3ri
Newbie
Karma: +0/-0
Offline
Posts: 17
« on: November 05, 2022, 02:47:13 PM »
Hi,
Is anyone able to help me convert this data into BCB Type1 (C) R. Bosch GmbH 2000? I've been cracking my head on this topic but I'm not getting any further.
Thanks!
gremlin
« Reply #1 on: November 05, 2022, 03:46:53 PM »
> Is anyone able to help me convert this data into BCB Type1 (C) R. Bosch GmbH 2000?

This is what you want.
3ri
« Reply #2 on: November 05, 2022, 04:08:16 PM »
That's just the extracted datablock from the odx, I want to do it the other way around.
Can you do it with this file for example?
gremlin
« Reply #3 on: November 05, 2022, 04:24:02 PM »
> Can you do it with this file for example?

Here. But putting it directly into the ODX instead of the original data block is useless work. ;-)
3ri
« Reply #4 on: November 06, 2022, 12:20:56 AM »
That's what I was looking for indeed, thanks! For testing I also would like these 2 converted back to BCB format. I think I know how to do the BCB checksum and ODX checksum:
New checksum of block 4
UByte (8bit): 95195B
CRC-32 (for in ODX): A1ED
New checksum of block 5
UByte (8bit): 5262CE
CRC-32 (for in ODX): 23 656F
Can you please explain how to convert these back to BCB? I know XOR with key encryption and RLE compression need to be done, I just cannot get the process right. At last you said this cannot be put back into the ODX, it's because of signing? Is that just for the ODIS flashtool and is it possible to flash with VCP for example?
prj
« Reply #5 on: November 06, 2022, 06:01:53 AM »
> That's what I was looking for indeed, Thanks! For testing I also would like these 2 converted back to BCB format. I think I know how to do the BCB Checksum and ODX checksum:
> New checksum of block 4
> UByte (8bit): 95195B
> CRC-32 (for in ODX): A1ED
> New checksum of block 5
> UByte (8bit): 5262CE
> CRC-32 (for in ODX): 23 656F
> Can you please explain how to convert these back to BCB? I know XOR with key encryption and RLE compression needs to be done I just cannot get the process right. At last you said this cannot be put back into the ODX, it's because of signing? Is that just for the ODIS flashtool and is it possible to flash with VCP for example?

The binary is signed by RSA private key. The ECU bootloader checks if the signature matches after the flash process is complete (it contains the public key). Does not matter what you use to flash. So you can use whatever tool you want to flash the ODX, but unless the ECU has unlocked bootloader, it is never going to accept the flash unless the signature is correct. Actually it's going to fail already on the first block, because before the new flashed CBOOT is loaded the signature is verified, so it'll just stay in bootloader forever.
« Last Edit: November 06, 2022, 06:04:49 AM by prj »
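The distinction drawn in the reply above, as an added example that is not part of the original thread and is not Bosch's or any flash tool's code: a checksum can be recomputed by anyone who edits a block, while the signature check only passes for data signed with the factory private key. The toy RSA keys (Mersenne primes, no padding), the block contents and all function names are constructed for illustration.

```python
import hashlib
import zlib

E = 65537  # public exponent

def make_key(p, q):
    """Return (modulus, private exponent) for a toy textbook-RSA key."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed toy keys built from Mersenne primes: illustration only, not secure.
FACTORY_N, FACTORY_D = make_key(2**521 - 1, 2**607 - 1)  # D never leaves the factory
OTHER_N, OTHER_D = make_key(2**607 - 1, 2**1279 - 1)     # a key someone generates themselves

def digest_int(block):
    return int.from_bytes(hashlib.sha256(block).digest(), "big")

def sign(block, n, d):
    """Textbook RSA signature over SHA-256 (no padding, toy only)."""
    return pow(digest_int(block), d, n)

def bootloader_accepts(block, crc, signature):
    """Model of the check: the verifier holds only the public key (FACTORY_N, E)."""
    if zlib.crc32(block) != crc:
        return "checksum mismatch"
    if pow(signature, E, FACTORY_N) != digest_int(block):
        return "signature mismatch"
    return "accepted"

def demo():
    factory = b"CONSTRUCTED ECU data block, calibration rev A"
    factory_sig = sign(factory, FACTORY_N, FACTORY_D)
    modified = factory.replace(b"rev A", b"rev B")  # one-byte edit
    return {
        # Unmodified factory data with its factory signature.
        "factory": bootloader_accepts(factory, zlib.crc32(factory), factory_sig),
        # Edited data, nothing else touched: the checksum catches it.
        "stale_crc": bootloader_accepts(modified, zlib.crc32(factory), factory_sig),
        # Edited data with a recomputed CRC: checksum passes, signature does not.
        "fixed_crc": bootloader_accepts(modified, zlib.crc32(modified), factory_sig),
        # Edited data signed with a different key: still checked against the factory key.
        "own_key": bootloader_accepts(modified, zlib.crc32(modified),
                                      sign(modified, OTHER_N, OTHER_D)),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:10s} -> {verdict}")
```
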
3ri
« Reply #6 on: November 07, 2022, 03:42:24 AM »
That makes sense, I kind of should have known that was there. Well here is a new file to test, can somebody convert it to BCB or show or even better, please explain how I can do this myself?
prj
« Reply #7 on: November 07, 2022, 03:56:20 AM »
But what's the point of re-encoding it? You want to unlock it in boot and then use ODIS or something to flash OBD? Or what is the reason?
Does not matter what you do in the file. If the bootloader is not already unlocked it will not accept an unsigned bootloader unless you use an exploit to bypass the verification check. But any tool flashing FRF/ODX will not do any exploit when flashing FRF/ODX.
3ri
« Reply #8 on: November 07, 2022, 04:24:54 AM »
Yes, I want to flash by OBD with ODIS/VCP, it would be great if the boot process can be skipped, so the exploit to bypass the verification check is interesting. But if I understand correctly, it's definitely not possible to fix this in the ODX?
prj
« Reply #9 on: November 07, 2022, 05:54:49 AM »
> Yes, I want to flash by OBD with ODIS/VCP, it would be great if the boot process can be skipped, so the exploit to bypass the verification check is interesting. But if I understand correct, it's definitely not possible to fix this in the ODX?

Of course not. Again, if the ECU has factory SW, then signature verification is active. When you try to flash your custom ODX/FRF it will fail verification and the ECU will stay in bootloader. It won't switch to the new bootloader until the current bootloader in the ECU verifies the new one, which it never will. So it does not matter what you do in the file, that file flash is never going to complete. Do you see how what you're doing is a waste of time?
3ri
« Reply #10 on: November 07, 2022, 06:08:20 AM »
"Of course not" is not the right answer. It's possible to write a factory ODX, the ECU accepts other factory ODX files with other calibrations. So for sure it's possible to create our own ODX and write that, it's just finding out how. I assume you have some more knowledge about this.
There is also a tool which is called ODXCreate, I haven't found the right settings yet. Do you know, if you create an ODX file with this, will this solve the signing verification you are talking about?
I can use several flash tools which solve this issue, I just want to learn. Learning is never a waste of time, so I think we think differently about wasting time.
d3irb
Full Member
Karma: +134/-1
Offline
Posts: 195
« Reply #11 on: November 07, 2022, 07:26:48 AM »
> the ecu accepts other factory odx files with other calibrations.

Because they are signed using the RSA private key from the factory, which we do not have.

> There is also an tool which is called ODXCreate, I haven't found the right settings yet, do you know, if you create an odx file with this, will this solve the singing verification you are talking about?

Not unless you have the RSA private key from the factory, which we do not have.

> I can use several flash tools which solve this issue

Depending on the specific ECU revision, they solve this issue using an exploit which bypasses the verification check, which in this case requires tweaks to the flashing process which are not possible through ODIS/VCP or an ODX file. Besides one small range of MED versions for which it might be possible to do this as the signature validation bypass relies on forged signatures, most signature bypass exploits require a custom flashing process which VCP and ODIS cannot understand.
prj
« Reply #12 on: November 07, 2022, 07:30:17 AM »
> "Of course not", is not the right answer.

It is 100% the right answer, unless you have access to OEM smartcards/keychain.

> So for sure it's possible to create our own odx and write that, it's just finding out how. I assume you have some more knowledge about this.

Yes, of course it is possible. You just need a quantum computer with a few thousand qubits to find the private key that matches the public key.

> I can use several flash tools which solve this issue, i just want to learn, learning is never a waste of time so I think we think different about wasting time.

Start by learning how public key cryptography works, you don't need an ECU to do that. After that you will see that what you're trying to do is a waste of time.
« Last Edit: November 07, 2022, 07:31:56 AM by prj »