When Ford unveiled the 2024 Mustang GT, it made some bold steps toward the security of its ECU. Since the whole vehicle’s a connected car, ECU data was encrypted, meaning the car couldn’t be tuned by third parties. This isn’t normally a problem, but a Mustang isn’t exactly a normal car. It’s one for people who tweak things and want to go fast, and relief is finally here.
Yes, for the past few years, if you wanted to make the new-look Mustang faster, you’d have to either run a hodgepodge of parts with no ECU map optimization, or pony up for a first-party solution like Ford Performance’s Whipple-based supercharger kit that takes a new Mustang GT up to 810 horsepower. Big gains, but at big cost. For those looking to do a fairly proven package of an aftermarket air intake, a catback exhaust, and a tune with a raised rev limiter, the old Mustang GT was more attractive.
Key word being “was” because HP Tuners, the same tuning software and hardware solution company that cracked GM’s Global B ECU, has broken into the MG1CS036 ECU used in the current Ford Mustang GT, which means these cars can finally accept custom tuning. Of course, the current Ford Mustang GT isn’t the only Ford with an ECU in this family, which means Pandora’s box has been opened for machines like the 2021-onward F-150, the 2021-onward Bronco, the Ranger Raptor, the 2022-2023 Expedition, and of course, the Mustang Dark Horse.
Should you wish to have your seventh-generation Mustang custom flashed to optimize gains from bolt-on mods, you will require four HP Tuners credits at a cost of $49.99 each plus whatever the time and expertise involved in dialling in a custom tune costs. If you’re flashing it yourself, you’ll either need an MPVI2 or newer interface, or an RTD4 device if you’re getting your tune emailed to you. The end result probably won’t be warranty compliant, likely isn’t CARB-friendly, and comes with a chance of doing actual damage if the map’s too spicy, but you probably knew this already if you’re the sort of person to have your car professionally remapped. Making power comes with some risk, and to some, the risk is worth the reward.
However, this big development means that things can finally get crazy with the new Mustang. Bring on the twin turbos, bring on the dry shots of nitrous, bring on the E85, bring on the aggro cams, all in a platform with better steering, the fun available toy of a drift brake, modern tech, and some serious available brakes. For decades, the Mustang has been a tuner’s dream, and while we faced a brief intermission, it seems like the dream isn’t over.
Top graphic image: Thomas Hundal
Support our mission of championing car culture by becoming an Official Autopian Member.
Bring on the trees. Bring on the crowds. Bring on the light poles.
I’m waiting at the side of the road, ready to shove my phone in some poor person’s face after their kneecaps are taken out by a rogue stallion.
Whipple as in Charmin or as in the humongous-number-of-staples-down your front weight loss surgery?
I am conflicted. Cybersecurity is one of my jobs, and as a cyber guy this doesn’t seem ideal given how connected vehicle systems are. But as a car enthusiast, and someone who has been using HPTuners since 2002, this is awesome, even if I likely won’t ever be buying a newer Mustang. Oh well, such are the compromises of life.
The obvious solution is not to integrate all these systems, connect them to the internet, and create both the risk and the need to lock down security.
Just to be a stickler, a lot of automotive cyber security is less about “bad actor” (Although that’s becoming more relevant, now that electronic steering and braking can be hacked) and more about preventing tinkering where one should not tinker. OEMS are required to at least make a reasonable attempt to prevent the aftermarket from disabling safety / emissions systems.
If you makes you feel any better, automotive ECU “security” is generally pretty laughable.
For what it’s worth, I doubt Ford tried very hard to make these secure. I work with manufacturers that require back-end server certificates to successfully flash an ECU and use encrypted CAN messaging channels to talk from ECU-to-ECU.
But why would Ford bother with these? They know customers are going to want to tune their vehicles, and it’s not like they couldn’t just reflash the ECU with new hardware codes when vehicles came in for service if they wanted to stop these people.
It’s honestly just lip-service, they do enough so that the federal government can’t get mad at them for making “emissions defeat devices,” meet ISO26262 Functional Safety and cybersecurity requirement, then call it a day.
ISO21434 and UNECE R155 would like a word sir….
As to why would they bother with them? Because they have to if they want to continue to sell vehicles, security requirements have moved well pasts 26262 and NHTSA has shown they are willing to issue big fines and recalls for cyber issues (okay, well one time they did) in the EU you can no longer sell a new vehicle that doesn’t meet R155 Type Compliance.
