[Mik325tds]

Quote:

Originally Posted by DWR

So, Mik325tds is it your position that we should try to find the piece of code that controls this internal check and bypass it?

That would be the golden solution, but I'm afraid that this piece of code is included in the bootloader. If we don't get this right on the first try, we'd permanently brick the TCU that we try it on. Something like that is best tried on the bench where the TCU can be recovered through a BDM flasher.

[Mik325tds]

Quote:

Originally Posted by gini

Hi Mik325tds,
thank you for your detailed explanation

I could reproduce 100% all what Winkfp does. It's already implemented in Dr.Gini B014.

My tests were performed on non important ECUs like PDC (cheap ones)
I locked this function since I don't have the possibility yet to perform deep tests and to certify there is no risk at all

If you want to give it a try, make sure Winkfp is installed and updated
Then you can get your ECU information from its ZUSB Number (Programing function remains locked for now)

I wouldn't mind verifying the flash capability of your tool, but if it does everything just like WinKFP, why would we not use WinKFP in the first place?

But here's a proof of concept proposal:
Attached is my lightly modified A7610591.0da - would you (or Dave) be able to correct the checksum and RSA signature and send back the 0da file? I'd then try flashing it either with Dr.Gini or WinKFP and let everyone know if it worked.

[DWR]

Quote:

Originally Posted by Mik325tds

That would be the golden solution, but I'm afraid that this piece of code is included in the bootloader. If we don't get this right on the first try, we'd permanently brick the TCU that we try it on. Something like that is best tried on the bench where the TCU can be recovered through a BDM flasher.

Ouch! I remember you saying that before.

I'm trying to remember who said they had access to a BDM flasher. And then a spare TCU.

Is there a silver solution?

[Mik325tds]

Quote:

Originally Posted by DWR

Ouch! I remember you saying that before.

I'm trying to remember who said they had access to a BDM flasher. And then a spare TCU.

Is there a silver solution?

Haha, yes the silver solution would be to correct the RSA manually by Dave/Gini every time someone wants to change a cal. But I'd think that would get pretty annoying for them unless it's somehow automated.

[DWR]

Quote:

Originally Posted by Mik325tds

Haha, yes the silver solution would be to correct the RSA manually by Dave/Gini every time someone wants to change a cal. But I'd think that would get pretty annoying for them unless it's somehow automated.

Lol, how about automated is silver and manual is honorable mention.

[gini]

Quote:

Originally Posted by Mik325tds

I wouldn't mind verifying the flash capability of your tool, but if it does everything just like WinKFP, why would we not use WinKFP in the first place?

Hi Mik325tds,
programing is not activated in Dr.Gini since it's not fully tested (eg. never tested with CAS, DME, EGS, and many other expensive ECUs)

If I reproduced what Winkfp does, it's only to fully understand what Winkfp does during the programing process. This allows me to eventually modify this process if necessary since WinKfp is not updated anymore

WinKfp remains the safest and most reliable flashing tool for OBD programing

Quote:

Originally Posted by Mik325tds

But here's a proof of concept proposal:
Attached is my lightly modified A7610591.0da - would you (or Dave) be able to correct the checksum and RSA signature and send back the 0da file? I'd then try flashing it either with Dr.Gini or WinKFP and let everyone know if it worked.

The checksums in your modified Data file have been already corrected...

For the RSA signature, sorry I can't help
What I can do is the ECU authentication only

[dave205t]

New TCU_flash version (0.5.0):

* detects TCU type and dumps sections accordingly full dump on 6HP19(TU), some sim on 6HP26/32(TU)
* more descriptive file naming of saved binary as per detected TCU type, hardware nr.

Best regards, Dave

[335dsleeper]

Quote:

Originally Posted by DWR

Ouch! I remember you saying that before.

I'm trying to remember who said they had access to a BDM flasher. And then a spare TCU.

Is there a silver solution?

I have a spare TCU. PM if needed.

[winnepooh]

Quote:

Originally Posted by Mik325tds

Very interesting. Thanks! I assume that was a wide open throttle pull?
When you get a chance this weekend, would you mind doing a 30% and/or 40% throttle pull with these variables logged in TestO?
STAT_ABTRIEBSDREHZAHL_WERT
STAT_MOTORDREHZAHL_WERT
STAT_MOTORISTMOMEMENT_WERT
STAT_TURBINENDREHZAHL_WERT
STAT_FAHRPEDALWINKEL_WERT
STAT_ISTGANG_WERT
STAT_SA_WERT
STAT_WK_WERT

Hello,

had some time to make 2 logs.

Didn´t find STAT_SA_WERT.
I tired to make a custom job in Testo but it always crashed.

What value ist STAT_SA-WERT?



