SWT / FSC patching


Jan 18, 2021
This post is mostly informational. The HUtools that was leaked does exactly this and is way easier.

It's quite simple, nothing groundbreaking here. If you're familiar with how FSCs work, you'll know that BMW has their own PKI.
The certificate chain is composed of the Root, SigS and FscS certificates.

Long story short, in order to sign your own certificates, you need to replace these certificates in the NBTCarHUTwo binary.


To generate them, I used the following commands:
[Root CA]

Set date to 2002-09-19

openssl genrsa -3 -out root.key 2048

openssl req -x509 \
-days 9132 \
-md5 \
-set_serial 1001 \
-key root.key \
-out root.pem \
-subj "/DC=com/DC=bmwgroup/O=pki/OU=bmw-fzg-pki/CN=fzg-root-ca" \
-extensions v3_req \
-config <(echo -e "[v3_req]\nbasicConstraints=critical,CA:true,pathlen:0\nsubjectKeyIdentifier=none\nauthorityKeyIdentifier=none\nkeyUsage=critical,keyCertSign,cRLSign")

openssl x509 -outform der -in root.pem -out root.der


Set date to 2006-07-19

RSA key for SigS needs to be 512 bit and have exponent 7. Go to: https://merri.cx/enigmator/cipher/rsa_keygen.html.
Use http://www.certificate.fyicenter.com/2147_FYIcenter_RSA_Private_Key_Generator.html#Result to generate the primes p,q

openssl req -x509 \
-md5 \
-key sigs.key \
-out sigs.pem \
-subj "/DC=com/DC=bmwgroup/O=pki/OU=bmw-fzg-pki/CN=CCC-SigS-Key"

openssl x509 -x509toreq -in sigs.pem -signkey sigs.key -out sigs-signed.csr -md5

openssl x509 -req \
-in sigs-signed.csr \
-CA root.pem \
-CAkey root.key \
-set_serial 1010 \
-out sigs-signed.pem \
-md5 \
-days 1827 \
-extensions v3_req \
-extfile <(echo -e "[v3_req]\nextendedKeyUsage=critical,codeSigning\nsubjectKeyIdentifier=none\nauthorityKeyIdentifier=none")

openssl x509 -outform der -in sigs-signed.pem -out sigs.der


Set date to 2007-07-30

openssl genrsa -3 -out fscs.key 1024

openssl req -x509 \
-md5 \
-key fscs.key \
-out fscs.pem \
-subj "/DC=com/DC=bmwgroup/O=pki/OU=bmw-fzg-pki/CN=zentrale Master Freischaltcodestelle-Produktiv"

openssl x509 -x509toreq -in fscs.pem -signkey fscs.key -out fscs-signed.csr -md5

openssl x509 -req \
-in fscs-signed.csr \
-CA root.pem \
-CAkey root.key \
-set_serial 1026 \
-out fscs-signed.pem \
-md5 \
-days 9132 \
-extensions v3_req \
-extfile <(echo -e "[v3_req]\nextendedKeyUsage=critical,\nsubjectKeyIdentifier=none\nauthorityKeyIdentifier=none")

openssl x509 -outform der -in fscs-signed.pem -out fscs.der

[Esys signing private key]
openssl rsa -in fscs.key -outform der > fscs.der

Replace the certificates in the binary, then:
Save and clear persistence:
cp -rv /var/opt/sys/persistence /fs/usb0/hu-intel-persistence && \
cp -rv /net/hu-jacinto/var/opt/sys/persistence /fs/usb0/hu-jacinto-persistence && \
rm -r /var/opt/sys/persistence/* && \
rm -r /net/hu-jacinto/var/opt/sys/persistence/*

// Need mv because file is open
mount -uw /fs/sda0 && \
mv /fs/usb0/NBTCarHUTwo /opt/car/bin && \
chmod 0775 /opt/car/bin/NBTCarHUTwo && \
sleep 5 && mount -ur /fs/sda0 && OnOffDSICommander appreset

Example files that can be used are attached.


  • certs.zip
    3.1 KB · Views: 19
Last edited:
  • Like
Reactions: wheela