Yeah, I’m wondering how the selling the software would not be considered selling an emission controls defeat device. Track use/offroad only? Allows the buyer to change settings, but does not force the buyer to change settings?
Much like “Guns don’t kill people, people do,” perhaps “Software does not make smog, people do?”
Asking for a friend.
That all depends on the jurisdiction, but yes; in the US the “Offroad use only” disclaimer seems to cover it.
Most of the tuning softwares have removed the ability to turn off emissions related checks and devices. There are some exceptions to this such as HP Tuners. At the same time, the vast majority of big name tuners refuse to turn them off even if they have the ability to avoid the potential fallout from the EPA. Although in recent times there is very little concern about the environment so I don’t know how much that is being adhered to now since I am no longer in that industry.
“TrAcK uSe OnLy”
Oh I’m very familiar with ISO / ECE R standards. The thing you have to remember is that technically they’re not required to sell new cars, just FMVSS compliance.
Now if you don’t want to get your pants sued off (and i mean, you still will, but at least you’ll have a defensible argument) it’s best to do your best to comply, especially where safety standards are concerned.
As you noted, the rules are different in EU (and Canada) where ECE compliance is compulsory.
Ford is pretty well known for doing just enough to satisfy requirements on their ECUs and being pretty supportive of the aftermarket tuning community. It really sets them apart from GM and Dodge as their attempts are much more intrusive and require a lot more money and effort to bypass. Most German companies are also very difficult to bypass and tune with the exception of VW who tend to be fairly open to it. BMW especially has a reputation for not wanting their cars tuned which is why that market tends to have a large amount of piggyback options such as the JB4.
That’s the thing, it benefits them to keep some tuneability, both in-house and external. Especially for enthusiast vehicle like the Mustang, and healthy aftermarket is essential to drive new sales (and parts).
A lot of Ford dealers even offer modified cars straight on the lot with a warranty. In my experience, Ford is miles ahead of the competition when it comes to embracing the aftermarket.
Considering it took four model years starting with the F-150 to crack these ECUs, I’d say Ford paid more than lip service to cyber security. For the last few years the only way to tune the 3.5 ecoboosts was to buy a 2022 model year ECU.
I’m not saying it’s easy, I’m saying they didn’t go out of their way to make it hard.
It’s not that hard to reverse engineer an ECU, but to do it in a manner that you can tune it is a different thing.
I almost had to deal with that server connection mess to program our ECUs but was able to navigate around it. Thank goodess.
Mustang GT insurance rates goin’ up in 3, 2, 1…
Just keep them from cutting loose at a “Cars and Coffee” event and chalk it up as a win. More power with no control means more parts cars available later on.
Glad to see it! Tunability is one of the reasons I went with a Sportwagen TDI, like many VWs of that era there’s so many options. I did a Stage 2 which let me keep the dpf system intact (for now…) and bumped me up from ~145hp/235ftlbs to ~160hp/310ftlbs. Saw a bit of an increase in fuel economy too. And it felt like a different car, even with those relatively modest gains. It’s truly fantastic to drop your car off and pick it up later that day and have a such a difference, for not a lot of money. Everyone should get the chance to do that. Keep hacking those ECUs.
Also one of the reasons we went with our Audi’s. Plugged the laptop into my car for 30 minutes and when I unplugged it I had an additional 100hp, over 100 additional tq, and a completely remapped TCU. As long as you don’t go crazy bolting on big turbos and running E85/meth injection and things like that you’re really not taking a hit on reliability or fuel economy either. It’s lovely.
Took my ALH from 90hp to 330whp. Still gets 50mpg. Hy35 and a shot of propane makes a 1.9 diesel feel like a big block. Sheared off the teeth off 5th gear, pulled the thicker .840 5th off a GTI to have the thicker teeth and so far holding.
Too much fun for the cost.
Your post made me remember my ALH TDI that had been tuned by someone before I got it. I still got 50mpg and drove that thing hard every day since I had a 650mile commute on back roads every week (which was less then one tank of fuel). Traded my Mk3 GTI VR6 for it. These days, I miss both of those cars.
Propane or nitro propane?
https://youtu.be/mPnyOvWVAvY?si=9b0kyMPiTNe65XBr
VWs were the first cars I learned to DIY, and I went to school with the guys who founded APR (didn’t know them well). I just assumed that was the future of chip tuning for ALL brands, but didn’t realize until much later than VAG was a bit of an anomaly — undertuned cars, relatively easy access to ECUs and the like. It was shocking to me that all the other brands didn’t have similar subcultures, but most of them were like the wild west. VW modding seemed like a very reliable and competitive industry in contrast.
