TUNING PROTECTION On Bosch EDC17 and MED17 ECUs explained
 

We've had many people asking why it's sometimes necessary to open the ECUs of some cars brought to us, and what this "tuning protection" is that many companies are talking about. Here's a brief explanation of it.

"Tuning Protection" for the Infineon TriCore TC-series processors (Bosch MED17/EDC17)

On the CR TDI and 1.8/2.0 Turbo Petrol engines with the Bosch ECU generation 17 (MED17 for the petrols, EDC17 for the diesels; we'll just refer to them as MEDC17 from now on), Bosch has implemented some new security measures to protect against aftermarket reprogramming of the engine control unit calibration data.

Bosch originally started to use various checksums in the late 80s to verify the data integrity of the engine control unit memory content. Originally this was just a simple additive checksum, where you count the sum of all bytes in the calibration and store the value in one place. Later on, it was also used to protect the data from unauthorised modifications (that's us...). For example, the ME7.5 ECU (1.8 Turbo) contains about 70 different checksum blocks, and the result values are filtered through various functions to have a secure method of verifying data integrity. At around the same time, Bosch started using access control on ECU reprogramming from the outside (that is what we call OBD flashing nowadays). It's usually a normal challenge-response scheme with a seed-key algorithm. Of course, the chiptuning industry kept on and solved these functions to have methods of correcting the checksums, and to have OBD programming capability for these ECUs. About 10-12 years ago, Bosch started using RSA signatures to control the ECU contents. Early on it was just 256-bit RSA, then 512-bit RSA, and nowadays, on these new ECUs, it's a hash from a 1024-bit RSA signature, something that's virtually uncrackable with traditional brute-force methods. Since these keys are yet to be solved, tuners have had to find other ways of programming the ECUs.

When the MEDC17 ECU family was released, a backdoor was found in the programming algorithm. Originally this hash was checked only after certain conditions were met. If they were not met, it was not checked. So the programming method made sure the conditions were not met every time the ECU was programmed. This "Tuning Protection", as it is commonly called, just means that this backdoor has been sealed, and the ECU always checks the hash validity after every OBD programming attempt. If the hash is not valid, the ECU sets a flag in memory that prevents the car from starting. Our tools can detect this function just by reading the ECU via OBD. Many others, including some big brand names, have problems with cars not starting after writing. That is why, for now, on these protected ECUs, we need to open the ECU to use a processor function built into the TC17xx-series processors, which allows us to boot and reset the ECU at any given moment from pins on the motherboard. This way the ECU does not detect it as being an OBD programming attempt, and skips the hash validity check.
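The difference between the additive checksum, the signed hash, and a conditional versus an unconditional check can be shown in a few lines. This is an added example, not code from Bosch or from the original article: the SHA-256 hash, the unpadded toy RSA key, the function names and the sample data are all assumptions made for illustration.

```python
import hashlib

# Toy RSA key from two known Mersenne primes. Constructed for this example:
# far too small for real use, and unrelated to any real ECU key.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known to the signer only

def additive_checksum(data: bytes) -> int:
    """Sum of all bytes, truncated to 32 bits (the early scheme in the text)."""
    return sum(data) & 0xFFFFFFFF

def digest_int(data: bytes) -> int:
    """SHA-256 of the data reduced mod N (toy encoding without padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    """Manufacturer side: sign the digest with the private exponent."""
    return pow(digest_int(data), D, N)

def signature_ok(data: bytes, signature: int) -> bool:
    """ECU side: only the public values E and N are needed to verify."""
    return pow(signature, E, N) == digest_int(data)

def accept_conditional(data: bytes, signature: int, condition_met: bool) -> bool:
    """Early behaviour described in the text: verify only if a condition holds."""
    return signature_ok(data, signature) if condition_met else True

def accept_always(data: bytes, signature: int) -> bool:
    """Sealed behaviour: every programming attempt is verified, no exceptions."""
    return signature_ok(data, signature)

# Constructed sample data standing in for a calibration block.
original = bytes(range(64))
stored_sum = additive_checksum(original)
stored_sig = sign(original)

# Two bytes changed in opposite directions: the byte sum is unchanged.
modified = bytearray(original)
modified[10] += 1
modified[20] -= 1
modified = bytes(modified)

if __name__ == "__main__":
    print("checksum still matches:", additive_checksum(modified) == stored_sum)
    print("signature still valid: ", signature_ok(modified, stored_sig))
    print("conditional, unmet:    ", accept_conditional(modified, stored_sig, False))
    print("unconditional:         ", accept_always(modified, stored_sig))
```

The checksum accepts the changed data while the signature rejects it, and the conditional gate accepts it only because verification never ran.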

At this time, there are only a few tuning tools that can patch the area of the processor's internal memory (IROM), and if an ECU has "Tuning Protection" then it may need to be programmed by taking the ECU out and opening it. Some call it "bench flash", some say they "install a probe", but this is how it is done by ALL tuners who are offering remaps on "protected" MEDC17 ECUs.

Some late MED9 ECUs have similar protection from the factory and may also need to be removed to be reprogrammed.