C7 ZR1 Discussion General ZR1 Corvette Discussion, Technical Info, Performance Upgrades, Suspension Setup for Street or Track

ZR1 un-tunable?

Old 02-27-2018, 02:56 PM
  #1  
Jeff V.
Le Mans Master
Thread Starter
 
 
Member Since: Feb 2006
Location: Kansas City, MO
Posts: 5,978
Received 4,086 Likes on 1,971 Posts


It's a bit early to make this prediction, but it's worth mentioning. I've been reading that certain 2019 and up GM gasoline ECMs will be following the example GM started with their 2017 diesel lineup.

https://forum.efilive.com/showthread...-Duramax/page8

Other manufacturers have been playing with this for a while, with varying degrees of success. In a nutshell, the ECM has security protocols that will prevent it from running software that doesn't have a unique cryptographic signature. On some of the older Bosch and Chrysler ECMs, you can do a hardware modification that involves opening the ECM and physically disabling the crypto function. But GM went a step further and even locked that down on the diesels.

So if this bit about the 2019s is true, then my guess is the first car out of the gate with this 'feature' would be the ZR1. One of the vendors on here said the ZR1 has an "E99" ECM, which is a brand new part. There are already credible rumors about GM adding some kind of 'cybersecurity' to the vehicle data network starting in 2017. I've done some digging into the software in the HMI modules and those are cryptographically locked down as well. There is definitely precedent for this.

Someone will inevitably say "it'll just take some smart people to figure it out". That person may as well admit they have no clue how this stuff actually works. If the hardware and software are implemented properly, this will be impossible to bypass.

Popular Reply

05-16-2018, 12:06 AM
KnightDriveTV
Supporting Vendor
 
 
Member Since: Dec 2016
Location: Lookin over Hoover Dam
Posts: 3,513
Received 2,314 Likes on 990 Posts

Originally Posted by Ben@WeaponX
I mean Ford has been ahead of its time for a decade and just look at all of the ISIS Mustangs that have been hacked and plowing into crowds on the reg.



Old 02-27-2018, 03:22 PM
  #2  
HTXSkydiver
Pro
 
 
Member Since: Nov 2017
Location: Houston Texas
Posts: 538
Received 363 Likes on 172 Posts

Interesting, but a lot on that thread went over my head... Have those vehicles (or any) been officially deemed "untunable" and everyone has effectively given up on cracking the encryption? From one of the posts it looked like you could point some cryptocurrency mining equipment at attempting to break the "keys" lol, but as your post above states, I have very little clue of what I am talking about.
Old 02-27-2018, 03:44 PM
  #3  
Jeff V.

Originally Posted by HTXSkydiver
Have those vehicles (or any) been officially deemed "untunable" and everyone has effectively given up on cracking the encryption?
I'm not well versed on who sells what in the diesel market. The only reason I care about them at all is because this ECM situation interests me.

EFI Live has officially given up. Banks seems to be focusing on piggybacks and a full standalone system that really only works on stripped down race trucks. There was a vague reference to some kind of hardware mod from HP Tuners, but I can't find anything credible about it.

Some people keep falling back on "well it took 2 years to crack the LMM engine so give it time". But that seems to be more of a statement of faith from hopeful customers rather than anything from an actual vendor.

I don't know what the current state of the art is for the German performance market either. I know it was starting to get a little iffy when they started rolling out signed ECUs a few years back.
The following users liked this post:
ramairhart (03-06-2018)
Old 02-27-2018, 03:53 PM
  #4  
HTXSkydiver

On the first page of that thread they mention Google "attacked" the SHA-1 algorithm by duplicating its hash using the equivalent computing power of 1 GPU over 110 years. To bring the calculation time down to 1 day they could use approximately 40,150 GPUs at once, if all calculating different iterations. This is obviously assuming the ECU uses this type of "encryption" and also that GM does not change one or both of the "keys" in that time frame.

Larger cryptocurrency mining pools use significantly more GPUs (and hashing power) than what would be required, based on this extremely rough and likely incorrect estimation, allowing them to crack the ECU in hours if not minutes.

I hope someone with some better knowledge and understanding can chime in
Old 02-27-2018, 04:03 PM
  #5  
Jeff V.

Supposedly GM is using SHA-256. As you mentioned, they have the capability to change keys whenever they want. The only thing stopping them from having a different key for every day of the year is the logistics of tracking which key was used when it comes time to do a service update. That could be as simple as a date stamp burned into the memory of the module as it hits the end of the assembly line.
Old 02-27-2018, 04:16 PM
  #6  
Suns_PSD
Le Mans Master
 
 
Member Since: Oct 2012
Location: Texas
Posts: 8,434
Received 408 Likes on 301 Posts

I have an EFI, GDE tuned 2018 GMC Diesel. They said it was unhackable, that lasted about a month. LOL

Last edited by Suns_PSD; 02-27-2018 at 04:17 PM.
The following 3 users liked this post by Suns_PSD:
Kansasz06 (02-27-2018), SpeedyD (02-28-2018), vettefordays (04-15-2019)
Old 02-27-2018, 04:22 PM
  #7  
KnightDriveTV

This "unhackable" PCM/ECU issue dates back quite a bit, honestly. I can recall the S2000 being released and it being believed to be untunable, same with the GTR. If there is a demand, there will be a way. It may not be immediate, but it'll happen one way or another.

I personally don't see it happening. In my opinion, the more they claim it can't be tuned, the more it pushes the aftermarket to pour R&D into it to get the notoriety of being the first to break the claim.
The following users liked this post:
Fernando@LGMotorsports (02-27-2018)
Old 02-27-2018, 04:24 PM
  #8  
Jeff V.

Originally Posted by Suns_PSD
I have an EFI, GDE tuned 2018 GMC Diesel. They said it was unhackable, that lasted about a month. LOL
Did they actually reprogram the ECM, or did they put piggybacks on it? For something supposedly so easy to do, especially in the face of so many people claiming it's impossible, you'd think I'd easily find it for sale on that vendor's website. They'd be bragging about it very loudly.

Originally Posted by K.I.T.T.
I can recall the S2000 being released and being believed it was untunable, same with the GTR. If there is a demand, there will be a way.
And here's the "act of faith" guy I mentioned in the first post

BTW, if you're talking about a Colorado/Canyon diesel, those aren't locked down like the full size trucks are. Not yet, anyway.

Last edited by Steve Garrett; 05-15-2018 at 05:22 PM. Reason: Merge Posts
Old 02-27-2018, 04:45 PM
  #9  
KnightDriveTV

20yrs+ in the automotive aftermarket, 12+ yrs as an engine management tuner and having run a small vehicle manufacturer, I'd say I'm a bit more than your derogatory term.
The following 4 users liked this post by KnightDriveTV:
dmaxx3500 (03-06-2018), Fernando@LGMotorsports (02-27-2018), Glenmcp (03-07-2018), vettefordays (04-15-2019)
Old 02-27-2018, 05:12 PM
  #10  
Jeff V.

Originally Posted by K.I.T.T.
20yrs+ in the automotive aftermarket, 12+ yrs as an engine management tuner and having run a small vehicle manufacturer, I'd say I'm a bit more than your derogatory term.
Rather than bragging, please explain a viable path for reversing or bypassing hardware based RSA signatures. Hell, just provide an example of where it's been done. An actual, specific example rather than something vague like "well, they cracked the LMM".

Tuning an engine with someone else's software is a lot different from reverse engineering an ECU and writing the tuning software itself. Being able to take amazing photos has nothing to do with building a camera.

We're talking about electronics and software. Not engines.

I've got 20 years in information technology and a bit over 10 in reverse engineering embedded software. I'm sure you can tune circles around me, but I can tell you how a line of software code actually becomes something tangible and real like an injector pulse or a spark event.
The following 2 users liked this post by Jeff V.:
DocScott (02-12-2019), Telepierre (03-03-2018)
Old 02-27-2018, 08:34 PM
  #11  
DSX Tuning
Former Vendor
 
 
Member Since: Feb 2017
Posts: 381
Received 79 Likes on 48 Posts

Realistically, somebody from the inside will leak the methodology (or be paid for it).

I sent HP Tuners an ECM and supplied them with a ZR1 VIN. They were able to flash it with SPS on a bench, and they emailed me only saying "bad news" with no explanation. However... I don't know that they'll just give up.
Old 02-27-2018, 10:07 PM
  #12  
Suns_PSD

Originally Posted by Jeff V.
BTW, if you're talking about a Colorado/Canyon diesel, those aren't locked down like the full size trucks are. Not yet, anyway.
It's a Canyon, true tune.
Old 02-27-2018, 10:38 PM
  #13  
Jeff V.

Originally Posted by DSX Tuning
Realistically, somebody from the inside will leak the methodology (or be paid for it).

I sent HP Tuners an ECM and supplied them with a ZR1 VIN. They were able to flash it with SPS on a bench, and they emailed me only saying "bad news" with no explanation. However... I don't know that they'll just give up.
The actual private keys are only available to very specific people. It's actually possible that nobody knows the real keys. The keys could have been generated by an automated system, and the only thing available to users is a request to sign a calibration file before publishing it to TIS. Even if someone did know the actual keys, that person would be throwing their career away and possibly opening themselves up to legal action.

That also doesn't prevent GM from changing the key on the next run of ECMs. Assuming they don't periodically change them to begin with. That's the really crazy part about this. If they're using public key cryptography, then GM themselves could publish the exact protocol used...and it wouldn't matter. The methodology for this stuff has been public for years. This type of cryptography is used for things like online banking. The system is strong because it's public. It's only recently that the cost and performance of the electronics capable of doing the math has gotten to a point where it's practical to include in things like ECMs.

Some systems were just obfuscation rather than encryption, and so were trivial to crack. Other encryption systems have been broken or bypassed in the past. This one might fall too. Or it might not. The next few months will be interesting.
Old 02-28-2018, 02:24 PM
  #14  
Ben@WeaponX
Safety Car
 
 
Member Since: Jan 2012
Location: Cin City
Posts: 4,885
Received 481 Likes on 317 Posts
St. Jude Donor '14


We programmed the E99 PCM we have with a ZR1 VIN and sent it in to HPT on Valentine's Day. I checked in with them this morning and the "official" status is:

"under development" no ETA

Hoping they come through by the end of March!
The following 3 users liked this post by Ben@WeaponX:
DocScott (02-12-2019), Fast6.3 (10-16-2018), octaneman (02-28-2018)
Old 02-28-2018, 03:22 PM
  #15  
Jeff V.

Don't get me wrong. I hope someone finds a back door into this thing. But the things I'm reading lately have me really concerned.
Old 03-03-2018, 12:19 PM
  #16  
Telepierre
Safety Car
Support Corvetteforum!
 
 
Member Since: Oct 2009
Posts: 4,938
Received 2,166 Likes on 1,253 Posts


Interesting topic and beyond my specialty but I have glimpsed at "advanced" ECMs cracked via circuit bypasses or outright module spoofing which is obviously even more expensive and then becomes an ROI discussion..
Old 03-06-2018, 12:08 PM
  #17  
17A8Vette
Intermediate
 
 
Member Since: Mar 2017
Posts: 29
Likes: 0
Received 12 Likes on 6 Posts

Originally Posted by Jeff V.
If they're using public key cryptography, then GM themselves could publish the exact protocol used...and it wouldn't matter.
They did precisely that. They filed patents on the security model used in these ECUs. Google patents by GM Global Technical Operations LLC, and you'll find it.

But basically it's a SHA-256 hash that's signed with a 2048 bit RSA key, which is signed again with another 2048 bit RSA key. In other words, unless you have the keys, you ain't goin' in the front door.
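
The signing scheme described in the post above, and the point made in post #13 that publishing the protocol gives nothing away, as an added example that is not part of the thread and is not GM's code: a pure-Python verifier for a SHA-256 hash signed with a 2048-bit RSA key. Assumptions: PKCS#1 v1.5 padding, and "signed again" read as a root key signing the calibration-signing public key; every function name, key and calibration byte string is constructed for illustration.

```python
import hashlib, secrets

PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo, RFC 8017
SMALL = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_prime(n, rounds=24):                 # Miller-Rabin for odd n
    if any(n % p == 0 for p in SMALL):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def witness(a):                         # True if a proves n composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all(pow(x, 2 ** r, n) != n - 1 for r in range(1, s))
    return not any(witness(secrets.randbelow(n - 3) + 2) for _ in range(rounds))

def gen_key(bits=2048, e=65537):            # returns (public, private) as (n, exponent)
    def prime():
        while True:
            c = secrets.randbits(bits // 2) | (3 << (bits // 2 - 2)) | 1
            if (c - 1) % e and is_prime(c):
                return c
    p, q = prime(), prime()
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def encode(msg, n):                         # EMSA-PKCS1-v1_5 over SHA-256(msg)
    t = PREFIX + hashlib.sha256(msg).digest()
    k = (n.bit_length() + 7) // 8
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign(priv, msg):
    return pow(encode(msg, priv[0]), priv[1], priv[0])

def verify(pub, msg, sig):                  # re-encode and compare; never parse padding
    return 0 <= sig < pub[0] and pow(sig, pub[1], pub[0]) == encode(msg, pub[0])

def key_bytes(pub):
    return pub[0].to_bytes(256, "big") + pub[1].to_bytes(4, "big")

def ecm_accepts(root_pub, signer_pub, cert, image, sig):  # assumed chain: root -> signer -> image
    return verify(root_pub, key_bytes(signer_pub), cert) and verify(signer_pub, image, sig)

def demo():                                 # every key and image here is constructed
    (root_pub, root_priv), (sgn_pub, sgn_priv), (other_pub, other_priv) = (gen_key() for _ in range(3))
    cert = sign(root_priv, key_bytes(sgn_pub))
    stock, edited = b"constructed calibration v1", b"constructed calibration v1 (edited)"
    sig = sign(sgn_priv, stock)
    return (ecm_accepts(root_pub, sgn_pub, cert, stock, sig),      # image as signed
            ecm_accepts(root_pub, sgn_pub, cert, edited, sig),     # edited image, old signature
            ecm_accepts(root_pub, other_pub, cert, edited, sign(other_priv, edited)))
```

`demo()` returns `(True, False, False)`: the image as signed passes, while an edited image fails both with the old signature and when re-signed with a key the root never endorsed, even though the whole algorithm is in plain view.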


Old 03-06-2018, 12:11 PM
  #18  
17A8Vette

Originally Posted by Telepierre
Interesting topic and beyond my specialty but I have glimpsed at "advanced" ECMs cracked via circuit bypasses or outright module spoofing which is obviously even more expensive and then becomes an ROI discussion..
That'd be neat, but the CPUs they are using in these new ECUs have hardware-based cryptographic features (see NXP MPC5777). The goal is to use these features to encrypt every message in the vehicle, so no man-in-the-middle type exploits will work.
Old 03-06-2018, 09:32 PM
  #19  
KnightDriveTV

^ Interesting lurker in the shadows there....3 posts in 9 months...lol.
Old 03-07-2018, 05:22 AM
  #20  
Telepierre

Originally Posted by 17A8Vette
That'd be neat, but the CPUs they are using in these new ECUs have hardware-based cryptographic features (see NXP MPC5777). The goal is to use these features to encrypt every message in the vehicle, so no man-in-the-middle type exploits will work.
Wish I had time to look into that. The implied CPU power to do the above at ECM speeds surprises me a bit and shows my age too..

Back to ROI; I wonder why the lock down?

Warranty and road law compliance? Maybe...

But maybe GM is seeing all this modding/tuning money slushing around and wants a piece of the action..

I just finished reading a post on Corvette offering a "magical" aftermarket air intake for track-only use that, coupled with the cats OEM delete, takes the ZR1 to an alleged 840 (or so) HP! WITHOUT the need for tuning.

I consider this an OEM "mod" play whereby the mod "option" is already built in the locked down ECM...

I can foresee the "mod" battle going upscale... with the $400 tune making place for the $4000 controller...

Last edited by Telepierre; 03-07-2018 at 05:24 AM.

