artikel:ipc:firmware_insides:uds_security_algorithm

UDS Security Access

Original IDA Pro decompile:

/*
 * Raw IDA Pro pseudo-C for the UDS Security Access key calculation
 * (decompiler output, not compilable C).
 *
 * What the listing shows:
 *  - input:  64 bits taken from the global seedByte1[], bytes 0..7, each
 *            byte scanned from bit 0 up to bit 7 (mask v1, index v2);
 *  - state:  three bytes byte_400017ED / EE / EF, preset to the fixed
 *            values 0xA9 / 0x41 / 0xC5 and handled as one 24-bit register
 *            that shifts right once per input bit (EF -> EE -> ED);
 *  - output: three bytes written to a1[0..2], built from the nibbles of
 *            the final state.
 *
 * Every constant is hard-coded and the result is 3 bytes, so the key
 * depends only on the seed; nothing device-specific is visible in this
 * function. NOTE(review): sub_4538() and the ROM bytes at 0x4615..0x461C
 * are not on this page, so that holds only for what is shown here.
 */
int __fastcall uds_calcKey(_BYTE *a1)
{
  int v1; // r4
  int v2; // r6
  unsigned int v3; // r5
  signed int v4; // r0
  unsigned __int8 *v5; // r0
  unsigned int v6; // r2
  unsigned int v7; // r2
  unsigned int v8; // r1
  int v9; // r1
  char v10; // r0
  char v11; // r2
  int result; // r0
  _BYTE *v13; // [sp+0h] [bp-18h]

  v13 = a1;   // output buffer; only written after the loop
  v1 = 1;     // bit mask into the current seed byte, starts at bit 0
  v2 = 0;     // index of the current seed byte
  // The five bytes F3..F7 are written here and not read again in this
  // function. NOTE(review): sub_4538() or other code may use them.
  byte_400017F3 = 8;     #0
  byte_400017F4 = 0x30;  #1
  byte_400017F5 = 0x61;  #2
  byte_400017F6 = 0x55;  #3
  byte_400017F7 = 0xAAu; #4
  
  // Initial value of the 3-byte state register.
  byte_400017ED = 0xA9u; #5
  byte_400017EE = 0x41;  #6
  byte_400017EF = 0xC5u; #7
  v3 = 0;     // iteration counter, loop runs 0x40 = 64 times
  do
  {
    sub_4538();   // body not shown on this page; purpose unknown
    // v4 = current seed bit (0 or 1)
    v4 = 1;
    if ( !((unsigned __int8)seedByte1[v2] & (unsigned __int8)v1) )
      v4 = 0;
    // & binds tighter than ^: v5 = v4 ^ (byte_400017ED & 1), i.e. 0 or 1.
    // The pointer type is a decompiler artifact; v5 is used below as an
    // offset, so v5[0x4615] reads the byte at address 0x4615 + v5.
    v5 = (unsigned __int8 *)(v4 ^ byte_400017ED & 1);
    // Advance to the next seed bit; after bit 7 move to the next byte.
    if ( v1 == 128 )
    {
      v1 = 1;
      v2 = (v2 + 1) & 0xFF;
    }
    else
    {
      v1 = 2 * v1 & 0xFF;
    }
    // Shift ED right by one; "<< 31" is non-zero in a 32-bit register
    // exactly when bit 0 is set, so bit 0 of EE moves into bit 7 of ED.
    v6 = (unsigned int)(unsigned __int8)byte_400017ED >> 1;
    byte_400017ED = (unsigned __int8)byte_400017ED >> 1;
    if ( (unsigned __int8)byte_400017EE << 31 )
      byte_400017ED = v6 | 0x80;
    // Same step for EE, taking bit 0 of EF as its new bit 7.
    v7 = (unsigned int)(unsigned __int8)byte_400017EE >> 1;
    byte_400017EE = (unsigned __int8)byte_400017EE >> 1;
    if ( (unsigned __int8)byte_400017EF << 31 )
      byte_400017EE = v7 | 0x80;
    // EF is shifted right and OR-ed with a table byte, then all three
    // state bytes are XOR-ed with table bytes selected by v5. The tables
    // are two-entry byte pairs at 0x4615, 0x4617, 0x4619 and 0x461B;
    // their contents are not part of this listing.
    v8 = ((unsigned int)(unsigned __int8)byte_400017EF >> 1) | v5[0x4615];
    byte_400017ED ^= v5[0x461B];
    byte_400017EE ^= v5[0x4619];
    byte_400017EF = v8 ^ v5[0x4617];
    v3 = (v3 + 1) & 0xFF;
  }
  while ( v3 < 0x40 );
  // Assemble the 3-byte key from the state nibbles (stores truncate to 8 bits):
  //   a1[0] = (ED >> 4) | (EE << 4)
  //   a1[1] = (EE & 0xF0) | (EF >> 4)
  //   a1[2] = (EF & 0x0F) | (ED << 4)
  v9 = (unsigned __int8)byte_400017ED;
  v10 = byte_400017EE;
  *v13 = ((unsigned __int8)byte_400017ED >> 4) | 16 * byte_400017EE;
  v11 = byte_400017EF;
  v13[1] = v10 & 0xF0 | ((unsigned __int8)byte_400017EF >> 4);
  result = v11 & 0xF | 16 * v9;
  v13[2] = result;
  // NOTE(review): the returned int is the untruncated last expression;
  // it is probably just whatever was left in r0 - confirm against callers.
  return result;
}

