SWT/FSC bypass for later ilevels

superwofy

Essentially this is just the HUTOOLS 2.6 public key patch applied to the NBTCarHU binary. This allows you to import FSCs generated by HUTOOLS 2.6.
Tested with 18-03, 23-07, 24-07.

Install with:
Code:
mount -uw /fs/sda0 && \
mv /fs/usb0/NBTCarHU /fs/sda0/opt/car/bin/ && \
chmod 0775 /fs/sda0/opt/car/bin/NBTCarHU && \
sleep 5 && \
mount -ur /fs/sda0 && sleep 5 && OnOffDSICommander appreset

If you need to clear the current persistence:
Code:
rm -r /var/opt/sys/persistence/* && \
rm -r /net/hu-jacinto/var/opt/sys/persistence/*
 

Attachments

  • NBTCarHU.zip
    1.4 MB · Views: 2,816

superwofy

> Does this method work on NBT Evo?

Well yes, that's the point.
I'm currently using that binary on my HW2.3 EVO (ID6 flashed) on iLevel 24-11.

Said binary is nothing more than a patched 18-03 file. The only modification is the replacement of the FSCS key and a signature check bypass. I didn't make it myself, it's extracted from HUTOOLS.

I'm working on one based on 24-11 so that it matches the rest of the firmware. Not much is different in it.
 

gtodev

Ok, but is there anything that this method will do but the hutools won't? I mean, can I just do it using the hutools instead of going through this process?
 

superwofy

> Ok, but is there anything that this method will do but the hutools won't? I mean, can I just do it using the hutools instead of going through this process?

If you're trying to bypass SWT on iLevels older than 18-11 (or whenever the USB exploit was patched), then no.

If you're on newer iLevels, the only way to bypass is either through SSH (which is what I've posted here) or some people have access to the L5 UDS key and can patch via ENET.
 

Hoangtien05

This method works but it will be canceled after 1 day of use and must reload fsc a second time and use OK
 

flowjob

Nice work! I like this method.

But I just tried it on my retrofit NBT Evo HW5.1 with 21-03 SW, which is on my bench (direct connection, no ZGW). After replacing the file on my Headunit with the file provided here, and deleting the two persistence folders, and coding the unit again, I created a full FSC set with HUTOOL 2.6 pre and tried to load them with E-Sys 3.30.1.

Unfortunately, the FSC get rejected with reason SWID_CHECK_FAILURE or sometimes FGN_CHECK_FAILURE when writing with E-Sys. Only the 170 FSC got accepted.

Any ideas why it could fail? Does it work only in the car with a time master present? Or is it because my HUTOOL 2.6 pre is somehow not the correct one?

Thanks in advance!
 

superwofy

> Nice work! I like this method.
>
> But I just tried it on my retrofit NBT Evo HW5.1 with 21-03 SW, which is on my bench (direct connection, no ZGW). After replacing the file on my Headunit with the file provided here, and deleting the two persistence folders, and coding the unit again, I created a full FSC set with HUTOOL 2.6 pre and tried to load them with E-Sys 3.30.1.
>
> Unfortunately, the FSC get rejected with reason SWID_CHECK_FAILURE or sometimes FGN_CHECK_FAILURE when writing with E-Sys. Only the 170 FSC got accepted.
>
> Any ideas why it could fail? Does it work only in the car with a time master present? Or is it because my HUTOOL 2.6 pre is somehow not the correct one?
>
> Thanks in advance!

Based on what I've seen on my unit in the last few days since I've been playing with it / downgrading upgrading etc:

You're getting the SWID_CHECK_FAILURE because TrustedVIN is triggered. Check "is_lesen".
You're getting FGN_CHECK_FAILURE with 170 because there's no VIN 0x380 message sent. You can modify your emulator code to include the correct 0x380 or put it in the car. After connecting to the car, you need to clear the persistence again and then, upload 170.
 

samsonx

@superwofy did you have a method to load FSCs via SSH? Don't have psdzdata for versions of idrive with the USB loading available.. Or should I just be using esys: FSC Extended->StoreFSC?
 

superwofy

> @superwofy did you have a method to load FSCs via SSH? Don't have psdzdata for versions of idrive with the USB loading available.. Or should I just be using esys: FSC Extended->StoreFSC?

Hi, no, I don't, sorry. The only way I can think of doing it via SSH is using the SWT persistency file, but you'd have to have a backup of it already.

