Open brandonros opened 1 month ago
Some CBFs do not have a SecurityAccess DLL or JAR and instead they have a custom scripting language inside of them where seed/key can be accessed?
Yes that's true. No DLLs are embedded in the CBF for both of those targets. They are capable of unlocking the ECU for flashing the firmware, and the keys are generated through their own scripting language.
How can I execute/run them or see their logic/decompile their instruction set?
Vediamo is probably the easiest way to get that done. Some discussion in the issue here: https://github.com/jglim/UnlockECU/issues/12; there's also an experimental DLL hook to trace the instructions as they are getting executed.
It isn't clear to me whether, when CaesarSuite runs a diagnostic job, it can run this custom language from the interpreter or if it skips over it?
I've reversed the interpreter far enough to build a partially-functional interpreter. However this is only available in the v2 branch, which is a significant rewrite and is missing a lot of functionality from the current version.
At this point, there are enough implemented opcodes for the IC204 on my bench to be flashed successfully, purely using the logic from the CBF file, though I am far from confident enough to recommend it for general use.
Thank you. I need to run through this. Let me see if I can help/test.
Where might I find this experimental hook trace DLL that logs executed instructions?
The given key '264' was not present in the dictionary on InterpreterMemory
GetTrackedObjectAtAddress
Looks like the 0x2d7 Unk2 instruction needs a touch more work:
Let me see if I can find what it is.
This might be it as well:
Unhandled opcode 0x0094 at cycle 1501
Let me see if I can find all the undefined opcodes from this CBF script I have.
I see this is hidden by default/off by default:
https://github.com/jglim/CaesarSuite/blob/main/Caesar/Diogenes/Forms/MainForm.Designer.cs#L375-L376
I see it goes to this:
https://github.com/jglim/CaesarSuite/blob/main/Caesar/Caesar/DSCContext.cs
I also see your comment here:
https://github.com/jglim/UnlockECU/issues/13#issuecomment-1001097755
Can you help clarify if this is true:
Some CBFs do not have a SecurityAccess DLL or JAR and instead they have a custom scripting language inside of them where seed/key can be accessed?
You did a great job being able to dump and properly extract these PAL files. I just wanted to better understand their structure. How can I execute/run them or see their logic/decompile their instruction set? It isn't clear to me whether, when CaesarSuite runs a diagnostic job, it can run this custom language from the interpreter or if it skips over it?