  1. #1

    Inquiring about flashing without opening

    Hey guys, I hope not to be crucified here... just looking to get some basic information that I can't seem to find anywhere else...

    What prevents someone from writing a tune to the DME on the F series cars? Does it ask for a key to initially write or is it a checksum value that must be perfectly encrypted? Since I currently have an E90 and E60 I don't have the ability to hook up to a F series very easily... Assuming that some basic information can be read easily, ie: DTC's, Fuel Pressures, Battery, and other basic items... what is the actual wall that prevents access to write? Or keeping the DME locked?

    Just inquiring by the way...

  2. #2

    My understanding is that you can write modified flash files but the engine will not start (or if you modify the code it will not execute), although my expertise is in modification of tuning related ECU code, not flash access as all the projects I've been involved in have had someone else already achieve flash access. The engine doesn't start because a software module called TPROT or "Tuning Protection" will only run code or calibration if the area is signed by a confidential "private" 1024 bit RSA key that is beyond present factoring ability by brute force, has not been leaked and which has no presently known and commercially released vulnerabilities to exploit. The signature needs to change if you change the data. The signature cannot be feasibly patched or recalculated to match altered data like you can with a checksum. The signature cannot be derived from information in the ECU as it uses asymmetric public key cryptography https://en.wikipedia.org/wiki/Public-key_cryptography

    By flashing in boot mode you can bypass TPROT by typically patching a single instruction usually to make it appear that the RSA check always passes.

    The difficulty is with later MDG1 ECUs (I understand this is for the BMW B58 engine and also newer VAG stuff like the B9 A4) which have processors with hardware security modules which are a further class of protection level which is pretty serious. These watch over memory, processes, guard/filter comms and might actually not be feasible to defeat in a reasonable period of time "if" they have been implemented properly.

    Edit: realising your involvement with another project the answer is too simplistic, but the main point is that the password cannot presently (at least in the commercial/public domain) be read or calculated based on information you can read through the OBD port, unlike earlier ECUs.

  3. #3


    Originally Posted by jcsbanks:
    My understanding is that you can write modified flash files but the engine will not start (or if you modify the code it will not execute), although my expertise is in modification of tuning related ECU code, not flash access as all the projects I've been involved in have had someone else already achieve flash access. The engine doesn't start because a software module called TPROT or "Tuning Protection" will only run code or calibration if the area is signed by a confidential "private" 1024 bit RSA key that is beyond present factoring ability by brute force, has not been leaked and which has no presently known and commercially released vulnerabilities to exploit. The signature needs to change if you change the data. The signature cannot be feasibly patched or recalculated to match altered data like you can with a checksum. The signature cannot be derived from information in the ECU as it uses asymmetric public key cryptography https://en.wikipedia.org/wiki/Public-key_cryptography

    By flashing in boot mode you can bypass TPROT by typically patching a single instruction usually to make it appear that the RSA check always passes.

    The difficulty is with later MDG1 ECUs (I understand this is for the BMW B58 engine and also newer VAG stuff like the B9 A4) which have processors with hardware security modules which are a further class of protection level which is pretty serious. These watch over memory, processes, guard/filter comms and might actually not be feasible to defeat in a reasonable period of time "if" they have been implemented properly.

    Edit: realising your involvement with another project the answer is too simplistic, but the main point is that the password cannot presently (at least in the commercial/public domain) be read or calculated based on information you can read through the OBD port, unlike earlier ECUs.
    Great post. Not sure I even understand it as these built in protections are confusing but certainly doing their job.

    I would love to see real open F-Series home flashing as would Trevor. Seems it is a bit of pipe dream but who knows? Maybe...

  4. #4



    Originally Posted by jcsbanks:
    My understanding is that you can write modified flash files but the engine will not start (or if you modify the code it will not execute), although my expertise is in modification of tuning related ECU code, not flash access as all the projects I've been involved in have had someone else already achieve flash access. The engine doesn't start because a software module called TPROT or "Tuning Protection" will only run code or calibration if the area is signed by a confidential "private" 1024 bit RSA key that is beyond present factoring ability by brute force, has not been leaked and which has no presently known and commercially released vulnerabilities to exploit. The signature needs to change if you change the data. The signature cannot be feasibly patched or recalculated to match altered data like you can with a checksum. The signature cannot be derived from information in the ECU as it uses asymmetric public key cryptography https://en.wikipedia.org/wiki/Public-key_cryptography

    By flashing in boot mode you can bypass TPROT by typically patching a single instruction usually to make it appear that the RSA check always passes.

    The difficulty is with later MDG1 ECUs (I understand this is for the BMW B58 engine and also newer VAG stuff like the B9 A4) which have processors with hardware security modules which are a further class of protection level which is pretty serious. These watch over memory, processes, guard/filter comms and might actually not be feasible to defeat in a reasonable period of time "if" they have been implemented properly.

    Edit: realising your involvement with another project the answer is too simplistic, but the main point is that the password cannot presently (at least in the commercial/public domain) be read or calculated based on information you can read through the OBD port, unlike earlier ECUs.
    Sorry to not have gotten back to you any sooner, been sort of tied up... Is it possible to get a full read on the DME without TPROT? If so, what is the software number, and could you get a full read for me?

    Thanks again!

  5. #5


    The type of ECU depends on how you obtain your original file. Some Tricore ECUs can be written only through OBD, not read even in boot mode, which is also protected (e.g. SIMOS18). Some tuners like this as it protects their work, others find limited recovery methods curtail their development. The tool suppliers like CMD flash have lists of the various ECUs and how they can be read/written. Some supply virtual reads from their server and some convert OEM files to give an original. There are dumps of various TPROT versions on chip tuning type forums such as ecuconnections and nefmoto and discussions over how to patch.

    Doing it for free is difficult given the time involved. I have some stuff I have spent about six months full time on (that needs a few more months) that I want to make a return on, but it is original work rather than another version of something people can do already. There are tens of thousands that would want it for free, but I have put more than I have been able to into free projects into it. So I do need to protect it as donations or selling the work before it is commercially proven will give pennies on the dollar of the work involved.

  6. #6



    So access to a full read on an ecu with TPROT isn't possible currently then? I'm on the forums you listed already, I've been grabbing as much as possible for the project. I definitely understand the time involvement and compensation. I'm doing this for the forum and community as a whole, there are ways to monetize without having to charge people for the product...

  7. #7


    Full reads of many/most TPROT ECUs are available. People want $$$/$$$$ for a2ls. WinOLS reseller database has loads of stuff, but unfortunately useful a2l content is lost by its importer and it is also $$$$ cost of entry.

    Full read on TPROT ECUs is best done in boot mode but depending on manufacturer and TPROT version there is a range of capabilities of different tools in terms of what they can read or write through OBD or boot.
    Last edited by jcsbanks; 07-16-2017 at 08:21 PM.

  8. #8



    @terra anything that you are aware of that could assist?

  9. #9


    Originally Posted by jcsbanks:
    Doing it for free is difficult given the time involved. I have some stuff I have spent about six months full time on (that needs a few more months) that I want to make a return on, but it is original work rather than another version of something people can do already.
    I hear you and considering the effort I understand your position.

    Maybe if you clarified what this original work was we could have a better understanding? If you want to PM feel free.

    You said it needs a few more months as well. Maybe you would be open to help?

    Are you starting a tuning company or do you work for one?

  10. #10


    Originally Posted by Sticky:
    I hear you and considering the effort I understand your position.

    Maybe if you clarified what this original work was we could have a better understanding? If you want to PM feel free.

    You said it needs a few more months as well. Maybe you would be open to help?

    Are you starting a tuning company or do you work for one?

    You'll see what it is soon enough
    BIG things coming soon

  11. #11



    That's refreshing to know... still don't care to share any xml files for the community???

  12. #12


    I am happy to discuss in outline any interesting ideas or projects in public or private, but have to respect the confidentiality of commercial projects and avoid conflicts of interest. Over the years I have shared around 5000 hours of work for free. The experience was good for further commercial work for sure, but I could have monetized much earlier.

  13. #13


    Originally Posted by trevorlee02:
    That's refreshing to know... still don't care to share any xml files for the community???
    Not sure what exactly you mean by "xml files", but all table definitions are freely available on our github, and that is where they will remain.
    BIG things coming soon

  14. #14


    Originally Posted by trevorlee02:
    @terra anything that you are aware of that could assist?
    At the moment, no. I don't own any of the newer DMEs to mess around with. In principle the "problem" is similar to what people faced with the early days of MSD8x tuning: That is, the boot passwords can't be read without modifying the program, and the program can't be modified without a valid RSA signature. However Siemens messed up with their RSA implementation, making it unnecessary to even do a boot read (though boot mode access is nice for recovering bricks and changing EWS stuff). Since people *are* able to modify the Bosch DMEs after opening them, I suspect it is possible to read or calculate their UCB passwords without a patched program. But I don't personally know the method.

    If there's no such flaw in the implementation of newer DMEs, then it becomes considerably more difficult, at least until computers become fast enough to factor 1024-bit RSA keys (maybe will happen within the next decade or so). Or if you happen to know of a string of characters that result in an MD5 value that is a perfect cube, then you can break most BMW RSA implementations. But the odds of finding a perfect cube MD5 are quite low.
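Added example, written for this thread and not taken from any poster here or from any vendor's TPROT code. It puts two points from the discussion side by side: jcsbanks's note in #2 that a checksum can simply be recomputed after an edit while an RSA signature over the data cannot, and terra's remark in #14 that a raw e=3 RSA check is satisfied by any hash value that happens to be a perfect cube, whereas a verifier that compares the whole padded block is not. Everything in it is constructed for the demo: a 512-bit key generated at run time, a 16-bit additive checksum, a 258-byte "calibration area" built from counting bytes, and a stand-in hash function that returns a known cube. The function names (checksum16, verify_padded, verify_unpadded, cube_root_if_perfect, demo) are mine, not anything from a real DME.

```python
"""Checksum vs. RSA signature over a flash image, and why the verifier's padding
and full-block comparison matter for e = 3.  Toy code; not any ECU vendor's."""
import hashlib
import random

# --- 1. Checksum protection: the verifier's test is recomputable by anyone ---
def checksum16(body: bytes) -> int:
    """Constructed 16-bit additive checksum standing in for a calibration checksum."""
    return sum(body) & 0xFFFF

def append_checksum(body: bytes) -> bytes:
    return body + checksum16(body).to_bytes(2, "big")

def verify_checksum(image: bytes) -> bool:
    return checksum16(image[:-2]) == int.from_bytes(image[-2:], "big")

def patch_and_fix_checksum(image: bytes, offset: int, value: int) -> bytes:
    """Edit one byte, then recompute the trailer: the checksum check passes again."""
    body = bytearray(image[:-2])
    body[offset] = value
    return append_checksum(bytes(body))

# --- 2. Toy RSA key (e = 3) so the signature side runs offline ---
def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p % 3 == 2 and is_probable_prime(p):  # p-1 not divisible by 3, so e=3 is invertible
            return p

def gen_keypair(bits: int = 512):
    """Returns ((n, e), (n, d)); 512-bit modulus only to keep the demo quick."""
    p, q = gen_prime(bits // 2), gen_prime(bits // 2)
    n, e = p * q, 3
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

# --- 3. Padded signature (PKCS#1 v1.5 style) with a full-block comparison ---
MD5_DIGESTINFO = bytes.fromhex("3020300c06082a864886f70d020505000410")  # DER prefix for MD5

def encode_pkcs1_v15(data: bytes, k: int) -> bytes:
    t = MD5_DIGESTINFO + hashlib.md5(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_padded(priv, data: bytes) -> int:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(encode_pkcs1_v15(data, k), "big"), d, n)

def verify_padded(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if not 0 <= sig < n:
        return False
    # Compare the entire encoded block, not just the trailing hash bytes.
    return pow(sig, e, n).to_bytes(k, "big") == encode_pkcs1_v15(data, k)

# --- 4. Weak verifier: raw hash-as-integer compared with sig^3 mod n ---
def md5_int(data: bytes) -> int:
    return int.from_bytes(hashlib.md5(data).digest(), "big")

def verify_unpadded(pub, data: bytes, sig: int, hash_int=md5_int) -> bool:
    n, e = pub
    return pow(sig, e, n) == hash_int(data)

def icbrt(x: int) -> int:
    """Smallest s with s**3 >= x (binary search on big ints)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo

def cube_root_if_perfect(h: int):
    """If h is a perfect cube its cube root satisfies the weak verifier with no private
    key: a 128-bit hash is far below n, so sig**3 is never reduced mod n."""
    s = icbrt(h)
    return s if s ** 3 == h else None

def demo(seed: int = 1) -> dict:
    random.seed(seed)                                 # deterministic toy key
    pub, priv = gen_keypair()
    image = append_checksum(bytes(range(64)) * 4)     # constructed 258-byte "calibration area"
    sig = sign_padded(priv, image)
    edited = patch_and_fix_checksum(image, 10, 0xAA)
    fake_hash = lambda _data: 123456789 ** 3          # stand-in for a hash that is a perfect cube
    s = cube_root_if_perfect(fake_hash(b""))
    return {
        "checksum_refixed_after_edit": verify_checksum(edited),
        "signature_ok_on_original": verify_padded(pub, image, sig),
        "signature_ok_on_edited": verify_padded(pub, edited, sig),
        "real_md5_is_perfect_cube": cube_root_if_perfect(md5_int(image)) is not None,
        "weak_verifier_accepts_cube_root": verify_unpadded(pub, image, s, hash_int=fake_hash),
        "padded_verifier_accepts_cube_root": verify_padded(pub, image, s),
    }
```

Running demo() shows the checksum image verifying again after a one-byte edit plus trailer recompute, the padded RSA signature rejecting the same edit, the real MD5 of the image not being a cube (the odds are about 2^-85, which is the "quite low" in the post above), and the stand-in cube hash passing the unpadded verifier while failing the padded one. The design point for a verifier is the last line of verify_padded: rebuilding the full PKCS#1 block and comparing all of it, rather than only the hash bytes at the end, is what closes the e=3 cube-root route.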

  15. #15


    Originally Posted by terra:
    At the moment, no. I don't own any of the newer DMEs to mess around with. In principle the "problem" is similar to what people faced with the early days of MSD8x tuning: That is, the boot passwords can't be read without modifying the program, and the program can't be modified without a valid RSA signature. However Siemens messed up with their RSA implementation, making it unnecessary to even do a boot read (though boot mode access is nice for recovering bricks and changing EWS stuff). Since people *are* able to modify the Bosch DMEs after opening them, I suspect it is possible to read or calculate their UCB passwords without a patched program. But I don't personally know the method.

    If there's no such flaw in the implementation of newer DMEs, then it becomes considerably more difficult, at least until computers become fast enough to factor 1024-bit RSA keys (maybe will happen within the next decade or so). Or if you happen to know of a string of characters that result in an MD5 value that is a perfect cube, then you can break most BMW RSA implementations. But the odds of finding a perfect cube MD5 are quite low.
    Man I don't really understand any of this.

    All I know is I would love to help open up N55 flashing.
