pazi88 wrote:
Isn't the communication 512-bit RSA encrypted to MS45, so maybe it's that?
I think you’re right. I didn’t realize most communication would be encrypted.
Quote:
BTW guys, MS45 was the first ecu in the 3 series to be secured with BMW's SAM (security and authentication) module. The ecu is secured with two RSA keys - one for login (aka seed/key) and one to digitally sign the calibration data.
Here's the signature routine:
ROM:FFF083D8 # =============== S U B R O U T I N E =======================================
ROM:FFF083D8
ROM:FFF083D8
ROM:FFF083D8 SIG_CHK: # CODE XREF: ROM:FFF0F67Cp
ROM:FFF083D8 # ROM:FFF0FF38p ...
ROM:FFF083D8
ROM:FFF083D8 .set var_10, -0x10
ROM:FFF083D8 .set var_4, -4
ROM:FFF083D8 .set arg_4, 4
ROM:FFF083D8
ROM:FFF083D8 stwu sp, var_10(sp)
ROM:FFF083DC mflr r0
ROM:FFF083E0 stw r31, 0x10+var_4(sp)
ROM:FFF083E4 stw r0, 0x10+arg_4(sp)
ROM:FFF083E8 lwz r12, ((off_FFF09C94+0x636C) & 0xFFFF)(r6)
ROM:FFF083EC cmplwi r12, 0x10
ROM:FFF083F0 ble loc_FFF083FC
ROM:FFF083F4 li r3, -1
ROM:FFF083F8 b loc_FFF0841C
ROM:FFF083FC # ---------------------------------------------------------------------------
ROM:FFF083FC
ROM:FFF083FC loc_FFF083FC: # CODE XREF: SIG_CHK+18j
ROM:FFF083FC lis r31, ((SIG_MODULUS+0x10000) >> 16)
ROM:FFF08400 addi r31, r31, -0x627C # SIG_MODULUS
ROM:FFF08404 lis r11, ((CALC_SIG+0x10000) >> 16)
ROM:FFF08408 addi r11, r11, -0x7964 # CALC_SIG
ROM:FFF0840C mtlr r11
ROM:FFF08410 addi r8, r31, 0x48
ROM:FFF08414 addi r7, r31, 0
ROM:FFF08418 blrl
ROM:FFF0841C
ROM:FFF0841C loc_FFF0841C: # CODE XREF: SIG_CHK+20j
ROM:FFF0841C lwz r0, 0x10+arg_4(sp)
ROM:FFF08420 lwz r31, 0x10+var_4(sp)
ROM:FFF08424 mtlr r0
ROM:FFF08428 addi sp, sp, 0x10
ROM:FFF0842C blr
ROM:FFF0842C # End of function SIG_CHK
That I'm aware of, the RSA modulus for the signatures has been factored by one and only one team, and one of the two members (the other being my partner for 23 years) is typing this. We factored a 512-bit RSA modulus in 14 days using custom/optimized hardware and an optimized version of the general number field sieve algorithm. This was back in 2007. We kept the "how" silent back then because 512-bit moduli were used in SSL and banking and we really didn't want "the bad guys" to know our factoring capabilities.
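To make the quoted post concrete, here is an added Python illustration (not code from the thread, from BMW, or a reconstruction of CALC_SIG) of what a calibration-signature check like SIG_CHK/CALC_SIG has to decide, together with the key-size audit a defender would apply. The hash-then-sign layout, SHA-256, e=65537 and the seeded 512-bit toy key are assumptions for the example only, not the MS45's actual scheme.

```python
import hashlib
import random

MIN_MODULUS_BITS = 2048  # current policy floor; the MS45 modulus discussed above is 512 bits

def is_probable_prime(n, rng, rounds=24):  # Miller-Rabin for odd n >= 5; fine for a constructed toy key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, rng):
    while True:  # force the top bit (exact size) and the low bit (odd)
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def keygen(bits, seed=2007):  # constructed key (n, e, d); seeded so the example is reproducible
    rng, e = random.Random(seed), 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign_calibration(n, d, data):
    # Hash-then-sign: producing sig requires d, i.e. knowledge of the factors of n.
    return pow(digest_int(data), d, n)

def verify_calibration(n, e, data, sig):
    # The decision a CALC_SIG-style routine makes: does sig^e mod n equal H(data)?
    return 0 < sig < n and pow(sig, e, n) == digest_int(data)

def modulus_meets_policy(n):
    # Key-size audit: a 512-bit n fails, consistent with the factoring result in the thread.
    return n.bit_length() >= MIN_MODULUS_BITS
```

The verification step itself is sound; what the thread shows is that with a 512-bit n the only secret it depends on, d, is recoverable, so the audit function is the check that matters.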