GS7 program code disassembly project

imad

Specialist
Oct 4, 2019
94
64
0
Ride
BMW e92
> So you have M3 GWS and drive mode button?
> There are two latest versions of GTS data - 7845773 and 7848442; the difference is only some parameter and the Rennstart rpm from 3500 to 4500.
> So I'll prepare the second one.
Yeh, I am with M3 GWS and the SZL. M button is there, but in order to make it work (for real) I still need to drop in an ARBID generator that will simulate MDM "on" traffic instead of mss60/CIC. Not sure I really need it though, as the clutch is anyway quite fast and smart on downshifts, yet throttle is available in XDFs already. Other than that, no idea why I would need it, maybe just for fun )
 

imad

So far we have 700 USD, who else is in?

Think I could just borrow it for the sessions I need, just to prove the concept before we need to spend anything. Guess there is another DKG around for cheap that I could grab to have it on the bench.
 

aus335iguy

Colonel
Nov 18, 2017
2,248
803
0
Down under
Ride
335i DCT 2009
> Yeh, I am with M3 GWS and the SZL. M button is there, but in order to make it work (for real) I still need to drop in an ARBID generator that will simulate MDM "on" traffic instead of mss60/CIC. Not sure I really need it though, as the clutch is anyway quite fast and smart on downshifts, yet throttle is available in XDFs already. Other than that, no idea why I would need it, maybe just for fun )

I think the drive button he’s talking about is the drivelogic level button on the console
 

Olza

Corporal
Feb 2, 2020
229
223
0
Minsk, Belarus
Ride
BMW M240 xdrive
I guess we can switch off drivelogic and use the sport button on GTS software. We even can try to use the standard GWS with it )


So try to reflash this file:
0. Make sure you HAVE already flashed M3 GTS program version 7844978 (!)
1. Save the original A7848443.0da data file in a safe warm place
2. Copy this file (without the .txt extension) in its place
3. Start WinKFP
4. Remove "UIF write after data" and "after program" in expert and comfort mode, and "Force program programming" in configuration; NO bootsector update (!)
5. In comfort mode, choose Enter ZUSB, enter 7848442
6. Check the ECU family is GS40 and our file is selected, OK
7. OK, Done, Program.
8. Pray :)

It should write ONLY the data file, and doesn't take much time.
Then I'm very interested in the TCU behaviour. Write down any error messages and other stuff.

Then revert to the original file and reflash back to it. The only difference is the LC rpm and that one parameter, which I revert back to 0.

 

Attachments: A7848443.0DA.txt (359.5 KB)

imad

> I guess we can switch off drivelogic and use the sport button on GTS software. We even can try to use the standard GWS with it )
>
> So try to reflash this file:
> 0. Make sure you HAVE already flashed M3 GTS program version 7844978 (!)
> 1. Save the original A7848443.0da data file in a safe warm place
> 2. Copy this file (without the .txt extension) in its place
> 3. Start WinKFP
> 4. Remove "UIF write after data" and "after program" in expert and comfort mode, and "Force program programming" in configuration; NO bootsector update (!)
> 5. In comfort mode, choose Enter ZUSB, enter 7848442
> 6. Check the ECU family is GS40 and our file is selected, OK
> 7. OK, Done, Program.
> 8. Pray :)
>
> It should write ONLY the data file, and doesn't take much time.
> Then I'm very interested in the TCU behaviour. Write down any error messages and other stuff.
>
> Then revert to the original file and reflash back to it. The only difference is the LC rpm and that one parameter, which I revert back to 0.

This is nice. Gonna test it )
 

doublespaces

Administrator
Oct 18, 2016
9,303
4,331
0
AZ
Ride
2009 E93 335i
The data normally flashed has a signature attached to it. To create that signature, the data is put into a hash function to get a ~256 byte hash. This hash is signed by the 2048 bit private key and you get the signature.

The data and signature are packaged together and flashed to the TCU. Once flashed the TCU will then take the flashed data and run it through the hashing program again to get a 256 byte hash of the actual data flashed.

Separately, it will take the signature that was sent over with the flashed data and decrypt it with the only keys on the device which are the public keys. This decrypted signature is the verified hash of the original signed data.

If these two hashes do not match, the TCU will not exit program mode and your car will not operate correctly.

These secondary operations are conducted in a private memory area we currently do not control or have the ability to read or write. At least that is the belief, and it would be silly if Getrag did something else.

If we bench flash directly to the chip, we can overwrite these protections and also bypass the usual program mode via OBD so those checks aren't made.

So unless there is a flaw in the TCU security, the hashes won't match and this won't be successful, but it is worth trying.
 

imad

> The data normally flashed has a signature attached to it. To create that signature, the data is put into a hash function to get a ~256 byte hash. This hash is signed by the 2048 bit private key and you get the signature.
>
> The data and signature are packaged together and flashed to the TCU. Once flashed the TCU will then take the flashed data and run it through the hashing program again to get a 256 byte hash of the actual data flashed.
>
> Separately, it will take the signature that was sent over with the flashed data and decrypt it with the only keys on the device which are the public keys. This decrypted signature is the verified hash of the original signed data.
>
> If these two hashes do not match, the TCU will not exit program mode and your car will not operate correctly.
>
> These secondary operations are conducted in a private memory area we currently do not control or have the ability to read or write. At least that is the belief, and it would be silly if Getrag did something else.
>
> If we bench flash directly to the chip, we can overwrite these protections and also bypass the usual program mode via OBD so those checks aren't made.
>
> So unless there is a flaw in the TCU security, the hashes won't match and this won't be successful, but it is worth trying.

I won't try that with WinKFP as I know it won't pass. Bench flashing is what I am aiming for.
 
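The verification flow doublespaces describes, and the reason imad expects an unsigned WinKFP flash to fail, can be modelled in a few lines. What follows is an added example, not code from the thread and not a description of what the GS7 TCU actually runs: it uses textbook RSA over a raw SHA-256 digest with a small throw-away key (no PKCS#1 padding, no real key size), and the function names and the constructed data file are invented for illustration. One thing the model makes visible is that the digest is 32 bytes; it is the signature that has the modulus size (256 bytes for a 2048-bit key, 64 bytes for the 512-bit toy key here).

```python
"""Toy model of a signed-flash check: manufacturer signs SHA-256(data) with a
private RSA key; the TCU re-hashes the flashed data, recovers the signed hash
with its public key, and leaves program mode only if the two hashes match.
Stdlib only.  Key size and unpadded RSA are simplifications for illustration."""
import hashlib
import random
from math import gcd

E = 65537
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test with random bases from rng."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    """Random odd prime with the top bit set."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def gen_keypair(bits: int = 512, seed: int = 7):
    """Seeded toy RSA keypair: returns ((n, e), (n, d)).  512 bits is far too
    small for real use; it only keeps this example fast and reproducible."""
    rng = random.Random(seed)
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))


def digest_int(data: bytes) -> int:
    """SHA-256 of the data as an integer (32 bytes, always < the 512-bit n)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_image(data: bytes, priv) -> bytes:
    """Manufacturer side: flash image = data || RSA_priv(SHA-256(data))."""
    n, d = priv
    sig = pow(digest_int(data), d, n)
    return data + sig.to_bytes((n.bit_length() + 7) // 8, "big")


def tcu_exit_program_mode(image: bytes, pub) -> bool:
    """TCU side after an OBD/WinKFP flash: re-hash what was written, recover
    the signed hash with the public key, accept only if both hashes match."""
    n, e = pub
    sig_len = (n.bit_length() + 7) // 8
    data, sig = image[:-sig_len], image[-sig_len:]
    recovered = pow(int.from_bytes(sig, "big"), e, n)
    return recovered == digest_int(data)


if __name__ == "__main__":
    pub, priv = gen_keypair()
    data = b"constructed data file: rennstart rpm 3500"   # not a real .0da
    image = sign_image(data, priv)
    print("original image accepted:", tcu_exit_program_mode(image, pub))
    edited = data.replace(b"3500", b"4500") + image[len(data):]  # old signature
    print("edited data, old signature accepted:", tcu_exit_program_mode(edited, pub))
    resigned = sign_image(data.replace(b"3500", b"4500"), priv)
    print("edited data, re-signed with private key:", tcu_exit_program_mode(resigned, pub))
```

The edited-but-not-re-signed image is exactly what Olza's WinKFP test submits; in this model it is rejected because the recovered hash no longer matches the re-computed one, and only the holder of `priv` can produce an accepted image. A bench write that lands bytes in the flash chip directly never calls `tcu_exit_program_mode` at all, which is the bypass doublespaces describes; the check is only as strong as the TCU's ability to keep the verifier and the public key out of reach of the writer. Real implementations also pad the digest (PKCS#1); the unpadded form here is only to keep the arithmetic visible.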

aus335iguy

I've been thinking (that's bad).
The earliest versions of software will be the least refined. They'll have the smallest number of features, the worst shift behaviour etc... what if they also have the worst security?
It follows on from something Tom from Brintech said: "always use the earliest file for experimentation"...
Could this be why?
In other words, we do a boot sector update to the earliest file and use that file for our experimentation.
 

doublespaces

> I won't try that with WinKFP as I know it won't pass. Bench flashing is what I am aiming for.

There is a very small chance it could be accepted :)

You have seen the mistakes Sony made with the PS3 security, right?
 

Olza

> I won't try that with WinKFP as I know it won't pass. Bench flashing is what I am aiming for.

But I want to see what will happen with the TCU while flashing with WinKFP, please... I did not re-sign the binary.

doublespaces, I can see several hashes and routines inside. Investigating... but a full dump will be very useful.
 