Transmission remap - Let's do it ourselves

_TB_ · 12-22-2015, 07:34 AM

Quote:

Originally Posted by RayBan81

They released the whole project on github: https://github.com/fjvva/ecu-tool

I don't have time nor the skills (maybe not in that order

) to check on that, but having a look at the sources may reveal a lot.

Who makes contact to them? Just to make sure not that 20 people are bugging them at they same time....

A note - they only read out the flash - not the data in the processor. It is _not_ a complete readout, and it is not enough to make a proper remap.

The data stored in the processor itself is still needed, that code will not be able to recover a faulty write to the processor.

RBT-Tuning · 12-23-2015, 12:36 PM

Quote:

Originally Posted by _TB_

Quote:

Originally Posted by RayBan81

They released the whole project on github: https://github.com/fjvva/ecu-tool

I don't have time nor the skills (maybe not in that order

) to check on that, but having a look at the sources may reveal a lot.

Who makes contact to them? Just to make sure not that 20 people are bugging them at they same time....

A note - they only read out the flash - not the data in the processor. It is _not_ a complete readout, and it is not enough to make a proper remap.

The data stored in the processor itself is still needed, that code will not be able to recover a faulty write to the processor.

Why not? They do exactly that at Defcon21 live....cut the connection during flashing and recover the ECU from that point...?

DWR · 12-23-2015, 08:45 PM

Quote:

Originally Posted by RayBan81

Why not? They do exactly that at Defcon21 live....cut the connection during flashing and recover the ECU from that point...?

There is calibration data and software. The size of the file they were flashing appeared to be too small to be both. I believe they were flashing and recovering calibration data. Either that or an EDC15 doesn't control much.

_TB_ · 12-25-2015, 08:15 AM

Quote:

Originally Posted by RayBan81

Why not? They do exactly that at Defcon21 live....cut the connection during flashing and recover the ECU from that point...?

They only recovered from a faulty Flash write. They do not tamper with the data stored internally in the processor itself.

A full EDC16 readout is 2MB.

RBT-Tuning · 12-27-2015, 06:42 AM

In the meantime I did check the OLS816 and sadly our TCU is not supported. Even more sad: EVC meant, that these files are RSA signed and they don't see any way to work on that from their point.

Has anyone made contact to the guys from defcon so far?

DWR · 12-27-2015, 08:51 AM

Quote:

Originally Posted by RayBan81

Has anyone made contact to the guys from defcon so far?

RSA is the big hurdle.
Would you volunteer to contact the defcon guys?
I'm working on HP tuners and SCT. Turns out I know the president of SCT from waaaay back.

RBT-Tuning · 12-27-2015, 09:30 AM

Quote:

Originally Posted by DWR

RSA is the big hurdle.
Would you volunteer to contact the defcon guys?
I'm working on HP tuners and SCT. Turns out I know the president of SCT from waaaay back.

Ok, I'll go for them!

RBT-Tuning · 12-27-2015, 04:02 PM

Quote:

Originally Posted by 808AWD325xi

The source code files will be placed in the development data directory. (C:\DIAGPROG\KONFIGURATION\INSTALLATION_mm-dd-yyyy\DATEN\SGDAT) Enjoy !!

[/URL]

I also found some versions of 08flash on my winkfp installation, but the fun-stuff is just called as functions from external librarys.

Starting from version 6.13 they included a function "PruefeSignatur" (CheckSignature). So it looks like at that time the signature fun started (~ Summer 2005). But again, the function just references an API call where the "magic" happens.

I included one version, which i think links to the DME. Change the file extension to rar, pw is "e90post".

808AWD325xi · 12-27-2015, 07:26 PM

Quote:

Originally Posted by RayBan81

I also found some versions of 08flash on my winkfp installation, but the fun-stuff is just called as functions from external librarys.

Starting from version 6.13 they included a function "PruefeSignatur" (CheckSignature). So it looks like at that time the signature fun started (~ Summer 2005). But again, the function just references an API call where the "magic" happens.

I included one version, which i think links to the DME. Change the file extension to rar, pw is "e90post".

