SWT/FSC bypass for later ilevels

[superwofy]

Essentially this is just the HUTOOLS 2.6 public key patch applied to the NBTCarHU binary. This allows you to import FSCs generated by HUTOOLS 2.6.
Tested with 18-03, 23-07, 24-07.

Install with:

mount -uw /fs/sda0 && \
mv /fs/usb0/NBTCarHU /fs/sda0/opt/car/bin/ && \
chmod 0775 /fs/sda0/opt/car/bin/NBTCarHU && \
sleep 5 && \
mount -ur /fs/sda0 && sleep 5 && OnOffDSICommander appreset

If you need to clear the current persistence:

rm -r /var/opt/sys/persistence/* && \
rm -r /net/hu-jacinto/var/opt/sys/persistence/*

 

[gtodev]

Does this method work on NBT Evo?

 

[superwofy]

Does this method work on NBT Evo?

Well yes, that's the point.
I'm currently using that binary on my HW2.3 EVO (ID6 flashed) on iLevel 24-11.

Said binary is nothing more than a patched 18-03 file. The only modification is the replacement of the FSCS key and a signature check bypass. I didn't make it myself, it's extracted from HUTOOLS.

I'm working on one based 24-11 so that it matches the rest of the firmware. Not much is different in it.

 

[gtodev]

Ok but is there anything that this method will do but the hutools won't? I mean can I just do it using the hutools instead of going this process?

 

[superwofy]

Ok but is there anything that this method will do but the hutools won't? I mean can I just do it using the hutools instead of going this process?

If you're trying to bypass SWT on iLevels older than 18-11 (or whenever the USB exploit was patched), then no.

If you're on newer iLevels, the only way to bypass is either through SSH (which is what I've posted here) or some people have access to the L5 UDS key and can patch via ENET.

 

[Hoangtien05]

This method works but it will be canceled after 1 day of use and must reload fsc a second time and use OK

 

[flowjob]

Nice work! I like this method.

But I just tried it on my retrofit NBT Evo HW5.1 with 21-03 SW, which is on my bench (direct connection, no ZGW). After replacing the file on my Headunit with the file provided here, and deleting the two persistence folders, and coding the unit again, I created a full FSC set with HUTOOL 2.6 pre and tried to load them with E-Sys 3.30.1.

Unfortunately, the FSC get rejected with reason SWID_CHECK_FAILURE or sometimes FGN_CHECK_FAILURE when writing with E-Sys. Only the 170 FSC got accepted.

Any ideas why it could fail? Does it work only in the car with a time master present? Or is it because my HUTOOL 2.6 pre is somehow not the correct one?

Thanks in advance!

 

[superwofy]

Nice work! I like this method.

But I just tried it on my retrofit NBT Evo HW5.1 with 21-03 SW, which is on my bench (direct connection, no ZGW). After replacing the file on my Headunit with the file provided here, and deleting the two persistence folders, and coding the unit again, I created a full FSC set with HUTOOL 2.6 pre and tried to load them with E-Sys 3.30.1.

Unfortunately, the FSC get rejected with reason SWID_CHECK_FAILURE or sometimes FGN_CHECK_FAILURE when writing with E-Sys. Only the 170 FSC got accepted.

Any ideas why it could fail? Does it work only in the car with a time master present? Or is it because my HUTOOL 2.6 pre is somehow not the correct one?

Thanks in advance!

Based on what I've seen on my unit in the last few days since I've been playing with it / downgrading upgrading etc:

You're getting the SWID_CHECK_FAILURE because TrustedVIN is triggered. Check "is_lesen".
You're getting FGN_CHECK_FAILURE with 170 because there's no VIN 0x380 message sent. You can modify your emulator code to include the correct 0x380 or put it in the car. After connecting to the car, you need to clear the persistence again and then, upload 170.