E90Post: BMW 3-Series (E90 E92) Forum, N57 / M57 Turbo Diesel Discussions - 335d

Transmission remap - Let's do it ourselves

      06-28-2015, 06:46 PM   #221
DWR
Banned
798
Rep
1,630
Posts

Drives: 2009 335d
Join Date: Oct 2014
Location: Maine

iTrader: (0)

Nice work Mik325tds! Given synchronicity issues I often see in datalogging, that looks like a good fit.

We are still making progress!

Last edited by DWR; 06-28-2015 at 07:04 PM..
Appreciate 0
      06-28-2015, 08:51 PM   #222
DWR

Quote:
Originally Posted by Mik325tds View Post
I'm starting to think that Stat_SA is a Status in a State machine that handles up and downshifts. SA starts changing values before a change in gears happens and ends at the end of the gear change.
You are right Mik. If you log the text value of SA, it tells you the state (although I found one that is clearly misnamed). It is both shift transitions and steady state gear operation. My graph of SA value vs gear tells the same story. In some cases, these state changes happen fast enough to be missed in datalogging. That also means the OSS, mph and rpms at which these things happen can get out of sync. It's just a resolution thing. The way that is overcome is by the same means you just used - closest fit. More data doesn't hurt either.
Appreciate 0
      06-29-2015, 06:14 PM   #223
Mik325tds
Major
Mik325tds's Avatar
United_States
807
Rep
1,191
Posts

Drives: 335d M-Sport
Join Date: Jul 2014
Location: Greater Detroit

iTrader: (0)

Uh. Another heart rate elevation tonight. May have even skipped a few beats...
Tried flashing a modified cal file with updated checksum by NCSdummy:
Attached Images
 
Appreciate 1
      06-29-2015, 06:18 PM   #224
Mik325tds

Boy was I glad to see this when I tried going back to the original cal:
Attached Images
 

Last edited by Mik325tds; 06-30-2015 at 07:22 AM..
Appreciate 1
      06-29-2015, 07:52 PM   #225
DWR

Quote:
Originally Posted by Mik325tds View Post
Boy was I happy to see this when I tried going back to the original cal:
Oh, most brave one, I'm at the same time envious of your tremendous cojones and ever glad we have split the chores of this endeavor in a most appropriate manner.

So, I guess we still need to figure out the Cyclic Redundancy Check?

In the meanwhile, I think I'll repeat the datalog experiment you did, with the stock cal file in my vehicle, and see if the map locations coincide with your results.

Good job, Mik.
Appreciate 0
      06-30-2015, 07:33 AM   #226
Mik325tds

Quote:
Originally Posted by DWR View Post
So, I guess we still need to figure out the Cyclic Redundancy Check?
It seems to be much worse than that. Reading up on NCSdummy, revtor writes that some of the flashfiles are digitally signed with an RSA signature which NCSdummy cannot fix.
Anyone with expertise on cryptology here?
Appreciate 0
      06-30-2015, 07:58 AM   #227
Mik325tds

Found something about a weakness in the RSA signatures:
Looks like with that we'd be able to extract the public key using two signed cal files and then would be able to sign the modded cal file ourselves.
Appreciate 0
      06-30-2015, 11:08 AM   #228
DWR

Quote:
Originally Posted by Mik325tds View Post
Found something about a weakness in the RSA signatures:
Looks like with that we'd be able to extract the public key using two signed cal files and then would be able to sign the modded cal file ourselves.
Looked over the attachment, got to love mathematics if you want to understand cryptography. Hopefully, the open source program will work. Is that your thought also?

Last edited by DWR; 06-30-2015 at 11:16 AM..
Appreciate 0
      06-30-2015, 01:37 PM   #229
Mik325tds

Quote:
Originally Posted by DWR View Post
Looked over the attachment, got to love mathematics if you want to understand cryptography. Hopefully, the open source program will work. Is that your thought also?
Which open source program?
From what I've been reading today, we'd have come to a full stop here. BMW uses an RSA asymmetric signature which means that with the public key you can authenticate (verify the correct signature) in the file but you need the secret key in order to sign the file.
Appreciate 0
      06-30-2015, 03:26 PM   #230
DWR

Quote:
Originally Posted by Mik325tds View Post
Which open source program?
From what I've been reading today, we'd have come to a full stop here. BMW uses an RSA asymmetric signature which means that with the public key you can authenticate (verify the correct signature) in the file but you need the secret key in order to sign the file.
I was referring to Yafu, but apparently that just finds public keys.

So, does that put a question mark on JA Tuning's flash box? Or are they in the know?
Appreciate 0
      06-30-2015, 04:54 PM   #231
DWR

So Mik, do you think it is worthwhile to look at the other available cal files and characterize their appropriateness?
Appreciate 1
      06-30-2015, 04:56 PM   #232
iaknown
Banned
427
Rep
1,036
Posts

Drives: 335D
Join Date: May 2013
Location: NJ

iTrader: (1)

Quote:
Originally Posted by DWR View Post
I was referring to Yafu, but apparently that just finds public keys.

So, does that put a question mark on JA Tuning's flash box? Or are they in the know?
You mean JFA or JR? Both sell a "flash box" and neither is actually the manufacturer of it. I can dig up the company if you need it.
Appreciate 0
      06-30-2015, 04:58 PM   #233
Mik325tds

Quote:
Originally Posted by DWR View Post
I was referring to Yafu, but apparently that just finds public keys.

So, does that put a question mark on JA Tuning's flash box? Or are they in the know?
I doubt that they have the secret key. I think they just replace the bootloader and then never check for signature again. In order to authenticate yourself for flashing the bootloader you just need to use the same seed/key authentication that WinKFP does.
But for us it seems to be end of the story.
Thank you for all the hard work. It's been a pleasure working with you and we have learned a lot.
Also thanks to the other contributors.
Appreciate 0
      06-30-2015, 05:35 PM   #234
iaknown

Quote:
Originally Posted by Mik325tds View Post
I doubt that they have the secret key. I think they just replace the bootloader and then never check for signature again. In order to authenticate yourself for flashing the bootloader you just need to use the same seed/key authentication that WinKFP does.
But for us it seems to be end of the story.
Thank you for all the hard work. It's been a pleasure working with you and we have learned a lot.
Also thanks to the other contributors.
I don't understand most of the technical mumbo jumbo in this thread, but if you had the ability to write your own "flashbox" (providing it's not a crock of BS) could you do the same thing they are? Perhaps the original manufacturer of the flashbox offers a way to custom program?
Appreciate 0
      06-30-2015, 05:56 PM   #235
Hoooper
Colonel
213
Rep
2,210
Posts

Drives: 335D
Join Date: Jun 2013
Location: Petaluma, CA

iTrader: (0)

I really don't know anything about the RSA signatures, but why does it change if you just change text in the file? I also don't get why an open file would have a digital signature at all.
Appreciate 0
      07-01-2015, 12:49 AM   #236
DWR

Quote:
Originally Posted by iaknown View Post
You mean JFA or JR? Both sell a "flash box" and neither is actually the manufacturer of it. I can dig up the company if you need it.
Oh, that might be good. Yes, please.
Appreciate 0
      07-01-2015, 12:56 AM   #237
DWR

Quote:
Originally Posted by Mik325tds View Post
I doubt that they have the secret key. I think they just replace the bootloader and then never check for signature again. In order to authenticate yourself for flashing the bootloader you just need to use the same seed/key authentication that WinKFP does.
But for us it seems to be end of the story.
Thank you for all the hard work. It's been a pleasure working with you and we have learned a lot.
Also thanks to the other contributors.
Why can't we do what they are doing? Why can't we just use the same seed/key authentication that WinKFP does?
Appreciate 0
      07-01-2015, 05:44 AM   #238
Mik325tds

Quote:
Originally Posted by Hoooper View Post
I really don't know anything about the RSA signatures, but why does it change if you just change text in the file? I also don't get why an open file would have a digital signature at all.
I was very surprised by that as well. From what I read so far, BMW creates a Hash value (fixed length) from all the data in the file and signs that hash value with their secret key using the RSA algorithm.
When the program or cal file is flashed, the bootloader checks the file by recalculating the Hash value and decrypting the signed hash value from the file using the public key stored in the bootloader. Those two hash values are then compared. If they match it's good to go, if they don't - stay in bootloader mode.
Appreciate 0
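
The hash-then-sign check described in the post above, and why a recomputed checksum alone does not satisfy it, as an added example (not code from the thread, from NCSdummy or from BMW). The toy key, CRC-32, SHA-256, unpadded RSA and the sample file contents are assumptions made for illustration; real verifiers use a padded signature scheme.

```python
import hashlib
import zlib

# Toy RSA key built from two Mersenne primes (constructed for this example;
# unsuitable for real use, but large enough to hold a SHA-256 digest).
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537                    # public key: stored in the bootloader
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: never leaves the vendor


def digest(data: bytes) -> int:
    """Fixed-length hash over all the data in the file, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def vendor_sign(data: bytes) -> dict:
    """Vendor side: attach a CRC and an RSA signature over the hash."""
    return {"data": data, "crc": zlib.crc32(data), "sig": pow(digest(data), D, N)}


def recompute_crc(image: dict, new_data: bytes) -> dict:
    """All that can be updated without the private key: the checksum."""
    return {"data": new_data, "crc": zlib.crc32(new_data), "sig": image["sig"]}


def bootloader_check(image: dict) -> str:
    """Bootloader side: needs only the public key (N, E)."""
    if zlib.crc32(image["data"]) != image["crc"]:
        return "reject: checksum"
    recovered = pow(image["sig"], E, N)  # signed hash, opened with public key
    if recovered != digest(image["data"]):
        return "reject: signature"       # i.e. stay in bootloader mode
    return "accept"


def demo() -> list:
    original = vendor_sign(b"CAL shift_map=stock")            # constructed sample
    corrupted = dict(original, data=b"CAL shift_map=stocl")   # stale CRC
    edited = recompute_crc(original, b"CAL shift_map=tuned")  # CRC matches again
    return [bootloader_check(i) for i in (original, corrupted, edited)]


if __name__ == "__main__":
    print(demo())
```

The CRC only detects accidental corruption because anyone can recompute it; the signature ties the file contents to a key the file's recipient does not hold.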
      07-01-2015, 05:52 AM   #239
Mik325tds

Quote:
Originally Posted by DWR View Post
Why can't we do what they are doing? Why can't we just use the same seed/key authentication that WinKFP does?
We could. The seed/key authentication is a different hurdle than the signature of the file though. The seed/key authentication only "unlocks" the ECU to start the flashing process. Once the new program or cal file is transferred, the bootloader then checks the signatures before it actually runs the new program.

The bootloader is a section in the ECU that usually doesn't get reflashed, but it is possible to be reflashed through a special configuration in WinKFP. The thing is: You need a new bootloader that doesn't check for the signature of the new program/cal file afterwards. Where are we going to get that from?
Appreciate 0
      07-02-2015, 10:42 PM   #240
DWR

NEWS FLASH ... working in the background. This effort isn't dead, yet.
Appreciate 0
      07-03-2015, 08:42 AM   #241
Mik325tds

Quote:
Originally Posted by iaknown View Post
I don't understand most of the technical mumbo jumbo in this thread, but if you had the ability to write your own "flashbox" (providing it's not a crock of BS) could you do the same thing they are? Perhaps the original manufacturer of the flashbox offers a way to custom program?
That could be an option. Maybe the original manufacturer of the flash box already knows how to replace the bootloader so it doesn't check for signatures anymore.
Appreciate 0
      07-04-2015, 04:45 PM   #242
Mik325tds

Alpina B3 cal

In a desperate attempt to try something we haven't confirmed yet, I substituted the Cal A7610591.0da with the Alpina file A7615836.0da from the GKE215 folder. The HW numbers are just one number apart 7591971A.0pa vs 7591972A.0pa and differ marginally.
It flashed ok and didn't complain about checksums or signatures...
... but it didn't shift out of Park either. And it had this awful message about transmission failure on the CIC.

At least we have confirmation now. Alpina B3 does not work for the 335d.
Appreciate 2

All times are GMT -5.