Friday, August 21st 2015


MBE ECU DIM Sport Key Decryption
posted @ 4:07 pm in [ Cars -Decryption -Fixing Things -PHP -Technology ]

I’ve recently started investigating the workings of the MBE ECU (Engine Control Unit) that runs the engine and fuel mixture on my TVR Cerbera. As part of that I took my own ECU out of the car to see how it was set up and which version of the software it was running.

On inspection my own ECU looked rather different from the test unit I had bought from eBay: the EPROM that holds the program code was piggy-backed off a daughterboard rather than being plugged directly into the ECU motherboard.

As you can see from the pictures below, the daughterboard plugs in between the ECU and the code EPROM.

IMG_1334

IMG_1335

If we take the EPROM and daughterboard out of the ECU, you can see that the daughterboard has an ATMEL F16V8BQL electrically erasable programmable logic device (a GAL16V8-compatible PLD) in circuit.

IMG_1340

IMG_1338

A PLD like the ATMEL F16V8BQL can be programmed with logic equations so that whatever arrives on its inputs is transformed and driven back out of its outputs; here it sits on the bus between the EPROM and the ECU.

So the next logical question is why you would want to do that, when normally the data from the EPROM is read directly by the ECU.

Well, it turns out that it is basically a decryption device: it takes encoded data stored on the EPROM, decodes it in real time, and presents it to the ECU as plain, unencoded data to run with.

Taking the EPROM out of its daughterboard, you can see it is made by “DIM Sport, Electronic per motori” (electronics for engines) and is labelled Key 1010A.

IMG_1341

On investigation, DIM Sport are an Italian engine calibration specialist who make rolling road tuning systems for cars and other vehicles, and Key 1010A is sold as part of their rolling road kit.

So let’s try and work out how this works by reading the EPROM on its own (encrypted) and with its daughterboard installed (unencrypted).

As you can see from the hex dumps below, the daughterboard is doing some data decryption in between:

EncryptionComparison

If you compare the first 16 bytes of the encrypted and unencrypted dumps you can see a pattern between the two.

Encrypted

04219402 C4C10FC4 9501C4C1 0FC49501

Unencrypted

01249102 C1C40FC1 9504C1C4 0FC19504

In every byte the first hex digit (the high nibble) is exactly the same in both dumps; only the second hex digit (the low nibble) changes, and in this sample 1 and 4 swap places while 2, 5 and F are left alone.

Originally I thought this was a pattern based cypher, so basically an offset sequence something like

0, -3, 0, +3, 0, -3, 0

but if you look at the ASCII column you can see it is actually a substitution based cypher: every time the encrypted dump shows a ‘!’ (0x21), the unencrypted dump shows a ‘$’ (0x24) in the same position, and likewise every ‘t’ (0x74) becomes a ‘q’ (0x71).

So that points to a substitution cypher, which means we just need to work out the mapping of which value goes to which, and then we can reverse the encryption.

Here’s the map I made as I was working through it, for reference (you can see the original pattern test sequence there too) 🙂

IMG_1345

Now let’s test the theory and translate the first 4 bytes (8 hex digits); the mapped digits, every second one, are in brackets:

04219402 = 0(1)2(4)9(1)0(2)

Perfect! Now that we have the mapping, let’s write a decryption program to read the original encrypted binary EPROM dump, decode it, and write out an UNENCODED EPROM dump that we can use in the ECU without the key daughterboard.
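As an added worked example (not the author’s PHP tool, and not DIM Sport’s code), here is a Python version of the same procedure: derive the low-nibble substitution from aligned encrypted/unencrypted dumps, check it against a candidate full 16-entry table, verify the table is invertible, and apply it to a dump. The two 16-byte samples are the bytes quoted above; the candidate table (exchanging bit 0 and bit 2 of the low nibble, which is what the 1↔4 pairs suggest a PLD rerouting two data lines would do) and all function and file names are assumptions of this example, to be confirmed against the full hand-made map.

```python
"""Work out and apply the DIM Sport Key 1010A byte transformation from two dumps.

Added example (Python), not the author's PHP decrypter. The two 16-byte samples
are the bytes quoted in the post; the bit-swap candidate table and all function
names are assumptions of this example.
"""
from __future__ import annotations

import sys

# Constructed from the post's hex dumps: bytes read from the bare EPROM (encrypted)
# and the same offsets read through the Key 1010A daughterboard (unencrypted).
ENCRYPTED_SAMPLE = bytes.fromhex("04219402 C4C10FC4 9501C4C1 0FC49501")
PLAIN_SAMPLE = bytes.fromhex("01249102 C1C40FC1 9504C1C4 0FC19504")


def derive_low_nibble_map(encrypted: bytes, plain: bytes) -> dict[int, int]:
    """Recover the low-nibble substitution from aligned known-plaintext pairs.

    Encodes the post's two observations as checks: the high nibble never changes,
    and the same encrypted nibble always decodes to the same plain nibble. Either
    check failing means the device does more than a per-nibble substitution.
    """
    if len(encrypted) != len(plain):
        raise ValueError("dumps must be the same length")
    mapping: dict[int, int] = {}
    for offset, (e, p) in enumerate(zip(encrypted, plain)):
        if (e >> 4) != (p >> 4):
            raise ValueError(f"high nibble changed at {offset:#x}: {e:02X} -> {p:02X}")
        seen = mapping.setdefault(e & 0x0F, p & 0x0F)
        if seen != (p & 0x0F):
            raise ValueError(f"nibble {e & 0x0F:X} maps to both {seen:X} and {p & 0x0F:X}")
    return mapping


def swap_bits_0_2_table() -> list[int]:
    """Candidate full table: exchange bit 0 and bit 2 of the low nibble.

    Assumption of this example: the observed pairs (1<->4; 2, 5, F unchanged) are
    exactly what swapping data lines D0 and D2 produces. Check it against the
    complete hand-made map before trusting it on a whole dump.
    """
    return [((n & 1) << 2) | ((n >> 2) & 1) | (n & 0b1010) for n in range(16)]


def table_fits(mapping: dict[int, int], table: list[int]) -> bool:
    """True if every observed encrypted->plain nibble pair agrees with the table."""
    return all(table[e] == p for e, p in mapping.items())


def is_bijection(table: list[int]) -> bool:
    """A substitution must be invertible, or two different bytes would collide."""
    return len(table) == 16 and sorted(table) == list(range(16))


def decode(data: bytes, table: list[int]) -> bytes:
    """Apply the low-nibble substitution to every byte, keeping the high nibble."""
    return bytes((b & 0xF0) | table[b & 0x0F] for b in data)


def decode_file(src: str, dst: str, table: list[int]) -> int:
    """Decode a raw EPROM dump file into a plain dump; returns bytes written."""
    with open(src, "rb") as f:
        out = decode(f.read(), table)
    with open(dst, "wb") as f:
        f.write(out)
    return len(out)


if __name__ == "__main__":
    observed = derive_low_nibble_map(ENCRYPTED_SAMPLE, PLAIN_SAMPLE)
    table = swap_bits_0_2_table()
    print("observed pairs:", {f"{k:X}": f"{v:X}" for k, v in sorted(observed.items())})
    print("bit-swap table fits:", table_fits(observed, table), "bijective:", is_bijection(table))
    print("decoded sample:", decode(ENCRYPTED_SAMPLE, table).hex(" ", 4))
    if len(sys.argv) == 3:  # python decode_1010a.py encrypted.bin plain.bin (names assumed)
        print(f"wrote {decode_file(sys.argv[1], sys.argv[2], table)} bytes to {sys.argv[2]}")
```

Because swapping two bits is its own inverse, the same table re-encodes a plain dump, which gives a cheap round-trip check: decoding twice should return the original file byte for byte. If the complete map is not a bijection, or the high nibble ever changes, the device is doing more than a low-nibble substitution and the two dumps need comparing at the same logical rather than physical offset before the map can be trusted.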

I’ve written it in PHP, as that is where most of my programming time is going at the moment, and uploaded it to my GitHub account here:

https://github.com/Judder/DIM-Sport-ECU-Key-1010A-Decrypter

So if you find one of these in your ECU, or you want to back up your own ECU software, feel free to use the above, which, because I didn’t reverse engineer any hardware, doesn’t normally break any software licensing rules 🙂

