Topic: 06L907309B CZPA 2.0 TSI 180 HP original firmware
automan001
« on: June 26, 2017, 11:01:28 AM »

Looking for original firmware of ECU: 06L907309B

It's new VW EA888 Gen 3 MQB platform
Engine code: CZPA
2.0 TSI 180 HP

Address 01: Engine (J623-CZPA)       Labels: None
   Part No SW: 5NA 907 115 D    HW: 06L 907 309 B
   Component: 2.0 R4 TFSI   H30 0003  
   Revision: 1DH30000    
   Coding: 012500122466050B34000000000000000000000000000000
   Shop #: WSC 01357 011 00200
   ASAM Dataset: EV_ECM20TFS0115NA907115D 001004
   ROD: N/A
   VCID: 3F8DA245A63E89BA85-806A

(took the additional info from here http://forums.ross-tech.com/showthread.php?8302-2017-Tiguan-MQB-2-0-TSI-180KM-CZPA)
« Last Edit: June 26, 2017, 11:03:29 AM by automan001 »

aef
« Reply #1 on: June 26, 2017, 01:01:17 PM »

Newest Vag flash provides this FL_5NA907115D_0003__V001.frf

Sorry, I don't have it

vdubnation
« Reply #2 on: June 28, 2017, 06:37:53 AM »

Shoot me your email, I'll send it over. Compressed and still too big for nef

automan001
« Reply #3 on: July 04, 2017, 09:08:33 AM »

Quote from: vdubnation
> Shoot me your email, I'll send it over. Compressed and still too big for nef

Thanks in advance! Sent my email in PM.

automan001
« Reply #4 on: August 14, 2017, 07:51:55 AM »

Quote from: vdubnation
> Shoot me your email, I'll send it over. Compressed and still too big for nef

Unfortunately I haven't received any file.
Does anyone else have the firmware as well and could share?

IamwhoIam
« Reply #5 on: August 14, 2017, 08:53:50 AM »

What are you trying to achieve with it? It's Bosch MG1...

I have no logs because I have a boost gauge (makes things easier)
aef
« Reply #6 on: August 14, 2017, 02:02:03 PM »

You should have a PM from 26th June

automan001
« Reply #7 on: August 17, 2017, 11:12:19 AM »

Quote from: aef
> You should have a PM from 26th June

Thanks! Initially missed the message, now I've found it. Got the file. Also downloading VAS-PC Flash Discs with other firmwares.
Trying to figure out whether this *.frf file is encrypted and how to find maps there... :)

automan001
« Reply #8 on: August 17, 2017, 01:46:44 PM »

P.S.: Found out how to decrypt/convert these *.frf to *.odx (there is a FRF decoder tool)
Extracted 5 sections of flash data EMEM_5NA907115D_0003__V001.FD_0*FLASHDATA from *.odx into text HEX files and converted them to .bin
It looks like the converted flash data is encrypted as well, and I see all those sections have a common header 5317E910682F21999379FB15DFC9200E
Any ideas which tool/algorithm to use to decrypt these <DATA> sections in the *.odx file?
« Last Edit: August 17, 2017, 01:50:43 PM by automan001 »

gremlin
« Reply #9 on: December 02, 2017, 06:32:33 AM »

Don't waste time...
Even if you have a decrypted dump (decrypting is not too hard if you know the AES key and vector :)), you cannot write a file with changes inside into the ECU.
It's an MG1_CS001 ECU based on an MCU with a built-in internal HSM (Hardware Security Manager).
FYI see attached document.

automan001
« Reply #10 on: December 05, 2017, 08:59:03 AM »

Quote from: gremlin
> Don't waste time...
> Even if you have a decrypted dump (decrypting is not too hard if you know the AES key and vector :)), you cannot write a file with changes inside into the ECU.
> It's an MG1_CS001 ECU based on an MCU with a built-in internal HSM (Hardware Security Manager).
> FYI see attached document.

Thanks for the additional info! I hope some day it will become known how to disable this HSM. I think the human factor could have unintentionally made some mistakes and left some back doors that would allow disabling/bypassing this security check. All that is needed is just time to find this door :)

IamwhoIam
« Reply #11 on: December 05, 2017, 09:12:13 AM »

Have you managed to decrypt/decompress that file yet at least?

automan001
« Reply #12 on: December 05, 2017, 10:23:24 AM »

Quote from: IamwhoIam
> Have you managed to decrypt/decompress that file yet at least?

Not yet :) Would appreciate it if you know how to find this key ;)

By the way, they say https://en.wikipedia.org/wiki/Advanced_Encryption_Standard:
"AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data."

So, once you know the key you can encrypt modified firmware using it. Otherwise how are they handling firmware updates then?
But I'm afraid there might also be an additional "signature" somewhere at the end of the firmware that proves this file has been modified by VAG.

I think a security concept similar to this has been used in MG1: https://www.infineon.com/cms/en/product/microcontroller/32-bit-tricore-microcontroller/aurix-safety-joins-performance/aurix-security-solutions/aurix-security-hardware/

Probably they upload encrypted firmware when making updates, the data is stored encrypted in flash memory, and then this HSM mechanism decrypts it when data is accessed. The AES key might be based on some hardware number :)
« Last Edit: December 05, 2017, 10:33:36 AM by automan001 »

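An added illustration of the question raised in the post above (not part of the thread, and not Bosch or VAG code): assuming an update image is signed by the vendor and then encrypted, a party who knows the symmetric key can re-encrypt a modified image but cannot produce a signature the ECU accepts. The SHA-256 keystream stands in for AES, the RSA key is a constructed toy without padding, and all function names are hypothetical.

```python
import hashlib

# Constructed toy RSA key from two Mersenne primes: trivially factorable, demo only.
# Textbook RSA without padding; real designs use RSA-PSS or ECDSA.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # vendor's private exponent, never stored in the ECU

def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR (the standard library has no AES): SHA-256 in counter mode."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + iv + block.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], pad))
    return bytes(out)

def digest_int(plaintext: bytes) -> int:
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big")

def vendor_package(key, iv, plaintext):
    """Vendor side (assumed format): sign the plaintext image, then encrypt it."""
    signature = pow(digest_int(plaintext), D, N)
    return keystream_xor(key, iv, plaintext), signature

def ecu_accepts(key, iv, ciphertext, signature) -> bool:
    """ECU side: decrypt, then verify the signature using only the public (N, E)."""
    plaintext = keystream_xor(key, iv, ciphertext)
    return pow(signature, E, N) == digest_int(plaintext)

def reencrypt_modified(key, iv, ciphertext, offset, new_byte):
    """A party holding only the symmetric key: decrypt, change one byte, re-encrypt."""
    image = bytearray(keystream_xor(key, iv, ciphertext))
    image[offset] = new_byte
    return keystream_xor(key, iv, bytes(image))

KEY, IV = b"constructed-key!", b"constructed-iv!!"   # constructed sample values
IMAGE = b"CAL" + bytes(range(64))                     # constructed stand-in for a flash section

if __name__ == "__main__":
    ct, sig = vendor_package(KEY, IV, IMAGE)
    print("original accepted:", ecu_accepts(KEY, IV, ct, sig))
    forged = reencrypt_modified(KEY, IV, ct, 10, 0xFF)
    print("modified accepted:", ecu_accepts(KEY, IV, forged, sig))
```

The symmetric key gives confidentiality only; acceptance depends on the private exponent, which under this assumption never leaves the vendor.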
automan001
« Reply #13 on: May 15, 2019, 06:53:10 AM »

Any news on cracking down this HSM thing? https://www.infineon.com/dgdl/Infineon-AURIX_Hardware_Security_Module-TR-v01_00-EN.pdf?fileId=5546d46269bda8df0169ca6e34c62549

I've seen they are reading and writing BOSCH MG1 on other cars (BMW, Ford)
Haven't seen about Audi/VW/Seat/Skoda

I want to continue tuning, but this MG1 HSM stuff is driving me crazy - 2 years have passed and no news.

I've started thinking about an alternative solution - downgrade ECU back to MED17 which has all I need - especially FR specs from Bosch. The ME7-like logger stuff for MED17 I can figure out myself how to dump variables. Maybe with some limitations (some hardware might not work) & rewiring through an adapter this is going to work. Is it worth trying, your thoughts on this?

Or maybe switch to SIMOS18 ECU which is used on 220HP versions, and figure out what to do with valve lift stuff. Should be pretty compatible because used on the same MQB platform with DQ500 DSG7
« Last Edit: May 15, 2019, 11:55:50 AM by automan001 »