I cloned my MSV70 DME

hassmaschine · 01-02-2017, 03:59 PM

You have to flash the program first - its using the signature to pass validation.

Terraphantm · 01-02-2017, 04:08 PM

Quote:

Originally Posted by rjahl

OK I've tried this three times starting with a stock program and calibration file. All three times the calibration S7623586 file would flash but the program file fails with the typical Authorization error. However, If I flash a calibration file afterwards, it's accepted. Custom or Stock.

It that what was happening to you?

I was having trouble getting program writes to verify afterwards (stock or not). Seemed like my cable was dropping bytes or something. I do wonder if WinKFP doesn't handle 20 bytes per line as gracefully as 10 bytes per line.

I switched to D-CAN rather than K-line and that seemed to work better for me, though I had to switch to a non-Z4 calibration for D-CAN to work.

rjahl · 01-02-2017, 04:39 PM

Quote:

Originally Posted by hassmaschine

You have to flash the program first - its using the signature to pass validation.

I thought the redirect required the program file to have the same RSA hash as the valid calibration file. Therefor the calibration file that supplied the RSA hash spliced into the program file must be flashed first. Did I get that wrong?

Anyways , steps I took:

1. Flashed stock Z4 calibration file, then stock program files,
2. Tried to flash custom calibration file to insure stock boot sector was working. Custom calibration file failed to load
3. Flashed ODA file supplied, flashed OPA file with authorization warning
4. Tried to re flash supplied ODA files and it also provided authorization warning
5 Flashed custom OPA file successfully.
6 Flashed supplied ODA file successfully.
7 Flashed another custom ODA file successfully.

Repeated these steps three times with consistent results. Man I really like Fast baudrate.

I used INPA to validate the DME status and read out the redirect block to confirm that patch was in place.

You are clearly onto something but I think we still have a few things to learn about this process.

hassmaschine · 01-02-2017, 06:22 PM

Oh. That is true.

I haven't tested it yet.

Terraphantm · 01-03-2017, 02:16 AM

Quote:

Originally Posted by HiggsBoson

Maybe i could provide some XEON Server Cores.

How do you compute the keys? Is there some Linux progams that i could run?

I did it more or less following the guide here. I did it in Windows. Linux works too, but it's hard to find compiled binaries for every component. I think this is one of those rare cases where Windows is better, since people out there have compiled files with CPU-specific optimizations and written parts in assembly code.

HiggsBoson · 01-03-2017, 03:23 AM

Quote:

Originally Posted by Terraphantm

I did it more or less following the guide here. I did it in Windows. Linux works too, but it's hard to find compiled binaries for every component. I think this is one of those rare cases where Windows is better, since people out there have compiled files with CPU-specific optimizations and written parts in assembly code.

I will look into it.

edit: just got GGNFS and MSIEVE running on my linux box.
Could you pm me the key i should factor?

Terraphantm · 01-03-2017, 06:21 PM

Quote:

Originally Posted by HiggsBoson

I will look into it.

edit: just got GGNFS and MSIEVE running on my linux box.
Could you pm me the key i should factor?

Sent you a PM. What kind of hardware are you running out of curiosity?

HiggsBoson · 01-04-2017, 01:31 AM

Quote:

Originally Posted by Terraphantm

Sent you a PM. What kind of hardware are you running out of curiosity?

It is a HP ProLiant DL 380 G9 with 512GB RAM and 2 Intel Xeon E5-2640 and 10 Cores per Socket + Hyperthreading.

hassmaschine · 01-04-2017, 04:27 PM

step 1 of 99,999...

http://bcoder.westus.cloudapp.azure.com:8080/

it's slow, and literally does nothing but list the parameters - but I've been trying to do this for a year now, lol.

hassmaschine · 01-05-2017, 12:03 AM

wont really take a whole lot more to load a bin, view maps, spit out XDFs, etc.

I have databased built for MS45.0, MS45.1, MSD80, MSS60, MSS54 - and can add pretty much anything i have an A2l for. Right now only MSS70 and MSV70 are uploaded.

hassmaschine · 01-05-2017, 09:19 AM

So as I've been working on this app setup (so many things I had to learn - it's running on an Azure cloud machine, Ubuntu 16.04, Hypnotoad Perl server, etc) - one of the things I had to do was set up an RSA key for secure access to the server.

