Wednesday, July 23, 2014

Think You Need a Token? Maybe Not...



I’m surprised that quite a few people think a software token is required to use E-Sys. Some even think it’s needed to “unlock” the software before use. As I always tell anybody who asks for a token, it’s not always needed. It never fails to bring a smile when they come back and say “thanks, it worked!”. Believe it or not, I’m just as happy as you are about saving a few bucks.

There are only a few places in the app where it is needed, and depending on what you intend to do, you may not need it at all. Connecting and reading coding data, Vehicle Order (FA), VO Coding, Flashing, clearing codes (via the Transmitter app), importing/exporting FSC, the FA/SVT/TAL editor, and TAL calculation/processing don’t need a token. Viewing CAF, viewing/editing FDL, and FDL coding do require one.

Let me just clear up one thing before I go further. Coding will only enable (or disable) what your car can already do but may have been disabled from the factory. Coding will not let you fold your mirrors if you don’t have motorized mirrors. Variable Light Distribution will not work if you don’t have KAFAS (cameras). It can’t magically do what you want it to do without the supporting hardware.

So, you want Enhanced Bluetooth (EBT)? Can do, without token. Want to turn off Auto Start/Stop? Yup, no token required. Enable VLD? Unlock boot with doors? Normal/very sensitive light control? Alpine retrofit? Seatbelt reminder off? Yes, yes, yes, yes, and yes!

Just a note on the seatbelt minder. I didn’t touch this. Anything related to safety, I keep at the default. It doesn’t bother me, so it stays on. The same goes for VIM, the GPS warning, etc.

How? Before I go further, let me state that I didn’t find any of the following items myself. Somebody else found 'em, and they are heavily discussed on different BMW boards. Let me know if you discovered one of them and want credit. I’ll be glad to give credit where it’s due. I simply don't know, so I'm leaving it.

EBT – change 6NH to one of 6NK, 6NL, 6NS. Note: You must have COMBOX or NBT or a newer HU like ENTRYNAV
VLD (Anti Dazzle) – See this thread: http://www.bimmerfest.com/forums/showthread.php?t=660719
Seatbelt minder – HO-Wort OI11, OI12 and VO Code ACSM
ASS – Add OMSA to your HO-Wort (HO-Words) and VO Code FEM
Retrofit Alpine – HO-Wort HIFI, VO Code NBT
“Retrofit” Satellite Tuner – Import FSC, remove 693, add 655, VO Code NBT
The above is by no means complete, nor definitive.

How to change VO and perform VO Coding: http://www.bimmerfest.com/forums/showpost.php?p=7448118&postcount=2 (From ShawnSheridan)

As for VO Coding, the way I do it is that I have my modified FA XML file that I load and activate whenever I need to do VO coding. I don’t write this modified FA back into the car. If you are worried that your dealership will be a pain in the a$$ when it comes to these matters, then ensuring your VCM is not updated will be in your best interest. I’m lucky my dealership couldn’t care less, but this is not to say that it’s OK to do it, nor that your dealership is gonna be the same.

NCD / CAFD Tool V0.2.6 Alpha

NcdCafdTool V0.2.6 was released some time back.

Added "What-If" SVT-CAFD

This feature uses your SVT, instead of individual NCD files, for input. The CAFD file version associated with your current I-Step will be determined automatically from the SVT file.
FAFP will be retrieved from the CAFD, and any main series not used by the CAFD will be excluded. The selected Build Level will control the available options. If multiple ECUs are affected by a particular option, all CAFDs pertaining to these ECUs will be listed.

You can quickly find an option by selecting an item, then typing it in, e.g. 6WA, 6NS, etc.

Results are determined by a particular CAFD, and not every option will have an effect on the selected CAFD. Don't select any options that obviously don't have any code associated with them, e.g. 130, 23B.

Results are meant to be used as a guide only. They are by no means authoritative or definitive. Verify and use at your own risk.
 



If you have customized the settings, don't overwrite "NcdCafdTool.exe.Config" or your settings will be replaced.

Bimmerfest Thread

Saturday, April 19, 2014

NCD / CAFD Tool V0.2.5 Alpha

NcdCafdTool V0.2.5 Alpha was just released. A feature called "What-if FA-CAFD" has been added. In a nutshell, it can determine the functions being modified when a certain option is added.


"What if I add 6WA, what would E-Sys do to my NCD?". "If I add 6NS, then..." You get my drift. This is entirely based on what's inside the FA and CAFD. Based on your chosen FA, car series and build date, the tool analyzes your selected CAFD (or NCD) and lists all affected functions (non-default only) and what the value should be.

This feature uses an NCD file or a CAFD file for input. If you use *.ncd, the tool will use the version of the CAFD used to generate your NCD file, meaning the CAFD associated with your current I-Step. Opening a CAFD allows you to use any version.

FAFP will be retrieved from the CAFD, and any main series not used by the CAFD will be excluded. The selected Build Level will control the available options.

You can quickly find an option by selecting an item, then typing it in, e.g. 6WA, 6NS, etc.

Results are determined by a particular CAFD, and not every option will have an effect on the selected CAFD. Don't select any options that obviously don't have any code associated with them, e.g. 130, 23B.

Results are meant to be used as a guide only. They are by no means authoritative or definitive. Verify and use at your own risk.

Lastly, this tool is free. Never pay anything for this tool.


If you have customized the settings, don't overwrite "NcdCafdTool.exe.Config" or your settings will be replaced. Open "NcdCafdTool.exe.Config" with Notepad, copy the value of the signatureKey node, then open the application, go to Settings and replace the Signature Key. You can also edit your config file with Notepad.

Bimmerfest Thread

Tuesday, January 28, 2014

Kompatibilität und Informations System (KIS) Advanced Table Viewer

A great member of the BMW Coding community (SS :)) asked me a while back if I could write a KIS table viewer. It took me a while, what with all the retrofit activities I've been doing, but finally I found a good library to utilize. And the result: KIS Advanced Table Viewer:



KIS is part of E-Sys and is running in the background. E-Sys reads and loads the entire KIS database on start-up, and this is probably why E-Sys frequently runs out of memory at its default configuration. The HyperSQL code and GUI are based on umpakba's work. It's heavily modified to make KIS work, however.

While the tool is free, I don't think it's for everybody. KIS database contains some great information, but only if you make sense of it. Otherwise, it's pretty useless.

The tool is free, but I'm not making it available to the general public. HMU if you want it, but let me know how you're going to use it :)

EDIT: 12/14/2014
I can now share this publicly: KISATV

Sunday, January 26, 2014

Why Hacking XMLCrypto is Bad, Really Bad!!!

From the get-go, I've always avoided cracking XMLCrypto. Every time I see a discussion about hacking it, I always say leave it alone. To some people, that came across as protecting my vested interest. Nothing could be farther from the truth.

I've also been in discussion with a few people wanting to do their own solution, and they always focus on this one class: the XMLCrypto class. I don't blame them. I mean, this is the shortest way to their goal. I mentioned in one of my previous blog posts that I looked at this and almost considered doing exactly that. But...my training and experience pushed me to find another way. And there's always another way. Working for a top-tier security company, I've seen all this happen too often. Bad guys are always trying different things to spread harm. And I love my car too much to have to worry about this problem.

More and more solutions are coming out, and they're all centered on cracking XMLCrypto. There's one solution that is particularly bad. For one, it was based off of somebody else's work. For another, it entailed patching 3 class files. 3 class files!!! Seriously?!? If he knew what he was doing, he wouldn't be patching 3 files. If everyone had at least some sort of basic security training, they'd leave XMLCrypto alone. If everyone cared about their cars and their friends' cars as much as I do mine, they'd leave XMLCrypto alone.

So, why is it bad? For those who know E-Sys, you know that it is only part of a bigger solution. PSdZ (PSdZData) is what makes it work. All files in PSdZ are digitally signed, encrypted, and some are even compressed. There's a reason for that. The very reason we digitally sign a document is to preserve its integrity and verify its authenticity. When you patch XMLCrypto, you take all that away. You dump the digital signature and accept everything blindly.

XMLCrypto is our last defense in verifying FA, FP, CAFD and everything else. It is our protection from tampered files. Think of it as the firewall of PSdZ. It only allows trusted and verifiable files.

Figure 1: XMLCrypto doing its job

Like I said, patching it takes away all these features and benefits. It's akin to creating a wide hole in the firewall. Wait, not just a hole: you're actually breaking down the entire defense wall. Why anyone would do it is well beyond me. It's such a shame they don't understand this concept and the danger of doing such a thing.

Figure 2: Patched XMLCrypto Class

Proof of Concept: Download this file: Modified CAFD. This is a CAFD, altered and repackaged. Unpatched E-Sys will never accept this CAFD file, as it knows it's tampered and it will never pass verification. But those with a patched XMLCrypto will have no trouble using this file. In fact, the app will gladly accept anything you throw at it.

But what can a tampered CAFD do, you ask? A CAFD is a file template which contains things like default values based on your Vehicle Order. Unfortunately, it also contains values for transport mode. What is "Transport Mode"? It's when your car needs a ride to the dealership because it wouldn't start on its own :).

Kidding aside, it is very easy to get these values and replace the ones used as default values, then package and distribute it as a "new" version of PSdZ. No one would be the wiser, certainly not your patched E-Sys.
 
This is why I didn't patch XMLCrypto. I hope everybody realizes this.
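To make the integrity argument above concrete, here is an added example (it is not E-Sys or PSdZ code) built around a constructed CAFD-like document: a loader that verifies the file's integrity tag before trusting it, beside one that skips the check the way a patched XMLCrypto does. An HMAC stands in for PSdZ's real public-key signature, and the ECU and field names are invented.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real PSdZ signature uses a public-key scheme;
# an HMAC stands in here because the standard library has no signature primitive.
DEMO_KEY = b"constructed-demo-key"

# Constructed stand-in for a CAFD: a template of default values for one ECU.
# The ECU and field names are invented for this example, not real CAFD parameters.
GENUINE_CAFD = json.dumps({"ecu": "EXAMPLE_ECU", "defaults": {"transport_mode": "off"}}).encode()


def sign(document: bytes, key: bytes = DEMO_KEY) -> str:
    """Return the integrity tag that ships alongside a genuine file."""
    return hmac.new(key, document, hashlib.sha256).hexdigest()


def load_verified(document: bytes, signature: str, key: bytes = DEMO_KEY) -> dict:
    """Unpatched behaviour: verify before trusting, reject anything that fails."""
    if not hmac.compare_digest(sign(document, key), signature):
        raise ValueError("signature check failed: file rejected")
    return json.loads(document)


def load_without_check(document: bytes, signature: str) -> dict:
    """What a patched verifier amounts to: the tag is ignored and anything loads."""
    return json.loads(document)


def demo() -> dict:
    """Run both loaders over the genuine file and a tampered copy of it."""
    signature = sign(GENUINE_CAFD)                       # tag issued for the genuine file
    tampered = GENUINE_CAFD.replace(b'"off"', b'"on"')   # one default value flipped

    genuine = load_verified(GENUINE_CAFD, signature)["defaults"]["transport_mode"]
    try:
        load_verified(tampered, signature)
        tampered_verified = "accepted"
    except ValueError:
        tampered_verified = "rejected"
    tampered_unchecked = load_without_check(tampered, signature)["defaults"]["transport_mode"]
    return {
        "genuine_verified": genuine,                # "off"
        "tampered_verified": tampered_verified,     # "rejected"
        "tampered_unchecked": tampered_unchecked,   # "on": the altered default is loaded silently
    }


if __name__ == "__main__":
    print(demo())
```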

Thursday, January 9, 2014

Random Musing #1

#1: Dog eats Dog...

So, in one of my earlier blog posts, I pointed out a guy selling tokens. This guy generates his own tokens, BUT uses patched files from the original developer. What this guy did is reverse-engineer the solution and start generating his own tokens, then sell them. Geez, what a rip-off.

And I didn't think it would get worse!!! So, another guy bought a token from the first developer. He then again reverse-engineered this, "created patches" and passed it off as his own. D'uh. And this is actually worse. The first developer uses 2 patched files; the new guy patches 3. This tells me he didn't really know what he was doing and just patched things left and right. VERY dangerous.

...And it gets worse still!!! I learned of a guy who got a token from me and is now selling tokens too, derived from the third guy. Next thing you know, he'll mix and match solutions, ending up with a FrankenToken lol.

See, these guys bit the hands that fed them. Keep doing that and the hands will eventually stop feeding. These guys chose to rip people off. We're not exactly saints, but I spent a lot of time developing my original solution without looking at others' work. I came up with a patchless solution because I not only studied the software, but the platform on which it was built. I was very careful in my method and made sure the app remained true to whatever it is designed to do.

Dog eats dog, pirates pirating the hackers. Back in the day, this never happened and we had a code. We had respect for each other's work. We collaborated when we needed something from each other and didn't rip each other off.

#2: 3.22.x ~ 3.24.x is defeated

As most already know, I came up with the first ever patchless solution, but not only is it patchless, it's multi-version as well. The same 20kb file and the same token can be used from version 3.22.x up to and including 3.24.3, or whatever the latest version is in the 3.24 series.

So, this is no news anymore; time to move on.

But then...came 3.25.x!!!

#3: 3.25

3.25 came out last year. It was almost redesigned, security-wise. I can almost say the only change that was implemented was everything about the security. I can't say whether it was the programmer's decision or the Architect's, but if I were the PM, I'd be majorly pissed at the direction it went. It added no value and only caused problems.

3.25.2 would not even FDL code!!! But guess what? I made it run and coded my car. 3.25.3 fixed the issue with FDL coding, but the UI bug remained. The software as a whole is solid, and I give props to the whole development team. It's just that 3.25 shouldn't have gone where it did.

The 3.25 series was a pain. And let me tell you that I spent more time analyzing it than I did on the previous versions. And this is me armed with previous knowledge. It was hard, and I almost doubted whether it could be done or not.

And that, folks, is why you don't trust pirates! These guys are selling it for cheap, and why not? They didn't have to do anything. But then, ask them if they can support you, or if you can get upgrades.

#4: Unbeatable?

With the amount of time and effort it took to beat 3.25.x, it's not too far off to think that eventually we'll be faced with unbeatable software. This is when the hand stops feeding: the hand will stop giving. Instead of software that costs a few pennies, we'll all end up with software that is pretty much out of everyone's reach, including mine. And we'll all have the pirates to thank for it.

Friday, December 27, 2013

Frequently Asked Question (FAQ)

Here are some of the most common questions I've been answering lately:

Q: The instructions I read in the PDF say I need to delete 2 files and then replace them with 2 other files. Where are those files?
A: Those files are from another developer. My solution does not use patched files, and no files should be removed or deleted. If you did, you need to restore those files or reinstall the application to restore them before you can use my token.

Q: I got a token for my 3.23.4 version. Now I got hold of 3.24.2, can I get an updated file?
A: You already have it. My solution works on versions 3.22.5 up to 3.24.3 and everything in between.

Q: If I get a token, will you provide the patch as well?
A: It depends on what patch you're talking about. If you mean the two patched files, then no. I don't use patched files (see Q#1). I provide everything you need to use the token except the application itself. It comes with a file of less than 20kb, PDF instructions and the token. Just install the application, then proceed with my instructions.

Q: Will this token work with a new version of the application?
A: It works up to 3.24.3. There's no way for me to tell if it works on an unreleased version until I get hold of it.

Q: I sent you a PM a few days ago and have yet to receive a response. What gives?
A: Just complying with the forum rules. Most BMW forums prohibit the use of the PM system for commercial use unless you're a sponsor of the site/forum. I am not a sponsor, so I'm prohibited from using the PM system. Contact me at fxxtokenmaster[at]Gmail_dot_com instead and I'm likely to respond within the hour, if I'm up and about.

Not a question but...

Q: I'd like to get 3 year...
A: The 3-year token is the 2nd most popular request next to the 1-year token. Before asking for a 2- or 3-year token, understand that it's only guaranteed to work from versions 3.22.5 up to 3.24.3 and everything in between. It's always a possibility that the token will not work with newer versions.

The app requires PSdZ, and this gets released all the time with new security features, so it may require a newer version of the app. Most notably, PSdZ 49.x will not work with 3.18, thus the release of 3.22.x. 3.22.5 won't work with PSdZ 51.0, hence the release of 3.23.x.

If you get, say, a 3-year token now, and your car gets an update that necessitates using a new PSdZ and a new app and I can't come up with a solution, the multi-year token would then be essentially "useless".