Hi everyone. I've recently been studying how the immobiliser data (PIN, CS & MAC) is stored and encrypted on VAG EDC17 ECUs.
So far my understanding is as follows:
Every 17-series ECU has a unique OTP burned from the factory into its TriCore flash at 0x17F00, and it is a few lines long. The EEPROM is structured in blocks 0x80 bytes long, and the first byte of each block signifies its category.
The blocks of interest for immo data are blocks 08, 09 and 0A, and the immo data is repeated in these blocks. Each block also has 2 checksums: a 2-byte CRC near the beginning and a 4-byte CRC at the tail of the block. These algos have very kindly been RE'd and documented with source by H2Deetoo and ozzy_rp on NefMoto.
I understand that the immo data is ciphered with the OTP data, and therefore the EEPROM immo data cannot be deciphered or altered without being accompanied by its respective flash read (obviously the read must include the OTP section).
I am, however, at a total loss as to how to decrypt this small section of data. I thought it might be some sort of simple XOR/substitution and/or shuffling method, but despite my many attempts, I have been unable to get this algo worked out. I have found 2 functions pointing to 0x17F10 using Ghidra, but one returns a bool and the other returns a single byte, and I don't think either function/label is important.
If anyone could provide insight on the cipher or guidance in the right direction, it would be hugely appreciated.