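Unknown CRC calculation

reverse-engineering ida disassembly decryption cryptography
2021-06-23 00:27:13

I am looking for the CRC calculation of an EEPROM's contents. I am trying to add options to my car using a BOSCH ECU. The MCU in this ECU is a Tricore TC1793, and the EEPROM contents appear to be divided into blocks of 128 bytes each.

When I tried to change one byte in a block, the ECU stopped working, so I took another ECU from another car and grabbed some blocks to compare:

  1. A block from my ECU: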

    26 13 01 00 89 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 BD 8E
    
  2. A block with the same ID (26 13) from another ECU:

    26 13 01 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 C1 69
    
  3. Another block from my ECU with the same data (as number 1), except for the first 2 bytes:

    6A DF 01 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 A8 E5
    
  4. Another block from my ECU:

    A9 68 01 00 1B 09 CB 0D FF 7F 00 80 FF 7F 00 80  
    FF 7F 00 80 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 71 DD
    
  5. 0xA968 from another ECU:

    A9 68 01 00 FF 7F 00 80 FF 7F 00 80 FF 7F 00 80  
    FF 7F 00 80 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 74
    

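I think the first 2 bytes are an ID and the last two bytes are a checksum. I am sure the CRC is calculated over the first two bytes as well, because another block with the same data but different first two bytes has a different CRC.

I tried to find some clues with reveng, but found nothing...

Can anyone help me find out how this checksum is calculated, or give me some leads to investigate?

Here is the full data from my ECU (EEPROM + MCU flash, TC1793)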
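One way to test the question's hypothesis (ID in the first 2 bytes, checksum in the last 2) against common CRC-16 models, as an added example that is not part of the original post. The polynomial list, the function names and the choice to try both byte orders and both start offsets (0 and 2) are assumptions made for this sketch.

```python
# Added example (not from the original post): test common CRC-16 models
# against 128-byte blocks laid out as <ID(2)> <data> <checksum(2)>.
from itertools import product

def reflect(value, width):
    """Reverse the bit order of a width-bit integer."""
    return int(f"{value:0{width}b}"[::-1], 2)

def crc16(data, poly, init, refl, xorout):
    """Bitwise CRC-16; refl applies to both input bytes and output."""
    crc = init
    for byte in data:
        crc ^= (reflect(byte, 8) if refl else byte) << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly if crc & 0x8000 else crc << 1) & 0xFFFF
    return (reflect(crc, 16) if refl else crc) ^ xorout

def block(head_hex, tail_hex):
    """Build a 128-byte block: leading bytes, zero fill, 2-byte trailer."""
    head = bytes.fromhex(head_hex)
    return head + bytes(126 - len(head)) + bytes.fromhex(tail_hex)

# The first three blocks quoted in the question.
PAGE_BLOCKS = [
    block("26 13 01 00 89", "BD 8E"),
    block("26 13 01 00", "C1 69"),
    block("6A DF 01 00", "A8 E5"),
]

POLYS = (0x1021, 0x8005, 0x3D65, 0x8BB7, 0xC867)  # assumed candidate list

def search(blocks):
    """Return every (poly, init, refl, xorout, byteorder, start) model
    that reproduces the stored trailer of all blocks."""
    hits = []
    for model in product(POLYS, (0x0000, 0xFFFF), (False, True),
                         (0x0000, 0xFFFF), ("big", "little"), (0, 2)):
        poly, init, refl, xorout, order, start = model
        if all(crc16(b[start:-2], poly, init, refl, xorout)
               == int.from_bytes(b[-2:], order) for b in blocks):
            hits.append(model)
    return hits

if __name__ == "__main__":
    print(search(PAGE_BLOCKS))  # an empty list means none of these models fit
```

An empty result only rules out the listed models over those byte ranges; it says nothing about a checksum that also covers data outside the block or uses a different algorithm.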

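1 Answer

The MED17 function description document will help with an overview of the EEP handler, but not with the checksum routines.

It is usually best to go through the front door with a coding tool rather than trying to change the EEPROM (actually data flash on most Tricores) directly.

Given time, I could probably find the checksum routines and reverse them, but it is not a small job, and fixing these may still leave you with other dependencies or some TPROT EEPROM content that will cause you trouble that is hard to fix.

Depending on how deep you want to go, I think this is a matter of time that goes beyond a simple CRC formula.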