NefMoto

Technical => Reverse Engineering => Topic started by: kur4o on October 23, 2023, 01:28:56 PM



Title: a2l application
Post by: kur4o on October 23, 2023, 01:28:56 PM
New a2l tool released.


https://universalpatcher.net/a2l-application/ (https://universalpatcher.net/a2l-application/)


Main features:

Open and convert a2l file
Open and convert winols files
Import/export csv files
Export IDapro script files.


Title: Re: a2l application
Post by: nyet on October 23, 2023, 03:13:22 PM
Quote
New a2l tool released.


https://universalpatcher.net/a2l-application/ (https://universalpatcher.net/a2l-application/)


Main features:

Open and convert a2l file
Open and convert winols files
Import/export csv files
Export IDapro script files.

where is the github repo with source?


Title: Re: a2l application
Post by: _nameless on October 23, 2023, 03:33:47 PM
Quote
New a2l tool released.


https://universalpatcher.net/a2l-application/ (https://universalpatcher.net/a2l-application/)


Main features:

Open and convert a2l file
Open and convert winols files
Import/export csv files
Export IDapro script files.
Also, this should be in the for sale section considering it requires a paid subscription.


Title: Re: a2l application
Post by: kur4o on October 24, 2023, 03:56:15 AM
nyet it is closed source. Not sure why you need it.

_nameless, if you don't like it just ignore it.

I am not selling anything, but if the thread is not in the correct subforum, admin is welcome to move it.


Title: Re: a2l application
Post by: prj on October 24, 2023, 03:59:29 AM
Quote
nyet it is closed source. Not sure why you need it.

_nameless, if you don't like it just ignore it.

I am not selling anything, but if the thread is not in the correct subforum, admin is welcome to move it.

Quote
NOTE2: Application requires license. Please support our team with donation and we will generate a license for you.
Calling sales donations?

Uploading some kind of unsigned closed source anonymous thing here with questionable functionality?
We're not 5 years old here, we perfectly know that it can be a trojan that's going to send every single file to your server.

No source, no digital signature = get lost. You will not find any approval for such shit here.



Title: Re: a2l application
Post by: kur4o on October 24, 2023, 05:04:18 AM
prj,

I don't want to be rude but you sound like a paid troll for a commercial company.

I guess the next thing after posting the source and signing the program is to pay you to use it.

If you want a signed program, just send 1k USD for a signing certificate for one year and you will get it.

Commenting on functionality without testing is also not correct, so either do a real test and comment, or keep quiet.

I can also walk you through how to set up an isolated virtual machine, and will get you some a2l out of the internet, to keep your precious files safe and sound.
Not sure how advanced you are with computers, but I will also show you how to use a network monitor program, hope it's not beyond your current skill level.



Title: Re: a2l application
Post by: prj on October 24, 2023, 05:45:51 AM
Quote
If you want a signed program, just send 1k USD for a signing certificate for one year and you will get it.
A code signing cert does not cost even close to that.
But you don't know that since you have never created or published any commercial software in your life.

You're trying to anonymously sell commercial shit here that's unsigned and that takes sensitive data. What response do you expect?


Title: Re: a2l application
Post by: _nameless on October 24, 2023, 09:10:10 AM

Quote
_nameless, if you don't like it just ignore it.

I am not selling anything, but if the thread is not in the correct subforum, admin is welcome to move it.
What the fuck would you call it then? Posting software in a reverse engineering sub forum without source and requiring payment for use sounds exactly like selling if you ask me... or really anyone else for that matter. 


Title: Re: a2l application
Post by: kur4o on October 24, 2023, 10:01:54 AM
How do I know? Don't advertise me shady certs with dodgy service.

Sorry _nameless, I didn't find a subforum for tools, so this one seems most appropriate, since the tool is mainly used for reverse engineering. If that is not the case, I'd be happy if it gets moved to the appropriate subforum.


I want to get this cleared up. The application is used in offline mode only. There is no paid subscription, and there are no online calls to a server to use it. This can be verified easily if you have the skills.


Since it has been pointed out multiple times: how much does this cost, I want to buy it.

Selling is usually associated with profit. Donations will likely cover the costs associated with license generation and site maintenance.
It also serves another purpose, adding an extra layer of security and filtering crooks out from the people that really need it.

Eventually both of you will be using the tool, since it is way better than anything offered so far, paid or open source.
The winols a2l plugin is a laugh, to say the least.


Title: Re: a2l application
Post by: prj on October 24, 2023, 11:15:50 AM
Quote
How do I know? Don't advertise me shady certs with dodgy service.
Not sure what you're on about.
1. You don't need EV Code signing, nor would you even be able to get it, you would not pass verification without a legit size business.
2. There are two big players in code signing. Sectigo and Digicert. Neither of those are any better than the other.

There is nothing "shady" about either one of them. You picked the most expensive option of all possible, and even that did not amount to 1000$.
What you need costs around 200$ today. Before HSM was required it was 70$.

Quote
I want to get this cleared up. The application is used in offline mode only. There is no paid subscription, and there are no online calls to a server to use it. This can be verified easily if you have the skills.
Nobody has to verify jack shit dude. There are two options.
a) Release the source
b) Sign it with a code cert and put your name on it.

Even if it cost 1000$ a year, if your paid super duper software is making less than that, then there is no point releasing it, or release it open source.
If you did any significant software development and this would be a side thing then you would already have a code signing cert you could use.

Quote
Since it has been pointed out multiple times: how much does this cost, I want to buy it.

Selling is usually associated with profit. Donations will likely cover the costs associated with license generation and site maintenance.
It also serves another purpose, adding an extra layer of security and filtering crooks out from the people that really need it.
Selling is associated with revenue, not profit.

Quote
Eventually both of you will be using the tool, since it is way better than anything offered so far, paid or open source.
The winols a2l plugin is a laugh, to say the least.
Pretty bold assumption. I have my own A2L parser, code analyzer and disasm tools.
I don't ever need to use your crap or anyone else's. I write my own tools.

I also sign or open source all of the software I release. And I don't need an excuse to sell something.
You on the other hand are just a script kiddie with a big mouth. Selling unsigned software with "donations".
A literal nobody who is too scared to put his name on the things he releases, but who is happy to talk shit about EVC. You will never amount to even 0.1% of what EVC has done for the tuning industry, nor do you probably even own a legit version of WinOLS.


Title: Re: a2l application
Post by: kur4o on October 24, 2023, 11:46:14 PM
prj,

1. If you think company verification is something really hard, you have no idea what is needed then. Add VAT + the applicable taxes and you will be way over 1k for an EV and close to 1k for a non-EV cert.

2. You still sound like a retard who will likely lose revenue. I see no other reason for your freaking-out behaviour. No arguments at all and full of false statements. Typical trolling service.

3. You work with precious sensitive data, and don't want false positives, so you need the most trusted EV certificate.

4. Get me a cert for 200$ for 1 year. I will send you some money.

5. I don't care about your DOS-based script type of shit parser you have, that nobody has heard of.

6. And I will likely not pay anyone to use anything as you keep suggesting (getting a code cert), because it is too retarded to verify program integrity and don't trust antivirus programs. Please prj, use the program, I will get you 5 bucks anytime you open it.

a) release the source [so I can repack it and sell it. You are so flat]
Selling is associated with revenue, not profit. [What a bold statement] If you don't make profit out of it, you are making gifts [subsidizing people], not selling anything.

7. You keep suggesting the application is some scam for stealing precious data, without a single point to prove it. Get some evidence about it or keep quiet [I don't want to be rude so excuse the mild language being used].

8. I don't care about winols' contribution either. Their program sucks as hell, halted in its state in the DOS era, and the only reason it is so popular is its market share monopoly. The format of their definition files is so crippled [someone will tell protected for reverse engineering], it can't take a fraction of the precious data that lies in a2l files.


Title: Re: a2l application
Post by: prj on October 25, 2023, 12:58:31 AM
Quote
prj,

1. If you think company verification is something really hard, you have no idea what is needed then. Add VAT + the applicable taxes and you will be way over 1k for an EV and close to 1k for a non-EV cert.
Non-EV CERT is 200$.
Verification is not "really hard", but you have to have a legit company. You clearly don't if you're talking about paying VAT and taxes.
There's no "applicable taxes" or "VAT" for company expenses.

Quote
3. You work with precious sensitive data, and don't want false positives, so you need the most trusted EV certificate.
EV gives full smartscreen reputation instantly. Non-EV means you have to earn it, and after a few signed files are installed by some customers you have exactly the same reputation.
This has to be done once, after which the rep is there forever, even after cert is extended. Hardly an issue if you're releasing legit software on a regular basis.
Nobody except large corporations with money to spare needs EV signing certs, and normal certs are on HSM tokens since 1 June anyway.
 
Quote
4. Get me a cert for 200$ for 1 year. I will send you some money.
You're not going to send me shit, because code cert is tied to your company or name and you have to go through a verification process and submit documents.
That's the entire point of it. Signed = you're not an anonymous cunt trolling on a forum anymore. If you put malicious code into your tools, then you can get sued, plain and simple.
Here's an example:
https://codesigncert.com/cheap-code-signing-certificates (https://codesigncert.com/cheap-code-signing-certificates)
$226/year if you already have HSM token. A bit more if you don't.

Quote
5. I don't care about your DOS-based script type of shit parser you have, that nobody has heard of.
My A2L tools are internal use only. As for nobody heard about it - I guess you haven't heard about it. Most people who are tuning German (and other cars) are using my tools at the moment, they are part of the logging toolset.
I also don't sell any kind of converters, and I couldn't care less about your shit. I'm just calling you out on your scummy practices.

Quote
because it is too retarded to verify program integrity and don't trust antivirus programs
People who need these tools do not have the required knowledge to reverse engineer and verify what they are doing.
Even suggesting that just shows how far detached you are from reality.
Talking about AV is also hilarious, because it shows that while you are suggesting others to reverse your shit, you don't have any clue about it yourself.
AV works using pre-programmed signatures. If you simply upload data to a server then no AV is going to trigger on it ever.

Also, calling customers retarded when trying to sell them something, is going to go down real well lol.

Quote
If you don't make profit out of it, you are making gifts [subsidizing people], not selling anything.
No, it is called selling at a loss, which is basic economics. If your software is so shitty that you can not sell it at a profit, then too bad.
If it was as good as you say it is, then you would be printing money right now, not selling it for "donations".
It's very simple, you're either selling it or you're giving it out for free. In your case you're clearly selling it and you come on this forum spamming it in the wrong place.

Whether it's useful for anyone that you're gonna make a profit on it is another topic entirely. You seem to yell really loudly how it is the best thing since sliced bread.
On the other hand, it seems to be so bad that you don't believe it can make a profit. Make up your mind.

As for me, I fail to see why anyone would care about it outside your specific niche.
You're trying to sell a tool that converts data to some obscure format used by an obscure app that works with one engine. Nobody on here needs that.

Quote
7. You keep suggesting the application is some scam for stealing precious data, without a single point to prove it. Get some evidence about it or keep quiet [I don't want to be rude so excuse the mild language being used].
You are posting unsigned compiled binary without source code.
Yes you will get these accusations, and it's up to you to prove otherwise by putting your name on it. Or releasing it as open source, if you don't intend on monetizing it.
This has been done many times in the past on e.g. ecuconnections, where a software identifier uploaded people's files to a google drive account.

If you didn't want feedback then you shouldn't have posted it here. Luckily you don't get to dictate who "keeps quiet", and get called out on your shit.
As for being rude - it's clear that you're on the spectrum if you don't think you're being rude already. That's okay, we don't judge here.

Quote
8. I don't care about winols' contribution either. Their program sucks as hell, halted in its state in the DOS era, and the only reason it is so popular is its market share monopoly. The format of their definition files is so crippled [someone will tell protected for reverse engineering], it can't take a fraction of the precious data that lies in a2l files.
And I don't care about you yelling really loudly.
Btw, there's no "market monopoly", WinOLS is not the only tool since over a decade. You probably haven't even heard of Swiftec or newer stuff like Stage X.

You're just an angry kid talking shit. You probably weren't even born when OLS was released.


Title: Re: a2l application
Post by: kur4o on October 25, 2023, 03:43:05 AM
The cheapest one goes for 600$ for one year. So far for the link you provided.

Thanks for the crash course in economics and the cert business. It is really informative how good you are. Looks like you don't have any experience with companies, since all companies that are not VAT registered owe VAT, and you should know better, Mr Economics.

Quote
Most people who are tuning German (and other cars) are using my tools at the moment,

That explains it all, why you are so upset. All your statements should be considered to be in a state of conflict and are completely irrelevant to the thread topic.


The main argument you have is code signing. I am still using unsigned drivers, from reputable companies.
It is obvious that if the program was signed, there would be something else to argue about, and the troll spam would be absolutely the same.


Calling xdf and csv formats obscure only shows that you are too tied to commercial software, and tuning without PAYING big shit money scares you to death.
Why it is not advertised is because tunerpro doesn't cover lots of a2l functionalities, like 2d, 3d, 4d arrays, multitables and so on.
If you are so good as you claim, you can easily convert xml definitions to your preferred tuning software or write your own.
The one engine statement only shows your ignorance of open source tuning. Actually with tunerpro you can't tune a single engine without a definition file.
Stating that tunerpro is completely useless, is that what you're trying to say?

Calling the a2l->ida import script non reverse engineering specific is another weak point. Think about something better.

Please don't push me to release the source code, so someone else [like you] can monetize it.

From now on the source code is officially for sale [thread can be moved to the sales section].
Estimated cost in man hours used for developing will be around 1 mil, and that doesn't include the value of the program.
So you are still telling me I am selling something.



Arguing with you off topic is fun, but it is also a punishment to argue with an empty bottle - whatever you say there is always some slight echo back that is so faint you can't even hear it.

I don't plan to keep up this off topic fight, so if you have something to say on the subject I will be more than happy to answer you.

P.S.

When you were young, someone took your lollipop out of your mouth and you grew into one very angry upset kid. I perfectly understand it and don't take it personally. You are excused.


Title: Re: a2l application
Post by: prj on October 25, 2023, 03:58:42 AM
Quote
The cheapest one goes for 600$ for one year. So far for the link you provided.
Are you blind? 226$ per year if you buy for 3 years...
Even if it was 600$ that's peanuts for any half-decent software developer in the EU.
Less than 20% of monthly salary, and if you're making paid software that has any use at all, then it is going to pay for itself in a week.
Except it's not 600$.

Quote
Thanks for the crash course in economics and the cert business. It is really informative how good you are. Looks like you don't have any experience with companies, since all companies that are not VAT registered owe VAT, and you should know better, Mr Economics.
Non-VAT registered legal entity in EU = tiny turnover one man show. Anyone who is making any decent amount of money is VAT registered.

Quote
The main argument you have is code signing. I am still using unsigned drivers, from reputable companies.
You are not a "reputable company". You are an anonymous nobody.
Also "reputable companies" do not put out unsigned drivers, unless they are for testing purposes.

Quote
It is obvious that if the program was signed, there would be something else to argue about, and the troll spam would be absolutely the same.
I don't see what there is to argue about. If it is signed, then you're not an anonymous guy posting a binary blob, your name is under it.
If you decide to scam someone or put malware into it, you will be held liable. That's infinitely safer.
The only thing left after that is that you posted it into the wrong subforum, and should have posted it in sales instead.

Quote
Calling xdf and csv formats obscure only shows that you are too tied to commercial software, and tuning without PAYING big shit money scares you to death.
TunerPro is a commercial tool, XDF is a proprietary format.
CSV - I am not sure why you would want the data in a random CSV, but WinOLS can already export all of the columns from the .ols project into a CSV or a JSON file. If you're still on 2.26 (lol) then probably not.

If you have ASAP2 data, then there is zero point to convert it to anything. If you want to make some kind of WinOLS replacement, then the best thing to do is to work directly with the ASAP2, instead of converting it to yet another intermediate format.
Unlike your CSV with random columns, ASAP2 is an open standard.

Quote
Why it is not advertised is because tunerpro doesn't cover lots of a2l functionalities, like 2d, 3d, 4d arrays, multitables and so on.
If you are so good as you claim, you can easily convert xml definitions to your preferred tuning software or write your own.
The one engine statement only shows your ignorance of open source tuning. Actually with tunerpro you can't tune a single engine without a definition file.
Stating that tunerpro is completely useless, is that what you're trying to say?
The reason TunerPro is rarely used is the same reason INCA is not used in the aftermarket. It is not possible to have a full definition for every ECU out there unless you work for an OEM.
WinOLS allows you to quickly find maps based on a similar A2L.

Btw, I don't know why you assume that I don't use tunerpro. A while ago I opensourced my whole 2.2T development on older ECUs, it uses TunerPro extensively.
https://m232.org/index.php/Main_Page (https://m232.org/index.php/Main_Page). From tuning to data acquisition.
I never had any issues representing any A2L data with TunerPro. It's actually more flexible than WinOLS in this case, because it supports formulas.

What is a "multitable" in A2L? That's certainly not part of ASAP2 spec.
Do you have the spec? Or is that also too expensive for you, and I should give it to you?

Quote
Please don't push me to release the source code, so someone else [like you] can monetize it.
Monetize what? Something that WinOLS already includes in the program?
Conversion to some kind of weird ass format nobody except you has any use for?
If you could monetize it, you would.

Rest of your rambling does not really warrant a response.
Keep talking and showing how not only you have no idea about code signing, reversing and AV, but even the ASAP2 format, that your best tool is supposedly better at parsing than everyone else in the world.
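The thread keeps circling back to what an A2L converter actually has to understand: COMPU_METHOD conversions, RECORD_LAYOUT datatypes, multi-dimensional AXIS_DESCR blocks, and an export that names addresses in IDA. The script below is an added example written for this thread; it is not the OP's tool and not prj's parser. It reads a constructed A2L fragment (all names and addresses are made up), resolves the physical conversion for a measurement, sizes a MAP from its axis point counts and record layout datatype, and emits IDC set_name() lines. It covers only the handful of keywords in the sample; the real ASAP2 keyword set is far larger.

```python
"""Minimal ASAP2 (A2L) reader: resolve conversions, size maps, emit an IDC name script.

Added example, not the OP's tool. Handles COMPU_METHOD, RECORD_LAYOUT, CHARACTERISTIC,
AXIS_DESCR and MEASUREMENT only; a real A2L has many more keywords.
"""
import re

# Constructed A2L fragment (fictional identifiers and addresses), enough to exercise the code.
SAMPLE_A2L = r"""
/begin PROJECT Demo "constructed example"
  /begin MODULE CPU "" /* block comment: must be ignored by the tokenizer */
    /begin COMPU_METHOD CM_RPM "engine speed" RAT_FUNC "%5.0" "1/min"
      COEFFS 0 4 0 0 0 1
    /end COMPU_METHOD
    /begin COMPU_METHOD CM_TEMP "temperature" LINEAR "%4.1" "degC"
      COEFFS_LINEAR 0.75 -48.0
    /end COMPU_METHOD
    /begin RECORD_LAYOUT RL_UW
      FNC_VALUES 1 UWORD COLUMN_DIR DIRECT
    /end RECORD_LAYOUT
    /begin CHARACTERISTIC KFDEMO "demo map" MAP 0x8001A0 RL_UW 0 CM_TEMP -48.0 143.25
      /begin AXIS_DESCR STD_AXIS nmot CM_RPM 16 0 16000
      /end AXIS_DESCR
      /begin AXIS_DESCR STD_AXIS NO_INPUT_QUANTITY CM_TEMP 12 -48 143.25
      /end AXIS_DESCR
    /end CHARACTERISTIC
    /begin MEASUREMENT nmot "engine speed" UWORD CM_RPM 1 0 0 16000
      ECU_ADDRESS 0x3800F2
    /end MEASUREMENT
  /end MODULE
/end PROJECT
"""

SIZES = {"UBYTE": 1, "SBYTE": 1, "UWORD": 2, "SWORD": 2, "ULONG": 4, "SLONG": 4,
         "A_UINT64": 8, "A_INT64": 8, "FLOAT32_IEEE": 4, "FLOAT64_IEEE": 8}
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')   # quoted string or bare word


class Block:
    def __init__(self, kind):
        self.kind, self.params, self.children = kind, [], []


def tokenize(text):
    """Strip /* */ and // comments (strings are not protected), then split into tokens."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"//[^\n]*", " ", text)
    return _TOKEN.findall(text)


def parse_blocks(tokens):
    """Build the /begin ... /end tree; tokens outside nested blocks become the block's params."""
    root, stack, i = Block("ROOT"), [], 0
    stack.append(root)
    while i < len(tokens):
        tok = tokens[i]
        if tok == "/begin":
            blk = Block(tokens[i + 1])
            stack[-1].children.append(blk)
            stack.append(blk)
            i += 2
        elif tok == "/end":
            if stack[-1].kind != tokens[i + 1]:
                raise ValueError(f"unbalanced /end {tokens[i + 1]} inside {stack[-1].kind}")
            stack.pop()
            i += 2
        else:
            stack[-1].params.append(tok)
            i += 1
    return root


def walk(block):
    yield block
    for child in block.children:
        yield from walk(child)


def index(root):
    """Conversion methods (name -> (type, coeffs)) and record layouts (name -> element datatype)."""
    cms, layouts = {}, {}
    for b in walk(root):
        p = b.params
        if b.kind == "COMPU_METHOD":
            if "COEFFS" in p:            # RAT_FUNC: a b c d e f
                k = p.index("COEFFS")
                coeffs = [float(x) for x in p[k + 1:k + 7]]
            elif "COEFFS_LINEAR" in p:   # LINEAR: a b
                k = p.index("COEFFS_LINEAR")
                coeffs = [float(x) for x in p[k + 1:k + 3]]
            else:
                coeffs = []
            cms[p[0]] = (p[2], coeffs)
        elif b.kind == "RECORD_LAYOUT" and "FNC_VALUES" in p:
            layouts[p[0]] = p[p.index("FNC_VALUES") + 2]
    return cms, layouts


def raw_to_phys(cm, raw):
    """Internal (ECU) value -> physical value for the conversion types in the sample."""
    ctype, c = cm
    if ctype == "IDENTICAL":
        return float(raw)
    if ctype == "LINEAR":                 # phys = a * int + b
        return c[0] * raw + c[1]
    if ctype == "RAT_FUNC":               # int = (a*phys^2 + b*phys + c) / (d*phys^2 + e*phys + f)
        a, b, cc, d, e, f = c
        if a == 0 and d == 0 and e == 0 and b != 0:   # the usual linear special case
            return (f * raw - cc) / b
        raise NotImplementedError("general rational conversion not handled here")
    raise ValueError(f"unsupported conversion type {ctype}")


def entries(root, layouts):
    """Flatten CHARACTERISTIC and MEASUREMENT blocks into name/address/size records."""
    out = []
    for b in walk(root):
        p = b.params
        if b.kind == "CHARACTERISTIC":    # Name LongId Type Address Deposit MaxDiff Conversion Lo Hi
            axes = [int(a.params[3]) for a in b.children if a.kind == "AXIS_DESCR"]
            count = 1
            for n in axes:
                count *= n
            out.append({"name": p[0], "kind": p[2], "address": int(p[3], 16), "conversion": p[6],
                        "axes": axes, "size": count * SIZES[layouts[p[4]]]})
        elif b.kind == "MEASUREMENT" and "ECU_ADDRESS" in p:   # Name LongId Datatype Conversion ...
            out.append({"name": p[0], "kind": p[2], "address": int(p[p.index("ECU_ADDRESS") + 1], 16),
                        "conversion": p[3], "axes": [], "size": SIZES[p[2]]})
    return out


def to_idc(items):
    """IDC statements naming each address (set_name is the IDC call; IDC uses C-style comments)."""
    return [f'set_name(0x{e["address"]:X}, "{e["name"]}");  // {e["kind"]}, {e["size"]} bytes'
            for e in items]


def load(text):
    root = parse_blocks(tokenize(text))
    cms, layouts = index(root)
    return cms, entries(root, layouts)


if __name__ == "__main__":
    cms, items = load(SAMPLE_A2L)
    print("\n".join(to_idc(items)))
    print("nmot raw 3200 ->", raw_to_phys(cms["CM_RPM"], 3200), "1/min")
```

The RAT_FUNC branch only handles the linear special case (a = d = e = 0), which is what most ECU A2Ls use, and raises on anything else instead of silently producing wrong physical values; the same applies to the keyword coverage, so unknown keywords simply end up as unparsed params rather than being misread.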


Title: Re: a2l application
Post by: K2d33 on October 25, 2023, 08:08:21 AM
Quote
You are not a "reputable company". You are an anonymous nobody.
Also "reputable companies" do not put out unsigned drivers, unless they are for testing purposes.
Quote
I don't see what there is to argue about. If it is signed, then you're not an anonymous guy posting a binary blob, your name is under it.
Oh please. We have had an EV certificate for 10 years, and many many things go unsigned. The token is in the office and things are compiled remotely and must be delivered 'now'... ;-)
Anyway - a code signing cert without EV can be ordered by somebody. For me, it has the same value as an unsigned thing. In my opinion the cost (money and time) of EV minimizes the risk of signing everything as it comes.


Title: Re: a2l application
Post by: prj on October 25, 2023, 08:40:29 AM
Quote
Oh please. We have had an EV certificate for 10 years, and many many things go unsigned. The token is in the office and things are compiled remotely and must be delivered 'now'... ;-)
Token can be also in cloud.
https://docs.digicert.com/en/digicert-keylocker.html (https://docs.digicert.com/en/digicert-keylocker.html)

Quote
Anyway - a code signing cert without EV can be ordered by somebody. For me, it has the same value as an unsigned thing.
The only difference is that the non-EV can be also bought by a natural person (with full identity verification).
EV is company only. But then, you can get an EV cert as a sole trader as well.
Not sure how it is the same as "unsigned" - for any code cert to be issued the full credentials of the person have been verified by the CA. In case of ordering for a legal person they verify both the legal entity owner as a natural person as well as the legal entity itself.

I would say when it is given to a natural person then that person is even more on the hook for shit they sign.

Quote
In my opinion the cost (money and time) of EV minimizes the risk of signing everything as it comes.
Since this year there is almost no difference in cost anymore.
Before the standard cert used to cost 70$/year because you could use it without a HSM. Now you have to have a HSM token for the standard one as well.
The only difference these days between EV and non-EV is the initial smartscreen reputation. Which makes zero difference after your entity is trusted, and this trust in my experience comes quite quickly, I think it took me a month or so initially.

I mean it this way: now that there is almost no price and technical difference between EV and non-EV you might as well get an EV cert.
Before there used to be a continuous 3x price difference in something that takes less than a month to solve forever.


Title: Re: a2l application
Post by: K2d33 on October 25, 2023, 10:17:13 AM
Quote
Token can be also in cloud.
https://docs.digicert.com/en/digicert-keylocker.html (https://docs.digicert.com/en/digicert-keylocker.html)
I hate clouds.

Quote
The only difference is that the non-EV can be also bought by a natural person (with full identity verification).
EV is company only. But then, you can get an EV cert as a sole trader as well.
Not sure how it is the same as "unsigned" - for any code cert to be issued the full credentials of the person have been verified by the CA. In case of ordering for a legal person they verify both the legal entity owner as a natural person as well as the legal entity itself.

I would say when it is given to a natural person then that person is even more on the hook for shit they sign.
Quote
Since this year there is almost no difference in cost anymore.
Before the standard cert used to cost 70$/year because you could use it without a HSM. Now you have to have a HSM token for the standard one as well.
The only difference these days between EV and non-EV is the initial smartscreen reputation. Which makes zero difference after your entity is trusted, and this trust in my experience comes quite quickly, I think it took me a month or so initially.

I mean it this way: now that there is almost no price and technical difference between EV and non-EV you might as well get an EV cert.
Before there used to be a continuous 3x price difference in something that takes less than a month to solve forever.
Not exactly.
A personal code signing certificate can be 'ordered' with a 'stolen' ID card and a 'faked personality'. EV certificate validation is performed via government data - so the company must exist and all data must be valid and current.
Personally, a personal code signing certificate for me has the same value as a Let's Encrypt SSL certificate on a website. Nice, because communication between my browser and the server is encrypted - but this is not a place where I will leave my personal data, leave my card number etc.
In any case, when someone wants to 'infect' a computer with malicious code, they will probably use a zero-day bug and more advanced technology than signing code with their own certificate (probably using a stolen cert/token/cloud account). Moreover, in world history there were situations where the NSA and other agencies used stolen certificates to sign drivers and applications... In this situation an application signed with an EV certificate is more dangerous (because a 100% trojan has a valid code signature) compared to an unsigned random application downloaded from the internet.





Title: Re: a2l application
Post by: prj on October 25, 2023, 11:18:18 AM
Quote
A personal code signing certificate can be 'ordered' with a 'stolen' ID card and a 'faked personality'. EV certificate validation is performed via government data - so the company must exist and all data must be valid and current.
This is the same for non-EV certificate when the certificate is issued to a company. It always has been.
The existence and the owner of the company is verified via government data.

In the past the difference between EV and non-EV for companies was that EV came on a HSM and gave instant smart screen reputation to the publisher.
These days the difference is only the smartscreen reputation. If you already established smartscreen reputation in the past and are extending an already existing certificate, then you are already a "trusted publisher" for Microsoft.
The fact that the certificate is now also on HSM like the non-EV variant means that it is also harder to steal - this was the real issue with non-EV certs before (but not since this year anymore).
It's also the reason why the difference between EV and non-EV is now like 20% of the price while it used to be 300%.

Quote
In any case, when someone wants to 'infect' a computer with malicious code
There was a tool posted on ecuconnections that read bosch numbers from a file. Also of course anonymous and unsigned.
Except it was also gathering the WinOLS data folder and uploading all ols files to a google drive account. The credentials were in the binary.
There was a very large amount of data on there....


Title: Re: a2l application
Post by: d3irb on October 25, 2023, 01:06:47 PM
Quote
There was a tool posted on ecuconnections that read bosch numbers from a file. Also of course anonymous and unsigned.
Except it was also gathering the WinOLS data folder and uploading all ols files to a google drive account. The credentials were in the binary.
There was a very large amount of data on there....

I don't really get how code signing makes a difference in this threat model? I'm all for code signing (as I'm sure you are aware, I have signed all of my releases), but there's no reason that clown couldn't have signed a malicious WinOLS stealer. Maybe if the stars aligned right and the moon phase was correct the issuer would have revoked their certificate for malicious behavior, but I highly doubt this as even high assurance EV signed device drivers with giant backdoors and vulnerabilities are allowed to proliferate everywhere.

Code signing is surely good (for example, if I download VehiCAL, it is signed, and I trust you, and know you signed it, so there's no reason for me to audit it more, I'll just run it). But if the author is some random, it doesn't really matter IMO. The only solution here is to build from source yourself if available, sandbox, or RE the app and do an audit. And without source available auditing is too much work, so I'm sure as hell not using any binaries posted on nef.


Title: Re: a2l application
Post by: prj on October 25, 2023, 01:10:59 PM
Quote
I don't really get how code signing makes a difference in this threat model? I'm all for code signing (as I'm sure you are aware, I have signed all of my releases), but there's no reason that clown couldn't have signed a malicious WinOLS stealer. Maybe if the stars aligned right and the moon phase was correct the issuer would have revoked their certificate for malicious behavior, but I highly doubt this as even high assurance EV signed device drivers with giant backdoors and vulnerabilities are allowed to proliferate everywhere.
Unless the certificate was stolen, then it is known exactly who signed it and who made this malicious piece of software.
So there is responsibility, versus downloading an unsigned blob from someone completely anonymous.
Yes, both can do you wrong, however, you can sue one, but not the other.

Making a fraudulent piece of software (which is illegal in many places on its own) and then putting your name on it is some special kind of stupid.


Title: Re: a2l application
Post by: _nameless on October 26, 2023, 03:23:07 AM
dbg made quick work of this anyways lol


Title: Re: a2l application
Post by: jcsbanks on October 26, 2023, 04:59:00 AM
Going through this for a new company, under the new arrangements since June 2023, it did end up over $800 for a 3 year certificate with an HSM, and we're not there yet with the telephone validation (because like many companies we don't do business over the phone and are not listed in US centric phone directories) and might have to get a professional opinion letter written (not just confirming the phone number) taking the cost well over $1000. Still, it is a small part of the cost of making something worthwhile that people trust if you are running it as a company even though companies with multiple premises, more employees than I ever want, trading for multiple years and bringing in lots of revenues don't always do it. I really need it because I do stuff with encryption and networks and light up the heuristics on potentially unwanted software or bad behaviour like a dashboard on a 25 year old badly maintained and badly modified 1.8T. It seems the controversy in this thread is the nature of what is being offered and whether it is a business or not.


Title: Re: a2l application
Post by: prj on October 26, 2023, 05:17:10 AM
$800 for 3 years is not $1000 as OP claims lol.

That's 3x cert + 1x token.

I had zero issues with my validation, done in a day.
Also in the EU you are required to have a phone number listed in the terms of service if you are offering any services as a company.
This comes from consumer protection rights.

AFAIK the UK also has these in force, and your website/privacy policy actually isn't compliant or GDPR compliant, because it does not list the required rights...
Maybe the UK has it different though after Brexit, no idea.
I have found the EVC privacy policy to be exemplary. https://www.evc.de/en/imprint/privacy.asp (https://www.evc.de/en/imprint/privacy.asp).


Title: Re: a2l application
Post by: jcsbanks on October 26, 2023, 05:28:11 AM
No longer in the UK and not in the EU, but GDPR does apply. We avoid processing any customer data except that required to process an order. Thanks for the info, we'll check and if we need to publish one on our website we will. I think our other company that was UK based did have one, and thankfully people didn't call it for irrelevant technical support - that is my main fear. Our main requests for phone numbers from customers are unrelated to the delivery of our products and services.


Title: Re: a2l application
Post by: jcsbanks on October 26, 2023, 05:41:54 AM
It is actually a good prompt to get our policies checked and updated, so will get that done, thanks. I do notice that many German websites particularly have an "imprint" that is particularly verbose like the one for EVC (and as I understand is mandated) that I don't see in other jurisdictions.


Title: Re: a2l application
Post by: prj on October 26, 2023, 06:29:16 AM
It is actually a good prompt to get our policies checked and updated, so will get that done, thanks. I do notice that many German websites particularly have an "imprint" that is particularly verbose like the one for EVC (and as I understand is mandated) that I don't see in other jurisdictions.

Imprint (Impressum) is something else; it's a German-only requirement.

In the EU, if you are providing services to natural persons you must have a whole bunch of stuff in the TOS.
If you process any data that falls under the GDPR, you must have a Privacy Policy with a bunch of mandated stuff to comply with the GDPR.

The TOS must have your company phone number in it. It does not matter if this phone number goes to voice mail all the time, there is no requirement to ever answer it.
Just that it has to be there :)


Title: Re: a2l application
Post by: jcsbanks on October 26, 2023, 06:44:29 AM
Noted.

Sectigo have refused our phone number verification as the only third party source of it was listed in the Chamber of Commerce and they want it in a government list (they don't keep them) or a type of phone directory that isn't available here. So we have to do the professional opinion letter and it is rather involved because it isn't just verifying the phone number.

It was much easier distributing a device from which the software was downloaded.


Title: Re: a2l application
Post by: jcsbanks on October 26, 2023, 07:20:59 AM
There is some local listing site that appears to have no actual verification that could be used, but it is box ticking like the business phone that goes to answer phone for other requirements.


Title: Re: a2l application
Post by: Geremia on October 27, 2023, 11:27:39 AM
https://shop.certum.eu/standard-code-signing-set.html
Standard code signing (not EV), 3 years + token (SIM smartcard with USB reader) for 359 EUR, the cheapest I've found.


Title: Re: a2l application
Post by: jcsbanks on October 30, 2023, 01:09:48 PM
https://shop.certum.eu/standard-code-signing-set.html
Standard code signing (not EV), 3 years + token (SIM smartcard with USB reader) for 359 EUR, the cheapest I've found.

Great deal, thanks. I might need it as a fallback as still awaiting phone approval with Sectigo. I wanted to go with Sectigo because I found a working method that uses an HSM with Visual Studio publish and I've adopted that method for version control/updates.