jglim
commented
1 week ago Some CBFs do not have a SecurityAccess DLL or JAR and instead they have a custom scripting language inside of them where seed/key can be accessed?
Yes that's true. No DLLs are embedded in the CBF for both of those targets. They are capable of unlocking the ECU for flashing the firmware, and the keys are generated through their own scripting language.
How can I execute/run them or see their logic/decompile their instruction set?
Vediamo is probably the easiest way to get that done. Some discussion in the issue here: https://github.com/jglim/UnlockECU/issues/12 , there's also an experimental DLL hook to trace the instructions as they are getting executed.
It isn't clear to me if when CaesarSuite runs a diagnostic job if it can run this custom language from the interpreter or if it skips over it?
I've reversed the interpreter far enough to build a partially-functional interpreter. However this is only available in the v2 branch, which is a significant rewrite and is missing a lot of functionality from the current version.
At this point, there are enough implemented opcodes for the IC204 on my bench to be flashed successfully, purely using the logic from the CBF file, though I am far from confident enough to recommend it for general use.
brandonros
I see this is hidden by default/off by default:
https://github.com/jglim/CaesarSuite/blob/main/Caesar/Diogenes/Forms/MainForm.Designer.cs#L375-L376
I seem it goes to this:
https://github.com/jglim/CaesarSuite/blob/main/Caesar/Caesar/DSCContext.cs
I also see your comment here:
https://github.com/jglim/UnlockECU/issues/13#issuecomment-1001097755
Can you help clarify if this is true:
Some CBFs do not have a SecurityAccess DLL or JAR and instead they have a custom scripting language inside of them where seed/key can be accessed?
You did a great job being able to dump and extract properly these
PALfiles. I just wanted to better understand their structure. How can I execute/run them or see their logic/decompile their instruction set?It isn't clear to me if when CaesarSuite runs a diagnostic job if it can run this custom language from the interpreter or if it skips over it?