jglim / UnlockECU

Free, open-source ECU seed-key unlocking tool.
MIT License

XOR algo and VAGSA2 algo? #28

Open GBozkir opened 1 year ago

GBozkir commented 1 year ago

Hello,

The readme says that the XOR algo and VAGSA2 algo are supported. I downloaded the application but don't see them. Also not in the web application. Did something happen to them? :-)

Brgds

Feezex commented 1 year ago

What is VAGSA2? Which readme? Post a text that points to that ECU.

GBozkir commented 1 year ago

Look at the line beginning with ###..

Currently, these security providers are available:

DaimlerStandardSecurityAlgo
DaimlerStandardSecurityAlgoMod
DaimlerStandardSecurityAlgoRefG
DRVU_PROF
EDIFF290
EsLibEd25519
ESPSecurityAlgoLevel1
IC172Algo1
IC172Algo2
MarquardtSecurityAlgo
OCM172
PowertrainBoschContiSecurityAlgo1
PowertrainBoschContiSecurityAlgo2
PowertrainDelphiSecurityAlgo
PowertrainSecurityAlgo
PowertrainSecurityAlgo2
PowertrainSecurityAlgo3
PowertrainSecurityAlgoNFZ
RBTM
RDU222
RVC222_MPC222_FCW246_LRR3
SWSP177
VGSSecurityAlgo
### VolkswagenSA2
XorAlgo

Feezex commented 1 year ago

XorAlgo was made for the CR3_UP ECU. SA2 is implemented at UnlockECU/UnlockECU/Security/VolkswagenSA2.cs, but there's no definition for it.

GBozkir commented 1 year ago

So how to get seeds calculated for a VAG ECU?

Feezex commented 1 year ago

add definition to db.json

GBozkir commented 1 year ago

What I don't understand: is this algorithm used for all of these ECUs?

Feezex commented 1 year ago

I'm not a specialist at VAG, maybe you can give us an answer.

GBozkir commented 1 year ago

I can give you the answer if I can add the function to db.json :-)

Feezex commented 1 year ago

Let's ask a boss to add it in the right way.

```csharp
public override bool GenerateKey(byte[] inSeed, byte[] outKey, int accessLevel, List<Parameter> parameters)
{
    byte[] tape = GetParameterBytearray(parameters, "InstructionTape");
```

This may be the main trouble. As far as I understand, this algo is shared over the internet; if you know the InstructionTape for different ECUs, you can generate keys.

GBozkir commented 1 year ago

Aha ok.. trying to get the instructiontape for an ECU that is locked.. so the firmware is encrypted.. first have to find out how to get this instructiontape.. the instructiontape should be on line 0x000001bc..

Feezex commented 1 year ago

at OTP ? xDD

Feezex commented 1 year ago

read here .sgo files (at 0x000001bc) inside ROM dumps in different locations. So you have to find the SGO with the exact number, and extract the Tape value

GBozkir commented 1 year ago

Right.. but the problem is.. a virtual cockpit doesn't have an sgo or frf file.. there are only SD card flash softwares available..

Feezex commented 1 year ago

directed-by-robert-weide

jglim commented 1 year ago

Sergey answers correctly in this post. The algos are implemented, but there are no definitions.

The VW SA2 algo is implemented from https://github.com/bri3d/sa2_seed_key. I haven't got to extracting the key parameters yet as I don't have a source for the FRF/ODX files (there's a good guide in the same repo). That being said, I don't think this will solve your issue as your key material isn't in the FRF/ODX.