
Absolute +1 on this project to get out of Boschs closed-garden #1

Open
chron0 opened this issue Nov 30, 2021 · 51 comments

Comments

@chron0

chron0 commented Nov 30, 2021

As soon as I have my bike, I may be able to contribute additional ECU/Battery handshake data.

@hackrid

hackrid commented Jan 17, 2022

Any progress on the project? What is the current state?

@gregyedlik
Owner

No update on this - waiting for some idea on how to crack the handshake.

@hackrid

hackrid commented Jan 26, 2022

Collecting all possible responses is not an option? That's not directly cracking it, but I think whatever works is fine.

@gregyedlik
Owner

Not really. It has been running for many weeks, and yet most of the handshakes are not-yet-seen.

@chron0
Author

chron0 commented Jan 26, 2022

Collecting enough would possibly create a plane to determine if Bosch botched the crypto implementation, which so far I fear they strangely didn't...

@hackrid

hackrid commented Jan 26, 2022

Thanks for your replies.
@gregyedlik are you still capturing the challenge and response data?

In the readme you state

the challenge and the answer consist of 2 bytes

but looking at the .csv files it seems it's more like 2 CAN frames with 8 bytes each?

@gregyedlik
Owner

That is correct, the readme is wrong. I'll fix it.

@gregyedlik
Owner

And no, the capturing is not going now.

@chron0
Author

chron0 commented Jan 26, 2022

There is a guy on Telegram who seems to have been going at it as well, but he only seems to be reachable over there: @bitslover101. If any of you guys have Telegram, it may also be worth a try to find out what he has/knows (https://t.me/joinchat/HAonoHZMkVkBSM1N was a link I found).

@hackrid

hackrid commented Jan 26, 2022

So it seems like a 128 bit challenge response, which would mean 3.4028237E38 (2^128) challenge/response pairs that need to be recorded?
So the storage to hold this data would be kind of insane??
@chron0 where did you find this link? Telegram says it's "invalid or expired".

@chron0
Author

chron0 commented Jan 26, 2022

In some pedelec forums (where he was getting banned by the admins, seemingly out of fear of Bosch legal retaliation).
Can you look up the user bitslover101 somehow?

@chron0
Author

chron0 commented Jan 26, 2022

If we could use the software, we may be able to extract some info with it as well...

@hackrid

hackrid commented Jan 26, 2022

https://cyclurba.fr/forum/702597/logiciel-diagnostic-bosch-ibd-dongle.html?from=1&discussionID=28510&messageID=702597&rubriqueID=112&pageprec=

bitslover01:

Somebody is really angry at me, made the Telegram group closed and banned me from Telegram ;) But I'm not dead.

@gregyedlik
Owner

The hint I get from these is that Bosch uses AES. Is that something that we could verify based on the data I captured?

@chron0
Author

chron0 commented Jan 26, 2022

@hackrid - oh perfect <3

@chron0
Author

chron0 commented Jan 26, 2022

"There are several bugs in the DU and BMS firmwares which allows to dump the keys... I don't want to say more for the moment. Of course AES128 brute force is not possible, it was designed for that ;)" - this is kinda what I had in mind...

@gregyedlik
Owner

The DU is the Intuvia display? We would be happy with a single valid key btw.

@chron0
Author

chron0 commented Jan 26, 2022

I think it's the DU (display unit, unclear which specific type) and the battery management system (BMS).
With the software running we should be able to get the firmware files, since they are also not out in the open, and binwalk and look at them...

@chron0
Author

chron0 commented Jan 26, 2022

I got a complete file set thanks to @hackrid's find of the new French forum. Next I'll try to get this running in Wine, patch it and learn more about that software to download the FWs. Then I need to figure out how to actually connect it to my bike.

@hackrid

hackrid commented Jan 29, 2022

Are there any firmware files that contain the software for the DU? Because the software in the French forum seems to be a diagnostic tool?!
Who on the bus authenticates the battery?

What's the situation like for older Bosch e-bikes without a removable display unit?

@gregyedlik
Owner

I suspect that the display unit is not key here, and it is the controller/motor unit that authenticates the battery.

I don't know anything about the old Bosch bikes.

@hackrid

hackrid commented Jan 29, 2022

So we need firmware update files for the motor controller. Do such things exist?

...only if the key is not stored in hardware, maybe protected against readout. A lot to speculate about.

@hackrid

hackrid commented Jan 29, 2022

"There are several bugs in the DU and BMS firmwares which allows to dump the keys... I don't want to say more for the moment. Of course AES128 brute force is not possible, it was designed for that ;)" - this is kinda what I had in mind...

Where do you get this information from?

@chron0
Author

chron0 commented Jan 29, 2022

@hackrid that is a discussion quote from bitslover101 in the French forum you posted :) and that means that the BMS as well as the DU are vulnerable to key dumping. Once we have the keys we should be able to communicate with the EC and fake a new battery/BMS as well.

@chron0
Author

chron0 commented Jan 29, 2022

My experiment in Wine failed: the app starts but crashes after opening; it's probably the insane background services Bosch runs to "make it work". I'll boot up a Windows To Go instance and try it there.

@geefro

geefro commented Feb 2, 2022

Wanted to share this quote with you. Taken from latest IBD patch release notes. 😊🔥

Bosch, your security scheme is PWNED. Shame on you trying to lock out your users. We fight back for our rights
to configure and repair ourself the bike we own.
We are fed up with companies like you always trying to make more money: something is not working? Buy a new one.
You know your batteries have weaknesses on the electronic boards, but you don't want us to repair them.
This time is over. We want open hardware, software, we want manufacturers to embrace ecology state of mind.
Recycle, reuse, repair. Be opened.

