[{"data":1,"prerenderedAt":678},["Reactive",2],{"kb-chapters":3,"kb-doc:/knowledge-base/reverse-engineering/ecu-flashing/":169},[4,11,17,23,29,35,41,47,53,59,65,71,77,83,89,96,102,108,114,120,126,132,138,144,151,157,163],{"_path":5,"title":6,"description":7,"part":8,"_file":9,"chapterNumber":10},"/knowledge-base/networks/introduction","Introduction","Overview of the communication networks used in modern vehicles, from LIN to Automotive Ethernet.","Vehicle Networks & Protocols","7.knowledge-base/1.networks/1.introduction.md",1,{"_path":12,"title":13,"description":14,"part":8,"_file":15,"chapterNumber":16},"/knowledge-base/networks/vehicle-documentation","Vehicle Documentation","Where to find manufacturer wiring diagrams, J2534 passthrough devices, and the different types of diagrams that are useful when researching a vehicle.","7.knowledge-base/1.networks/2.vehicle-documentation.md",2,{"_path":18,"title":19,"description":20,"part":8,"_file":21,"chapterNumber":22},"/knowledge-base/networks/lin-bus","Local Interconnect Network (LIN)","Local Interconnect Network — a single-wire low-speed bus used as a low-cost alternative to CAN for non-critical body electronics.","7.knowledge-base/1.networks/3.lin-bus.md",3,{"_path":24,"title":25,"description":26,"part":8,"_file":27,"chapterNumber":28},"/knowledge-base/networks/controller-area-network","Controller Area Network (CAN)","ISO 11898 — the differential bus that became the backbone of automotive networking. 
Frames, bit timing, errors, CAN FD, message contents, and practical attacks.","7.knowledge-base/1.networks/4.controller-area-network.md",4,{"_path":30,"title":31,"description":32,"part":8,"_file":33,"chapterNumber":34},"/knowledge-base/networks/secure-onboard-communication","Secure Onboard Communication (SecOC)","AUTOSAR's standard for cryptographic message authentication on in-vehicle networks — freshness values, MAC computation and key management.","7.knowledge-base/1.networks/5.secure-onboard-communication.md",5,{"_path":36,"title":37,"description":38,"part":8,"_file":39,"chapterNumber":40},"/knowledge-base/networks/flexray","FlexRay","Time-triggered, deterministic automotive bus standardized as ISO 17458, designed for higher speeds and drive-by-wire systems.","7.knowledge-base/1.networks/6.flexray.md",6,{"_path":42,"title":43,"description":44,"part":8,"_file":45,"chapterNumber":46},"/knowledge-base/networks/automotive-ethernet","Automotive Ethernet","Automotive variants of Ethernet — 100BASE-T1, 1000BASE-T1, and 10BASE-T1S — built around single twisted-pair cabling and strict EMC requirements.","7.knowledge-base/1.networks/7.automotive-ethernet.md",7,{"_path":48,"title":6,"description":49,"part":50,"_file":51,"chapterNumber":52},"/knowledge-base/diagnostics/introduction","Overview of automotive diagnostic protocols — ISO-TP, OBD-II, UDS, CCP and XCP — and how they layer on top of CAN.","Diagnostic Protocols","7.knowledge-base/2.diagnostics/1.introduction.md",8,{"_path":54,"title":55,"description":56,"part":50,"_file":57,"chapterNumber":58},"/knowledge-base/diagnostics/iso-tp","ISO 15765-2 (ISO-TP)","ISO 15765-2 transport layer for sending diagnostic payloads larger than 8 bytes over CAN — single, first, consecutive and flow-control frames.","7.knowledge-base/2.diagnostics/2.iso-tp.md",9,{"_path":60,"title":61,"description":62,"part":50,"_file":63,"chapterNumber":64},"/knowledge-base/diagnostics/vw-tp20","VW Transport Protocol 2.0 (TP 2.0)","Volkswagen's 
pre-ISO-TP transport layer for KWP2000 over CAN — channel setup, parameter negotiation, and the data exchange counter scheme.","7.knowledge-base/2.diagnostics/3.vw-tp20.md",10,{"_path":66,"title":67,"description":68,"part":50,"_file":69,"chapterNumber":70},"/knowledge-base/diagnostics/obd-ii","On-board diagnostics (OBD-II)","On-Board Diagnostics II — the J1962 connector, signal protocols, service IDs, parameter IDs, and DTC encoding.","7.knowledge-base/2.diagnostics/4.obd-ii.md",11,{"_path":72,"title":73,"description":74,"part":50,"_file":75,"chapterNumber":76},"/knowledge-base/diagnostics/uds","Unified Diagnostic Services (UDS)","ISO 14229-1 — the modern diagnostic protocol for sessions, Read/Write DID, Security Access, Routine Control and firmware Request Download / Upload.","7.knowledge-base/2.diagnostics/6.uds.md",12,{"_path":78,"title":79,"description":80,"part":50,"_file":81,"chapterNumber":82},"/knowledge-base/diagnostics/ccp","CAN Calibration Protocol (CCP)","A low-level debug/calibration protocol over CAN — Command Receive Object, Data Transfer Object, and the commands used to read and write ECU memory.","7.knowledge-base/2.diagnostics/7.ccp.md",13,{"_path":84,"title":85,"description":86,"part":50,"_file":87,"chapterNumber":88},"/knowledge-base/diagnostics/xcp","Universal Measurement and Calibration Protocol (XCP)","ASAM XCP — successor to CCP supporting CAN, CAN FD, FlexRay, and Ethernet, with synchronous data acquisition, stimulation, and calibration.","7.knowledge-base/2.diagnostics/8.xcp.md",14,{"_path":90,"title":91,"description":92,"part":93,"_file":94,"chapterNumber":95},"/knowledge-base/reverse-engineering/ecu-flashing","ECU Flashing","How a control unit is reprogrammed over the wire with UDS, walked through step by step, why the sequence is staged the way it is, and how the SecurityAccess seed/key gate works, from weak proprietary LFSR ciphers to the Volkswagen SA2 script.","Reverse 
Engineering","7.knowledge-base/3.reverse-engineering/1.ecu-flashing.md",15,{"_path":97,"title":98,"description":99,"part":93,"_file":100,"chapterNumber":101},"/knowledge-base/reverse-engineering/oem-update-files","OEM Update Files","Where to find official ECU firmware, why OEMs ship it, and how the major manufacturer update container formats (VW FRF/ODX, Toyota CUW, Ford VBF, BMW psdzdata, Tesla BHX) are structured, decrypted, and unpacked.","7.knowledge-base/3.reverse-engineering/2.oem-update-files.md",16,{"_path":103,"title":6,"description":104,"part":105,"_file":106,"chapterNumber":107},"/knowledge-base/existing-research/introduction","Landmark papers from 2010 to 2016 that defined automotive security research and demonstrated the first complete remote exploit chain against a production vehicle.","Existing Research","7.knowledge-base/4.existing-research/1.introduction.md",17,{"_path":109,"title":110,"description":111,"part":105,"_file":112,"chapterNumber":113},"/knowledge-base/existing-research/engine-control-units","Engine Control Units","Public reverse-engineering work on engine ECUs, focusing on bri3d's documented exploit chains for the Volkswagen Group Simos 18 ECU and its Infineon TriCore TC1791 processor.","7.knowledge-base/4.existing-research/2.engine-control-units.md",18,{"_path":115,"title":116,"description":117,"part":105,"_file":118,"chapterNumber":119},"/knowledge-base/existing-research/ev-charging","EV Charging","Research covering two distinct attack surfaces introduced by electric vehicle charging, the HomePlug Green PHY powerline data layer used by the Combined Charging System, and the AC charger as a peer device with its own firmware and bidirectional communications.","7.knowledge-base/4.existing-research/3.ev-charging.md",19,{"_path":121,"title":122,"description":123,"part":105,"_file":124,"chapterNumber":125},"/knowledge-base/existing-research/fault-injection","Fault Injection","Published fault injection research relevant to automotive 
microcontrollers, covering voltage glitching, EMFI, debug access, and secure-boot bypasses on Renesas, Infineon, NXP/Freescale, and Tesla compute platforms.","7.knowledge-base/4.existing-research/4.fault-injection.md",20,{"_path":127,"title":128,"description":129,"part":105,"_file":130,"chapterNumber":131},"/knowledge-base/existing-research/infotainment-telematics","Infotainment & Telematics","Sixteen published research entries covering remote exploitation of infotainment and telematics systems across Tesla, BMW, Mercedes-Benz, Volkswagen Group, and Nissan vehicles, plus a cross-industry web API survey.","7.knowledge-base/4.existing-research/5.infotainment-telematics.md",21,{"_path":133,"title":134,"description":135,"part":105,"_file":136,"chapterNumber":137},"/knowledge-base/existing-research/sensors-and-radios","Other Wireless Attack Surfaces","Research covering wireless attack surfaces beyond the primary CAN and telematics interfaces, including tire pressure sensors and DAB radio receivers, both of which accept untrusted RF input and have historically performed no authentication or input validation.","7.knowledge-base/4.existing-research/6.sensors-and-radios.md",22,{"_path":139,"title":140,"description":141,"part":105,"_file":142,"chapterNumber":143},"/knowledge-base/existing-research/remote-keyless-entry","Remote Keyless Entry and Immobilisers","Research on cryptographic attacks against passive keyless entry systems, transponder-based immobilisers, rolling-code RKE, and the CAN-injection theft chain.","7.knowledge-base/4.existing-research/7.remote-keyless-entry.md",23,{"_path":145,"title":146,"description":147,"part":148,"_file":149,"chapterNumber":150},"/knowledge-base/tools/can-adapters","CAN Adapters","USB-to-CAN adapters — comma.ai red panda and PEAK-System PCAN — and the standard DB-9 pinout for 
CAN.","Tools","7.knowledge-base/5.tools/1.can-adapters.md",24,{"_path":152,"title":153,"description":154,"part":148,"_file":155,"chapterNumber":156},"/knowledge-base/tools/can-analysis","CAN Analysis","Tools for analysing and reverse-engineering CAN traffic — comma.ai cabana, SavyCAN, VehicleSpy, and Wireshark.","7.knowledge-base/5.tools/2.can-analysis.md",25,{"_path":158,"title":159,"description":160,"part":148,"_file":161,"chapterNumber":162},"/knowledge-base/tools/scripting","Scripting","Python libraries and CLI tools for talking to a CAN bus — comma.ai panda, SocketCAN can-utils, python-can, and Scapy with ISO-TP and UDS examples.","7.knowledge-base/5.tools/3.scripting.md",26,{"_path":164,"title":165,"description":166,"part":148,"_file":167,"chapterNumber":168},"/knowledge-base/tools/dbc-files","DBC Files","The DBC file format used to describe the contents of CAN messages — nodes, messages, signals, comments, and value tables.","7.knowledge-base/5.tools/4.dbc-files.md",27,{"_path":90,"_dir":170,"_draft":171,"_partial":171,"_locale":172,"title":91,"description":92,"part":93,"references":173,"body":190,"_type":674,"_id":675,"_source":676,"_file":94,"_extension":677},"reverse-engineering",false,"",[174,181,186],{"id":175,"authors":176,"title":177,"publisher":178,"year":179,"url":180},"btb","Jan Van den Herrewegen, Flavio D. 
Garcia","Beneath the Bonnet: A Breakdown of Diagnostic Security","ESORICS 2018, 23rd European Symposium on Research in Computer Security, Springer LNCS 11098",2018,"https://flaviodgarcia.com/publications/BtB.pdf",{"id":182,"authors":183,"title":184,"url":185},"sa2-seed-key","Brian Ledbetter (bri3d)","sa2_seed_key, a VW SA2 Seed/Key authentication implementation for programming sessions","https://github.com/bri3d/sa2_seed_key",{"id":187,"authors":183,"title":188,"url":189},"vw-flash","VW_Flash, flashing tools for VW AG control units over UDS","https://github.com/bri3d/VW_Flash",{"type":191,"children":192,"toc":666},"root",[193,201,238,245,250,254,259,437,448,454,480,484,489,496,507,572,581,587,639,656,662],{"type":194,"tag":195,"props":196,"children":198},"element","h1",{"id":197},"ecu-flashing",[199],{"type":200,"value":91},"text",{"type":194,"tag":202,"props":203,"children":204},"p",{},[205,207,213,215,220,222,228,230,236],{"type":200,"value":206},"Flashing is replacing the program in an ECU's non-volatile memory with a new one, for example when installing a software update at the dealer. Almost every ECU splits its memory into two sections. A small ",{"type":194,"tag":208,"props":209,"children":210},"strong",{},[211],{"type":200,"value":212},"bootloader",{"type":200,"value":214}," runs first on power-up and is the only code that can erase and rewrite the much larger ",{"type":194,"tag":208,"props":216,"children":217},{},[218],{"type":200,"value":219},"application",{"type":200,"value":221}," area. The split also makes flashing recoverable: an application validity flag is set only once the new image is transferred ",{"type":194,"tag":223,"props":224,"children":225},"em",{},[226],{"type":200,"value":227},"and",{"type":200,"value":229}," checked (e.g. CRC or proper signature validation). An interrupted flash leaves the bootloader in control and the flash can simply be retried. 
The reprogramming sequence uses the UDS services from the ",{"type":194,"tag":231,"props":232,"children":233},"a",{"href":72},[234],{"type":200,"value":235},"diagnostics chapter",{"type":200,"value":237},".",{"type":194,"tag":239,"props":240,"children":242},"h2",{"id":241},"the-flash-sequence",[243],{"type":200,"value":244},"The Flash Sequence",{"type":194,"tag":202,"props":246,"children":247},{},[248],{"type":200,"value":249},"A typical UDS reprogramming runs through the same services in a fixed order. Scroll through them below: the memory map on the right tracks where the program counter is, what the application region holds, and whether the ECU currently considers its application valid.",{"type":194,"tag":251,"props":252,"children":253},"ecu-flash-steps",{},[],{"type":194,"tag":202,"props":255,"children":256},{},[257],{"type":200,"value":258},"The shape of the sequence is always the same, even when the details differ between manufacturers:",{"type":194,"tag":260,"props":261,"children":262},"ul",{},[263,291,308,333,350,374,391,420],{"type":194,"tag":264,"props":265,"children":266},"li",{},[267,281,283,289],{"type":194,"tag":208,"props":268,"children":269},{},[270,272,279],{"type":200,"value":271},"DiagnosticSessionControl (",{"type":194,"tag":273,"props":274,"children":276},"code",{"className":275},[],[277],{"type":200,"value":278},"0x10 0x02",{"type":200,"value":280},")",{"type":200,"value":282}," drops the ECU into the programming session (sub-function ",{"type":194,"tag":273,"props":284,"children":286},{"className":285},[],[287],{"type":200,"value":288},"0x02",{"type":200,"value":290},"), which reboots it into the bootloader. 
The functional application is no longer running.",{"type":194,"tag":264,"props":292,"children":293},{},[294,306],{"type":194,"tag":208,"props":295,"children":296},{},[297,299,305],{"type":200,"value":298},"SecurityAccess (",{"type":194,"tag":273,"props":300,"children":302},{"className":301},[],[303],{"type":200,"value":304},"0x27",{"type":200,"value":280},{"type":200,"value":307}," gates everything that follows. Until the tester passes the seed/key challenge, the bootloader refuses to erase or write a single byte. This is the lock most reverse engineering effort goes into, and it gets its own section below.",{"type":194,"tag":264,"props":309,"children":310},{},[311,331],{"type":194,"tag":208,"props":312,"children":313},{},[314,316,322,324,330],{"type":200,"value":315},"RoutineControl ",{"type":194,"tag":273,"props":317,"children":319},{"className":318},[],[320],{"type":200,"value":321},"0xFF00",{"type":200,"value":323}," (",{"type":194,"tag":273,"props":325,"children":327},{"className":326},[],[328],{"type":200,"value":329},"0x31",{"type":200,"value":280},{"type":200,"value":332}," is the standard eraseMemory routine: it tells the bootloader to wipe the application region. From this point until the new image is validated the ECU is not driveable, so a power cut here leaves only the bootloader, which is why a botched flash \"bricks\" a unit.",{"type":194,"tag":264,"props":334,"children":335},{},[336,348],{"type":194,"tag":208,"props":337,"children":338},{},[339,341,347],{"type":200,"value":340},"RequestDownload (",{"type":194,"tag":273,"props":342,"children":344},{"className":343},[],[345],{"type":200,"value":346},"0x34",{"type":200,"value":280},{"type":200,"value":349}," declares the address, the uncompressed/compressed size, and the data-format byte of the image about to be sent. 
The region is already erased and waiting.",{"type":194,"tag":264,"props":351,"children":352},{},[353,365,367,372],{"type":194,"tag":208,"props":354,"children":355},{},[356,358,364],{"type":200,"value":357},"TransferData (",{"type":194,"tag":273,"props":359,"children":361},{"className":360},[],[362],{"type":200,"value":363},"0x36",{"type":200,"value":280},{"type":200,"value":366}," carries the firmware itself, split into blocks sized to the ECU's buffer, each prefixed with a block-sequence counter that increments and wraps so the bootloader can detect a dropped or duplicated block. A full image is many ",{"type":194,"tag":273,"props":368,"children":370},{"className":369},[],[371],{"type":200,"value":363},{"type":200,"value":373}," requests back to back, filling the region a block at a time.",{"type":194,"tag":264,"props":375,"children":376},{},[377,389],{"type":194,"tag":208,"props":378,"children":379},{},[380,382,388],{"type":200,"value":381},"RequestTransferExit (",{"type":194,"tag":273,"props":383,"children":385},{"className":384},[],[386],{"type":200,"value":387},"0x37",{"type":200,"value":280},{"type":200,"value":390}," ends the transfer and lets the bootloader check the amount of data it actually received against the size it was promised.",{"type":194,"tag":264,"props":392,"children":393},{},[394,411,413,418],{"type":194,"tag":208,"props":395,"children":396},{},[397,398,404,405,410],{"type":200,"value":315},{"type":194,"tag":273,"props":399,"children":401},{"className":400},[],[402],{"type":200,"value":403},"0xFF01",{"type":200,"value":323},{"type":194,"tag":273,"props":406,"children":408},{"className":407},[],[409],{"type":200,"value":329},{"type":200,"value":280},{"type":200,"value":412}," runs the \"check programming dependencies\" routine: the integrity and (where present) signature checks that decide whether the new image is allowed to be marked bootable. 
",{"type":194,"tag":273,"props":414,"children":416},{"className":415},[],[417],{"type":200,"value":403},{"type":200,"value":419}," is the standard identifier from the ISO specification, but the actual routine ID varies by manufacturer.",{"type":194,"tag":264,"props":421,"children":422},{},[423,435],{"type":194,"tag":208,"props":424,"children":425},{},[426,428,434],{"type":200,"value":427},"ECUReset (",{"type":194,"tag":273,"props":429,"children":431},{"className":430},[],[432],{"type":200,"value":433},"0x11",{"type":200,"value":280},{"type":200,"value":436}," restarts the unit. The bootloader boots the freshly validated image, and the ECU is back to normal operation on the new firmware.",{"type":194,"tag":202,"props":438,"children":439},{},[440,442,447],{"type":200,"value":441},"The exact byte layout of each of these requests, including the addressAndLengthFormatIdentifier and the block-counter handling, is covered service by service in the ",{"type":194,"tag":231,"props":443,"children":444},{"href":72},[445],{"type":200,"value":446},"UDS chapter",{"type":200,"value":237},{"type":194,"tag":239,"props":449,"children":451},{"id":450},"security-access-algorithms",[452],{"type":200,"value":453},"Security Access Algorithms",{"type":194,"tag":202,"props":455,"children":456},{},[457,459,464,466,471,473,478],{"type":200,"value":458},"The lock on the whole sequence is service ",{"type":194,"tag":273,"props":460,"children":462},{"className":461},[],[463],{"type":200,"value":304},{"type":200,"value":465},", SecurityAccess. 
It is a classic challenge-response: the tester asks for a ",{"type":194,"tag":208,"props":467,"children":468},{},[469],{"type":200,"value":470},"seed",{"type":200,"value":472},", the ECU returns a random value, the tester transforms that seed into a ",{"type":194,"tag":208,"props":474,"children":475},{},[476],{"type":200,"value":477},"key",{"type":200,"value":479}," with a secret algorithm, and the ECU grants access only if the returned key matches what it computed itself.",{"type":194,"tag":481,"props":482,"children":483},"seed-key-exchange",{},[],{"type":194,"tag":202,"props":485,"children":486},{},[487],{"type":200,"value":488},"The security rests entirely on the tester not being able to compute the key without knowing the secret. Two extra measures make brute-forcing harder: after a number of wrong keys the ECU arms a (time-delay) lockout, and many ECUs require a minimum delay between power-on and the first seed request, which also masks a weak random number generator that would otherwise hand out the same seed every boot. None of that helps if the algorithm itself is weak or if the secret is recoverable, which is the usual situation.",{"type":194,"tag":490,"props":491,"children":493},"h3",{"id":492},"breaking-weak-seedkey-schemes",[494],{"type":200,"value":495},"Breaking Weak Seed/Key Schemes",{"type":194,"tag":202,"props":497,"children":498},{},[499,501,505],{"type":200,"value":500},"For decades manufacturers built their seed/key transforms in-house and kept them secret, and that secrecy was the whole defence. In the paper \"Beneath the Bonnet\" researchers reverse engineered the ciphers out of the firmware of four major manufacturers and found the same family of weaknesses everywhere ",{"type":194,"tag":502,"props":503,"children":504},"citation",{"id":175},[],{"type":200,"value":506},". 
All of them were lightly modified Galois LFSRs with a tiny internal state (24 or 32 bits) and proprietary, never-reviewed constructions:",{"type":194,"tag":260,"props":508,"children":509},{},[510,537],{"type":194,"tag":264,"props":511,"children":512},{},[513,515,520,522,528,530,535],{"type":200,"value":514},"The ",{"type":194,"tag":208,"props":516,"children":517},{},[518],{"type":200,"value":519},"Ford",{"type":200,"value":521}," cipher used a 24-bit challenge and response. Its modified Galois LFSR was seeded with a constant (",{"type":194,"tag":273,"props":523,"children":525},{"className":524},[],[526],{"type":200,"value":527},"0xC541A9",{"type":200,"value":529},") baked into the firmware, and the output was mixed against a 64-bit register made of the 24-bit challenge and a ",{"type":194,"tag":208,"props":531,"children":532},{},[533],{"type":200,"value":534},"40-bit secret shared across every ECU of that type",{"type":200,"value":536},". Two captured seed/key pairs leak enough of that secret to reconstruct the cipher. The researchers showed it can even be recovered with nothing but access to the diagnostic interface, using an efficient brute-forcing strategy.",{"type":194,"tag":264,"props":538,"children":539},{},[540,542,547,549,555,557,562,564,570],{"type":200,"value":541},"An ",{"type":194,"tag":208,"props":543,"children":544},{},[545],{"type":200,"value":546},"Audi",{"type":200,"value":548}," gateway used a 32-bit transform whose entire internal state was just the challenge itself, so the only entropy came from a fixed 32-bit tap constant (",{"type":194,"tag":273,"props":550,"children":552},{"className":551},[],[553],{"type":200,"value":554},"0x04C11DB7",{"type":200,"value":556},", the CRC-32 polynomial). 
On top of that weakness, one unit in this family shipped with a ",{"type":194,"tag":208,"props":558,"children":559},{},[560],{"type":200,"value":561},"hardcoded backdoor",{"type":200,"value":563},": reply to any seed with the constant ",{"type":194,"tag":273,"props":565,"children":567},{"className":566},[],[568],{"type":200,"value":569},"0xCAFFE012",{"type":200,"value":571}," and the ECU unlocks regardless of the algorithm.",{"type":194,"tag":202,"props":573,"children":574},{},[575,577,580],{"type":200,"value":576},"A state that small, combined with secrets that are shared rather than per-unit, means a handful of recorded seed/key pairs (or a firmware dump) is enough to recover the algorithm and forge keys at will. The paper's conclusion is blunt: proprietary cryptography with a small internal state is not a substitute for a real keyed primitive ",{"type":194,"tag":502,"props":578,"children":579},{"id":175},[],{"type":200,"value":237},{"type":194,"tag":490,"props":582,"children":584},{"id":583},"volkswagen-group-sa2",[585],{"type":200,"value":586},"Volkswagen Group: SA2",{"type":194,"tag":202,"props":588,"children":589},{},[590,592,597,599,604,606,611,613,617,619,625,627,633,635,638],{"type":200,"value":591},"Volkswagen's modern programming uses what is called the ",{"type":194,"tag":208,"props":593,"children":594},{},[595],{"type":200,"value":596},"SA2",{"type":200,"value":598}," seed/key. Instead of hard-coding one algorithm per ECU, the key computation is shipped as a short ",{"type":194,"tag":208,"props":600,"children":601},{},[602],{"type":200,"value":603},"bytecode program",{"type":200,"value":605},", the ",{"type":194,"tag":223,"props":607,"children":608},{},[609],{"type":200,"value":610},"SA2 script",{"type":200,"value":612},", that lives inside the flash container (the FRF / ODX flashdaten covered in the ",{"type":194,"tag":231,"props":614,"children":615},{"href":97},[616],{"type":200,"value":98},{"type":200,"value":618}," chapter). 
A tiny stack-based virtual machine in the tester loads the seed into a register and runs the opcodes against it: load constants, add and subtract, XOR, rotate and shift, and conditional jumps, ending by returning the transformed register as the key. For example, one published script turns the seed ",{"type":194,"tag":273,"props":620,"children":622},{"className":621},[],[623],{"type":200,"value":624},"0x1a1b1c1d",{"type":200,"value":626}," into the key ",{"type":194,"tag":273,"props":628,"children":630},{"className":629},[],[631],{"type":200,"value":632},"0x6a37f02e",{"type":200,"value":634}," ",{"type":194,"tag":502,"props":636,"children":637},{"id":182},[],{"type":200,"value":237},{"type":194,"tag":202,"props":640,"children":641},{},[642,644,649,651,655],{"type":200,"value":643},"Making the algorithm data rather than code is good engineering: a new ECU can ship a new script without updating the tester. But it has an obvious consequence for security. The script travels inside the flash file, and those files are downloadable through ODIS and the erWin portals, so ",{"type":194,"tag":208,"props":645,"children":646},{},[647],{"type":200,"value":648},"anyone who has the flashdaten has the algorithm",{"type":200,"value":650},". 
Open-source implementations extract the SA2 bytecode straight from the container and execute it to compute keys for a live ECU ",{"type":194,"tag":502,"props":652,"children":654},{"id":653},"sa2-seed-key,vw-flash",[],{"type":200,"value":237},{"type":194,"tag":239,"props":657,"children":659},{"id":658},"references",[660],{"type":200,"value":661},"References",{"type":194,"tag":663,"props":664,"children":665},"chapter-references",{},[],{"title":172,"searchDepth":16,"depth":16,"links":667},[668,669,673],{"id":241,"depth":16,"text":244},{"id":450,"depth":16,"text":453,"children":670},[671,672],{"id":492,"depth":22,"text":495},{"id":583,"depth":22,"text":586},{"id":658,"depth":16,"text":661},"markdown","content:7.knowledge-base:3.reverse-engineering:1.ecu-flashing.md","content","md",1779543672129]
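The flash sequence and the SecurityAccess gate described above, as one added worked example (this is not code from the page, from the "Beneath the Bonnet" paper, or from the bri3d tools): a toy Python bootloader that answers raw UDS request payloads, and a tester that drives it through DiagnosticSessionControl, SecurityAccess, eraseMemory, RequestDownload, TransferData, RequestTransferExit, checkProgrammingDependencies and ECUReset. The block size, the attempt limit, the image layout (payload followed by its CRC-32) and the seed/key transform are assumptions made for the illustration. The transform is a 32-bit Galois LFSR whose whole state is the seed and whose only constant is the CRC-32 polynomial, standing in for the secretless class of cipher the text describes; it is not the actual cipher recovered in the paper. The negative response codes are the standard ISO 14229 ones (0x24, 0x33, 0x35, 0x36, 0x37, 0x73, 0x7F).

```python
import zlib

BLOCK_DATA = 8           # payload bytes per TransferData block (assumed ECU buffer size)
MAX_ATTEMPTS = 3         # wrong keys before the lockout arms (assumed)
TAP = 0x04C11DB7         # CRC-32 polynomial used as a fixed Galois LFSR tap

def weak_seed_key(seed: int) -> int:
    """Secretless transform in the spirit of the 32-bit gateway cipher in the text: 32
    steps of a Galois LFSR whose whole state is the seed, so knowing TAP is enough to
    compute every key. An illustration of that class of weakness, not the paper's cipher."""
    s = seed & 0xFFFFFFFF
    for _ in range(32):
        s = ((s << 1) & 0xFFFFFFFF) ^ (TAP if s & 0x80000000 else 0)
    return s

def build_image(payload: bytes) -> bytes:
    """Constructed image layout (assumed): payload followed by its big-endian CRC-32."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

class ToyBootloader:
    def __init__(self, app_size: int):
        self.app = bytearray(b"\xFF" * app_size)          # erased flash reads as 0xFF
        self.app_valid, self.session, self.unlocked = False, 0x01, False
        self.attempts, self.locked_out = 0, False
        self.seed = self.declared_len = self.expected_block = None
        self.received = bytearray()

    def handle(self, req: bytes) -> bytes:
        """ECU side: takes a raw UDS request, returns the raw positive or negative response."""
        sid = req[0]
        def nrc(code): return bytes([0x7F, sid, code])     # negative response with NRC
        if sid == 0x10:                                    # DiagnosticSessionControl
            self.session, self.unlocked = req[1], False    # a session change drops security
            return bytes([0x50, req[1]])
        if sid == 0x27 and req[1] == 0x01:                 # SecurityAccess requestSeed
            if self.locked_out:
                return nrc(0x37)                           # requiredTimeDelayNotExpired
            self.seed = 0x1A1B1C1D                         # weak RNG: same seed every boot
            return bytes([0x67, 0x01]) + self.seed.to_bytes(4, "big")
        if sid == 0x27 and req[1] == 0x02:                 # SecurityAccess sendKey
            if self.seed is None:
                return nrc(0x24)                           # requestSequenceError
            if int.from_bytes(req[2:6], "big") != weak_seed_key(self.seed):
                self.attempts += 1
                if self.attempts >= MAX_ATTEMPTS:
                    self.locked_out = True
                    return nrc(0x36)                       # exceededNumberOfAttempts
                return nrc(0x35)                           # invalidKey
            self.unlocked, self.attempts = True, 0
            return bytes([0x67, 0x02])
        if self.session != 0x02:
            return nrc(0x7F)                               # serviceNotSupportedInActiveSession
        if not self.unlocked:
            return nrc(0x33)                               # securityAccessDenied
        if sid == 0x31 and req[2:4] == b"\xFF\x00":         # RoutineControl eraseMemory
            self.app[:] = b"\xFF" * len(self.app)
            self.app_valid, self.received = False, bytearray()   # not driveable from here on
            return bytes([0x71, 0x01, 0xFF, 0x00])
        if sid == 0x34:                                    # RequestDownload, ALFID 0x44: 4-byte addr, 4-byte size
            self.declared_len, self.expected_block = int.from_bytes(req[7:11], "big"), 1
            return bytes([0x74, 0x10, BLOCK_DATA + 2])     # max block length incl. SID and counter
        if sid == 0x36:                                    # TransferData
            if req[1] != self.expected_block:
                return nrc(0x73)                           # wrongBlockSequenceCounter
            self.received += req[2:]
            self.expected_block = (self.expected_block + 1) & 0xFF
            return bytes([0x76, req[1]])
        if sid == 0x37:                                    # RequestTransferExit
            if len(self.received) != self.declared_len:
                return nrc(0x24)                           # more or fewer bytes than promised
            self.app[:len(self.received)] = self.received
            return bytes([0x77])
        if sid == 0x31 and req[2:4] == b"\xFF\x01":         # checkProgrammingDependencies
            img = bytes(self.app[:self.declared_len])
            self.app_valid = zlib.crc32(img[:-4]) == int.from_bytes(img[-4:], "big")
            return bytes([0x71, 0x01, 0xFF, 0x01, 0x00 if self.app_valid else 0x01])
        if sid == 0x11:                                    # ECUReset: the app boots only if valid
            self.session, self.unlocked = (0x01 if self.app_valid else 0x02), False
            return bytes([0x51, req[1]])
        return nrc(0x11)                                   # serviceNotSupported

def flash(ecu: ToyBootloader, image: bytes, stop_after_blocks=None) -> list:
    """Tester side, the sequence in order. stop_after_blocks simulates a power cut during
    TransferData and returns the responses collected up to that point."""
    log = [ecu.handle(bytes([0x10, 0x02]))]
    seed = int.from_bytes(ecu.handle(bytes([0x27, 0x01]))[2:6], "big")
    log.append(ecu.handle(bytes([0x27, 0x02]) + weak_seed_key(seed).to_bytes(4, "big")))
    log.append(ecu.handle(bytes([0x31, 0x01, 0xFF, 0x00])))
    log.append(ecu.handle(bytes([0x34, 0x00, 0x44, 0, 0, 0, 0]) + len(image).to_bytes(4, "big")))
    for n, off in enumerate(range(0, len(image), BLOCK_DATA), start=1):
        if stop_after_blocks is not None and n > stop_after_blocks:
            return log                                     # power cut: bootloader keeps control
        log.append(ecu.handle(bytes([0x36, n & 0xFF]) + image[off:off + BLOCK_DATA]))
    for req in ([0x37], [0x31, 0x01, 0xFF, 0x01], [0x11, 0x01]):
        log.append(ecu.handle(bytes(req)))
    return log
```

`flash(ecu, build_image(b"..."))` returns the positive responses of a complete reprogramming and leaves `ecu.app_valid` set. `flash(ecu, img, stop_after_blocks=2)` models the power cut the text warns about: the validity flag was cleared at eraseMemory, so the unit stays in the bootloader, and a second `flash()` on the same object succeeds, which is the recoverability the split buys. Three wrong keys arm the lockout, after which even requestSeed is refused with 0x37. On a real bus each of these payloads would travel inside ISO-TP, and the tester computes the key exactly as an attacker would: the "secret" is just the tap constant.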