NefMoto

Hello guys, i'm stuck in this problem... i've got death code already 2 times  ::) .

I've tried to change also the NLS counter to other address ... from 0x384FF0 to 0x383000 and last one 0x383000 ...always RSA signature failed.

Any solution?

What does ECU FIX do in this case? What checksum it will correct?
How is it possible to disable the RSA check?

Ori file is attach if anyone wanna try  ;)

You want help is to post the file you modify.

These are mod file with different NLS counter position...

none of those are checksummed at all. wtf?

Indeed, if i use ME7Check each file say RSA signature failed...

I have tried to checksum the standard address and then tried to flash... got the death code and car didn't start.

So now i don't know which one is secure to flash... :(

So why aren't you using ME7Sum to fix the checksums?

I have no idea WTF you are trying to do. Why would a file that you modified but did not fix the checksums for work?

Are you saying this ENTIRE time you never bothered to checksum any of your files?

First... drink a cup of tea and keep calm !!!  ;)

Then... what did you not understand?

There are a plenty of topics where everyone of you veterans were noob and asked stupid things... so...let us noob also ask stupid things and try to understand things that you now think are stupid.

I repeat.

In this ECU number, i've tried to add LC and NLS with script... i've done check and summ flashed file... for 2 times i got DEATH CODE for this RSA signature problem
From what i read here, the problem should be the NLS counter, and the checksum with rsa problem.

Now:
i post 3-4 file modded with different NLS counter position... with RSA problem in ME7Check ... i've also try to do a tuned file with this ecu number and it say always RSA problem...so at the end...i think this ecu is strange but:

1) i don't know if nls counter-rsa problem need to be resolved before checksum or after checksum (this is why 4 files without CK)
2) i don't know how to disable rsa
3) i want add LC and NLS to this stupid file (i have done already other without problems)
4) we are here to learn not to be judged or offended or treated badly.
5) long ago ... you were like us noob.

Did you try this?
http://nefariousmotorsports.com/forum/index.php?topic=7794.msg71819#msg71819

Curiosity question, I never had to deal with crypto signatures on the ECU, looked at your ME checksum program now a bit (really just a bit). Is this RSA signature thing really like this - you generate a private / public key pair, sign the MD5 hash of the flash with private key, store the signature and public key in the bin, and the ECU checks the signature against this public key? I mean, no proper certificate (chains)?

Good point! As far as I can tell, there is no other cert anywhere the ECU can get to, so self-signed certs should work.

But who knows, maybe there is another key floating around somewhere that is checked.

Somebody would have to disassemble the RSA checking code to see if there is a cert chain or another key that is checked to make sure it is signed with an authorized key.

Every factory bin with the same software has the same signature / key? Or is there some serial number / VIN based diversification?

In any case, it seems / sounds to me like really poor attempt to have some crypto protection as a selling point that was not really well thought through. The way I saw it without going deep - totally pointless. Sadly, this happens in more serious applications, see this one for example: https://www.wired.com/story/us-border-patrol-hasnt-validated-e-passport-data-for-years/

Where the security falls apart is because you can write the area that contains the key, so it's useless.
On ME7 you can write every single sector of the flash. And bootmode is unprotected.

In newer ECU's some or all of these cases are no longer the case.
As for given topic at hand, the NLS counter is put into a place in memory which is used for RSA calculation, thus the RSA calculation fails.

Is there an algorithmic way to figure out what area is unused? I'm assuming (from what I can tell) that the NLS counter is put someplace arbitrary in the heap, so a large malloc(?) may collide with it.

Is there an known unused area or two in the RSS?

Useless when we talk about internal ECU use for what essentially is just another integrity check in this case, pointless as it may be having all the other things in place.

If, however, this was introduced for legal reasons to off-line check / prove tampering with the ECU code, where the scenario is that the software producer has the database of private keys matched to VIN (ranges), then it is not entirely useless. In fact, I cannot imagine any other application for these signatures other than something like this. But at the same time - yeah, right...