1) According to the APCE (Authentication with PKI Certificate Exchange) model of the 29 service (UDS Authentication), the process includes the key transfer step required for secure diagnostic communication after successful authentication.
2) Breaking this process down: in two-way authentication, the client authenticates the server in exactly the same way as in one-way authentication, only in the opposite direction. The steps are:
The client sends its certificate to the server; the certificate contains the client's public key.
The server confirms the validity of the certificate after receiving it (using the PKI certificate validity check function) to verify whether the client is legitimate. If it is not legitimate, the authentication process is stopped and a negative response is returned; if it is legitimate, the authentication process continues.
The server sends a challenge message regarding the certificate, requesting the client to prove ownership of the issued certificate (proof of ownership); the message includes the random number required for authentication.
The client receives the challenge and uses its private key to compute a signature over the received random number, which is included in the response message sent to the server.
The server uses the client's public key to decrypt and verify the signature in the response message, compares it with the challenge message, and replies to the client with the authentication result.
3) Therefore, the key question for the penetration test is whether the X.509 public key certificate can be obtained.
3-1) Try to load the MCU firmware into IDA and attempt to reverse engineer it. Before reversing, confirm the chip model and architecture:
According to the silkscreen on the chip, the architecture is TriCore and the chip model is TC387QP. After loading the firmware in IDA, wait for IDA to complete preprocessing, then select the device type:
However, the TC387 series does not appear among the models IDA supports, so TC1766 was chosen temporarily to try loading:
The entire loading process takes about fifteen minutes.
3-2) After loading completes, check whether cross-references are available; if they are, the firmware has been loaded successfully:
3-3) However, further analysis revealed that not all code segments are recognized and string references are not resolved properly, so IDA's default loading addresses do not match the current chip. Looking further at how IDA loads AURIX devices shows that the memory layout for the TC387QP series needs to be defined, in the same way as the existing definition for the TC1797:
3-4) Following the chip manual and IDA's format, add support for the TC3xx series chips as completely as possible:
After adding the memory mapping, reload the firmware in IDA and select our newly added TC-3xx:
3-5) However, since the entire firmware lacks a symbol table, a way to recover a basic symbol table has to be found before the meaning of the code can be analyzed from context.
3-6) Set up the TriCore development environment and, based on the examples in the official documentation, call as many API functions as possible:
3-7) After writing the code, compile it to generate a firmware image:
3-8) Load the compiled firmware into IDA and save the idb files of both the firmware under analysis and the manually compiled firmware.
3-9) Attempted to use a function similarity matching algorithm to identify functions from the symbol table, but the comparison results were not ideal: only a single-digit number of functions was identified:
3-10) Tried to find TriCore integrated AUTOSAR development tools in order to manually compile firmware carrying AUTOSAR symbol information, but found that the AUTOSAR build environment requires a subscription:
Therefore, this approach cannot continue.
3-11) Attempt to connect a large language model to the decompiler so that it can automatically identify each function's purpose. Since IDA cannot generate pseudocode for the TriCore architecture, Ghidra was chosen for this step; the Ghidra script that invokes the LLM is as follows:
Load the project into Ghidra, add the directory where our scripts are stored, then double-click to execute and call the AI model to generate function annotations:
After the script finishes executing, annotations for all functions have been generated:
With the AI's help, the code snippets relevant to encryption and decryption were successfully located:
Then trace the call tree forward:
The upper-level caller of this function is the entry function. Based on context and semantic analysis, this function should be responsible for initializing some encryption algorithm modules.
3-12) Search the annotated code for keywords related to certificates and check whether any certificate files exist:
No certificate-related information was found. It is therefore concluded that the certificate is stored in the TEE, and that certificates in the firmware are stored encrypted rather than in plaintext.
4) Verifying the functions of the 29 service individually
Send PDU 29 01: negative response, NRC 12, indicating the presence of permission verification control
Send PDU 29 02: negative response, NRC 22, permission verification control is present
Send PDU 29 03: negative response, NRC 22, permission verification control is present
Send PDU 29 04: negative response, NRC 12, this function is not supported
Send PDU 29 08: negative response, NRC 22, permission verification control is present
Send PDU 29 00: negative response, NRC 22, permission verification control is present
5) In summary, the certificate cannot be obtained through reverse engineering, and the 29 service has security checks, so this case is valid.