CarTechnoloGY
BMW CIC PATCHER v2 - GENERATE YOUR OWN RETROFIT FSC CERTS - Printable Version

+- CarTechnoloGY (https://cartechnology.co.uk)
+-- Forum: Discussions All about Software and Hardware (https://cartechnology.co.uk/forumdisplay.php?fid=310)
+--- Forum: Automotive Help & Discussions / Software and Hardware (https://cartechnology.co.uk/forumdisplay.php?fid=40)
+---- Forum: BMW - Mini - Rolls Royce (https://cartechnology.co.uk/forumdisplay.php?fid=61)
+---- Thread: BMW CIC PATCHER v2 - GENERATE YOUR OWN RETROFIT FSC CERTS (/showthread.php?tid=23198)



BMW CIC PATCHER v2 - GENERATE YOUR OWN RETROFIT FSC CERTS - intel123 - 03-04-2017

*** RELEASED ***


BMW CIC PATCHER v2
GENERATE YOUR RETROFIT FSC CERTIFICATES


Forget about emulators, script activations, hard map updates...

This is better enhanced version of what is selling / floating around these days.



[*] NO BOOTLOADER MODE
[*] DONE IN 10 SECONDS!
[*] NO BRICKING


SUPPORTS ONLY US AND ECE LATEST VERSIONS OF SOFTWARE, SO IF YOU HAVE US or ECE CAR, UPDATE YOUR CIC SOFTWARE AND ENJOY THE PATCH!


here is short howto which is included in the archive too:
Quote:BMW CIC CK V2
-----------------
created by intel123 -

This is patcher for BMW CIC Professional Navigation, it patches binary file
and replaces root certificate what enables you to sign your own FSC certificates
from within FSTOOL or E-SYS like OEM. After patching, Self-generated certificates
will be accepted as OEM ones.

Pre request

1) This is ONLY for US (United States) and ECE (Central Europe) software versions!
2) You should update your CIC software to the latest before applying the patch!


Unlike other patches floating around, this one is done in 10 seconds or less. There is no need
for multiple reboots, or hang in "Bootloader" mode which exposes the system to bricking or failure.


HOW TO USE IT

1) Format USB drive with fat32 filesystem
2) copy file 01_PATCHER\USB_AUTORUN\copie_scr.sh to empty USB drive
3) Insert USB drive into CIC, wait until reboot and you're done!

(if CIC will not reboot in 20 seconds, it means that there is software incompatibility or already patched, read pre requests)

After cic has been patched and it restarted you can fire-up E-SYS or FSTOOL. If you go ahead and check status of FSC you will see that
CIC has been virginized and only root certificate is accepted. Key you should use for signing FSC certificates is 00_PRIVATEKEYS\fscs.der
other two private keys (root.der and sigs.der) you will have no use for, they are included just so the cert chain is complete.

To make certificates for your VIN you can use files in folder 03_FSC_TEMPLATES from archive,
load them in E-SYS (FSC Editor) or FSTOOL, change ONLY VIN, sign them and save as.

** VERY IMPORTANT: If you do not know what you are doing, when modifying template certificates, change only VIN to match yours,
do not edit other fields including date of issue.

After making all certificates you will need for your retrofit you can install them normally via FSTOOL or ESYS, other needed certificates
as SIGs and FSCs cert you can find in folder 02_CERTS from this archive.

*** PLEASE NOTE, AFTER PATCHING CIC IS VIRGINIZED AND MAY SHOW THAT
FSCS AND SIG CERTS ARE REJECTED, AND ROOT ACCEPTED. THIS IS NOT A
PROBLEM AS YOU WILL OVERWRITE IT WITH PROVIDED CERTS VIA FSTOOL
OR E-SYS. ******************************************************

Source code of the CK and all relevant data will be published on CarTechnology.co.uk forum

Quote:0017 - Voice control
0019 - Navigation system Professional
001B - Navigation system Professional
00XX - LifeTime Map Code
006F – Satellite Tuner
009B – Arabian Language
009C - BMW Apps

Full set for BMW CIC.
for E-Series: use FSTOOL
for F-Series: use E-SYS
same procedure as with OEM certificates,



