{"id":278,"date":"2019-09-29T11:54:24","date_gmt":"2019-09-29T06:24:24","guid":{"rendered":"https:\/\/tangentmotorsport.com\/?p=278"},"modified":"2019-09-29T11:54:24","modified_gmt":"2019-09-29T06:24:24","slug":"medc17-uds-flashing-exploit","status":"publish","type":"post","link":"https:\/\/blogs.tangentmotorsport.com\/?p=278","title":{"rendered":"MEDC17 UDS Flashing Exploit"},"content":{"rendered":"\n<p>Just finished writing the backbone of my flashtool last week. Can flash any MEDC17(presently only UDS based). Here&#8217;s a snippet of an EDC17C46 being flashed on bench:<\/p>\n\n\n\n<a href=\"https:\/\/imgur.com\/pTMurHh\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/pTMurHh.png\" title=\"source: imgur.com\" \/><\/a>\n\n\n\n<p>It&#8217;s not just an FRF flash. Any modified file can be flashed(code and data area). An exploit in the bootloader is leveraged to allow RSA check(TPROT) to be bypassed and allow unsigned code to execute.<\/p>\n\n\n\n<p>Presently using Tactrix Openport 2.0(J2534) as an interface and Arduino Due for logging CAN traffic.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Just finished writing the backbone of my flashtool last week. Can flash any MEDC17(presently only UDS based). Here&#8217;s a snippet of an EDC17C46 being flashed on bench: It&#8217;s not just an FRF flash. Any modified file can be flashed(code and data area). 
An exploit in the bootloader is leveraged to allow RSA check(TPROT) to be [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[5],"tags":[73,70,26,72,71,74],"class_list":["post-278","post","type-post","status-publish","format-standard","hentry","category-re","tag-bootloader","tag-flash-tool","tag-medc17","tag-obd","tag-obd2","tag-rsa-patch"],"aioseo_notices":[],"yoast_head_json":{"title":"MEDC17 UDS Flashing Exploit -","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blogs.tangentmotorsport.com\/?p=278","og_locale":"en_US","og_type":"article","og_title":"MEDC17 UDS Flashing Exploit -","og_description":"Just finished writing the backbone of my flashtool last week. Can flash any MEDC17(presently only UDS based). Here&#8217;s a snippet of a EDC17C46 being flashed on bench: It&#8217;s not just an FRF flash. Any modified file can be flashed(code and data area). 
An exploit in the bootloader is leveraged to allow RSA check(TPROT) to be [&hellip;]","og_url":"https:\/\/blogs.tangentmotorsport.com\/?p=278","article_published_time":"2019-09-29T06:24:24+00:00","og_image":[{"url":"https:\/\/i.imgur.com\/pTMurHh.png"}],"author":"nihalot","twitter_card":"summary_large_image","twitter_misc":{"Written by":"nihalot"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blogs.tangentmotorsport.com\/?p=278","url":"https:\/\/blogs.tangentmotorsport.com\/?p=278","name":"MEDC17 UDS Flashing Exploit -","isPartOf":{"@id":"https:\/\/3.127.164.11:80\/#website"},"datePublished":"2019-09-29T06:24:24+00:00","dateModified":"2019-09-29T06:24:24+00:00","author":{"@id":"https:\/\/3.127.164.11:80\/#\/schema\/person\/d90d31ae9d843a5f8308048a2f2d19f0"},"breadcrumb":{"@id":"https:\/\/blogs.tangentmotorsport.com\/?p=278#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blogs.tangentmotorsport.com\/?p=278"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blogs.tangentmotorsport.com\/?p=278#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/3.127.164.11:80\/"},{"@type":"ListItem","position":2,"name":"MEDC17 UDS Flashing Exploit"}]},{"@type":"WebSite","@id":"https:\/\/3.127.164.11:80\/#website","url":"https:\/\/3.127.164.11:80\/","name":"","description":"Custom Code for ECUs","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/3.127.164.11:80\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/3.127.164.11:80\/#\/schema\/person\/d90d31ae9d843a5f8308048a2f2d19f0","name":"nihalot","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/3.127.164.11:80\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/cbff731b9289c11fc7eeba59d92f76462697573bbfb1b8b22fe4e2a20558750c?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cbff731b9289c11fc7eeba59d92f76462697573bbfb1b8b22fe4e2a20558750c?s=96&d=mm&r=g","caption":"nihalot"},"url":"https:\/\/blogs.tangentmotorsport.com\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/blogs.tangentmotorsport.com\/index.php?rest_route=\/wp\/v2\/posts\/278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.tangentmotorsport.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.tangentmotorsport.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.tangentmotorsport.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.tangentmotorsport.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=278"}],"version-history":[{"count":0,"href":"https:\/\/blogs.tangentmotorsport.com\/index.php?rest_route=\/wp\/v2\/posts\/278\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.tangentmotorsport.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.tangentmotorsport.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.tangentmotorsport.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}