Discussion Starter #1 (Edited)
The ISTA+ manual says that "enabling codes" are either downloaded from some online server, or if that's not possible they can be imported manually. I'm wondering if anyone has an example "enabling codes" package that can be imported manually and would be willing to share it. They should be available in the Aftersales Assistance Portal as zip files.

My line of thinking is, if we can reverse engineer the "enabling codes" package, we might be able to start creating our own "community enabling code" packages that can be executed with ISTA+ & contain everything needed for a single functionality.

For example, a video in motion community enabling code would modify both SPEEDLOCK_X_KMH_MIN and SPEEDLOCK_X_KMH_MAX and ensure the handbrake one is disabled as well. It could then be enabled/disabled through ISTA+ as a package.

I did a quick search around the topic and it doesn't look like anyone has investigated these packages before. Tbh, I have no idea about the format of these files, or any possible limitations coming from ISTA+, but this seems like a nice logical avenue to try and improve the process.

edit: looks like the enabling code package contains a ".der" file, which is most probably a certificate signed by a private key from BMW. My guess is, ISTA is checking that against a public key and checks if they match. Now the prerequisite to any reverse engineering would be, where is the public key stored and can we change it? :)
 

Premium Member
The enabling codes (Freischaltcodes aka FSC Codes) are Digital Certificates, signed by BMW AG to enable certain functions in ECUs. A means to patch some head units (CIC, NBT and NBT2) and load non-OEM FSC codes has already been developed, which allows enabling Navigation, Voice Control, Text-To-Speech, BMW Apps, CarPlay, etc.; however, the same can't be done for other ECUs such as DME, KAFAS, and EPS.

Contrary to your belief though, the loading of FSC Codes has been investigated ad nauseam over the last decade by some truly brilliant and talented individuals, who, without access to BMW AG's Private Key, have likely exploited and achieved as much as is possible with regard to them.

As for VIM (Video-In-Motion) specifically, it does not make use of FSC Code.
 

Discussion Starter #3
> The enabling codes (Freischaltcodes aka FSC Codes) are Digital Certificates, signed by BMW AG to enable certain functions in ECUs. A means to patch some head units (CIC, NBT and NBT2) and load non-OEM FSC codes has already been developed, which allows enabling Navigation, Voice Control, Text-To-Speech, BMW Apps, CarPlay, etc.; however, the same can't be done for other ECUs such as DME, KAFAS, and EPS.
>
> Contrary to your belief though, the loading of FSC Codes has been investigated ad nauseam over the last decade by some truly brilliant and talented individuals, who, without access to BMW AG's Private Key, have likely exploited and achieved as much as is possible with regard to them.
>
> As for VIM (Video-In-Motion) specifically, it does not make use of FSC Code.

Ah, so contrary to my belief, the "enabling codes" mentioned in the ISTA+ manual are not in fact packages of "vo/fdl" coding instructions, but just for enabling the specific ECUs to enable pre-set functions, signed by their key.

My initial thought was that ISTA+ would verify the coding package is signed by the specific private key and then follow the instructions specified in the files. That's why I thought it could be reverse engineered.

As you explained, the actual work is done by the ECU, not ISTA+, so the signature would be checked by the ECU against a public key embedded in the hardware.

Thanks for the deeper explanation (Y)
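
Added example, not part of the thread and not BMW or ISTA+ code: a minimal Go model of the check discussed above, in which the receiving unit accepts an enabling code only if its signature verifies against the one public key it holds. The payload layout, the names `EnablingCode`, `Issue`, `Accept` and `Demo`, and the use of Ed25519 are assumptions for illustration; the real FSC format and algorithm are not described in this thread.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// EnablingCode is a constructed stand-in for a signed enabling code:
// a payload naming the function to unlock plus a detached signature.
type EnablingCode struct {
	Payload   []byte
	Signature []byte
}

// seedKey derives a fixed demo key pair from one byte so the example is
// reproducible. Real keys must come from a secure random source.
func seedKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Issue signs a payload; only the holder of the private key can do this.
func Issue(priv ed25519.PrivateKey, payload []byte) EnablingCode {
	return EnablingCode{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Accept is the receiving unit's check against the single key it trusts.
func Accept(pinned ed25519.PublicKey, c EnablingCode) bool {
	return ed25519.Verify(pinned, c.Payload, c.Signature)
}

// Demo returns the verdicts for a genuine, an edited and a self-signed code.
func Demo() (genuine, edited, selfSigned bool) {
	oemPub, oemPriv := seedKey(0x01)  // manufacturer key pair (constructed)
	_, communityPriv := seedKey(0x02) // a key pair anyone could generate
	code := Issue(oemPriv, []byte("function=navigation;unit=HU-0001"))

	// Same signature, different payload: the signature no longer matches.
	tampered := EnablingCode{Payload: []byte("function=carplay;unit=HU-0001"), Signature: code.Signature}
	// Valid signature, but made with a key the unit does not trust.
	forged := Issue(communityPriv, code.Payload)

	return Accept(oemPub, code), Accept(oemPub, tampered), Accept(oemPub, forged)
}

func main() {
	g, e, s := Demo()
	fmt.Printf("genuine=%v edited=%v self-signed=%v\n", g, e, s)
}
```

Because the verdict depends only on the public key stored in the verifying unit, the strength of the scheme rests on that key being immutable there and on the private key never leaving the issuer.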
 