Quote:Q: How does it work ?
Well not to go too much into detail as i plan to document whole procedure and publish along with the source code, but here it is. BMW CIC is based on QNX 6.3.2 running on Renesas SH4 CPU. There are two main binaries on the system running in "Normal" mode: CicHichEceUsaRoot and CicHighEceUsaSecond (names for ECE and US models) First binary resides in IFS and second one on EFS. To cut this short, SWT functions reside in *Second binary. After bare inspection of binary it is noticable that root certificate is being checked for several things including the check which compares root certificate to its copy residing in IoC (v850 CPU), additionally there is a string which says something like "Unable to read rcert from IoC, trying from flash" which was more than enough for start. After disassembly and locating function responsible for checking root certificate in IoC it was only the matter of changing two bytes and now we have program which will read and accept root certificate (if it is created properly with all correct names and parameters) from flash /mnt/HBpersistence/rcert.swt file.
[Image: 31bde5bdfe70cd32df8f3cdc3200b8b3.jpg]
Ok so, since i did not need to make any kind of hooking or add code it will be enough just to change bytes in current EFS image on flash. Replace (if any) rcert in /mnt/HBpersistance with our own, virginize the CIC (delete /mnt/hbdebug/data0? and generalPersistencyData_DiagnosticSWTController) and reboot. After reboot, using E-SYS or FSTOOL we can see that our root certificate is accepted and we can upload the rest using one of tools mentioned (SIGs, FSCS, and FSC certificates).


- HOWTO BY SweetBMW ADDED TO ATTACHMENTS! (Thanks SweetBMW)


RE: FREE BMW CIC FSC RETROFIT CERTIFICATES - inotherwords - 03-04-2017

Well, we can generate own root certs and generate FSCs using FSTool signed with these root certs, right?

But how about map update codes? 1B FSC contains 1024-bit key or somethin' like that and I don't know how to generate it.


RE: FREE BMW CIC FSC RETROFIT CERTIFICATES - Czozen - 03-04-2017

(03-04-2017, 19:26 PM)inotherwords Wrote:  Well, we can generate own root certs and generate FSCs using FSTool signed with these root certs, right?

But how about map update codes? 1B FSC contains 1024-bit key or somethin' like that and I don't know how to generate it.

I think it is simple, after you activate CIC, you will download 1B file by SWID_Reader and generate map key as always by generator smile


RE: FREE BMW CIC FSC RETROFIT CERTIFICATES - muskatas - 04-04-2017

I believe NBT should be similar method...?


RE: FREE BMW CIC FSC RETROFIT CERTIFICATES - inotherwords - 04-04-2017

(03-04-2017, 20:50 PM)Czozen Wrote:  I think it is simple, after you activate CIC, you will download 1B file by SWID_Reader and generate map key as always by generator smile

Yes, but it will be code that differs from code generated using original 1B.


RE: FREE BMW CIC FSC RETROFIT CERTIFICATES - emhtuning - 04-04-2017

Please don't spoil the thread by discussing how to read and generate map update FSC .

the OP is talking about more advanced project than just simple 1B or DE FSC generating .


RE: FREE BMW CIC FSC RETROFIT CERTIFICATES - inotherwords - 04-04-2017

(04-04-2017, 07:51 AM)ehssan Wrote:  Please don't spoil the thread by discussing how to read and generate map update FSC .

the OP is talking about more advanced project that simple 1B or DE FSC generating .

No, we are not talking about generating update code. 001B code contains 1024-bit key which is used to check map update code generated. We need to know how to generate this key to make right self-signed FSC package. This information should be useful for this thread.


RE: FREE BMW CIC FSC RETROFIT CERTIFICATES - intel123 - 04-04-2017

(04-04-2017, 21:41 PM)inotherwords Wrote:  No, we are not talking about generating update code. 001B code contains 1024-bit key which is used to check map update code generated. We need to know how to generate this key to make right self-signed FSC package. This information should be useful for this thread.

open 1b file in e-sys fsc editor or fstool>enabling codes>load>edit

extension record,type 12 is key used to generate short fsc


RE: FREE BMW CIC FSC RETROFIT CERTIFICATES - inotherwords - 04-04-2017

(04-04-2017, 22:07 PM)intel123 Wrote:  open 1b file in e-sys fsc editor or fstool>enabling codes>load>edit

extension record,type 12 is key used to generate short fsc

Yes, but how generate it for own VIN? Just random 1024-bit key?


RE: FREE BMW CIC FSC RETROFIT CERTIFICATES - intel123 - 04-04-2017

No need to match it with vin in any way as its already matched by signing fsc with fscs private key, short fsc should match with that key only, thats why generators ask for 1b file