Absolute +1 on this project to get out of Bosch's closed garden #1
Comments
Any progress on the project? What is the current state?
No update on this - waiting for some idea on how to crack the handshake.
Collecting all possible responses is not an option?
Not really. It has been running for many weeks, and yet most of the handshakes are not-yet-seen.
Collecting enough would possibly create a plane to determine if Bosch botched the crypto implementation, which so far I fear they strangely didn't...
Thanks for your replies. In the readme you state
but looking at the .csv files it seems it's more like 2 CAN frames with 8 bytes each?
That is correct, the readme is wrong. I'll fix it.
And no, the capturing is not going on now.
There is a guy on Telegram who seems to have been going at it as well but only seems to be reachable over there, @bitslover101 - if any of you guys have Telegram it may also be worth a try to find out what he has/knows (https://t.me/joinchat/HAonoHZMkVkBSM1N was a link I found).
So it seems like a 128-bit challenge-response, which would mean 3.4028237E38 (2^128) challenge/response pairs that need to be recorded?
In some pedelec forums (where he was getting banned by the admins, seemingly out of fear of Bosch legal retaliation)
seem to have been deleted as well now...
If we could use the software, we may be able to extract some info with it as well...
bitslover01:
The hint I get from these is that Bosch uses AES. Is that something that we could verify based on the data I captured?
@hackrid - oh perfect <3
"There are several bugs in the DU and BMS firmwares which allow to dump the keys... I don't want to say more for the moment. Of course AES128 brute force is not possible, it was designed for that ;)" - this is kinda what I had in mind...
The DU is the Intuvia display? We would be happy with a single valid key, btw.
I think it's the DU (display unit - unclear which specific type) and the battery management system (BMS).
I got a complete file set thanks to @hackrid's find of the new French forum; next I'll try to get this running in Wine and patch it, and learn more about that software to download the FWs. Then I need to figure out how to actually connect it to my bike.
Are there any firmware files that contain the software for the DU? Because the software in the French forum seems to be a diagnostic tool?! What's the situation like for older Bosch e-bikes without a removable display unit?
I suspect that the display unit is not key here, and that it is the controller/motor unit that authenticates the battery. I don't know anything about the old Bosch bikes.
So we need firmware update files for the motor controller. Do such things exist? ...only if the key is not stored in hardware, maybe protected against readout. A lot to speculate about.
Where do you get this information from?
@hackrid that is a discussion quote from bitslover101 in the French forum you posted :) and that means that the BMS as well as the DU are vulnerable to key dumping. Once we have the keys we should be able to communicate with the EC and fake a new battery/BMS as well.
My experiment in Wine failed - the app starts but it crashes after opening; it's probably the insane background services Bosch runs to "make it work". I'll boot up a Windows To Go instance and try it there.
Wanted to share this quote with you. Taken from latest IBD patch release notes. 😊🔥
lol ye, already saw it in the patchfiles readme.. unfortunately it isn't 100% Bosch's fault. It's the EU and state regulations mostly. They can't sell it if they don't do it like this. We are facing a similar problem with open WiFi firmware: https://apollo.open-resource.org/mission:log:2016:12:28:joint-statement-against-radio-lockdown
A mysterious peterla in the pedelec-forum pointed out the following:
I don't think we need this effort, hence my effort to get the IBD software up and running, since we can download the firmware with it directly without having to pry it out of the MCUs via side-channel attacks. The challenge & response algorithm used can then be reverse engineered from that firmware, which is already on the filesystem of the IBD host.
And according to bitslover101's comments in the forum, it sounds like the DU and BMS firmwares are good candidates for this.
I've got the Bosch Tool (IBD) and a .cff2 container file. If you follow the French thread, you should be able to get access to the latest Nyon2 patch as well.
Ye, that cff2 is it, I think - but this is theoretical; I haven't been able to boot my Win2Go, so I'm operating on assumption and not experience level atm. Still waiting to get my Nyon2, nothing is available :/ At least I found the USB port in the Purion controller...
The one lurking from Belgium who made his way to Libera, pls come back and stick around a while longer :)
Has anyone wondered if the encryption key consists of a serial number and a part number? When I convert them to hex, they are two 4-byte values. For better understanding, does anyone have a link to the IBD tool with cff2?
I've spent many evenings now poking at this. Bosch absolutely uses AES. The dongle used by the IBD software is used in the exact same seed/key process as what these traces show, to connect and fetch diagnostics. The cff2 format is a zip with a manifest of the firmwares contained AND the key you need to decrypt them. I've decrypted the battery firmware, but I don't have a good disassembler for this MCU. Shame it's not something reasonable, like ARM. I think our best bet here is going to be a hardware sniffing approach.
I remember that I tried to find the rule by recording handshake information many times before, but failed.
There is already a company producing compatible battery packs, https://e-bike-vision.de/ - did they hack it or license the BMS from Bosch?
I can't find anything; does your tool still work?
Did someone already try to buy an E-Bike Vision battery and look at their handshake?
If you have obtained the cff2 file and the battery firmware, you can share it.
The updates don't seem to include the keys we need for the seed/key challenge. There's a significant amount of the MCU's application that is not part of the Motorola formatted files in the updates. It does truly seem like a side channel approach is needed to recover the keys for the battery handshake, unless someone can glitch their way through the BAM.
On Wed, Mar 8, 2023, 19:11 eleczj ***@***.***> wrote:
I have a hardware platform here to try and burn it to a blank chip for verification; if the firmware is upgraded based on CAN communication, we will need to create a new bootloader program on the blank chip and may still need the access key.
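One way to check a claim like that yourself, as an added example that is not code from the thread or from Bosch: parse the S-record ("Motorola formatted") update image, verify each record's checksum, and list the flash ranges the image never writes. The flash window and the S-record lines below are constructed test data.

```python
"""Added example (not from the thread): parse a Motorola S-record image, verify
each record checksum and report which part of MCU flash the update does NOT cover."""
from typing import List, Tuple
_ADDR_BYTES = {"S1": 2, "S2": 3, "S3": 4}  # data records carry 2/3/4-byte addresses

def parse_srec(text: str) -> List[Tuple[int, bytes]]:
    """Return (address, data) for each data record; reject corrupt lines."""
    records = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        rtype, body = line[:2], bytes.fromhex(line[2:].strip())
        count, payload, chk = body[0], body[1:-1], body[-1]
        if count != len(payload) + 1:
            raise ValueError(f"line {lineno}: byte count mismatch")
        # Checksum: one's complement of the low byte of sum(count, address, data).
        if (~sum(body[:-1])) & 0xFF != chk:
            raise ValueError(f"line {lineno}: bad checksum")
        if rtype in _ADDR_BYTES:  # skip the S0 header and S7/S8/S9 terminators
            n = _ADDR_BYTES[rtype]
            records.append((int.from_bytes(payload[:n], "big"), payload[n:]))
    return records

def coverage_gaps(records, flash_start: int, flash_end: int) -> List[Tuple[int, int]]:
    """Merge records into [start, end) spans and return the uncovered flash ranges."""
    merged: List[Tuple[int, int]] = []
    for s, e in sorted((a, a + len(d)) for a, d in records):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    gaps, cursor = [], flash_start
    for s, e in merged:
        if s > cursor:
            gaps.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < flash_end:
        gaps.append((cursor, flash_end))
    return gaps

# Constructed sample: S0 header, 8 bytes at 0x0100, 2 bytes at 0x0200, S9 terminator.
SAMPLE_SREC = """S00600004844521B
S1070100AABBCCDDE9
S10701041122334449
S1050200DEAD6D
S9030000FC"""
FLASH_START, FLASH_END = 0x0100, 0x0300  # assumed flash window, not a Bosch value

if __name__ == "__main__":
    for lo, hi in coverage_gaps(parse_srec(SAMPLE_SREC), FLASH_START, FLASH_END):
        print(f"not in update image: 0x{lo:04X}-0x{hi:04X}")
```

Run against a real update, the gaps are the regions (bootloader, key storage, whatever else) that the update never rewrites and therefore cannot be learned from the update file alone.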
I have seen this as well - has anybody had the chance to check that out? They claim to sell only new batteries, which would be impossible if they had to reuse the BMS of an original pack.
What is the status? Has the Bosch AES code been hacked yet so that you can use 3rd-party batteries?
Has someone made progress on this? I'd be interested in contributing (time and money) to get something working.
https://www.indiegogo.com/projects/infinite-the-repairable-universal-ebike-battery
I like the Gouach battery. But I'm afraid there is no hack for Bosch yet. I can't find detailed information on how it works.
Has anyone had any success getting firmware from the main chip?
No, but I'd be interested. I think the main algo might be on the motor/controller.
I know for sure it is on the main motor PCB (controller board).
As soon as I have my bike, I may be able to contribute additional ECU/battery handshake data.