
BMW CIC PATCHER v2 - GENERATE YOUR OWN RETROFIT FSC CERTS

*** RELEASED ***


BMW CIC PATCHER v2
GENERATE YOUR RETROFIT FSC CERTIFICATES
Forget about emulators, script activations, hard map updates...

This is a better, enhanced version of what is being sold / floating around these days.

[*] NO BOOTLOADER MODE
[*] DONE IN 10 SECONDS!
[*] NO BRICKING

SUPPORTS ONLY US AND ECE LATEST VERSIONS OF SOFTWARE, SO IF YOU HAVE US or ECE CAR,
UPDATE YOUR CIC SOFTWARE AND ENJOY THE PATCH!

Here is a short howto, which is included in the archive too:


BMW CIC CK V2
-----------------
created by intel123 - intel@globalnet.ba

This is a patch for BMW CIC Professional Navigation. It patches a binary file
and replaces the root certificate, which enables you to sign your own FSC certificates
from within FSTOOL or E-SYS like OEM. After patching, self-generated certificates
will be accepted as OEM ones.

Prerequisites

1) This is ONLY for US (United States) and ECE (Central Europe) software versions!
2) You should update your CIC software to the latest before applying the patch! (Latest, verify is Cic.c1a)

Unlike other patches floating around, this one is done in 10 seconds or less. There is no need
for multiple reboots, or hang in "Bootloader" mode which exposes the system to bricking or failure.

HOW TO USE IT

1) Format a USB drive with the FAT32 filesystem
2) Copy the file 01_PATCHER\USB_AUTORUN\copie_scr.sh to the empty USB drive
3) Insert the USB drive into the CIC, wait until it reboots and you're done!

(If the CIC does not reboot within 20 seconds, it means that there is a software incompatibility or it is already patched; read the prerequisites.)

After the CIC has been patched and has restarted, you can fire up E-SYS or FSTOOL. If you go ahead and check the status of FSC you will see that
the CIC has been virginized and only the root certificate is accepted. The key you should use for signing FSC certificates is 00_PRIVATEKEYS\fscs.der;
the other two private keys (root.der and sigs.der) you will have no use for, they are included just so the cert chain is complete.

To make certificates for your VIN you can use the files in folder 03_FSC_TEMPLATES from the archive:
load them in E-SYS (FSC Editor) or FSTOOL, change ONLY the VIN, sign them and save as.
** VERY IMPORTANT: If you do not know what you are doing when modifying template certificates, change only the VIN to match yours;
do not edit other fields, including the date of issue.

After making all the certificates you will need for your retrofit, you can install them normally via FSTOOL or E-SYS. The other needed certificates,
such as the SIGS and FSCS certs, can be found in folder 02_CERTS from this archive.

*** PLEASE NOTE: AFTER PATCHING, THE CIC IS VIRGINIZED AND MAY SHOW THAT
THE FSCS AND SIG CERTS ARE REJECTED, AND ROOT ACCEPTED. THIS IS NOT A
PROBLEM AS YOU WILL OVERWRITE THEM WITH THE PROVIDED CERTS VIA FSTOOL
OR E-SYS. ***

Source code of the CK and all relevant data will be published on CarTechnology.co.uk forum

0017 - Voice control
0019 - Navigation system Professional
001B - Navigation system Professional
00XX - LifeTime Map Code
006F - Satellite Tuner
009B - Arabian Language
009C - BMW Apps

Full set for BMW CIC.

For E-Series: use FSTOOL
For F-Series: use E-SYS
Same procedure as with OEM certificates.

Q: How does it work?

Well, not to go too much into detail, as I plan to document the whole procedure and publish it along with the source code,
but here it is. BMW CIC is based on QNX 6.3.2 running on a Renesas SH4 CPU. There are two main binaries on the
system running in "Normal" mode: CicHichEceUsaRoot and CicHighEceUsaSecond (names for ECE and US models).
The first binary resides in IFS and the second one on EFS. To cut this short, SWT functions reside in the *Second binary. After
a bare inspection of the binary it is noticeable that the root certificate is being checked for several things, including the check
which compares the root certificate to its copy residing in the IoC (v850 CPU); additionally there is a string which says
something like "Unable to read rcert from IoC, trying from flash", which was more than enough for a start. After
disassembly and locating the function responsible for checking the root certificate in the IoC it was only a matter of changing
two bytes, and now we have a program which will read and accept a root certificate (if it is created properly with all
correct names and parameters) from the flash /mnt/HBpersistence/rcert.swt file.
OK, so since I did not need to do any kind of hooking or add code, it is enough just to change bytes in the current
EFS image on flash. Replace (if any) rcert in /mnt/HBpersistence with our own, virginize the CIC (delete
/mnt/hbdebug/data0? and generalPersistencyData_DiagnosticSWTController) and reboot. After the reboot, using E-SYS or
FSTOOL we can see that our root certificate is accepted and we can upload the rest using one of the tools mentioned
(SIGs, FSCS, and FSC certificates).

***DONATIONS: If anyone wanted to give any donation please donate directly to the forum from
HERE it will be greatly appreciated by everyone as everything you see here is FREE***

Attached File(s)

https://mega.nz/#!C50zQT5I!J2GNqrt6Pxal76Lumtvl4EPSPyY4Qd5mMXMPsXhXEk0
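
The root-certificate check described in the answer above, modelled as an added example (not code from the CIC or from the patch author): it contrasts a check that falls back to the writable flash copy when the protected IoC copy cannot be read with one that rejects on any read failure. The `cert_store` type, the function names and the byte strings are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: a "certificate" is an opaque byte string and each
 * store (protected IoC copy, writable flash copy) may or may not be readable. */
typedef struct { const unsigned char *data; size_t len; int readable; } cert_store;

static const unsigned char OEM_ROOT[]   = "constructed-oem-root";
static const unsigned char OTHER_ROOT[] = "constructed-replacement-root";

static int same_cert(const cert_store *a, const cert_store *b) {
    return a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
}

/* Fail-open: when the protected copy cannot be read, the flash copy is
 * accepted on its own word (the "trying from flash" path). Returns 1 = accept. */
int accept_root_fail_open(const cert_store *ioc, const cert_store *flash) {
    if (!flash->readable) return 0;
    if (!ioc->readable) return 1;
    return same_cert(ioc, flash);
}

/* Fail-closed: the flash copy is only trusted after it has matched the
 * protected copy; any read failure is a rejection. */
int accept_root_fail_closed(const cert_store *ioc, const cert_store *flash) {
    if (!ioc->readable || !flash->readable) return 0;
    return same_cert(ioc, flash);
}

/* Runs one constructed scenario and returns the accept decision. */
int scenario(int ioc_readable, int flash_replaced, int fail_closed) {
    cert_store ioc = { OEM_ROOT, sizeof OEM_ROOT, ioc_readable };
    cert_store flash = { flash_replaced ? OTHER_ROOT : OEM_ROOT,
                         flash_replaced ? sizeof OTHER_ROOT : sizeof OEM_ROOT, 1 };
    return fail_closed ? accept_root_fail_closed(&ioc, &flash)
                       : accept_root_fail_open(&ioc, &flash);
}

int main(void) {
    printf("IoC unreadable, flash replaced: open=%d closed=%d\n",
           scenario(0, 1, 0), scenario(0, 1, 1));
    printf("IoC readable,   flash replaced: open=%d closed=%d\n",
           scenario(1, 1, 0), scenario(1, 1, 1));
    printf("IoC readable,   flash original: open=%d closed=%d\n",
           scenario(1, 0, 0), scenario(1, 0, 1));
    return 0;
}
```

A fail-closed comparison only holds if the image that contains it is itself integrity-checked, since the post describes changing bytes of the check in the EFS image.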
Loading with FSTool :

For all the Fellow BMW'IANS suffering from error 7009 in FSTOOLS with CIC, here is the solution!
Guess what? I managed to import 1B via FSTOOL: I uninstalled BMW STANDARD TOOLS, uninstalled FSTOOL and
Carserver. Used the Ediabas installation from Dr Gini, updated the ECU folder from Dr GINI to my Ediabas location, and also
updated the Carserver from Dr Gini Ediabas\bin\server. Amazingly it works!
P.S. I used DR GINI version B020

Or: If you are not able to import 1B but you succeed with 17 and 19, even 9C, it means that your FSTOOL needs to be
UPDATED. Steps to do: install Dr.GINI from the forum following all instructions by updating files in EDIABAS/server.....
When you are done, copy all files in folder EDIABAS\Bin\server to folder CarServer by overwriting and you are done.
PS: no need to uninstall BMW tools.

Using Ista/P, first convert certs in xml format, Executable: http://cartechnology.co.uk/attachment.php?aid=45986

I found the easiest way is to write a batch file to run the whole Fsc(s). Basically you issue commands to the converter
utility through the command prompt. I dropped the unsigned .fsc files and the fscs.der certificate into the same folder
with the FscToXml.exe utility. Create a batch file in the same folder with the converter. My batch file contains the
following:

Code:
FscToXml C:\Users\User\Downloads\FscToXml\fscs.der C:\Users\User\Downloads\FscToXml\00170001.fsc
FscToXml C:\Users\User\Downloads\FscToXml\fscs.der C:\Users\User\Downloads\FscToXml\00190001.fsc
FscToXml C:\Users\User\Downloads\FscToXml\fscs.der C:\Users\User\Downloads\FscToXml\001B0001.fsc
FscToXml C:\Users\User\Downloads\FscToXml\fscs.der C:\Users\User\Downloads\FscToXml\006F0001.fsc
FscToXml C:\Users\User\Downloads\FscToXml\fscs.der C:\Users\User\Downloads\FscToXml\009B0001.fsc
FscToXml C:\Users\User\Downloads\FscToXml\fscs.der C:\Users\User\Downloads\FscToXml\009C0001.fsc

Your file locations will differ from mine, but running the batch file like this will spit out all the .xml files in one step.
Bear in mind that the VIN will need to be changed for each of the .fsc files, but that can be done easily with a hex
editor like HxD if you can't get FSTOOL running.

Other: Normally this should do the job, you can use Notepad++ to base64 encode under plugins->mime tools->base64.
Of course you have to change the app id and part number for the right app.

Code:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<fscProvided custOrderID=" " dealerNo="29691" orderID="000000" partNo="000001B
0001" requestID="1OL03EF8">
<vinShort>Put here your short vin</vinShort>
<fscItem>
<genTime>2011-10-27T22:00:00.000Z</genTime>
<fsc code="base64" id="102823042586">
Put here your base64 encoded FSC Code
</fsc>
<diagnoseAddr>63</diagnoseAddr>
<swID>
<applicationNo>001B</applicationNo>
<upgradeIndex>0001</upgradeIndex>
</swID>
</fscItem>
<certificate code="base64" serial="AAAAAAAABAI=">
Put here your base64 encoded certificate
</certificate>
</fscProvided>

Don't know if it is the same this way, but normally all the FSC codes use the same certificate, so I encoded it and tested
it with a randomly generated FSC code. Ista/p did successfully import the code, and the certificate is available in the file
manager. Don't have a car to test if it will import them, but the first step is made. Hope someone can test it. If they have
trouble with encoding, send me a PM, maybe I can help you out!

Code:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<fscProvided custOrderID=" " dealerNo="29691" orderID="000000" partNo="000001B
0001" requestID="1OL03EF8">
<vinShort>Put here your short vin number</vinShort>
<fscItem>
<genTime>2011-10-27T22:00:00.000Z</genTime>
<fsc code="base64" id="102823042586">
put here your base64 encoded FSC code you generated
</fsc>
<diagnoseAddr>63</diagnoseAddr>
<swID>
<applicationNo>001B</applicationNo>
<upgradeIndex>0001</upgradeIndex>
</swID>
</fscItem>
<certificate code="base64" serial="AAAAAAAABAI=">
MIIDCDCCAfCgAwIBAgICBAIwDQYJKoZIhvcNAQEEBQAwaTETMBEGCgmSJomT8ixkARkWA2NvbTEYMBYG
CgmSJomT8ixkARkWCGJtd2dyb3VwMQwwCgYDVQQKDANwa2kxFDASBgNVBAsMC2Jtdy1memctcGtpMRQw
EgYDVQQDDAtmemctcm9vdC1jYTAeFw0xNzA0MDMxNjI4MjJaFw0yNzA0MDExNjI4MjJaMIGMMRMwEQYK
CZImiZPyLGQBGRYDY29tMRgwFgYKCZImiZPyLGQBGRYIYm13Z3JvdXAxDDAKBgNVBAoMA3BraTEUMBIG
A1UECwwLYm13LWZ6Zy1wa2kxNzA1BgNVBAMMLnplbnRyYWxlIE1hc3RlciBGcmVpc2NoYWx0Y29kZXN0
ZWxsZS1Qcm9kdWt0aXYwgZ0wDQYJKoZIhvcNAQEBBQADgYsAMIGHAoGBAL/9yM2oDHCCNA5CvXgPbzqRyeUqWj5
5z5vUoNm3ztt10olUi3+Bc0xK7shw0LId1u/ViYrYPQUNQuJkkhNXZx1SG97aisAgXDbVok+Kacn9Vb/U+l8XWy
j+95u36GgMvYGzTZmxopE6fGmGtPwOkqJJpgd/uWpqhfexSfEGZPCDAgEDoxwwGjAYBgNVHSUBAf8EDjAMBgorB
gEEAYQBCgEBMA0GCSqGSIb3DQEBBAUA
A4IBAQBYAuYDqMsPXeVwvNE5C7NeflgdIWHjhSHr3eYeDaUzgq+5liYNsYvhcaKfWGWiVLdbuN8dY2nZ
7Lf/dQ3jfV8uNqu+jlafW9JXyRR72MvqtR7nt4KKuGuJpL4y/BdIcmFdkcl5n9KpMbG5+0GBAKdVcQSLu6LpQYv
7gc0ii9VfFGYaItvWk0W/aMF0cumJkkXN88E2oXmf87a/Wx316izm3yEjFZeaYfTrFPHaDeaBUwZg3FWLg/ldzK
Q5I6P9cOksNno/tkFkMxcj1UKzlonWU4v/+VT5m1R4STPOFhh7aSAxjPr0q7gDihmLX+46lvg3j2Y8h8wimIgx8
WNEeUUv
</certificate>
</fscProvided>

Workaround importing:

Imported 1B, 17, 19 and 9C successfully, but with two problems that I have solved.

My CIC was script activated; before doing anything I removed the script and all the files related to the activation.
After applying the intel123 script, I don't know why, but I think it was not virginized correctly; the certificates were still in
the CIC.
I followed the instructions from this post and finally I fixed it:
You won’t get private (active) certificates with any FStool, you can forget about that one from the beginning, so forget
signing your own certs without patching CIC itself (v850 IOC firmware needs to be patched).
For virginizing CIC it is done quite simply,
1) if these files exist, remove them and make empty ones:
/mnt/hbdebug/data01
/mnt/hbdebug/data02
/mnt/hbdebug/data03

Code:
rm -rf /mnt/hbdebug/data0?
touch /mnt/hbdebug/data01
touch /mnt/hbdebug/data02
touch /mnt/hbdebug/data03

After that, you should clear generalPersistencyData_DiagnosticSWTController, you can find empty (virginized) one in
attachment: http://cartechnology.co.uk/attachment.php?aid=44550
File normally resides in: /mnt/HBpersistence/normal/
After that, reboot the CIC and it’s virginized.

After this, 1B, 17 and 19 were loaded correctly, but when I tried to load 9C I got this error, "Error Code 10802".
Following the instructions from this post I fixed it.
Anybody has got success to get rid of "Error code 10802" for 9C apps? And also swap the "swtconf0" from
ruben_17non file bringing up different error.

Try to replace C:\EC-Apps\CarServer folder with this one: http://cartechnology.co.uk/attachment.php?aid=27641


Which is: https://mega.nz/#!gpUxRJ7Q!7KVm_-ImJGO5Cay3pwdNFAKR1jQeuuBebPik91Kskks

Now I have the CIC with all the certificates loaded and working correctly.
Thanks to intel123 and all those who have contributed with information.

Other FsTool config:


Firstly, FSTOOL works to import all FSC with a little bit of tweaking of Ediabas and Carserver.
First have FSTOOL up and running without any errors from Java or Carserver. You should be able to establish a
connection. Forget about loading or reading FSC at this moment. Establishing a connection should not throw up any
errors.

Download Dr Gini. 0B20 from this Forum, Here is the Link:


http://cartechnology.co.uk/showthread.ph...ht=Dr+gini
Which are: https://mega.co.nz/#F!VwJzgByC!K0krmp2Rfy86NetmhCIx6A
Or:
https://mega.co.nz/#F!Fl5WBR5D!Svh3FVE4A3FQboexaVPtFA
Download everything !

If you already have Ediabas installed, copy and replace Ediabas with the EDIABAS folder from Dr Gini.
Copy and replace the Ecu folder of your EDIABAS with the Ecu folder from Dr Gini.
Copy and replace API32.DLL in Ediabas\bin with API32.DLL from Dr Gini.
Now install Dr Gini.
If you look at Ediabas\bin on your computer you will find that Dr Gini has created a folder called SERVER. You
now need to copy the contents of this folder and paste them into ECAPPS\CARSERVER, replacing or overwriting the files on
your computer.
After all this is done, your FSTOOL installation should work right with READING AND STORING FSC AND
CREATING THEM!
About manipulating NBT Fsc(s), wait for the 0B021, coming soon … (~1 month)

FSTOOL link: https://mega.co.nz/#!idVhGDQD!vk6a59-PhwzHGaaGM4NUPX6ZoZs9WS7v3YYae4vEf28

carserver_fstool
https://mega.nz/#!chxD0DKY!6QMLynXcOKtCatqhakr7GPmxe-SIhL8empUCiTOmwa0

ediabas_jre
https://mega.nz/#!40hE0L6J!tD9jHOzdeeW1N5cdGhI197Ly2ngF_RFRVlmXsSc576U
