I managed to disassemble most of the PBL. Compared to the main RTOS code, it is relatively simple.
The PBL can be divided into two parts:
1. Initialization of the peripherals
2. The main loop
1. Init
After starting, the processor executes the command at address 0x00000000
In general, at the beginning of the address space is an interrupt table, and at address 0 there is a reset vector. After reset, the stack is initialized:
```asm
PBL:00001018 LDR R0, =STACK_BOTTOM_4000BEFC ; Load from Memory
PBL:0000101C MSR CPSR_c, #0xD2 ; mode = IRQ
PBL:00001020 SUB SP, R0, #0x100 ; Rd = Op1 - Op2
PBL:00001024 MSR CPSR_c, #0x5F ; '_' ; mode = SYS
PBL:00001028 B loc_3DBC
```
0x2000000 | videoram
0x3000000 | external flash
0x6000000 | not mapped - uses the native functions
The PBL also checks the "magic number" - "0x7C, 0xC7, 0x55, 0xAA, 0xAA, 0x55" - at the beginning and at the end of main flash (0x5000 & 0xFFFF8) (function j_PBL_check_mainflash_sig). If the check fails, the PBL proceeds to the second stage - the so-called "boot loop". This is when the hazard light is blinking; otherwise control is passed to the RTOS (0x00005304).
2. PBL main loop
PBL_main_loop() - 0x00001110
The main thread is the "while (1)" loop, where the CAN bus is constantly polled (interval - 1 ms). There are no interrupts:
Read CAN bus errors -> update TIF2 -> [if magic_key is ok, then exit from PBL] -> read CAN data
2.1 Reading CAN bus
PBL_CAN_routine() - 0x0000240E
Possible UDS commands:
- PBL_UDS_DiagnosticSessionControl (0x10) [@0x000019A2] - is used to enable different diagnostic sessions
Possible values:
- 0x1 - defaultSession
- 0x2 - programmingSession
- PBL_UDS_ECUReset (0x11) [@0x000018FC] - The ECUReset service is used by the client to request a server reset. Turns off the watchdog and dies in an infinite "while (1) {}" loop
- PBL_UDS_ReadDataByIdentifier (0x22) [@0x00001A70]
Possible subFunctions:
- 0xD100 - current security status (2 - security access granted, 1 - security access not granted)
- 0xF101 & 0xF102 - not implemented, returns requestOutOfRange error code
- 0xF162 - returns 0xF162
- 0xF180 - Software version string (bootloader version)
- 0xF18C - Serial number - from eeprom @0x7A8 (0x10 bytes)
- 0xF191 - Part number - from eeprom @0x7B8 (0x18 bytes)
- PBL_UDS_TesterPresent (0x3E) [@0x00002372] - This service is used to indicate to a server (or servers) that a client is still connected to the vehicle and that certain diagnostic services and/or communications that have been previously activated are to remain active.
- PBL_UDS_RequestDownload (0x34) [@0x00001E28] - The requestDownload service is used by the client to initiate a data transfer from the client to the server (download).
- PBL_UDS_RequestUpload (0x35) [@0x00001F92] - The RequestUpload service is used by the client to initiate a data transfer from the server to the client (upload).
This is where the magic begins with the secondary bootloader (SBL). In PBL mode, there is a memory area reserved for the SBL: 0x40000D70 - 0x40001570 (800 bytes). The first call to this function always places the loaded data in this area. Therefore, the address of the SBL function call is not 0x00000000 (like in .vbf), but 0x40000D70. All subsequent read/write requests are pre-checked for compliance with the memory blocks (start - end - function_id that handles it (read/write)):
- PBL_UDS_TransferData (0x36) [@0x000022E0] - The TransferData service is used by the client to transfer data either from the client to the server (download) or from the server to the client (upload).
- PBL_UDS_RequestTransferExit (0x37) [@0x000022EC] - This service is used by the client to terminate a data transfer between client and server (upload or download).
- PBL_UDS_SecurityAccess (0x27) [@0x00001B14] - The purpose of this service is to provide a means to access data and/or diagnostic services which have restricted access for security, emissions or safety reasons.
There is no bruteforce detection. Key generation algorithm - Galois LFSR with modified multiplicator. Secret key is {0x08, 0x30, 0x61, 0x55, 0xAA}.
I want to focus on an interesting random value generation algorithm - since the MAC7116 does not have a hardware generator, the CAN channel timer value is used as an entropy source (PBL_generate_securitySeed(), 0x00003184). If the generated seed does not meet expectations, a predefined value is used - {0x1D, 0x65, 0x65}.
- PBL_UDS_RoutineControl (0x31) [@0x00001CBC] - The RoutineControl service is used by the client to start a routine, stop a routine, and request routine results.
Possible routineID:
- 0xD100 - current security status (2 - security access granted, 1 - security access not granted)
- 0x301 - call to SBL functions
- 0xFF00 - erase memory
- 0xFF01 - check memory (try to read)
- None of the PBL functions are used in the RTOS
- RTOS is not OSEK-compatible (unlike Volvo's V50 IPC).
- @Go4IT - I don't know how you broke your IPC 2 years ago - FLASHPROT is disabled during PBL
SBL detailed functionality clarification
------------
P.S. I don't share sources, I share knowledge
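As an added illustration (not the PBL's code and not from the post's author), the following constructed model shows how the UDS services described above gate RequestDownload behind programmingSession, SecurityAccess and the SBL address range, and adds the attempt limit that the post notes the PBL lacks. The seed/key function is injected as key_fn (the LFSR is not reproduced), the fixed seed and the download format are assumptions for the model, and MAX_KEY_ATTEMPTS is a hardening assumption.

```python
# Constructed model of the UDS gating described in the post; NOT the PBL's own code.
# Assumptions: key_fn stands in for the real seed/key derivation (not reproduced),
# RequestDownload uses 4-byte address/size, MAX_KEY_ATTEMPTS is a hardening addition.
SBL_START, SBL_END = 0x40000D70, 0x40001570      # SBL staging area from the post
SESSION_DEFAULT, SESSION_PROGRAMMING = 0x01, 0x02
MAX_KEY_ATTEMPTS = 3                              # assumption: lockout threshold


def negative(sid: int, nrc: int) -> bytes:
    """UDS negative response: 0x7F, requested SID, negative response code."""
    return bytes([0x7F, sid, nrc])


class PblUdsModel:
    def __init__(self, seed: bytes, key_fn):
        self.session, self.granted = SESSION_DEFAULT, False
        self.attempts, self.pending_seed = 0, None
        self._seed, self._key_fn = seed, key_fn

    def handle(self, req: bytes) -> bytes:
        sid = req[0]
        if len(req) < 2:
            return negative(sid, 0x13)                # incorrectMessageLength
        if sid == 0x10:                               # DiagnosticSessionControl
            if req[1] not in (SESSION_DEFAULT, SESSION_PROGRAMMING):
                return negative(sid, 0x12)            # subFunctionNotSupported
            self.session, self.granted = req[1], False  # new session drops access
            return bytes([0x50, req[1]])
        if sid == 0x27:                               # SecurityAccess
            if self.attempts >= MAX_KEY_ATTEMPTS:
                return negative(sid, 0x36)            # exceededNumberOfAttempts
            if req[1] == 0x01:                        # requestSeed
                self.pending_seed = self._seed
                return bytes([0x67, 0x01]) + self._seed
            if req[1] == 0x02 and self.pending_seed is not None:  # sendKey
                ok = req[2:] == self._key_fn(self.pending_seed)
                self.pending_seed = None              # one key attempt per seed
                self.granted = ok
                self.attempts = 0 if ok else self.attempts + 1
                return bytes([0x67, 0x02]) if ok else negative(sid, 0x35)  # invalidKey
            return negative(sid, 0x24)                # requestSequenceError
        if sid == 0x34:                               # RequestDownload (simplified layout)
            if self.session != SESSION_PROGRAMMING:
                return negative(sid, 0x22)            # conditionsNotCorrect
            if not self.granted:
                return negative(sid, 0x33)            # securityAccessDenied
            addr = int.from_bytes(req[3:7], "big")
            size = int.from_bytes(req[7:11], "big")
            if addr < SBL_START or addr + size > SBL_END:
                return negative(sid, 0x31)            # requestOutOfRange
            return bytes([0x74, 0x20, 0x08, 0x00])    # maxNumberOfBlockLength (constructed)
        return negative(sid, 0x11)                    # serviceNotSupported
```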