2021+ Unlock Recon

Branflakes123

Yes it's another DME unlock thread. My goal here is to gather information in one place regarding the current technical limitation for unlocking a new DME. And brainstorm how to go about making progress, since there doesn't seem to be any.

The general information floating around is the DME is encrypted.

There are probably more details but people keep secrets trying to be first to unlock so they can hog all the profits for themselves. Clearly that's not happening, at least for another 2 weeks?

To start, we need to know what other information exists?
- We can read/interact with the vehicle through OBD, but cannot push changes to tables.
- Where is the encryption? Seems like hardware, but Toyota can tune the car via OBD, do they just have a key? And is it the same across all Supras? Has anyone installed a hardware OBD sniffer then updated their car at Toyota?
- Has anyone successfully imaged the DME? Femto is able to copy new ones to old ones, so this implies they can read tables, but they may be doing some fancy interactions with the DME pins directly. This would be a gateway to creating a simulated environment, aka unlimited no-risk attempts to exploit the DME.
- What have people achieved with OBD sniffing today?
- How does the previous generation of OBD tuning work? What are the commands used to upload a table change?

I'll update as I learn more information.

zrk

This has all been covered ad nauseam.

https://www.supramkv.com/threads/bf...upra-is-finally-almost-here.13412/post-212944

Many many threads (that one included), that post, lots of research, investigation, etc has been done on this.

It's 100% a signing key thing.

https://www.supramkv.com/threads/nhtsa-recalls-aug-3-2021-remedy-available.10275/post-148061

https://www.supramkv.com/threads/a9...s-locked-warning-no-politics.6464/post-133013

----

- We cannot read from the DME as it stands, without the signing key. Only standard CANBus shit
- The 'encryption' is a rolling hardware enclave, similar to Apple's Secure Enclave
- Yes, Femto images the DME, that's how the clone works.
- Nothing really.
 

AJRMKV

What's your objective with this thread?
 
Branflakes123

Yes, I've read those threads; it's a lot of bench racing. I'm looking to gather tangible information. For example, I trust the information you are providing here due to your reputation on the forum, but not being able to reach the DME without the signing key: what's that look like? What commands does a 2020 DME accept for this, and what's the Wireshark output when trying the same command on a 2021+? I'm not saying anyone specific has to provide this, it'll probably end up being me, but this is the information I'm trying to put together. Will it result in something? Maybe, maybe not, but I would like to document how this process actually works because I'm interested.
 
Branflakes123

> With the intent to find your own unlock solution?

If I can get there, yes, but I'm well aware that this will pretty much entail either discovering an exploit or getting into Bosch's Confluence.
 

AndyK5

So how does Femto do it? I guess we don't know or we'd be doing it, but what is the guess? They have a rogue BMW engineer/mechanic that has an RSA key on his phone or key chain?
 

zrk

It's a classic voltage exploit.
 

Kroberter

Poor guy is just eating his branflakes dreaming about open source intellectual property.
 
 