@chron0
Author

chron0 commented Feb 2, 2022

lol ye, already saw it in the patchfiles readme..
++ on it

Unfortunately it isn't 100% Bosch's fault. It's the EU and state regulations mostly. They can't sell it if they don't do it like this. We are facing a similar problem with open WiFi firmware: https://apollo.open-resource.org/mission:log:2016:12:28:joint-statement-against-radio-lockdown

@geefro

geefro commented Feb 2, 2022

A mysterious peterla in the pedelec-forum pointed out the following:

I would recommend running a sidechannel hardware attack instead of trying to reverse engineer the algorithm from the recorded data. It is more promising to use a voltage or clock glitch on the BMS chip to put the chip into debug mode and then read the firmware. The used challenge & response algorithm can then be reverse engineered from the firmware.

@chron0
Author

chron0 commented Feb 2, 2022

I don't think we need this effort, hence my effort to get the IBD software up and running, since we can download the firmware with it directly without having to pry it out of the MCUs via side-channel attacks. The used challenge & response algorithm can then be reverse engineered from that firmware, which is already on the filesystem of the IBD host.

@chron0
Author

chron0 commented Feb 2, 2022

And according to bitslover101 comments in the forum, it sounds like the DU and BMS firmwares are good candidates for this.

@geefro

geefro commented Feb 2, 2022

I've got the Bosch Tool (IBD) and a .cff2 container file. If you follow the French thread, you should be able to get access to the latest Nyon2 patch as well.

@chron0
Author

chron0 commented Feb 2, 2022

Ye, that cff2 is it I think, but this is theoretical: I haven't been able to boot my win2go, so I'm operating on assumption and not experience level atm. Still waiting to get my Nyon2, nothing is available :/ At least I found the USB port in the Purion controller...

@chron0
Author

chron0 commented Feb 4, 2022

The one lurking from Belgium who made his way to Libera, please come back and stick around a while longer :)

@viteka32

viteka32 commented Apr 19, 2022

Has anyone wondered if the encryption key consists of a serial number and a part number? When I convert them to hex, they are two 4 byte values. For better understanding does anyone have a link to the IBD tool with cff2?

@xerootg

xerootg commented Aug 19, 2022

I've spent many evenings now poking at this. Bosch absolutely uses AES. The dongle used by the IBD software is used in the exact same seed/key process as what these traces show to connect and fetch diagnostics. The cff2 format is a zip with a manifest of the firmwares contained AND the key you need to decrypt them. I've decrypted the battery firmware, but I don't have a good disassembler for this MCU. Shame it's not something reasonable, like ARM. I think our best bet here is going to be a hardware sniffing approach.

@PerleyZ

PerleyZ commented Sep 14, 2022

I remember that I tried to find the rule by recording handshake information many times before, but failed.
If it is feasible to analyze and separate the battery firmware in IBD, is it effective to download the firmware to a blank new chip? Do you need an official bootloader? I hope to get a reply. Thank you.
The original chip they used was NXP SPC5602DF1CLH3, which was replaced by ST SPC560D4L1 after 2021.

@epe

epe commented Dec 24, 2022

There is already a company producing compatible battery packs, https://e-bike-vision.de/ - did they hack it or license the BMS from Bosch?

@flemichellec

I've got the Bosch Tool (IBD) and a .cff2 container file. If you follow the French thread, you should be able to get access to the latest Nyon2 patch as well.

I can't find anything; does your tool still work?

@coelep

coelep commented Feb 14, 2023

Has someone already tried to buy an E-Bike Vision battery and look at their handshake?

@eleczj

eleczj commented Mar 9, 2023

I've spent many evenings now poking at this. Bosch absolutely uses AES. The dongle used by the IBD software is used in the exact same seed/key process as what these traces show to connect and fetch diagnostics. The cff2 format is a zip with a manifest of the firmwares contained AND the key you need to decrypt them. I've decrypted the battery firmware, but I don't have a good disassembler for this MCU. Shame it's not something reasonable, like ARM. I think our best bet here is going to be a hardware sniffing approach.

If you have obtained the cff2 file and the battery firmware, could you share it?
I have a hardware platform here to try and burn it to a blank chip for verification.
If the firmware is upgraded based on CAN communication, we will need to create a new bootloader program on the blank chip and may still need the access key.

@DanielMarcato

There is already a company producing compatible battery packs, https://e-bike-vision.de/ - did they hack it or license the BMS from Bosch?

I have seen this as well - has anybody had the chance to check that out? They claim to sell only new batteries, which would be impossible if they had to reuse the BMS of an original pack.

@avandalen

What is the status? Has the Bosch AES code been hacked yet, so that you can use 3rd party batteries?
https://avdweb.nl/

@maelp

maelp commented Sep 5, 2024

Has someone made progress on this? I'd be interested in contributing (time and money) to get something working.

@DanielMarcato

https://www.indiegogo.com/projects/infinite-the-repairable-universal-ebike-battery
Another seller with an apparently Bosch-compatible BMS.

@avandalen

I like the Gouach battery. But I'm afraid there is no hack for Bosch yet. I can't find detailed information on how it works.

@mightysimba

Has anyone had any success getting the firmware from the main chip?

@maelp

maelp commented Jan 7, 2025

No but I'd be interested. I think the main algo might be on the motor / controller.

@mightysimba

I know for sure it is on the main motor PCB (controller board).
It is stored in an SPC5-family microcontroller. So far I've seen only SPC56EL60L3. I'm new to hardware hacking, so it is quite a big topic for me to go over 😂 I had hoped someone had managed to gain access to the chip's memory. I have a board in which I want to install a blank chip, flash it with firmware and use it as it is without any alteration.
