Unlocking Seed-Key Locked ECUs

Download Link: https://andrewrevill.co.uk/Downloads/MEMS3Tools.zip

It has come to my attention that some tuners are changing the seed key algorithms in MEMS ECUs which they remap to lock out my tools and all other standard MG Rover tools. I have been receiving an increasing number of reports from people unable to access the basic features of their ECUs with my tools. These include people who have been unable to perform basic diagnostic tasks and people who have missed out on rolling road tuning sessions because they were unable to get into their ECUs. The typical error message you see in MEMS3 Mapper is as shown below.

As of Version 7.79 Release, MEMS3 Mapper is now able to effectively counter all such attempts to lock the ECU.

·         Firmware Locked ECUs

If the firmware seed key algorithm is modified, the General Diagnostic Session will be locked and the ECU will be locked out of pretty much all functions using the ISO14230 or Rover BMW protocols. Pretty much everything in MEMS3 Mapper will be locked out. Whenever you try to access anything that is locked out by the firmware seed key algorithm, MEMS3 Mapper will detect this and display a dialog that explains that the ECU is locked and guides the user through the following options for unlocking. Note that this same situation can occur where the boot loader seed key algorithm is modified and no firmware has been loaded, as this then runs the General Diagnostic Session in the boot loader, but this is unlikely to be encountered “in the wild”:

 

o   As of Version 7.79 of MEMS3 Mapper, the main Read and Write routines are able to work WITHOUT NEEDING FIRMWARE SEED KEY SECURITY. This means that a firmware locked ECU will now still be freely readable and writeable, for firmware, coding and map, even where other features are still locked out.

 

o   The dialog gives you full instructions and provides all of the buttons you need to run the processes.

 

o   PLAN A – Seed Key Unlock

 

 

§  As of Version 7.79, MEMS3 Mapper now contains a Tools | ECU Tools | Seed Key Unlock feature.

§  This will permanently unlock the seed key security in both the boot loader and the firmware.

§  For a locked firmware it is almost instantaneous.

§  The seed key unlock does not require knowledge of the seed key algorithms used to lock the ECU.

§  It therefore protects against future unknown changes to the seed key algorithms as well as current known changes.

§  It can work even on boot loader locked ECUs, although in this case it may take some time (one time only) to gain access.

§  The seed key unlock is performed directly on the ECU. There is no need to read files, modify and write back.

§  Once unlocked, the ECU will respond normally to all requests. All features of MEMS3 Mapper will work normally.

§  The firmware, coding and map will remain intact, unmodified, readable and writeable.

§  You can either just operate the ECU in this condition, or …

§  You can move to PLAN B in order to restore the ECU to a normal state.

 

§  This method protects against, and can be used to recover from:

·         ALL possible changes to the firmware seed key routines, known or unknown.

·         ALL possible changes to the boot loader seed key routines, known or unknown.

 

o   PLAN B – Restore Seed Key Routines

 

§  As of Version 7.79, MEMS3 Mapper now contains a Tools | Wizards | Restore Seed Key Routines feature.

§  This will restore the firmware seed key routines and all related code in the current project to their standard versions.

§  As the Read and Write features now work on locked ECUs, you can use this method in isolation to recover a firmware locked ECU.

§  Read from the ECU, Save your project, Restore Seed Key Routines, Write to the ECU.

§  Once unlocked, the ECU will respond normally to all requests. All features of MEMS3 Mapper will work normally.

§  This method restores the ECU code to a stock state.

§  The firmware, coding and map will remain intact, unmodified, readable and writeable.

§  This method cannot be used in isolation with a boot loader locked ECU, but may be used after a Seed Key Unlock.

 

§  This method protects against, and can be used to recover from:

·         ALL possible changes to the firmware security routines.

 

o   PLAN C – Disable Firmware

 

§  As of Version 7.79, MEMS3 Mapper now contains a Tools | ECU Tools | Disable Firmware feature.

§  This will disable the firmware and prevent the ECU from loading it. The ECU will boot up in boot loader mode.

§  The firmware disable is performed directly on the ECU. There is no need to read files, modify and write back.