Perhaps a way to go around the RSA signature problem:
http://www.ecuconnections.com/forum/...hp?f=2&t=28994

Perhaps the RSA check routine is a part of the 0pa-file?

Winnepooh

[DWR]

Quote:

Originally Posted by 335dsleeper

I have a spare TCU. PM if needed.

Good man. Let you know when we get the BDM in place. Thank you very much.

[gini]

Reading speed improved a bit...

approx: 1 791 bytes/sec

[DWR]

Thought I would post pooh's 2nd log as a graph, as a favor to the community. Not sure what we are looking for?

[Mik325tds]

Quote:

Originally Posted by winnepooh

Hello,

had some time to make 2 logs.

Didn´t find STAT_SA_WERT.
I tired to make a custom job in Testo but it always crashed.

What value ist STAT_SA-WERT?

No problem. The STAT_SA_WERT is not that important. We think it is the internal status machine that triggers the shifts. Since you have the actual gear position, the SA_WERT is redundant info.

Quote:

Originally Posted by winnepooh

Perhaps a way to go around the RSA signature problem:
http://www.ecuconnections.com/forum/...hp?f=2&t=28994

Perhaps the RSA check routine is a part of the 0pa-file?

Winnepooh

Good find on the ecuconnections forum. I actually posted there but no one responded. I guess we can try finding the pattern they've been talking about and replacing it with "no operation" commands, but that brings us back to the problem of tampering with the boot-loader of the TCU which is really dangerous if you only have one shot. We'll pursue this once I get hold of that spare TCU from 335dsleeper.

[Mik325tds]

Quote:

Originally Posted by DWR

Thought I would post pooh's 2nd log as a graph, as a favor to the community. Not sure what we are looking for?
Attachment 1414634

Thanks for visualizing the data DWR. Is this the first or second file? Can you please put in the throttle as well. However, it looks like the Alpina shifts similar to ours in the first two gears. It looks the TC on the shift to 3rd gear and leaves it open in 1st and second. Maybe it delivers a little bit more torque in first and second though.

[dave205t]

Quote:

Originally Posted by Mik325tds

Good find on the ecuconnections forum. I actually posted there but no one responded. I guess we can try finding the pattern they've been talking about and replacing it with "no operation" commands, but that brings us back to the problem of tampering with the boot-loader of the TCU which is really dangerous if you only have one shot. We'll pursue this once I get hold of that spare TCU from 335dsleeper.

Even if you manage to find the such a pattern (which i can assure you does not exist in TCU), you'll wont be able to change the code, as its compressed; but lets assume code changing succeeds you'll still have to to correct the other checksums.

[PD330]

Is it realy such a big deal to write a tool, which can correct checksums/rsa? I did not analyze the data yet, but when you can correct it manualy, what exactly is the problem to calculate them from a loaded file and write them automaticaly to the correct location in the file?

[ChrizLoud]

This is so exciting ☺️

[Mik325tds]

Quote:

Originally Posted by dave205t

Even if you manage to find the such a pattern (which i can assure you does not exist in TCU), you'll wont be able to change the code, as its compressed; but lets assume code changing succeeds you'll still have to to correct the other checksums.

I didn't know that bootloader was also compressed. Thanks for the clarification. Where you able to see if the bootloader also has a RSA signature? How many checksums are involved?

To the note above: If you're able to correct the files RSA signature on a binary level and gini is able to transform it back to a .0da/0pa - what is keeping us from doing that?

Maybe the spare TCU from 335dsleeper would do us more good in your hands?

[dave205t]

Quote:

Originally Posted by Mik325tds

I didn't know that bootloader was also compressed. Thanks for the clarification. Where you able to see if the bootloader also has a RSA signature? How many checksums are involved?

There are a total of 19 checksums in the TCU bins (various types), excluding the two RSA's. The bootloader is indeed also covered by the application RSA.

Quote:

Originally Posted by Mik325tds

To the note above: If you're able to correct the files RSA signature on a binary level and gini is able to transform it back to a .0da/0pa - what is keeping us from doing that?

The sections that need to be rewritten are normally not in 0pa/0da, im not sure it will work on the first try and might be hard to recover after that.

Quote:

Originally Posted by Mik325tds

Maybe the spare TCU from 335dsleeper would do us more good in your hands?

A TCU to test on, assuming i can somehow disassemble it to get to the electronics to BDM read it would speed things up considerably (would rather try it on a otherwise broken one, mechanical wise) i have a BDM programmer.

Best regards, Dave

[DWR]

OK, so if 335dsleeper can send the TCU to Dave in the the Netherlands, I assume some of us here will split the tab for postage? Don't know the best way to do that, but I'm in.

[CvilleBill]

I'll chip in.

[_TB_]

So will I.