Have a client that just took delivery of 3 2017 duramax trucks. Is there any support for these yet?
NOPE..........BE A LONG TIME MOST LIKELY
Rumor is the ECM is locked down like an Apple Phone as far as encryption.........many roadblocks in the way, and some may be almost impossible to remove !!
There is no encryption as such, but there are SHA-256 signatures on every calibration segment and the OS, no external reflash bootloader is permitted so the signature validation cannot be bypassed, and to top it off the JTAG/BDM is 128-bit password protected.
Be prepared to accept that these may never be tunable. Nobody but GM can generate the SHA-256 signatures, and if someone does they will likely be sued by GM, because SHA-256 is not crackable.
I no longer monitor the forum, please either post your question or create a support ticket.
SHA-256 is just a hashing algorithm. It's pretty easy to generate as long as you know exactly what generates it. (Hiding exactly what makes the hash is a sort of weak form of encryption I guess you can say).
What makes a signature is when you somehow encrypt that hash, and store that encrypted hash in the file. Then the program will take that encrypted hash and decrypt it using a key (public key if asymmetric). From there it takes the encrypted hash and checks it against the rest of the file by running the hash algorithm. (Sometimes it will check it against the actual hash stored in the file).
Your solution is to find that public key/key and swap it out with your own. This might not be doable through OBD2 flashing. It really depends how they implemented it.
I would expect the ECM bootblock would contain the public key as that is the part of the ECM that is doing the validation during the reflash.
When the controller is flashed, a hash is sent up to the ECM for the data to be flashed for each cal segment (I don't recall the exact size, maybe 800 bytes or so). We have to assume this hash is generated with GM's private key, which we will likely never know, therefore we cannot generate a valid hash that works with their public key.
The bootblock is not accessible via OBD-II, therefore we cannot replace their public key / hash with our own and sign the calibrations with our own matching private key either.
I look at it this way: GM have no doubt been working on this for years and they've chosen SHA-256 because it is not crackable if implemented correctly, so it is possible they have actually won the battle to keep tuners out (and therefore will soon be watching sales drop off!). It's just like the video game console manufacturers, who appear to have won the battle against game piracy as processing power becomes cheap enough for them to put in solid signing mechanisms or encryption systems that have yet to be beaten. And think about how many people would have been working on that since the PS3 came out in 2006, and only once did anyone get anywhere, because SONY made an implementation error in one of their firmware updates that was then fixed. But for the last 11 years nobody has beaten the PS3 protection to be able to sign valid signatures for PS3 games.
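The two posts above make the distinction that matters here: a SHA-256 digest can be recomputed by anybody who has the data, so a hash on its own stops nothing, while a signature over that digest can only be produced by whoever holds the private key, and the bootblock only needs the public key to check it. The following is an added example written for this page, not code from any poster, EFILive or GM. It models that flow with constructed segment bytes, a toy "bootblock" object and small textbook RSA keys (no padding, 384-bit modulus) so that it runs on the Python standard library alone; a real ECM would use a padded scheme and far larger keys, and nothing here is taken from an actual controller.

```python
"""Added example: a bare SHA-256 hash is recomputable by anyone; a signature is not.

Toy model of the reflash check described in the thread: each calibration segment is
hashed with SHA-256, the digest is signed with a private key only GM holds, and the
bootblock holds the matching public key and gates the flash on the signature.
Textbook RSA on the raw digest (no padding) is used only to stay stdlib-only;
it is NOT a production signing scheme. Keys, segments and the Bootblock class are
constructed for illustration.
"""
import hashlib
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin test, a helper for the toy key generation below."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_keypair(seed: int, bits: int = 192):
    """Deterministic toy RSA keypair -> (public (n, e), private (n, d)).
    Two 192-bit primes give a 384-bit modulus, large enough to hold a 256-bit digest."""
    rng = random.Random(seed)
    e = 65537

    def prime() -> int:
        while True:
            cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(cand, rng):
                return cand

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e must be invertible mod phi
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def segment_digest(segment: bytes) -> int:
    """SHA-256 of a calibration segment as an integer. Anyone can compute this."""
    return int.from_bytes(hashlib.sha256(segment).digest(), "big")


def hash_only_check(segment: bytes, claimed_digest: bytes) -> bool:
    """A check that only compares hashes: the tuner supplies both, so it always passes."""
    return hashlib.sha256(segment).digest() == claimed_digest


def sign_segment(private_key, segment: bytes) -> int:
    """Only the holder of d can produce this value for a given segment."""
    n, d = private_key
    return pow(segment_digest(segment), d, n)


def verify_segment(public_key, segment: bytes, signature: int) -> bool:
    """What the bootblock does on reflash: recover the digest from the signature and compare."""
    n, e = public_key
    return pow(signature, e, n) == segment_digest(segment) % n


class Bootblock:
    """Toy stand-in for the ECM boot code: holds the public key and gates the flash."""

    def __init__(self, public_key):
        self.public_key = public_key  # burned in; per the thread, not reachable over OBD-II

    def flash(self, segment: bytes, signature: int) -> bool:
        return verify_segment(self.public_key, segment, signature)


def demo() -> dict:
    # Constructed data: an 800-byte stock segment and a copy with one calibration byte changed.
    stock = bytes([0x10] * 800)
    tuned = bytearray(stock)
    tuned[0x1F0] = 0xFF
    tuned = bytes(tuned)

    gm_pub, gm_priv = gen_keypair(seed=1)        # stands in for GM's key, held only by GM
    tuner_pub, tuner_priv = gen_keypair(seed=2)  # a tuner's own key
    ecm = Bootblock(gm_pub)
    stock_sig = sign_segment(gm_priv, stock)

    results = {
        "hash_only_check_accepts_tuned": hash_only_check(tuned, hashlib.sha256(tuned).digest()),
        "stock_accepted": ecm.flash(stock, stock_sig),
        "tuned_with_stock_sig_rejected": not ecm.flash(tuned, stock_sig),
        "tuned_with_tuner_key_rejected": not ecm.flash(tuned, sign_segment(tuner_priv, tuned)),
    }
    # Only if the public key inside the bootblock could be swapped would tuner signatures pass.
    swapped = Bootblock(tuner_pub)
    results["tuned_accepted_after_key_swap"] = swapped.flash(tuned, sign_segment(tuner_priv, tuned))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run it and every line prints True: the hash-only check is satisfied by the tuner's own recomputed digest, the signed stock segment flashes, the tuned segment fails against both the stock signature and a signature from the tuner's key, and the tuner's signature is only accepted once the public key in the bootblock has been replaced, which is exactly the step the thread says OBD-II does not give access to.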
Well.......... that was an interesting read:
https://en.wikipedia.org/wiki/SHA-2
So at any time they can alter the public and private key?
So in effect, they could, as a normal course of business, make constant changes to the public and private key?
As in, sorry about your luck ???
My intention behind posting that link was to try to nip in the bud the 'But can't you just' questions
So here are some numbers on the older SHA-1 system, which GM aren't using and which has been replaced with the stronger SHA-2 (or SHA-256 as per GM), with no known exploit existing.
"This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations"
http://thehackernews.com/2017/02/sha...on-attack.html
Last edited by GMPX; April 25th, 2017 at 03:02 PM.
Pretty sure that with the current approach the universe will run out of energy before someone finds a SHA2 collision.
BUT. Vulnerabilities will be found. If not by humans, then computers will find the vulnerabilities. That will knock the number down significantly just like it did with SHA1.
So there is hope (if you can call it hope). But... At the point it comes to fruition I doubt anyone is going to be concerned with 20 year old Duramax engines.
If they did, then it breaks their own compatibility in a way. They could by all means change the keys if they released, say, an E41A controller or E41B controller.
Let's (safely) assume there is only a handful of people at GM who know the private signing key for a particular controller so it can be reflashed via OBD-II. We know it is impossible to reverse engineer what that key value might be, so the only way to get the private key is from one of those people. Imagine tomorrow EFILive released tuning for this E41 where we could correctly sign the calibrations so that when they are processed with the public key in the ECM it works out: GM are not going to turn a blind eye to that, heads would roll and lawyers would smell blood. It's not a good situation at all.
Maybe there is an exploit that someone will discover down the track, who knows.
Unfortunately, yes that about sums it up.
Would a flood of letters to GM explaining that cutting off aftermarket alterations is going to be detrimental to their sales once word gets out actually change anything? Probably not, and it may be that external pressures have forced them to take this path. As soon as this finds its way into the gas controllers (which I assume it will), then GM will be in trouble with their performance cars; nobody wants to go see ten 2018 Corvettes run the exact same times down the drag strip because nobody can tune them. That would be embarrassing, really.
I'm sure a ~30hp harness box (rail pressure fooler or something) isn't out of the question for the L5P.
But any more than that and you'll probably bump into the limits of the "max allowed calculated power" algorithms/ECM torque model sanity checks.
2005 Silverado, CC/SB, 4x4, LT, LILLY/Allison12.9s @ 108 mph
many thanks to Ross and Paul