Post 2020 DME cracking.

Surebob

Well-Known Member
First Name
Greg
Joined
Mar 23, 2022
Threads
2
Messages
47
Reaction score
53
Location
Los Angeles
Car(s)
2021 GR Supra A90
Hey guys, I haven’t really searched too much in the forums and Google isn’t helping.

Is there anyone here that is willing to explain to me the technical workflow of cracking these DMEs? I know that probably the world’s biggest minds are working on this, and I don’t expect that I am going to crack it myself, just need general information on the technical process. Thank you.

32bitsofGil

Well-Known Member
First Name
Gilbert
Joined
Nov 9, 2021
Threads
23
Messages
620
Reaction score
670
Location
Taylor, TX
Car(s)
2021 Supra 3.0
Agreed, spend some time using the search feature here. You will find many, many, many threads covering the topic.

There's always messaging Femto directly, they are quite great about answering questions on IG.
 
Surebob
> Agreed, spend some time using the search feature here. You will find many, many, many threads covering the topic.
>
> There's always messaging Femto directly, they are quite great about answering questions on IG.

Yea I don’t think Femto is gonna give me any technical breakdowns. FYI I don’t mean unlocking for a personal tune, I mean the technical process of cracking the DME.
 
Surebob
> Start with searching in the forums. It's the same process as cracking/hacking any other piece of hardware. You find an exploit.. then you exploit it.

Yea, I generally know how hardware hacking works; I have a couple of guys with decades of hardware hacking experience. I recently bought a Supra and became knowledgeable of the shitshow that the 2020+ DME unlocking has become. I see a lot of predatory practices from different companies and just plain bullshit, like MP claiming they cracked it and going radio-silent, to Femto being scummy and not franchising to the States. That whole bullshit about “They don’t want their method stolen” is not true; there are many ways to encrypt their tool where shops stateside using their unlock wouldn’t be able to reverse engineer it. With that all said, if I get a general idea of what DME hacking/cracking entails, I might be able to do the community a favor and stick it to the russkies.
 
Surebob
Let’s get some facts straight.

  1. Femto requires physical access to the DME
  2. Femto can do a partial unlock on the original DME or a full unlock on a cloned DME
  3. Femto can clone your DME

Taking these facts into consideration, we can deduce a couple of things. First, if they can clone your DME, that means they are able to do a full dump of the firmware of the DME, or at least a full dump of some form of memory within the DME. This can only be done using 2 methods.
The first method is having leaked tools from the manufacturer of the DME. The second method is… well, hardware hacking using many different methods, like voltage glitching on boot-up to skip signature verification, etc.

My question is where the community’s progress is on this, so I don’t have to reinvent the wheel. Also, if someone can help me understand BOSCH DME naming conventions so I don’t have to research that myself, that would also be cool. Like, can we tell locked DMEs just by model number? Or do we need to check the manufacturing date regardless, as a single model number DME can be both unlocked and locked depending on when it was made?
 

32bitsofGil
Tell you what, I’ve got a dead DME that was involved in a crash. PM me if you’ve got the resources to hack it.
(Only bent connectors I think..)
 
Surebob
> Tell you what, I’ve got a dead DME that was involved in a crash. PM me if you’ve got the resources to hack it.
> (Only bent connectors I think..)

I remember reading your post about it. I think you mentioned that some components might also be dead?

Hardware hacking is such a finicky process that you want to eliminate every single possible reason that “might” prevent your methods from working. Thank you for the offer, but I’d be donating my own known working DME to the cause, unless of course you are talking about another one you have, in which case it’s still not a good idea to use it because it was involved in a crash.
 

32bitsofGil
> I remember reading your post about it. I think you mentioned that some components might also be dead?
>
> Hardware hacking is such a finicky process that you want to eliminate every single possible reason that “might” prevent your methods from working. Thank you for the offer, but I’d be donating my own known working DME to the cause, unless of course you are talking about another one you have, in which case it’s still not a good idea to use it because it was involved in a crash.

Totally understand, I have a feeling Femto doesn’t need to access the side of the DME that is not easily accessible.
 
Surebob
> Totally understand, I have a feeling Femto doesn’t need to access the side of the DME that is not easily accessible.

I doubt they do. It would be helpful if someone with a Femto DME can tell us if the enclosure has even been opened; if not, then they most likely have leaked software and this whole thing is a non-starter.
 
Surebob
@zrk I know you have a Femto DME. Upon delivery, could you tell if the enclosure was opened?
 

JP_

Well-Known Member
First Name
Al
Joined
Jul 15, 2021
Threads
3
Messages
122
Reaction score
104
Location
London, UK
Car(s)
Supra Jarama Racetrack Edition
I don't think there's any community progress that anyone is willing to share unfortunately. You're asking the right question on whether ECUs have been opened though.

Leaked/pirated diagnostic/development software still seems the most likely to me, mainly because hardware hacking has a potential failure rate and I don't think we've heard of Femto breaking anything ever?

From conversations with them it sounds like they could give you a full unlock for any tuning platform, if those companies would share their code. So they've got something which can sign the full writeable area of the ECU.

The only other thing I can think is potentially they've found a way to exploit widely available software like ISTA to sign arbitrary stuff - and are reflashing the ECU with that after sticking it into their own vehicle temporarily. But if this were the case I would have expected more people to have figured it out by now. I'd also be surprised if ISTA or any other tool had the private keys - more likely there are presigned binaries for ECU updates.

Then again I've no idea what anyone's doing so maybe nobody's looked!

What does surprise me is that they haven't developed a remote service. They have their own software, so they're capable of building something that could proxy the comms from the ECU or a scantool, from a shop over to a machine on their site with whatever tooling they need to use.