Clone Mondeo MK4 BCM

All other modules found in Ford cars
Syntax
Active member
Posts: 79
Joined: 09 Jan 2020, 08:06

Re: Clone Mondeo MK4 BCM

Post by Syntax »

Are you sure that the VBF contains data up to FFFF_FFFF?
I have checked the 3 blocks in the VBF and they only go up to FFFE_0000, and the vector table is from FFFF_FFDC.
Below are the starting addresses + length of the block = ending address:
FFF4_0000 + 794D0 = FFFB_94D0
FFFB_9868 + 4B98 = FFFB_E400
FFFD_FFD8 + 28 = FFFE_0000

Anyway, I was trying to load the bin in Ghidra, but there is no support for the R32C. I have found a plugin on GitHub for the M16C, which should cover the whole family including the R32C, but it still did not recognize any code. The only programs that support it are IDA and Binary Ninja, but both are paid :-(
Go4IT
Pro
Posts: 968
Joined: 08 Feb 2019, 12:25

Re: Clone Mondeo MK4 BCM

Post by Go4IT »

Here you are, mate. Attached the full readout of a FL BCM (XK-Type with full features).
Go4IT
Pro
Posts: 968
Joined: 08 Feb 2019, 12:25

Re: Clone Mondeo MK4 BCM

Post by Go4IT »

DGAlexandru wrote: 17 Jan 2024, 17:11 Well... not exactly...
In the Data space most probably there is also at least some part of the IMMO algorithm.
I see, very interesting!
If there's time, I would love to talk with you about the KVM keyless module.
Syntax
Active member
Posts: 79
Joined: 09 Jan 2020, 08:06

Re: Clone Mondeo MK4 BCM

Post by Syntax »

Go4IT wrote: 17 Jan 2024, 22:26 Here you are, mate. Attached the full readout of a FL BCM (XK-Type with full features).
Thank you, I have loaded everything into IDA and it immediately disassembled (most of) the code, but unfortunately there is no pseudocode decompiler for this architecture :(
The E2 and data flash do not seem to contain any code, but in the main FW there is code + data past FFFB_94D0 up to FFFF_FFFF.
The SFRs are also mapped, so you can see those 3 CAN channels, each having 32 mailboxes, and what code is using those registers, but I don't know how to utilize that yet as the IDA interface is kind of cumbersome.
So the next step would be to find the handling of something like UDS, or the usage of some other register that the algorithm needs?

Maybe if someone has the code of the pre-2010 algorithm I might try to translate it to R32C assembly and then look for a similar instruction sequence in the facelift FW.
Go4IT
Pro
Posts: 968
Joined: 08 Feb 2019, 12:25

Re: Clone Mondeo MK4 BCM

Post by Go4IT »

Hey, what do you think about a shared/live hack session on my Slack channel? Should I invite you and we arrange a date and time?
Go4IT
Pro
Posts: 968
Joined: 08 Feb 2019, 12:25

Re: Clone Mondeo MK4 BCM

Post by Go4IT »

Hey guys, I'm still looking for a way to read the BCM flashes via CAN. Does anybody know how to do this? With the update bootloader it should be possible to do this, in principle...
DGAlexandru
Pro
Posts: 368
Joined: 04 Aug 2019, 22:47

Re: Clone Mondeo MK4 BCM

Post by DGAlexandru »

If we only had source code for Ursadon's Update IPC ...
we could modify it for other modules.

I tried to do a similar one, but I was never able to get a stable RS232 communication (even the ones for the Mondeo 4 and FF3 Simulators for IPC are crap) and also I couldn't implement the SEED key, even with having some clues already on this forum.
Go4IT
Pro
Posts: 968
Joined: 08 Feb 2019, 12:25

Re: Clone Mondeo MK4 BCM

Post by Go4IT »

In principle, the bootloader takes full control of the module (BCM) and provides a comm channel via a CAN protocol to receive commands to read and send, or receive and program, the module's internal and external flash memories.

One solution could be to develop our own bootloader, which would be a huge challenge but would give all possibilities. Then one could decide on the CAN protocol as well. But I think it's easier to use the existing ones.

Another choice would be to omit the use of a bootloader and find existing UDS programming functions that could be used to read and write the necessary areas of the chip to clone the key areas.

No matter what, in both cases we need security access to the module, using a tool which initiates the secure session, receives a seed and sends the right key. As far as I know there is no brute-force detection or throttling built into the BCM code. So we might simply try out all possible seeds and store the right keys in a database, instead of reverse engineering the key algorithm and implementing that, which still needs to have the secret password.

But first of all we need to build a tool which can communicate safely with the CAN bus, using existing interfaces.
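An added illustration, not code from this thread or from Ford: a simulated ECU-side UDS SecurityAccess (0x27) handler written the way a module with the brute-force throttling discussed above would respond, using the ISO 14229 negative response codes. The key derivation, secret, attempt limit and lockout time are hypothetical stand-ins, not the real BCM algorithm.

```python
import hashlib, hmac, os, time

# Hypothetical stand-in key derivation; NOT the Ford BCM algorithm.
SECRET = b"constructed-example-secret"
MAX_ATTEMPTS = 3          # failed sendKey attempts before lockout
LOCKOUT_S = 10.0          # seconds the server refuses new seeds after lockout

def derive_key(seed: bytes) -> bytes:
    """Server-side key for a seed (4-byte truncated HMAC, placeholder only)."""
    return hmac.new(SECRET, seed, hashlib.sha256).digest()[:4]

class SecurityAccessServer:
    """Simulated ECU handler for UDS service 0x27 with attempt counting."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.seed = None          # outstanding seed awaiting sendKey
        self.failed = 0           # consecutive invalid keys
        self.locked_until = 0.0   # monotonic time at which lockout ends
        self.unlocked = False

    def handle(self, req: bytes) -> bytes:
        """Take a raw request (SID 0x27 + sub-function + data), return the response."""
        if self.clock() < self.locked_until:
            return bytes([0x7F, 0x27, 0x37])      # requiredTimeDelayNotExpired
        sub = req[1]
        if sub == 0x01:                           # requestSeed
            self.seed = os.urandom(4)
            return bytes([0x67, 0x01]) + self.seed
        if sub == 0x02:                           # sendKey
            if self.seed is None:
                return bytes([0x7F, 0x27, 0x24])  # requestSequenceError
            expected = derive_key(self.seed)
            self.seed = None                      # one seed, one attempt
            if hmac.compare_digest(req[2:], expected):
                self.failed, self.unlocked = 0, True
                return bytes([0x67, 0x02])
            self.failed += 1
            if self.failed >= MAX_ATTEMPTS:
                self.failed = 0
                self.locked_until = self.clock() + LOCKOUT_S
                return bytes([0x7F, 0x27, 0x36])  # exceedNumberOfAttempts
            return bytes([0x7F, 0x27, 0x35])      # invalidKey
        return bytes([0x7F, 0x27, 0x12])          # subFunctionNotSupported
```

The lockout bounds how many seed/key pairs a tester can collect per unit time, which is exactly the property the thread notes the real module appears to lack.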