I use just the basic FSC screen, not extended. Load the FSC, load the FA, set the address to 0x63 and hit identify. Then "upgrade fsc". That should be it.
 

samsonx

> Hi, no, I don't, sorry. The only way I can think of doing it via SSH is using the SWT persistency file, but you'd have to have a backup of it already.
>
> I use just the basic FSC screen, not extended. Load the FSC, load the FA, set the address to 0x63 and hit identify. Then "upgrade fsc". That should be it.

Ok, I will use this method. Thanks!

> Based on what I've seen on my unit in the last few days since I've been playing with it / downgrading upgrading etc:
>
> You're getting the SWID_CHECK_FAILURE because TrustedVIN is triggered. Check "is_lesen".
> You're getting FGN_CHECK_FAILURE with 170 because there's no VIN 0x380 message sent. You can modify your emulator code to include the correct 0x380 or put it in the car. After connecting to the car, you need to clear the persistence again and then, upload 170.

The setup I am using has a little CAS emulator box that seems to only be sending out 0x130 (Term 15 / R ON?) - at least looking from the OBD port on my bench harness. Which device normally sends 0x380 (and what contents?)? I found this page that pertains to my F1X: https://www.loopybunny.co.uk/CarPC/filter.php?filter=flag_KCAN2 but no mention of 0x380. I do have the means to send out custom messages via PCAN devices, can you point me to more info on the requirements for this message? This setup is only a bench setup and I don't intend to install it in a vehicle, it's just for development work.

EDIT: attached a CAN dump, I am sending out 0x380 with the last 7 of my VIN. Sending this CAN message does seem to prevent triggering component protection, but I still get the FGN_CHECK_FAILURE.

FGN_CHECK_FAILURE when trying to upgrade 6F FSC.. Using 24-11 i-level, and 18-03 HUTool2.6 file from this thread.. I read somewhere that the order of loading the FSCs matters? And should be in the order that it's displayed in the FSC status??
 

Attachments

  • can_dump_380.trc.txt
    11.1 KB · Views: 2

ferrycouk

Hi, I am quite new to the forum and to the NBT Evo as well. Very interesting post with such useful information on how to achieve the same thing FeatureInstaller does, but for the more technical users. I would like to try the UART way of enabling SSH access to my NBT EVO ID6 iLevel 22-03. Can I solder the pins for the UART and connect to it when installed and powered in the car? I do not have a bench setup to power it outside the car and send the required CAN messages to keep the HU on or wake it. Are they the same pins for all hardware versions? I am planning on enabling SSH access to install the patched file and be able to upload the self-signed FSC certificates to enable other functions not currently available. Would it be riskier to do it this way? Are there other pros and cons of using a bench setup for this task?
 

samsonx

If you are forced to enable ssh over uart connection, then I think it's worth just wiring that connection up only for the commands needed. I found running soldered tx,rx,gnd leads external in a harness very constrained on an assembled unit. I wouldn't install in vehicle like this.. I'd say buy or make a can filter box that can wake the unit and perform the ssh uart steps on the bench.

 

superwofy

> Ok, I will use this method. Thanks!
>
> The setup I am using has a little CAS emulator box that seems to only be sending out 0x130 (Term 15 / R ON?) - at least looking from the OBD port on my bench harness. Which device normally sends 0x380 (and what contents?)? I found this page that pertains to my F1X: https://www.loopybunny.co.uk/CarPC/filter.php?filter=flag_KCAN2 but no mention of 0x380. I do have the means to send out custom messages via PCAN devices, can you point me to more info on the requirements for this message? This setup is only a bench setup and I don't intend to install it in a vehicle, it's just for development work.
>
> EDIT: attached a CAN dump, I am sending out 0x380 with the last 7 of my VIN. Sending this CAN message does seem to prevent triggering component protection, but I still get the FGN_CHECK_FAILURE.
>
> FGN_CHECK_FAILURE when trying to upgrade 6F FSC.. Using 24-11 i-level, and 18-03 HUTool2.6 file from this thread.. I read somewhere that the order of loading the FSCs matters? And should be in the order that it's displayed in the FSC status??

Yes the order matters.
When the HU sees the "wrong" VIN for the first time it will trigger component protection. You'll see this in the error memory. You have to push the 0x170 certificate to unlock it then you can use the other certificates.

If 0x170 is not accepted it's usually because there's no VIN on the canbus or the VIN from the FA does not match the CAN VIN. To retry you have to clear the persistence again.