As promised, it's been a year since we debated cracking the Gen7 PCM........

Rolls
This is what I've been trying to communicate. If something can be coded or encrypted, it can be decoded or decrypted. The problem is, the people with those types and dimensions of skill don't really care about whether the Mustang PCM is locked or not. They're either working for huge corporations, working for governments, or they're hacking into one of the others' systems to hold them to ransom.
E.g. cracking the iPhone. The FBI couldn't do it, but a firm did it for a bounty exceeding 1 million. Put the RAM in dry ice, shave the lid, X-ray it at the right time, and if you know where the needle in the haystack is, voila. What you then do with that needle is a whole other story.
 
Angrey (OP)
> E.g. cracking the iPhone. The FBI couldn't do it, but a firm did it for a bounty exceeding 1 million. Put the RAM in dry ice, shave the lid, X-ray it at the right time, and if you know where the needle in the haystack is, voila. What you then do with that needle is a whole other story.

I don't believe the gubment for one second. I believe that they've always had the ability to access every single device, and the FBI feigning like they couldn't was just to maintain the illusion. They might not give every level of the FBI or the dark 3-letter agencies access to it, but rest assured, if they want access to anything electronic, they have it at some level. An important enough case and you can bet they'll get whatever information they want off it.
 

andrewtac
> I don't believe the gubment for one second. I believe that they've always had the ability to access every single device, and the FBI feigning like they couldn't was just to maintain the illusion. They might not give every level of the FBI or the dark 3-letter agencies access to it, but rest assured, if they want access to anything electronic, they have it at some level. An important enough case and you can bet they'll get whatever information they want off it.

Have you ever worked for them? You have more faith than I do. I know sometimes they hide behind incompetence, but they are full of it as well.

I bought a '24 F150; I hope to be able to tune it someday. One of the reasons I chose it was to force myself to delay mods. If it doesn't happen, FuelTech is controlling the 10R80 now. I plan on a FuelTech on the Mustang at some point, as MoTeC probably will never do the Gen3. I realize that by even thinking those things I am in a really small segment of the market. I never say never anymore, but I do think the road to real stock ECU tuning is far away, if ever.
 

robvas
> Have you ever worked for them? You have more faith than I do. I know sometimes they hide behind incompetence, but they are full of it as well.
>
> I bought a '24 F150; I hope to be able to tune it someday. One of the reasons I chose it was to force myself to delay mods. If it doesn't happen, FuelTech is controlling the 10R80 now. I plan on a FuelTech on the Mustang at some point, as MoTeC probably will never do the Gen3.

Don't even want to know what that guy spent getting the FT600 set up on his F150...
 

andrewtac
> Don't even want to know what that guy spent getting the FT600 set up on his F150...

I don't mind spending the money required for a standalone, but I am not prepared to spend the money required to be the first one in a vehicle. Hopefully this opens up 10R80 control. Perhaps FuelTech sees the opportunity to make some money on those of us who are stuck. It ain't cheap, but it could be cheaper if more of us did it.
 

engineermike
This....

This is why you'd want to tune your 2024 Mustang....

My buddy just did a good data log on his. The car ran 11.97 stock, but the throttles are closing. In fact, right after it shifts into 4th gear, it goes to 40-45% throttle for the majority of 4th and all of 5th. It seems Ford is controlling torque on it like they do the ecoboost.

The interesting thing is I have a stock DarkHorse tune and it appears to force the throttle open like the Gen1-3 did. I haven't been able to get ahold of a base GT tune to see how/why the tune is closing the throttle but it is.

[attached image: 1737419023956-4b.webp, the data log screenshot]
 

Joshinator99
> This....
>
> This is why you'd want to tune your 2024 Mustang....
>
> My buddy just did a good data log on his. The car ran 11.97 stock, but the throttles are closing. In fact, right after it shifts into 4th gear, it goes to 40-45% throttle for the majority of 4th and all of 5th. It seems Ford is controlling torque on it like they do the EcoBoost.
>
> The interesting thing is I have a stock Dark Horse tune and it appears to force the throttle open like the Gen1-3 did. I haven't been able to get ahold of a base GT tune to see how/why the tune is closing the throttle, but it is.
>
> [attached image: 1737419023956-4b.jpg, the data log screenshot]

100%. Ford is undoubtedly using the same type of torque management that GM uses. Airflow and spark are how they control torque, and if you start slapping mods on without a proper tune, the ECM is simply going to close the throttle or retard spark timing until you're within anticipated parameters. Eventually the S650 owners will want to tune their car if they want to do this right.
 

Rolls
> FuelTech is controlling the 10R80 now. I plan on a FuelTech on the Mustang at some point, as MoTeC probably will never do the Gen3. I realize that by even thinking those things I am in a really small segment of the market. I never say never anymore, but I do think the road to real stock ECU tuning is far away, if ever.

Do you have any more info on this? I can't see anything about any aftermarket 10R80 controllers; even the 6R80 ones are a step backwards if you want to do daily + track + drag.

MoTeC can and could do a 10R80 controller; they however take a huge cut and own the IP of whoever develops the firmware for it. Hence it is completely uneconomical for anyone to write firmware for it.

MoTeC don't offer a proper Euro 6 cat controller to meet emissions. I know people who could write firmware to do so, but the ROI is awful. If people can't get that off the ground, then a 10R80 is a pipe dream.

It is unfortunate, as MoTeC have incredible systems; they just make it hard for anyone with the skills to write custom firmware for it to make a profit.

This is why at PCMTec we are going the opposite route, taking the OEM system and adding as much aftermarket support as possible for it.
 

geddys
Also, there are zero ECUs from crashed S650 GTs available on eBay for a reasonable price, making people that have the skills and do that kind of stuff (breaking into hardware) as a hobby just go and try a different project (only the USA has a market for that kind of skillset; the rest of the world does this as a hobby, with few exceptions). This project is a waste of time, as no one is gonna pay you for the knowledge of unlocking it an amount that is adequate for the skillset and time required. And to "bring it to market yourself" you basically would need to build completely new software for tune editing and flashing, which will eat a crapload of your time with poor ROI, as the car tuning market is falling.

S650 tune security is based on a simple premise. Every ECU has a built-in hardware security module that stores a public RSA key, and every part of the software is signed by Ford with their respective RSA private key.
When you want to write a tune, you tell the ECU via the Unified Diagnostic Services protocol (OBD2 standard) that you want to flash a new tune. The ECU says OK, and you send a bootloader (a mini program that knows how to receive the tune via CAN bus and how to write it to flash), then the ECU loads/starts the bootloader and begins flashing the tune. But now both the bootloader and the tune itself are RSA signed, and if the digital signature does not match then it just dumps it into the trash.
Probably Whipple/Roush/etc. get a special ECU from Ford for tune development with a non-production RSA key so they can tune it themselves, but the final calibration is signed by Ford/Bosch.

To get a proper signature for software you either need to steal the private key from Ford/Bosch (not gonna happen), or just add your own RSA key into the ECU.
To do that, you could simply talk with the ECU via JTAG (that's how they probably "unlocked" F150 ECUs a few years back), but on the S650 ECU Bosch has put a 256-bit password on that interface, so it's not gonna happen until that password gets leaked or brute-forced or cracked somehow.

There might be built-in procedures so Ford dealers have the ability to add a new RSA key to the ECU in case Ford needs to replace its key when it gets compromised, but unless that gets leaked there is a slim chance of someone finding it (or maybe that tuning device from Whipple uses it, who knows; someone would need to dump all CAN bus traffic when flashing a tune with it).
 
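A toy model of the signed-flash check described in the post above, added here as an example (not code from the forum, Ford or Bosch). It assumes textbook RSA on constructed keys and a hypothetical flash_session helper, whereas a real ECU uses a padded signature scheme and a much larger key; the point it shows is why an edited tune or bootloader is discarded while a genuine one is accepted.

```python
# Added example, not from the post: a toy model of the signed-flash check geddys
# describes. The ECU holds only a public key and discards any bootloader or
# calibration whose signature fails to verify. Textbook RSA with no padding on
# constructed keys; real ECUs use a padded scheme (e.g. RSA-PSS) and larger keys.
import hashlib

E = 65537
# Constructed key material: two known Mersenne primes stand in for the OEM's
# randomly generated primes (never reuse public primes for real keys).
_P, _Q = (1 << 127) - 1, (1 << 521) - 1
N = _P * _Q
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent, held only by the OEM
OEM_PRIVATE_KEY = (N, _D)
ECU_PUBLIC_KEY = (N, E)                # what the ECU's HSM would store


def _digest_int(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def oem_sign(image: bytes, priv=OEM_PRIVATE_KEY) -> int:
    """OEM side: sign the SHA-256 digest of the image with the private key."""
    n, d = priv
    return pow(_digest_int(image) % n, d, n)


def ecu_accepts(image: bytes, sig: int, pub=ECU_PUBLIC_KEY) -> bool:
    """ECU side: recover the digest from the signature with the public key and
    accept only if it equals the digest of the image actually received."""
    n, e = pub
    return pow(sig, e, n) == _digest_int(image) % n


def flash_session(bootloader: bytes, bl_sig: int, calibration: bytes, cal_sig: int) -> str:
    """Order geddys describes: the bootloader is checked first, then the tune."""
    if not ecu_accepts(bootloader, bl_sig):
        return "rejected: bootloader signature"
    if not ecu_accepts(calibration, cal_sig):
        return "rejected: calibration signature"
    return "flashed"


def demo() -> dict:
    boot = b"constructed bootloader image v1"
    cal = b"constructed calibration: spark and throttle limit tables"
    boot_sig, cal_sig = oem_sign(boot), oem_sign(cal)
    edited = cal[:-1] + bytes([cal[-1] ^ 0x01])   # one byte changed after signing
    return {
        "genuine": flash_session(boot, boot_sig, cal, cal_sig),
        "edited_tune": flash_session(boot, boot_sig, edited, cal_sig),
        "corrupted_bootloader_sig": flash_session(boot, boot_sig ^ 1, cal, cal_sig),
    }
```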

Rolls
> To get a proper signature for software you either need to steal the private key from Ford/Bosch (not gonna happen), or just add your own RSA key into the ECU.
> To do that, you could simply talk with the ECU via JTAG (that's how they probably "unlocked" F150 ECUs a few years back), but on the S650 ECU Bosch has put a 256-bit password on that interface, so it's not gonna happen until that password gets leaked or brute-forced or cracked somehow.

256-bit is brute-forceable if you can reduce the key space, e.g. you know that the mechanism used to generate it is flawed. That is how they cracked the 1024/2048-bit RSA keys on other Infineon processors. I believe they reduced it to 50 CPU years to crack; 50 years is a long time, but with say 5000 "computers" that becomes 3.65 days. Also it's more likely log(50), as it's unlikely you will try 99% of the keys before you get the right one.

https://www.infosecglobal.com/news/infineon-vulnerability

> There might be built-in procedures so Ford dealers have the ability to add a new RSA key to the ECU in case Ford needs to replace its key when it gets compromised, but unless that gets leaked there is a slim chance of someone finding it (or maybe that tuning device from Whipple uses it, who knows; someone would need to dump all CAN bus traffic when flashing a tune with it).

As far as I know the key is "fused" in, e.g. each bit of the key is a tiny resistor/fuse that is purposely blown if it is a 0 and left if it is a 1.

Potentially you could change the key to be all 1s if you found an exploit to change it, making the key 0xFFFF.... etc., though given how widespread the Infineon TPM is, I see this as unlikely. Also, if you found a way to do this, you'd almost certainly be able to disable the check in the first place.
 
Angrey (OP)
> 256-bit is brute-forceable if you can reduce the key space, e.g. you know that the mechanism used to generate it is flawed. That is how they cracked the 1024/2048-bit RSA keys on other Infineon processors. I believe they reduced it to 50 CPU years to crack; 50 years is a long time, but with say 5000 "computers" that becomes 3.65 days. Also it's more likely log(50), as it's unlikely you will try 99% of the keys before you get the right one.
>
> https://www.infosecglobal.com/news/infineon-vulnerability
>
> As far as I know the key is "fused" in, e.g. each bit of the key is a tiny resistor/fuse that is purposely blown if it is a 0 and left if it is a 1.
>
> Potentially you could change the key to be all 1s if you found an exploit to change it, making the key 0xFFFF.... etc., though given how widespread the Infineon TPM is, I see this as unlikely. Also, if you found a way to do this, you'd almost certainly be able to disable the check in the first place.

Wouldn't they want to use multiple keys for OPSEC when/if the key is ever leaked? If you use a singular key and it's leaked, it's much harder to start the investigation of who leaked it.