T87a 10 speed Trans controller

[Tazzi]

Hiya Tazzi,
Thanks for the reply. Do you think I am at a point where I should just try a BDM dump approach? What would your move be?

As soon as I youtubed some videos of these trans, I want one. Of course I want to have full control though

BDM does not work because the CPU is locked, you require the 64bit (I think its that long off the top of my head) password which must be entered first before gaining access.
The password is stored in the 'shadow' flash of the cpu which again cannot be access without the password in the first place/
There IS a way around, but its pretty full on, see my response below for details.

So how is someone like HP Tuners unlocking these things? Do they somehow force it into an unencrypted mode? I'd be pretty shocked if they cracked the actual encryption. I'd think GM would hit them with a DMCA violation if that was the case.

So.. your assuming they are using their 'signature' to encrypt/decrypt their information.

But I don't believe this is the case. Modules can have something called "SBAT" (Signature Bypass Authorization something), which basically enables bypassing the security and signature requirements of a global A/B ECU. If someone was to 'patch' the boot code in the ecu to always allow the bypass, then they can simply upload the calibrations unencrypted/compressed.

Im fairly certain the calibrations are saved in the flash chips memory unencrypted, hence you do not need to 'decrypt' if you have access to the flash.

How are they getting access to the flash you say?? Well.. I believe its the use of high powered lasers/pulses to glitch processes into access
Checkout this teardown/work performed by Colin O'Flynn which does this for an E41 which uses the encrypted cals and has a locked CPU: https://www.youtube.com/watch?v=pkhV9K9raHE

He actually did a full technical paper on this which he indicates he got reliable access to the ECUs memory to dump and even edit the shadow flash, to then get normal Jtag access to read/write the memory: https://eprint.iacr.org/2020/937.pdf

Assuming a dedicated bench setup is made, where an ECU is slotted in place, this process could be replicated on different ecus reliably and consistently to gain access. I am assuming this is the method that HPTuners is taking to gain access to them.

[In-Tech]

I'm a cunt..... as me and my bro from zealand say, haha
I have yet begun to defile myself but I don't know shite myself.


TCM Security Seed: B921254206
TCM Security Key: 90B0581963

Captured Communications:

Delta(ms) Time Stamp CANID Can Data
---------- ---------- ----- -----------------------
0 43031 0101 FE 01 3E 00 00 00 00 00 ; Tester present message - to all nodes

31 43062 0101 FE 02 1A B0 00 00 00 00 ; Request data by identifier

7 43069 07EA 03 5A B0 18 AA AA AA AA ; Response to request for data by identifier - from TCM

1 43070 07E8 03 5A B0 11 ; Response to request for data by identifier - from ECM

3 43073 07E9 03 5A B0 12 ; Response to request for data by identifier - from TCM

8 43081 07EB 03 5A B0 13

3 43084 07EC 03 5A B0 14

8 43092 07ED 03 5A B0 15

4 43096 07EE 03 5A B0 16

7 43103 07EF 03 5A B0 17

1502 44605 0101 FE 02 10 02 00 00 00 00 ; Initiate diagnostic operation - Disable all diagnostic codes

6 44611 07E8 01 50 ; Response to initiate diagnostic operation - from ECM

2 44613 07EA 01 50 AA AA AA AA AA AA ; Response to initiate diagnostic operation - from TCM

2 44615 07E9 01 50 ; Response to initiate diagnostic operation - from TCM

8 44623 07EB 01 50

4 44627 07EC 01 50

6 44633 07ED 01 50

4 44637 07EE 01 50

7 44644 0101 FE 01 3E 00 00 00 00 00 ; Tester present message - to all nodes

1 44645 07EF 01 50

1529 46174 0101 FE 01 28 00 00 00 00 00 ; Request to stop normal comm

7 46181 07EA 01 68 AA AA AA AA AA AA ; Stop normal comm OK response from TCM

1 46182 07E8 01 68 ; Stop normal comm OK response from ECM

3 46185 07E9 01 68 ; Stop normal comm OK response from TCM

[In-Tech]

Tazzi, I luv ya bro, thanks for the feedback.
I may end up no where on this project but this is fun

[Tazzi]

Standard first few frames of preparing for a flash.

No stress! If you decide to go into the glitching side...Id be REALLY interested.

[In-Tech]

Hiya,
I will drag out my glitch crap from the early 2000 stuff. I'm game. Man, I'm buried with work and we gotta get together on some kinda phone thingy that we talked about too.

[Tazzi]

Hiya,
I will drag out my glitch crap from the early 2000 stuff. I'm game. Man, I'm buried with work and we gotta get together on some kinda phone thingy that we talked about too.

Im down for that

[In-Tech]

I haven't had the time to look. Have you noticed any kind of clock jitter or are they not there yet? It's kinda funny I predicted this 20 years ago, lmao

[Tazzi]

I haven't had the time to look. Have you noticed any kind of clock jitter or are they not there yet? It's kinda funny I predicted this 20 years ago, lmao

Not sure about that. I have a chip whisperer nano, which doesnt have the capability of whats described in that video/document.

[In-Tech]

Just jumbling comments here...it has been many years ago and some things I comment on probably don't have correct terminology, sorry. When the cpu is "idling" we would test "glitches" of the "answer to reset" to find a good timed entry point. Then load the "buffer" and glitch power to the cpu to change an address in the normal "idling" structure. Basically a glitch(in our case) will change a value to 00h and we were looking to execute code at 0080h where the buffer was. In another post, where I wasn't very clear, there is also a "peripheral" that can be called and will xor that next value to the following bytes and can be used to "encrypt" everything(bytes) after until the peripheral is reset. This uses almost no tics and is part of the internal mathco or maprom so the dump can look like garbage but the cpu runs like normal.

Anyway, too many surgeries and I don't feel like I came all the way back after each one, so, lost some grey matter Time is not available as much as I want but this newer stuff has me interested

[Gatecrasher]

I first stumbled on Colin's videos a few months ago. That shit blew my mind. I start feeling like I'm making a little progress with something, and then I watch something like that. It's like getting a tiny glimpse across the massive gulf between what I'm doing and what people who actually know what they're doing are working on.