Open chron0 opened 2 years ago
Any progress on the project? What is the current state?
No update on this - waiting for some idea on how to crack the handshake.
Collecting all possible responses is not an option? That's not directly cracking it, but I think whatever works is fine.
Not really. It has been running for many weeks, and yet most of the handshakes are not yet seen.
Collecting enough would possibly create a plane to determine if Bosch botched the crypto implementation, which so far I fear they strangely didn't...
Thanks for your replies. @gregyedlik, are you still capturing the challenge and response data?
In the readme you state
the challenge and the answer consist of 2 bytes
but looking at the .csv files it seems it's more like 2 CAN frames with 8 bytes each?
That is correct, the readme is wrong. I'll fix it.
And no, the capturing is not going now.
There is a guy on Telegram who seems to have been going at it as well, but he only seems to be reachable over there: @bitslover101. If any of you guys have Telegram it may also be worth a try to find out what he has/knows (https://t.me/joinchat/HAonoHZMkVkBSM1N was a link I found).
So it seems like a 128-bit challenge response, which would mean 3.4028237E38 (2^128) challenge/response pairs that need to be recorded? So the storage to hold this data would be kind of insane?? @chron0, where did you find this link? Telegram says it's "invalid or expired".
In some pedelec forums (where he was getting banned by the admins, seemingly out of fear of Bosch legal retaliation). Can you look up the user bitslover101 somehow?
Seems to have been deleted as well now...
If we could use the software, we may be able to extract some info with it as well...
bitslover01:
Somebody is really angry at me, made the Telegram group closed and banned me from Telegram ;) But I'm not dead.
The hint I get from these is that Bosch uses AES. Is that something that we could verify based on the data I captured?
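What a capture like the .csv files can and cannot tell you, as an added example (not code from this thread or from any Bosch tool): the two 8-byte CAN frames per challenge and per answer are joined into 16-byte blocks, and the capture is checked for a 16-byte block size (consistent with AES-128, but also with any other 128-bit cipher), for determinism (the same challenge always gets the same answer, so no nonce or counter is mixed in) and for rough bit balance. A keyed block cipher's output is indistinguishable from random without the key, so no test on captured pairs alone can confirm that the algorithm is AES. The frames and the arbitration IDs 0x101/0x102 are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample capture, NOT real Bosch data.  Per the thread, the
# challenge and the answer are each two 8-byte CAN frames; the arbitration
# IDs 0x101 (challenge) and 0x102 (response) are assumptions for this example.
CHAL_ID, RESP_ID = 0x101, 0x102
SAMPLE_FRAMES = [
    (CHAL_ID, "0011223344556677"), (CHAL_ID, "8899aabbccddeeff"),
    (RESP_ID, "3ad77bb40d7a3660"), (RESP_ID, "a89ecaf32466ef97"),
    (0x2A0,   "0000000000000000"),  # unrelated bus traffic, ignored
    (CHAL_ID, "0123456789abcdef"), (CHAL_ID, "fedcba9876543210"),
    (RESP_ID, "f5d3d58503b9699d"), (RESP_ID, "e785895a96fdbaaf"),
    (CHAL_ID, "0011223344556677"), (CHAL_ID, "8899aabbccddeeff"),  # repeated
    (RESP_ID, "3ad77bb40d7a3660"), (RESP_ID, "a89ecaf32466ef97"),  # same answer
]

def reassemble(frames, chal_id=CHAL_ID, resp_id=RESP_ID):
    """Join consecutive half-frames into 16-byte (challenge, response) pairs."""
    pairs, buf = [], {chal_id: b"", resp_id: b""}
    for arb_id, payload in frames:
        if arb_id not in buf:
            continue
        buf[arb_id] += bytes.fromhex(payload)
        if len(buf[chal_id]) == 16 and len(buf[resp_id]) == 16:
            pairs.append((buf[chal_id], buf[resp_id]))
            buf = {chal_id: b"", resp_id: b""}
    return pairs

def analyse(pairs):
    """Sanity checks a capture supports; none of them can confirm AES itself."""
    by_chal = defaultdict(set)
    for c, r in pairs:
        by_chal[c].add(r)
    bits = "".join(f"{b:08b}" for _, r in pairs for b in r)
    return {
        "pairs": len(pairs),
        "block_is_16_bytes": all(len(c) == len(r) == 16 for c, r in pairs),
        "deterministic": all(len(v) == 1 for v in by_chal.values()),
        "distinct_challenges": len(by_chal),
        "ones_fraction": round(bits.count("1") / len(bits), 3) if bits else 0.0,
    }

if __name__ == "__main__":
    print(analyse(reassemble(SAMPLE_FRAMES)))
```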
@hackrid - oh perfect <3
"There are several bugs in the DU and BMS firmwares which allows to dump the keys... I don't want to say more for the moment. Of course AES128 brute force is not possible, it was designed for that ;)" - this is kinda what I had in mind...
The DU is the Intuvia display? We would be happy with a single valid key btw.
I think it's the DU (display unit; unclear which specific type) and the battery management system (BMS). With the software running we should be able to get the firmware files, since they are also not out in the open, and binwalk and look at them...
I got a complete file set thanks to @hackrid's find of the new French forum. Next I'll try to get this running in Wine and patch it, and learn more about that software to download the FWs. Then I need to figure out how to actually connect it to my bike.
Are there any firmware files that contain the software for the DU? Because the software in the French forum seems to be a diagnostic tool?! Who on the bus authenticates the battery?
What's the situation like for older Bosch e-bikes without a removable display unit?
I suspect that the display unit is not key here, and it is the controller/motor unit that authenticates the battery.
I don't know anything about the old Bosch bikes.
So we need firmware update files for the motor controller. Do such things exist?
...only if the key is not stored in hardware, maybe protected against readout. A lot to speculate about.
"There are several bugs in the DU and BMS firmwares which allows to dump the keys... I don't want to say more for the moment. Of course AES128 brute force is not possible, it was designed for that ;)" - this is kinda what I had in mind...
Where do you get this information from?
@hackrid, that is a discussion quote from bitslover101 in the French forum you posted :) and that means that the BMS as well as the DU are vulnerable to key dumping. Once we have the keys we should be able to communicate with the EC and fake a new battery/BMS as well.
My experiment in Wine failed: the app starts but crashes after opening. It's probably the insane background services Bosch runs to "make it work". I'll boot up a Windows To Go instance and try it there.
Wanted to share this quote with you. Taken from latest IBD patch release notes. 😊🔥
Bosch, your security scheme is PWNED. Shame on you trying to lock out your users. We fight back for our rights to configure and repair ourself the bike we own. We are fed up with companies like you always trying to make more money: something is not working? Buy a new one. You know your batteries have weaknesses on the electronic boards, but you don't want us to repair them. This time is over. We want open hardware, software, we want manufacturers to embrace ecology state of mind. Recycle, reuse, repair. Be opened.
lol yeah, already saw it in the patchfiles readme... ++ on it
Unfortunately it isn't 100% Bosch's fault. It's the EU and state regulations mostly. They can't sell it if they don't do it like this. We are facing a similar problem with open WiFi firmware: https://apollo.open-resource.org/mission:log:2016:12:28:joint-statement-against-radio-lockdown
A mysterious peterla in the pedelec-forum pointed out the following:
I would recommend running a sidechannel hardware attack instead of trying to reverse engineer the algorithm from the recorded data. It is more promising to use a voltage or clock glitch on the BMS chip to put the chip into debug mode and then read the firmware. The used challenge & response algorithm can then be reverse engineered from the firmware.
I don't think we need this effort, hence my effort to get the IBD software up and running, since we can download the firmware with it directly, without having to pry it out of the MCUs via side-channel attacks. The challenge & response algorithm used can then be reverse engineered from that firmware, which is already on the filesystem of the IBD host.
And according to bitslover101's comments in the forum, it sounds like the DU and BMS firmwares are good candidates for this.
I've got the Bosch Tool (IBD) and a .cff2 container file. If you follow the French thread, you should be able to get access to the latest Nyon2 patch, as well.
Yeah, that cff2 is it I think, but this is theoretical: I haven't been able to boot my Win2Go, so I'm operating on assumption and not experience level atm. Still waiting to get my Nyon2; nothing is available :/ At least I found the USB port in the Purion controller...
The one lurking from Belgium who made his way to Libera, please come back and stick around a while longer :)
Has anyone wondered if the encryption key consists of a serial number and a part number? When I convert them to hex, they are two 4 byte values. For better understanding does anyone have a link to the IBD tool with cff2?
I've spent many evenings now poking at this. Bosch absolutely uses AES. The dongle used by the IBD software is used in the exact same seed/key process as what these traces show, to connect and fetch diagnostics. The cff2 format is a zip with a manifest of the firmwares contained AND the key you need to decrypt them. I've decrypted the battery firmware, but I don't have a good disassembler for this MCU. Shame it's not something reasonable, like ARM. I think our best bet here is going to be a hardware sniffing approach.
I remember that I tried to find the rule by recording handshake information many times before, but failed. If it is feasible to analyze and separate the battery firmware in IBD, is it effective to download the firmware to a blank new chip? Do you need an official bootloader? I hope to get a reply. Thank you. The original chip they used was NXP SPC5602DF1CLH3, which was replaced by ST SPC560D4L1 after 2021.
There is already a company producing compatible battery packs, https://e-bike-vision.de/ - did they hack it or license the BMS from Bosch?
I've got the Bosch Tool (IBD) and a .cff2 container file. If you follow the French thread, you should be able to get access to the latest Nyon2 patch, as well.
I can't find anything, your tool still works?
Did someone already try to buy an E-Bike Vision battery and look at their handshake?
I've spent many evenings now poking at this. Bosch absolutely uses AES. The dongle used by the IBD software is used in the exact same seed/key process as what these traces show, to connect and fetch diagnostics. The cff2 format is a zip with a manifest of the firmwares contained AND the key you need to decrypt them. I've decrypted the battery firmware, but I don't have a good disassembler for this MCU. Shame it's not something reasonable, like ARM. I think our best bet here is going to be a hardware sniffing approach.
If you have obtained the cff2 file and the battery firmware, you can share it; I have a hardware platform here to try and burn it to a blank chip for verification. If the firmware is upgraded based on CAN communication, we will need to create a new bootloader program on the blank chip and may still need the access key.
The updates don't seem to include the keys we need for the seed/key challenge. There's a significant amount of the MCU's application that is not part of the Motorola formatted files in the updates. It does truly seem like a side channel approach is needed to recover the keys for the battery handshake, unless someone can glitch their way through the BAM.
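The "Motorola formatted files" are S-records. As an added example (not from this thread or from any Bosch tool), this Python parser verifies each record's byte count and checksum, rebuilds the memory image and reports which address ranges the file covers and which it leaves out, which is the quickest way to see how much of the MCU's application an update actually ships. The sample records are constructed.

```python
# Constructed Motorola S-record image, not taken from any Bosch update file:
# two adjacent S1 records at 0x1000 and one isolated record at 0x2000.
SAMPLE_SREC = """\
S107100001020304DE
S107100405060708CA
S1052000AABB75
S9030000FC
"""

def parse_srec(text):
    """Parse S1/S2/S3 data records into {address: byte}, verifying each record."""
    mem = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line.startswith("S"):
            continue
        raw = bytes.fromhex(line[2:])
        count, cksum = raw[0], raw[-1]
        if count != len(raw) - 1:
            raise ValueError(f"line {n}: byte count {count} != {len(raw) - 1}")
        if (~sum(raw[:-1])) & 0xFF != cksum:  # ones' complement of the sum's low byte
            raise ValueError(f"line {n}: bad checksum")
        addr_len = {"1": 2, "2": 3, "3": 4}.get(line[1])
        if addr_len is None:  # S0 header, S5/S6 counts, S7/S8/S9 terminators
            continue
        body = raw[1:-1]
        addr = int.from_bytes(body[:addr_len], "big")
        for i, b in enumerate(body[addr_len:]):
            mem[addr + i] = b
    return mem

def is_valid_srec(text):
    """True if every record parses and passes its count and checksum checks."""
    try:
        parse_srec(text)
        return True
    except ValueError:
        return False

def coverage(mem):
    """(covered ranges, gaps between them), each as inclusive (start, end) pairs."""
    cov = []
    for a in sorted(mem):
        if cov and cov[-1][1] == a - 1:
            cov[-1][1] = a
        else:
            cov.append([a, a])
    gaps = [(cov[i][1] + 1, cov[i + 1][0] - 1) for i in range(len(cov) - 1)]
    return [tuple(r) for r in cov], gaps
```

The gaps list is what to compare against the MCU's flash map: anything outside the covered ranges is code or data the update file never carries.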
There is already a company producing compatible battery packs, https://e-bike-vision.de/ - did they hack it or license the BMS from Bosch?
I have seen this as well - has anybody had the chance to check that out? They claim to sell only new batteries which would be impossible when they'd have to reuse the BMS of an original pack.
What is the status? Has the Bosch AES code been hacked yet so that you can use 3rd party batteries? https://avdweb.nl/
Has someone made progress on this? I'd be interested to contribute (time and money) to get something working
https://www.indiegogo.com/projects/infinite-the-repairable-universal-ebike-battery Another seller with apparently a Bosch compatible BMS
I like the Gouach battery. But I'm afraid there is no hack for Bosch yet. I can't find detailed information on how it works.
As soon as I have my bike, I may be able to contribute additional ECU/Battery handshake data.