
Thread: 2019 zr1 read access... Bill?

  1. #1
    Tuner
    Join Date
    Jun 2012
    Location
    Canada
    Posts
    154

    2019 zr1 read access... Bill?

    guys any idea as to when we will be able to read/tune these? really looking forward to seeing how they incorporated/control secondary fuel system.

    Cheers
    Last edited by obd2; 10-16-2018 at 07:35 AM.

  2. #2
    I'd be patient 'cause if you look there are at least 3 threads of Z06 complications after writing calibrations.

  3. #3
    Senior Tuner Higgs Boson's Avatar
    Join Date
    Mar 2010
    Location
    Texas Hill Country
    Posts
    3,299
    Quote Originally Posted by jpierro79 View Post
    I'd be patient 'cause if you look there are at least 3 threads of Z06 complications after writing calibrations.
    can you stop posting this because you have problems with your car? I have been writing E92s since 2013 to the latest 19 Z with no issues at all.

    Regarding the ZR1, it has a completely different ECM and uses a changing code every time you access it and has not been cracked and may never be. hopefully HPT comes up with a workaround but I won't hold my breath on this one....

  4. #4
    Advanced Tuner IARLLC's Avatar
    Join Date
    Aug 2016
    Posts
    942
    Yep. Lots of E92 and E92A. No tuning related problems with any of those yet....looking for some wood to knock on.

  5. #5
    First of all, I don't have problems with my car, thanks.

  6. #6
    Tuner
    Join Date
    Jun 2012
    Location
    Canada
    Posts
    154
    Quote Originally Posted by Higgs Boson View Post
    can you stop posting this because you have problems with your car? I have been writing E92s since 2013 to the latest 19 Z with no issues at all.

    Regarding the ZR1, it has a completely different ECM and uses a changing code every time you access it and has not been cracked and may never be. hopefully HPT comes up with a workaround but I won't hold my breath on this one....

    Higgs OMG! Totally disappointed, WHY? If this is the case I would never buy one. Are the new diesels also using rolling codes?

  7. #7
    Tuner
    Join Date
    Jun 2012
    Location
    Canada
    Posts
    154
    Quote Originally Posted by jpierro79 View Post
    I'd be patient 'cause if you look there are at least 3 threads of Z06 complications after writing calibrations.
    I have done numerous E92 ECUs, 2015 to 2018, without a problem. The only time I bricked an ECU was when I did not hold the start button to properly power up the ECU, so it shut down during the erase/write function, rendering the ECU inop for HP Tuners. However, I was able to reprogram the ECU at the dealer using MDI2 and it is currently in service.

  8. #8
    Advanced Tuner
    Join Date
    Jul 2015
    Posts
    925
    Quote Originally Posted by Higgs Boson View Post
    can you stop posting this because you have problems with your car? I have been writing E92s since 2013 to the latest 19 Z with no issues at all.

    Regarding the ZR1, it has a completely different ECM and uses a changing code every time you access it and has not been cracked and may never be. hopefully HPT comes up with a workaround but I won't hold my breath on this one....
    I knew there were issues with cracking the ZR1 but I didn't know it's constantly changing the code on it. Interesting.

  9. #9
    Senior Tuner Ben Charles's Avatar
    Join Date
    Aug 2009
    Location
    Calibrating
    Posts
    3,371
    No problems tuning e92 or above...
    Yeah, I don't think we will be able to get into the E99, it's about to become the norm I fear

  10. #10
    Advanced Tuner
    Join Date
    Aug 2016
    Posts
    386
    Quote Originally Posted by Higgs Boson View Post

    Regarding the ZR1, it has a completely different ECM and uses a changing code every time you access it and has not been cracked and may never be. hopefully HPT comes up with a workaround but I won't hold my breath on this one....
    Yes, it's an E99 which is part of a new family of ECUs GM has rolled out. But, the problem is not rolling codes, the problem is that the flashes are digitally signed and only GM knows how to make proper signatures. And, yes, Ben Charles is correct, all of the recently new ECU hardware designs have the signing mechanism (E88, E90, E99, E01, E41, T87A, T93).

    Good news is exploits have been found in some of them, so maybe there's a chance...

  11. #11
    Thanks for the info. Do you know what's different in the 2017+ E92 that requires extra complexity and an internet connection? I'm assuming you need an internet connection so the VCM editor can communicate with HP Tuners servers, and then HP Tuners servers are connected to GM TIS in order to fake something to make the ECM think it's connected to GM TIS. But then you only have to do it the first time you flash. I know the new controllers have a digital signature, and I assume the ECM will internally reject writing any flash that doesn't have GM's private key? Or is the key needed in order to validate a password or something? I know the actual tune isn't encrypted, only the signature is. I know trying to bypass the data bus and flash directly to the chip also doesn't work since the digital signature check is built in at the lowest level in the chip.

  12. #12
    It's becoming like VW has been for years. Internet required, etc. etc., more complications. Bottom line is GM is getting more complex and I don't care if you've flashed 100 cars of Gen V, I'm trying to help those who DON'T know; if you do, great. So if you've never bricked a car, good for you. I'm getting tired of being bashed for trying to help. VW ECUs have been more complex for many years. BMW is the worst, but due to the popularity of GM tuning the software will come and it will be stable, and do not be disappointed. For those knocking me for my suggestions, have at it. I don't see you posting on how to try to help other people. Troll me all you like, just 'cause you've posted 3000 posts doesn't mean anything. ZR1 software will be here and it will happen. Rolling codes are nothing new but just more complex. Your garage door opener more than likely has rolling codes.

    With that being said, I do like HP Tuners as write times are fast, and accessibility vs cost and being compact is great. Also not needing company approval and training courses is nice to have access. Here's the thing though: ANYONE CAN ACCESS it. I'm not saying HP Tuners is bricking cars, people are. Hence the posts I write are for the average Joe, as that is what 90 percent of people using HP Tuners are. I'd love to see the average Joe pass the test for access to pro Cobb software. You MUST GET EVERY QUESTION RIGHT.

    So back to the real topic, as I've made my point. Requiring an internet connection stinks, and if you have a poor connection be prepared. There might be a need for internet like Unitronic and APR, as there are many variants or coding of the same ECU. I'm not sure how GM is coding their ECUs, but VW had more than 20 different ECUs for the same car in the same model, and each year later they'd add another 20, even same model, and as many TCU units, and also required an internet connection because it simplifies software on our end. We've got it easy. Imagine 45 minute write times requiring jump box and digital charger.

  13. #13
    I had a friend fix a Z4 that was struck by lightning. He had to replace almost every module. I was extremely surprised at how easily he was able to buy all new modules and reprogram them. I thought BMWs were all locked down, but apparently not; he was changing all kinds of BCM type functions. With any Global A type GM vehicle we have basically no control over anything unless we want to invest in a TIS subscription, and even then everything is cloud controlled. This makes me kind of disappointed I bought a new Camaro. I know all the manufacturers are going through this but I thought GM stuff was still the easiest as far as tuning goes.


    The thing about his BMW stuff was all the control he had over BCM type functions. Since all the new GM stuff like traction control is done outside the ECM, we could desperately use access to the chassis and body control module to tweak launch control and stuff like that.

  14. #14
    I went back to my old laptop and recovered a car recently with a FPCM KAM failure persistent code. It was like carrying a lead brick. My old ASUS worked even after 6 flashes on Lenovo and the Snap-on scanner costing 5k would not read a FPCM fail the two laptops read it and yet after I transferred the file ASUS at home and did a full write to ZL1 it cleared right up. Code non-existent. Why does my crappy laptop work better than my 2k laptop? So if you're stuck it might be an option to transfer the tune file to a different laptop as it might write and work. I got stuck with a car that stuttered its way home and it was for a friend. So embarrassing. I looked like an #)(*$ you get the hint. It was a MAF adjustment on darn near stock car raise rpm with 2 degrees and 400 rpm raise child's play.
    Last edited by jpierro79; 10-21-2018 at 09:16 PM.

  15. #15
    Advanced Tuner
    Join Date
    Aug 2016
    Posts
    386
    Quote Originally Posted by cmitchell17a View Post
    Thanks for the info. Do you know what's different in the 2017+ E92 that requires extra complexity and an internet connection? I'm assuming you need an internet connection so the VCM editor can communicate with HP Tuners servers, and then HP Tuners servers are connected to GM TIS in order to fake something to make the ECM think it's connected to GM TIS. But then you only have to do it the first time you flash. I know the new controllers have a digital signature, and I assume the ECM will internally reject writing any flash that doesn't have GM's private key? Or is the key needed in order to validate a password or something? I know the actual tune isn't encrypted, only the signature is. I know trying to bypass the data bus and flash directly to the chip also doesn't work since the digital signature check is built in at the lowest level in the chip.
    Yes, so GM ECU security went from a design that would have been questionably secure in 1985 to something that's considered modern day secure over the course of 1 model year. Two things happened.

    1. For 2017, most or all ECMs went to a new security key calculation that is infinitely more complex than the pre-2017 method.

    2. For 2017, any new ECU designs that came about (T87A, E41) include a secure boot loader by incorporating a digital signing mechanism.

    Most of the tuning companies seem to have found one solution or another for #1. It's #2 that's the bigger problem, though in those two particular cases, there are options now. I haven't heard of anybody getting past #2 for the E88, E90, E99, E01 or T93.

    But, GM released an LT5 crate engine kit, I wonder if the ECM that comes with it (which is almost certainly an E99) is "open"? And didn't Dodge say they were doing that with the Demon ECM?

  16. #16
    Advanced Tuner Redline MS's Avatar
    Join Date
    Jun 2006
    Location
    New York- South Florida
    Posts
    536
    Coming soon..... Start studying about RSA Encryption...
    Last edited by Redline MS; 10-24-2018 at 11:14 PM.


  17. #17
    Quote Originally Posted by tunerpro View Post
    Yes, so GM ECU security went from a design that would have been questionably secure in 1985 to something that's considered modern day secure over the course of 1 model year. Two things happened.

    1. For 2017, most or all ECMs went to a new security key calculation that is infinitely more complex than the pre-2017 method.

    2. For 2017, any new ECU designs that came about (T87A, E41) include a secure boot loader by incorporating a digital signing mechanism.

    Most of the tuning companies seem to have found one solution or another for #1. It's #2 that's the bigger problem, though in those two particular cases, there are options now. I haven't heard of anybody getting past #2 for the E88, E90, E99, E01 or T93.

    But, GM released an LT5 crate engine kit, I wonder if the ECM that comes with it (which is almost certainly an E99) is "open"? And didn't Dodge say they were doing that with the Demon ECM?
    Thanks a lot for the info! I would think the boot loader would be responsible for rewriting the flash when the rest of the board is off, so they put logic into the bootloader and stored a private key into it, then this logic compares a decrypted (decrypted by the internal private key in the bootloader) signature (value stored in the calibration) to some value stored in the bootloader. This method prevents someone from reading the calibration file signature, since the signature has been encrypted by GM's private key, it has to be un-encrypted to make any sense. This way no one could just look at the calibration and figure out the true value of the key? But that leads me to the question of how does someone not just manually read the signature value off the bootloader flash? Thanks again for the info

    Also is the security key you describe in the #1 method, is this just the "challenge-response" when a request is sent through the OBD port to rewrite calibration, meaning the ECM will ask a question, then the tuning tool has to send a response back that the ECM checks is correct? If this is how it works, what is stopping someone from sniffing that value out and sharing it with everyone? Is it rolling code?
    Last edited by cmitchell17a; 10-31-2018 at 06:23 PM.

  18. #18
    Advanced Tuner
    Join Date
    Aug 2016
    Posts
    386
    Quote Originally Posted by cmitchell17a View Post
    Thanks a lot for the info! I would think the boot loader would be responsible for rewriting the flash when the rest of the board is off, so they put logic into the bootloader and stored a private key into it, then this logic compares a decrypted (decrypted by the internal private key in the bootloader) signature (value stored in the calibration) to some value stored in the bootloader. This method prevents someone from reading the calibration file signature, since the signature has been encrypted by GM's private key, it has to be un-encrypted to make any sense. This way no one could just look at the calibration and figure out the true value of the key? But that leads me to the question of how does someone not just manually read the signature value off the bootloader flash? Thanks again for the info
    If they were smart they would have used asymmetrical encryption on the signature so even if the boot loader is compromised, all you'd have is the [public] key which can only verify the signature provided is authentic (e.g. the only thing the boot loader would need to do), not generate a new one... And, a secure boot loader would have countermeasures to prevent itself from being manually read. Seeing as how nobody except GM seems to be able to generate signatures that work on unmodified ECUs, I'd say either or both of these are true.
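
The verify-only property described in the post above, shown as an added example; it is not part of the original thread and is not GM's or any tuning vendor's code. It assumes unpadded hash-then-sign RSA with a constructed toy key, and the names `vendor_sign`, `bootloader_verify` and `accept_flash` are hypothetical.

```python
import hashlib

# Constructed toy key (assumption): two Mersenne primes so the example needs no
# key generation. Real signing keys use random primes and padded signatures.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public half: all the verifier stores
D = pow(E, -1, (P - 1) * (Q - 1))        # private half: never leaves the signer

# Constructed sample images, not real calibration data.
STOCK = b"CAL-0001 spark=20 fuel=100"
MODIFIED = b"CAL-0001 spark=24 fuel=108"


def digest_int(image: bytes) -> int:
    """SHA-256 of the image as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def vendor_sign(image: bytes) -> int:
    """Signer side (hypothetical name): requires the private exponent D."""
    return pow(digest_int(image), D, N)


def bootloader_verify(image: bytes, signature: int) -> bool:
    """Verifier side (hypothetical name): uses only the public values N and E."""
    if not 0 < signature < N:
        return False
    return pow(signature, E, N) == digest_int(image)


def accept_flash(image: bytes, signature: int) -> str:
    """What a signature-checking loader would do with an incoming image."""
    return "programmed" if bootloader_verify(image, signature) else "rejected"


if __name__ == "__main__":
    sig = vendor_sign(STOCK)
    print("stock image, vendor signature:   ", accept_flash(STOCK, sig))
    print("modified image, reused signature:", accept_flash(MODIFIED, sig))
    print("stock image, altered signature:  ", accept_flash(STOCK, sig ^ 1))
```

Nothing in `bootloader_verify` touches `D`, which is why reading the verifier's stored values yields only `N` and `E`.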

  19. #19
    Bypassing RSA sigs is not that difficult. I don't follow GM stuff too closely, but if this has not been solved yet, if someone has an ECU dump and boot I'm sure I can find an exploit. Also need to know what chip is in it. I've developed exploits for most all TriCore and MPC including FCA.

  20. #20
    HP Tuners Support
    (foff667)
    Bill@HPTuners's Avatar
    Join Date
    Jun 2004
    Location
    Hailing from Parts Unknown
    Posts
    28,247
    It doesn't have to be perfect, it just needs to be done in two weeks...

    A wise man once said "google it"