SWT / FSC patching

superwofy

This post is mostly informational. The HUtools that was leaked does exactly this and is way easier.

It's quite simple, nothing groundbreaking here. If you're familiar with how FSCs work, you'll know that BMW has their own PKI.
The certificate chain is composed of the Root, SigS and FscS certificates.

Long story short, in order to sign your own certificates, you need to replace these certificates in the NBTCarHUTwo binary.


To generate them, I used the following commands:
Code:
# [Root CA]
# Set date to 2002-09-19


openssl genrsa -3 -out root.key 2048


openssl req -x509 \
-days 9132 \
-md5 \
-set_serial 1001 \
-key root.key \
-out root.pem \
-subj "/DC=com/DC=bmwgroup/O=pki/OU=bmw-fzg-pki/CN=fzg-root-ca" \
-extensions v3_req \
-config <(echo -e "[v3_req]\nbasicConstraints=critical,CA:true,pathlen:0\nsubjectKeyIdentifier=none\nauthorityKeyIdentifier=none\nkeyUsage=critical,keyCertSign,cRLSign")


openssl x509 -outform der -in root.pem -out root.der


Code:
# [SigS]
# Set date to 2006-07-19
#
# RSA key for SigS needs to be 512 bit and have exponent 7. Go to: https://merri.cx/enigmator/cipher/rsa_keygen.html
# Use http://www.certificate.fyicenter.com/2147_FYIcenter_RSA_Private_Key_Generator.html#Result to generate the primes p,q


openssl req -x509 \
-md5 \
-key sigs.key \
-out sigs.pem \
-subj "/DC=com/DC=bmwgroup/O=pki/OU=bmw-fzg-pki/CN=CCC-SigS-Key"


openssl x509 -x509toreq -in sigs.pem -signkey sigs.key -out sigs-signed.csr -md5


openssl x509 -req \
-in sigs-signed.csr \
-CA root.pem \
-CAkey root.key \
-set_serial 1010 \
-out sigs-signed.pem \
-md5 \
-days 1827 \
-extensions v3_req \
-extfile <(echo -e "[v3_req]\nextendedKeyUsage=critical,codeSigning\nsubjectKeyIdentifier=none\nauthorityKeyIdentifier=none")


openssl x509 -outform der -in sigs-signed.pem -out sigs.der


Code:
# [FscS]
# Set date to 2007-07-30


openssl genrsa -3 -out fscs.key 1024


openssl req -x509 \
-md5 \
-key fscs.key \
-out fscs.pem \
-subj "/DC=com/DC=bmwgroup/O=pki/OU=bmw-fzg-pki/CN=zentrale Master Freischaltcodestelle-Produktiv"


openssl x509 -x509toreq -in fscs.pem -signkey fscs.key -out fscs-signed.csr -md5


openssl x509 -req \
-in fscs-signed.csr \
-CA root.pem \
-CAkey root.key \
-set_serial 1026 \
-out fscs-signed.pem \
-md5 \
-days 9132 \
-extensions v3_req \
-extfile <(echo -e "[v3_req]\nextendedKeyUsage=critical,1.3.6.1.4.1.513.10.1.1\nsubjectKeyIdentifier=none\nauthorityKeyIdentifier=none")


openssl x509 -outform der -in fscs-signed.pem -out fscs.der


Code:
# [Esys signing private key]
openssl rsa -in fscs.key -outform der > fscs.der


Replace the certificates in the binary, then:
Code:
# Save and clear persistence:
cp -rv /var/opt/sys/persistence /fs/usb0/hu-intel-persistence && \
cp -rv /net/hu-jacinto/var/opt/sys/persistence /fs/usb0/hu-jacinto-persistence && \
rm -r /var/opt/sys/persistence/* && \
rm -r /net/hu-jacinto/var/opt/sys/persistence/*


# Need mv because file is open
mount -uw /fs/sda0 && \
mv /fs/usb0/NBTCarHUTwo /opt/car/bin && \
chmod 0775 /opt/car/bin/NBTCarHUTwo && \
sleep 5 && mount -ur /fs/sda0 && OnOffDSICommander appreset


Example files that can be used are attached.
 

Attachments

  • certs.zip
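
The certificate commands in the post above use MD5 signatures, a 512-bit key with exponent 7 and a 1024-bit key with exponent 3. As an added example (not part of the original post), the shell function below reads `openssl x509 -noout -text` output and flags those parameters; the function names, thresholds and sample text are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag weak parameters in `openssl x509 -noout -text` output.
# The thresholds are this example's assumptions, not a BMW or OpenSSL policy.

audit_cert_text() {
  awk '
    # First "Signature Algorithm:" line names the digest used to sign the cert.
    /Signature Algorithm:/ && alg == "" { alg = $NF }
    # Matches both "Public-Key: (512 bit)" and "RSA Public-Key: (512 bit)".
    /Public-Key: [(]/ { bits = $0; sub(/.*[(]/, "", bits); sub(/ bit.*/, "", bits) }
    /Exponent:/ { e = $2 }
    END {
      if (tolower(alg) ~ /md5|sha1/)      print "WEAK-DIGEST " alg
      if (bits != "" && bits + 0 < 2048)  print "SHORT-RSA-KEY " bits
      if (e != "" && e + 0 < 65537)       print "SMALL-EXPONENT " e
    }'
}

# Audit a DER certificate file; the path is supplied by the caller.
audit_cert_file() {
  openssl x509 -inform der -in "$1" -noout -text | audit_cert_text
}

# Constructed sample: the fields a 512-bit, e=7, MD5-signed certificate shows.
sample_cert_text() {
  cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1010 (0x3f2)
        Signature Algorithm: md5WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Exponent: 7 (0x7)
    Signature Algorithm: md5WithRSAEncryption
EOF
}

# Demo run on the constructed sample; prints one finding per line.
sample_cert_text | audit_cert_text
```

An empty result means none of the three checks fired; it does not validate the chain or the extensions.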

pRoxxx

I think you forgot to put the actual patch in the archive, I mean patched NBTCarHUTwo.
 

superwofy

pRoxxx said:
I think you forgot to put the actual patch in the archive, I mean patched NBTCarHUTwo.

Not quite, the point of the post was to show how you can create your own PKI that you can use to self-sign your FSCs.

If you're not doing that, you can just use the leaked hutools as that's exactly what it does. It replaces the public key/certs in the binary and keeps its private secret. Exact same approach for EVO too.
 

kimizz

Have you figured out where the keys are located in NBT-EVO? I didn't find any key traces in NBTCarHU, even using binwalk, maybe they are encoded in some way?
I know that after patching the content in this file changes, but the area of changes is quite small and it does not fit any of the keys (0x035A300 - 0x35A37F).
FSC codes are stored in several locations, including:
/var/opt/sys/persistence
/fs/sda1/opt/sys/persistence
in files pers_NBTCarHUSwt and SWT
 

Attachments

  • EVO.jpg
  • swt.jpg

superwofy

kimizz said:
Have you figured out where the keys are located in NBT-EVO? I didn't find any key traces in NBTCarHU, even using binwalk, maybe they are encoded in some way?
I know that after patching the content in this file changes, but the area of changes is quite small and it does not fit any of the keys (0x035A300 - 0x35A37F).
FSC codes are stored in several locations, including:
/var/opt/sys/persistence
/fs/sda1/opt/sys/persistence
in files pers_NBTCarHUSwt and SWT

Indeed, EVO doesn't store whole certificates in that binary.
Instead what you're seeing there is the public key for SWT lite/FSCS. See attached.

HUTools replaces that key and I believe there's a slight instruction patch too. For personal use (i.e. if you're not making a tool to sell) I would just use this: https://www.spoolstreet.com/threads/swt-fsc-bypass-for-later-ilevels.9654/
 

Attachments

  • BMW-fscs-cert.der.zip