[ddillenger]

I have the B3, B10 pre-TU and B10 TU binaries.

[Mik325tds]

Quote:

Originally Posted by ddillenger

I have all the alpina files converted to binary already, so no need to play with those :P

I can post them if anyone would like?

Yes, please post the binaries if you don't mind.
Are these binaries read out from a transmission or are they converted from 0da and 0pa?

[dave205t]

Quote:

Originally Posted by ddillenger

I have the B3, B10 pre-TU and B10 TU binaries.

Please share indeed, hopefully read from a transmission as the 0da/0pa files (converted) does not include the important 0x00000-0x2ffff section where all the translation related is hidden.

Best regards, Dave

[ddillenger]

Yes, they are indeed full reads, I BDM'd them.

Will upload when I get home.

[ddillenger]

Here are the alpina files I have, they are labeled accordingly.

http://www.filedropper.com/alpinafiles

[dave205t]

Quote:

Originally Posted by ddillenger

Here are the alpina files I have, they are labeled accordingly.

http://www.filedropper.com/alpinafiles

Got em, unfortunately no mpc56x files, seems to be some earlier type TCU ?

I have some more news from my side, over the weekend i got a bit fed up with progress on this project (and lack of access to confirmed good bins) so i decided to write a de compressor tool for the compressed sections in the "EGS_00000-FFFFF-00 first.bin". Still some minor (automatic) alignment testing/valid input ranges limiting and post processing left todo (automatic verifying against known good opcode combinations, for automatic entry correction) but Ida is happy with the generated decompressed code

Best regards, Dave

[DWR]

Quote:

Originally Posted by dave205t

Got em, unfortunately no mpc56x files, seems to be some earlier type TCU ?

I have some more news from my side, over the weekend i got a bit fed up with progress on this project (and lack of access to confirmed good bins) so i decided to write a de compressor tool for the compressed sections in the "EGS_00000-FFFFF-00 first.bin". Still some minor (automatic) alignment testing/valid input ranges limiting and post processing left todo (automatic verifying against known good opcode combinations, for automatic entry correction) but Ida is happy with the generated decompressed code

Best regards, Dave

Thanks for your continued dedication.

[Yozh]

Thanks Dave. I read this thread every time something new is posted, as I am sure most everyone else on this subform. We are all very thankful that there are knowledgeble guys like you.

[dave205t]

Quote:

Originally Posted by DWR

Thanks for your continued dedication.

Thanks! Btw, is there anyone else still working on this ? I read back to the start of the thread and there was plenty of idea/action there; Have all these efforts stalled ??

There must be some tuner who has already cracked this ? Or other people working on it ? I would be a shame to duplicate work.

Best regards, Dave

[rjahl]

Quote:

Originally Posted by dave205t

Quote:

Thanks! Btw, is there anyone else still working on this ? I read back to the start of the thread and there was plenty of idea/action there; Have all these efforts stalled ??

There must be some tuner who has already cracked this ? Or other people working on it ? I would be a shame to duplicate work.

Best regards, Dave

I'm due to post a few ODA / OPA files as a follow up just been slammed with projects. Spring is here and I have plenty of outstanding tasks around the house. I spent a bunch of time trying to coerce the N52 eccentric cam past 9.7 mm valve lift but that's a story for a different thread.

I read every thread posted.

[Mik325tds]

Quote:

Originally Posted by dave205t

Thanks! Btw, is there anyone else still working on this ? I read back to the start of the thread and there was plenty of idea/action there; Have all these efforts stalled ??

There must be some tuner who has already cracked this ? Or other people working on it ? I would be a shame to duplicate work.

Best regards, Dave

We all appreciate dedicated and knowledgeable people like you helping out here. Yes, all efforts have stalled at the bottle neck RSA signature. As long as we can't flash a modified file there is no sense in modifying files, right?
Honestly, I'm a bit puzzled on how you plan to crack the RSA signature. To my knowledge it hasn't been done yet.
The only way I see is to find the spot in the bootloader where it checks for the RSA signature and circumvent it. But I'm more than willing to learn if you can explain it.
And you sure would be our hero and earn hundreds of appreciation points if you can pull it off.
Also, to our knowledge there is no credible tuner out there that actually has tuned this transmission - except Robert in Germany but he at least needs access to the K-Line.
I think most of us would be already happy if we can change the physical HW number of our transmission so it would accept the Alpina B3 file.