That got me thinking. Is there any reason we couldn't replace the public keys with our own? Then we could sign it with our own private key - since the 1024 bit key will never be factored anytime soon.

I think it just requires access to the AIF reason. I'm not sure there's any technical reason we can't write to there (0x30000-0x3FFFF) - WinKFP does it obviously. I think you would need to read the original data, erase the block, and then overwrite the whole thing. I don't think it's included in the RSA check, so you wouldn't need to pass signature verification until you wrote a new 0pa/0da, which would now be valid.

Anyway, not sure how feasible it would be, just thinking out loud.

Terraphantm · 01-05-2017, 09:56 AM

Quote:

Originally Posted by hassmaschine

So as I've been working on this app setup (so many things I had to learn - it's running on an Azure cloud machine, Ubuntu 16.04, Hypnotoad Perl server, etc) - one of the things I had to do was set up an RSA key for secure access to the server.

That got me thinking. Is there any reason we couldn't replace the public keys with our own? Then we could sign it with our own private key - since the 1024 bit key will never be factored anytime soon.

I think it just requires access to the AIF reason. I'm not sure there's any technical reason we can't write to there (0x30000-0x3FFFF) - WinKFP does it obviously. I think you would need to read the original data, erase the block, and then overwrite the whole thing. I don't think it's included in the RSA check, so you wouldn't need to pass signature verification until you wrote a new 0pa/0da, which would now be valid.

Anyway, not sure how feasible it would be, just thinking out loud.

Public key is in boot sector. And if you're overwriting the boot sector, you might as well bypass the check altogether.

It's at 0x22DF4

There are 3 512-bit keys located before that key. They appear to be for different levels secure access. I haven't disassembled far enough to figure out if the one WinKFP uses is the highest level of access.

hassmaschine · 01-06-2017, 02:56 PM

yeah, I wasn't thinking about that clearly - it's actually been a while since I've spent a lot of time in the disassembly.

BTW, I have confirmed - MSV70 will boot and run with an MSS70 full binary. The trick is you have to use Kline - I think the Dcan port is turned off (BN2000 is definitely disabled, but supported - meaning, you could swap an S54 into an E9x with MSS70 and run it like it was completely stock).

Helping somebody with a Z4 S54 swap - MSS70s are pretty rare though. They are obviously related, for example the PCB is the same layout - but MSS70 has fewer components (no valvetronic). I'll post some pics later.

BTW, since I doubt anyone knows what the links above are about - I've been working on a web based BMW tuning app for ages, but have always hit roadblocks with shared servers. Finally signed up for a cloud service (Microsoft Azure) and have a server up and running - just started coding it, so it doesn't do much yet. I have it reading maps, but it's slow and some features are missing (no signed values, no axises yet, etc). Need to spend a few days rebuilding the database so it will be fast enough to use, then I can start working on adding functionality.

Terraphantm · 01-06-2017, 04:10 PM

Cool. Are there any differences that you can see what would prevent an MSV70 from being used as an MSS70 if someone wanted to do a swap?

hassmaschine · 01-06-2017, 04:19 PM

Not sure. Most of the I/O is the same. But there are some pretty obvious differences - with MSS70 missing a lot of stuff that's on MSV70. So I guess the question is, does the MSV70 have everything an MSS70 does? Because if so, you could adapt it to any S54 - IMO, it's a bit superior to MSS54, although tuning it isn't very common since people didn't understand it and there were so few of them made.

Terraphantm · 01-06-2017, 04:23 PM

Wideband O2s would be nice for sure. MSS54 is so much easier to tune otherwise though - it is nice having a platform that's about as close to open source as it gets.

Terraphantm · 01-06-2017, 07:13 PM

Improved RSA Delete - no longer dependent on a valid 0da (it is dependent on your stock boot sector being untouched and up to date however).

https://www.dropbox.com/s/or8dvilyoq...No0DA.0pa?dl=0

Similar strategy should be doable to MSV80 (and looking at it, it's similar to what the BBFlash guys have done)

rjahl · 01-07-2017, 12:19 PM

Quote:

Originally Posted by Terraphantm

Improved RSA Delete - no longer dependent on a valid 0da (it is dependent on your stock boot sector being untouched and up to date however).

https://www.dropbox.com/s/or8dvilyoq...No0DA.0pa?dl=0

Similar strategy should be doable to MSV80 (and looking at it, it's similar to what the BBFlash guys have done)

Don't think your achievements have gone unnoticed!

