NefMoto

ECU Files => Original ECU File Requests => Topic started by: automan001 on June 26, 2017, 11:01:28 AM



Title: 06L907309B CZPA 2.0 TSI 180 HP original firmware
Post by: automan001 on June 26, 2017, 11:01:28 AM
Looking for original firmware of ECU: 06L907309B

It's the new VW EA888 Gen 3 MQB platform
Engine code: CZPA
2.0 TSI 180 HP

Address 01: Engine (J623-CZPA)       Labels: None
   Part No SW: 5NA 907 115 D    HW: 06L 907 309 B
   Component: 2.0 R4 TFSI   H30 0003  
   Revision: 1DH30000    
   Coding: 012500122466050B34000000000000000000000000000000
   Shop #: WSC 01357 011 00200
   ASAM Dataset: EV_ECM20TFS0115NA907115D 001004
   ROD: N/A
   VCID: 3F8DA245A63E89BA85-806A

(took the additional info from here http://forums.ross-tech.com/showthread.php?8302-2017-Tiguan-MQB-2-0-TSI-180KM-CZPA)


Title: Re: 06L907309B CZPA 2.0 TSI 180 HP original firmware
Post by: aef on June 26, 2017, 01:01:17 PM
Newest Vag flash provides this FL_5NA907115D_0003__V001.frf

Sorry, I don't have it.


Title: Re: 06L907309B CZPA 2.0 TSI 180 HP original firmware
Post by: vdubnation on June 28, 2017, 06:37:53 AM
Shoot me your email, I'll send it over. Compressed and still too big for nef.


Title: Re: 06L907309B CZPA 2.0 TSI 180 HP original firmware
Post by: automan001 on July 04, 2017, 09:08:33 AM
> Shoot me your email, I'll send it over. Compressed and still too big for nef.
Thanks in advance! Sent my email in PM.


Title: Re: 06L907309B CZPA 2.0 TSI 180 HP original firmware
Post by: automan001 on August 14, 2017, 07:51:55 AM
> Shoot me your email, I'll send it over. Compressed and still too big for nef.
Unfortunately I haven't received any file.
Does anyone else have the firmware as well and could share?


Title: Re: 06L907309B CZPA 2.0 TSI 180 HP original firmware
Post by: IamwhoIam on August 14, 2017, 08:53:50 AM
What are you trying to achieve with it? It's Bosch MG1...


Title: Re: 06L907309B CZPA 2.0 TSI 180 HP original firmware
Post by: aef on August 14, 2017, 02:02:03 PM
You should have a PM from 26th June.


Title: Re: 06L907309B CZPA 2.0 TSI 180 HP original firmware
Post by: automan001 on August 17, 2017, 11:12:19 AM
> You should have a PM from 26th June.
Thanks! Initially missed the message, now I've found it. Got the file. Also downloading VAS-PC Flash Discs with other firmwares.
Trying to figure out whether this *.frf file is encrypted and how to find maps there... :)


Title: Re: 06L907309B CZPA 2.0 TSI 180 HP original firmware
Post by: automan001 on August 17, 2017, 01:46:44 PM
P.S.: Found out how to decrypt/convert these *.frf to *.odx (there is a FRF decoder tool)
Extracted 5 sections of flash data EMEM_5NA907115D_0003__V001.FD_0*FLASHDATA from *.odx into text HEX files and converted them to .bin
It looks like the converted flash data is encrypted as well, and I see all those sections have a common header 5317E910682F21999379FB15DFC9200E
Any ideas which tool/algorithm to use to decrypt these <DATA> sections in the *.odx file?


Title: Re: 06L907309B CZPA 2.0 TSI 180 HP original firmware
Post by: gremlin on December 02, 2017, 06:32:33 AM
Don't waste time...
Even if you have a decrypted dump (decrypting is not too hard if you know the AES key and vector :)) you cannot write a file with changes inside into the ECU.
It's an MG1_CS001 ECU based on an MCU with a built-in internal HSM (Hardware Security Manager).
FYI see attached document.



Title: Re: 06L907309B CZPA 2.0 TSI 180 HP original firmware
Post by: automan001 on December 05, 2017, 08:59:03 AM
> Don't waste time...
> Even if you have a decrypted dump (decrypting is not too hard if you know the AES key and vector :)) you cannot write a file with changes inside into the ECU.
> It's an MG1_CS001 ECU based on an MCU with a built-in internal HSM (Hardware Security Manager).
> FYI see attached document.

Thanks for the additional info! I hope some day it will become known how to disable this HSM. I think the human factor could unintentionally have led to some mistakes and left some back doors that would allow disabling/bypassing this security check. All that is needed is just time to find this door :)


Title: Re: 06L907309B CZPA 2.0 TSI 180 HP original firmware
Post by: IamwhoIam on December 05, 2017, 09:12:13 AM
Have you managed to decrypt/decompress that file yet at least?


Title: Re: 06L907309B CZPA 2.0 TSI 180 HP original firmware
Post by: automan001 on December 05, 2017, 10:23:24 AM
> Have you managed to decrypt/decompress that file yet at least?
Not yet :) Would appreciate if you know how to find this key ;)

By the way, they say (https://en.wikipedia.org/wiki/Advanced_Encryption_Standard):
"AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data."

So, once you know the key you can encrypt modified firmware using it. Otherwise, how are they handling firmware updates then?
But I'm afraid there might also be an additional "signature" somewhere at the end of firmware that proves this file has been modified by VAG.

I think a security concept similar to this has been used in MG1: https://www.infineon.com/cms/en/product/microcontroller/32-bit-tricore-microcontroller/aurix-safety-joins-performance/aurix-security-solutions/aurix-security-hardware/

Probably they upload encrypted firmware when making updates, the data is stored encrypted in flash memory, and then this HSM mechanism decrypts it when data is accessed. The AES key might be based on some hardware number :)
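
The distinction raised in the post above, a shared symmetric key versus a separate signature, shown as an added example that is not part of the original thread and does not describe the actual Bosch/VAG scheme. Assumptions: the signature covers the decrypted image, the key pair is a constructed textbook-RSA toy, and `keystream_xor` is a hash-based stand-in for AES-CTR.

```python
import hashlib

# Constructed toy key pair: textbook RSA over two Mersenne primes, no padding.
# Real designs use a padded scheme (RSA-PSS, ECDSA); this only shows the roles.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public: provisioned in the verifier
D = pow(E, -1, (P - 1) * (Q - 1))      # private: never leaves the vendor

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR (no AES in the stdlib): XOR with SHA-256 blocks.
    The same call encrypts and decrypts, like any symmetric stream mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def digest_int(image: bytes) -> int:
    """SHA-256 of the image as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")

def vendor_sign(image: bytes) -> int:
    """Signing needs the private exponent D."""
    return pow(digest_int(image), D, N)

def verifier_accepts(key: bytes, package: bytes, signature: int) -> bool:
    """Decrypt with the shared key, then check the signature with (E, N)."""
    image = keystream_xor(key, package)
    return pow(signature, E, N) == digest_int(image)

SHARED_KEY = b"constructed-symmetric-key"          # constructed sample value
IMAGE = b"CONSTRUCTED FIRMWARE IMAGE v0003 " * 4   # constructed sample image

def demo():
    signature = vendor_sign(IMAGE)
    package = keystream_xor(SHARED_KEY, IMAGE)
    genuine = verifier_accepts(SHARED_KEY, package, signature)
    # A party holding only the symmetric key edits and re-encrypts the image.
    edited = keystream_xor(SHARED_KEY, package).replace(b"v0003", b"v9999")
    repacked = keystream_xor(SHARED_KEY, edited)
    tampered = verifier_accepts(SHARED_KEY, repacked, signature)
    return genuine, tampered

if __name__ == "__main__":
    print(demo())
```

The symmetric key gives confidentiality only: the re-encrypted image decrypts cleanly but is rejected, because producing a matching signature requires `D`, which the verifier never holds.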


Title: Re: 06L907309B CZPA 2.0 TSI 180 HP original firmware
Post by: automan001 on May 15, 2019, 06:53:10 AM
Any news on cracking down this HSM thing? https://www.infineon.com/dgdl/Infineon-AURIX_Hardware_Security_Module-TR-v01_00-EN.pdf?fileId=5546d46269bda8df0169ca6e34c62549

I've seen they are reading and writing BOSCH MG1 on other cars (BMW, Ford)
Haven't seen about Audi/VW/Seat/Skoda

I want to continue tuning, but this MG1 HSM stuff is driving me crazy - 2 years have passed and no news.

I've started thinking about an alternative solution - downgrade ECU back to MED17 which has all I need - especially FR specs from Bosch. The ME7-like logger stuff for MED17 I can figure out myself how to dump variables. Maybe with some limitations (some hardware might not work) & rewiring through an adapter this is going to work. Is it worth trying, your thoughts on this?


Or maybe switch to a SIMOS18 ECU, which is used on 220HP versions, and figure out what to do with the valve lift stuff. Should be pretty compatible because it is used on the same MQB platform with DQ500 DSG7.