Yeah, the magic occurs in the SGBD files. Check out this job (SPEICHER_SCHREIBEN) in GS19D:

Code:

	<JOB>
		<JOBNAME>SPEICHER_SCHREIBEN</JOBNAME>
		<JOBCOMMENT>Beschreiben des Steuergeraete-Speichers</JOBCOMMENT>
		<JOBCOMMENT>Als Argumente werden uebergeben:</JOBCOMMENT>
		<JOBCOMMENT>Speichersegment, Start-Adresse, Anzahl der Datenbytes</JOBCOMMENT>
		<JOBCOMMENT>und Datenbytes (Datenbytes durch Komma getrennt)</JOBCOMMENT>
		<JOBCOMMENT>KWP2000: $3D WriteMemoryByAddress</JOBCOMMENT>
		<JOBCOMMENT>Modus  : Default</JOBCOMMENT>
		<ARG>
			<ARGNAME>SEGMENT</ARGNAME>
			<ARGTYPE>string</ARGTYPE>
			<ARGCOMMENT> "LAR" "linearAdressRange"</ARGCOMMENT>
			<ARGCOMMENT> "ROMI" "ROM / EPROM, internal"</ARGCOMMENT>
			<ARGCOMMENT> "ROMX" "ROM / EPROM, external"</ARGCOMMENT>
			<ARGCOMMENT> "NVRAM" "NV-RAM (characteristic zones, DTC memory"</ARGCOMMENT>
			<ARGCOMMENT> "RAMIS" "RAM, internal (short MOV)"</ARGCOMMENT>
			<ARGCOMMENT> "RAMXX" "RAM, external (x data MOV)"</ARGCOMMENT>
			<ARGCOMMENT> "FLASH" "Flash EPROM, internal"</ARGCOMMENT>
			<ARGCOMMENT> "UIFM" "User Info Field Memory"</ARGCOMMENT>
			<ARGCOMMENT> "VODM" "Vehicle Order Data Memory"</ARGCOMMENT>
			<ARGCOMMENT> "FLASHX" "Flash EPROM, external"</ARGCOMMENT>
			<ARGCOMMENT> "RAMIL" "RAM, internal (long MOV / Register)"</ARGCOMMENT>
			<ARGCOMMENT> "???" "unbekanntes Speichersegment"</ARGCOMMENT>
		</ARG>
		<ARG>
			<ARGNAME>ADRESSE</ARGNAME>
			<ARGTYPE>long</ARGTYPE>
			<ARGCOMMENT>0x000000 - 0xFFFFFF</ARGCOMMENT>
		</ARG>
		<ARG>
			<ARGNAME>ANZAHL</ARGNAME>
			<ARGTYPE>int</ARGTYPE>
			<ARGCOMMENT>1 - n ( max. 249 )</ARGCOMMENT>
		</ARG>
		<ARG>
			<ARGNAME>DATEN</ARGNAME>
			<ARGTYPE>string</ARGTYPE>
			<ARGCOMMENT>zu schreibende Daten (Anzahl siehe oben)</ARGCOMMENT>
			<ARGCOMMENT>z.B. 1,2,03,0x04,0x05...</ARGCOMMENT>
		</ARG>
		<RESULT>
			<RESULTNAME>JOB_STATUS</RESULTNAME>
			<RESULTTYPE>string</RESULTTYPE>
			<RESULTCOMMENT>OKAY, wenn fehlerfrei</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_GENERAL_REJECT"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_SERVICE_NOT_SUPPORTED"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_SUBFUNCTION_NOT_SUPPORTED__INVALID_FORMAT"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_BUSY_REPEAT_REQUEST"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_CONDITIONS_NOT_CORRECT_OR_REQUEST_SEQUENCE_ERROR"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_ROUTINE_NOT_COMPLETE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_REQUEST_OUT_OF_RANGE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_SECURITY_ACCESS_DENIED__SECURITY_ACCESS_REQUESTED"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_EXCEED_NUMBER_OF_ATTEMPTS"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_REQUIRED_TIME_DELAY_NOT_EXPIRED"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_DOWNLOAD_NOT_ACCEPTED"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_IMPROPER_DOWNLOAD_TYPE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_CANNOT_DOWNLOAD_TO_SPECIFIED_ADDRESS"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_CANNOT_DOWNLOAD_NUMBER_OF_BYTES_REQUESTED"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_UPLOAD_NOT_ACCEPTED"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_IMPROPER_UPLOAD_TYPE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_CANNOT_UPLOAD_FROM_SPECIFIED_ADDRESS"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_CANNOT_UPLOAD_NUMBER_OF_BYTES_REQUESTED"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_TRANSFER_SUSPENDED"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_TRANSFER_ABORTED"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_ILLEGAL_ADDRESS_IN_BLOCK_TRANSFER"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_ILLEGAL_BYTE_COUNT_IN_BLOCK_TRANSFER"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_ILLEGAL_BLOCK_TRANSFER_TYPE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_BLOCKTRANSFER_DATA_CHECKSUM_ERROR"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_REQUEST_CORRECTLY_RECEIVED__RESPONSE_PENDING"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_INCORRECT_BYTE_COUNT_DURING_BLOCK_TRANSFER"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_SERVICE_NOT_SUPPORTED_IN_ACTIVE_DIAGNOSTIC_MODE"</RESULTCOMMENT>
