Friday, August 21st 2015

MBE ECU DIM Sport Key Decryption
posted @ 4:07 pm in [ Cars -Decryption -Fixing Things -PHP -Technology ]

I’ve recently started investigating the workings of the MBE ECU (Engine Control Unit) that runs the engine and fuel mixture on my TVR Cerbera, and as part of the process took my own ECU out of the car to see how it was set up, and what version of the software it was using.

On inspection my own ECU seemed rather different than the test unit I had bought from eBay, as the EPROM that contains the program code was piggy-backed off of a daughter board rather than being directly connected to the ECU motherboard

As you can see from the picture below the daughterboard plugs in in-between the ECU and the code EPROM



and if we actually take the EPROM and daughterboard out of the ECU you can see that the daughterboard has an ATMEL F16V8BQL electronically programmable logic device in circuit



So the ATMEL F16V8BQL can basically be programmed like a small computer to do something with the data that comes in through its inputs, and then send this data back out of its outputs

Therefore the next logical question would be: why would you want to do that when normally the data from the EPROM is sent directly to the ECU for reading?

Well, it turns out that it is basically a decryption device that takes encoded data stored on the EPROM, decodes it in real time, and then sends it to the ECU as unencoded data to run with

Taking the EPROM out of its daughterboard you can see it’s made by “DIM Sport, Electronic per motori” and is labelled as Key 1010A


On investigation DIM Sport are an Italian engine calibration specialist company who make rolling road tuning systems for cars and other vehicles and Key 1010A is sold as part of their rolling road kit

So let’s try and work out how this works by reading the EPROM on its own (encrypted) and with its daughterboard installed (unencrypted)

As you can see from the Hex dumps below, the daughterboard is doing some data decryption in between


If you compare the first 16 bytes of the encrypted versus the unencrypted you can see that there is a pattern between the two


Encrypted: 04219402 C4C10FC4 9501C4C1 0FC49501

Unencrypted: 01249102 C1C40FC1 9504C1C4 0FC19504

Only the second hex digit of each byte is ever changed between the two; the first digit is always exactly the same

Originally I thought this was a pattern based cypher, so basically something like

0, -3, 0, +3, 0, -3, 0

But if you look at it visually you can see it is actually a substitution-based cypher: every time you see an ‘!’ symbol on the ASCII display of the encrypted version, it is a ‘$’ on the unencrypted version, and the same goes for the letter ‘t’ being a ‘q’

So that leans towards it being a substitution cypher, so we basically just need to work out the mapping of which letter to which, and then we can begin to reverse engineer the encryption

Here’s my map I made as I was doing it for reference (and you can see the original pattern test sequence there too) 🙂


Now let’s test our theory and translate the first 8 digits (the mapped digits are in brackets, every second digit)

04219402 = 0(1)2(4)9(1)0(2)

Perfect! So now that we have the sequence, let’s write a decryption program to read the original encrypted binary EPROM dump, decode it, and then write out an UNENCODED EPROM dump for us to use in our ECU, so that we no longer require the key

I’ve written it in PHP as that’s currently where I am spending most of my programming time at the moment, and uploaded it to my GitHub account here

So if you find one of these in your ECU, or you want to backup your own ECU software feel free to use the above, which because I didn’t reverse engineer any hardware, doesn’t normally break any software licensing rules 🙂
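The mapping step described above can be reproduced from the two 16-byte samples quoted in this post. The following Python is an added example, not the author's PHP program; the function names are illustrative, and it assumes (as the samples show) that only the second hex digit of each byte is substituted. The 16 bytes exercise only five of the sixteen possible digits, so the rest of the table has to come from comparing longer dumps.

```python
# Added example: learn the low-nibble substitution from the post's two samples.
ENCRYPTED = bytes.fromhex("04219402C4C10FC49501C4C10FC49501")    # EPROM on its own
UNENCRYPTED = bytes.fromhex("01249102C1C40FC19504C1C40FC19504")  # via daughterboard


def derive_nibble_map(enc: bytes, dec: bytes) -> dict:
    """Return {encrypted low nibble: decoded low nibble} from a known pair."""
    if len(enc) != len(dec):
        raise ValueError("samples must be the same length")
    mapping = {}
    for offset, (e, d) in enumerate(zip(enc, dec)):
        # The first hex digit (high nibble) of each byte must be untouched.
        if e >> 4 != d >> 4:
            raise ValueError(f"high nibble differs at offset {offset}")
        lo_e, lo_d = e & 0x0F, d & 0x0F
        # A substitution maps each input digit to exactly one output digit.
        if mapping.setdefault(lo_e, lo_d) != lo_d:
            raise ValueError(f"digit {lo_e:X} maps inconsistently at {offset}")
    # It must also be reversible: no two inputs may share an output.
    if len(set(mapping.values())) != len(mapping):
        raise ValueError("mapping is not one-to-one")
    return mapping


def missing_digits(mapping: dict) -> list:
    """Hex digits the sample never exercised, still to be mapped."""
    return [n for n in range(16) if n not in mapping]


def decode(data: bytes, mapping: dict) -> bytes:
    """Substitute the low nibble of every byte; fail on unmapped digits."""
    out = bytearray()
    for offset, b in enumerate(data):
        lo = b & 0x0F
        if lo not in mapping:
            raise KeyError(f"no mapping for digit {lo:X} at offset {offset}")
        out.append((b & 0xF0) | mapping[lo])
    return bytes(out)


if __name__ == "__main__":
    table = derive_nibble_map(ENCRYPTED, UNENCRYPTED)
    print({f"{k:X}": f"{v:X}" for k, v in sorted(table.items())})
    print("unmapped:", "".join(f"{n:X}" for n in missing_digits(table)))
    print(decode(ENCRYPTED[:4], table).hex().upper())
```

`decode` raises on a digit the table does not cover instead of passing it through, so a partial table cannot silently produce a corrupt image.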

Saturday, August 8th 2015

Snap-on Tool Kit – now with wheels
posted @ 9:36 am in [ Cars -Fixing Things ]

As a recent mechanical student I had the opportunity to buy my first Snap-on tool kit, which of course I snapped up the chance of doing.

It’s a fantastic student kit with everything you need for day-to-day car maintenance tasks, however even though it comes with a carry handle it is heavy which means getting it from the house to the car is quite an effort in itself!

So I put my thinking hat on, and as with our recent arcade machine projects in the office, decided that it was time to mobilise the tool kit with its own set of wheels

First things first – where to mount them.

Luckily the tool box has 4 holes on the bottom which after measuring them fit nicely with 8mm / M8 allen socket bolts.


So off to our good friends on eBay, KayFast, and order M8 bolts 20mm long and matching M8 flange nuts. I went for the round headed allen socket bolts as they will sit flush either way around



Next we need some wheels, castors in this case, and as we are using our own bolts we want ones without threaded heads, just with a hole to be bolt mounted.

Again eBay is a good source for these and I ordered 4 x 50mm lockable cabinet speaker castors from the great people at Atlas Handling (make sure you order the Bolt Hole ones)


Once they’ve arrived it’s time to match them all up and check they all fit correctly as per the picture below


Now we need to remove the bottom drawer of the tool kit to access the mounting holes from the inside, but the problem here is that there is a locking latch on the drawer that matches up with a stop on the slider, meaning that you can’t just slide the drawers out.

I had a read around and this guy had suggested using a flat hacksaw blade, but for me the easiest way was to get behind the point where they lock and apply gentle pressure using the small Snap-on screwdriver included with the toolkit on the drawer latch point to allow it to slide underneath the slider locking point as per this photo


This allows the drawer to slide all the way out as per this photo and then we can start to mount our wheels to the bottom of the cabinet


Tighten everything up using an allen key (I put the bolts with the heads on the bottom so that I can tighten them up at a later date if needed) and voila all ready to go!
