automan001
Full Member
Karma: +47/-0
Offline
Posts: 153
« on: June 26, 2017, 11:01:28 AM »
Looking for original firmware of ECU: 06L907309B
It's the new VW EA888 Gen 3 MQB platform
Engine code: CZPA 2.0 TSI 180 HP

Address 01: Engine (J623-CZPA) Labels: None
Part No SW: 5NA 907 115 D HW: 06L 907 309 B
Component: 2.0 R4 TFSI H30 0003
Revision: 1DH30000
Coding: 012500122466050B34000000000000000000000000000000
Shop #: WSC 01357 011 00200
ASAM Dataset: EV_ECM20TFS0115NA907115D 001004
ROD: N/A
VCID: 3F8DA245A63E89BA85-806A

(took the additional info from here http://forums.ross-tech.com/showthread.php?8302-2017-Tiguan-MQB-2-0-TSI-180KM-CZPA)
« Last Edit: June 26, 2017, 11:03:29 AM by automan001 »
aef
« Reply #1 on: June 26, 2017, 01:01:17 PM »
Newest VAG flash provides this: FL_5NA907115D_0003__V001.frf
Sorry, I don't have it.
vdubnation
Turboman
Global Moderator
Sr. Member
Karma: +49/-2
Offline
Posts: 433
« Reply #2 on: June 28, 2017, 06:37:53 AM »
Shoot me your email, I'll send it over. Compressed and still too big for nef.
automan001
« Reply #3 on: July 04, 2017, 09:08:33 AM »
> Shoot me your email, I'll send it over. Compressed and still too big for nef.

Thanks in advance! Sent my email in PM.
automan001
« Reply #4 on: August 14, 2017, 07:51:55 AM »
> Shoot me your email, I'll send it over. Compressed and still too big for nef.

Unfortunately I haven't received any file. Does anyone else have the firmware as well and could share?
IamwhoIam
« Reply #5 on: August 14, 2017, 08:53:50 AM »
What are you trying to achieve with it? It's Bosch MG1...
I have no logs because I have a boost gauge (makes things easier)
aef
« Reply #6 on: August 14, 2017, 02:02:03 PM »
You should have a PM from 26th June.
automan001
« Reply #7 on: August 17, 2017, 11:12:19 AM »
> You should have a PM from 26th June.

Thanks! Initially missed the message, now I've found it. Got the file. Also downloading VAS-PC Flash Discs with other firmwares. Trying to figure out whether this *.frf file is encrypted and how to find maps there...
automan001
« Reply #8 on: August 17, 2017, 01:46:44 PM »
P.S.: Found out how to decrypt/convert these *.frf to *.odx (there is a FRF decoder tool).
Extracted 5 sections of flash data EMEM_5NA907115D_0003__V001.FD_0*FLASHDATA from *.odx into text HEX files and converted them to .bin.
It looks like the converted flash data is encrypted as well, and I see all those sections have a common header 5317E910682F21999379FB15DFC9200E.
Any ideas which tool/algorithm to use to decrypt these <DATA> sections in the *.odx file?
« Last Edit: August 17, 2017, 01:50:43 PM by automan001 »
gremlin
« Reply #9 on: December 02, 2017, 06:32:33 AM »
Don't waste time... Even if you have a decrypted dump (decrypting is not too hard if you know the AES key and vector), you cannot write a file with changes inside into the ECU. It's an MG1_CS001 ECU based on an MCU with a built-in internal HSM (Hardware Security Manager). FYI, see attached document.
automan001
« Reply #10 on: December 05, 2017, 08:59:03 AM »
> Don't waste time... Even if you have a decrypted dump (decrypting is not too hard if you know the AES key and vector), you cannot write a file with changes inside into the ECU. It's an MG1_CS001 ECU based on an MCU with a built-in internal HSM (Hardware Security Manager). FYI, see attached document.

Thanks for the additional info! I hope some day it will become known how to disable this HSM. I think the human factor could unintentionally have made some mistakes and left some back doors that would allow disabling/bypassing this security check. All that is needed is just time to find this door.
IamwhoIam
« Reply #11 on: December 05, 2017, 09:12:13 AM »
Have you managed to decrypt/decompress that file yet at least?
automan001
« Reply #12 on: December 05, 2017, 10:23:24 AM »
> Have you managed to decrypt/decompress that file yet at least?

Not yet. Would appreciate it if you know how to find this key.

By the way, they say at https://en.wikipedia.org/wiki/Advanced_Encryption_Standard: "AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data." So, once you know the key you can encrypt modified firmware using it. Otherwise, how are they handling firmware updates then? But I'm afraid there might also be an additional "signature" somewhere at the end of the firmware that proves this file has been modified by VAG.

I think a security concept similar to this has been used in MG1: https://www.infineon.com/cms/en/product/microcontroller/32-bit-tricore-microcontroller/aurix-safety-joins-performance/aurix-security-solutions/aurix-security-hardware/

Probably they upload encrypted firmware when making updates, the data is stored encrypted in flash memory, and then this HSM mechanism decrypts it when data is accessed. The AES key might be based on some hardware number.
« Last Edit: December 05, 2017, 10:33:36 AM by automan001 »
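The distinction raised in replies #9 and #12, between knowing a symmetric decryption key and being able to produce an image the device accepts, as an added example that is not part of the thread and does not describe how MG1 or the AURIX HSM actually works. It assumes a device that decrypts with a shared key and also checks an asymmetric signature; the cipher is a SHA-256 keystream stand-in for AES, the RSA key is a toy built from two Mersenne primes, and all names and data are constructed.

```python
import hashlib

# Constructed toy RSA key from two Mersenne primes (far too small for real use).
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537                  # public half: the only part the device stores
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: never leaves the vendor

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (SHA-256 in counter mode); encrypt == decrypt."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def digest_int(data: bytes) -> int:
    """SHA-256 of the plaintext image, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def vendor_package(plain: bytes, enc_key: bytes):
    """Vendor side: encrypt the image and sign its plaintext digest with D."""
    return keystream_xor(enc_key, plain), pow(digest_int(plain), D, N)

def device_accepts(ciphertext: bytes, signature: int, enc_key: bytes) -> bool:
    """Device side: decrypt, then accept only if the signature matches."""
    plain = keystream_xor(enc_key, ciphertext)
    return pow(signature, E, N) == digest_int(plain)

def demo():
    enc_key = b"constructed-shared-key"
    original = b"CAL:limit=1.2;" * 4           # constructed sample image
    ciphertext, signature = vendor_package(original, enc_key)
    genuine_ok = device_accepts(ciphertext, signature, enc_key)
    # Knowing enc_key is enough to decrypt, edit and re-encrypt the image...
    modified = keystream_xor(enc_key, ciphertext).replace(b"1.2", b"1.9")
    reencrypted = keystream_xor(enc_key, modified)
    # ...but without D the only signature available is the original one.
    modified_ok = device_accepts(reencrypted, signature, enc_key)
    return genuine_ok, modified_ok

if __name__ == "__main__":
    print(demo())
```

The symmetric key gives confidentiality only; acceptance depends on the signature, which the shared key cannot reproduce.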
automan001
« Reply #13 on: May 15, 2019, 06:53:10 AM »
Any news on cracking down this HSM thing? https://www.infineon.com/dgdl/Infineon-AURIX_Hardware_Security_Module-TR-v01_00-EN.pdf?fileId=5546d46269bda8df0169ca6e34c62549

I've seen they are reading and writing BOSCH MG1 on other cars (BMW, Ford). Haven't seen anything about Audi/VW/Seat/Skoda.

I want to continue tuning, but this MG1 HSM stuff is driving me crazy - 2 years have passed and no news. I've started thinking about an alternative solution - downgrade the ECU back to MED17, which has all I need - especially FR specs from Bosch. For the ME7-like logger stuff for MED17, I can figure out myself how to dump variables. Maybe with some limitations (some hardware might not work) & rewiring through an adapter this is going to work. Is it worth trying, your thoughts on this?

Or maybe switch to the SIMOS18 ECU, which is used on 220HP versions, and figure out what to do with the valve lift stuff. Should be pretty compatible because it's used on the same MQB platform with DQ500 DSG7.
« Last Edit: May 15, 2019, 11:55:50 AM by automan001 »