In-Tech wrote:
Hiya Tazzi,
Thanks for the reply. Do you think I am at a point where I should just try a BDM dump approach? What would your move be?
As soon as I youtubed some videos of these trans, I want one. Of course I want to have full control though.

BDM does not work because the CPU is locked; you require the 64-bit (I think it's that long, off the top of my head) password, which must be entered first before gaining access.
The password is stored in the 'shadow' flash of the CPU, which again cannot be accessed without the password in the first place.
There IS a way around it, but it's pretty full on; see my response below for details.
Gatecrasher wrote:
So how is someone like HP Tuners unlocking these things? Do they somehow force it into an unencrypted mode? I'd be pretty shocked if they cracked the actual encryption. I'd think GM would hit them with a DMCA violation if that was the case.

So.. you're assuming they are using their 'signature' to encrypt/decrypt their information.
But I don't believe this is the case. Modules can have something called "SBAT" (Signature Bypass Authorization something), which basically enables bypassing the security and signature requirements of a Global A/B ECU. If someone was to 'patch' the boot code in the ECU to always allow the bypass, then they can simply upload the calibrations unencrypted/uncompressed.
I'm fairly certain the calibrations are saved in the flash chip's memory unencrypted, hence you do not need to 'decrypt' if you have access to the flash.
How are they getting access to the flash, you say?? Well.. I believe it's the use of high-powered lasers/pulses to glitch processes into access.
Check out this teardown/work performed by Colin O'Flynn, which does this for an E41, which uses the encrypted cals and has a locked CPU: https://www.youtube.com/watch?v=pkhV9K9raHE
He actually did a full technical paper on this, in which he indicates he got reliable access to the ECU's memory to dump and even edit the shadow flash, to then get normal JTAG access to read/write the memory: https://eprint.iacr.org/2020/937.pdf
Assuming a dedicated bench setup is made, where an ECU is slotted in place, this process could be replicated on different ECUs reliably and consistently to gain access. I am assuming this is the method that HP Tuners is taking to gain access to them.