ZR1 un-tunable?
#1
Le Mans Master
Thread Starter
It's a bit early to make this prediction, but it's worth mentioning. I've been reading that certain 2019 and up GM gasoline ECMs will be following the example GM started with their 2017 diesel lineup.
https://forum.efilive.com/showthread...-Duramax/page8
Other manufacturers have been playing with this for a while, with varying degrees of success. In a nutshell, the ECM has security protocols that will prevent it from running software that doesn't have a unique cryptographic signature. On some of the older Bosch and Chrysler ECMs, you can do a hardware modification that involves opening the ECM and physically disabling the crypto function. But GM went a step further and even locked that down on the diesels.
So if this bit about the 2019s is true, then my guess is the first car out of the gate with this 'feature' would be the ZR1. One of the vendors on here said the ZR1 has an "E99" ECM, which is a brand new part. There are already credible rumors about GM adding some kind of 'cybersecurity' to the vehicle data network starting in 2017. I've done some digging into the software in the HMI modules and those are cryptographically locked down as well. There is definitely precedent for this.
Someone will inevitably say "it'll just take some smart people to figure it out". That person may as well admit they have no clue how this stuff actually works. If the hardware and software are implemented properly, this will be impossible to bypass.
Popular Reply
05-16-2018, 12:06 AM
#2
Pro
Interesting, but a lot on that thread went over my head... Have those vehicles (or any) been officially deemed "untunable", and has everyone effectively given up on cracking the encryption? From one of the posts it looked like you could point some cryptocurrency mining equipment at attempting to break the "keys", lol, but as your post above states, I have very little clue what I am talking about.
#3
Le Mans Master
Thread Starter
Originally Posted by HTXSkydiver
Have those vehicles (or any) been officially deemed "untunable" and everyone has effectively given up on cracking the encryption?
EFI Live has officially given up. Banks seems to be focusing on piggybacks and a full standalone system that really only works on stripped down race trucks. There was a vague reference to some kind of hardware mod from HP Tuners, but I can't find anything credible about it.
Some people keep falling back on "well it took 2 years to crack the LMM engine so give it time". But that seems to be more of a statement of faith from hopeful customers rather than anything from an actual vendor.
I don't know what the current state of the art is for the German performance market either. I know it was starting to get a little iffy when they started rolling out signed ECUs a few years back.
The following users liked this post:
ramairhart (03-06-2018)
#4
Pro
On the first page of that thread they mention that Google "attacked" the SHA-1 algorithm by duplicating its hash using the equivalent computing power of 1 GPU over 110 years. To bring the calculation time down to 1 day they could use approximately 40,150 GPUs at once, if all were calculating different iterations. This is obviously assuming the ECU uses this type of "encryption" and also that GM does not change one or both of the "keys" in that time frame.
Larger cryptocurrency mining pools use significantly more GPUs (and hashing power) than what would be required, based on this extremely rough and likely incorrect estimation, allowing them to crack the ECU in hours if not minutes.
I hope someone with some better knowledge and understanding can chime in
#5
Le Mans Master
Thread Starter
Supposedly GM is using SHA-256. As you mentioned, they have the capability to change keys whenever they want. The only thing stopping them from having a different key for every day of the year is the logistics of tracking which key was used when it comes time to do a service update. That could be as simple as a date stamp burned into the memory of the module as it hits the end of the assembly line.
#6
Le Mans Master
I have an EFI, GDE tuned 2018 GMC Diesel. They said it was unhackable; that lasted about a month. LOL
Last edited by Suns_PSD; 02-27-2018 at 04:17 PM.
The following 3 users liked this post by Suns_PSD:
#7
Supporting Vendor
Member Since: Dec 2016 | Location: Lookin over Hoover Dam | Posts: 3,513 | Received 2,314 Likes on 990 Posts
This "unhackable" PCM/ECU issue dates back quite a bit, honestly. I can recall the S2000 being released and being believed to be untunable; same with the GTR. If there is a demand, there will be a way. It may not be immediate, but it'll happen one way or another.
I personally don't see it happening. In my opinion, the more they claim it can't be tuned, the more it pushes the aftermarket to pour R&D into it to get the notoriety of being the first to break the claim.
The following users liked this post:
Fernando@LGMotorsports (02-27-2018)
#8
Le Mans Master
Thread Starter
Originally Posted by K.I.T.T.
I can recall the S2000 being released and being believed it was untunable, same with the GTR. If there is a demand, there will be a way.
BTW, if you're talking about a Colorado/Canyon diesel, those aren't locked down like the full size trucks are. Not yet, anyway.
Last edited by Steve Garrett; 05-15-2018 at 05:22 PM. Reason: Merge Posts
The following 4 users liked this post by KnightDriveTV:
dmaxx3500 (03-06-2018),
Fernando@LGMotorsports (02-27-2018),
Glenmcp (03-07-2018),
vettefordays (04-15-2019)
#10
Le Mans Master
Thread Starter
Tuning an engine with someone else's software is a lot different from reverse engineering an ECU and writing the tuning software itself. Being able to take amazing photos has nothing to do with building a camera.
We're talking about electronics and software. Not engines.
I've got 20 years in information technology and a bit over 10 in reverse engineering embedded software. I'm sure you can tune circles around me, but I can tell you how a line of software code actually becomes something tangible and real like an injector pulse or a spark event.
The following 2 users liked this post by Jeff V.:
DocScott (02-12-2019),
Telepierre (03-03-2018)
#11
Realistically, somebody from the inside will leak the methodology (or be paid for it).
I sent HP Tuners an ECM and supplied them with a ZR1 VIN. They were able to flash it with SPS on a bench, and they emailed me only saying "bad news" with no explanation. However... I don't know that they'll just give up.
#12
Le Mans Master
#13
Le Mans Master
Thread Starter
Realistically, somebody from the inside will leak the methodology (or be paid for it).
I sent HP Tuners an ECM and supplied them with a ZR1 VIN. They were able to flash it with SPS on a bench, and they emailed me only saying "bad news" with no explanation. However... I don't know that they'll just give up.
That also doesn't prevent GM from changing the key on the next run of ECMs. Assuming they don't periodically change them to begin with. That's the really crazy part about this. If they're using public key cryptography, then GM themselves could publish the exact protocol used...and it wouldn't matter. The methodology for this stuff has been public for years. This type of cryptography is used for things like online banking. The system is strong because it's public. It's only recently that the cost and performance of the electronics capable of doing the math has gotten to a point where it's practical to include in things like ECMs.
Some systems were just obfuscation rather than encryption, and so were trivial to crack. Other encryption systems have been broken or bypassed in the past. This one might fall too. Or it might not. The next few months will be interesting.
#14
Safety Car
Member Since: Jan 2012 | Location: Cin City | Posts: 4,885 | Received 481 Likes on 317 Posts | St. Jude Donor '14
We programmed the E99 PCM we have with a ZR1 VIN and sent it in to HPT on Valentine's Day. I checked in with them this morning and the "official" status is:
"under development" no ETA
Hoping they come through by the end of March!
#15
Le Mans Master
Thread Starter
Don't get me wrong. I hope someone finds a back door into this thing. But the things I'm reading lately have me really concerned.
#16
Interesting topic, and beyond my specialty, but I have glimpsed "advanced" ECMs cracked via circuit bypasses or outright module spoofing, which is obviously even more expensive and then becomes an ROI discussion...
#17
But basically it's a SHA-256 hash that's signed with a 2048-bit RSA key, which is signed again with another 2048-bit RSA key. In other words, unless you have the keys, you ain't goin' in the front door.
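The signature-checked firmware the thread starter describes in post #1 and the chained hash/RSA scheme in post #17, as an added working model that is not part of this thread and not GM, EFILive or HP Tuners code. Assumptions, so it runs stand-alone: textbook RSA on the raw SHA-256 digest with 512-bit demo keys (a real ECM would use padded 2048-bit RSA or ECDSA and keep the keys in hardware), and an invented image layout where the release-signing public key travels with the code and is itself signed by a root key that is the only thing the ECM trusts up front. It also shows the point made in post #13: knowing the whole algorithm and generating your own keys gets you nowhere, because the root signature on your key will not verify.

```python
"""Toy model of a two-level signed-firmware check (root key -> signing key -> code).

Added illustration, not GM/EFILive/HPT code. Key sizes, image layout and names
are assumptions chosen to keep the demo fast and dependency-free.
"""
import hashlib
import secrets

E = 65537  # standard RSA public exponent


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; fine for a demo key, not an audited key generator."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if _is_probable_prime(cand):
            return cand


def gen_keypair(bits=512):
    """Return ((n, e), (n, d)); n must exceed 256 bits so the digest fits under it."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            return (n, E), (n, pow(E, -1, phi))


def sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def encode_pub(pub):
    """Canonical bytes of a public key, so the root key can sign it."""
    return b"%d:%d" % pub


def build_image(code, root_priv, signing_priv, signing_pub):
    """What a release tool produces: code, the leaf key, root's signature on it, leaf's on code."""
    return {
        "code": code,
        "signing_pub": signing_pub,
        "cert_sig": sign(root_priv, encode_pub(signing_pub)),  # root vouches for leaf key
        "fw_sig": sign(signing_priv, code),                    # leaf key vouches for code
    }


def ecm_boot_check(root_pub, image):
    """Secure-boot decision; only root_pub (burned into ROM) is trusted a priori."""
    if not verify(root_pub, encode_pub(image["signing_pub"]), image["cert_sig"]):
        return "REJECT: signing key not certified by root"
    if not verify(image["signing_pub"], image["code"], image["fw_sig"]):
        return "REJECT: firmware hash does not match signature"
    return "RUN"


def demo():
    root_pub, root_priv = gen_keypair()
    lf_pub, lf_priv = gen_keypair()  # the OEM's release-signing key
    code = b"CAL_TABLE spark_adv=20 boost_limit=1.2"  # constructed stand-in for a calibration
    genuine = build_image(code, root_priv, lf_priv, lf_pub)
    tuned = code.replace(b"1.2", b"1.9")

    # 1. Edit one calibration value, keep the original signatures.
    tampered = dict(genuine, code=tuned)
    # 2. Know the full algorithm, generate own keys, sign everything yourself.
    at_pub, at_priv = gen_keypair()
    resigned = build_image(tuned, at_priv, at_priv, at_pub)
    # 3. Reuse the genuine certificate but sign the new code with your own key.
    reused_cert = dict(genuine, code=tuned, fw_sig=sign(at_priv, tuned))

    return {name: ecm_boot_check(root_pub, img) for name, img in
            [("genuine", genuine), ("tampered", tampered),
             ("resigned", resigned), ("reused_cert", reused_cert)]}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-12s %s" % (name, outcome))
```

Every path except the genuine image ends in a reject, and none of the rejects depend on the algorithm being secret; what the tuner lacks is the root private key, which never leaves the OEM. The "hardware mod" route mentioned for older Bosch and Chrysler units attacks the part this model leaves out: the code that calls `ecm_boot_check` and the ROM holding `root_pub`, which is why moving that check into protected hardware closes the door.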
#18
That'd be neat, but the CPUs they are using in these new ECUs have hardware-based cryptographic features (see NXP MPC5777). The goal is to use these features to encrypt every message in the vehicle, so no man-in-the-middle type exploits will work.
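The per-message protection post #18 alludes to, as an added example that is neither GM's nor NXP's protocol and not code from this thread. What an on-chip crypto engine makes cheap enough to run on every frame is a keyed check, so the assumptions here are: a classic 8-byte CAN data field split into 4 payload bytes plus a 4-byte truncated MAC, a freshness counter kept on both ends and never transmitted (the receiver tolerates a window of lost frames), and HMAC-SHA256 from the standard library standing in for the AES-CMAC a SecOC-style deployment would use. The arbitration ID, key and payload values are constructed for the demo.

```python
"""Authenticated CAN-style frames with an untransmitted freshness counter.

Added illustration, not an OEM protocol. HMAC-SHA256 stands in for AES-CMAC;
the ID, key and payloads below are constructed demo values.
"""
import hashlib
import hmac
import struct

DATA_LEN = 8                     # classic CAN data field
TAG_LEN = 4                      # bytes of truncated MAC carried in each frame
PAYLOAD_LEN = DATA_LEN - TAG_LEN


def _tag(key, can_id, counter, payload):
    # ID and counter are covered by the MAC but not sent: spoofing an ID or
    # replaying an old frame changes the tag the receiver expects.
    msg = struct.pack(">HQ", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.counter = key, can_id, 0

    def send(self, payload):
        if len(payload) != PAYLOAD_LEN:
            raise ValueError("payload must be %d bytes" % PAYLOAD_LEN)
        self.counter += 1
        return payload + _tag(self.key, self.can_id, self.counter, payload)


class Receiver:
    def __init__(self, key, can_id, window=8):
        self.key, self.can_id, self.counter, self.window = key, can_id, 0, window

    def receive(self, data):
        """Return (accepted, reason, payload); resynchronises across up to `window` lost frames."""
        if len(data) != DATA_LEN:
            return False, "bad length", None
        payload, tag = data[:PAYLOAD_LEN], data[PAYLOAD_LEN:]
        for c in range(self.counter + 1, self.counter + 1 + self.window):
            if hmac.compare_digest(tag, _tag(self.key, self.can_id, c, payload)):
                self.counter = c  # advance only on a verified frame
                return True, "ok", payload
        return False, "MAC/freshness check failed", None


def demo():
    key = bytes(range(16))   # constructed demo key; in practice it lives in the HSM
    torque_id = 0x0C1        # hypothetical "torque request" arbitration ID
    tx, rx = Sender(key, torque_id), Receiver(key, torque_id)
    results = {}

    good = tx.send(struct.pack(">I", 250))               # a 250 Nm request
    results["genuine"] = rx.receive(good)[1]
    results["replay"] = rx.receive(good)[1]              # same frame again: counter used up

    edited = struct.pack(">I", 400) + good[PAYLOAD_LEN:]  # man-in-the-middle bumps the value
    results["mitm_edit"] = rx.receive(edited)[1]

    forged = Sender(b"\x00" * 16, torque_id).send(struct.pack(">I", 400))  # no key, guessed one
    results["no_key"] = rx.receive(forged)[1]

    for _ in range(3):                                    # three frames lost on the bus
        tx.send(struct.pack(">I", 250))
    results["after_loss"] = rx.receive(tx.send(struct.pack(">I", 260)))[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-10s %s" % (name, outcome))
```

With a 32-bit tag a spoofing node has roughly a one in four billion chance per frame per counter value, and the window bounds how many counter values are live at once; real designs tune the tag and window to the bus rate and then lean on the hardware engine so the check costs nothing per frame. Note what this does not do: it protects messages between modules that share the key, but it does not by itself stop someone reflashing a module, which is the separate signed-firmware question the rest of the thread is about.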
#20
Back to ROI; I wonder why the lockdown?
Warranty and road-law compliance? Maybe...
But maybe GM is seeing all this modding/tuning money sloshing around and wants a piece of the action...
I just finished reading a post on Corvette offering a "magical" aftermarket air intake for track-only use that, coupled with the OEM cat delete, takes the ZR1 to an alleged 840 (or so) HP! WITHOUT the need for tuning.
I consider this an OEM "mod" play whereby the mod "option" is already built into the locked-down ECM...
I can foresee the "mod" battle going upscale... with the $400 tune making way for the $4000 controller...
Last edited by Telepierre; 03-07-2018 at 05:24 AM.