Hassmachine as well. I have not had time to test the second version, but essentially everything someone needs to do their own MSV70 tuning can be found in this thread. Just need to read. Nothing is locked down or secret. Great work and thank you guys for sharing.

Now, if we can only find someone willing to appreveate this into DIY instructions. LOL

Terraphantm · 01-07-2017, 01:06 PM

So I got my MSV80 in - I think I've got a valid strategy for the RSA delete, but so far I haven't been able to get it to work. Probably just making a small typo somewhere or miscalculating an offset (I hate little endian).

Much more annoying to test the MSV80 since it doesn't support K-line as far as I can tell. And D-CAN is so much slower (which is odd, I thought D-CAN could do 500kbps instead of the 115.2 like the K-line)

Taskmaster · 01-07-2017, 02:43 PM

Question: basically the S54s MSS70 is similar to the MSV70, which is basically the same as the MSV80 - any advantage to using S54 parts on the N52, like...VVT adjusters? And the ECU now has perimeters to play with the increased range?

Terraphantm · 01-07-2017, 02:45 PM

Quote:

Originally Posted by TheAxiom

Question: basically the S54s MSS70 is similar to the MSV70, which is basically the same as the MSV80 - any advantage to using S54 parts on the N52, like...VVT adjusters? And the ECU now has perimeters to play with the increased range?

None of it would be remotely close to fitting onto an N52

Taskmaster · 01-07-2017, 02:50 PM

Quote:

Originally Posted by Terraphantm

None of it would be remotely close to fitting onto an N52

I was just pulling the details up...bummer.

01-02-2017, 03:59 PM	#1299
hassmaschine Major General 3987 Rep 7,212 Posts Drives: "NBO" 330i Join Date: Jun 2014 Location: earth iTrader: (0)	You have to flash the program first - its using the signature to pass validation.
	Appreciate 0 Quote

01-02-2017, 06:22 PM	#1302
hassmaschine Major General 3987 Rep 7,212 Posts Drives: "NBO" 330i Join Date: Jun 2014 Location: earth iTrader: (0)	Oh. That is true. I haven't tested it yet.
	Appreciate 0 Quote

01-04-2017, 04:27 PM	#1307
hassmaschine Major General 3987 Rep 7,212 Posts Drives: "NBO" 330i Join Date: Jun 2014 Location: earth iTrader: (0)	step 1 of 99,999... http://bcoder.westus.cloudapp.azure.com:8080/ it's slow, and literally does nothing but list the parameters - but I've been trying to do this for a year now, lol. Last edited by hassmaschine; 01-05-2017 at 01:33 PM..
	Appreciate 0 Quote

01-05-2017, 12:03 AM	#1308
hassmaschine Major General 3987 Rep 7,212 Posts Drives: "NBO" 330i Join Date: Jun 2014 Location: earth iTrader: (0)	wont really take a whole lot more to load a bin, view maps, spit out XDFs, etc. I have databased built for MS45.0, MS45.1, MSD80, MSS60, MSS54 - and can add pretty much anything i have an A2l for. Right now only MSS70 and MSV70 are uploaded. Last edited by hassmaschine; 01-20-2017 at 01:00 AM..
	Appreciate 0 Quote

01-05-2017, 09:19 AM	#1309
hassmaschine Major General 3987 Rep 7,212 Posts Drives: "NBO" 330i Join Date: Jun 2014 Location: earth iTrader: (0)	So as I've been working on this app setup (so many things I had to learn - it's running on an Azure cloud machine, Ubuntu 16.04, Hypnotoad Perl server, etc) - one of the things I had to do was set up an RSA key for secure access to the server. That got me thinking. Is there any reason we couldn't replace the public keys with our own? Then we could sign it with our own private key - since the 1024 bit key will never be factored anytime soon. I think it just requires access to the AIF reason. I'm not sure there's any technical reason we can't write to there (0x30000-0x3FFFF) - WinKFP does it obviously. I think you would need to read the original data, erase the block, and then overwrite the whole thing. I don't think it's included in the RSA check, so you wouldn't need to pass signature verification until you wrote a new 0pa/0da, which would now be valid. Anyway, not sure how feasible it would be, just thinking out loud.
	Appreciate 0 Quote

