jglim / UnlockECU

Free, open-source ECU seed-key unlocking tool.
MIT License

Nice! #31

Closed Manevolent closed 12 months ago

Manevolent commented 1 year ago

I just came across your project and I am really loving the work you're doing here. I found it by googling one of the AES keys I happened across; the repo where I've been working so far is,

https://github.com/atlas-tuning/utilities

If it helps I have figured out the Subaru pak/pk2 file encryption in that repository, perhaps that could lead you somewhere on this project. If you need all the decrypted stuff I've done so far, I have a private GH repo I can share.

I am currently working on trying to figure out what the encryption is for Subaru ECU data on their DIT ECU, which seems to be some sort of Feistel cipher. If you have any leads on that it would be much appreciated!

jglim commented 1 year ago

Hello, thanks for sharing about your work! It's very cool to see a new set of open-source automotive tools.

So far, the bulk of my Subaru reversing is confined within CMD_FhiCan.dll. Most of the prior Subaru discussion is available here: https://github.com/jglim/UnlockECU/issues/25. That is also the same thread where we were figuring out the AES keys. We also made progress on decrypting their xml definitions.

As far as I know, they seem to like AES, so it could be useful to trace calls to CryptoAPI. Beyond that, I do not know enough about DIT ECUs to be of meaningful help. Tagging @jnewb1 as he's the Subaru expert around here; perhaps he might be able to advise further.

jnewb1 commented 12 months ago

> I just came across your project and I am really loving the work you're doing here. I found it by googling one of the AES keys I happened across; the repo where I've been working so far is,
>
> https://github.com/atlas-tuning/utilities
>
> If it helps I have figured out the Subaru pak/pk2 file encryption in that repository, perhaps that could lead you somewhere on this project. If you need all the decrypted stuff I've done so far, I have a private GH repo I can share.
>
> I am currently working on trying to figure out what the encryption is for Subaru ECU data on their DIT ECU, which seems to be some sort of Feistel cipher. If you have any leads on that it would be much appreciated!

Unfortunately I don't know much more than what we discovered here: https://github.com/jglim/UnlockECU/issues/25

but I saw that you decrypted the pk2 files! I'm definitely interested in that for my work on openpilot for subaru! I will check out your work!

Manevolent commented 12 months ago

@jnewb1 if I learn more about the encrypted flash data I will share back! I'm glad it's going to be of use! I just sent you an invite to the aforementioned private GH repo to save you the trouble of decrypting the library yourself.

jnewb1 commented 11 months ago

Did a bit of looking, managed to replicate your results and extract the MOT files from a pk2 file, which seem like they would be the raw memory that is flashed, but it also appears like that is encrypted too (high entropy on the extracted binary version). There is an "encode.exe" file within flashwrite that is referenced, and it also appears to have AES functions within it (found an expanded key and AES sbox/ibox). I'm wondering if that could be the final decryption before it's transferred to the ECU? https://github.com/jnewb1/eps-subaru
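The two observations in that last comment (a high-entropy extracted image, and an AES S-box plus a pre-expanded key sitting in encode.exe) are exactly the kind of thing a short triage script can confirm instead of eyeballing a hex dump. The following is an added example written for this page; it is not code from UnlockECU, from eps-subaru, or from any of the commenters, and it does not touch any real Subaru binary. It derives the FIPS-197 S-box and key schedule from scratch, then scans a blob for (a) the forward and inverse S-box tables verbatim and (b) any 176-byte window that is the AES-128 key schedule of its own first 16 bytes, which is what an "expanded key" left in a binary looks like. The `build_sample_blob` input is constructed here purely for demonstration, and the key embedded in it is the FIPS-197 Appendix A.1 test key, not anything from a Subaru tool.

```python
"""Added example, not UnlockECU / eps-subaru code: entropy check plus AES
S-box and expanded-key-schedule scan over a binary blob.  The sample blob at
the bottom is constructed for this demonstration only."""
import hashlib
import math
from collections import Counter


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r & 0xFF


def _sbox_byte(a: int) -> int:
    """FIPS-197 S-box entry: multiplicative inverse, then the affine map."""
    inv = 0 if a == 0 else next(b for b in range(1, 256) if gf_mul(a, b) == 1)
    s, x = inv, inv
    for _ in range(4):
        x = ((x << 1) | (x >> 7)) & 0xFF   # rotate left by one bit
        s ^= x
    return s ^ 0x63


SBOX = bytes(_sbox_byte(a) for a in range(256))
INV_SBOX = bytes(SBOX.index(v) for v in range(256))


def expand_key_128(key: bytes) -> bytes:
    """AES-128 key schedule (FIPS-197 section 5.2): 16-byte key -> 176 bytes."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    words = [key[i:i + 4] for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = bytearray(words[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                       # RotWord
            t = bytearray(SBOX[b] for b in t)       # SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)                  # next round constant
        words.append(bytes(a ^ b for a, b in zip(words[i - 4], t)))
    return b"".join(words)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 suggests ciphertext or compression."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_sboxes(blob: bytes) -> dict:
    """Offsets of verbatim forward / inverse S-box tables (-1 when absent)."""
    return {"sbox": blob.find(SBOX), "inv_sbox": blob.find(INV_SBOX)}


def find_expanded_keys(blob: bytes) -> list:
    """Offsets where 176 bytes equal the AES-128 schedule of their first 16
    bytes, i.e. a pre-expanded key stored in the binary.  Returns
    [(offset, key_hex), ...]."""
    hits = []
    for off in range(0, len(blob) - 175):
        cand = blob[off:off + 176]
        key = cand[:16]
        # Cheap pre-check on round-key word 4 before paying for a full schedule.
        t = bytearray(SBOX[b] for b in key[13:16] + key[12:13])  # SubWord(RotWord(w3))
        t[0] ^= 0x01                                             # Rcon[1]
        if bytes(a ^ b for a, b in zip(key[:4], t)) != cand[16:20]:
            continue
        if expand_key_128(key) == cand:
            hits.append((off, key.hex()))
    return hits


FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 vector


def build_sample_blob() -> bytes:
    """Constructed stand-in for a tool binary: plaintext-like filler with the
    S-box, an expanded FIPS test key and the inverse S-box at known offsets."""
    text = b"Flashwrite encode stub ".ljust(512, b".")   # low-entropy region
    noise = hashlib.sha256(b"constructed").digest()      # 32 high-entropy bytes
    return text + SBOX + text[:256] + expand_key_128(FIPS_KEY) + noise + INV_SBOX


if __name__ == "__main__":
    blob = build_sample_blob()
    print(f"entropy of sample blob: {shannon_entropy(blob):.2f} bits/byte")
    print("S-box tables:", find_sboxes(blob))
    print("expanded AES-128 keys:", find_expanded_keys(blob))
```

Run it against a real dump by replacing `build_sample_blob()` with the file's bytes; a schedule hit gives you the 16-byte key directly, and a high whole-file entropy with no table hits is the signal that the data is still wrapped by something other than a straightforward AES implementation (which is consistent with the Feistel suspicion for the DIT data earlier in the thread).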