Bereinigte Funktion:

/*
 * Hand-cleaned version of the decompiled uds_calcKey above: the eight
 * global bytes become the local array entropy[], of which only
 * entropy[5..7] (the former byte_400017ED..EF) are used.
 *
 * NOTE(review): this listing is unfinished. It does not compile and it
 * does not yet match the decompile:
 *  - v9, v10, v11, v13 and result are used but never declared;
 *  - the first output store still uses v13 and the byte_400017xx globals,
 *    so seed[0] is never written;
 *  - "return result" sits in a function declared void;
 *  - v5 is a char but is indexed like a pointer; in the decompile it is
 *    an offset (0 or 1) into ROM tables whose contents are not on this page;
 *  - seedIndex is never advanced (v2 is incremented instead), so only
 *    seed[0] is ever read;
 *  - the sub_4538() call from the original loop is missing;
 *  - the decompile reads the seed from the global seedByte1[] and writes
 *    the key to its argument; here `seed` appears to serve as both -
 *    confirm which is intended.
 */
void uds_calcKey(char* seed)
{
  // Same eight constants as the decompile; 0xAA, 0xA9 and 0xC5 do not fit
  // a signed char. NOTE(review): the decompile uses unsigned __int8; with
  // a signed plain char the ">> 1" below is applied to a negative value.
  char entropy[8] = { 0x08, 0x30, 0x61, 0x55, 0xAA, 0xA9, 0x41, 0xC5 };
  int seedIndex = 0;   // NOTE(review): never incremented
  char v1 = 1;         // bit mask into the current seed byte
  char v2 = 0;         // byte index in the decompile; not used for indexing here
  char v4;
  char v5;
  char v6;
  char v7;
  char v8;
  // 0x40 = 64 rounds, one per seed bit.
  for (int i=0; i<0x40; i++)
  {
    // v4 = current seed bit (0 or 1)
    if ( ! (seed[seedIndex] & v1)) {
      v4 = 0;
    }
    else {
      v4 = 1;
    }
    
    // & binds tighter than ^: v5 = v4 ^ (entropy[5] & 1)
    v5 = v4 ^ entropy[5] & 1;
    
    // Next bit; after bit 7 wrap the mask and bump v2.
    if (v1 == 0x80) {
      v1 = 1;
      v2 = (v2 + 1) & 0xFF;
    }
    else {
      v1 = 2 * v1 & 0xFF;
    }
    
    // Shift entropy[5] right, pulling bit 0 of entropy[6] into bit 7.
    // NOTE(review): "<< 31" is a 32-bit register idiom for "bit 0 set";
    // on a promoted int it overflows, "entropy[6] & 1" says the same.
    v6 = entropy[5] >> 1;
    entropy[5] = entropy[5] >> 1;
    if (entropy[6] << 31) {
      entropy[5] = v6 | 0x80;
    }
    
    // Same step for entropy[6], fed from bit 0 of entropy[7].
    v7 = entropy[6] >> 1;
    entropy[6] = entropy[6] >> 1;
    if (entropy[7] << 31) {
      entropy[6] = v7 | 0x80;
    }
    
    // Table lookups carried over from the decompile (bytes at
    // 0x4615 + v5, 0x461B + v5, 0x4619 + v5, 0x4617 + v5).
    v8 = (entropy[7] >> 1) | v5[0x4615];
    
    entropy[5] ^= v5[0x461B];
    entropy[6] ^= v5[0x4619];
    entropy[7] = v8 ^ v5[0x4617]; 
  }
  // Key assembly, only partly converted from the decompile.
  v9 = entropy[5];
  v10 = entropy[6];
  // NOTE(review): not converted yet; by analogy with the two stores below
  // this would be seed[0] = (entropy[5] >> 4) | 16 * entropy[6].
  *v13 = ((unsigned __int8)byte_400017ED >> 4) | 16 * byte_400017EE;
  v11 = entropy[7];
  seed[1] = v10 & 0xF0 | (entropy[7] >> 4);
  result = v11 & 0x0F | 16 * v9;
  seed[2] = result;
  return result; 
}