[cheerio]

Project is on hold for now - I think I've gotten as far as I can without actually installing an 8HP, and I don't currently have the money for that. Most likely I'll pick it up again in a month or two.

In the meantime, I might try reverse engineering the bench flash tool, to make 8HP bench flashing available for cheap/free...

Might also be a good time to start thinking about the tune; I'd be needing to port over the N52 F10 data; N55 data would likely be useful for others too.

E84/E89 only ever used the 8HP with N20 engine; E70 did use it with N55, but I'm not sure if E70 data is compatible with E89 program. I guess we also don't know how different the E- and F-series programs are; will the data even have the same fields as each other? Would be pretty hard to port if not.

rjahl you mentioned rebuilding 8HP damos for current ROM versions - what would be a good starting point for this?

[rjahl]

Quote:

Originally Posted by cheerio

Project is on hold for now - I think I've gotten as far as I can without actually installing an 8HP, and I don't currently have the money for that. Most likely I'll pick it up again in a month or two.

In the meantime, I might try reverse engineering the bench flash tool, to make 8HP bench flashing available for cheap/free...

Might also be a good time to start thinking about the tune; I'd be needing to port over the N52 F10 data; N55 data would likely be useful for others too.

E84/E89 only ever used the 8HP with N20 engine; E70 did use it with N55, but I'm not sure if E70 data is compatible with E89 program. I guess we also don't know how different the E- and F-series programs are; will the data even have the same fields as each other? Would be pretty hard to port if not.

rjahl you mentioned rebuilding 8HP damos for current ROM versions - what would be a good starting point for this?

I posted a few 8HP demos files a few years ago. Also posted an excel version making it easier to translate into a newer rom. Also posted a script that will recreate a demos from the excel file.

I'm sure I have copies of these files stashed away. Today being Mother's Day, it will be impossible or lets say, unwise to look for them. I should be able to repost them again tomorrow.

[rjahl]

https://mega.nz/file/F94AkBKY#mhoDu5...1gsCVQBFa2y52s


Link has an 8HP Damos and an Excel version of that same damos. Also inside that Excel file is a Macro that will create scripts that Winols can use to create a new OLS based on the spreadsheet. Pretty crude macro but it worked.

ZF was pretty consistent with the map layouts and they are all organized in a similar ways. We used the 8HP maps to help us sort out the 6HP.

Keep in mind that all of these transmissions utilize data compression. The program files are mostly compressed and expanded "on the fly" by the processor. Writing your own flashing tool will not be easy.

[cheerio]

Thanks very much! This should keep me occupied for a while… I hope I won’t bother you too much with my barrage of questions.

As for the program; I’ve done a bit of reading and am trying to understand the approach taken with the 6HP. Sounds like the 6HPTU has RSA protection, did the 6HP19? And by the sounds of things, it’s possible to flash custom maps without replacing the original program? Was this accomplished by extracting the public key from the program and cracking it? By replacing that public key with a different one? Or by finding an exploit which can be used to bypass the RSA check from the calibration data?

xHP has got something working for the E70/71 8HP, so it’s definitely possible. I’d rather not be beholden to a commercial project, though.

edit: Did you have any information on the compression method? I initially tried disassembling the memory dump with Ghidra, but didn’t get anything useful, which seemed odd - surely the code to decompress the rest of the code would have to be executable right off the bat… perhaps the decompression is done by the bootloader, which isn’t read out? or is it done by dedicated hardware?

[colorado.e9x]

They made an RSA delete for the DME to be able to flash their 330 tunes. Not sure if its the same thing though. I'd imagine similar but not exact. Makes it sound possible though

[cheerio]

I hadn't considered that the bench tool I initially used to make the dump might already be doing something clever. Have attached the original dump from my transmission (remove .pdf extension) - it includes three files:

• "IEep" - 128k, presumably EEPROM contents (program)
• "Maps" - 2M, presumably flash contents (data)
• "Full" - 2248k. Huh? Why is it bigger than the other two combined? It doesn't contain anything discernable; is this something like combined EEPROM + flash contents, prior to decryption?

[rjahl]

Quote:

Originally Posted by cheerio

Thanks very much! This should keep me occupied for a while… I hope I won’t bother you too much with my barrage of questions.

As for the program; I’ve done a bit of reading and am trying to understand the approach taken with the 6HP. Sounds like the 6HPTU has RSA protection, did the 6HP19? And by the sounds of things, it’s possible to flash custom maps without replacing the original program? Was this accomplished by extracting the public key from the program and cracking it? By replacing that public key with a different one? Or by finding an exploit which can be used to bypass the RSA check from the calibration data?

xHP has got something working for the E70/71 8HP, so it’s definitely possible. I’d rather not be beholden to a commercial project, though.

edit: Did you have any information on the compression method? I initially tried disassembling the memory dump with Ghidra, but didn’t get anything useful, which seemed odd - surely the code to decompress the rest of the code would have to be executable right off the bat… perhaps the decompression is done by the bootloader, which isn’t read out? or is it done by dedicated hardware?

