  #1  
09-28-2014, 02:32 PM
svc0x80
Registered User
Location: USA
 
Join Date: Apr 2014
Posts: 7
Mein Auto: F82 (soon)
ESYS 3.24.3 Patch Testing

So I spent the weekend hacking away at the ESYS binaries/bytecode in preparation for my M4. The first thing I'd like to code is the VMAX on the DME (0x12)

What's the best way to test if the patch is working without a car?
  #2  
09-28-2014, 09:24 PM
shawnsheridan
Officially Welcomed to the 'Fest
Location: Houston, TX
 
Join Date: Jan 2009
Posts: 11,448
Mein Auto: 2011 535i M-Sport
Go to the Editors & Viewers module, and invoke the FDL Editor. It won't even open without a working Token solution.
- 2011 535i M-Sport (Born 10/10) - AW/BLK/DW - /ZMP (w/ARS, EDC, DHP, & AD) /ZPP /ZP2 (w/ZPS & ZPT) /ZCV (w/SCAD) /6FL /6VC
- Mods - M5 343M 20" Forged Wheels / 6WB MFID / 2TB SAT / 4U1 Ceramic / 6NR Apps / PDV 5k Fogs / Rear Fogs / Euro Tail Lights / Cyba Quad Tips
  #3  
09-29-2014, 03:39 AM
vince59
Officially Welcomed to the 'Fest
Location: roma. italia
 
Join Date: Nov 2010
Posts: 175
Mein Auto: ducati
Quote: Originally Posted by svc0x80
    So I spent the weekend hacking away at the ESYS binaries/bytecode in preparation for my M4. The first thing I'd like to code is the VMAX on the DME (0x12)

    What's the best way to test if the patch is working without a car?
Do not waste your time. The solution to develop the token by yourself is already available thanks to a VALUABLE member ... Angrydad.
For other solutions you MUST pay ... or study to crack the Java inside E-Sys.
Sooner or later a solution will come ...
I am not an expert on Java ...
please do not touch my wife boobs
  #4  
09-29-2014, 03:35 PM
svc0x80
Registered User
Location: USA
 
Join Date: Apr 2014
Posts: 7
Mein Auto: F82 (soon)
Actually it wasn't a waste of my time. I enjoy reverse engineering. It's intellectual "fun".

I managed to get the token loaded and successfully load the FDL editor. Basically ESYS is pinning the intermediate certificate authority inside their code. I modified/swapped out their intermediate certificate authority with my own CA, which took care of the certificate pinning, so the token I created worked fine.

I noticed the file sec_certificates.pem, which contains a chain of certificates: the root, intermediate, Code-Signers (Develop/Field), and KIS-Signer. The other .lic file is actually a .p12 file that contains an E-SYS certificate as a leaf certificate. From what I can tell the sec_certificates.pem is used to validate the psdz data. Still trying to determine the password for that. (I don't think I need it to code.) It's interesting to see how they perform certificate chain validation in the license validator. Looks like most of that code has been obfuscated in 3.25.x.

Does the CAF xml need to be signed by the DEVELOP or the FIELD certificate? Those are really the only options I see. Also does it matter if I sign my own CAF xml? (I assume it doesn't really matter outside of this software.)

If it really doesn't matter, the call to the method with the signature bool b(byte[], bool) can simply be bypassed and the XML document returned.

I found the Angry Dad article you mentioned; it looks like they're bypassing the CAF xml signature checks. I suppose if someone wanted to be malicious with the CAF xml, they could also alter the sec_certificates.pem file that contains the chain and match the subject name with their own file. (This sec_certificates.pem file is also used for certificate pinning.)

So on to the sec_*.lic file, to see what's there. I'm not a Java expert either. I do C/C++/Objective-C, but getting down with the Java bytecode over the weekend was fun. Also, all these try/catch blocks remind me why I hate Java programming.

edit: Thanks Shawn!

Last edited by svc0x80; 09-29-2014 at 04:06 PM.
  #5  
09-29-2014, 05:15 PM
TokenMaster
Token Master
Location: Java Land
 
Join Date: Jul 2013
Posts: 552
Mein Auto: Coded F30
It's good that you edited your original post, but not soon enough for me to see. Calling my assertion FUD despite having a proof of concept is, well, rather silly. I'll be very glad to be proven wrong. Until you've done your research and can prove it otherwise, please leave me out of your every and future discussions.

I'll be glad to help anyone explore a token solution, but if you're bent on bypassing file verification/validation, you will not elicit any response from me.

/unsubscribing
Code My Bimmer | FDL Coding Video Guide - Blogspot/Youtube | TokenMaster's EST Software Token demo - Blogspot | Never download already patched E-Sys from Torrent sites
  #6  
09-29-2014, 05:59 PM
svc0x80
Registered User
Location: USA
 
Join Date: Apr 2014
Posts: 7
Mein Auto: F82 (soon)
Sorry, you were initially included because you seemed somewhat protective in the thread I found. I could personally care less about you, I'm willing to give away all information I obtain since I don't need to sell tokens.

