Author Topic: BCB Type1 (C) R. Bosch GmbH 2000  (Read 2871 times)
3ri
« on: November 05, 2022, 02:47:13 PM »

Hi,

Is anyone able to help me convert this data into BCB Type1 (C) R. Bosch GmbH 2000? I've been cracking my head on this topic but I'm not getting any further.

Thanks!

gremlin
« Reply #1 on: November 05, 2022, 03:46:53 PM »

Quote
Is anyone able to help me convert this data into BCB Type1 (C) R. Bosch GmbH 2000?

This is what you want.

3ri
« Reply #2 on: November 05, 2022, 04:08:16 PM »

That's just the extracted datablock from the odx, I want to do it the other way around.

Can you do it with this file for example?

gremlin
« Reply #3 on: November 05, 2022, 04:24:02 PM »

Quote
Can you do it with this file for example?

Here.
But putting it directly into the ODX instead of the original data block is useless work. ;-)

3ri
« Reply #4 on: November 06, 2022, 12:20:56 AM »

That's what I was looking for indeed, Thanks! For testing I also would like these 2 converted back to BCB format. I think I know how to do the BCB Checksum and ODX checksum:

New checksum of block 4
UByte (8bit)
95195B

CRC-32 (for in ODX)
A1ED
 
New checksum of block 5
UByte (8bit)
5262CE

CRC-32 (for in ODX)

 23
656F

Can you please explain how to convert these back to BCB? I know XOR with key encryption and RLE compression need to be done, I just cannot get the process right. Lastly, you said this cannot be put back into the ODX, is it because of signing? Is that just for the ODIS flashtool and is it possible to flash with VCP for example?

prj
« Reply #5 on: November 06, 2022, 06:01:53 AM »

Quote
That's what I was looking for indeed, Thanks! For testing I also would like these 2 converted back to BCB format. I think I know how to do the BCB Checksum and ODX checksum:

New checksum of block 4
UByte (8bit)
95195B

CRC-32 (for in ODX)
A1ED
 
New checksum of block 5
UByte (8bit)
5262CE

CRC-32 (for in ODX)

 23
656F

Can you please explain how to convert these back to BCB? I know XOR with key encryption and RLE compression need to be done, I just cannot get the process right. Lastly, you said this cannot be put back into the ODX, is it because of signing? Is that just for the ODIS flashtool and is it possible to flash with VCP for example?

The binary is signed with an RSA private key. The ECU bootloader checks if the signature matches after the flash process is complete (it contains the public key).
It does not matter what you use to flash.
So you can use whatever tool you want to flash the ODX, but unless the ECU has an unlocked bootloader, it is never going to accept the flash unless the signature is correct.

Actually it's going to fail already on the first block, because before the new flashed CBOOT is loaded the signature is verified, so it'll just stay in bootloader forever.
« Last Edit: November 06, 2022, 06:04:49 AM by prj »

PM's will not be answered, so don't even try.
Log your car properly.
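
Added example, not part of the thread and not any ECU's or flash tool's actual code: a minimal Python sketch of why a recomputed checksum passes while the signature check described above still fails. The key, the container layout and all function names are hypothetical, and the sample images are constructed.

```python
import hashlib
import zlib

# Constructed toy key: two Mersenne primes, textbook RSA without padding.
# Real bootloaders use far larger moduli and a padded signature scheme.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: signer only


def digest_int(image: bytes) -> int:
    """SHA-256 of the image, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N


def factory_sign(image: bytes) -> int:
    """Signer side: requires the private exponent D."""
    return pow(digest_int(image), D, N)


def bootloader_verify(image: bytes, signature: int) -> bool:
    """ECU side: requires only the public values N and E."""
    return pow(signature, E, N) == digest_int(image)


def build_block(image: bytes, signature: int) -> dict:
    """Hypothetical container: unkeyed CRC-32 stored next to the signature."""
    return {"image": image, "crc32": zlib.crc32(image), "sig": signature}


def accept(block: dict) -> tuple:
    """Return (crc_ok, sig_ok) for a received block."""
    crc_ok = zlib.crc32(block["image"]) == block["crc32"]
    return crc_ok, bootloader_verify(block["image"], block["sig"])


# Constructed sample data, not a real calibration format.
factory_image = b"CAL:ignition_map=stock"
factory = build_block(factory_image, factory_sign(factory_image))

# Edited image: anyone can recompute the CRC, but without D the only
# signature available is the one made for the factory image.
edited_image = b"CAL:ignition_map=edited"
edited = build_block(edited_image, factory["sig"])

if __name__ == "__main__":
    print("factory:", accept(factory))
    print("edited: ", accept(edited))
```

The CRC is an unkeyed integrity check that any party can regenerate, while the signature binds the image to a key the verifier never holds, which is why the file contents alone cannot change the outcome.
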
3ri
« Reply #6 on: November 07, 2022, 03:42:24 AM »

That makes sense, I kind of should have known that was there. Well, here is a new file to test, can somebody convert it to BCB or show, or even better, please explain how I can do this myself?

prj
« Reply #7 on: November 07, 2022, 03:56:20 AM »

But what's the point of re-encoding it?
You want to unlock it in boot and then use ODIS or something to flash OBD? Or what is the reason?

Does not matter what you do in the file. If the bootloader is not already unlocked it will not accept an unsigned bootloader unless you use an exploit to bypass the verification check.
But any tool flashing FRF/ODX will not do any exploit when flashing FRF/ODX.

3ri
« Reply #8 on: November 07, 2022, 04:24:54 AM »

Yes, I want to flash by OBD with ODIS/VCP, it would be great if the boot process can be skipped, so the exploit to bypass the verification check is interesting. But if I understand correctly, it's definitely not possible to fix this in the ODX?

prj
« Reply #9 on: November 07, 2022, 05:54:49 AM »

Quote
Yes, I want to flash by OBD with ODIS/VCP, it would be great if the boot process can be skipped, so the exploit to bypass the verification check is interesting. But if I understand correctly, it's definitely not possible to fix this in the ODX?
Of course not.

Again, if the ECU has factory SW, then signature verification is active.
When you try to flash your custom ODX/FRF it will fail verification and the ECU will stay in bootloader.
It won't switch to the new bootloader until the current bootloader in the ECU verifies the new one, which it never will.
So it does not matter what you do in the file, that file flash is never going to complete.

Do you see how what you're doing is a waste of time?

3ri
« Reply #10 on: November 07, 2022, 06:08:20 AM »

"Of course not", is not the right answer. It's possible to write a factory odx, the ecu accepts other factory odx files with other calibrations. So for sure it's possible to create our own odx and write that, it's just finding out how. I assume you have some more knowledge about this.

There is also a tool which is called ODXCreate, I haven't found the right settings yet, do you know, if you create an odx file with this, will this solve the signing verification you are talking about?

I can use several flash tools which solve this issue, I just want to learn, learning is never a waste of time so I think we think differently about wasting time.

d3irb
« Reply #11 on: November 07, 2022, 07:26:48 AM »

Quote
the ecu accepts other factory odx files with other calibrations.

Because they are signed using the RSA private key from the factory, which we do not have.

Quote
There is also a tool which is called ODXCreate, I haven't found the right settings yet, do you know, if you create an odx file with this, will this solve the signing verification you are talking about?

Not unless you have the RSA private key from the factory, which we do not have.

Quote
I can use several flash tools which solve this issue

Depending on the specific ECU revision, they solve this issue using an exploit which bypasses the verification check, which in this case requires tweaks to the flashing process which are not possible through ODIS/VCP or an ODX file. Besides one small range of MED versions for which it might be possible to do this as the signature validation bypass relies on forged signatures, most signature bypass exploits require a custom flashing process which VCP and ODIS cannot understand.

prj
« Reply #12 on: November 07, 2022, 07:30:17 AM »

Quote
"Of course not", is not the right answer.
It is 100% the right answer, unless you have access to OEM smartcards/keychain.
Quote
So for sure it's possible to create our own odx and write that, it's just finding out how. I assume you have some more knowledge about this.
Yes, of course it is possible. You just need a quantum computer with a few thousand qubits to find the private key that matches the public key.
Quote
I can use several flash tools which solve this issue, I just want to learn, learning is never a waste of time so I think we think differently about wasting time.
Start by learning how public key cryptography works, you don't need an ECU to do that.
After that you will see that what you're trying to do is a waste of time.
« Last Edit: November 07, 2022, 07:31:56 AM by prj »