MY2010 Security lockout solution
-
- VAG Cafe
- Posts: 19036
- Registered for: 19 years 3 months
- Car Make: Audi
- Car Model: RS3
- Membership No: 675
- Location: Centurion
- Contact:
MY2010 Security lockout solution
Some info on the MY2010 security lockout issue:
On Bosch EDC17 and MED17 ECUs
We've had many people asking why we need to open the ECUs of the later cars brought to us, and what is this "tuning protection" many companies are talking about. Here's a brief explanation of it.
"Tuning Protection" for the Infineon TriCore TC-series processors (Bosch MED17/EDC17)
On the CR TDI and 1.8/2.0 Turbo Petrol engines with the latest Bosch ECU generation (MED17 for the petrols, EDC17 for the diesels, I'll just refer to them as MEDC17 from now on...), Bosch has implemented some new security measures to protect against aftermarket reprogramming of the engine control unit calibration data.
Bosch originally started to use various checksums in the late 80's to verify the data integrity of the engine control unit memory content. Originally this was just a simple additive checksum, where you count the sum of all bytes in the file, and store the value in one place. Later on, it was also used to protect the data from unauthorised modifications (that's us...). For example, ME7.5 ECU (1.8 Turbo) contains about 70 different checksum blocks, and the result values are filtered through various functions to have a secure method of verifying data integrity.
At around the same time, Bosch started using access control on the outside ECU reprogramming (that is what we call the OBD flashing nowadays). It's usually a normal challenge-response scheme with a seed-key algorithm. Of course, the chiptuning industry kept on and solved these functions to have methods of correcting the checksums, and to have OBD programming capability of these ECUs.
About 7-8 years ago, Bosch started using RSA signatures to control the ECU contents. Early on, just a 256-bit RSA, then 512-bit RSA, and nowadays, on these new ECUs, it's a hash from a 1024-bit RSA signature. Something that's virtually un-crackable with traditional brute force methods. Since these keys are yet to be solved, tuners have had to find other ways of programming the ECUs.
When the MEDC17 ECU family was released, a backdoor was found in the programming algorithm. Originally this hash was checked only after certain conditions were met. If they were not met, it was not checked. So the programming method made sure that was the case every time they programmed the ECU. This "Tuning Protection", as it is commonly called, just means that this backdoor has been sealed, and the ECU always checks the hash validity after every OBD programming attempt. If this is not valid, it sets a flag in the memory that prevents the car from starting. Our tools can detect this function just by reading the ECU via OBD. Many others, including some big brand names, have problems with cars not starting after writing.
That is why, for now, on these protected ECUs, we need to open the ECU to use a processor function built in the TC17xx-series processors, which allows us to boot and reset the ECU at any given moment from pins on the motherboard. This way the ECU does not detect it as being an OBD programming attempt, and skips the hash validity check. At this time, there are no tuning companies who can bypass this security check and if an ECU has "Tuning Protection" then it will need to be programmed by taking the ECU out and opening it. Some call it "bench flash", some say they "install a probe", but this is how it is done by ALL tuners who are offering remaps on "protected" MEDC17 ECUs.
Revo Technik's solution:
The VW Audi Group has updated the ECU security from 2010 model year vehicles with MED17 and EDC17 ECUs e.g. cars like the Audi B8. This is an enhanced version of ECU security that has been incorporated in Bosch ECUs since the launch of EDC16, but has only now been fully activated. It is not currently possible to override this security lock by communicating with the ECU via the OBD2 port. Therefore these late model vehicles cannot currently be remapped the standard way by flashing an aftermarket file through the OBD2 Port.
The security exists in the form of an unbreakable digital signature which is required to “match” at the time of the remap. If the ECU requests the digital signature and the remap does not contain a “matching” digital signature the ECU will default to an unusable mode.
Revo Technik is proud to announce the launch of the new SPX and Crypt-X software. The new specially developed hardware and software allows Revo Dealers to unlock the ECU and flash through the OBDII port.
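Added example (not part of the original post, and not Bosch's or any tuner's code): a toy model of why an additive checksum says nothing about who produced the data, and why a signature check that only runs under certain conditions fails open. The tiny RSA key, the sample bytes, every function name and the `check_requested` flag are assumptions made for illustration.

```python
import hashlib

# Constructed toy RSA key from two known Mersenne primes. Far too small for
# real use (the post mentions 1024-bit keys); it only keeps the demo offline.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: the signer's secret

def additive_checksum(data: bytes) -> int:
    """Sum of all bytes, as in the early scheme the post describes."""
    return sum(data) & 0xFFFF

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    """Vendor side: needs D."""
    return pow(digest_int(data), D, N)

def signature_ok(data: bytes, sig: int) -> bool:
    """Device side: needs only the public values N and E."""
    return pow(sig, E, N) == digest_int(data)

def accept_conditional(image, checksum, sig, check_requested):
    """Fail-open model: signature verified only if a precondition holds.
    `check_requested` is a hypothetical stand-in; the post does not say
    what the real conditions were."""
    if additive_checksum(image) != checksum:
        return False
    return signature_ok(image, sig) if check_requested else True

def accept_always(image, checksum, sig):
    """Fail-closed model: every image must carry a valid signature."""
    return additive_checksum(image) == checksum and signature_ok(image, sig)

def demo():
    original = bytes([0x10, 0x20, 0x30, 0x40] * 4)  # constructed sample data
    checksum, sig = additive_checksum(original), sign(original)
    changed = bytearray(original)
    changed[0] += 5                                 # two offsetting edits keep
    changed[1] -= 5                                 # the byte sum unchanged
    changed = bytes(changed)
    return {
        "checksum_still_matches": additive_checksum(changed) == checksum,
        "conditional_accepts_changed": accept_conditional(changed, checksum, sig, False),
        "always_accepts_changed": accept_always(changed, checksum, sig),
        "always_accepts_original": accept_always(original, checksum, sig),
    }

if __name__ == "__main__":
    print(demo())
```

The design point for anyone building an update path: the signature check has to sit on every route by which code or data can reach flash, and a missing or skipped check must count as a failure.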
- vitchie
- Cadet
- Posts: 776
- Registered for: 15 years 8 months
- Car Make: Audi
- Car Model: 11' Ibis White A4 2.0T
- Membership No: 1317
- Location: Randburg, JHB
- Contact:
Re: MY2010 Security lockout solution
Nice!
Will come visit you for some Revo juice for my A4 before the end of the year!
2011 Ibis White A4 2.0T /Xenon/Bluetooth/ - R.I.P.
- Awesum
- Lieutenant
- Posts: 1938
- Registered for: 21 years 8 months
- Car Make: VW
- Car Model: Tiguan
- Membership No: 999
- Location: Jhb
Re: MY2010 Security lockout solution
I'm guessing the ecu will have to be pulled to flash it the 1st time?
2019 Tiguan 2.0TDI, R-Line
2019 Polo GTI
Ex 2013 Tiguan 2.0TDI
Ex 2016 Golf VII R, DSG
Ex 2015 Polo 6C GTI, DSG, Pure White
Ex 2014 Golf VII GTI, DSG, Tornado red
Ex 2010 Scirocco 2.0TSi, DSG; Candy White; Revo, 20" RS6 wheels; Coiled looow.
Ex 2010 Golf VI GTI Dsg, Tornado Red, 19's, Revo 2
Ex 2008 Golf V GTI DSG, Riding on 19"s
Ex 2007 Golf V GTI DSG
Ex 2002 Golf IV GTI
Ex 1991 Golf II GTi 2.0 16V
Ex 1991 Jetta II CLi 1.8 8V Exec
-
- VAG Cafe
- Posts: 19036
- Registered for: 19 years 3 months
- Car Make: Audi
- Car Model: RS3
- Membership No: 675
- Location: Centurion
- Contact:
Re: MY2010 Security lockout solution
Awesum wrote: I'm guessing the ecu will have to be pulled to flash it the 1st time?
Yup, Bench flash
- hubbly_bubbly
- Forum Advertiser
- Posts: 1040
- Registered for: 13 years 10 months
- Car Make: VW
- Car Model: Touran GTD
- Membership No: 1793
Re: MY2010 Security lockout solution
Does this mean you can flash your S4?
Candy White 2007 Touran 1.9TDI Trendline
-
- VAG Cafe
- Posts: 19036
- Registered for: 19 years 3 months
- Car Make: Audi
- Car Model: RS3
- Membership No: 675
- Location: Centurion
- Contact:
-
- Cadet
- Posts: 970
- Registered for: 17 years 8 months
- Car Make: VW
- Membership No: missing
- Location: Fourways
Re: MY2010 Security lockout solution
Nice one so wen is the S4 getting some Revo powa.
Or are they still working on the map
-
- VAG Cafe
- Posts: 19036
- Registered for: 19 years 3 months
- Car Make: Audi
- Car Model: RS3
- Membership No: 675
- Location: Centurion
- Contact:
Re: MY2010 Security lockout solution
Patience papanits wrote:Nice one so wen is the S4 getting some Revo powa.
Or are they still working on the map
- dazza
- Field Marshal
- Posts: 12139
- Registered for: 16 years 3 months
- Car Make: VW and VW
- Car Model: Amarok and Citi Sport
- Membership No: 1327
- Location: Roodepoort
Re: MY2010 Security lockout solution
Rabbit222 wrote: Patience papanits wrote:Nice one so wen is the S4 getting some Revo powa.
Or are they still working on the map
We have been patient enough...boost the t!ts off that thing already
Darryn Van Rooyen
Current: 17 Amarok V6 D/C 4Motion H/L Auto
Current: 1987 Citi Sport 1.6
Current: 91 Citi Sport 1.3
Current: 05 Kawasaki 200KDX, 16 KTM 300 EXC
Previous:
14 Amarok BITDI D/C 4Motion H/L Auto
12' MKVI GTI Manual
2009 Audi TT 2.0TFSI S-Tronic
2008 Honda CBX250 Twister - Crashed!
2011 Amarok BiTDI D/C Highline 4Motion
08 RS MKV GTI DSG
09 ZG Ibiza Cupra TDI
06 CW Sportline
01 Citi 1.4i
01 Yamaha YZ125
99 Toyota Tazz
94 Fox 1.8 Sport
- MeanTdi
- The Imposer Mod-whore-rator
- Posts: 18554
- Registered for: 18 years 1 month
- Car Make: Subaru
- Car Model: WRX
- Membership No: 1153
- Location: JHB
Re: MY2010 Security lockout solution
Fantastic security solution!
I read it includes a remap. What price are we looking?
Marco
Current: Subaru WRX
Ex: VW Polo 1.9 TDI Sportline
Ex: VW Golf VR6
Ex: VW Golf 1.8 GTi 16v
ALFAHOLIC wrote:What can go wrong, jarre you guys sound like you are describing an Alfa here...
My Corsa OPC wrote:Its not an oil leak, its just an Opel marking its territory
-
- VAG Cafe
- Posts: 19036
- Registered for: 19 years 3 months
- Car Make: Audi
- Car Model: RS3
- Membership No: 675
- Location: Centurion
- Contact:
-
- Cadet
- Posts: 126
- Registered for: 15 years 5 months
- Location: Durban
Re: MY2010 Security lockout solution
old topic, I have a question tho....
with this security lockout in place, how are FRC etc doing remaps? I took my Scirocco to APR (justin) and he advised me of this, but then I spoke to FRC and they did the remap on my car. What's the real deal? If you feel that this might be controversial to put up on the forum, pls feel free to pm!
Regards,
2006 Corsa ute JL , Alpine , SEAS
-
- VAG Cafe
- Posts: 19036
- Registered for: 19 years 3 months
- Car Make: Audi
- Car Model: RS3
- Membership No: 675
- Location: Centurion
- Contact:
Re: MY2010 Security lockout solution
Flash_Gti wrote: old topic , I have a question tho....
with this security lockout in place, how are FRC etc doing remaps? I took my Scirocco to APR (justin) and he advised me of this, but then I spoke to FRC and they did the remap on my car. Whats the real deal. If you feel that this might be controversial to put up on the forum , pls feel free to pm!
Regards,
This issue has mostly affected the Audi B8 chassis and recently we encountered a Tiguan as well. All the Rocs and Mk6 GTIs we have done have been via the OBDII port so no issues yet.
-
- Lieutenant
- Posts: 1243
- Registered for: 18 years
- Membership No: missing
- Location: Cape Town
Re: MY2010 Security lockout solution
Do you guys have a map for the tiguans? 2011 model? Also, can you flash it the old-fashioned way or with this new bench flash?
"Nothing in the world can take the place of persistence. Talent will not; nothing is more common
than unsuccessful men with talent. Genius will not; unrewarded genius is almost a proverb.
Education will not; the world is full of educated derelicts. Persistence and determination alone
are omnipotent."
-
- VAG Cafe
- Posts: 19036
- Registered for: 19 years 3 months
- Car Make: Audi
- Car Model: RS3
- Membership No: 675
- Location: Centurion
- Contact:
-
- Lieutenant
- Posts: 1243
- Registered for: 18 years
- Membership No: missing
- Location: Cape Town
Re: MY2010 Security lockout solution
Rabbit222 wrote: Bench flash on the 2011
What will the price be for this?
"Nothing in the world can take the place of persistence. Talent will not; nothing is more common
than unsuccessful men with talent. Genius will not; unrewarded genius is almost a proverb.
Education will not; the world is full of educated derelicts. Persistence and determination alone
are omnipotent."