10-18-2012, 04:08 AM   #113
BPMSport (BimmerPost Supporting Vendor)
1. It's not really a CAN-Bus blocker, it's more of a 'filter'. I've logged the CAN bus in real time to see what's happening. There are a few different ways to get the FSC certificate store to authenticate and allow use of maps/voice/etc.

Not sure what you mean about not all functions working correctly. If the emulator is in there and the certificates are valid, then it works. If any part of this equation is missing, there may be issues with missing features. Yes, you do need to know the original VIN of the car it came from for map updates if the certificates are original, but you can pull that from the FSC 1B. No real other downsides other than extremely small power consumption.

2. I disagree that tuning the M3 is any different than tuning the 335. BMW didn't protect the M3 any more than they protected the 335 as far as I am concerned. In fact, the 335 didn't pop up with a tuner-protected file in 2009 like the M3 did. Your comment that it was more than simple check-summing does not make sense to me. If the checksum is correct and the routines run properly, the car will start. The 335 MSD80/81 ECU is no more "protected" than the MSS60 ECU. In fact, I would say that the M3's ECU incorporates even more protection technology than the 335 ECU, considering it has a BDM-locked left side processor. When any car comes out, it's a matter of time before it's cracked. And sometimes it's from information that leaks from the factory. Cracking serious RSA keys is sometimes not an option as we're limited by time and computing power. And yes, you are right about development firmwares with different signature checking that are sometimes leaked and used for tuning. Take, for instance, the N55 - a perfect example of this. There is only so much that a manufacturer can do until there is a point of diminished returns. You can secure the front door of your house so much that it's impossible for you yourself to enter. Same idea here.

In terms of the 47.1 update, it is supposed to fix this theft issue. Does US 47.1 differ from UK 47.1? Not to my knowledge. So a potential "patch" that they have for the UK market should theoretically be applied in the other markets as well, unless they chose to specifically target UK spec cars with specific coding data versus an actual program area patch. This is not hard for me to find out, I just need to program a UK variant and compare it to the US coding data. Information about this is not something I would withhold to make money, this is a hobby for me more than anything else. I don't want my car (or yours) vulnerable to thieves.

The programmer who made the key hack device states on the site that it works on version 47 as well. It's conflicting information between BMW and the programmers to this key hack. Can I tell you with 100% certainty that BMW's update fixes this issue? No. And even if it did, it's a matter of time before it's possible again.

I don't have any use for that key programmer and would rather buy a car than steal it, so it's not feasible for me to purchase that tool and test the vulnerabilities of our current setup. Now if everyone on M3 posts donates five bucks we would probably have enough cash to buy this tool and put it to the test, and I would be happy to do the testing to see what's vulnerable and what's not - and why.

Obviously everything within a company - particularly a huge vehicle manufacturer - is going to be assessed by future risk. They are going to do their best to mitigate risks while maximizing profit margins. It's a cost/benefit analysis and only BMW and these key hackers really know the extent of this problem.

SeniorFunkyPants also makes a very valid point two posts above. In fact, this is probably one of the most important aspects of this.

Originally Posted by meyergru:
I know all of that, however:

1. FSC circumvention by a CAN-Bus blocker for the CIC (speech recognition, navigation and to a certain extent, maps) has some problems of its own (e.g. the owner of the car has to order a map FSC with another VIN, so he first has to know which one this is - there is a case of a buyer of such a car in Germany right now, sometimes, not all functions work correctly).

2. Map FSCs and ECU protection are special cases. The first one is not an RSA function and thus could be hacked (in fact it was). As for the ECU: for the M3 it is much easier to hack than with cars that BMW really wanted to protect, like the 335i. Tuning of the N54 was a real threat because it was cheaper but practically equally strong, as it was developed as an alternative to the S65 that was ultimately used. So the protection was much stronger than simple checksumming because there was more at stake for BMW. In the beginning, only piggybacks could be used; then, when an early unprotected beta firmware was used as a tuning basis, BMW replaced the MSD80 by the MSD81, making firmware tuning impossible for nearly another year until an Israeli company cracked the signature key for that, too.

What this proves is that with all of my listed assets, BMW has at least tried to prevent access - they did not protect access of the API function to pair a key, it was sitting there waiting to be exploited.
Audi has a similar function and protected it (the diagnostic station has to be online and request a code from the manufacturer).

I call that irresponsible on BMW's part, to say the least. BTW: The device is less than $1000 in China. And is there really a fix out? I have seen the announcement for the UK, nowhere else. You once said that 2.47.1 fixes it (and just told us that the device still works with 2.47), but you did not yet specify if additional settings (i.e. coding) are necessary. I can understand that because you want to make money with the service you offer.

BMW neither offered a fix outside of the UK nor informed their customers, probably fearing an uproar when they admit that it was their fault not to protect this function, especially in the U.S. I have requested info here in Germany, but did not yet receive an answer.


Of course it takes a "highly-sophisticated" approach - BMWs are expensive cars, savvy? It seems like there is a financial controller that makes sure that the effort employed to protect something is directly proportional to the amount at stake - and the amount is negative for theft protection because a car stolen = a car sold, unless you get a C63 afterwards. So no dice!
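The design contrast meyergru draws above (a key-pairing diagnostic function that accepts any request, versus the approach he attributes to Audi, where the diagnostic station has to be online and request a code from the manufacturer) can be modelled in a few dozen lines. The Python below is an added example written for this thread; it is not code from either poster, from BMW or from Audi, and the VINs, workshop id, HMAC-SHA256 construction and class names are constructed assumptions for illustration only.

```python
import hashlib
import hmac
import secrets

PAIR_KEY = "PAIR_KEY"  # the privileged diagnostic command being guarded


def _auth_message(vin, command, nonce):
    # Bind the authorization code to this car, this command and this
    # challenge only, so it cannot be reused elsewhere (constructed format).
    return f"{vin}|{command}|{nonce.hex()}".encode()


class ManufacturerBackend:
    """Hypothetical manufacturer server: holds one secret per vehicle and
    hands out single-use authorization codes to authenticated workshops."""

    def __init__(self):
        self._vehicle_secrets = {}   # vin -> 32-byte secret shared with the car
        self.audit_log = []          # every issued code is attributable

    def enroll_vehicle(self, vin):
        secret = secrets.token_bytes(32)
        self._vehicle_secrets[vin] = secret
        return secret

    def issue_code(self, vin, nonce, command, workshop_id, workshop_authenticated):
        # The workshop must be logged in to the backend; an offline tool
        # plugged into the car has no way to obtain a valid code.
        if not workshop_authenticated:
            raise PermissionError("workshop not authenticated")
        secret = self._vehicle_secrets[vin]
        code = hmac.new(secret, _auth_message(vin, command, nonce), hashlib.sha256).digest()
        self.audit_log.append({"vin": vin, "command": command,
                               "workshop": workshop_id, "nonce": nonce.hex()})
        return code


class UnprotectedVehicle:
    """Pairing function exposed with no authorization check at all."""

    def __init__(self, vin):
        self.vin = vin
        self.paired_keys = []

    def pair_key(self, key_id):
        self.paired_keys.append(key_id)
        return True


class ProtectedVehicle:
    """Pairing function gated by a fresh challenge and a backend-issued code."""

    def __init__(self, vin, secret):
        self.vin = vin
        self._secret = secret
        self.paired_keys = []
        self._pending = None  # (command, nonce) awaiting a response

    def challenge(self, command):
        self._pending = (command, secrets.token_bytes(16))
        return self._pending[1]

    def pair_key(self, key_id, auth_code):
        if self._pending is None:
            return False
        command, nonce = self._pending
        self._pending = None  # each challenge answers exactly one attempt
        expected = hmac.new(self._secret, _auth_message(self.vin, command, nonce),
                            hashlib.sha256).digest()
        if command != PAIR_KEY or not hmac.compare_digest(expected, auth_code):
            return False
        self.paired_keys.append(key_id)
        return True


def scenario_unprotected():
    """Anyone with bus access can add a key: returns True."""
    car = UnprotectedVehicle("WBS_TEST_VIN_0001")  # constructed VIN
    return car.pair_key("blank-key-A")


def scenario_authorized_workshop():
    """Authenticated workshop completes the challenge-response: returns True."""
    backend = ManufacturerBackend()
    vin = "WBS_TEST_VIN_0002"  # constructed VIN
    car = ProtectedVehicle(vin, backend.enroll_vehicle(vin))
    nonce = car.challenge(PAIR_KEY)
    code = backend.issue_code(vin, nonce, PAIR_KEY, "workshop-42", True)
    return car.pair_key("replacement-key", code)


def scenario_offline_tool():
    """Tool that never talks to the backend: a guessed code and a code
    replayed from an earlier session both fail; no key is added."""
    backend = ManufacturerBackend()
    vin = "WBS_TEST_VIN_0003"  # constructed VIN
    car = ProtectedVehicle(vin, backend.enroll_vehicle(vin))
    car.challenge(PAIR_KEY)
    guessed = car.pair_key("blank-key-B", secrets.token_bytes(32))
    old_nonce = car.challenge(PAIR_KEY)
    old_code = backend.issue_code(vin, old_nonce, PAIR_KEY, "workshop-42", True)
    car.challenge(PAIR_KEY)  # new session, new nonce: the old code is stale
    replayed = car.pair_key("blank-key-B", old_code)
    return guessed, replayed, len(car.paired_keys)
```

Two properties carry the defensive value here: the per-session nonce means a code captured from a legitimate workshop visit cannot be replayed, and the backend's audit log ties every pairing to an authenticated workshop identity, which is what gives the manufacturer something to detect and investigate rather than a silent success on the bus.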
