
ZR1 un-tunable?

 
Old 02-27-2018, 02:56 PM
  #1  
Jeff V.
CF Senior Member
Thread Starter
 
Member Since: Dec 2017
Location: Kansas City MO
Posts: 1,972
Liked 828 Times in 499 Posts

It's a bit early to make this prediction, but it's worth mentioning. I've been reading that certain 2019 and up GM gasoline ECMs will be following the example GM started with their 2017 diesel lineup.

https://forum.efilive.com/showthread...-Duramax/page8

Other manufacturers have been playing with this for a while, with varying degrees of success. In a nutshell, the ECM has security protocols that will prevent it from running software that doesn't have a unique cryptographic signature. On some of the older Bosch and Chrysler ECMs, you can do a hardware modification that involves opening the ECM and physically disabling the crypto function. But GM went a step further and even locked that down on the diesels.

So if this bit about the 2019s is true, then my guess is the first car out of the gate with this 'feature' would be the ZR1. One of the vendors on here said the ZR1 has an "E99" ECM, which is a brand new part. There are already credible rumors about GM adding some kind of 'cybersecurity' to the vehicle data network starting in 2017. I've done some digging into the software in the HMI modules and those are cryptographically locked down as well. There is definitely precedent for this.

Someone will inevitably say "it'll just take some smart people to figure it out". That person may as well admit they have no clue how this stuff actually works. If the hardware and software are implemented properly, this will be impossible to bypass.
Old 02-27-2018, 03:22 PM
  #2  
HTXSkydiver
CF Senior Member
 
Member Since: Nov 2017
Location: Houston Texas
Posts: 456
Liked 247 Times in 139 Posts

Interesting, but a lot on that thread went over my head... Have those vehicles (or any) been officially deemed "untunable" and everyone has effectively given up on cracking the encryption? From one of the posts it looked like you could point some cryptocurrency mining equipment at attempting to break the "keys" lol, but as your post above states, I have very little clue of what I am talking about.
Old 02-27-2018, 03:44 PM
  #3  
Jeff V.

Originally Posted by HTXSkydiver
Have those vehicles (or any) been officially deemed "untunable" and everyone has effectively given up on cracking the encryption?

I'm not well versed on who sells what in the diesel market. The only reason I care about them at all is because this ECM situation interests me.

EFI Live has officially given up. Banks seems to be focusing on piggybacks and a full standalone system that really only works on stripped down race trucks. There was a vague reference to some kind of hardware mod from HP Tuners, but I can't find anything credible about it.

Some people keep falling back on "well it took 2 years to crack the LMM engine so give it time". But that seems to be more of a statement of faith from hopeful customers rather than anything from an actual vendor.

I don't know what the current state of the art is for the German performance market either. I know it was starting to get a little iffy when they started rolling out signed ECUs a few years back.
Old 02-27-2018, 03:53 PM
  #4  
HTXSkydiver

On the first page of that thread they mention Google "attacked" the SHA-1 algorithm by duplicating its hash using the equivalent computing power of 1 GPU over 110 years. To bring the calculation time down to 1 day they could use approximately 40,150 GPUs at once, if all calculating different iterations. This is obviously assuming the ECU uses this type of "encryption" and also that GM does not change one or both of the "keys" in that time frame.

Larger cryptocurrency mining pools use significantly more GPUs (and hashing power) than what would be required, based on this extremely rough and likely incorrect estimation, allowing them to crack the ECU in hours if not minutes.

I hope someone with some better knowledge and understanding can chime in
Old 02-27-2018, 04:03 PM
  #5  
Jeff V.

Supposedly GM is using SHA-256. As you mentioned, they have the capability to change keys whenever they want. The only thing stopping them from having a different key for every day of the year is the logistics of tracking which key was used when it comes time to do a service update. That could be as simple as a date stamp burned into the memory of the module as it hits the end of the assembly line.
Old 02-27-2018, 04:16 PM
  #6  
Suns_PSD
CF Senior Member
 
Member Since: Oct 2012
Location: Texas
Posts: 6,499
Liked 272 Times in 209 Posts

I have an EFI, GDE tuned 2018 GMC Diesel. They said it was unhackable, that lasted about a month. LOL

Last edited by Suns_PSD; 02-27-2018 at 04:17 PM.
Old 02-27-2018, 04:22 PM
  #7  
K.I.T.T.
CF Senior Member
 
Member Since: Dec 2016
Location: Lookin over Hoover Dam
Posts: 1,964
Liked 687 Times in 376 Posts

This "unhackable" pcm/ecu issue dates back quite a bit honestly. I can recall the S2000 being released and being believed it was untunable, same with the GTR. If there is a demand, there will be a way. It may not be immediate, but it'll happen one way or another.

I personally don't see it happening. In my opinion, the more they claim it can't be tuned, the more it pushes the aftermarket to pour R&D into it to get the notoriety of being the first to break the claim.
Old 02-27-2018, 04:24 PM
  #8  
Jeff V.

Originally Posted by Suns_PSD
I have an EFI, GDE tuned 2018 GMC Diesel. They said it was unhackable, that lasted about a month. LOL

Did they actually reprogram the ECM, or did they put piggybacks on it? For something supposedly so easy to do, especially in the face of so many people claiming it's impossible, you'd think I'd easily find it for sale on that vendor's website. They'd be bragging about it very loudly.

Originally Posted by K.I.T.T.
I can recall the S2000 being released and being believed it was untunable, same with the GTR. If there is a demand, there will be a way.

And here's the "act of faith" guy I mentioned in the first post

BTW, if you're talking about a Colorado/Canyon diesel, those aren't locked down like the full size trucks are. Not yet, anyway.

Last edited by Steven Bell; 05-15-2018 at 05:22 PM. Reason: Merge Posts
Old 02-27-2018, 04:45 PM
  #9  
K.I.T.T.

20yrs+ in the automotive aftermarket, 12+ yrs as an engine management tuner and having run a small vehicle manufacturer, I'd say I'm a bit more than your derogatory term.
Old 02-27-2018, 05:12 PM
  #10  
Jeff V.

Originally Posted by K.I.T.T.
20yrs+ in the automotive aftermarket, 12+ yrs as an engine management tuner and having run a small vehicle manufacturer, I'd say I'm a bit more than your derogatory term.

Rather than bragging, please explain a viable path for reversing or bypassing hardware based RSA signatures. Hell, just provide an example of where it's been done. An actual, specific example rather than something vague like "well, they cracked the LMM".

Tuning an engine with someone else's software is a lot different from reverse engineering an ECU and writing the tuning software itself. Being able to take amazing photos has nothing to do with building a camera.

We're talking about electronics and software. Not engines.

I've got 20 years in information technology and a bit over 10 in reverse engineering embedded software. I'm sure you can tune circles around me, but I can tell you how a line of software code actually becomes something tangible and real like an injector pulse or a spark event.
Old 02-27-2018, 08:34 PM
  #11  
DSX Tuning
Supporting Vendor
 
Member Since: Feb 2017
Posts: 349
Liked 59 Times in 36 Posts

Realistically, somebody from the inside will leak the methodology (or be paid for it).

I sent HP Tuners an ECM and supplied them with a ZR1 VIN. They were able to flash it with SPS on a bench, and they emailed me only saying "bad news" with no explanation. However... I don't know that they'll just give up.
Old 02-27-2018, 10:07 PM
  #12  
Suns_PSD

Originally Posted by Jeff V.
BTW, if you're talking about a Colorado/Canyon diesel, those aren't locked down like the full size trucks are. Not yet, anyway.

It's a Canyon, true tune.
Old 02-27-2018, 10:38 PM
  #13  
Jeff V.

Originally Posted by DSX Tuning
Realistically, somebody from the inside will leak the methodology (or be paid for it).
I sent HP Tuners an ECM and supplied them with a ZR1 VIN. They were able to flash it with SPS on a bench, and they emailed me only saying "bad news" with no explanation. However... I don't know that they'll just give up.

The actual private keys are only available to very specific people. It's actually possible that nobody knows the real keys. The keys could have been generated by an automated system, and the only thing available to users is a request to sign a calibration file before publishing it to TIS. Even if someone did know the actual keys, that person would be throwing their career away and possibly opening themselves up to legal action.

That also doesn't prevent GM from changing the key on the next run of ECMs. Assuming they don't periodically change them to begin with. That's the really crazy part about this. If they're using public key cryptography, then GM themselves could publish the exact protocol used...and it wouldn't matter. The methodology for this stuff has been public for years. This type of cryptography is used for things like online banking. The system is strong because it's public. It's only recently that the cost and performance of the electronics capable of doing the math has gotten to a point where it's practical to include in things like ECMs.

Some systems were just obfuscation rather than encryption, and so were trivial to crack. Other encryption systems have been broken or bypassed in the past. This one might fall too. Or it might not. The next few months will be interesting.
Old 02-28-2018, 02:24 PM
  #14  
Ben@WeaponX
Supporting Vendor
 
Member Since: Jan 2012
Location: Cin City
Posts: 4,751
Liked 410 Times in 287 Posts
St. Jude Donor '14

We programmed the E99 PCM we have with a ZR1 VIN and sent it in to HPT on Valentine's Day. I checked in with them this morning and the "official" status is:

"under development" no ETA

Hoping they come through by the end of March!
Old 02-28-2018, 03:22 PM
  #15  
Jeff V.

Don't get me wrong. I hope someone finds a back door into this thing. But the things I'm reading lately have me really concerned.
Old 03-03-2018, 12:19 PM
  #16  
Telepierre
CF Senior Member
Member Since: Oct 2009
Posts: 1,469
Liked 150 Times in 114 Posts

Interesting topic and beyond my specialty but I have glimpsed at "advanced" ECMs cracked via circuit bypasses or outright module spoofing which is obviously even more expensive and then becomes an ROI discussion..
Old 03-06-2018, 12:08 PM
  #17  
17A8Vette
Junior Member
 
Member Since: Mar 2017
Posts: 4
Likes: 0
Liked 3 Times in 1 Post

Originally Posted by Jeff V.
If they're using public key cryptography, then GM themselves could publish the exact protocol used...and it wouldn't matter.

They did precisely that. They filed patents on the security model used in these ECUs. Google patents by GM Global Technical Operations LLC, and you'll find it.

But basically it's a SHA-256 hash that's signed with a 2048 bit RSA key, which is signed again with another 2048 bit RSA key. In other words, unless you have the keys, you ain't goin' in the front door.
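The two-level scheme described in post #17, and the point in post #13 that publishing the protocol does not help, shown as an added example; it is not code from the thread, from GM, or from any vendor. It assumes "signed again" means a root key vouches for the signing key's public modulus, uses constructed toy keys built from Mersenne primes (trivially factorable, not real 2048-bit keys), simplifies the PKCS#1 v1.5 padding, and every name in it is hypothetical.

```python
import hashlib

E = 65537  # public exponent, the usual RSA choice

def toy_key(a, b):
    """Toy RSA key from Mersenne primes 2^a-1 and 2^b-1 (factorable on sight; demo only)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus n, private exponent d)

def n_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def encode(data, n):
    """SHA-256 digest, padded 00 01 FF..FF 00 to the modulus size (simplified PKCS#1 v1.5)."""
    digest = hashlib.sha256(data).digest()
    pad = b"\xff" * (len(n_bytes(n)) - len(digest) - 3)
    return int.from_bytes(b"\x00\x01" + pad + b"\x00" + digest, "big")

def sign(data, n, d):
    return pow(encode(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == encode(data, n)

# Constructed keys: the private halves (the d values) stay with the signing service.
ROOT_N, ROOT_D = toy_key(1279, 2203)  # root key; only ROOT_N is stored in the module
SIGN_N, SIGN_D = toy_key(521, 607)    # signing key; can be rotated without touching ROOT_N

def build_package(cal, sign_n=SIGN_N, sign_d=SIGN_D, root_n=ROOT_N, root_d=ROOT_D):
    """Signing side: sign the calibration, then have the root key vouch for the signing key."""
    return {"cal": cal, "cal_sig": sign(cal, sign_n, sign_d),
            "sign_n": sign_n, "key_sig": sign(n_bytes(sign_n), root_n, root_d)}

def module_accepts(pkg, trusted_root_n=ROOT_N):
    """Module side: uses public values only, so publishing this code gives nothing away."""
    if not verify(n_bytes(pkg["sign_n"]), pkg["key_sig"], trusted_root_n):
        return False  # signing key is not vouched for by the root key
    return verify(pkg["cal"], pkg["cal_sig"], pkg["sign_n"])

def demo():
    genuine = build_package(b"constructed calibration v1")
    edited = dict(genuine, cal=b"constructed calibration v1 (edited)")
    # Signed consistently, but under a key pair the trusted root never vouched for.
    other_n, other_d = toy_key(127, 607)
    foreign = build_package(b"constructed calibration v1", other_n, other_d, other_n, other_d)
    return module_accepts(genuine), module_accepts(edited), module_accepts(foreign)

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Because the module holds only `ROOT_N`, the signing key can change between production runs while old and new packages both verify against the same root.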
Old 03-06-2018, 12:11 PM
  #18  
17A8Vette

Originally Posted by Telepierre
Interesting topic and beyond my specialty but I have glimpsed at "advanced" ECMs cracked via circuit bypasses or outright module spoofing which is obviously even more expensive and then becomes an ROI discussion..

That'd be neat, but the CPUs they are using in these new ECUs have hardware-based cryptographic features (see NXP MPC5777). The goal is to use these features to encrypt every message in the vehicle, so no man-in-the-middle type exploits will work.
Old 03-06-2018, 09:32 PM
  #19  
K.I.T.T.

^ Interesting lurker in the shadows there....3 posts in 9 months...lol.
Old 03-07-2018, 05:22 AM
  #20  
Telepierre

Originally Posted by 17A8Vette
That'd be neat, but the CPUs they are using in these new ECUs have hardware-based cryptographic features (see NXP MPC5777). The goal is to use these features to encrypt every message in the vehicle, so no man-in-the-middle type exploits will work.

Wish I had time to look into that. The implied CPU power to do the above at ECM speeds surprises me a bit and shows my age too..

Back to ROI; I wonder why the lock down?

Warranty and road laws compliancy? maybe...

But maybe GM is seeing all this modding/tuning money slushing around and wants a piece of the action..

I just finished reading a post on Corvette offering a "magical" aftermarket air intake for track only use that coupled with the cats OEM delete takes the ZR1 to alleged 840 (or so) HP! WITHOUT the need for tuning.

I consider this an OEM "mod" play whereby the mod "option" is already built in the locked down ECM...

I can foresee the "mod" battle going upscale... with the $400 tune making place for the $4000 controller...

Last edited by Telepierre; 03-07-2018 at 05:24 AM.