[dave205t]

Quote:

Originally Posted by Mik325tds

We all appreciate dedicated and knowledgeable people like you helping out here. Yes, all efforts have stalled at the bottle neck RSA signature. As long as we can't flash a modified file there is no sense in modifying files, right?
Honestly, I'm a bit puzzled on how you plan to crack the RSA signature. To my knowledge it hasn't been done yet.
The only way I see is to find the spot in the bootloader where it checks for the RSA signature and circumvent it. But I'm more than willing to learn if you can explain it.

The TCU bin (like 7564645A.0pa GS19.11 6HP19) uses several layers of obfuscation making this one a harder nut to crack, biggest hurdle on my side is the compressed code its horrible. The bin uses sections of uncompressed code (beginning)/compressed code interleaved with data (non-compressed; but no easy way to differentiate between the two).
After reconstructing the bin to data that can be disassembled, it should be relatively easy to find how everything is calculated (checksums/crc32 and rsa) and disable or recalc them.

Quote:

Originally Posted by Mik325tds

Also, to our knowledge there is no credible tuner out there that actually has tuned this transmission - except Robert in Germany but he at least needs access to the K-Line.

Does this mean he can modify the calibration/program and re-flash the TCU (with correct crc's and signatures) or does it mean he developed a tool to flash the transmission over k-line (without the need of winfkp) but can only flash unmodified files ?

Quote:

Originally Posted by Mik325tds

I think most of us would be already happy if we can change the physical HW number of our transmission so it would accept the Alpina B3 file.

What does the HW number look like for the EGS 7564645A.0pa/A7571103.0da combination Rjahl posted (EGS_00000-FFFFF-00 first.bin) ? I can check quickly if that is feasible.

Best regards, Dave

[_TB_]

Quote:

Originally Posted by dave205t

Thanks! Btw, is there anyone else still working on this ?

Yes, etuners are working - but they need a spare TCU to experiment with.
I have asked if someone is willing to help in finding a spare TCU - but no one is responding. Without access to the hardware progress is almost impossible.

[Mik325tds]

Quote:

Originally Posted by dave205t

What does the HW number look like for the EGS 7564645A.0pa/A7571103.0da combination Rjahl posted (EGS_00000-FFFFF-00 first.bin) ? I can check quickly if that is feasible.

Best regards, Dave

Hi Dave,
This is something we found just before X-mas 2015 when trying to flash the Alpina file. Look around this post:
http://www.e90post.com/forums/showpo...&postcount=415
rjahl then found that the HW number occurs several times within the flash file and most likely is part of the RSA signature:
http://www.e90post.com/forums/showpo...&postcount=423

I was wondering if we could change the HW reference in EEprom of the EGS (through K-Line) which then would make it accept the Alpina flash.
I noticed that on my E53 with Progman (really old BMW tools), it was able to actually change the HW number. So it should be possible.

[dave205t]

Quote:

Originally Posted by _TB_

Yes, etuners are working - but they need a spare TCU to experiment with.
I have asked if someone is willing to help in finding a spare TCU - but no one is responding. Without access to the hardware progress is almost impossible.

Why don't they just buy one ? It seems to be a company, some investment makes sense (in time and/or money) to get the $$$ returns.

It would be great to cooperate with someone (or a group) on this (on a level playing field), perhaps they are open to this ? If its a company most likely they want to keep the box closed.

Best regards, Dave

[dave205t]

Quote:

Originally Posted by Mik325tds

Hi Dave,
This is something we found just before X-mas 2015 when trying to flash the Alpina file. Look around this post:
http://www.e90post.com/forums/showpo...&postcount=415
rjahl then found that the HW number occurs several times within the flash file and most likely is part of the RSA signature:
http://www.e90post.com/forums/showpo...&postcount=423

Yes, that area is checksum/rsa covered you will not be able to change that without correcting the checksum/rsa.

