pcmhacking.net

What a time to be alive, its developments like these which just get me revved up to continue reverse engineering!

Edge has brought out brand new product that allows unlocking and tuning the E41 ecus, and its a fraction of the cost of HPtuners service+credits: https://www.edgeproducts.com/products/h ... arts/26402

Looking over their unlocking manual, it appears they are power glitching the ECU. This is either to get it into a recovery state or to execute code before any 'security' actually engages within the ecus firmware.. likely during the boot code process.

It wouldnt be a far fetch concept to assume this could be applied to other ecus, assuming they have the same recovery state (Most global A/B modules do) or boot setup. I can't imagine its micro second precision required, since its simply using a fuse at the engine bays ECM fuse location, with a wire that runs to the 'unlocker box'. I assume the handheld scantool then sends commands to the unlocker box to begin glitching/power cycling the ecu. Once its in some sort of recovery state or vulnerable state to inject code, it can then have is boot code modified to allow uploading tunes without signature verification.

thats awesome, glitching seems to often be the way to go on newer platforms. like you say its interesting that its just power, often something else would be tweaked to slow the processor down to make it easier to get the timing right, but unless its doing something to pins on the OBD bus that we cant see that doesnt seem to be the case here.

that's awesome. I've had the theory for a while now that HP is not opening the e41 at all to "modify" them for tuning. I have one of the "modified" e41's and it doesn't look like it has been opened up at all. Unless they're are very good at it I just don't see this being the case. I think they have a way they are able to upload the boot code that allows their signed files.

antus wrote:thats awesome, glitching seems to often be the way to go on newer platforms. like you say its interesting that its just power, often something else would be tweaked to slow the processor down to make it easier to get the timing right, but unless its doing something to pins on the OBD bus that we cant see that doesnt seem to be the case here.

On board is quite different than being connected directly, due to capacitance. It is a hard thing to do and is different in every application. Some times you can do "in circuit" but most times not. When reverse engineering you generally have to separate the flash or the cpu/flash to get it to comply. It's not an easy task, but much easier than getting to the bits through a microscope