In the tuning industry, June 2020 marks the "Great Lockdown." While older Bosch MG1 and MD1 units (Aurix TC2xx) were easily bypassed via traditional bench protocols, the newer hardware revisions introduced a security architecture that essentially "bricked" the standard reading methods for nearly all aftermarket tools.

The Core Architecture: Aurix TC3xx & SBOOT
The platform moved from the older Infineon Aurix TC2xx to the TC3xx series (like the TC387 or TC399). The critical change isn't just the processor speed; it’s the Secure Bootloader (SBOOT) version 04.00.03 or higher.
- State Machine Validation: In previous versions (04.00.01), a vulnerability existed in the state machine during the boot process. Tools could bypass digital signature checks by exploiting a flaw in how the ECU verified the entry into "Bootstrap Loader" mode.
- The Patch: Bosch updated three specific lines of code in the SBOOT to force a hard validation of the digital signature before allowing any external code execution.
- HSM (Hardware Security Module): The TC3xx utilizes a dedicated ARM-based HSM core. This core manages the encryption keys independently of the main TriCore CPUs. If the HSM doesn't see a valid RSA signature from Bosch, it keeps the main cores in a "Halt" state.

Why "No Read" is the New Standard
For these newer units, standard TPROT (Tuning Protection) isn't the only hurdle. The ECU has OBD Readout Protection baked into the bootloader.
- Most tools can perform an ID to see the hardware and software numbers, but the Password (PWD) calculation—previously derived from the ECU's serial or a known seed/key algorithm—is now hidden behind a unique per-unit key stored in the HSM.
- Without this PWD, you cannot gain "Bench" access to the P-Flash or D-Flash.

The "Permanent" Patch
A major concern for tuners is the "Relock" during dealer updates.
- The Good News: Most 2026 unlock methods involve a Bootloader Downgrade or a Custom Signature Patch.
- The Result: Even if a BMW dealer performs an iStep update and overwrites the OS (SWFL/ASW), the underlying patched bootloader (SBOOT) remains. This means you can simply re-apply the "OBD Unlock Patch" via your tool without needing to pull the ECU again.

Tactical Advice for Shops
When a customer brings in a 2021+ G-Series BMW or a MK5 Supra:
- Bench ID first: Check the Bootloader (BTLD) version. If you see 04.00.03+ on an Aurix chip, explain the hardware lock immediately.
- Verify the BTLD date: Some transition cars (July/August 2020) still have the old "Wave 2" (Bench Unlockable) hardware.
- Explain the "Read" vs. "Write": Educate them that "No Read" means we rely on Virtual Reads (VR) from the tool's server once the unlock is performed.

MPC5777 vs. Aurix TC3xx: The Evolution of the Lock
The Security Core: CSE vs. HSM
- MPC5777 (NXP PowerPC): Uses a CSE (Cryptographic Services Engine). The CSE is a peripheral based on the SHE (Secure Hardware Extension) specification. While it can store keys and perform AES-128 encryption, it is relatively "passive." It checks signatures at the request of the main cores.
- Aurix TC3xx (Infineon TriCore): Features a full-blown HSM (Hardware Security Module). This is essentially a separate ARM-based computer living inside the chip. It has its own private RAM/Flash and runs its own firmware independently of the main TriCore cores. The HSM "owns" the boot process—if it doesn't approve the code, the main cores never even receive power.

The Bootloader Logic: SBOOT and the "Chain of Trust"
In the newer TC3xx units (Post-2020/06), Bosch implemented a Chain of Trust that is significantly more aggressive than what was seen in the MPC5777.
- MPC5777 Implementation: The "lock" was often just a password-protected JTAG/Nexus interface. Once the password was bypassed (usually via a glitch or a known seed/key), you could dump the entire flash.
- TC3xx Implementation (SBOOT 04.00.03+):
  - The Hardware Root of Trust: The boot sequence starts in an immutable ROM inside the HSM.
  - The Validation: Before the main CPU (the TriCore) can execute a single line of your tuning file, the HSM verifies the RSA/ECC digital signature.
  - The Lockdown: Because the HSM has exclusive access to the keys, standard bench tools cannot "ask" the CPU for the password anymore. The password isn't just a string of hex; it's a dynamic result of a cryptographic handshake that only Bosch’s servers know.
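
A generic model of the fail-closed gate described above and in the earlier HSM paragraph, added here as an example and not Bosch or Infineon code: the device starts halted, and only a passing signature check releases the cores, whichever entry mode is requested. The toy RSA key, the mode names and every function name are assumptions made for illustration.

```python
import hashlib
from enum import Enum

# Constructed toy key: two Mersenne primes, textbook RSA without padding.
# Far too small and simple for real use; it only makes the gate runnable.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's private exponent, never on the device


class State(Enum):
    HALT = "halt"  # main cores held: start state and every failure state
    RUN = "run"    # main cores released to execute the verified image


def digest(image: bytes) -> int:
    """SHA-256 of the image, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N


def sign(image: bytes) -> int:
    """Signer side (the vendor build system in this model)."""
    return pow(digest(image), D, N)


def verify(image: bytes, signature: int) -> bool:
    """Device side: needs only the public pair (N, E)."""
    if not isinstance(signature, int) or not 0 < signature < N:
        return False
    return pow(signature, E, N) == digest(image)


def boot(image: bytes, signature: int, mode: str = "normal") -> State:
    """Every entry mode takes the same path; none of them skips verify()."""
    state = State.HALT
    if mode not in ("normal", "bootstrap"):  # hypothetical mode names
        return state                         # unknown request: stay halted
    if verify(image, signature):
        state = State.RUN                    # the only assignment of RUN
    return state


# Constructed sample images, not real firmware.
GOOD = b"constructed-firmware-image-v1"
GOOD_SIG = sign(GOOD)
TAMPERED = GOOD[:-1] + b"2"
```

The design point is that `State.RUN` is assigned in exactly one place, after `verify()`, so a request for bootstrap mode cannot reach execution by a different route than a normal boot.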
Why the "No Read" exists on TC3xx
In the MPC5777 era, "reading" was a matter of gaining entry to the debug interface. In the new TC3xx architecture:
- Read-Protection (RDP): The HSM actively monitors the DAP (Device Access Port). If it detects an attempt to read certain memory sectors (like the P-Flash containing the maps) without a successful HSM-to-HSM authentication, it triggers a destructive reset or simply stays silent.
- Encrypted Flash: In some high-security variants, the data sitting on the flash isn't even "plain text"—it is decrypted on the fly as it moves into the CPU cache. If you manage to dump the chip physically, you often end up with gibberish.

Comparison for the Workshop
| Feature | MPC5777 (Early MDG1) | Aurix TC3xx (Post-06/2020) |
| --- | --- | --- |
| Architecture | PowerPC e200z7 | TriCore 1.6.2P / 1.8 |
| Security Module | CSE (Simple) | HSM (Advanced/Independent) |
| Unlock Difficulty | Low (Password Bypass) | High (Signature/HSM Exploit) |
| Read Method | Bench / Boot | Virtual Read (VR) Only |
| Exploit Target | Debug Interface | SBOOT / Bootloader State Machine |

What this means for your Toolchain
If you are working with an MPC5777-based ECU, you can likely still "read" the file and see the actual hex of the car you are working on.
If you are working with a TC3xx Post-06/2020, you must accept that the "Read" button on your tool is essentially a "Search" button. Your tool IDs the software version, connects to the server, and downloads a stock file that matches that ID (Virtual Read). You are never actually seeing the data currently on the chip until you perform a successful "Hardware Unlock" via a service.