网鼎杯-武为止戈
date Thu Apr 2 10:37:15.950 am 2020
base hex timestamps absolute
internal events logged
// version 8.2.1
0.005921 CAN 1 Status:chip status error active
1.005921 CAN 1 Status:chip status error active
2.005922 CAN 1 Status:chip status error active
3.005922 CAN 1 Status:chip status error active
4.000621 1 7DF Tx d 8 02 3E 80 00 00 00 00 00 Length = 0 BitCount = 124 ID = 2015 // 1 OTP(01) Atom 7DF->7DF : SF Length: 02 [ 3E 80 ]
4.005922 CAN 1 Status:chip status error active
5.005922 CAN 1 Status:chip status error active
6.005923 CAN 1 Status:chip status error active
7.005923 CAN 1 Status:chip status error active
8.000537 1 7DF Tx d 8 02 3E 80 00 00 00 00 00 Length = 0 BitCount = 124 ID = 2015 // 1 OTP(02) Atom 7DF->7DF : SF Length: 02 [ 3E 80 ]
8.005923 CAN 1 Status:chip status error active
9.005924 CAN 1 Status:chip status error active
9.498709 1 7DF Tx d 8 02 10 02 AA AA AA AA AA Length = 0 BitCount = 116 ID = 2015 // 1 OTP(03) Atom 7DF->7DF : SF Length: 02 [ 10 02 ]
9.499693 1 7B0 Rx d 8 06 50 02 00 32 01 F4 00 Length = 235910 BitCount = 122 ID = 1968
...omitted...
10.314499 1 730 Tx d 8 02 37 01 AA AA AA AA AA Length = 222259 BitCount = 114 ID = 1840
10.315695 1 7B0 Rx d 8 06 77 01 C6 B6 5E 10 00 Length = 225910 BitCount = 117 ID = 1968
10.318529 1 730 Tx d 8 04 31 01 DF FF AA AA AA Length = 226244 BitCount = 116 ID = 1840
10.319707 1 7B0 Rx d 8 03 7F 31 78 00 00 00 00 Length = 233910 BitCount = 121 ID = 1968
10.320695 1 7B0 Rx d 8 05 71 01 DF FF 00 00 00 Length = 233910 BitCount = 121 ID = 1968
10.322633 1 730 Tx d 8 04 31 01 FF 01 AA AA AA Length = 226244 BitCount = 116 ID = 1840
10.323695 1 7B0 Rx d 8 05 71 01 FF 01 00 00 00 Length = 233910 BitCount = 121 ID = 1968
10.325697 1 7DF Tx d 8 02 11 01 AA AA AA AA AA Length = 0 BitCount = 115 ID = 2015 // 1 OTP(04) Atom 7DF->7DF : SF Length: 02 [ 11 01 ]
10.326689 1 7B0 Rx d 8 03 7F 11 78 00 00 00 00 Length = 233910 BitCount = 121 ID = 1968
11.005924 CAN 1 Status:chip status error active
11.326752 1 7B0 Rx d 8 02 51 01 00 00 00 00 00 Length = 235910 BitCount = 122 ID = 1968
12.000742 1 7DF Tx d 8 02 3E 80 00 00 00 00 00 Length = 0 BitCount = 124 ID = 2015 // 1 OTP(05) Atom 7DF->7DF : SF Length: 02 [ 3E 80 ]
12.005925 CAN 1 Status:chip status error active
13.005925 CAN 1 Status:chip status error active
14.005925 CAN 1 Status:chip status error active
15.005926 CAN 1 Status:chip status error active
16.000532 1 7DF Tx d 8 02 3E 80 00 00 00 00 00 Length = 0 BitCount = 124 ID = 2015 // 1 OTP(06) Atom 7DF->7DF : SF Length: 02 [ 3E 80 ]
16.005926 CAN 1 Status:chip status error active
N_PDU : N_AI,N_PCI,N_Data //The protocol data unit (N_PDU)
N_AI : N_SA,N_TA,N_TAtype[,N_AE] //Address information (N_AI)
N_PCI : //Protocol control information (N_PCI)
N_Data : //Data Field (N_Data)
(3.2) Example
As follows:
9.498709 1 7DF Tx d 8 02 10 02 AA AA AA AA AA Length = 0 BitCount = 116 ID = 2015
9.499693 1 7B0 Rx d 8 06 50 02 00 32 01 F4 00 Length = 235910 BitCount = 122 ID = 1968
(A) The high nibble of N_PCI, N_PCIType, indicates the type of the N_PCI:
0x0* is a single frame (SF)
0x1* is the first frame (FF) of a multi-frame message
0x2* is a consecutive frame (CF) of a multi-frame message
0x3* is flow control (FC)
(B) Take the following exchange:
7DF Tx d 8 02 10 02 AA AA AA AA AA
7B0 Rx d 8 06 50 02 00 32 01 F4 00
This is a single frame sent (Tx) to the vehicle ECU: 0x02 & 0xF0 = 0 = SF, and the valid payload of the single frame is 0x02 & 0x0F = 2 bytes, 10 02; the trailing AA AA AA AA AA is padding and is discarded.
The single frame received (Rx) in reply from the vehicle ECU: 0x06 & 0xF0 = 0 = SF, with a valid payload of 0x06 & 0x0F = 6 bytes, 50 02 00 32 01 F4; the trailing 00 is padding and is discarded.
TesterPresent (0x3E) service
The vehicle ECU in this challenge does not actually need link keep-alive; this is a belt-and-braces strategy on the part of the Tester acting as client: whether or not the server needs keep-alive, it sends TesterPresent at irregular intervals anyway.
If the server does need keep-alive, the Tester side receives the server's positive response to the keep-alive, e.g.
【02 7E 80】
Here the ECU is told to start a programming session; the server's positive response 【50 02】 is received, along with some programming-session parameters.
A positive response always carries the requested service ID (here SID = 0x10) OR 0x40, i.e. 0x50; a negative response for a session error or rejection always has the form 7F SID + error code.
| |programmingSession enables all diagnostic services required to support the memory programming of a server.
|DiagnosticSessionControl (10 hex) service:used to enable different diagnostic sessions in the server(s).
9.499693 1 7B0 Rx d 8 06 50 02 00 32 01 F4 00 Length = 235910 BitCount = 122 ID = 1968
| | | |
| | | |P2*Server_max = 0x01F4*10ms = 5000ms
| | |P2Server_max = 0x0032*1ms = 50ms
| | |
| | |sessionParameterRecord[]
| |diagnosticSessionType
|DiagnosticSessionControl Response Service Id
(3.1) Since this is a programming session, which allows the ECU units on the vehicle to be reflashed, the security level is higher and security verification is required.
The basic security verification procedure:
(3.2) About this security algorithm algo_op
9.740585 1 730 Tx d 8 02 27 05 AA AA AA AA AA Length = 222015 BitCount = 114 ID = 1840
9.741697 1 7B0 Rx d 8 06 67 05 11 22 33 44 00 Length = 223910 BitCount = 116 ID = 1968
If the key = EE DD CC BB AA sent by the Tester here were not computed with the same algo_op that the vehicle ECU uses, the ECU would fail to match it and reject the subsequent session.
9.782739 1 730 Tx d 8 06 27 06 EE DD CC BB AA Length = 226244 BitCount = 116 ID = 1840
9.783703 1 7B0 Rx d 8 02 67 06 00 00 00 00 00 Length = 235910 BitCount = 122 ID = 1968
The Tester asks the vehicle ECU to run the eraseMemory routine; the parameters are the memory start address and the memory size.
The 44 indicates that the following address and size fields are each 4 bytes wide, i.e. erase 0x00002000 bytes of storage at 0x08000000.
9.788131 1 730 Tx d 8 10 0D 31 01 FF 00 44 08 Length = 232000 BitCount = 119 ID = 1840
9.788431 1 7B0 Rx d 8 30 08 00 00 00 00 00 00 Length = 239910 BitCount = 124 ID = 1968
9.788947 1 730 Tx d 8 21 00 00 00 00 00 20 00 Length = 244244 BitCount = 125 ID = 1840
9.789707 1 7B0 Rx d 8 05 71 01 FF 00 00 00 00 Length = 233910 BitCount = 121 ID = 1968
31 01 FF 00 44 08 00 00 00 00 00 20 00
| | | |
| | | |
| | | |routineControlOptionRecord[] // defined by the vehicle manufacturer.
| | |routineIdentifier:=0xFF00 eraseMemory >> used to start the server's memory erase routine
| |routineControlType RoutineControl Request SID := startRoutine
|RoutineControl (0x31) service:used by the client to execute a defined sequence of steps and obtain any relevant results.
71 01 FF 00 00
|routineInfo //is vehicle manufacturer specific and provides a mechanism
The Tester requests a data download (RequestDownload); the concept is similar to embedded development, where the content ultimately has to be downloaded and burned into on-chip flash.
Here 44 has the same meaning as above, giving the width of the following parameters: download data to location 0x08000000 of the vehicle ECU, with a data size of 0x00002000.
The positive response here tells the Tester that each transfer may carry at most maxNumberOfBlockLength := 0x0102 bytes.
9.791765 1 730 Tx d 8 10 0B 34 00 44 08 00 00 Length = 236244 BitCount = 121 ID = 1840
9.792061 1 7B0 Rx d 8 30 08 00 00 00 00 00 00 Length = 239910 BitCount = 124 ID = 1968
9.792625 1 730 Tx d 8 21 00 00 00 20 00 AA AA Length = 234244 BitCount = 120 ID = 1840
9.793715 1 7B0 Rx d 8 04 74 20 01 02 00 00 00 Length = 233910 BitCount = 121 ID = 1968
34 00 44 08 00 00 00 00 00 20 00
| | | | |
| | | | |memorySize:=0x00002000
| | | |memoryAddress:=0x08000000 is the starting address of the server memory where the data is to be written to
| | |addressAndLengthFormatIdentifier
| | |bit 7 - 4: Length (number of bytes) of the memorySize parameter
| | |bit 3 - 0: Length (number of bytes) of the memoryAddress parameter
| |dataFormatIdentifier:0x00 compressionMethod-encryptingMethod
| |0x00 specifies that neither compressionMethod nor encryptingMethod is used
|RequestDownload (34 hex) service:used by the client to initiate a data transfer from the client to the server (download)
74 20 01 02
| | |
| | |maxNumberOfBlockLength:=0x0102
| |bit 3 - 0: reserved by document, to be set to '0'.
| |bit 7 - 4: Length (number of bytes) of the maxNumberOfBlockLength parameter.
| |lengthFormatIdentifier
|RequestDownload Response SID
The Tester starts sending the flash data to the vehicle ECU, as described above.
maxNumberOfBlockLength is 0x0102; excluding [36 xx], each transfer can carry at most 0x102 - 2 = 256 bytes of payload.
But the Tester here only sends half of that each time, keeping some margin, i.e. 0x80 = 128 bytes.
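The two annotation trees above describe how the addressAndLengthFormatIdentifier and lengthFormatIdentifier nibbles are laid out; the following decoder was written for this writeup (it is not code from the original post or from any UDS library) and is applied to the eraseMemory and RequestDownload messages from this trace. It also carries the block-count arithmetic of the paragraph above, generalised to any maxNumberOfBlockLength and any client-chosen payload size; the function names are this example's own.

```python
def decode_alfid(alfid, rest):
    """Split the bytes after an addressAndLengthFormatIdentifier into (address, size).
    Low nibble = width of memoryAddress, high nibble = width of memorySize."""
    addr_len, size_len = alfid & 0x0F, alfid >> 4
    if len(rest) != addr_len + size_len:
        raise ValueError(f'expected {addr_len + size_len} parameter bytes, got {len(rest)}')
    address = int.from_bytes(rest[:addr_len], 'big')
    size = int.from_bytes(rest[addr_len:], 'big')
    return address, size

def decode_request_download(msg):
    """34 <dataFormatIdentifier> <ALFID> <memoryAddress> <memorySize>"""
    if msg[0] != 0x34:
        raise ValueError('not a RequestDownload request')
    address, size = decode_alfid(msg[2], msg[3:])
    return {'compression': msg[1] >> 4, 'encryption': msg[1] & 0x0F,
            'address': address, 'size': size}

def decode_request_download_response(msg):
    """74 <lengthFormatIdentifier> <maxNumberOfBlockLength>; LFI high nibble = width, low nibble = 0."""
    if msg[0] != 0x74:
        raise ValueError('not a RequestDownload positive response')
    width = msg[1] >> 4
    if msg[1] & 0x0F or len(msg) != 2 + width:
        raise ValueError('malformed lengthFormatIdentifier / maxNumberOfBlockLength')
    return int.from_bytes(msg[2:], 'big')

def decode_erase_memory(msg):
    """31 01 FF 00 <ALFID> <memoryAddress> <memorySize> (startRoutine eraseMemory, as in this trace)."""
    if msg[:4] != bytes.fromhex('3101FF00'):
        raise ValueError('not a startRoutine eraseMemory request')
    return decode_alfid(msg[4], msg[5:])

def blocks_needed(total_size, max_block_len, payload_per_block=None):
    """Number of TransferData blocks: maxNumberOfBlockLength includes the 2-byte 36 <counter>
    header, so the usable payload per block is max_block_len - 2 unless the client sends less."""
    usable = max_block_len - 2
    payload = usable if payload_per_block is None else min(payload_per_block, usable)
    return -(-total_size // payload)            # ceiling division

# Reassembled messages taken from this writeup's trace
REQ_DOWNLOAD = bytes.fromhex('34 00 44 08 00 00 00 00 00 20 00')
RESP_DOWNLOAD = bytes.fromhex('74 20 01 02')
ERASE = bytes.fromhex('31 01 FF 00 44 08 00 00 00 00 00 20 00')
```

With the trace values, `blocks_needed(0x2000, 0x102)` gives the 32 blocks a full-size client would send, while `blocks_needed(0x2000, 0x102, 0x80)` gives the 64 blocks this Tester actually sends.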
9.795987 1 7B0 Rx d 8 30 08 00 00 00 00 00 00 Length = 239910 BitCount = 124 ID = 1968
9.796548 1 730 Tx d 8 21 45 01 00 08 21 03 00 Length = 236244 BitCount = 121 ID = 1840
9.796790 1 730 Tx d 8 22 08 23 03 00 08 27 03 Length = 236244 BitCount = 121 ID = 1840
9.797030 1 730 Tx d 8 23 00 08 2B 03 00 08 2F Length = 234000 BitCount = 120 ID = 1840
9.797278 1 730 Tx d 8 24 03 00 08 00 00 00 00 Length = 242000 BitCount = 124 ID = 1840
9.797526 1 730 Tx d 8 25 00 00 00 00 00 00 00 Length = 242000 BitCount = 124 ID = 1840
9.797770 1 730 Tx d 8 26 00 00 00 00 00 33 03 Length = 238000 BitCount = 122 ID = 1840
9.798012 1 730 Tx d 8 27 00 08 35 03 00 08 00 Length = 236000 BitCount = 121 ID = 1840
9.798256 1 730 Tx d 8 28 00 00 00 37 03 00 08 Length = 238000 BitCount = 122 ID = 1840
9.798556 1 7B0 Rx d 8 30 08 00 00 00 00 00 00 Length = 239910 BitCount = 124 ID = 1968
9.799088 1 730 Tx d 8 29 39 03 00 08 5F 01 00 Length = 232259 BitCount = 119 ID = 1840
9.799329 1 730 Tx d 8 2A 08 5F 01 00 08 5F 01 Length = 234259 BitCount = 120 ID = 1840
9.799569 1 730 Tx d 8 2B 00 08 5F 01 00 08 5F Length = 234015 BitCount = 120 ID = 1840
9.799809 1 730 Tx d 8 2C 01 00 08 5F 01 00 08 Length = 234015 BitCount = 120 ID = 1840
9.800049 1 730 Tx d 8 2D 5F 01 00 08 5F 01 00 Length = 234015 BitCount = 120 ID = 1840
9.800291 1 730 Tx d 8 2E 08 5F 01 00 08 5F 01 Length = 236015 BitCount = 121 ID = 1840
9.800531 1 730 Tx d 8 2F 00 08 5F 01 00 08 5F Length = 234015 BitCount = 120 ID = 1840
9.800773 1 730 Tx d 8 20 01 00 08 5F 01 00 08 Length = 236015 BitCount = 121 ID = 1840
9.801077 1 7B0 Rx d 8 30 08 00 00 00 00 00 00 Length = 239910 BitCount = 124 ID = 1968
9.801509 1 730 Tx d 8 21 5F 01 00 08 5F 01 00 Length = 234244 BitCount = 120 ID = 1840
9.801745 1 730 Tx d 8 22 08 5F 01 00 08 AA AA Length = 230244 BitCount = 118 ID = 1840
|TransferData (36 hex) service
36 01 28 04 00 20 45 01 00 08 21 03 00 .. 08 5F 01 00 08
| | |transferRequestParameterRecord[] //For a download, the transferRequestParameterRecord include the data to be transferred
| |blockSequenceCounter
|TransferData (0x36) service
9.802687 1 7B0 Rx d 8 03 7F 36 78 00 00 00 00 Length = 233910 BitCount = 121 ID = 1968
9.802931 1 7B0 Rx d 8 02 76 01 00 00 00 00 00 Length = 235910 BitCount = 122 ID = 1968
10.314499 1 730 Tx d 8 02 37 01 AA AA AA AA AA Length = 222259 BitCount = 114 ID = 1840
|
|RequestTransferExit (0x37) service
10.315695 1 7B0 Rx d 8 06 77 01 C6 B6 5E 10 00 Length = 225910 BitCount = 117 ID = 1968
10.318529 1 730 Tx d 8 04 31 01 DF FF AA AA AA Length = 226244 BitCount = 116 ID = 1840
10.319707 1 7B0 Rx d 8 03 7F 31 78 00 00 00 00 Length = 233910 BitCount = 121 ID = 1968
10.320695 1 7B0 Rx d 8 05 71 01 DF FF 00 00 00 Length = 233910 BitCount = 121 ID = 1968
|startRoutine
| 0xDFFF This range of values is reserved for vehicle manufacturer specific use
10.322633 1 730 Tx d 8 04 31 01 FF 01 AA AA AA Length = 226244 BitCount = 116 ID = 1840
10.323695 1 7B0 Rx d 8 05 71 01 FF 01 00 00 00 Length = 233910 BitCount = 121 ID = 1968
| 0xFF01 checkProgrammingDependencies
10.325697 1 7DF Tx d 8 02 11 01 AA AA AA AA AA Length = 0 BitCount = 115 ID = 2015 // 1 OTP(04) Atom 7DF->7DF : SF Length: 02 [ 11 01 ]
10.326689 1 7B0 Rx d 8 03 7F 11 78 00 00 00 00 Length = 233910 BitCount = 121 ID = 1968
11.005924 CAN 1 Status:chip status error active
11.326752 1 7B0 Rx d 8 02 51 01 00 00 00 00 00 Length = 235910 BitCount = 122 ID = 1968
| ECUReset (0x11) service
Using the editor's regex replace we deleted the frames unrelated to the download data 【36 xx】, obtaining 0x08000000_0x2000.binstr (in the attachment).
In it, every 19 lines carry one payload block of 0x80 bytes.
With the following Python code we extract the flashed content 0x08000000_0x2000.bin from 0x08000000_0x2000.binstr (see attachment):
import re

# Read the filtered trace (only the [36 xx] TransferData frames; 19 lines per 0x80-byte block)
with open(r'.\0x08000000_0x2000.binstr', 'r') as fin:
    lns = fin.read().split('\n')

# First frame "10 82 36 01 d0 d1 d2 d3": capture "01 d0 d1 d2 d3", then drop the block counter "01 "
fp = re.compile(r'730 Tx d 8 10 82 36 (.. .. .. .. ..)')
# Consecutive frame "2N d0 .. d6": capture the seven data bytes
dp = re.compile(r'730 Tx d 8 2. (.. .. .. .. .. .. ..)')
# search() rather than match(), so the timestamp/channel columns in front of "730 Tx" do not matter
data = b''
for i in range(64):                 # 64 blocks * 0x80 bytes = 0x2000
    sl = i * 19
    ff = [fp.search(lns[sl]).group(1)[3:]]
    for j in range(1, 18):
        ff.append(dp.search(lns[sl + j]).group(1))
    # the last consecutive frame of a block carries 5 data bytes plus 2 bytes of AA padding
    ff.append(dp.search(lns[sl + 18]).group(1)[:-6])
    data += bytes.fromhex(''.join(ff).replace(' ', ''))

with open(r'.\0x08000000_0x2000.bin', 'wb') as fout:
    fout.write(data)
# IDAPython script: emulate the extracted firmware with Unicorn, using the segments IDA loaded
from unicorn import *
from unicorn.arm_const import *
import sark
import idc

segs = list(sark.segments())
elf_base = segs[0].ea
# size of the loaded image, rounded up to a 4 KiB page
elf_size = segs[-1].ea + segs[-1].size - elf_base
elf_size = 0x1000 * ((elf_size + 0x0FFF) // 0x1000)
stack_size = 4 * 1024 * 1024
mem_size = 4 * 1024 * 1024
mem_ptr = elf_base + elf_size + stack_size          # scratch area above the stack
all_size = elf_size + stack_size + mem_size
stack_init = elf_base + elf_size + stack_size // 2  # SP starts in the middle of the stack area

mu = Uc(UC_ARCH_ARM, UC_MODE_ARM)
mu.mem_map(elf_base, all_size)
print("Init Module: base:= {:08X} size:= {:08X}".format(elf_base, all_size))
for seg in segs:
    segdata = idc.get_bytes(seg.ea, seg.size)
    mu.mem_write(seg.ea, segdata)
    print("Init Seg: base:= {:08X} size:= {:08X}".format(seg.ea, seg.size))

mu.reg_write(UC_ARM_REG_SP, stack_init)
mu.reg_write(UC_ARM_REG_R4, 0x80002C8)              # R4 -> output buffer at 0x080002C8
# an odd start address (0x08000180 | 1) makes Unicorn run in Thumb state; stop at 0x0800028C
mu.emu_start(0x08000180 + 1, 0x800028C)
print(bytes(mu.mem_read(0x080002C8, 0x2C)))         # dump the 0x2C bytes the routine wrote
看雪 (Kanxue) ID: HHHso
https://bbs.pediy.com/user-463990.htm