01-06-2017, 02:56 PM	#1311
hassmaschine Major General 3987 Rep 7,212 Posts Drives: "NBO" 330i Join Date: Jun 2014 Location: earth iTrader: (0)	yeah, I wasn't thinking about that clearly - it's actually been a while since I've spent a lot of time in the disassembly. BTW, I have confirmed - MSV70 will boot and run with an MSS70 full binary. The trick is you have to use Kline - I think the Dcan port is turned off (BN2000 is definitely disabled, but supported - meaning, you could swap an S54 into an E9x with MSS70 and run it like it was completely stock). Helping somebody with a Z4 S54 swap - MSS70s are pretty rare though. They are obviously related, for example the PCB is the same layout - but MSS70 has fewer components (no valvetronic). I'll post some pics later. BTW, since I doubt anyone knows what the links above are about - I've been working on a web based BMW tuning app for ages, but have always hit roadblocks with shared servers. Finally signed up for a cloud service (Microsoft Azure) and have a server up and running - just started coding it, so it doesn't do much yet. I have it reading maps, but it's slow and some features are missing (no signed values, no axises yet, etc). Need to spend a few days rebuilding the database so it will be fast enough to use, then I can start working on adding functionality. Last edited by hassmaschine; 01-06-2017 at 03:02 PM..
	Appreciate 0 Quote

01-06-2017, 04:10 PM	#1312
Terraphantm Captain 253 Rep 775 Posts Drives: E46 M3 Coupe Join Date: Apr 2009 Location: N/A iTrader: (1)	Cool. Are there any differences that you can see what would prevent an MSV70 from being used as an MSS70 if someone wanted to do a swap?
	Appreciate 0 Quote

01-06-2017, 04:19 PM	#1313
hassmaschine Major General 3987 Rep 7,212 Posts Drives: "NBO" 330i Join Date: Jun 2014 Location: earth iTrader: (0)	Not sure. Most of the I/O is the same. But there are some pretty obvious differences - with MSS70 missing a lot of stuff that's on MSV70. So I guess the question is, does the MSV70 have everything an MSS70 does? Because if so, you could adapt it to any S54 - IMO, it's a bit superior to MSS54, although tuning it isn't very common since people didn't understand it and there were so few of them made.
	Appreciate 1 Taskmaster2475.50 Quote

01-06-2017, 04:23 PM	#1314
Terraphantm Captain 253 Rep 775 Posts Drives: E46 M3 Coupe Join Date: Apr 2009 Location: N/A iTrader: (1)	Wideband O2s would be nice for sure. MSS54 is so much easier to tune otherwise though - it is nice having a platform that's about as close to open source as it gets.
	Appreciate 1 Taskmaster2475.50 Quote

01-06-2017, 07:13 PM	#1315
Terraphantm Captain 253 Rep 775 Posts Drives: E46 M3 Coupe Join Date: Apr 2009 Location: N/A iTrader: (1)	Improved RSA Delete - no longer dependent on a valid 0da (it is dependent on your stock boot sector being untouched and up to date however). https://www.dropbox.com/s/or8dvilyoq...No0DA.0pa?dl=0 Similar strategy should be doable to MSV80 (and looking at it, it's similar to what the BBFlash guys have done)
	Appreciate 2 rjahl1001.50 Taskmaster2475.50 Quote

01-07-2017, 01:06 PM	#1317
Terraphantm Captain 253 Rep 775 Posts Drives: E46 M3 Coupe Join Date: Apr 2009 Location: N/A iTrader: (1)	So I got my MSV80 in - I think I've got a valid strategy for the RSA delete, but so far I haven't been able to get it to work. Probably just making a small typo somewhere or miscalculating an offset (I hate little endian). Much more annoying to test the MSV80 since it doesn't support K-line as far as I can tell. And D-CAN is so much slower (which is odd, I thought D-CAN could do 500kbps instead of the 115.2 like the K-line)
	Appreciate 0 Quote

01-07-2017, 02:43 PM	#1318
Taskmaster Banned 2476 Rep 9,004 Posts Drives: M235i 6MT / E92 328 Msport 6MT Join Date: Nov 2013 Location: Florida iTrader: (6)	Question: basically the S54s MSS70 is similar to the MSV70, which is basically the same as the MSV80 - any advantage to using S54 parts on the N52, like...VVT adjusters? And the ECU now has perimeters to play with the increased range?
	Appreciate 0 Quote