Pages: [1]
Author Topic: Is it possible to intercept a tune while flashing and map it to a calibration?  (Read 2413 times)
psyko
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 13



Hello,

I have a BMW which I am flashing with Bootmod3. They don't allow you to see the map data for their OTS maps (like the specific values in the individual calibration tables for wastegate control, fueling etc...), but you can see the map data for a self-tune or stock map.

I have logged the bytes which Bootmod3 transfers to my ECU during the programming session. It's 306,900 bytes when I do a "partial" flash. Partial meaning the ECU was already flashed with BM3 and I just changed some data in a self-tuned table and reflash.

I expected that maybe only a few bytes would change, but actually only about 72KB are identical (the first chunk) and the remainder is largely changed. It doesn't look to be like any sort of sophisticated encryption or compression, because some random lengths of bytes in these areas ARE still the same... but are mostly different...

Anyway, is what I am trying to do possible? What am I missing? I have the ISO 14229-1 spec which matches at least what the programming session is doing, but as far as the actual data contents go for this session, I am totally blind. Is there a BMW spec somewhere I can find? Or does that come from Bosch? It's a Bosch ECU (Aurix based).

Thanks for any help!!
Logged
IamwhoIam
Hero Member
*****

Karma: +52/-115
Offline Offline

Posts: 1070



Why don't you ask Bootmod3 for help?
Logged

I have no logs because I have a boost gauge (makes things easier)
psyko
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 13



Why don't you ask Bootmod3 for help?

Lol, are you being facetious??

Why would they help me "steal" something they are protecting? They don't want people to know what their proprietary tune consists of and have a method to encrypt the maps on their software. I am wondering if the data transmitted to the ECU is still in an encrypted form, or not (because I doubt the ECU would support that?)
Logged
jcsbanks
Full Member
***

Karma: +19/-3
Offline Offline

Posts: 146



Usually the 34 command just before the 36 commands in UDS will tell you what the compression and encryption is so it 3400 it is no compression and no encryption, assuming it isn't running a custom bootloader. BMWs used to flash in the clear IIRC.
Logged
psyko
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 13



Usually the 34 command just before the 36 commands in UDS will tell you what the compression and encryption is so it 3400 it is no compression and no encryption, assuming it isn't running a custom bootloader. BMWs used to flash in the clear IIRC.

Aha! I Think we are on to something here...

It's 34 10, meaning compressed but unencrypted.

What does compression = 1 mean? How do I decompress the stream -- is there a standard/spec somwhere?
Logged
jcsbanks
Full Member
***

Karma: +19/-3
Offline Offline

Posts: 146



The compression and encryption nibbles are platform specific according to the UDS standards.
Logged
psyko
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 13



Dang... Does anyone know what BMW MG1 uses?

I guess I will try to derive it from some statistical analysis of the hex
Logged
prj
Hero Member
*****

Karma: +1072/-481
Offline Offline

Posts: 6037



Dang... Does anyone know what BMW MG1 uses?

I guess I will try to derive it from some statistical analysis of the hex
Statistical analysis of AES? Good luck. Because that's what most modern controllers use.

No idea about this one though.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
gt-innovation
Sr. Member
****

Karma: +60/-91
Offline Offline

Posts: 449



Dang... Does anyone know what BMW MG1 uses?

I guess I will try to derive it from some statistical analysis of the hex

The steps would be to re-construct the block flashed from a sniff, decrypt using the correct aes keys(if encrypted), decompress using the correct decompression algo(if compressed) and there you have it. However this process is about 50% of what is needed to create a flashing protocol (without an exploit or a hack) and it is too much of an effort for something that many calibration engineers can do. So Why bother at all ?
« Last Edit: September 09, 2023, 07:34:03 AM by gt-innovation » Logged
jcsbanks
Full Member
***

Karma: +19/-3
Offline Offline

Posts: 146



Dang... Does anyone know what BMW MG1 uses?

I guess I will try to derive it from some statistical analysis of the hex

If it happens to be AES 128 CBC you might happen to find an IV that is stereotypical and next to the AES key in the CBOOT dump. But I have no idea about recent BMWs, my colleague won't let me have one because I'd probably end up drifting it all day around an airfield and never get any work done.
Logged
EanDem
Full Member
***

Karma: +8/-40
Offline Offline

Posts: 78



It seems like attempt for pain in the ass on full...... Why not start normal way - use propper editing tool as for greenhorn you may buy St1 form known vendor and resolve mappack demand. Start learning and ask more specific questions in forums if required - there always help possible.
Logged
prj
Hero Member
*****

Karma: +1072/-481
Offline Offline

Posts: 6037



If it happens to be AES 128 CBC you might happen to find an IV that is stereotypical and next to the AES key in the CBOOT dump. But I have no idea about recent BMWs, my colleague won't let me have one because I'd probably end up drifting it all day around an airfield and never get any work done.
Assuming that they didn't modify the cboot...
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.022 seconds with 17 queries. (Pretty URLs adds 0.001s, 0q)