			<RESULTCOMMENT> "OKAY"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_INCORRECT_RESPONSE_ID"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_INCORRECT_LEN"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_INCORRECT_LIN_RESPONSE_ID"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_INCORRECT_LIN_LEN"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_F_CODE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_TABLE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_INTERPRETATION"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_F_POS"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_SEGMENT"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ADDRESS"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_NUMBER"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_DATA"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_MODE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_BAUDRATE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_BYTE1"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_BYTE2"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_BYTE3"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_DATA_OUT_OF_RANGE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_NUMBER_ARGUMENT"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_RANGE_ARGUMENT"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_VERIFY"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_NO_BIN_BUFFER"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_BIN_BUFFER"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_DATA_TYPE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_CHECKSUM"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_FLASH_SIGNATURE_CHECK"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_VEHICLE_IDENTIFICATION_NR"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_PROGRAMMING_DATE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ASSEMBLY_NR"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_CALIBRATION_DATASET_NR"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_EXHAUST_REGULATION_OR_TYPE_APPROVAL_NR"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_REPAIR_SHOP_NR"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_TESTER_SERIAL_NR"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_MILAGE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_PROGRAMMING_REFERENCE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_NO_FREE_UIF"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_MAX_UIF"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_SIZE_UIF"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_LEVEL"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_KEY"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_AUTHENTICATION"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_NO_DREF"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_CHECK_PECUHN"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_CHECK_PRGREF"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_AIF_NR"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_CHECK_DREF"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_CHECK_HWREF"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_CHECK_HWREF"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_CHECK_PRGREFB"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_CHECK_VMECUH*NB"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_CHECK_PRGREFB"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_CHECK_VMECUH*N"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_MOST_CAN_GATEWAY_DISABLE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_NO_P2MIN"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_NO_P2MAX"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_NO_P3MIN"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_NO_P3MAX"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_NO_P4MIN"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_DIAG_PROT"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_SG_ADRESSE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_SG_MAXANZAHL_AIF"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_SG_GROESSE_AIF"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_SG_ENDEKENNUNG_AIF"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_SG_AUTHENTISIERUNG"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_TELEGRAM_LEN_OUT_OFF_RANGE"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ARGUMENT"</RESULTCOMMENT>
			<RESULTCOMMENT> "ERROR_ECU_UNKNOWN_NEGATIVE_RESPONSE"</RESULTCOMMENT>
		</RESULT>
		<RESULT>
			<RESULTNAME>_TEL_AUFTRAG</RESULTNAME>
			<RESULTTYPE>binary</RESULTTYPE>
			<RESULTCOMMENT>Hex-Auftrag an SG</RESULTCOMMENT>
		</RESULT>
		<RESULT>
			<RESULTNAME>_TEL_ANTWORT</RESULTNAME>
			<RESULTTYPE>binary</RESULTTYPE>
			<RESULTCOMMENT>Hex-Antwort von SG</RESULTCOMMENT>
		</RESULT>
	</JOB>

