EcuTek,Cobb, EcuEdit, tuners - how come it's legal?

[vgi]

Cars ECUs have authentication/encryption protection against non authorized (dealer) access. So how come it's legal for companies like COBB, EcuTek, EcuEdit, etc. to crack the ECU authentication/encryption protection and expose tunes, which are ECU software programs and are copyright protected?

In US car ECUs covered by Digital Millennium Copyright Act (DMCA), which is a copyright law that governs what the public can do with creative content—things like music, movies, and software.

Only in October 2015 the rulemakers have adopted exemption for Vehicle Software -ECUs (page 39-43)

http://www.copyright.gov/1201/2015/f...spectionFR.pdf

BUT it goes in effect in 12 month (Oct 2016) which means any such circumvention done earlier than 12 months is a subject of copyright infringement.

Also, note that exemption excludes circumvention "on behalf of" vehicle owners (top p43) which means it's illegal for tuners to flash you car as they're not owners of the car and can't do it on "your behalf".

So could someone please explain how come COBB, EcuTek, EcuEdit and such have been selling their soft for years?

I am genuinely curious.


WERE OUR COLLECTIVE ARSES TRICKED INTO ILLEGAL ACTIVITY BY PROMOTING/SELLING ECUTEK SOFTWARE WITHOUT ANY DISCLAIMER?

[johnmk]

At a minimum, I would guess that Subaru, and other car manufacturers, have decided that legal action would just increase demand for used cars, and they would thus lose money.

[vgi]

Quote:

Originally Posted by johnmk

At a minimum, I would guess that Subaru, and other car manufacturers, have decided that legal action would just increase demand for used cars, and they would thus lose money.

i doubt that's the reason. they did try to oppose this exemption and released a statement against it:

http://copyright.gov/1201/2015/comme..._1201_2014.pdf

i'm rather think they're too lazy and don't think it's worth it to fight all these small (relatively) companies in court.

[fumanchu1]

why would tuners not be doing this on your behalf?! You are requesting them to do it for you, if that isn't delegation of authority (in this case acting on your behalf to tune) then what is? Any person (in this case the tuner) providing you with a service, that you requested, but are unable to complete by yourself is acting on your behalf as you have given them authority to do so and therefore would fall under the exception.


here is the exert:


Under the exemption as proposed, circumvention would be


allowed when undertaken by or on behalf of the lawful owner of the


vehicle.


Meaning as long as the tuner has authorization from yourself he IS acting on your behalf and therefore covered in the exemption (p.40)

[renfield90]

They oppose it on paper, largely because the EPA would light their ass up if they openly admitted "we make it easy for enthusiasts to modify stuff outside of EPA approved parameters."

The first company to actually go after enthusiasts tuning their cars would lose a whole generation of enthusiast sales.

If they actually wanted you out of the ECU they would make it happen (see: many early 2000s Toyota ECUs which were uncrackable and not fooled by most inline or piggyback mods). The twins ECU doesn't have, to my knowledge, any encryption or authentication measures designed to deter "unauthorized" access. Everything's done with a standard J2534 interface as I understand it. You could read the SAE spec and write your own software to interface with it if you wanted.

[vgi]

Quote:

Originally Posted by fumanchu1

why would tuners not be doing this on your behalf?! You are requesting them to do it for you, if that isn't delegation of authority (in this case acting on your behalf to tune) then what is? Any person (in this case the tuner) providing you with a service, that you requested, but are unable to complete by yourself is acting on your behalf as you have given them authority to do so and therefore would fall under the exception.


here is the exert:


Under the exemption as proposed, circumvention would be


allowed when undertaken by or on behalf of the lawful owner of the


vehicle.


Meaning as long as the tuner has authorization from yourself he IS acting on your behalf and therefore covered in the exemption (p.40)

you're confusing the original proposed and what was actually accepted.

like i have referenced - at the top of page 43 there is this sentence:

"The exemption also excludes circumvention “on behalf of” vehicle owners, as a broader exception allowing third parties to engage in circumvention activities on behalf of others is in tension with the anti-trafficking provisions of section 1201(a)(2) and (b)"

Quote:

Originally Posted by renfield90

They oppose it on paper, largely because the EPA would light their ass up if they openly admitted "we make it easy for enthusiasts to modify stuff outside of EPA approved parameters."

The first company to actually go after enthusiasts tuning their cars would lose a whole generation of enthusiast sales.

