This post is mostly informational. The HUtools that was leaked does exactly this and is way easier.
It's quite simple, nothing groundbreaking here. If you're familiar with how FSCs work, you'll know that BMW has their own PKI.
The certificate chain is composed of the Root, SigS and FscS certificates.
Long story short, in order to sign your own certificates, you need to replace these certificates in the NBTCarHUTwo binary.
To generate them, I used the following commands:
Replace the certificates in the binary, then:
Example files that can be used are attached.
It's quite simple, nothing groundbreaking here. If you're familiar with how FSCs work, you'll know that BMW has their own PKI.
The certificate chain is composed of the Root, SigS and FscS certificates.
Long story short, in order to sign your own certificates, you need to replace these certificates in the NBTCarHUTwo binary.
To generate them, I used the following commands:
Code:
[Root CA]
Set date to 2002-09-19
openssl genrsa -3 -out root.key 2048
openssl req -x509 \
-days 9132 \
-md5 \
-set_serial 1001 \
-key root.key \
-out root.pem \
-subj "/DC=com/DC=bmwgroup/O=pki/OU=bmw-fzg-pki/CN=fzg-root-ca" \
-extensions v3_req \
-config <(echo -e "[v3_req]\nbasicConstraints=critical,CA:true,pathlen:0\nsubjectKeyIdentifier=none\nauthorityKeyIdentifier=none\nkeyUsage=critical,keyCertSign,cRLSign")
openssl x509 -outform der -in root.pem -out root.der
Code:
[SigS]
Set date to 2006-07-19
RSA key for SigS needs to be 512 bit and have exponent 7. Go to: https://merri.cx/enigmator/cipher/rsa_keygen.html.
Use http://www.certificate.fyicenter.com/2147_FYIcenter_RSA_Private_Key_Generator.html#Result to generate the primes p,q
openssl req -x509 \
-md5 \
-key sigs.key \
-out sigs.pem \
-subj "/DC=com/DC=bmwgroup/O=pki/OU=bmw-fzg-pki/CN=CCC-SigS-Key"
openssl x509 -x509toreq -in sigs.pem -signkey sigs.key -out sigs-signed.csr -md5
openssl x509 -req \
-in sigs-signed.csr \
-CA root.pem \
-CAkey root.key \
-set_serial 1010 \
-out sigs-signed.pem \
-md5 \
-days 1827 \
-extensions v3_req \
-extfile <(echo -e "[v3_req]\nextendedKeyUsage=critical,codeSigning\nsubjectKeyIdentifier=none\nauthorityKeyIdentifier=none")
openssl x509 -outform der -in sigs-signed.pem -out sigs.der
Code:
[FscS]
Set date to 2007-07-30
openssl genrsa -3 -out fscs.key 1024
openssl req -x509 \
-md5 \
-key fscs.key \
-out fscs.pem \
-subj "/DC=com/DC=bmwgroup/O=pki/OU=bmw-fzg-pki/CN=zentrale Master Freischaltcodestelle-Produktiv"
openssl x509 -x509toreq -in fscs.pem -signkey fscs.key -out fscs-signed.csr -md5
openssl x509 -req \
-in fscs-signed.csr \
-CA root.pem \
-CAkey root.key \
-set_serial 1026 \
-out fscs-signed.pem \
-md5 \
-days 9132 \
-extensions v3_req \
-extfile <(echo -e "[v3_req]\nextendedKeyUsage=critical,1.3.6.1.4.1.513.10.1.1\nsubjectKeyIdentifier=none\nauthorityKeyIdentifier=none")
openssl x509 -outform der -in fscs-signed.pem -out fscs.der
Code:
[Esys signing private key]
openssl rsa -in fscs.key -outform der > fscs.derReplace the certificates in the binary, then:
Code:
Save and clear persistence:
cp -rv /var/opt/sys/persistence /fs/usb0/hu-intel-persistence && \
cp -rv /net/hu-jacinto/var/opt/sys/persistence /fs/usb0/hu-jacinto-persistence && \
rm -r /var/opt/sys/persistence/* && \
rm -r /net/hu-jacinto/var/opt/sys/persistence/*
// Need mv because file is open
mount -uw /fs/sda0 && \
mv /fs/usb0/NBTCarHUTwo /opt/car/bin && \
chmod 0775 /opt/car/bin/NBTCarHUTwo && \
sleep 5 && mount -ur /fs/sda0 && OnOffDSICommander appresetExample files that can be used are attached.
Last edited:
