psyko
Newbie
Karma: +0/-1
 Offline
Posts: 13
|
 |
« on: September 07, 2023, 03:41:18 PM »
|
|
|
Hello,
I have a BMW which I am flashing with Bootmod3. They don't allow you to see the map data for their OTS maps (like the specific values in the individual calibration tables for wastegate control, fueling etc...), but you can see the map data for a self-tune or stock map.
I have logged the bytes which Bootmod3 transfers to my ECU during the programming session. It's 306,900 bytes when I do a "partial" flash. Partial meaning the ECU was already flashed with BM3 and I just changed some data in a self-tuned table and reflash.
I expected that maybe only a few bytes would change, but actually only about 72KB are identical (the first chunk) and the remainder is largely changed. It doesn't look to be like any sort of sophisticated encryption or compression, because some random lengths of bytes in these areas ARE still the same... but are mostly different...
Anyway, is what I am trying to do possible? What am I missing? I have the ISO 14229-1 spec which matches at least what the programming session is doing, but as far as the actual data contents go for this session, I am totally blind. Is there a BMW spec somewhere I can find? Or does that come from Bosch? It's a Bosch ECU (Aurix based).
Thanks for any help!!
|
|
|
|
|
Logged
|
|
|
|
|
IamwhoIam
|
|
« Reply #1 on: September 07, 2023, 11:50:25 PM »
|
|
|
Why don't you ask Bootmod3 for help?
|
|
|
|
|
Logged
|
I have no logs because I have a boost gauge (makes things easier)
|
|
|
psyko
Newbie
Karma: +0/-1
Offline
Posts: 13
|
|
« Reply #2 on: September 08, 2023, 11:41:46 AM »
|
|
|
Why don't you ask Bootmod3 for help?
Lol, are you being facetious?? Why would they help me "steal" something they are protecting? They don't want people to know what their proprietary tune consists of and have a method to encrypt the maps on their software. I am wondering if the data transmitted to the ECU is still in an encrypted form, or not (because I doubt the ECU would support that?) |
|
|
|
|
Logged
|
|
|
|
jcsbanks
Full Member
Karma: +17/-3
Offline
Posts: 126
|
|
« Reply #3 on: September 08, 2023, 12:19:57 PM »
|
|
|
Usually the 34 command just before the 36 commands in UDS will tell you what the compression and encryption is so it 3400 it is no compression and no encryption, assuming it isn't running a custom bootloader. BMWs used to flash in the clear IIRC.
|
|
|
|
|
Logged
|
|
|
|
psyko
Newbie
Karma: +0/-1
Offline
Posts: 13
|
|
« Reply #4 on: September 08, 2023, 01:01:13 PM »
|
|
|
Usually the 34 command just before the 36 commands in UDS will tell you what the compression and encryption is so it 3400 it is no compression and no encryption, assuming it isn't running a custom bootloader. BMWs used to flash in the clear IIRC.
Aha! I Think we are on to something here... It's 34 10, meaning compressed but unencrypted. What does compression = 1 mean? How do I decompress the stream -- is there a standard/spec somwhere? |
|
|
|
|
Logged
|
|
|
|
jcsbanks
Full Member
Karma: +17/-3
Offline
Posts: 126
|
|
« Reply #5 on: September 08, 2023, 01:32:15 PM »
|
|
|
The compression and encryption nibbles are platform specific according to the UDS standards.
|
|
|
|
|
Logged
|
|
|
|
psyko
Newbie
Karma: +0/-1
Offline
Posts: 13
|
|
« Reply #6 on: September 08, 2023, 01:43:49 PM »
|
|
|
Dang... Does anyone know what BMW MG1 uses?
I guess I will try to derive it from some statistical analysis of the hex
|
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #7 on: September 09, 2023, 12:45:28 AM »
|
|
|
Dang... Does anyone know what BMW MG1 uses?
I guess I will try to derive it from some statistical analysis of the hex Statistical analysis of AES? Good luck. Because that's what most modern controllers use. No idea about this one though. |
|
|
|
|
Logged
|
|
|
|
|
gt-innovation
|
|
« Reply #8 on: September 09, 2023, 01:48:20 AM »
|
|
|
Dang... Does anyone know what BMW MG1 uses?
I guess I will try to derive it from some statistical analysis of the hex
The steps would be to re-construct the block flashed from a sniff, decrypt using the correct aes keys(if encrypted), decompress using the correct decompression algo(if compressed) and there you have it. However this process is about 50% of what is needed to create a flashing protocol (without an exploit or a hack) and it is too much of an effort for something that many calibration engineers can do. So Why bother at all ? |
|
|
|
« Last Edit: September 09, 2023, 07:34:03 AM by gt-innovation »
|
Logged
|
|
|
|
jcsbanks
Full Member
Karma: +17/-3
Offline
Posts: 126
|
|
« Reply #9 on: September 09, 2023, 09:11:47 AM »
|
|
|
Dang... Does anyone know what BMW MG1 uses?
I guess I will try to derive it from some statistical analysis of the hex
If it happens to be AES 128 CBC you might happen to find an IV that is stereotypical and next to the AES key in the CBOOT dump. But I have no idea about recent BMWs, my colleague won't let me have one because I'd probably end up drifting it all day around an airfield and never get any work done. |
|
|
|
|
Logged
|
|
|
|
EanDem
Full Member
Karma: +8/-35
 Online
Posts: 53
|
|
« Reply #10 on: September 09, 2023, 10:28:48 AM »
|
|
|
It seems like attempt for pain in the ass on full...... Why not start normal way - use propper editing tool as for greenhorn you may buy St1 form known vendor and resolve mappack demand. Start learning and ask more specific questions in forums if required - there always help possible.
|
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #11 on: September 09, 2023, 10:33:02 AM »
|
|
|
If it happens to be AES 128 CBC you might happen to find an IV that is stereotypical and next to the AES key in the CBOOT dump. But I have no idea about recent BMWs, my colleague won't let me have one because I'd probably end up drifting it all day around an airfield and never get any work done.
Assuming that they didn't modify the cboot... |
|
|
|
|
Logged
|
|
|
|
|