You can extract the jobs to a XML file:

Code:

C:\EDIABAS\Bin>xtract -X c:\ediabas\ecu\gs19d.prg
XTRACT Version 7.3.0, EDIABAS Version 7.3.0
Copyright BMW AG, created by Softing AG

C:\EDIABAS\ECU\GS19D.PRG -> .\GS19D.XML

Press any key to exit...

808AWD325xi · 01-07-2016, 02:35 PM

Apologies for the double post, but this thread has gone silent...

Quote:

Originally Posted by RayBan81

So, again no luck with the B5 data. Flashing went fine, TCU is visible on CAN afterwards, but there are 3 constant errors, which are linked to the electronic park lock on the E60 platform, which the E89 platform does not have.

I didn't try to start the car, because then i remembered that I did try this already a few months ago. The lever won't move out of P.
[...]

Perhaps we can fix that via coding?

On my E92 (6HP21), the EGS has a setting for the electronic shift interlock:

Code:

EL_INTERLOCK
	aktiv

After flash reprogramming, I would try default coding the EGS module with SG_CODIRIEN, and then run NCS-Expert with FSW/PSW manipulation enabled and examine the FSW_PSW.TRC file...it might be worth a shot....

DWR · 01-07-2016, 05:40 PM

I maybe running down dead end streets.

Knew SCT support was not held in high regard. Sent a message to their support team asking if we could get their ZF6HP tuning ported to BMWs. Also asked them to forward the message to the President, as he and I shared some tuning experiences a lifetime ago, before SCT even existed. Well, that was 2 weeks ago with not even an acknowledgement.

Sent TCU calibration files to HP tuners, per their request. Have not heard back, dispite a recent follow-up. Perhaps, they are working on it.

Finally, doing some investigation on a CAN massage "translator". Not our best option, but it maybe possible to use a Ford TCU with translation of CAN messages between a FORD TCU and BMW ECU. That technology could also be used as an interceptor between BMW TCU and ECU to trick the tranny, piggyback style.

Mik325tds · 01-10-2016, 09:00 AM

Quote:

Originally Posted by 808AWD325xi

Apologies for the double post, but this thread has gone silent...

Perhaps we can fix that via coding?

On my E92 (6HP21), the EGS has a setting for the electronic shift interlock:

Code:

EL_INTERLOCK
	aktiv

After flash reprogramming, I would try default coding the EGS module with SG_CODIRIEN, and then run NCS-Expert with FSW/PSW manipulation enabled and examine the FSW_PSW.TRC file...it might be worth a shot....

Thanks for keeping up the thinking! I have been off for a while. Did you succeed with the coding?

Mik325tds · 01-10-2016, 09:06 AM

Quote:

Originally Posted by DWR

I maybe running down dead end streets.

Knew SCT support was not held in high regard. Sent a message to their support team asking if we could get their ZF6HP tuning ported to BMWs. Also asked them to forward the message to the President, as he and I shared some tuning experiences a lifetime ago, before SCT even existed. Well, that was 2 weeks ago with not even an acknowledgement.

Sent TCU calibration files to HP tuners, per their request. Have not heard back, dispite a recent follow-up. Perhaps, they are working on it.

Finally, doing some investigation on a CAN massage "translator". Not our best option, but it maybe possible to use a Ford TCU with translation of CAN messages between a FORD TCU and BMW ECU. That technology could also be used as an interceptor between BMW TCU and ECU to trick the tranny, piggyback style.

Thanks to you as well for keeping the ball in the air! For now my highest hopes are with the HP tuners adding support for the BMW EGS. Do you think it would make sense if multiple users from this forum contact them in order to create some profit interest on HP tuners side?
If so, what is the best way to contact them?

808AWD325xi · 01-10-2016, 12:33 PM

Quote:

Originally Posted by 808AWD325xi

Rather than messing with B3 bits meant for a different HW-NR (7591971), have you considered trying the B5 S transmission flash (ZB 7592154)?

The HW-NR (7591972) is the same as your 335d. Even if the program file doesn't work, perhaps the data file will...just a thought.

Quote:

Originally Posted by Mik325tds

I wasn't even aware of the B5 S. Thanks for the hint! Where is it located? I can't seem to find it in my daten collection.

Quote:

Originally Posted by 808AWD325xi

You're welcome, it's in the E60 > data > GKE195 folder.

Quote:

Originally Posted by RayBan81

So, again no luck with the B5 data. Flashing went fine, TCU is visible on CAN afterwards, but there are 3 constant errors, which are linked to the electronic park lock on the E60 platform, which the E89 platform does not have.

I didn't try to start the car, because then i remembered that I did try this already a few months ago. The lever won't move out of P.

I also did some research on how to change the HW_REFERENZ, but I couldn't find any job for that too.

I'm pretty sure the reference# is also part of the RSA sig, because its stored inside the data block of the *.oda file.

I'm running out of ideas at the moment...

