MSD80/81 SBOOT

carabuser

Lieutenant
Oct 2, 2019
UK
Ride
Z4 35i & 335i
That's a really interesting read, but from what I understand that just gives you access to SBOOT commands, which is something that you can do by erasing the DME.

That bypass allows you to write custom CBOOT code in but that is already possible from a CBOOT level thanks to the RSA relocation bypass.

Maybe I'm misunderstanding it. If it's something you wanted assistance with then I can help. I do have a good decompilation of the SBOOT and some understanding of the KWP routines in there. I also have some project software that can handle the KWP comms using ediabaslib.
 

carabuser

Lieutenant
Oct 2, 2019
UK
Ride
Z4 35i & 335i
I took a quick look at the SBOOT area (0-BFFF) and I don't see any KWP routines, just calls to the KWP routines stored in the CBOOT (C000-1FFFF). Most of the SBOOT looks like the flash write routines and CAN management.

So I'm not sure this exploit is relevant to the MSD8x. I don't know how you would read and write to the DME without using the CBOOT.
 

808AWD325xi

Lurker
Nov 27, 2016
Moline, IL
Ride
2009 335i
I took a quick look at the SBOOT area (0-BFFF) and I don't see any KWP routines, just calls to the KWP routines stored in the CBOOT (C000-1FFFF). Most of the SBOOT looks like the flash write routines and CAN management.

So I'm not sure this exploit is relevant to the MSD8x. I don't know how you would read and write to the DME without using the CBOOT.

Thanks, carabuser! That's great information. I would like to read the boot password(s).
 

carabuser

Lieutenant
Oct 2, 2019
UK
Ride
Z4 35i & 335i
I assume those are the 2 4-byte passwords labelled as "flash_pw1" and "flash_pw2". I can read them on my bench DME but I assume they are individual to each DME?

I can send you a file that you can flash to the DME that will allow that data to be read out using INPA. What is your current DME software? Are you using MHD or another tuning platform?
 

808AWD325xi

Lurker
Nov 27, 2016
Moline, IL
Ride
2009 335i
Those are the ones. I believe that they are unique to each DME. That would be awesome, thank you!

My bench MSD81 is stock, no tune (IJE0S). ZB# 7626382
 

fstbtstr

New Member
Apr 14, 2024
I took a quick look at the SBOOT area (0-BFFF) and I don't see any KWP routines, just calls to the KWP routines stored in the CBOOT (C000-1FFFF). Most of the SBOOT looks like the flash write routines and CAN management.

So I'm not sure this exploit is relevant to the MSD8x. I don't know how you would read and write to the DME without using the CBOOT.
SBOOT on its own is not designed to let you read or write the flash; it just allows you to upload an RSA-signed bootloader. I.e., it's the job of the bootloader to implement that. In the context of the SBOOT exploit, it just allows you to get the flash passwords, which can be used to access the flash when you start the ECU/DME in CAN BSL mode (see TC1796 docs). I am curious if MSD 80/81 allows writing via KWP routines when a CAS with a valid car key is not connected.