MS45 Development - Page 2 - E46Fanatics

Old 12-24-2017, 10:27 PM   #21
armenh7
Registered User
 
Join Date: Dec 2016
Location: California
Posts: 8,567
My Ride: 325i (Turbo M54B30)
Quote:
Originally Posted by eddyfb View Post
I was referring to the ms45 to ms43 swap. I also saw that ms45 tools could be released in ~2 years which is also the interval on emissions testing for me. So I could pass before doing headers and SAP delete then hope that the tools will be released before my next test. That is only if I win the ZHP at auction, if not there is an 01 330ci on Craigslist that is having emissions issues I could get for cheap.

I thought ms45 to ms43 swap was already done?
Old 12-24-2017, 10:44 PM   #22
eddyfb
Registered User
 
Join Date: Oct 2016
Location: HoCo, Maryland
Posts: 49
My Ride: 01 330ci | 04 330xi
Quote:
Originally Posted by armenh7 View Post
I thought ms45 to ms43 swap was already done?
Yeah, it's been done a few times before. I just wanted to hear how it went if he did it. In other threads some people have said it went fairly easily, and some others have said there were several roadblocks during the process.

__________________
'01 330ci track car | '04 330xi 6 speed
Old 12-24-2017, 11:22 PM   #23
armenh7
Registered User
 
Join Date: Dec 2016
Location: California
Posts: 8,567
My Ride: 325i (Turbo M54B30)
Quote:
Originally Posted by eddyfb View Post
Yeah, it's been done a few times before. I just wanted to hear how it went if he did it. In other threads some people have said it went fairly easily, and some others have said there were several roadblocks during the process.
I think over at zhpmafia is where it's done
Old 12-25-2017, 11:23 AM   #24
VitalyZHP
Ukrainian
 
Join Date: Sep 2006
Location: NJ
Posts: 612
My Ride: 04 330CI
Quote:
Originally Posted by eddyfb View Post
Did you finish this out? I was planning to get an 01-03 330ci, but a ZHP just showed up at auction I would like to get if this swap is doable.

Hey, was just gonna update this. I've read all threads I could find and PM'd members who've done the conversion. So, to make it plug n play and as painless as possible, here's what you're gonna need:
MS43 engine harness (plenty of them on eBay for cheap)
MS43 DME
MS43 MAF
Manual transmission/O2 sensors harness 12517520114 (6 speed in my case)
Ignition harness 12517518044 (for late style coils)
Alternator voltage regulator 2 pin 12317559183 plug n play
Intake temperature sensor 13621739510
Pre cat O2 sensors 11781742050 (I'm deleting post cat sensors)
Inpa cable for tuning. This one worked great https://www.amazon.com/gp/product/B0...?ie=UTF8&psc=1

Everything plugs right in, no mods or repining harness required. I then downloaded Siemens MSSX Flash tool from MS43 Wiki, emailed them my ID and screen name and had the registration key next day. The software works great, no bootmode required, just plug your laptop in and you're ready to read/write. I flashed it with Daniel's file and the car fired right up
Old 12-25-2017, 11:24 AM   #25
VitalyZHP
Ukrainian
 
Join Date: Sep 2006
Location: NJ
Posts: 612
My Ride: 04 330CI
Can the mods change the thread title? It has nothing to do with MS45 development anymore.
Old 12-25-2017, 11:42 AM   #26
daniel_f.
Registered User
 
Join Date: Jul 2011
Location: Germany
Posts: 3,106
My Ride: 330iC
Make it so it represents the title
__________________

No further development on MS4x from me.
Old 12-25-2017, 01:07 PM   #27
eddyfb
Registered User
 
Join Date: Oct 2016
Location: HoCo, Maryland
Posts: 49
My Ride: 01 330ci | 04 330xi
Awesome! Thanks for the update.

__________________
'01 330ci track car | '04 330xi 6 speed

Last edited by eddyfb; 12-25-2017 at 01:07 PM.
Old 06-04-2018, 06:31 PM   #28
armenh7
Registered User
 
Join Date: Dec 2016
Location: California
Posts: 8,567
My Ride: 325i (Turbo M54B30)
Hey guys I finally got my bdm pins aligned and read the full flash off of the DME. Here is the file sendspace.com/file/71hcwr
The DME is from a M56 SULEV but that shouldn't make a difference.
Hardware number 5WK93017 Index 02
Part number 7533652
VIN: WBAAZ33474KP85361
Last edited by armenh7; 06-07-2018 at 09:29 AM.
Old 06-09-2018, 10:57 PM   #29
blarf
Registered User
 
Join Date: Oct 2009
Location: Bay Area
Posts: 1,632
My Ride: 325iT, 540iT
Quote:
Originally Posted by armenh7 View Post
Hey guys I finally got my bdm pins aligned and read the full flash off of the DME. Here is the file sendspace.com/file/71hcwr
The DME is from a M56 SULEV but that shouldn't make a difference.
Hardware number 5WK93017 Index 02
Part number 7533652
VIN: WBAAZ33474KP85361
Nice.

I found another MS45.1 dump somewhere (am bummed that daniel's not been so receptive to sharing). Between that dump and all the info that Terra's put out there I slapped together a little program to scan ECU dumps for 512-bit public keys. Among the cool kids the MS45.1 keys are already known (public and private). But for the rest of us this can be a nice to have. Worked for me on the EGS image I found as well.

If you've got the public part, 512-bit keys are easy enough to factor that some folks set up some Ansible playbooks to use Amazon to factor keys in about 7 hours for about $100.

https://github.com/eniac/faas/

SHA256 sum of the binary on the left, download link (Mega) on the right

69c8e688a1766bea944e99ed78544df546c7ff5a84bdb50bb6df2357439f3b91 echidna-0.1.0-x86_64-pc-linux-gnu

[Attached image: echidna-0.1.0.gif]
__________________
Tooooools for rent

Last edited by blarf; 06-09-2018 at 11:25 PM.
Old 06-09-2018, 11:00 PM   #30
armenh7
Registered User
 
Join Date: Dec 2016
Location: California
Posts: 8,567
My Ride: 325i (Turbo M54B30)
Quote:
Originally Posted by blarf View Post
Nice.

I found another MS45.1 dump somewhere (am bummed that daniel's not been so receptive to sharing). Between that dump and all the info that Terra's put out there I slapped together a little program to scan ECU dumps for 512-bit public keys. Among the cool kids the MS45.1 keys are already known (public and private). But for the rest of us this can be a nice to have. Worked for me on the EGS image I found as well.

If you've got the public part, 512-bit keys are easy enough to factor that some folks set up some Ansible playbooks to use Amazon to factor keys in about 7 hours for about $100.

https://github.com/eniac/faas/

https://mega.nz/#!c7JmwbxC!qtUrPb_CS..._g55kfkdUVhAmc

Attachment 745850
Well I just graduated school and I'm not going to be taking any classes until August 27th so if you guys want me to do anything, go ahead and give me directions. I have some time on my hands
Old 06-09-2018, 11:07 PM   #31
blarf
Registered User
 
Join Date: Oct 2009
Location: Bay Area
Posts: 1,632
My Ride: 325iT, 540iT
The mega.nz link will take you to a Linux binary and the attached GIF shows how to use the tool to extract public keys (which, coincidentally, shows the four stock public keys). Factoring the key is an exercise for the reader. Terra has already factored at least one of the MS45.1 keys and a few others, presumably other folks have access.
__________________
Tooooools for rent
Old 06-09-2018, 11:10 PM   #32
armenh7
Registered User
 
Join Date: Dec 2016
Location: California
Posts: 8,567
My Ride: 325i (Turbo M54B30)
Quote:
Originally Posted by blarf View Post
The mega.nz link will take you to a Linux binary and the attached GIF shows how to use the tool to extract public keys (which, coincidentally, shows the four stock public keys). Factoring the key is an exercise for the reader. Terra has already factored at least one of the MS45.1 keys and a few others, presumably other folks have access.
So basically just set the software up and let it run for however long?
Old 06-09-2018, 11:16 PM   #33
blarf
Registered User
 
Join Date: Oct 2009
Location: Bay Area
Posts: 1,632
My Ride: 325iT, 540iT
Yes, but setting up the software to factor out the private key is fiddly. The software Terra used is basically abandoned at this point. You can find instructions in the Wayback Machine, but the link I posted above is nice because it uses Ansible to set up an EC2 cluster and run different (maintained, probably faster) software there. You could also pick through the Ansible playbooks and set up the same software locally (CADO-NFS), but Amazon will be much faster than most people's home computers. It's just time vs money really.
__________________
Tooooools for rent
Old 06-09-2018, 11:30 PM   #34
armenh7
Registered User
 
Join Date: Dec 2016
Location: California
Posts: 8,567
My Ride: 325i (Turbo M54B30)
Quote:
Originally Posted by blarf View Post
Yes, but setting up the software to factor out the private key is fiddly. The software Terra used is basically abandoned at this point. You can find instructions in the Wayback Machine, but the link I posted above is nice because it uses Ansible to set up an EC2 cluster and run different (maintained, probably faster) software there. You could also pick through the Ansible playbooks and set up the same software locally (CADO-NFS), but Amazon will be much faster than most people's home computers. It's just time vs money really.
I just want to say this for clarification
I just finished reading the readme for the github and setting it up seems easy but it looks like it's made to work with amazon.
Cado-nfs will work locally. I have very very limited knowledge with this stuff but I'm willing to learn and help out
Old 06-09-2018, 11:36 PM   #35
blarf
Registered User
 
Join Date: Oct 2009
Location: Bay Area
Posts: 1,632
My Ride: 325iT, 540iT
Quote:
Originally Posted by armenh7 View Post
I just want to say this for clarification
I just finished reading the readme for the github and setting it up seems easy but it looks like it's made to work with amazon.
Cado-nfs will work locally. I have very very limited knowledge with this stuff but I'm willing to learn and help out
Yes. faas (factorization as a service) is a set of Ansible playbooks to set up CADO-NFS on a cluster of Amazon EC2 instances and factor large numbers. You can set CADO-NFS up locally either by going through the steps the playbooks do or by finding other instructions. The difference is that while factoring a 512-bit key on your desktop computer might take a week or more, the cluster faas sets up can usually plow through a 512-bit key in about 7 hours at a cost of around $100 in Amazon fees.

Here's a writeup about it:

https://arstechnica.com/information-...the-weak-keys/
__________________
Tooooools for rent
Old 06-09-2018, 11:39 PM   #36
armenh7
Registered User
 
Join Date: Dec 2016
Location: California
Posts: 8,567
My Ride: 325i (Turbo M54B30)
Quote:
Originally Posted by blarf View Post
Yes. faas (factorization as a service) is a set of Ansible playbooks to set up CADO-NFS on a cluster of Amazon EC2 instances and factor large numbers. You can set CADO-NFS up locally either by going through the steps the playbooks do or by finding other instructions. The difference is that while factoring a 512-bit key on your desktop computer might take a week or more, the cluster faas sets up can usually plow through a 512-bit key in about 7 hours at a cost of around $100 in Amazon fees.

Here's a writeup about it:

https://arstechnica.com/information-...the-weak-keys/
Understood. I found some instructions on setting up cado-nfs online and it doesn't seem too difficult. I'm also reading this that I just saw to see if it helps me bit.ly/2JHmKDS
Old 06-09-2018, 11:44 PM   #37
blarf
Registered User
 
Join Date: Oct 2009
Location: Bay Area
Posts: 1,632
My Ride: 325iT, 540iT
Yeah I'm running CADO-NFS on a BSD so it's a bit more tedious to set up than on Linux. ggnfs was pretty much broken out of the box and the forum referencing it is dead so I moved on pretty quickly.
__________________
Tooooools for rent
Old 06-09-2018, 11:47 PM   #38
armenh7
Registered User
 
Join Date: Dec 2016
Location: California
Posts: 8,567
My Ride: 325i (Turbo M54B30)
Quote:
Originally Posted by blarf View Post
Yeah I'm running CADO-NFS on a BSD so it's a bit more tedious to set up than on Linux. ggnfs was pretty much broken out of the box and the forum referencing it is dead so I moved on pretty quickly.
So did you already know how to set up cado or did you do some searching? I know that I won't be spoonfed instructions.
Would it be something like this:
I have Kali Linux. Set up cado on Kali then I have no idea what to do after
Old 06-09-2018, 11:59 PM   #39
blarf
Registered User
 
Join Date: Oct 2009
Location: Bay Area
Posts: 1,632
My Ride: 325iT, 540iT
I've never used CADO-NFS before. My public key crypto knowledge is pretty rusty but basically you've got a few parts of an RSA public+private key pair including two very large prime numbers and an exponent. The public key contains the product of the two primes and the exponent. CADO-NFS will find the prime factors of that very large number which will then give you the information needed to create an RSA private key. The private key is used to encrypt (for the newer ECUs that use RSA auth) and sign (starting with MS45 in BMW land I believe) data being written to the ECU. The public key is used by you or the ECU to verify the signature is correct. Get the primes and you can update the RSA signature(s) after you update the program and/or data segments.

The entire reason RSA is/was considered secure is that taking one very large number and finding its factors is extremely time consuming. Better algorithms for doing this have been developed and hardware has gotten faster such that factorizing a 512-bit RSA key can be done in a few hours on a fast enough cluster. A 1024-bit key (as used by newer BMW ECUs) would theoretically take thousands to millions of years with the same hardware. However, because RSA is entirely dependent upon using two large factors there are a number of types of vulnerabilities. There were some PGP keys where 3 was one of the factors. Infineon was using an insecure key generation algorithm such that you could break their 1024-bit keys with about $100 spent on Amazon EC2 instances. Estonia used that Infineon library to generate keys for their ID cards. A vulnerable 2048-bit key would still take about $40,000 worth of Amazon services to crack.

The program I wrote only searches for 512-bit keys, but shouldn't be too hard to update for 1024-bit keys. At which point you could use any of the publicly available tools to see if the BMW keys are known to be vulnerable. If the BMW 1024-bit keys are vulnerable it would be pretty easy to come up with the private half of the key.
__________________
Tooooools for rent

Last edited by blarf; 06-10-2018 at 12:09 AM.
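[Added example, not part of blarf's post and not the echidna tool: a defender-side check of an RSA verification modulus against the weaknesses named in post #39 (512-bit size, a small factor such as 3), followed by the reason a factored modulus stops authenticating anything. The toy primes, the function names and the unpadded "textbook" signature are assumptions made for illustration; real schemes add padding such as PKCS#1 v1.5 or PSS.]

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
TOY_P, TOY_Q, E = 2**31 - 1, 2**61 - 1, 65537
TOY_N = TOY_P * TOY_Q


def _is_prime(k):
    return k > 1 and all(k % d for d in range(2, int(k ** 0.5) + 1))


SMALL_PRIMES = [k for k in range(2, 2000) if _is_prime(k)]


def audit_modulus(n):
    """Return findings for an RSA modulus used as a firmware verification key."""
    findings = []
    small = [p for p in SMALL_PRIMES if n % p == 0]
    if small:
        # Trial division alone breaks the key (the "3 was a factor" case).
        findings.append(f"small-factor:{small[0]}")
    bits = n.bit_length()
    if bits <= 512:
        # Size class the thread reports as factored in hours on a rented cluster.
        findings.append("factorable")
    elif bits < 2048:
        # Below the 2048-bit minimum in current NIST guidance.
        findings.append("below-2048")
    return findings


def private_exponent(p, q, e):
    """With both primes known, the private exponent is one modular inverse away."""
    return pow(e, -1, (p - 1) * (q - 1))


def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, d, n):
    # Unpadded textbook RSA, illustration only.
    return pow(digest_int(data, n), d, n)


def verify(data, sig, e, n):
    # What the verifier does: it needs only the public (n, e).
    return pow(sig, e, n) == digest_int(data, n)


if __name__ == "__main__":
    print(audit_modulus(TOY_N))
    d = private_exponent(TOY_P, TOY_Q, E)
    image = b"constructed firmware image"
    sig = sign(image, d, TOY_N)
    print(verify(image, sig, E, TOY_N), verify(image + b"!", sig, E, TOY_N))
```

The verifier accepts any signature produced with the recovered exponent, so the only protection is that the modulus cannot be factored; a device vendor's fix is a larger, correctly generated key, not a change to the check.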
Old 06-10-2018, 12:01 AM   #40
armenh7
Registered User
 
Join Date: Dec 2016
Location: California
Posts: 8,567
My Ride: 325i (Turbo M54B30)
Quote:
Originally Posted by blarf View Post
I've never used CADO-NFS before. My public key crypto knowledge is pretty rusty but basically you've got a few parts of an RSA public+private key pair including two very large prime numbers and an exponent. The public key contains the product of the two primes and the exponent. CADO-NFS will find the prime factors of that very large number which will then give you the information needed to create an RSA private key. The private key is used to encrypt (for the newer ECUs that use RSA auth) and sign (starting with MS45 in BMW land I believe) data being written to the ECU. The public key is used by you or the ECU to verify the signature is correct. Get the primes and you can update the RSA signature(s) after you update the program and/or data segments.
Is the only advantage to this being able to flash through the obd2 port?