NefMoto

Technical => Reverse Engineering => Topic started by: Miro_FI on January 26, 2026, 10:36:55 PM



Title: BMW BMS-O (TC-1793) flash checksum algo
Post by: Miro_FI on January 26, 2026, 10:36:55 PM
Hello everyone, I'm working on patching the FSC public key on the BMW BMS-O Motorrad ECU.
Basically, what I've succeeded in so far is finding the raw FSC public key in the flash dump... Now, I'm not the best at this, so I'd like to ask you to bear with me if I ask a stupid question, thanks!
My next question is how do I make my own private-public key pair so I can replace the original and then later on do the checksum on the flash...
Also, how is the CRC structured... Upon running binwalk on the dump I see there is a CRC table near the end of the file - I'm sure it's relevant, I just don't know how.
I have had a friend with WinOLS 5 do the CRC for me on a slightly modified file and I have compared them, but only 4 bytes are different and miles away from the modified area.
Thanks a lot for your time!

If anyone is interested in trading this information, I can share the algo on how to change ISN/VIN/Mileage on the EEPROM of the same BMS :)