The only thing that bugs me today is that everything is just software flashing, not a physical soldering. The customer no longer “owns” the product and can’t sell it off to bring the car back to stock. It used to be a coup to find a second ECU for chipping.
Under $1k including HPT for a DIY tune is pretty good. Plus HPT is a darn good scan tool for the cars it has access to. Well worth it for a person who’s into that.
Now we can run our Mustangs & F150’s on natural gas.
That’s great. Still not gonna do anything, though. I’m much too old to engage in the horsepower wars.
Given how powerful Mustangs have been for the last few years, I’d prefer Ford focus more on improving handling. The only mod I’ve done to my ’22 is Ford Performance sway bars. The car was too floaty with the stock bars over big bumps on the highway. The only thing I might do in the future is stiffer springs that lower the ride height very slightly.
I wish some manufacturer would focus on mass and drag reduction with a RWD car.
For street use, those two variables make a massive difference in both usability and performance. As well as operating cost.
I’d LOVE a 500+ horsepower V8 in a car with Miata-or-less weight and a CdA value matching or beating a VW XL1, all in a narrow package that can weave between lanes similarly to a motorcycle. We could have a delightfully hoonable daily that will remain easy on the wallet. And the cops would have a hell of a time catching it in a chase should one transpire. Beyond what is needed for basic stability and net zero lift at speed, downforce really only matters in a controlled track setting.
The current bloated, overweight ‘Stang with that hideous oversized grille, stupidly huge wheels, fragile rubberband tires, and needlessly drag-inducing styling cues is not for me.
Sadly, the car of which you speak will have to be something you build yourself. Would be a hoot (albeit slightly terrifying), though!
I have thoughts on that front!
https://www.factoryfive.com/type-65-coupe/
It’s about 30% wider, 20% taller, with twice the drag coefficient vs what I’d have in mind. If you’re going to go with a donor ready to assemble, you’d still be hard-pressed to do better.
Think of something sized more like a Ginetta G4 or Fisher Fury. But with an overpowered V8, 6-speed manual transmission, RWD, and complete with all fluids ready to drive somewhere around 2,000 lbs or a little less. And the Cd value of something like a Fiat Turbina, Panhard CD Peugeot 66C, or Aptera 2E.
Something that could hold 150 mph on like 90 horsepower, except you have 500+ horsepower in it.
AND driven normally without too much throttle, you’d probably get 25 mpg driving it slightly recklessly in town using it to maybe 1/3 of its potential(and still endangering yourself and everyone else in the process), and maybe 60+ mpg at a steady 70 mph on the highway.
Or you can haul ass and be at 200-ish mph in under 20 seconds, guzzling down all the fuel that engine can demand.
I’m very interested to see if Casey Putsch puts his Omega into production. 1.9L TDI-powered streamlined 2-seater weighing around 2,000 lbs, getting 0-60 mph in 4 seconds and 100 mpg or so at a steady 60 mph.
That is mighty sweet but it’s crazy to think that the donor is itself a vintage performance car.
I had the same thought but it doesn’t need to be vintage apparently, depending upon your definition of vintage. Initially I thought it must be a 60s era Mustang but according to their site, “If you have our base kit and running gear parts from a 1987-1993 Mustang GT donor car”.
I’m sorry to say, but 1987-1993 was 38-32 years ago. It hits me hard sometimes.
Later parts are an option.
They have even been built with Chevy V8s.
I rode in one once, in race livery.
Only time I’ve ever had sports bikes pull over to let a car by!
“And the cops would have a hell of a time catching it in a chase should one transpire.”
I’m all for high-performance cars… but are you intimating that you participate in activities that would require you to flee from law enforcement on public roads?
What are we even doing here?
Nothing good.
I’m merely fantasizing about a lightweight, agile, maneuverable, very hoonable 4-wheeled conveyance with a laden power-to-weight ratio similar to that of a liter-bike. Except by having 4 wheels instead of 2, there exists potential for increased lateral acceleration capability versus the liter-bike.
This sort of vehicle would literally be the fastest thing on the road for a radius of tens of miles, and would even give aircraft a run for the money.
Anything in that body won’t be hard to find.
“And the cops would have a hell of a time catching it in a chase should one transpire.”
Good luck with that.
As my cop friends used to say: You can’t outrun a Motorola. And good luck evading a Jetranger.
Sounds like a damn fine way to traumatize a new dad passing by on his way home from Cars and Coffee.