If they actually wanted you out of the ECU they would make it happen (see: many early 2000s Toyota ECUs which were uncrackable and not fooled by most inline or piggyback mods). The twins ECU doesn't have, to my knowledge, any encryption or authentication measures designed to deter "unauthorized" access. Everything's done with a standard J2534 interface as I understand it. You could read the SAE spec and write your own software to interface with it if you wanted.

You should do some digging then to update your knowledge - it is necessary to authenticate to the ECU in order to read/flash a rom file.

the first request asks the ecu for a cryptographic seed. the ecu and the sender have a shared cryptographic function and key that when given a seed will spit out a response. the sender then sends the computed result back to prove it has the key.

usually these tuning solution companies figure out what the algorithm is from debugging servicing programs, which is also illegal. brute force won't work if the seed is reset (toyota's do so) after number of tries (10 or so).



btw, i don't debate "why would", "should they", "on paper", "close their eyes", etc


but by law - unless i missed something from those DMCA docs it seems it is not legal.

[fumanchu1]

Quote:

Originally Posted by vgi

you're confusing the original proposed and what was actually accepted.

like i have referenced - at the top of page 43 there is this sentence:

"The exemption also excludes circumvention “on behalf of” vehicle owners, as a broader exception allowing third parties to engage in circumvention activities on behalf of others is in tension with the anti-trafficking provisions of section 1201(a)(2) and (b)"





You should do some digging then to update your knowledge - it is necessary to authenticate to the ECU in order to read/flash a rom file.

the first request asks the ecu for a cryptographic seed. the ecu and the sender have a shared cryptographic function and key that when given a seed will spit out a response. the sender then sends the computed result back to prove it has the key.

usually these tuning solution companies figure out what the algorithm is from debugging servicing programs, which is also illegal. brute force won't work if the seed is reset (toyota's do so) after number of tries (10 or so).



btw, i don't debate "why would", "should they", "on paper", "close their eyes", etc


but by law - unless i missed something from those DMCA docs it seems it is not legal.

oh then I retract my statement. didn't see that when I skimmed through

[OkieSnuffBox]

In reality, you're running afoul of EPA laws regarding modifying emissions equipment, so you're just breaking a different law.

[vgi]

Quote:

Originally Posted by OkieSnuffBox

In reality, you're running afoul of EPA laws regarding modifying emissions equipment, so you're just breaking a different law.

that's not necessarily true, there are carb legal kits out there

[renfield90]

Quote:

Originally Posted by vgi

You should do some digging then to update your knowledge - it is necessary to authenticate to the ECU in order to read/flash a rom file.

the first request asks the ecu for a cryptographic seed. the ecu and the sender have a shared cryptographic function and key that when given a seed will spit out a response. the sender then sends the computed result back to prove it has the key.

usually these tuning solution companies figure out what the algorithm is from debugging servicing programs, which is also illegal. brute force won't work if the seed is reset (toyota's do so) after number of tries (10 or so).



btw, i don't debate "why would", "should they", "on paper", "close their eyes", etc


but by law - unless i missed something from those DMCA docs it seems it is not legal.

Interesting. I'll have to hook up my CAN sniffer some day and take a look.

Yes, cracking any kind of cryptographic authentication, shared secret, etc. has negative DMCA implications. I implemented such a feature for one of our products after we caught wind of some apps in the wild that were decoding our broadcast data. If you don't auth up the broadcast stops. If they crack it, we can go after them.

[johnmk]

Quote:

Originally Posted by renfield90

The first company to actually go after enthusiasts tuning their cars would lose a whole generation of enthusiast sales.

It's either that, or laziness. Probably a mixture of both.

[Ondreiko]

High bro!))
In our places it works ONLY if the right owner sues the infringer. there is no other way the authorities may catch the tresspasser than the right owner points him. Do the manufacturers care of the tuners yet? Here the dealers mostly represent the manufacturers and they dont care as i beleive. They care to get their profit only and even if the man with modifyed ROM appears with some warranty issues, they most likely would try to complete warranty request as they don't care where to get money from - from the final customer or from manufacturer - they will be paid anyway and they don't like any kind of PITA at all.
But this is only how it should work here, you know ))

[skye67]

We're basically talking about hacking and this is something I know a thing or two about. Apple tried to get it illegal 2 jailbreak the iPhone. Sony tried to make it illegal to hack the PlayStation. And I understand General Motors was trying to make it illegal to hack their ECU. But the courts have always upheld that the owner can do whatever they want to something they own. Now the EPA is a different story.

[Ultramaroon]

+1 It's mine.