Best regards, Dave

[RBT-Tuning]

Quote:

Originally Posted by dave205t

Quote:

Thanks! Btw, is there anyone else still working on this ? I read back to the start of the thread and there was plenty of idea/action there; Have all these efforts stalled ??

There must be some tuner who has already cracked this ? Or other people working on it ? I would be a shame to duplicate work.

Best regards, Dave

That's the point. No one on this forum knows any tuner who has done this before. I've spent days on the net finding someone and also contacted many tuners/tool developers through email. There are plenty of solutions out there for the GS19 unit, but NOT for those used in BMW's. For example Magic Motorsport has cracked it on Audi/VW but not on BMW.

I also had contact to some guy on the Nefmoto forum who claimed he can do it, but in the end refused to share anything. Not for the community and not for money.

As far as I know Robert from Germany can reflash the BMW GS19 units with tweaked files. But only with direct access (K-Line) and his own hardware. So that doesnt help us out either. On his website he started to offer the tool for about 3k Euro

[Mik325tds]

Quote:

Originally Posted by dave205t

Yes, that area is checksum/rsa covered you will not be able to change that without correcting the checksum/rsa.

Best regards, Dave

In this case the idea was not to change the .0pa/.0da files but change the HW reference of the EGS to match that in the files. So when it comes time to compare them it would be accepted.

[dave205t]

Quote:

Originally Posted by RayBan81

I also had contact to some guy on the Nefmoto forum who claimed he can do it, but in the end refused to share anything. Not for the community and not for money.

Interesting, so there is another guy who solved this (apparently), did he provide sufficient details to back up his claim or was it another unicorn sighting ? Perhaps he wants to join and help out a bit.

Quote:

Originally Posted by RayBan81

As far as I know Robert from Germany can reflash the BMW GS19 units with tweaked files. But only with direct access (K-Line) and his own hardware. So that doesnt help us out either. On his website he started to offer the tool for about 3k Euro

Promising, that means there are potentially two people who solved it. Flashing the transmission is no problem, i can solve that puzzle quite easily; But it is of no use without being able to fully correct (or patch) a changed file first.

Best regards, Dave

[Mik325tds]

Quote:

Originally Posted by dave205t

Interesting, so there is another guy who solved this (apparently), did he provide sufficient details to back up his claim or was it another unicorn sighting ? Perhaps he wants to join and help out a bit.


Promising, that means there are potentially two people who solved it. Flashing the transmission is no problem, i can solve that puzzle quite easily; But it is of no use without being able to fully correct (or patch) a changed file first.

Best regards, Dave

I know from talking to Robert that he doesn't fix the RSA signature and I wouldn't believe anyone who can't prove it to me.

[passuff]

Quote:

Originally Posted by RayBan81

As far as I know Robert from Germany can reflash the BMW GS19 units with tweaked files. But only with direct access (K-Line) and his own hardware. So that doesnt help us out either. On his website he started to offer the tool for about 3k Euro

Do you have a link?

EDIT: Are you referring to this one?: http://mechasoft.de/item/mechaprog-a-interface-2/
It's just for VAG seems..

[NickTheStick]

Quote:

Originally Posted by RayBan81

That's the point. No one on this forum knows any tuner who has done this before. I've spent days on the net finding someone and also contacted many tuners/tool developers through email. There are plenty of solutions out there for the GS19 unit, but NOT for those used in BMW's. For example Magic Motorsport has cracked it on Audi/VW but not on BMW.

I also had contact to some guy on the Nefmoto forum who claimed he can do it, but in the end refused to share anything. Not for the community and not for money.

As far as I know Robert from Germany can reflash the BMW GS19 units with tweaked files. But only with direct access (K-Line) and his own hardware. So that doesnt help us out either. On his website he started to offer the tool for about 3k Euro

Thats only 300 euro from 10 people.

Just sayin...