Like I said if the sec_certificate.pem is used for pinning.

Keeping validation intact doesn't seem like it will be hard to do. The original files are signed by either the Codier-Signer develop or field private key. I just need a little more research done.

The generated XML after coding is signed by the private key that's part of the EST token. Looks like the public key is a parameter to get the actual certificate.

My point concerning FUD:
I already have the Codier-encrypt public and private keys as well as the E-SYS private and public key. As well as the passphrase to decrypt the original PKCS12 file.

I believe that would be enough to create a malicious version of CADF files and pass validation/signature verification in the XMLCrypto class. (Not sure what the point would be).

Obviously, I've been at this less than a week.
  #7  
09-29-2014, 11:22 PM
vince59
Officially Welcomed to the 'Fest
Location: roma. italia
 
Join Date: Nov 2010
Posts: 175
Mein Auto: ducati
Quote: Originally Posted by svc0x80
    Actually wasn't a waste of my time. I enjoy reverse engineering. Its intellectual "fun".
    edit: Thanks Shawn!
I completely agree with your approach; unfortunately I can only give a small support, being computer literate and not a Java expert.
Your effort and your explanation will definitely help (at least me) for better understanding, hoping I will have the possibility to apply and study Java.

We have two ways here:
- someone finds a solution but the results are not shared but sold;
- someone finds a solution or tries to find a solution and shares the result.
I am glad you belong to the second one.
  #8  
Yesterday, 12:55 AM
TokenMaster
Token Master
Location: Java Land
 
Join Date: Jul 2013
Posts: 552
Mein Auto: Coded F30
Now THAT is a big FUD. When I staked my claim, I had a proof of concept and you still called FUD, so I'm returning the favor, but this time it's a real FUD and boatloads of BS. Luckily, ESG engineers are a lot smarter than what you give them credit for, otherwise your idea might have worked and we'd all be at the mercy of script kiddies.

Two words: RSA Crypto. Well, that's actually 4 words but whatever. That should give you an idea of what you can and cannot do. Try and circumvent that all the while keeping the validation intact. Nothing you have will generate something that an unaltered XMLCrypto will accept.

XMLCrypto is not something you want to mess around with, unless you just want to create a quick workaround, without regard to its side effects. I've said it before and I'll say it again, XMLCrypto is not the way nor is it the only way, and I wish everyone would just leave it alone. That's a bit melodramatic, but I feel strongly about security. Nothing in my book is worth compromising it.

I'm totally out of this thread as it's bordering on a subject I don't want to discuss and I've already said enough. I don't want to expose the weakness of the app any more than what has already been done. Good luck
  #9  
Yesterday, 10:06 AM
svc0x80
Registered User
Location: USA
 
Join Date: Apr 2014
Posts: 7
Mein Auto: F82 (soon)
1. Decrypt existing CADF XML files using the Codier-Encrypter's private key.
2. Modify raw XML.
3. Encrypt using a new Codier-Encrypter's private key.
4. Sign using a new Codier-Signer's private key.
5. Switch out the security license file that contains the PKCS12 base 64 encoded data. Make sure to use the same passphrase the application uses to decrypt it.
6. Switch out the entire certificate chain w/ the new certificates.

I write security frameworks and tamper detection code for banking institutions. So I kinda know what I'm doing.

Also more fun coming with the default behavior of Java class loaders.

Last edited by svc0x80; Yesterday at 10:06 AM. Reason: Typos.
  #10  
Yesterday, 10:10 AM
svc0x80
Registered User
Location: USA
 
Join Date: Apr 2014
Posts: 7
Mein Auto: F82 (soon)
Another point: Original files are signed by the Codier-Signer DEVELOP. Modified files are signed by the Codier-Signer FIELD. These are not included in the application.

XMLCrypto uses the License validator to get the correct public key to compare the signature in the XML.
Hack is simple enough: get the public key that belongs to the token and return that ... game over.

Last edited by svc0x80; Yesterday at 10:11 AM. Reason: change typo =private to public.
  #11  
Yesterday, 12:45 PM
vince59
Officially Welcomed to the 'Fest
Location: roma. italia
 
Join Date: Nov 2010
Posts: 175
Mein Auto: ducati
Quote: Originally Posted by svc0x80
    Another point: Original files are signed by the Codier-Signer DEVELOP. Modified files are signed by the Codier-Signer FIELD. These are not included in the application.

    XMLCrypto uses the License validator to get the correct public key to compare the signature in the XML.
    Hack is simple enough, get the public key that belong to the token and return that...game over.
I definitely have to apply studying...I wish I could follow your effort!!!!