Have you not seen all the videos of people ditching cops left and right all over in stolen cars? There are whole youtube documentaries about it. Tommy G does two good videos covering it. Cops don’t give a shit and aren’t allowed to chase anymore.
I don’t watch such videos be cause that’s what those jerks want.
“Cops don’t give a shit and aren’t allowed to chase anymore.”
Here in San Jose they do and they go after those jerks and the jerks who support them:
https://sanjosespotlight.com/san-jose-considers-penalties-for-encouraging-sideshow-spectators/
https://www.nbcbayarea.com/news/local/south-bay/bust-suspects-san-jose-sideshows/3695883/
https://www.ktvu.com/news/san-jose-sideshow-7-arrests
I dunno how many police chases happen in the US in each day, but I’d guess it’s at least a thousand per day. So even if hundreds of people are out running the cops each week, they’re still massively in the minority.
If I wanted to lose police, I’d drive a silver or grey Toyota.
A fish in the ocean.
That would be the way…as long as they hadn’t tagged the car with a magnetic GPS tracker and use that to follow you home.
First gen Insight with a Tesla transaxle in the back and high-C batteries would do it. Upgrade to solid state batteries later and your baby hot rod will have some nice range.
I know I’ve said this before, but I still think about that guy who had to widen a Datsun 510 body by several inches to fit a Miata pan. A 510 was our family car growing up.
I still dream about Nissan going feral, shoving a hotted-up LEAF drivetrain into the back of a chopped Micra and calling it a neo-510.
Why not shove that hotted-up LEAF drivetrain into the back of a chopped Mitsubishi i-Miev instead?
Gotta keep it in the family, and the Micra chassis has better performance mods.
It IS in the family:
https://en.m.wikipedia.org/wiki/Renault%E2%80%93Nissan%E2%80%93Mitsubishi_Alliance
https://electrek.co/2025/05/07/mitsubishi-launching-new-ev-based-on-the-nissan-leaf/
A friend still has a 510 with a factory race engine in it.
Adequate, as they say.
They did. Buy a gt350. Preferably a 2017 or newer.
It was always going to be cracked. It is extraordinarily difficult to fully secure a system when the threat model includes someone having long-term unfettered physical access.
Still impressive though, especially if it uses a modern on-chip HSM. I wonder how the “connected car” and OTA upgrade mechanisms play into encryption/enforcement.
Dunno if they brute forced it (dump the data, then let a PC (or more PCs) try to decrypt the data until it looks like normal real data) or if someone leaked the encryption key from inside.
OR, the hard way, hack the hardware, get the key out of the chips themselves, which are used to decrypt the data when the car starts up. They did that with several consoles, at least with an Xbox and I think a Playstation.
Everything is possible, depending on how much time you want to throw against it.
The problem is as you said when there is an update or a recall – you either have to put back the original data, hope they don’t change the encryption method again and see if the original data will actually work with your mods. If not the car might not run (well) or cause damage or the update might not even go through.
It’s like cracking games for your PC. Yes it is possible but every update needs a new crack and it might cause more problems. Once cars are 100% online then hacking/cracking is sheer impossible.
Why is that important anyone ? Because it then basically blocks off -any- modifications forever.
Another problem is some state inspections looking for tuned cars at emission inspections. Sure you could reflash the ECU before the inspection but that still shows up in the ECU.
There is also the option of remotely monitoring. BAR (California Bureau of Auto Repairs) has already done some studies with automakers where they pull data from vehicle OBDII systems as people drive.
What is an “inspection station”?
MOT (UK)/inspection center (Cali) /TUV (germany)/ CT (France)
Plenty of countries want the cars on their roads to be safe. So they check the car if it is safe to drive, from tires to suspension to emissions and if your registration and insurance is correct.
Without it – not legal to drive.
Of course that won’t stop idiots to drive without insurance or a checked car and when those get into accidents it’s *always* a big problem for everyone involved from a legal perspective.
I don’t need Big Brother stuff, but something like a random check once in a while on every vehicle would not be bad for increasing safety on roads, everywhere in the world.
For a UK MoT test they don’t check the ECU. As long as your car passes emissions you’re all good, and you’re allowed to do whatever you want with the ECU.
I didn’t say the MOT checks the ECU. In a lot of countries they do note the current miles driven in an online database. If the next year the amount is lower, it will be noted in the database. And the buyer has a good reason to ask why that happened (new engine for example)
Some software is available because if it isn’t in wide use, there won’t be enough users to make a profit and those are the ones they care about.