E90Post, BMW 3-Series (E90 E92) Forum: I cloned my MSV70 DME

      12-02-2016, 12:30 AM   #1035
hassmaschine

Yeah, I get it - basically that whole section has to match. It reads the signature, calculates the hash from the reference offsets, and sees if it matches.

I will try to see if I can test this soon. It would be huge - no need for a $300 oft or $500 one time use programmer. Or having to use bdm (for some things though, bdm is best).

The irony is, flashes with Winkfp are faster than most programmers - since it only writes the 128kb calibration instead of the 2560kb full binary. Could be fast enough for dyno tuning (even BDM writes take a minute); although building custom 0da files for flashing at the moment is not straightforward. I have a plan for that though.

Last edited by hassmaschine; 12-02-2016 at 12:36 AM..

      12-02-2016, 02:48 AM   #1036
rjahl

Quote:
Originally Posted by Terraphantm View Post
Quote:
Originally Posted by rjahl View Post
So, I have this tool that flashes over OBD and leaves this program section modified....
Does that modification actually work? Seems a bit odd to me.

First pointer is changed from boot 3 to the parameter space and the rest are of regions that seem irrelevant to RSA. Unless your software changes the signature that's stored in the program section to match those new regions, I don't see how that would work.

I would try changing the pointers to

Code:
00000002 00840000 008400FF 00840240 0085EAFF 00000000 00000000 00000000 00000000 00000000 00000000 00000100 0001E8C0 00000000 00000000 00000000
Would only work if the parameter space has a valid signature. But if this does work, you can use this method to flash a boot_3 that ignores the RSA check, and then modify the parameter section however you want after the fact.
Yes, this actually works. This particular OBD tool makes some strange copies of the program blocks and stores them in empty areas between the actual program. I need to send you the full file.
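
The table quoted above decides which address ranges the signature check hashes, and it sits in the same flash the check is meant to protect. The sketch below is an added example (not code from this thread or from the DME) of the audit a verifier needs: compare the regions the table names against a coverage policy held outside the image. The table layout (count word plus five start/end slots, big-endian) and the `REQUIRED` list are assumptions drawn from the thread.

```python
import struct

# Assumed layout, read off the 16-word table quoted in the thread: word 0 is
# the number of regions in use, then five (start, end) slots with inclusive
# end addresses. The remaining words are not interpreted here.
MAX_SLOTS = 5

# Policy held by the verifier, not by the image. 0x60000-0x7FF7F is the only
# program range the thread names; a real policy would list every range.
REQUIRED = [(0x60000, 0x7FF7F)]


def parse_region_table(raw: bytes):
    """Return the (start, end) regions a big-endian table asks to be hashed."""
    if len(raw) < 4 * (1 + 2 * MAX_SLOTS):
        raise ValueError("table truncated")
    words = struct.unpack(">11I", raw[:44])
    count = words[0]
    if count > MAX_SLOTS:
        raise ValueError("region count exceeds slot count")
    regions = [(words[1 + 2 * i], words[2 + 2 * i]) for i in range(count)]
    for start, end in regions:
        if start > end:
            raise ValueError(f"inverted region {start:#x}-{end:#x}")
    return regions


def uncovered(regions, required=REQUIRED):
    """Return the parts of each required range that no table region covers."""
    gaps = []
    for lo, hi in required:
        cursor = lo
        for start, end in sorted(regions):
            if end < cursor or start > hi:
                continue  # region lies entirely outside what is left to cover
            if start > cursor:
                gaps.append((cursor, start - 1))
            cursor = max(cursor, end + 1)
            if cursor > hi:
                break
        if cursor <= hi:
            gaps.append((cursor, hi))
    return gaps


# The 16-word table quoted in the post above, as raw bytes.
QUOTED = bytes.fromhex(
    "00000002" "00840000008400FF" "008402400085EAFF" + "00000000" * 6
    + "00000100" "0001E8C0" + "00000000" * 3)
```

A verifier that accepts an image only when `uncovered(parse_region_table(table))` is empty no longer depends on the table being honest about what it covers.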

      12-02-2016, 02:55 AM   #1037
rjahl

Quote:
Originally Posted by hassmaschine View Post
Yeah, I get it - basically that whole section has to match. It reads the signature, calculates the hash from the reference offsets, and sees if it matches.

I will try to see if I can test this soon. It would be huge - no need for a $300 oft or $500 one time use programmer. Or having to use bdm (for some things though, bdm is best).

The irony is, flashes with Winkfp are faster than most programmers - since it only writes the 128kb calibration instead of the 2560kb full binary. Could be fast enough for dyno tuning (even BDM writes take a minute); although building custom 0da files for flashing at the moment is not straightforward. I have a plan for that though.
Once the DME is unlocked I can flash custom ODA files in about 4 1/2 minutes. I have a little program that fixes checksums and creates ODA files from custom Bins. It will also do custom OPA files.

Funny thing, with fast mode turned on and on a bench, I can flash an ODA file in 45 seconds. But fast mode does not work in the car.

The converter program is written in Excel VBA and is not fantastic or super fast but it works.

      12-02-2016, 02:57 AM   #1038
rjahl

Quote:
Originally Posted by hassmaschine View Post
Yeah, I get it - basically that whole section has to match. It reads the signature, calculates the hash from the reference offsets, and sees if it matches.

I will try to see if I can test this soon. It would be huge - no need for a $300 oft or $500 one time use programmer. Or having to use bdm (for some things though, bdm is best).

The irony is, flashes with Winkfp are faster than most programmers - since it only writes the 128kb calibration instead of the 2560kb full binary. Could be fast enough for dyno tuning (even BDM writes take a minute); although building custom 0da files for flashing at the moment is not straightforward. I have a plan for that though.
Let me know if you need anything.

You know my time is very limited these days. Still pulling 60 plus hours trying to get my department into shape.

      12-02-2016, 08:30 AM   #1039
hassmaschine

Have you updated that since the last one you sent to me? Could you resend it?

      12-02-2016, 08:56 AM   #1040
rjahl

Quote:
Originally Posted by hassmaschine View Post
Have you updated that since the last one you sent to me? Could you resend it?
I don't think I've done much since that version. I had a bug in the (0PA / 0DA) end of file checksum logic that would show up once in a million years but that's about it.

I'll send it over tonight. Don't have it with me.

      12-02-2016, 09:38 AM   #1041
hassmaschine

Cool thanks.

In other news, I'm up to 8774 parameters. There are 152 undefined (148 in the original A2L). I honestly wasn't sure I'd get more than 90% of them, but it looks like I can get all of them.

I also realized I have mapped out 2000 RAM values by hand. lol. I usually just do whatever is nearby to the code I'm looking at. Unfortunately, you can't really use an algorithm to map RAM values..

      12-02-2016, 01:29 PM   #1042
hassmaschine

Working on this a bit - it's not clear to me where the pointers are in the boot sector.

There are 3 RSA keys for the boot sector - I suppose they must be for boot 1, boot 2, and boot 3. IIRC all of my mods are in Boot 3, so I would do the third one. While the pointers for the parameters and program are obvious, I don't see anything that stands out in the boot sector (also probably because the check happens in the space between 0x860000-0x880000, not in the actual boot sector).

For fun I tried to flash a modified file without the RSA key fix and of course I got "Security access denied".

      12-02-2016, 02:40 PM   #1043
Terraphantm

Quote:
Originally Posted by hassmaschine View Post
Working on this a bit - it's not clear to me where the pointers are in the boot sector.

There are 3 RSA keys for the boot sector - I suppose they must be for boot 1, boot 2, and boot 3. IIRC all of my mods are in Boot 3, so I would do the third one. While the pointers for the parameters and program are obvious, I don't see anything that stands out in the boot sector (also probably because the check happens in the space between 0x860000-0x880000, not in the actual boot sector).

For fun I tried to flash a modified file without the RSA key fix and of course I got "Security access denied".
What address are you seeing the 3 boot RSAs at? If you're seeing the ones at 822CD4, 822D64, and 822DF4, those aren't signatures. Those appear to be the public keys.

I don't know what the first and second are used for (though it's worth noting the second is bit for bit identical between the MS45 and MSV70, suggesting it's perhaps used for secure diagnostic comms or something along those lines). The 3rd is the public key used to decrypt the signature.

Boots 1 and 2 shouldn't have RSA signatures, since the DME never writes to those areas. Boot3's signature seems to be computed as just a segment tacked onto the program section. The only pointers you should have to edit are the ones in the program section.

      12-02-2016, 03:09 PM   #1044
rjahl

Quote:
Originally Posted by hassmaschine View Post
Working on this a bit - it's not clear to me where the pointers are in the boot sector.

There are 3 RSA keys for the boot sector - I suppose they must be for boot 1, boot 2, and boot 3. IIRC all of my mods are in Boot 3, so I would do the third one. While the pointers for the parameters and program are obvious, I don't see anything that stands out in the boot sector (also probably because the check happens in the space between 0x860000-0x880000, not in the actual boot sector).

For fun I tried to flash a modified file without the RSA key fix and of course I got "Security access denied".
Hass

I'm still in the office but aren't the addresses you are looking at the temporary address for boot three before it's moved down?

      12-02-2016, 03:16 PM   #1045
hassmaschine

I didn't even think about that.. the program signature covers the boot section too. Duh. That explains why the 5 blocks for the program include 0x60000-0x7FF7F.

So basically, copy the data signature to the program, and copy the data blocks to the program, and theoretically it should pass..

      12-02-2016, 03:17 PM   #1046
hassmaschine

Quote:
Originally Posted by rjahl View Post
Hass

I'm still in the office but aren't the addresses you are looking at the temporary address for boot three before it's moved down?
Yes I was looking for 0x60000 but I couldn't find it in the boot sector.... because it was in the program section the entire time. The worst part is, I've already seen it before...

      12-02-2016, 03:20 PM   #1047
Terraphantm

Quote:
Originally Posted by hassmaschine View Post
I didn't even think about that.. the program signature covers the boot section too. Duh. That explains why the 5 blocks for the program include 0x60000-0x7FF7F.

So basically, copy the data signature to the program, and copy the data blocks to the program, and theoretically it should pass..
Yep that should do the trick.

      12-03-2016, 10:19 AM   #1048
hassmaschine

Need to look at my MSV70 RSA delete - even flashed over BDM, authentication fails when flashing a modified 0da. A similar mod for MS45 definitely works - and I swear rjahl tested it and it worked for him.

      12-03-2016, 10:22 AM   #1049
rjahl

Quote:
Originally Posted by hassmaschine View Post
Need to look at my MSV70 RSA delete - even flashed over BDM, authentication fails when flashing a modified 0da. A similar mod for MS45 definitely works - and I swear rjahl tested it and it worked for him.
Yes it did. I might even be still running it. Can't remember

      12-03-2016, 10:35 AM   #1050
hassmaschine

Can you send me a dump of what you are using?

      12-03-2016, 10:45 AM   #1051
rjahl

Quote:
Originally Posted by hassmaschine View Post
Can you send me a dump of what you are using?
Sure, I need to look to see what I have. Be later today.

Lately, I've been flashing my custom tunes with Winkfp. Just so much easier that way.

      12-03-2016, 11:23 AM   #1052
rjahl

Quote:
Originally Posted by rjahl View Post
Quote:
Originally Posted by hassmaschine View Post
Can you send me a dump of what you are using?
Sure, I need to look to see what I have. Be later today.

Lately, I've been flashing my custom tunes with Winkfp. Just so much easier that way.
I got to my notes and that file is not in the car. It could still be in my spare DME.

The last RSA delete I tried for you was the bytes in the UIF section. Initially it failed to start but realigning the EWS solved the problem. We swapped messages on this around Sept 5th.

I might give time to test this again later this afternoon if you need to confirm.

Last edited by rjahl; 12-03-2016 at 11:33 AM.. Reason: wrong date

      12-03-2016, 11:39 AM   #1053
hassmaschine

Ok, I thought you tested the new one.. I know the UIF mod works but you can't write those over OBD.

      12-03-2016, 12:56 PM   #1054
rjahl

Quote:
Originally Posted by hassmaschine View Post
Ok, I thought you tested the new one.. I know the UIF mod works but you can't write those over OBD.
Sorry for the confusion, I think you sent that at the same time I was dealing with some major changes in my life.

Were you able to redirect the RSA pointers and flash an 0PA file?

      12-03-2016, 12:58 PM   #1055
hassmaschine

Haven't tried yet. Want to get the RSA bypass boot code working first.

      12-03-2016, 01:05 PM   #1056
Taskmaster

Quote:
Originally Posted by hassmaschine View Post
Haven't tried yet. Want to get the RSA bypass boot code working first.
Check your email, please!