MuffinFlavored
24th January, 2020, 03:40 AM
This is the routine for checksum + digital signature check after UDS transfer/flash. It is a 0x80 length signature, meaning RSA-1024. Is this signature the same in ECU + TCU, or are the private keys different? I'm wondering if the same keys leaked from MED1775/MDG1 can be used for CPCNG.
MD5 (0009037336_001.SMR-F) = dd0bd4b69743e152da38caa834101f87
1 - ISOTP frame marker
08c - payload length
31 - UDS service 31 (activate routine)
01ff04 - routine identifier
0004 - checksum length
f52dd9e5 - checksum
0080 - signature length
5c8f7d33b4efec4a25cac075a7b24a2dfa4aacc14fa85506dc 6cc6bae41894b2192effa481b1d4fc14506c25ae899197d4d7 a90d568896fcc61805ee038de0816becc36235b62c79c1f6ad b0c304c586d81cd770b83a18d544ca28d88233cc4246c2b1f7 87e9a439803aa2369e2b22745c875443724be0e2a608ef6cc6 ff0de0 - signature from SMR-F XML
<?xml version="1.0" encoding="UTF-8"?>
<TRANSFORMATION-JOB MODEL-VERSION="0.0.3">
<INPUT-ENTITY FILE="X:\data/SW/2019-22/d5914b08-d86c-49a4-a6e0-7bdbdbb33ad7\18B_CPC_NG_Data__MC1C4131_T_PROD_0009 037336_192100.odx-f" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FILE-INPUT-ENTITY"/>
<OUTPUT-ENTITY>
<OUTPUT-PACKAGE-TYPE>FLASH</OUTPUT-PACKAGE-TYPE>
<OUTPUT-DIR>D:\Log\edlsts_tmp\smrf\apu1_22354758be16cad2ec3cf0 0\1\A0009037336_001_192100</OUTPUT-DIR>
</OUTPUT-ENTITY>
<TRANSFORMATION-DIRECTIVE DRY-RUN="false">
<HANDLE-SDG>
<SDG-INSERT xpath="/ODX/FLASH/ECU-MEMS/ECU-MEM">
<SHORT-NAME>TRANSFORMER</SHORT-NAME>
<LONG-NAME>EDLS</LONG-NAME>
<DESC/>
<VALUE>EDLS</VALUE>
</SDG-INSERT>
</HANDLE-SDG>
<FLASHDATA-HANDLING>
<FLASHKEYS>
<FLASHKEY FLASHKEY="0009037336_001_192100" NEW_FLASHKEY="0009037336_001">
<DATABLOCK-PROPERTIES>
<DATABLOCK-PROPERTY CREATE-NEW-SECURITY-ELEMENT="false" DATABLOCK-SHORTNAME="EDATA_18B_CPCNG_MC1C4131_T_PROD">
<SECURITY-CLASS>CCC</SECURITY-CLASS>
<SECURITY-KEY>A0009011107</SECURITY-KEY>
<SIGNATURE>5C8F7D33B4EFEC4A25CAC075A7B24A2DFA4AACC14FA85506DC 6CC6BAE41894B2192EFFA481B1D4FC14506C25AE899197D4D7 A90D568896FCC61805EE038DE0816BECC36235B62C79C1F6AD B0C304C586D81CD770B83A18D544CA28D88233CC4246C2B1F7 87E9A439803AA2369E2B22745C875443724BE0E2A608EF6CC6 FF0DE0</SIGNATURE>
</DATABLOCK-PROPERTY>
</DATABLOCK-PROPERTIES>
</FLASHKEY>
</FLASHKEYS>
</FLASHDATA-HANDLING>
</TRANSFORMATION-DIRECTIVE>
</TRANSFORMATION-JOB>
Does anybody know how to get CPCNG bootloader readout so we can find RSA-1024 key used to validate signature?
MD5 (0009037336_001.SMR-F) = dd0bd4b69743e152da38caa834101f87
1 - ISOTP frame marker
08c - payload length
31 - UDS service 31 (activate routine)
01ff04 - routine identifier
0004 - checksum length
f52dd9e5 - checksum
0080 - signature length
5c8f7d33b4efec4a25cac075a7b24a2dfa4aacc14fa85506dc 6cc6bae41894b2192effa481b1d4fc14506c25ae899197d4d7 a90d568896fcc61805ee038de0816becc36235b62c79c1f6ad b0c304c586d81cd770b83a18d544ca28d88233cc4246c2b1f7 87e9a439803aa2369e2b22745c875443724be0e2a608ef6cc6 ff0de0 - signature from SMR-F XML
<?xml version="1.0" encoding="UTF-8"?>
<TRANSFORMATION-JOB MODEL-VERSION="0.0.3">
<INPUT-ENTITY FILE="X:\data/SW/2019-22/d5914b08-d86c-49a4-a6e0-7bdbdbb33ad7\18B_CPC_NG_Data__MC1C4131_T_PROD_0009 037336_192100.odx-f" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FILE-INPUT-ENTITY"/>
<OUTPUT-ENTITY>
<OUTPUT-PACKAGE-TYPE>FLASH</OUTPUT-PACKAGE-TYPE>
<OUTPUT-DIR>D:\Log\edlsts_tmp\smrf\apu1_22354758be16cad2ec3cf0 0\1\A0009037336_001_192100</OUTPUT-DIR>
</OUTPUT-ENTITY>
<TRANSFORMATION-DIRECTIVE DRY-RUN="false">
<HANDLE-SDG>
<SDG-INSERT xpath="/ODX/FLASH/ECU-MEMS/ECU-MEM">
<SHORT-NAME>TRANSFORMER</SHORT-NAME>
<LONG-NAME>EDLS</LONG-NAME>
<DESC/>
<VALUE>EDLS</VALUE>
</SDG-INSERT>
</HANDLE-SDG>
<FLASHDATA-HANDLING>
<FLASHKEYS>
<FLASHKEY FLASHKEY="0009037336_001_192100" NEW_FLASHKEY="0009037336_001">
<DATABLOCK-PROPERTIES>
<DATABLOCK-PROPERTY CREATE-NEW-SECURITY-ELEMENT="false" DATABLOCK-SHORTNAME="EDATA_18B_CPCNG_MC1C4131_T_PROD">
<SECURITY-CLASS>CCC</SECURITY-CLASS>
<SECURITY-KEY>A0009011107</SECURITY-KEY>
<SIGNATURE>5C8F7D33B4EFEC4A25CAC075A7B24A2DFA4AACC14FA85506DC 6CC6BAE41894B2192EFFA481B1D4FC14506C25AE899197D4D7 A90D568896FCC61805EE038DE0816BECC36235B62C79C1F6AD B0C304C586D81CD770B83A18D544CA28D88233CC4246C2B1F7 87E9A439803AA2369E2B22745C875443724BE0E2A608EF6CC6 FF0DE0</SIGNATURE>
</DATABLOCK-PROPERTY>
</DATABLOCK-PROPERTIES>
</FLASHKEY>
</FLASHKEYS>
</FLASHDATA-HANDLING>
</TRANSFORMATION-DIRECTIVE>
</TRANSFORMATION-JOB>
Does anybody know how to get CPCNG bootloader readout so we can find RSA-1024 key used to validate signature?