Quote:

Originally Posted by 808AWD325xi

Apologies for the double post, but this thread has gone silent...

Perhaps we can fix that via coding?

On my E92 (6HP21), the EGS has a setting for the electronic shift interlock:

Code:

EL_INTERLOCK
	aktiv

After flash reprogramming, I would try default coding the EGS module with SG_CODIRIEN, and then run NCS-Expert with FSW/PSW manipulation enabled and examine the FSW_PSW.TRC file...it might be worth a shot....

Quote:

Originally Posted by Mik325tds

Thanks for keeping up the thinking! I have been off for a while. Did you succeed with the coding?

You're welcome !!

No, I don't have a 6HP26 to test the hypothesis...

TheBoar · 01-10-2016, 02:51 PM

Yeah, I don't know anything about remapping but been reading this thread since I started lurking. I would like to help and get this going if we can.

RBT-Tuning · 01-10-2016, 04:15 PM

Quote:

Originally Posted by 808AWD325xi

Apologies for the double post, but this thread has gone silent...

Perhaps we can fix that via coding?

On my E92 (6HP21), the EGS has a setting for the electronic shift interlock:

Code:

EL_INTERLOCK
	aktiv

After flash reprogramming, I would try default coding the EGS module with SG_CODIRIEN, and then run NCS-Expert with FSW/PSW manipulation enabled and examine the FSW_PSW.TRC file...it might be worth a shot....

I played with this switch already and it had no effect on my stock cal. That means, I didn't get an error code, or any other effect. So I doubt that it would have any with the 5series cal. But we should give it a try anyway. I can't do it in the next days, so mabye someone else...

Nevertheless I worked a lot on the ips/prg/Winkfp files the last 2 weeks, but there were no major breakthroughs to report so I kept silent. What I can confirm 100% by now, is that's it's not possible to let the ECU "skip" the signature check from outside, or set it to a running state without the check whithin the scope of the ips/prg files. Unfortunately there's no useful information retrievable from these files. I also started to decompile WinkFP.exe and already found the part where the signature check is handled. I don't have a thorough understanding of the procedure at the moment but honestly I don't expect to find any useful information in there either.

As far as I made an understanding the TCU does the check fully on it's own and just returns OK or NOK. So no way to interfere from outside. After completing the flash procedure the TCU switches to state "0x05" (Program) or "0x06" (Data) which means that they are fully flashed, but not yet checked. The sig check then has to be called from outside and afterwards the TCU switches to state 0x01 (running), which WinkFP readsout and confirms a successful flash.

I also found the signature block on both the *.opa and the *.oda files. It's a 128 byte block each (=1024 Bit). The oda starts right with the signature, the opa ends with the signature. As the opa file is much bigger, than the readout with BMW Scanner i guess there's a good chance the signature routine is included in the code of the opa file. But I'm not aware of any available program, which disassembles the Motorola code.....? (IDA does, but costs a fortune)

That's my state at the moment....

rjahl · 01-10-2016, 05:19 PM

Great work.

This is really tough work When you consider the lack publicly available information.

If the TCU is checking the program and calibration file by itself, what are the authorization files in the daten folders for?

On another note, I think I've managed to get my DME to ignore the toque reduction requests from the TCU. It's a single byte in the calibration tables and so far it has not thrown a code.

I'd rather have a quick shifting box but removing the power reduction feels awesome. I'm going to log the behavior before pushing it too hard. I'm not keen on on the idea of burned clutches or a broken torque converter.

RBT-Tuning · 01-11-2016, 01:24 AM

They are for seed/key Auth. i think... But not so sure about that.

_TB_ · 01-11-2016, 03:23 AM

Quote:

Originally Posted by rjahl

Great work.

This is really tough work When you consider the lack publicly available information.

If the TCU is checking the program and calibration file by itself, what are the authorization files in the daten folders for?

On another note, I think I've managed to get my DME to ignore the toque reduction requests from the TCU. It's a single byte in the calibration tables and so far it has not thrown a code.

Do tell more..

DWR · 01-11-2016, 03:34 AM

Quote:

Originally Posted by rjahl

On another note, I think I've managed to get my DME to ignore the toque reduction requests from the TCU. It's a single byte in the calibration tables and so far it has not thrown a code.

