
You might be saying, wait, doesn't GIAC have a tune? Indeed they do, and to their credit they are the only company flashing the ECU. What they are truly doing is anyone's guess (and impressive), but tuners speculate they are doing what is known as BDM tuning, or Background Debugging Mode.
This is commonly called a bench flash, as the ECU must be physically removed. Cobb, for example, does not do bench flashing (although they do have bench flash access) and wants OBD-II access so you can flash at home with your Cobb Accessport.
That creates a problem, though:

There are authentication steps that are posing problems, which we will now go over.
1. For OBD-II access there is a seed/key algorithm with a private key to gain write access to the ECU. If the wrong response is given, you are locked out of the ECU. Someone has already solved this part.
2. Read access can be an issue: with the 991.1, tuners were able to use factory tools through OBD-II to get a read. Now you have to build a file library through BDM access, since it is not possible through OBD-II.
3. Things get tricky with the write process. The files are all encrypted at the OEM level, and when a dealer writes to the ECU the files are encrypted and decrypted at the ECU level. It is this new encryption and decryption process that is posing the big problem.
The new ECUs have stronger processing power, so the write time is about the same despite the encryption protocol.
Additionally, when the ECU boots up it checks for a signature. You must have this signature or you will be locked out. This signature is computed on the fly. The signature validation process is arguably the hardest part, depending on which hacker/tuner you talk to. BDM flashing does not have this requirement.
If you program via OBD-II, the validation status is reset and cleared when you upload data or erase memory. It is not set again until the validation routine is run. In the past the signature pointer was manipulated through a binary patch which pointed to a valid signature in a section that was not normally tuned. The early SDI3 and SDI4 Porsche ECUs did not have this validation requirement enabled, for whatever reason; they did not check for actual validation, just the checksums.
The Porsche 991.1 SDI9 did implement signature validation, but you could bypass it as it was previously bypassed, by pointing it somewhere else. This is a common exploit and a bug Siemens seemingly patched, which means people are going to need to get very creative to bypass it.
The various checksums (a digit representing the sum of the correct digits in a piece of stored or transmitted digital data, against which later comparisons can be made to detect errors in the data) of course still pose a problem, so overall this is a very difficult process, but one would guess it is only a matter of time before it is solved.
How much time? Who knows. With the Infineon TriCore ECUs and some Bosch ECUs there was help from someone on the inside at the factory who sold codes for hundreds of thousands of dollars. It would be a great risk for someone at Porsche or even Siemens to help tuners get around the security measures. A great financial reward too, but is it worth a potential jail sentence?
There are very smart people working against very smart people with billions of dollars of resources to make sure those smart people do not get access.
Ultimately, it is a huge battle being fought behind the scenes for some who wish to prove their talent and others who want to make tons of money. These two aspects often overlap in the tuning world.
One way or another, this ECU will be broken into.