bri3d / VW_Flash

Flashing tools for VW AG control units over UDS. Compression, encryption, RSA bypass, and checksums are supported for Simos18.1/6/10, DQ250-MQB, DQ381-MQB, and Haldex4Motion-Gen5-MQB.

Outline how to hook #1

Closed brandonros closed 3 years ago

brandonros commented 3 years ago

you have to create a hook to it so that when code executes, it redirects to your loader code

bri3d commented 3 years ago

Yes, because the CBOOT loader I've written is position independent (doesn't use relative addressing at all) it's really easy to find it a home in ASW and hook to it. I like putting it in ASW3; waiting to write over ASW1 is painful. Because we can only flip bits up, we need to find some nops to overwrite.

In my O20 version ASW3, there's a nice task initialization function starting at 8088962c with a big long sled of nops at 8088965c. The nop sled is so long that you can put whatever you want there, really - either a short position-dependent call instruction or even a full-blown load-and-call.

There's also a truly enormous sea of free space to add the function to near the end of ASW3.

Assuming we pick 808fdd00 as the free space to overwrite with the function and we want to boundary-align our patch:

80889660 91 00 09 f8     movh.a     a15,#0x8090
80889664 d9 ff c0 4d     lea        a15,[a15]-0x2300
80889668 2d 0f 00 00     calli      a15=>FUN_808fdd00

Does the trick well.

I'll add this to the docs once I upload the end-to-end solution for my O20 ASW, since I will then include the full ASW3 overlay payload.
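The script below is an added example, not code from bri3d or from VW_Flash. It checks a patch of the kind described in the comment above before it is ever written: it locates zero-byte nop sleds in a flash image slice, verifies that the replacement bytes only flip bits up (no 1 bit in the existing flash goes to 0) and that the patch is word-aligned, and decodes the quoted movh.a / lea / calli sequence to confirm which address the hook actually lands on. The instruction bit layouts (RLC for movh.a, BOL for lea, RR for calli) are taken from the TriCore instruction set documentation; the 48-byte image slice, its base address 0x80889640 and the 16-byte sled length are constructed sample data, and the "bits only go 0 to 1" reading of the comment is an assumption stated in the code.

```python
import struct

# Bytes quoted in the comment above: the hook sequence written at 80889660.
PATCH_BYTES = bytes.fromhex("910009f8" "d9ffc04d" "2d0f0000")

# Constructed sample image slice (NOT real firmware): 28 bytes of filler that
# only contain short zero runs, then a 16-byte run of 0x00 (TriCore 16-bit nop
# is 0x0000), then more filler. IMAGE_BASE is chosen so the sled sits at 8088965c.
IMAGE_BASE = 0x80889640
IMAGE = b"\x6d\x00\x00\x80" * 7 + b"\x00" * 16 + b"\x6d\x00\x00\x80"


def le32(b: bytes) -> int:
    """TriCore stores instruction words little-endian."""
    return struct.unpack("<I", b)[0]


def sext16(v: int) -> int:
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v


def decode_movh_a(word: int):
    """RLC format: op1 [7:0]=0x91, const16 [27:12], d (address reg) [31:28]."""
    if word & 0xFF != 0x91:
        raise ValueError("not a movh.a instruction")
    return word >> 28, (word >> 12) & 0xFFFF


def decode_lea_bol(word: int):
    """BOL format: op1 [7:0]=0xD9, d [11:8], s1 [15:12], off16 split across
    [21:16] -> off[5:0], [27:22] -> off[15:10], [31:28] -> off[9:6]."""
    if word & 0xFF != 0xD9:
        raise ValueError("not a BOL-format lea instruction")
    d = (word >> 8) & 0xF
    s1 = (word >> 12) & 0xF
    off = ((word >> 16) & 0x3F) | (((word >> 28) & 0xF) << 6) | (((word >> 22) & 0x3F) << 10)
    return d, s1, sext16(off)


def decode_calli_rr(word: int) -> int:
    """RR format: op1 [7:0]=0x2D, s1 (register holding the target) [11:8]."""
    if word & 0xFF != 0x2D:
        raise ValueError("not a calli instruction")
    return (word >> 8) & 0xF


def resolve_hook_target(patch: bytes) -> int:
    """Follow movh.a -> lea -> calli through one address register and return
    the absolute call target, rejecting sequences whose registers don't chain."""
    if len(patch) != 12:
        raise ValueError("expected three 32-bit instructions")
    w0, w1, w2 = (le32(patch[i:i + 4]) for i in (0, 4, 8))
    d0, hi = decode_movh_a(w0)
    d1, s1, off = decode_lea_bol(w1)
    s_call = decode_calli_rr(w2)
    if not (d0 == d1 == s1 == s_call):
        raise ValueError("movh.a/lea/calli do not use the same address register")
    return ((hi << 16) + off) & 0xFFFFFFFF


def flips_bits_up_only(old: bytes, new: bytes) -> bool:
    """Assumption from the comment: a write may only turn 0 bits into 1 bits.
    True if no bit that is 1 in `old` becomes 0 in `new`."""
    if len(old) != len(new):
        raise ValueError("length mismatch")
    return all((o & ~n) & 0xFF == 0 for o, n in zip(old, new))


def find_nop_sleds(image: bytes, base: int, min_len: int = 12):
    """Return (address, length) for every run of 0x00 bytes of at least min_len."""
    sleds, i, n = [], 0, len(image)
    while i < n:
        if image[i] != 0:
            i += 1
            continue
        j = i
        while j < n and image[j] == 0:
            j += 1
        if j - i >= min_len:
            sleds.append((base + i, j - i))
        i = j
    return sleds


def check_patch(image: bytes, base: int, addr: int, patch: bytes) -> int:
    """Validate alignment and the bit-flip constraint, then return the
    decoded hook target so it can be compared against the intended function."""
    if addr % 4:
        raise ValueError("patch is not word-aligned")
    off = addr - base
    if off < 0 or off + len(patch) > len(image):
        raise ValueError("patch falls outside the image slice")
    if not flips_bits_up_only(image[off:off + len(patch)], patch):
        raise ValueError("patch would clear bits that are already set")
    return resolve_hook_target(patch)


if __name__ == "__main__":
    print("nop sleds:", [(hex(a), n) for a, n in find_nop_sleds(IMAGE, IMAGE_BASE)])
    print("hook target:", hex(check_patch(IMAGE, IMAGE_BASE, 0x80889660, PATCH_BYTES)))
```

On the quoted bytes the decoder resolves 0x8090 << 16 plus the sign-extended offset 0xDD00 (-0x2300) to 808fdd00, matching the FUN_808fdd00 label in the listing, and the constructed sled at 8088965c is long enough for the 12-byte sequence starting at the aligned address 80889660.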