§  The firmware, coding and map will remain intact, unmodified, readable and writeable.

§  The ECU will then not run the engine until firmware is written to the ECU again.

§  Because the ECU does not attempt to load the firmware, no changes made to the firmware can lock the ECU.

§  The ECU will run both Programming and General sessions in the boot loader. All read and write functions will work normally.

§  The map can be read into a MEMS3 Mapper project with stock or patched firmware and then written back to the ECU.

§  Writing firmware back to the ECU automatically re-enables it.

§  This method cannot be used in isolation with a boot loader locked ECU, but may be used after a Seed Key Unlock.

 

§  This method protects against, and can be used to recover from:

·         ALL possible changes ANYWHERE in the firmware.

·         More sophisticated and more specific feature locking schemes.

 

o   PLAN D – Recover Bricked ECU

 

§  Existing versions of MEMS3 Mapper contain a Tools | ECU Tools | Recover Bricked ECU feature.

§  This can be used to temporarily disable the firmware as above (the above method being permanent until firmware is written).

§  It was designed for recovering ECUs where the firmware was damaged or corrupted during writing.

§  Because of its method of action, it may equally be used to recover ECUs with unwanted firmware changes.

 

o   PLAN E – If the above methods fail, contact me at andrew.d.revill@googlemail.com. I have other experimental solutions for both firmware and boot loader locked ECUs that I do not want to put into the public domain at this time.

 

·       Boot Loader Locked ECUs

 

If only the boot loader seed key algorithm is modified, the Programming Diagnostic Session will be locked and the ECU will be locked out of all programming functions. A lot of MEMS3 Mapper features will still work, but anything which depends on custom RAM agents will be locked. Firmware, coding and map will still be readable. Boot loader locking is a much more complex and risky operation as it commonly requires the ability to flash a replacement boot loader onto an ECU. This cannot be done using the stock programming routines and any failure will lead to a permanently bricked ECU. Other than physical disassembly, desoldering and bench programming of the ECU’s EEPROM chip, currently only MEMS3 Mapper provides this facility so this locking technique is not so commonly seen. Because the boot loader seed key algorithm alone does not protect the map data from reading, this technique would most likely be used alongside firmware seed key locking. In that scenario, the main effect of locking the boot loader seed key algorithm would be to prevent the use of the methods described as PLAN B, PLAN C and PLAN D above.

 

Whenever you try to access anything that is locked out by the boot loader seed key algorithm, MEMS3 Mapper will detect this and display a dialog that explains that the ECU is locked and guides the user through the following options for unlocking:

 

 

o   The dialog gives you full instructions and provides all of the buttons you need to run the processes.

 

o   PLAN A – Seed Key Unlock

 

§  As of Version 7.79, MEMS3 Mapper now contains a Tools | ECU Tools | Seed Key Unlock feature.

§  This will permanently unlock the seed key security in both the boot loader and the firmware.

§  The seed key unlock does not require knowledge of the seed key algorithms used to lock the ECU.

§  It therefore protects against future unknown changes to the seed key algorithms as well as current known changes.

§  It can work even on boot loader locked ECUs, although in this case it may take some time (one time only) to gain access.

§  The seed key unlock is performed directly on the ECU. There is no need to read files, modify and write back.

§  Once unlocked, the ECU will respond normally to all requests. All features of MEMS3 Mapper will work normally.

§  The firmware, coding and map will remain intact, unmodified, readable and writeable.

§  You can either just operate the ECU in this condition, or …

§  You can use MEMS3 Mapper to flash a stock boot loader to the ECU, to restore normal operation.

·         This would allow any of PLAN B, C or D (Firmware Locked ECUs) to be used.

 

§  This method protects against, and can be used to recover from:

·         ALL possible changes to the firmware seed key routines, known or unknown.

·         ALL possible changes to the boot loader seed key routines, known or unknown.

 

o   PLAN E – If the above methods fail, contact me at andrew.d.revill@googlemail.com. I have other experimental solutions for both firmware and boot loader locked ECUs that I do not want to put into the public domain at this time.