I'd rather have a quick shifting box but removing the power reduction feels awesome. I'm going to log the behavior before pushing it too hard. I'm not keen on on the idea of burned clutches or a broken torque converter.

Oh boy, that sounds like fun.

Yes, let it adapt. I'm sure you cleared adaptions, but just mentioning it.

DWR · 01-11-2016, 03:51 AM

A couple of thoughts came together today. The Defcon21 guys were able to recover a faulty flash on a EDC16. The folks at JR tuning say they are not remapping but changing some pointers in memory. They do it from the OBD port and in a very short time. Wondering if there "configuration" switches in the flashable memory? Still more questions than answers.

_TB_ · 01-11-2016, 09:25 AM

Quote:

Originally Posted by DWR

A couple of thoughts came together today. The Defcon21 guys were able to recover a faulty flash on a EDC16. The folks at JR tuning say they are not remapping but changing some pointers in memory. They do it from the OBD port and in a very short time. Wondering if there "configuration" switches in the flashable memory? Still more questions than answers.

Soo.. Bosch magically added another memory section with optimized parameters?

We have the full readout - there are not double sections..

I call bollocks..

12-27-2015, 06:42 AM	#533
RBT-Tuning 715 Rep 755 Posts Drives: A lot of BMWs... Join Date: Feb 2015 Location: Austria iTrader: (0)	In the meantime I did check the OLS816 and sadly our TCU is not supported. Even more sad: EVC meant, that these files are RSA signed and they don't see any way to work on that from their point. Has anyone made contact to the guys from defcon so far?
	Appreciate 0 Quote

01-07-2016, 05:40 PM	#539
DWR Banned 799 Rep 1,630 Posts Drives: 2009 335d Join Date: Oct 2014 Location: Maine iTrader: (0)	I maybe running down dead end streets. Knew SCT support was not held in high regard. Sent a message to their support team asking if we could get their ZF6HP tuning ported to BMWs. Also asked them to forward the message to the President, as he and I shared some tuning experiences a lifetime ago, before SCT even existed. Well, that was 2 weeks ago with not even an acknowledgement. Sent TCU calibration files to HP tuners, per their request. Have not heard back, dispite a recent follow-up. Perhaps, they are working on it. Finally, doing some investigation on a CAN massage "translator". Not our best option, but it maybe possible to use a Ford TCU with translation of CAN messages between a FORD TCU and BMW ECU. That technology could also be used as an interceptor between BMW TCU and ECU to trick the tranny, piggyback style.
	Appreciate 1 Quote

01-10-2016, 02:51 PM	#543
TheBoar Private 9 Rep 61 Posts Drives: 2011 Jet Black 335d Join Date: Nov 2015 Location: Florida iTrader: (0)	Yeah, I don't know anything about remapping but been reading this thread since I started lurking. I would like to help and get this going if we can.
	Appreciate 0 Quote

01-10-2016, 05:19 PM	#545
rjahl Colonel 1002 Rep 2,287 Posts Drives: Z4 35is Join Date: Jun 2011 Location: Tampa iTrader: (0) Garage List 2012 Z4 35is [0.00]	Great work. This is really tough work When you consider the lack publicly available information. If the TCU is checking the program and calibration file by itself, what are the authorization files in the daten folders for? On another note, I think I've managed to get my DME to ignore the toque reduction requests from the TCU. It's a single byte in the calibration tables and so far it has not thrown a code. I'd rather have a quick shifting box but removing the power reduction feels awesome. I'm going to log the behavior before pushing it too hard. I'm not keen on on the idea of burned clutches or a broken torque converter.
	Appreciate 0 Quote

01-11-2016, 01:24 AM	#546
RBT-Tuning 715 Rep 755 Posts Drives: A lot of BMWs... Join Date: Feb 2015 Location: Austria iTrader: (0)	They are for seed/key Auth. i think... But not so sure about that.
	Appreciate 0 Quote

01-11-2016, 03:51 AM	#549
DWR Banned 799 Rep 1,630 Posts Drives: 2009 335d Join Date: Oct 2014 Location: Maine iTrader: (0)	A couple of thoughts came together today. The Defcon21 guys were able to recover a faulty flash on a EDC16. The folks at JR tuning say they are not remapping but changing some pointers in memory. They do it from the OBD port and in a very short time. Wondering if there "configuration" switches in the flashable memory? Still more questions than answers.
	Appreciate 0 Quote