  • Member
  • Member For: 20y 7m 25d
  • Gender: Male
  • Location: Sydney NSW
I'm not so sure about licensing agreements - proprietary embedded software is present in everything these days - fridges, dishwashers, irons, electric shavers and toothbrushes, etc!

Just look at your mobile phone- good example of complex embedded software. Nokia service centres for one update the firmware whenever you go in for a service- but we don't agree to any terms to use it.

Seriously though, if Ford wanted to lock people out, they could.  As stated above, provided they don't impede the OBD-II protocol, or the current standard they are aspiring to for diagnostic code retrieval, they are free to do as they wish!

It is their software after all.  Interesting that LS1-Edit and its variants (Kalmaker, etc) are still going strong.

Maybe Ford secretly want a small community of people to be able to modify their cars.  There is some good free press in the performance community that they are easily modified currently- does it help sales or build the brand??    :msm:

Brett

<{POST_SNAPBACK}>

Or alternatively go to a Ford dealer. I will start doing some mods to my car through my dealer knowing that I will have full warranty on my vehicle. Sure it will cost me a little more but then again I will have peace of mind driving.

<{POST_SNAPBACK}>

Mate I agree, I was speaking to my dealer on Saturday and they do know it's flashed... But he also said if I flash he will not put me on "the list". He stated he wants to know what's done so he can help me with my mods and ensure that everything will be able to handle a greater power load. I understand that if I edit I lose warranty on engine components, turbo etc but not the whole vehicle. It was good to hear that some Ford dealers want you to enjoy your ride with your own mods.

  • Member
  • Member For: 20y 11m 30d

Sorry but I just don't buy the "You play you pay" philosophy, within reason of course, on the basis that it's just not that simplistic.

Let's say you have a whining torque converter and diff, both of which have been addressed with Ford, who refuse to do anything as it falls within the "normal parameters".

Subsequent to getting the edit the noises finally reach an unacceptable level, and Ford refuse liability 'cause of the edit. Is that fair? I don't think so.

As far as I'm concerned Ford can pay for anything that goes wrong with my car and be happy going about it.

Let's just put it down as reimbursement for my being out of pocket for the copious time off work spent driving back and forth trying to get even the most basic of warranty work done without satisfaction. :msm:

  • Member
  • Member For: 22y 1m 17d
Good Idea. Don't go near Ford.

Once they have finished their next round of flash "Upgrades" due in September, the rumour is that the Upload function of the ECU's will be PASSWORD protected.

Diagnostic codes will still be available, to keep the ACCC happy, but uploading Flash to the ECU's will be no more and that includes CAPA and SCT boxes.

Unless you know the NEW password for your car (which they are talking about having dealer specific) there will be no way to upload a flash.

<{POST_SNAPBACK}>

I doubt this will be possible for existing cars.

The flash is done at the physical (ie lowest) level. Passwords are done at the application or software level.

Simply, the flash writes over everything. No password related applications will likely be running when this occurs as everything is written over and barely a thing is running - and a password checking application can't be running if at the same time its software is being overwritten by the Edit box without specially designed hardware to load and run the password app in volatile memory regardless of what's happening to the storage memory.

Its definitely possible with specially designed hardware (ie they could choose to do it for new cars) but I would be surprised if this will be done very successfully with the existing hardware we all have.

That being said - the obvious place we should be looking for answers is in the US where SCT has done their thing for ages, and I have no doubt Ford HQ has given advice to Australia.

Has anyone been to any US Ford fan websites and asked if Ford can detect the SCT edits for US cars from people who have been using them for years? Also, how, and have they been able to block people from doing it using passwords?

  • Member
  • Member For: 22y 1m 17d
Passwords?  Hardly!

If Ford have learnt their lesson and *really* want people out, they would not go for a simple password setup.  The password may be used as a hash as part of a bigger encryption system.

[snip]

BK

<{POST_SNAPBACK}>

And what are they going to encrypt? The encryption being used won't matter when the whole contents of memory is completely written over using an Edit box.

It will take a lot of new hardware to do what you mention, and its something they will take a fair while to make bulletproof.

Encryption like the examples you mention depends on one or both parties being secure. In the example of a VPN, it's usually taken for granted that the destination is physically secure. If it isn't, give me 4 minutes with a boot CD (Unix or Windows) and I'll show you how poor encryption can be :)

Our cars are not physically secure. In fact they provide a nice easy to use plug interface to facilitate connection!

I will give you an example. I can encrypt my hard disk, or password protect my BIOS. Both of them are done higher than the physical level. If I were to overwrite my BIOS with a newer version or format my hard disk and put on a version of Unix, it wouldn't matter what encryption was there beforehand as it would all be wiped and replaced with what I want.

Even so, you would need a dedicated 2nd mini CPU to run a gatekeeper type program that includes strong passwords (say a 128+ bit key) and only when that password is entered correctly will it let data from outside go into the ECU to reprogram it.

It's far from perfect though. You could simply do the equivalent of a game console bypass type thing to get past that bit of hardware and get straight to the main ECU. Or since that thing is likely a device that can be written to, the Edit software would simply also overwrite the gatekeeper as well with a version that has the password set to something you know.

Another (better) alternative is an encrypted binary that decrypts on the fly bit by bit when it runs. But these are not foolproof even with strong encryption. There are a bunch of programs out there that use 1024 bit encryption to prevent people from editing the program to make it a full version and to skip serial checking algorithms and the like (Star Force is a good example that works quite well) - and despite such a strong encryption these have been bypassed without a problem.

Ford Aust can sure beef up security, but its unlikely they could make them fool proof. However since Australia is a small market, the chances of an Australian being interested and getting past the security would be quite low unfortunately.

Probably the best way of doing it would be to have a small section of memory (say 256 bits) totally separate from main memory. The method of writing to this must be hard - such as undoing the ECU box and plugging something in etc. (You then introduce physical security by sealing the ECU box like your electricity meter). That section of memory can hold an MD5 hash of the code in the ECU. If the wrong checksum exists, either the car won't start, or alternatively it logs details.

The only downside is that when flashing your ECU during a service, the servicing department must open your ECU to update the hash in the separate memory. Then they re-seal the ECU and then they flash the main memory...and the hash then matches the new software so all is well.

An extra step, but will end up being pretty secure.

Edited by mickq
  • Donating Members
  • Member For: 21y 3m 23d
  • Gender: Male
  • Location: Sydney

It's obvious you guys have never dealt with embedded firmware.

There must be a bootloader of some description and 100% of the boot loaders I have ever played with can easily be written to accept passwords.

We are developing on a Power PC platform at present and from the feedback I've had from our dev guys in the USA, it is extremely similar to the Black Oak platform... and guess what, we run passwords at the bootloader level, long before any app is loaded.

You can get around it, if you have the internal developers' code to catch these things as they boot and to poke memory to see if you can find the passwords, but if they are hashed, GOOD LUCK.

If you were capable of "formatting" the whole thing, there would be no bootloader to accept the new incoming Firmware image.. so guess what, back to Ford for a new one.

There must always be some Low Level type bootloader if you are going to have a "Flashable" unit.

If in the above example you did set a BIOS password, how do you FLASH your BIOS, seeing you would have to enter the password to get the PC to Boot? Your only out there is the backup battery. Now just imagine that password itself was written to ESquared ? No chance in hell of getting around it.

Would take the Ford guys about a week to implement and test.

EASILY Done..

Edited by Grass
  • Member
  • Member For: 20y 3m 8d
  • Location: The North Cooma End of Canberra...
If in the above example you did set a BIOS password, how do you FLASH your BIOS, seeing you would have to enter the password to get the PC to Boot?

<{POST_SNAPBACK}>

Simple, pull the battery or use the reset jumper, easy and have done it many times... (Final solution a new BIOS chip, but that is getting messy...)

  • Donating Members
  • Member For: 21y 3m 23d
  • Gender: Male
  • Location: Sydney
If in the above example you did set a BIOS password, how do you FLASH your BIOS, seeing you would have to enter the password to get the PC to Boot?

Simple, pull the battery or use the reset jumper, easy and have done it many times... (Final solution a new BIOS chip, but that is getting messy...)

That's exactly what I am getting at,

There is NO reset link or battery to pull out on the Ford ECU's.

E squared (or EEPROM) is not volatile memory like in your PC; once it is written it is there until it is overwritten. Taking off the board, taking away the battery etc has NO effect. You will find that Ford are also writing the firmware image to the E squared as well.

Ever wondered why your car still starts even if the battery is disconnected?

It is ALL in PERMANENT memory.

What's written in there stays there. Like a DVD drive that has the regions changed on it, once you exceed your number of regions there ain't nothing you can do about it: disconnecting it, moving to another PC, every time it knows it has been changed too many times.

  • Member
  • Member For: 20y 3m 8d
  • Location: The North Cooma End of Canberra...
That's exactly what I am getting at,

There is NO reset link or battery to pull out on the Ford ECU's.

E squared (or EEPROM) is not volatile memory like in your PC; once it is written it is there until it is overwritten. Taking off the board, taking away the battery etc has NO effect. You will find that Ford are also writing the firmware image to the E squared as well.

Ever wondered why your car still starts even if the battery is disconnected?

It is ALL in PERMANENT memory.

What's written in there stays there. Like a DVD drive that has the regions changed on it, once you exceed your number of regions there ain't nothing you can do about it: disconnecting it, moving to another PC, every time it knows it has been changed too many times.

<{POST_SNAPBACK}>

Give it time, it could be proven that it could be defeated with as little as a graphite pencil (any newsagency sells them). You've probably heard about the AMD lock (it was either clock speed or multiplier, can't remember which) and that was defeated using a graphite pencil, creating a link between a few pins and voilà, instant unlocked chip (no coding required...) It was difficult for AMD to detect as from memory if you had to send the chip back the tracks could be erased from the chip (a rubber could do it...)

You're thinking of the more traditional methods of unlocking \ overwriting etc... I'm sure the guys on this site if nothing else would be looking at ways of unlocking any locks that Ford put on... And I'm sure that they would find a way to do it so that Ford couldn't detect it... (Which is what the entire thread is about)

Remember for every security device a man builds there are at least 3 men ready to defeat it...

:laughing:

Edited by harvyk
  • Member
  • Member For: 22y 2m 28d

Guys, you're missing something here still :):idunno:

We're talking about the difference between a microprocessor (I.e. x86 variants) and a microcontroller (I.e. 6816, MPC555, etc).

Microprocessors NEED off chip Program and Data storage. They are simply execution engines that read instructions, starting at a predefined address, and process them. Swap the Program they read (I.e. BIOS) and they do something different.

Microcontrollers are SELF CONTAINED, they often have Program and Data storage right on the same silicon. The Black Oak, MPC555, has 448 KB of Program (EEPROM, non-volatile) and 26 KB of Data (SRAM, volatile) on chip. They come 'unlocked' when new and can be freely programmed.

There would be NO hardware changes required. There is no way you can bypass the internal (as in, cast in the same silicon) EEPROM of the Black Oak MPC555. You can't read it directly from external pins at all, unless you write code into it, to send itself outside.

Think of a PC with a BIOS password. Now move the BIOS into the Processor with no dependence on power. (EEPROM, or Esquared as Grass refers to it, is Electronically Erasable, Programmable ROM, and is used in cars to store things like Odometer values, and needs no power).

Now there is a config register, also is internal EEPROM, which decides what the Black Oak does on boot. It would be configured to bootstrap from internal EEPROM only. The chip also has on board RAM, 26KB of it - plenty of room.

The only program that can overwrite the EEPROM is in the EEPROM! (And BTW, in Motorola chips, the EEPROM can normally be partitioned, so you can lock the bottom half, and overwrite the top half, etc so no dual-port / dual micro approach needed)

So - you give the chip power, it loads the encryption code. What are you going to bypass? You can't change how it boots or what it boots, because you can't access that memory- it is internal and the software in there has to LET you read write it- only when you get the authentication right!

Take the MPC555 off the board, and boot it up in isolation - it loads the encryption code.

Very simple. Very hard to bypass. No boot disk, boot CD, back door, emergency floppy flash loader, CMOS jumpers or BIOS to pop and replace. No disk to move to another machine. Forget it. Embedded processor, self contained. If they want you out, YOU'RE OUT :)

You can poke it with a pencil all you like :laughing: Your three men can physically crack it open, but nothing will work when you do that! (packaging is cast onto the silicon, so stress the packaging and you stress the silicon!)

Sorry for the topic deviation, but I have done firmware development. PCs have components easily accessible, Embedded devices are designed to have minimum component count - the MPC555 actually has 2 x CAN bus controllers on chip, as well as multiple Analog to Digital convertors to read sensors.

So again, they could lock us out IF THEY WANT!

BK
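
As an added illustration (not part of any post in this thread, and not Ford's or Motorola's code), the C sketch below models the two designs argued above: a bootloader in a locked partition that is the only write path and checks a hashed password, and a reference hash kept in separately written memory that is compared at every boot. The sizes, function names and sample password are assumptions, and FNV-1a stands in for a cryptographic hash.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FLASH_SIZE 64u /* constructed toy size, not the real part's capacity */
#define BOOT_END   16u /* [0, BOOT_END) = locked bootloader partition */

static uint8_t  flash[FLASH_SIZE]; /* simulated on-chip non-volatile memory */
static uint32_t stored_pw_hash;    /* only a hash of the password is stored */
static uint32_t ref_app_hash;      /* reference hash, written by a separate path */
static int      unlocked;

/* FNV-1a, a stand-in: a real design needs a cryptographic hash or MAC. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

void provision(const char *pw) {
    stored_pw_hash = fnv1a((const uint8_t *)pw, strlen(pw));
}

int authenticate(const char *pw) {
    unlocked = fnv1a((const uint8_t *)pw, strlen(pw)) == stored_pw_hash;
    return unlocked;
}

/* The only write path; it lives in the locked partition. 0 = ok, -1 = refused. */
int flash_write(size_t off, const uint8_t *data, size_t n) {
    if (!unlocked) return -1;
    if (off < BOOT_END || off > FLASH_SIZE || n > FLASH_SIZE - off) return -1;
    memcpy(&flash[off], data, n);
    return 0;
}

static uint32_t app_hash(void) { return fnv1a(&flash[BOOT_END], FLASH_SIZE - BOOT_END); }
void seal_reference(void) { ref_app_hash = app_hash(); }

/* Runs at every power-up: relock, then compare application hash to the reference. */
int boot_check(void) { unlocked = 0; return app_hash() == ref_app_hash; }

int main(void) {
    static const uint8_t img[4] = {1, 2, 3, 4}; /* constructed sample image */
    provision("dealer-secret");               /* constructed password */
    if (!authenticate("dealer-secret") || flash_write(BOOT_END, img, 4)) return 1;
    seal_reference();
    return boot_check() ? 0 : 1;
}
```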

  • No boost, no bottle, just my foot on the throttle!
  • Lifetime Members
  • Member For: 21y 3m 26d
  • Gender: Male
  • Location: Sydney

As far as I understand the BlackOak EEPROM has its firmware that is not on an erasable chip. This would require Ford to install new ECU's or open them up and install EEPROM chips.

If this is the case, I cannot believe that Ford would spend the money replacing all the ECU's.

The only question I have about this password thing is that Ford have had the Edit in the USA for many years now and seem to do SFA about their cars being edited, why do you think Ford Oz will bother to password their ECU's if the USA have not?
