E90Post: I cloned my MSV70 DME
Forum section: BMW 3-Series (E90 E92) Forum > E90 / E92 / E93 3-series Powertrain and Drivetrain Discussions > NA Engine (non-turbo) / Drivetrain / Exhaust Modifications
      12-24-2016, 09:33 PM   #1211
hassmaschine
Major General
United_States
3966
Rep
7,215
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

Interesting - I remember making comments on those trt comparison branches; I don't think I had made the connection since figuring out the RSA bytes.

But either way, you have to flash it to change those bytes, so why not just change the parameters instead of all the work in NCS Expert?
      12-24-2016, 09:40 PM   #1212
Terraphantm
Captain
253
Rep
775
Posts

Drives: E46 M3 Coupe
Join Date: Apr 2009
Location: N/A

iTrader: (1)

Quote:
Originally Posted by hassmaschine View Post
Interesting - I remember making comments on those trt comparison branches; I don't think I had made the connection since figuring out the RSA bytes.

But either way, you have to flash it to change those bytes, so why not just change the parameters instead of all the work in NCS Expert?
Avoids the need for bdm, and you can flash to a 100% stock file after the powerclass change.
      12-24-2016, 10:57 PM   #1213
Terraphantm
Captain
253
Rep
775
Posts

Drives: E46 M3 Coupe
Join Date: Apr 2009
Location: N/A

iTrader: (1)

And I have found powerclass in the serial EEPROM.



I'm guessing the C669/2410 is a checksum (CRC16?). The 00/02 is the powerclass. And I'd be willing to bet that the 03 immediately before is the vmax config.

And heh, the last 7 digits of my M3's VIN ended up in that serial EEPROM. Guess NCS writes that too.
      12-24-2016, 10:57 PM   #1214
hassmaschine
Major General
United_States
3966
Rep
7,215
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

Don't you need BDM to change the RSA bytes anyway?
      12-24-2016, 11:01 PM   #1215
Terraphantm
Captain
253
Rep
775
Posts

Drives: E46 M3 Coupe
Join Date: Apr 2009
Location: N/A

iTrader: (1)

Quote:
Originally Posted by hassmaschine View Post
Don't you need BDM to change the RSA bytes anyway?
But we're able to flash arbitrary 0PAs thanks to the parameter RSA trick. So change the branch condition to always go to the "good" path, flash that 0PA, change your powerclass (and whatever else), then flash to a stock 330i tune or whatever (and don't forget to change the powerclass in the CAS if in a BN2000 car)

Last edited by Terraphantm; 12-24-2016 at 11:08 PM..
      12-24-2016, 11:11 PM   #1216
hassmaschine
Major General
United_States
3966
Rep
7,215
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

Sorta.. It passes RSA authorization but the flash doesn't complete and the DME will be in limp mode.
      12-25-2016, 12:25 AM   #1217
Terraphantm
Captain
253
Rep
775
Posts

Drives: E46 M3 Coupe
Join Date: Apr 2009
Location: N/A

iTrader: (1)

Quote:
Originally Posted by hassmaschine View Post
Sorta.. It passes RSA authorization but the flash doesn't complete and the DME will be in limp mode.
Okay, re-enabled RSA on my DME and crafted an 0PA with the appropriate modifications. Worked fine. Even if the DME is in limp mode, enough of the code is executing to allow the powerclass to change. You can just flash back to a stock program after that.

Worth noting that in this case I did *not* have any junk left over at 0x60000, so it seems like the 0x60000 -> 0x20000 copy isn't dependent on the RSA pointers.
      12-25-2016, 01:30 AM   #1218
rjahl
Colonel
996
Rep
2,287
Posts

Drives: Z4 35is
Join Date: Jun 2011
Location: Tampa

iTrader: (0)

Did you have the Update bootsector activated?
      12-25-2016, 01:49 AM   #1219
Terraphantm
Captain
253
Rep
775
Posts

Drives: E46 M3 Coupe
Join Date: Apr 2009
Location: N/A

iTrader: (1)

I have it disabled.
      12-25-2016, 03:57 PM   #1220
Terraphantm
Captain
253
Rep
775
Posts

Drives: E46 M3 Coupe
Join Date: Apr 2009
Location: N/A

iTrader: (1)

In other news, I finally figured out why I was having so much trouble verifying RSA signatures. Turns out, BMW stores the signatures and public keys backwards. The last DWORD actually comes first. Hash is simply byte flipped and reversed MD5. They don't bother padding it.

Now I should be able to factor the MS45 key. And any other 512-bit key BMW has. So in 1-2 weeks, I should be able to sign any MS45 binary.
      12-25-2016, 04:19 PM   #1221
rjahl
Colonel
996
Rep
2,287
Posts

Drives: Z4 35is
Join Date: Jun 2011
Location: Tampa

iTrader: (0)

I took another crack at this today. The idea was to install a good calibration file at 0x60000 through an 0da file with a 0x20000 byte offset, then try flashing a custom file with the calibration pointers at the good calibration file parked at 0x60000.

The first of these flashes failed hard, ECU dead to EDIABAS. BDM read back shows the new calibration file placed right where I wanted it at 0x60000, but all of the flash data 0x80000 and above was wiped to FF, plus the microprocessor file was completely wiped to FFs. EEPROM seems to be unchanged except 10 bytes at 0x87A.

I simply changed the 0da file extended data references from

:02000004008476

to

:020000040006F4


The 86 reference yielded a memory violation error, so I went with the 06.

Yes, there is a line in the middle of the 0PA file, 40085; I swapped that to 40007.

While this was a fail, hopefully it will give us some insight into the flashing process.



Edit: The ECU is not totally dead, I get ECU Ident and UIF, but I can't flash a new program at all.
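The `:02000004...` lines edited in the post above are Intel HEX extended linear address (type 04) records: the two data bytes become the upper 16 bits of the address for every data record that follows, and the last byte is a two's-complement checksum over the rest of the record. As an added example (not code from the thread or from any BMW tool), the parser below validates record checksums and computes the absolute address each data record lands at, so an edit such as 0084 -> 0006 can be checked on the file before anything is flashed. The data and end-of-file records it feeds itself are constructed for the demo; only the two type-04 records are the ones quoted in the post.

```python
# Added example, not from the thread: Intel HEX record parsing with checksum
# validation and an absolute-address map for type-04 extended linear records.
DATA, EOF, EXT_LINEAR = 0x00, 0x01, 0x04


def parse_record(line: str) -> dict:
    """Decode one ':'-prefixed Intel HEX record and check its checksum."""
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError("record must start with ':'")
    raw = bytes.fromhex(line[1:])
    count, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
    if len(raw) != 5 + count:
        raise ValueError("byte count field does not match record length")
    data, checksum = raw[4:4 + count], raw[4 + count]
    expected = (-sum(raw[:-1])) & 0xFF  # two's complement of the byte sum
    return {"type": rtype, "address": addr, "data": data,
            "checksum": checksum, "checksum_ok": checksum == expected}


def make_record(rtype: int, addr: int, data: bytes) -> str:
    """Build a record with a correct checksum (the inverse of parse_record)."""
    body = bytes([len(data)]) + addr.to_bytes(2, "big") + bytes([rtype]) + data
    checksum = (-sum(body)) & 0xFF
    return ":" + (body + bytes([checksum])).hex().upper()


def map_addresses(lines) -> list:
    """Return [(absolute_address, data)] for every data record, honouring
    type-04 extended linear address records; rejects any bad checksum."""
    base, out = 0, []
    for line in lines:
        rec = parse_record(line)
        if not rec["checksum_ok"]:
            raise ValueError(f"bad checksum in record {line.strip()}")
        if rec["type"] == EXT_LINEAR:
            base = int.from_bytes(rec["data"], "big") << 16
        elif rec["type"] == DATA:
            out.append((base + rec["address"], rec["data"]))
        elif rec["type"] == EOF:
            break
    return out


# Constructed sample files: the two type-04 records quoted in the post, each
# followed by one made-up 16-byte data record at offset 0x0000 and an EOF record.
SAMPLE_DATA = bytes(range(16))
ORIGINAL = [":02000004008476", make_record(DATA, 0x0000, SAMPLE_DATA), ":00000001FF"]
EDITED = [":020000040006F4", make_record(DATA, 0x0000, SAMPLE_DATA), ":00000001FF"]
```

With the original record the data lands at 0x00840000; with the edited one it lands at 0x00060000, which is the 0x60000 target the post was aiming for. A record whose checksum byte was edited by hand but not recomputed is rejected by `map_addresses` before it reaches a flash tool.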
      12-25-2016, 08:40 PM   #1222
hassmaschine
Major General
United_States
3966
Rep
7,215
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

Quote:
Originally Posted by Terraphantm View Post
In other news, I finally figured out why I was having so much trouble verifying RSA signatures. Turns out, BMW stores the signatures and public keys backwards. The last DWORD actually comes first. Hash is simply byte flipped and reversed MD5. They don't bother padding it.

Now I should be able to factor the MS45 key. And any other 512-bit key BMW has. So in 1-2 weeks, I should be able to sign any MS45 binary.
I'm pretty sure the E9x AT uses a 512 bit key..
      12-25-2016, 08:47 PM   #1223
Terraphantm
Captain
253
Rep
775
Posts

Drives: E46 M3 Coupe
Join Date: Apr 2009
Location: N/A

iTrader: (1)

Quote:
Originally Posted by hassmaschine View Post
I'm pretty sure the E9x AT uses a 512 bit key..
Should be doable if we can identify the public key (which isn't that hard). Right now I've got my PC chugging away at the MS45 since that's more useful to me. Can probably do the AT afterwards.

Or really, anyone else who has a half-way decent PC (i7 w/ at least 4 cores) can probably factor it in 1-2 weeks.

Last edited by Terraphantm; 12-25-2016 at 09:48 PM..
      12-28-2016, 10:49 AM   #1224
hobbit382
New Member
0
Rep
12
Posts

Drives: ...
Join Date: Oct 2006
Location: Phoenix,AZ

iTrader: (0)

Quote:
Originally Posted by Terraphantm View Post
In other news, I finally figured out why I was having so much trouble verifying RSA signatures. Turns out, BMW stores the signatures and public keys backwards. The last DWORD actually comes first. Hash is simply byte flipped and reversed MD5. They don't bother padding it.

Now I should be able to factor the MS45 key. And any other 512-bit key BMW has. So in 1-2 weeks, I should be able to sign any MS45 binary.
Nice work!!! What have you been using to brute force the 512-bit key?
      12-28-2016, 10:52 AM   #1225
hobbit382
New Member
0
Rep
12
Posts

Drives: ...
Join Date: Oct 2006
Location: Phoenix,AZ

iTrader: (0)

Also, is the RSA key different for MSV80? If it's not, couldn't we simply extract it from BB flash?
      12-28-2016, 11:02 AM   #1226
hassmaschine
Major General
United_States
3966
Rep
7,215
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

Quote:
Originally Posted by Terraphantm View Post
Should be doable if we can identify the public key (which isn't that hard). Right now I've got my PC chugging away at the MS45 since that's more useful to me. Can probably do the AT afterwards.

Or really, anyone else who has a half-way decent PC (i7 w/ at least 4 cores) can probably factor it in 1-2 weeks.
Yeah, it's 512-bit for sure, this is the signature:

Code:
00 00 00 10 
C0 C3 90 7A 39 49 58 3E 2B 66 A2 B3 A0 DD 4A 0F
B9 3C 36 92 6F 06 70 8B 09 10 B7 45 53 88 24 55
DD 41 34 3F E6 97 93 04 A9 93 25 7D F9 E1 D6 22
05 C2 B8 29 C0 18 E6 8B 02 08 D5 F9 79 55 47 81
I guess these are the public keys/factors?

Code:
00 00 00 10 74 71 D0 01  8E 90 A7 1A 84 74 88 1C
AE 7E 57 07 03 1C AE 8C  91 51 7B EC D8 A8 BC E0
ED 17 9C 7A 8D 59 90 8E  CF 05 7F 67 75 88 3C CD
A8 6B 5F 1E 8B 27 CC 1B  7F AD 72 E8 E0 6E C2 36
A2 E2 46 E7 00 00 00 00  00 00 00 01 00 00 00 07
00 00 00 10 2D AB F6 B1  D9 0F 7F DF E3 7F FB 8B
6A E2 70 CE 79 FE B5 BC  E3 40 D8 BC C2 CE 16 B1
4E C2 9D 51 69 70 B0 23  15 3D 04 CE 76 55 96 01
B4 B2 8C 87 B5 90 E7 94  61 58 06 4A 9D 03 C9 25
A1 F4 DF 76 00 00 00 00  00 00 00 01 00 00 00 07
00 00 00 10 8D 6C 9F D3  99 63 86 34 27 25 34 2F
27 5D 72 1C F9 D4 30 44  4A FB A9 69 17 9A 3E 53
04 9C C0 CF B1 F8 FE 9E  2B D6 A0 B3 3F A8 DC 49
4C 9D B6 60 11 79 3E 3D  43 D6 D2 DF 36 29 0C 4B
9C C0 D7 D5 00 00 00 00  00 00 00 01 00 00 00 07
00 00 00 10 94 62 6F B3  3F 39 C2 DB 78 DA 3E 0B
44 76 FC 60 23 D2 6E 0B  87 67 60 AB 48 B2 1C 2D
5B A0 AD A2 BE F6 30 F6  AA 84 7B 00 1F 48 50 A3
3C 62 50 55 60 D0 F7 A6  EF 83 85 16 AD 5D DF 39
9B D7 45 76 00 00 00 00  00 00 00 01 00 00 00 07
      12-28-2016, 11:04 AM   #1227
hassmaschine
Major General
United_States
3966
Rep
7,215
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

Quote:
Originally Posted by hobbit382 View Post
Also, is the RSA key different for MSV80? If it's not, couldn't we simply extract it from BB flash?
I'd guess it's the same, but who knows.
      12-28-2016, 11:17 AM   #1228
Terraphantm
Captain
253
Rep
775
Posts

Drives: E46 M3 Coupe
Join Date: Apr 2009
Location: N/A

iTrader: (1)

Quote:
Originally Posted by hobbit382 View Post
Nice work!!! What have you been using to brute force the 512-bit key?
I'm using GGNFS/Msieve. This should be enough to get started: http://gilchrist.ca/jeff/factoring/n...ers_guide.html

There are some newer/faster libraries than what he links to on that page out there.

Quote:
Originally Posted by hobbit382 View Post
Also, is the RSA key different for MSV80? If it's not, couldn't we simply extract it from BB flash?
It is different. Public keys for most of the newer modules can be retrieved from the 0PA files.

Quote:
Originally Posted by hassmaschine View Post
Yeah, it's 512-bit for sure, this is the signature:

Code:
00 00 00 10 
C0 C3 90 7A 39 49 58 3E 2B 66 A2 B3 A0 DD 4A 0F
B9 3C 36 92 6F 06 70 8B 09 10 B7 45 53 88 24 55
DD 41 34 3F E6 97 93 04 A9 93 25 7D F9 E1 D6 22
05 C2 B8 29 C0 18 E6 8B 02 08 D5 F9 79 55 47 81
I guess these are the public keys/factors?

Code:
00 00 00 10 74 71 D0 01  8E 90 A7 1A 84 74 88 1C
AE 7E 57 07 03 1C AE 8C  91 51 7B EC D8 A8 BC E0
ED 17 9C 7A 8D 59 90 8E  CF 05 7F 67 75 88 3C CD
A8 6B 5F 1E 8B 27 CC 1B  7F AD 72 E8 E0 6E C2 36
A2 E2 46 E7 00 00 00 00  00 00 00 01 00 00 00 07
00 00 00 10 2D AB F6 B1  D9 0F 7F DF E3 7F FB 8B
6A E2 70 CE 79 FE B5 BC  E3 40 D8 BC C2 CE 16 B1
4E C2 9D 51 69 70 B0 23  15 3D 04 CE 76 55 96 01
B4 B2 8C 87 B5 90 E7 94  61 58 06 4A 9D 03 C9 25
A1 F4 DF 76 00 00 00 00  00 00 00 01 00 00 00 07
00 00 00 10 8D 6C 9F D3  99 63 86 34 27 25 34 2F
27 5D 72 1C F9 D4 30 44  4A FB A9 69 17 9A 3E 53
04 9C C0 CF B1 F8 FE 9E  2B D6 A0 B3 3F A8 DC 49
4C 9D B6 60 11 79 3E 3D  43 D6 D2 DF 36 29 0C 4B
9C C0 D7 D5 00 00 00 00  00 00 00 01 00 00 00 07
00 00 00 10 94 62 6F B3  3F 39 C2 DB 78 DA 3E 0B
44 76 FC 60 23 D2 6E 0B  87 67 60 AB 48 B2 1C 2D
5B A0 AD A2 BE F6 30 F6  AA 84 7B 00 1F 48 50 A3
3C 62 50 55 60 D0 F7 A6  EF 83 85 16 AD 5D DF 39
9B D7 45 76 00 00 00 00  00 00 00 01 00 00 00 07
That last one is 4 different keys. I've formatted it below:
Code:
00 00 00 10 74 71 D0 01  8E 90 A7 1A 84 74 88 1C
AE 7E 57 07 03 1C AE 8C  91 51 7B EC D8 A8 BC E0
ED 17 9C 7A 8D 59 90 8E  CF 05 7F 67 75 88 3C CD
A8 6B 5F 1E 8B 27 CC 1B  7F AD 72 E8 E0 6E C2 36
A2 E2 46 E7 00 00 00 00  00 00 00 01 00 00 00 07

00 00 00 10 2D AB F6 B1  D9 0F 7F DF E3 7F FB 8B
6A E2 70 CE 79 FE B5 BC  E3 40 D8 BC C2 CE 16 B1
4E C2 9D 51 69 70 B0 23  15 3D 04 CE 76 55 96 01
B4 B2 8C 87 B5 90 E7 94  61 58 06 4A 9D 03 C9 25
A1 F4 DF 76 00 00 00 00  00 00 00 01 00 00 00 07


00 00 00 10 8D 6C 9F D3  99 63 86 34 27 25 34 2F
27 5D 72 1C F9 D4 30 44  4A FB A9 69 17 9A 3E 53
04 9C C0 CF B1 F8 FE 9E  2B D6 A0 B3 3F A8 DC 49
4C 9D B6 60 11 79 3E 3D  43 D6 D2 DF 36 29 0C 4B
9C C0 D7 D5 00 00 00 00  00 00 00 01 00 00 00 07


00 00 00 10 94 62 6F B3  3F 39 C2 DB 78 DA 3E 0B
44 76 FC 60 23 D2 6E 0B  87 67 60 AB 48 B2 1C 2D
5B A0 AD A2 BE F6 30 F6  AA 84 7B 00 1F 48 50 A3
3C 62 50 55 60 D0 F7 A6  EF 83 85 16 AD 5D DF 39
9B D7 45 76 00 00 00 00  00 00 00 01 00 00 00 07
The last one I believe is for verifying the tune/program. The other 3 seem to be for different levels of communication authentication.

That "00 00 00 07" is the public exponent.

To verify a signature, formula is:
(sig ^ e) mod n

Where sig is the signature, e is the public exponent (7 in this case; 3 on some DMEs), and n is the public key. Result should be a non-padded MD5 (at least it has been on the 3 modules I checked)

And remember, they're stored backwards. So that last key would be 9BD74576 AD5DDF39... 94626FB3
      12-28-2016, 11:27 AM   #1229
hassmaschine
Major General
United_States
3966
Rep
7,215
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

Yeah, looks like the BBflash software has the key somehow:



I'm not familiar with .NET programming - it could be in another DLL or it could be in this one, I'm not really sure, but it must be there. On the DME, I would just search for 00 00 00 20 until I found it but that probably won't work here.
      12-28-2016, 11:33 AM   #1230
Terraphantm
Captain
253
Rep
775
Posts

Drives: E46 M3 Coupe
Join Date: Apr 2009
Location: N/A

iTrader: (1)

Quote:
Originally Posted by hassmaschine View Post
Yeah, looks like the BBflash software has the key somehow:



I'm not familiar with .NET programming - it could be in another DLL or it could be in this one, I'm not really sure, but it must be there. On the DME, I would just search for 00 00 00 20 until I found it but that probably won't work here.
Well. The RSA sign formula is:

(hash ^ d) mod n

So assuming they don't just generate d and n on the fly from the factors, the public key should be stored somewhere, and hopefully the private key is somewhere nearby.
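The verify formula in post #1228 ((sig ^ e) mod n against an unpadded MD5, with key and signature stored last-DWORD-first) and the sign formula in post #1230 ((hash ^ d) mod n), worked through as one added example. This is not code from the thread or from BMW's tooling. It assumes: the key record layout read off the dump above (word count, modulus, then a zero DWORD, a DWORD taken here to be the exponent's word count, and the exponent); a big-endian MD5 digest as the signed value (the post says the real modules byte-flip and reverse it, which is not reproduced here); and a toy 512-bit keypair generated inside the script, since no private key is on the page. The fourth key record quoted above is parsed only to show the word-reversal, and the expected top word 9BD74576 is the one post #1228 states.

```python
# Added example, not code from the thread or from BMW's tools: textbook RSA
# sign/verify in the layout the posts describe (512-bit modulus, public
# exponent 7, an unpadded MD5 digest as the signed value, signature and
# modulus stored as 32-bit words in reverse order). Standard library only.
import hashlib
import random
import struct
from math import gcd

WORD = 4  # bytes per DWORD


def words_reversed(data: bytes) -> bytes:
    """Reverse the order of 32-bit words; each word keeps its own byte order."""
    if len(data) % WORD:
        raise ValueError("length must be a multiple of 4")
    return b"".join(data[i:i + WORD] for i in range(len(data) - WORD, -1, -WORD))


def stored_to_int(blob: bytes) -> int:
    """Word-reversed storage form (last DWORD first) -> integer."""
    return int.from_bytes(words_reversed(blob), "big")


def int_to_stored(value: int, size: int) -> bytes:
    """Integer -> word-reversed storage form of `size` bytes."""
    return words_reversed(value.to_bytes(size, "big"))


def parse_key_record(rec: bytes):
    """Assumed record layout, read off the dump in the thread: DWORD word count
    (0x10 = 16 words = 512 bits), the modulus, then DWORD 0, DWORD 1 (taken
    here to be the exponent's word count) and the DWORD public exponent."""
    (nwords,) = struct.unpack(">I", rec[:4])
    n_end = 4 + nwords * WORD
    _zero, _ewords, e = struct.unpack(">III", rec[n_end:n_end + 12])
    return stored_to_int(rec[4:n_end]), e, nwords * 32


# The fourth key record quoted in the thread (public data from the dump).
KEY_RECORD_FROM_THREAD = bytes.fromhex(
    "00000010 94626FB3 3F39C2DB 78DA3E0B 4476FC60 23D26E0B 876760AB 48B21C2D "
    "5BA0ADA2 BEF630F6 AA847B00 1F4850A3 3C625055 60D0F7A6 EF838516 AD5DDF39 "
    "9BD74576 00000000 00000001 00000007")


def is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin; fine for a demo key, not for production key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top and low bits set
        if is_probable_prime(c, rng):
            return c


def make_keypair(bits: int = 512, e: int = 7, seed: int = 2016):
    """Toy keypair for the demo; the thread's private keys are not known."""
    rng = random.Random(seed)
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1 and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)


def md5_as_int(data: bytes) -> int:
    """Unpadded: the raw 16-byte MD5 is the whole signed value. Big-endian is
    assumed here; the post says the real modules byte-flip and reverse it."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def sign(data: bytes, n: int, d: int) -> bytes:
    """(hash ^ d) mod n, returned in word-reversed storage form."""
    return int_to_stored(pow(md5_as_int(data), d, n), (n.bit_length() + 7) // 8)


def verify(data: bytes, sig_stored: bytes, n: int, e: int) -> bool:
    """(sig ^ e) mod n must equal the unpadded digest of the data."""
    return pow(stored_to_int(sig_stored), e, n) == md5_as_int(data)


def demo() -> dict:
    n, e, d = make_keypair()
    image = b"constructed calibration image, not a real DME file"  # constructed
    sig = sign(image, n, d)
    tampered = bytes([image[0] ^ 1]) + image[1:]
    thread_n, thread_e, thread_bits = parse_key_record(KEY_RECORD_FROM_THREAD)
    return {"bits": n.bit_length(), "ok": verify(image, sig, n, e),
            "tampered_ok": verify(tampered, sig, n, e),
            "thread_key_bits": thread_bits, "thread_key_e": thread_e,
            "thread_key_top_word": f"{thread_n >> (thread_bits - 32):08X}"}
```

Running `demo()` signs a constructed image with the toy key, verifies it, shows that a one-bit change to the image fails verification, and reports the parsed thread key as 512 bits with exponent 7 and top word 9BD74576. From a verification standpoint the two things worth noting are that a 512-bit modulus and an unpadded MD5 are both far below current guidance for signing firmware, and that a checker has to mirror the word-reversed storage exactly or every valid signature will look invalid, which is the trouble post #1220 describes.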
      12-28-2016, 11:35 AM   #1231
hassmaschine
Major General
United_States
3966
Rep
7,215
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

Would have to study it some more - I got lucky, actually, because this was the first (and only) DLL I ran through and it was right there. .NET sure disassembles a lot easier than an embedded file - IDA detected everything, I just clicked "OK". lol
      12-28-2016, 11:44 AM   #1232
hobbit382
New Member
0
Rep
12
Posts

Drives: ...
Join Date: Oct 2006
Location: Phoenix,AZ

iTrader: (0)

So are we thinking it is the same?