time for the sub-commands, just a hard-coded compare and jump. After some more tracing I find an interesting function that XORs the immo PIN with some calculated value and compares the result with the first two bytes of the 2E 02 E1 payload.
The address I labelled xor_2_byte_for_pin is where I should start investigating. The cross-references to this RAM address lead to several functions, but most of them only read data from xor_2_byte_for_pin. I need the function that WRITES to it. Once found, this function turns out to build a table from data generated by two main functions and then store it at our location.
The first function is this one; it takes some fixed values from flash, 6 bytes of the CS (a random number used in VAG immobiliser systems) and the answer to the 22 02 E0 command. Bingo!
After converting all of this into more readable C code I can try the calculation.
And the final output: compared with the log we received, it fits perfectly.
We can now mark the project "Adding a key like online programming, in offline mode" as SOLVED.
Automotive control unit - Reverse Engineering Training
If you are interested in learning about automotive control unit disassembly, let us know; we are setting up a list of interested people.
Course will cover -:
- Creating a CAN log
- Finding / extracting firmware to disassemble
- Loading firmware into IDA
- IDA basics
- Disassembling firmware to find the SKC (Seed & Key Calculation)
- Confirming the calculation against logs from OEM or other tools which support this function