XOR algo and VAGSA2 algo?

[GBozkir]

Hello,

In the readme says that XOR algo an VAGSA2 algo is supported. I downloaded the application but don't see it. Also not in the webapplication. Something happend on it ? :-).

Brgds

[Feezex]

what is VAGSA2 ???? which readme? post a text that points to that ecu

[GBozkir]

Look at the line beginning with ###..

Currently, these security providers are available:

DaimlerStandardSecurityAlgo
DaimlerStandardSecurityAlgoMod
DaimlerStandardSecurityAlgoRefG
DRVU_PROF
EDIFF290
EsLibEd25519
ESPSecurityAlgoLevel1
IC172Algo1
IC172Algo2
MarquardtSecurityAlgo
OCM172
PowertrainBoschContiSecurityAlgo1
PowertrainBoschContiSecurityAlgo2
PowertrainDelphiSecurityAlgo
PowertrainSecurityAlgo
PowertrainSecurityAlgo2
PowertrainSecurityAlgo3
PowertrainSecurityAlgoNFZ
RBTM
RDU222
RVC222_MPC222_FCW246_LRR3
SWSP177
VGSSecurityAlgo
### VolkswagenSA2
XorAlgo

[Feezex]

XorAlgo made for CR3_UP ecu,
SA2 implemented at UnlockECU/UnlockECU/Security/VolkswagenSA2.cs but theres no definition on it

[GBozkir]

So how to get seeds calculated for Vag ecu?

[Feezex]

add definition to db.json

[GBozkir]

What I don't understand.; is this alghortime used for all of these ecus ?

[Feezex]

Im not specialist at VAG, maybe you give us an answer

[GBozkir]

I can give you the answer if i can get add the function to db.json :-)

[Feezex]

Lets ask a boss to add it in right way.
public override bool GenerateKey(byte[] inSeed, byte[] outKey, int accessLevel, List<Parameter> parameters) { byte[] tape = GetParameterBytearray(parameters, "InstructionTape");
this may be the main trouble.
As far as i understand - this algo is shared over internet, if you knew InstructionTape for different ecus = you can generate keys

[GBozkir]

Aha ok.. trying to get the instructiontape for a ecu that is locked.. so the firmware is encrypted.. first have to find out how to get this instructiontape.. the instructiontape should be on line 0x000001bc..

[Feezex]

at OTP ? xDD

[Feezex]

read here
.sgo files (at 0x000001bc)
inside ROM dumps in different locations.
So you have to find SGO with exact number , and extract Tape value

[GBozkir]

Right.. but the problem is.. a virtual cockoit don't have a sgo or frf file.. there are only sd card flash softwares available..

[Feezex]

[jglim]

Sergey answers correctly in this post. The algos are implemented, but there are no definitions.

The VW SA2 algo is implemented from https://github.com/bri3d/sa2_seed_key. I haven't got to extracting the key parameters yet as I don't have a source for the FRF/ODX files (there's a good guide in the same repo). That being said, I don't think this will solve your issue as your key material isn't in the FRF/ODX.