BMW 3-Series (E90 E92) Forum > I cloned my MSV70 DME
12-24-2016, 09:33 PM | #1211 | Major General | 3966 Rep | 7,215 Posts
Interesting - I remember making comments on those trt comparison branches; I don't think I had made the connection since figuring out the RSA bytes.
But either way, you have to flash it to change those bytes, so why not just change the parameters instead of all the work in NCS Expert?
12-24-2016, 09:40 PM | #1212 | Captain | 253 Rep | 775 Posts
12-24-2016, 10:57 PM | #1213 | Captain | 253 Rep | 775 Posts
And I have found powerclass in the serial EEPROM.
I'm guessing the C669/2410 is a checksum (CRC16?). The 00/02 is the powerclass. And I'd be willing to bet that the 03 immediately before is the vmax config. And heh, the last 7 digits of my M3's VIN ended up in that serial EEPROM. Guess NCS writes that too.
12-24-2016, 11:01 PM | #1215 | Captain | 253 Rep | 775 Posts
But we're able to flash arbitrary 0PAs thanks to the parameter RSA trick. So change the branch condition to always go to the "good" path, flash that 0PA, change your powerclass (and whatever else), then flash to a stock 330i tune or whatever (and don't forget to change the powerclass in the CAS if in a BN2000 car).
Last edited by Terraphantm; 12-24-2016 at 11:08 PM.
12-25-2016, 12:25 AM | #1217 | Captain | 253 Rep | 775 Posts
Worth noting that in this case I did *not* have any junk left over at 0x60000, so it seems like the 0x60000 -> 0x20000 copy isn't dependent on the RSA pointers.
12-25-2016, 01:30 AM | #1218 | Colonel | 996 Rep | 2,287 Posts
Did you have the Update bootsector activated?
12-25-2016, 03:57 PM | #1220 | Captain | 253 Rep | 775 Posts
In other news, I finally figured out why I was having so much trouble verifying RSA signatures. Turns out, BMW stores the signatures and public keys backwards: the last DWORD actually comes first. The hash is simply byte-flipped and reversed MD5. They don't bother padding it.
Now I should be able to factor the MS45 key, and any other 512-bit key BMW has. So in 1-2 weeks, I should be able to sign any MS45 binary.
12-25-2016, 04:19 PM | #1221 | Colonel | 996 Rep | 2,287 Posts
I took another crack at this today. The idea was to install a good calibration file at 0x60000 through a 0da file with a 0x20000 byte offset, then try flashing a custom file with the calibration pointers at the good calibration file parked at 0x60000.
The first of these flashes failed hard: ECU dead to EDIABAS. BDM read-back shows the new calibration file placed right where I wanted it at 0x60000, but all of the flash data at 0x80000 and above was wiped to FF, plus the microprocessor file was completely wiped to FFs. EEPROM seems to be unchanged except 10 bytes at 0x87A. I simply changed the 0da file extended data references from :02000004008476 to :020000040006F4. The 86 reference yielded a memory violation error, so I went with the 06. Yes, there is a line in the middle of the 0PA file, 40085; I swapped that to 40007. While this was a fail, hopefully it will give us some insight into the flashing process.
Edit: The ECU is not totally dead; I get ECU Ident and UIF, but I can't flash a new program at all.
12-25-2016, 08:40 PM | #1222 | Major General | 3966 Rep | 7,215 Posts
12-25-2016, 08:47 PM | #1223 | Captain | 253 Rep | 775 Posts
Should be doable if we can identify the public key (which isn't that hard). Right now I've got my PC chugging away at the MS45 since that's more useful to me. Can probably do the AT afterwards.
Or really, anyone else who has a half-way decent PC (i7 w/ at least 4 cores) can probably factor it in 1-2 weeks.
Last edited by Terraphantm; 12-25-2016 at 09:48 PM.
12-28-2016, 10:49 AM | #1224 | New Member | 0 Rep | 12 Posts
12-28-2016, 11:02 AM | #1226 | Major General | 3966 Rep | 7,215 Posts
Quote:
Code:
00 00 00 10 C0 C3 90 7A 39 49 58 3E 2B 66 A2 B3 A0 DD 4A 0F B9 3C 36 92 6F 06 70 8B 09 10 B7 45 53 88 24 55 DD 41 34 3F E6 97 93 04 A9 93 25 7D F9 E1 D6 22 05 C2 B8 29 C0 18 E6 8B 02 08 D5 F9 79 55 47 81
Code:
00 00 00 10 74 71 D0 01 8E 90 A7 1A 84 74 88 1C AE 7E 57 07 03 1C AE 8C 91 51 7B EC D8 A8 BC E0 ED 17 9C 7A 8D 59 90 8E CF 05 7F 67 75 88 3C CD A8 6B 5F 1E 8B 27 CC 1B 7F AD 72 E8 E0 6E C2 36 A2 E2 46 E7 00 00 00 00 00 00 00 01 00 00 00 07
00 00 00 10 2D AB F6 B1 D9 0F 7F DF E3 7F FB 8B 6A E2 70 CE 79 FE B5 BC E3 40 D8 BC C2 CE 16 B1 4E C2 9D 51 69 70 B0 23 15 3D 04 CE 76 55 96 01 B4 B2 8C 87 B5 90 E7 94 61 58 06 4A 9D 03 C9 25 A1 F4 DF 76 00 00 00 00 00 00 00 01 00 00 00 07
00 00 00 10 8D 6C 9F D3 99 63 86 34 27 25 34 2F 27 5D 72 1C F9 D4 30 44 4A FB A9 69 17 9A 3E 53 04 9C C0 CF B1 F8 FE 9E 2B D6 A0 B3 3F A8 DC 49 4C 9D B6 60 11 79 3E 3D 43 D6 D2 DF 36 29 0C 4B 9C C0 D7 D5 00 00 00 00 00 00 00 01 00 00 00 07
00 00 00 10 94 62 6F B3 3F 39 C2 DB 78 DA 3E 0B 44 76 FC 60 23 D2 6E 0B 87 67 60 AB 48 B2 1C 2D 5B A0 AD A2 BE F6 30 F6 AA 84 7B 00 1F 48 50 A3 3C 62 50 55 60 D0 F7 A6 EF 83 85 16 AD 5D DF 39 9B D7 45 76 00 00 00 00 00 00 00 01 00 00 00 07
12-28-2016, 11:04 AM | #1227 | Major General | 3966 Rep | 7,215 Posts
12-28-2016, 11:17 AM | #1228 | Captain | 253 Rep | 775 Posts
There are some newer/faster libraries than what he links to on that page out there.
Quote:
Code:
00 00 00 10 74 71 D0 01 8E 90 A7 1A 84 74 88 1C AE 7E 57 07 03 1C AE 8C 91 51 7B EC D8 A8 BC E0 ED 17 9C 7A 8D 59 90 8E CF 05 7F 67 75 88 3C CD A8 6B 5F 1E 8B 27 CC 1B 7F AD 72 E8 E0 6E C2 36 A2 E2 46 E7 00 00 00 00 00 00 00 01 00 00 00 07
00 00 00 10 2D AB F6 B1 D9 0F 7F DF E3 7F FB 8B 6A E2 70 CE 79 FE B5 BC E3 40 D8 BC C2 CE 16 B1 4E C2 9D 51 69 70 B0 23 15 3D 04 CE 76 55 96 01 B4 B2 8C 87 B5 90 E7 94 61 58 06 4A 9D 03 C9 25 A1 F4 DF 76 00 00 00 00 00 00 00 01 00 00 00 07
00 00 00 10 8D 6C 9F D3 99 63 86 34 27 25 34 2F 27 5D 72 1C F9 D4 30 44 4A FB A9 69 17 9A 3E 53 04 9C C0 CF B1 F8 FE 9E 2B D6 A0 B3 3F A8 DC 49 4C 9D B6 60 11 79 3E 3D 43 D6 D2 DF 36 29 0C 4B 9C C0 D7 D5 00 00 00 00 00 00 00 01 00 00 00 07
00 00 00 10 94 62 6F B3 3F 39 C2 DB 78 DA 3E 0B 44 76 FC 60 23 D2 6E 0B 87 67 60 AB 48 B2 1C 2D 5B A0 AD A2 BE F6 30 F6 AA 84 7B 00 1F 48 50 A3 3C 62 50 55 60 D0 F7 A6 EF 83 85 16 AD 5D DF 39 9B D7 45 76 00 00 00 00 00 00 00 01 00 00 00 07
That "00 00 00 07" is the public exponent. To verify a signature, the formula is (sig ^ e) mod n, where sig is the signature, e is the public exponent (7 in this case; 3 on some DMEs), and n is the public key. The result should be a non-padded MD5 (at least it has been on the 3 modules I checked). And remember, they're stored backwards. So that last key would be 9BD74576 AD5DDF39... 94626FB3
12-28-2016, 11:27 AM | #1229 | Major General | 3966 Rep | 7,215 Posts
Yeah, looks like the BBflash software has the key somehow:
I'm not familiar with .NET programming - it could be in another DLL or it could be in this one, I'm not really sure, but it must be there. On the DME, I would just search for 00 00 00 20 until I found it, but that probably won't work here.
12-28-2016, 11:33 AM | #1230 | Captain | 253 Rep | 775 Posts
(hash ^ d) mod n
So assuming they don't just generate d and n on the fly from the factors, the public key should be stored somewhere, and hopefully the private key is somewhere nearby.
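The check from #1228 ((sig ^ e) mod n against an unpadded MD5), the "last DWORD first" storage from #1220 and the signing side ((hash ^ d) mod n) from #1230, written out as an added Python example; it is not any poster's code or tooling. It assumes a key block laid out as a DWORD count followed by the modulus DWORDs stored last-first, that the signature and the 16-byte digest are reversed the same way, and it uses a constructed toy key pair (two Mersenne primes) rather than a real DME key; only the key dump copied from #1226 is the thread's own data.

```python
# Added worked example, not the posters' tooling. Assumed layout: a key block is
# [DWORD count][modulus DWORDs stored last-first]; signature and the unpadded
# MD5 digest use the same DWORD reversal. The toy key is constructed.
import hashlib

E = 7                                  # public exponent seen in the dumps
P, Q = (1 << 89) - 1, (1 << 107) - 1   # Mersenne primes M89, M107 (toy key)
N = P * Q
WORDS = 8                              # 256-bit toy modulus; real ones use 0x10
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, signing side only

def dword_reversed(raw: bytes) -> bytes:
    """Swap 'last DWORD first' storage to natural order; self-inverse."""
    return b"".join(raw[i:i + 4] for i in range(len(raw) - 4, -1, -4))

def parse_key_block(block: bytes) -> int:
    """[count][count DWORDs of modulus, backwards] -> modulus as an int."""
    count = int.from_bytes(block[:4], "big")
    return int.from_bytes(dword_reversed(block[4:4 + 4 * count]), "big")

def encode_key_block(n: int, words: int) -> bytes:
    return words.to_bytes(4, "big") + dword_reversed(n.to_bytes(4 * words, "big"))

def stored_digest(data: bytes) -> bytes:
    """Unpadded MD5, laid out with the same DWORD reversal (assumption)."""
    return dword_reversed(hashlib.md5(data).digest())

def sign(data: bytes, d: int, n: int, words: int) -> bytes:
    """(hash ^ d) mod n from #1230, written out backwards like the key."""
    h = int.from_bytes(stored_digest(data), "big")
    return dword_reversed(pow(h, d, n).to_bytes(4 * words, "big"))

def verify(data: bytes, sig_block: bytes, key_block: bytes, e: int = E) -> bool:
    """(sig ^ e) mod n from #1228: digest in the low bytes, zeros above it."""
    words = int.from_bytes(key_block[:4], "big")
    sig = int.from_bytes(dword_reversed(sig_block), "big")
    recovered = pow(sig, e, parse_key_block(key_block)).to_bytes(4 * words, "big")
    return recovered == bytes(4 * words - 16) + stored_digest(data)

# Fourth key from the dump in #1226, copied from the thread: the parser should
# put 9BD74576 on top, as #1228 says.
PAGE_KEY = bytes.fromhex(
    "00000010 94626FB3 3F39C2DB 78DA3E0B 4476FC60 23D26E0B 876760AB 48B21C2D"
    " 5BA0ADA2 BEF630F6 AA847B00 1F4850A3 3C625055 60D0F7A6 EF838516 AD5DDF39"
    " 9BD74576 00000000 00000001 00000007")

if __name__ == "__main__":
    msg = b"constructed calibration payload"
    print(verify(msg, sign(msg, D, N, WORDS), encode_key_block(N, WORDS)))  # True
    print(hex(parse_key_block(PAGE_KEY) >> 480))                            # 0x9bd74576
```

A flipped byte anywhere in the payload changes the recovered digest, so verify() returns False; the toy modulus is far too small for real use and exists only so the arithmetic runs offline.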
12-28-2016, 11:35 AM | #1231 | Major General | 3966 Rep | 7,215 Posts
Would have to study it some more - I got lucky, actually, because this was the first (and only) DLL I ran through and it was right there. .NET sure disassembles a lot easier than an embedded file - IDA detected everything, I just clicked "OK". lol