SWT / FSC patching

superwofy

Corporal
Jan 18, 2021
109
145
0
This post is mostly informational. The HUtools that was leaked does exactly this and is way easier.

It's quite simple, nothing groundbreaking here. If you're familiar with how FSCs work, you'll know that BMW has their own PKI.
The certificate chain is composed of the Root, SigS and FscS certificates.

Long story short, in order to sign your own certificates, you need to replace these certificates in the NBTCarHUTwo binary.


certs.png


To generate them, I used the following commands:
Code:
[Root CA]

Set date to 2002-09-19


openssl genrsa -3 -out root.key 2048


openssl req -x509 \
-days 9132 \
-md5 \
-set_serial 1001 \
-key root.key \
-out root.pem \
-subj "/DC=com/DC=bmwgroup/O=pki/OU=bmw-fzg-pki/CN=fzg-root-ca" \
-extensions v3_req \
-config <(echo -e "[v3_req]\nbasicConstraints=critical,CA:true,pathlen:0\nsubjectKeyIdentifier=none\nauthorityKeyIdentifier=none\nkeyUsage=critical,keyCertSign,cRLSign")


openssl x509 -outform der -in root.pem -out root.der


Code:
[SigS]

Set date to 2006-07-19

RSA key for SigS needs to be 512 bit and have exponent 7. Go to: https://merri.cx/enigmator/cipher/rsa_keygen.html.
Use http://www.certificate.fyicenter.com/2147_FYIcenter_RSA_Private_Key_Generator.html#Result to generate the primes p,q


openssl req -x509 \
-md5 \
-key sigs.key \
-out sigs.pem \
-subj "/DC=com/DC=bmwgroup/O=pki/OU=bmw-fzg-pki/CN=CCC-SigS-Key"


openssl x509 -x509toreq -in sigs.pem -signkey sigs.key -out sigs-signed.csr -md5


openssl x509 -req \
-in sigs-signed.csr \
-CA root.pem \
-CAkey root.key \
-set_serial 1010 \
-out sigs-signed.pem \
-md5 \
-days 1827 \
-extensions v3_req \
-extfile <(echo -e "[v3_req]\nextendedKeyUsage=critical,codeSigning\nsubjectKeyIdentifier=none\nauthorityKeyIdentifier=none")


openssl x509 -outform der -in sigs-signed.pem -out sigs.der


Code:
[FscS]

Set date to 2007-07-30


openssl genrsa -3 -out fscs.key 1024


openssl req -x509 \
-md5 \
-key fscs.key \
-out fscs.pem \
-subj "/DC=com/DC=bmwgroup/O=pki/OU=bmw-fzg-pki/CN=zentrale Master Freischaltcodestelle-Produktiv"


openssl x509 -x509toreq -in fscs.pem -signkey fscs.key -out fscs-signed.csr -md5


openssl x509 -req \
-in fscs-signed.csr \
-CA root.pem \
-CAkey root.key \
-set_serial 1026 \
-out fscs-signed.pem \
-md5 \
-days 9132 \
-extensions v3_req \
-extfile <(echo -e "[v3_req]\nextendedKeyUsage=critical,1.3.6.1.4.1.513.10.1.1\nsubjectKeyIdentifier=none\nauthorityKeyIdentifier=none")


openssl x509 -outform der -in fscs-signed.pem -out fscs.der


Code:
[Esys signing private key]
openssl rsa -in fscs.key -outform der > fscs.der


Replace the certificates in the binary, then:
Code:
Save and clear persistence:
cp -rv /var/opt/sys/persistence /fs/usb0/hu-intel-persistence && \
cp -rv /net/hu-jacinto/var/opt/sys/persistence /fs/usb0/hu-jacinto-persistence && \
rm -r /var/opt/sys/persistence/* && \
rm -r /net/hu-jacinto/var/opt/sys/persistence/*


// Need mv because file is open
mount -uw /fs/sda0 && \
mv /fs/usb0/NBTCarHUTwo /opt/car/bin && \
chmod 0775 /opt/car/bin/NBTCarHUTwo && \
sleep 5 && mount -ur /fs/sda0 && OnOffDSICommander appreset


Example files that can be used are attached.
 

Attachments

  • certs.zip
    3.1 KB · Views: 19
Last edited:
  • Like
Reactions: wheela