How do "vehicle specific" lockdown work on tuning kits?

Discussion in 'Highly Technical' started by NeoPTLD, Mar 24, 2012.

  1. NeoPTLD

    NeoPTLD Platinum Member

    Joined:
    Nov 23, 2001
    Messages:
    2,511
    Likes Received:
    0
    These days, the parameters relevant to adjusting vehicle performance are controlled by the power train control module. The PCM contains the VIN.

    Many off-the-shelf tuning kits contain a pre-programmed tuning maps for various vehicles. Once the handheld flashing device is hooked up to a vehicle, it download's the factory settings from the PCM along with the VIN, then uploads the "tune up".

    The unit is then permanently locked to that VIN. Some allows restoring the backup and allow use on another vehicle.

    I know that many routers have the ability to spoof MAC address so that you can use the cable modem that became locked to the computer it was originally setup with.

    Is it possible to build something with spoofed VIN so the unit can be reset? How about downloading all the tuning maps?
     
  2. Iceking007

    Iceking007 Junior Member

    Joined:
    Mar 15, 2012
    Messages:
    13
    Likes Received:
    0
    Ofcouse anything CAN be done it's just 1's and 0's; how/why good luck try staying away from European cars especially BMW as their systems are generally more finikey and they like specific tools and programming that are often closely garded secrets and very expensive; my opinion is factory all the way but to each their own.
     
    #2 Iceking007, Mar 24, 2012
    Last edited: Mar 24, 2012
  3. AD5MB

    AD5MB Member

    Joined:
    Nov 1, 2011
    Messages:
    79
    Likes Received:
    0
    German cars require special DIN 1s and 0s.
     
  4. NeoPTLD

    NeoPTLD Platinum Member

    Joined:
    Nov 23, 2001
    Messages:
    2,511
    Likes Received:
    0
    Intentionally imposed limitation is a common marketing tactic. I'm not sure if people are doing it these days, but some years back, some video cards can be upgraded to higher end one by simply reflashing the firmware. The card had all the capabilities of the higher end, but it was crippled at the shipment stage for marketing reasons.

    I don't believe PCM mapping is copyrightable, so if you could download all the pre tunes, there is money making potential to offer services.
     
  5. groberts101

    groberts101 Golden Member

    Joined:
    Mar 17, 2011
    Messages:
    1,390
    Likes Received:
    0
    I've used tunercat in the past and now own a Jet Dynamic Spectrum tuner.

    Wish I could tell you that there are known workarounds for these limitations.. but sadly there don't appear to be many software hackers for these devices and you need to buy more vin allowances to continue using these devices on additional vehicles. Some of the cheaper one's won't even let you do that though.

    My DST came with 2 vin allowance's when I bought it and eventually moved to a 4 vin allowance so I felt a little gyp'd after having spent $500 on it. I can pay an additional $150 for another vin allowance anytime I choose to, but never feel the need since I keep it on the work van's anyways.
     
  6. Mark R

    Mark R Diamond Member

    Joined:
    Oct 9, 1999
    Messages:
    8,496
    Likes Received:
    0
    Yes. It is likely a trivial matter to build a "middle-man" device that spoofs the VIN to the tuneup unit, but allows the new map to be uploaded. The reprogramming ports often use a fairly simple protocol, that is easily manipulated.

    However, a lot depends on how the tuning device keeps a record of the vehicle (just VIN, VIN and manufacturer/model number of the ECU, etc.)

    Personally, I wonder how much longer these tuning devices have got - the car manufacturers are slowly beginning to hire proper electronic security experts to assist in locking down their ECUs.

    This did actually happen with printer cartridges, console memory cards. This stopped the cloners, because the security was pretty good. The security was only defeated when the cloners paid for the chips to be reverse engineered, and the schematic and security codes retrieved. (This type of reverse engineering can cost $millions).
     
  7. exdeath

    exdeath Lifer

    Joined:
    Jan 29, 2004
    Messages:
    13,643
    Likes Received:
    0
    If it becomes uncrackable (which it wont), then people like me will just switch to plug and play after market stand alone EFI computers (FAST, BigStuff, Motec, etc).
     
  8. quakefiend420

    Joined:
    Aug 26, 2004
    Messages:
    14,688
    Likes Received:
    0
    Any links that you could provide that I could use to research building some sort of interface to sniff the traffic that a device like this would likely be passing? Any thoughts on what sort of protocol would be used to communicate?
     
  9. Modelworks

    Modelworks Lifer

    Joined:
    Feb 22, 2007
    Messages:
    16,237
    Likes Received:
    0
    Cars use CAN for communications .
    http://en.wikipedia.org/wiki/CAN_bus

    You will need some chips that can do CAN , microchip has a bunch of their pic line that does CAN . Data on the CAN bus itself is rarely encrypted and easily monitored. You will need to attach to the CAN bus itself , not the interface ports that devices typically use to change the data.
     
  10. quakefiend420

    Joined:
    Aug 26, 2004
    Messages:
    14,688
    Likes Received:
    0
    Cool...this looks like it's going to be fun :)
     
  11. Modelworks

    Modelworks Lifer

    Joined:
    Feb 22, 2007
    Messages:
    16,237
    Likes Received:
    0
Loading...