The compression is done by the hardware and is well documented in processor documentation. It's essentially creates a new language using shorter words to reference larger words in a look up table. You will need to locate the look up table and then parse the BIN and translate. Do not expect 8 bit bytes or 16 bit words. There should be a table in the readable code that defines the location of the compressed areas and the language table.

I have some of this data mapped out for the first generation 6HP but nothing for the 8HP. Knowing ZF they will be similar, You could start out by researching those files and then translate the knowledge into the 8HP

[rjahl]

Quote:

Originally Posted by colorado.e9x

They made an RSA delete for the DME to be able to flash their 330 tunes. Not sure if its the same thing though. I'd imagine similar but not exact. Makes it sound possible though

In a way, it's the same. Most of the DME programs have a built in security bug in the software. The Incoming or flashed program has the tables that instruct the boot loader what data areas are to be checked with the RSA routine. So if your new program specifies the data area and RSA signature of the good calibration file, the boot loader is tricked into thinking the new program is good and accepts the flash.

Terraphatom did crack the RSA signature for the first gen 6HP. It's only 512 bit and it only took a week. The newer processors and DMEs are at least 1024 bit and cracking would take considerably longer. The 6HP files available on Bimmerlabs are fully signed files that the GKE just accepts as original BMW authorized files.

Most tuners use the RSA signature spoof to install a cracked program that allows a modified tune. They usually also change some of the keys that will disallow reading the tune back across ODB. This keeps people form easily steeling their tunes.

[rjahl]

Quote:

Originally Posted by cheerio

I hadn't considered that the bench tool I initially used to make the dump might already be doing something clever. Have attached the original dump from my transmission (remove .pdf extension) - it includes three files:

• "IEep" - 128k, presumably EEPROM contents (program)
• "Maps" - 2M, presumably flash contents (data)
• "Full" - 2248k. Huh? Why is it bigger than the other two combined? It doesn't contain anything discernable; is this something like combined EEPROM + flash contents, prior to decryption?

The 2M file has is similar to the Damos that posted but clearly not the same. I can align groups of maps between the ROMs but it loos like a lot of labor.

[cheerio]

Noticed this string while reading through the map file:

ZFADINFO*Z5YA5800_8HPXY_BMW_K580A*BMW*8HPXY*E26_1* ITCU2_3_X_2048*20111115_131102_FRDC12299*BMW_8HPXY _AT50014_Z5YA5800_K580A

Transmission is E70 N57 8HP70X, manufactured sometime in 2010.
The WinOLS file you uploaded is for 8HPXY_AT50012_Z0BA6800_J680A; I searched it up and it's supposedly from an F25 N47 8HP(45X?).

The same identifier from this E70 map would be 8HPXY_AT50014_Z5YA5800_K580A. It also occurs in a different order at the beginning of the map data (address 18E000): 0208C06_Z5YA5800_8HPXY_BMW_K580A.

I wonder what the identifier means? Presumably related to the program versions it's compatible with? Might be a stretch, but if we can find a compatible data version from an N52 car, then perhaps we won't have to rebuild the map from scratch...

I think I might do another readout of the current flash (E84 N20 8HP45X) and see what it looks like.

[cheerio]

Quote:

Originally Posted by rjahl

The compression is done by the hardware and is well documented in processor documentation. It's essentially creates a new language using shorter words to reference larger words in a look up table. You will need to locate the look up table and then parse the BIN and translate. Do not expect 8 bit bytes or 16 bit words. There should be a table in the readable code that defines the location of the compressed areas and the language table.

I have some of this data mapped out for the first generation 6HP but nothing for the 8HP. Knowing ZF they will be similar, You could start out by researching those files and then translate the knowledge into the 8HP

As far as I know, 6HP EGS uses Freescale MPC5xx, while 8HP EGS uses Renesas SH725xx - completely different chip with a different instruction set (PowerPC vs. SuperH). So if the compression scheme were implemented by the MPC5xx hardware, I wouldn't be surprised if it was changed for the 8HP.

The MCU on the 1st gen 8HP is supposedly the Renesas SH72519, which changed to SH72549 in later revisions (presumably the 2nd gen refresh). I've dug up the SH7254R documentation, which should be applicable: https://www.renesas.com/us/en/docume...ware?r=1054941

I'll poke around the EEPROM dump a bit further, and see what I can find.


As for the RSA protection, the difficulty of cracking the key scales exponentially with its length. 512-bit keys can be cracked pretty easily by individuals; 768-bit with great difficulty; and it's still impossible to crack a 1024-bit key. So if it's true that the 8HP uses 1024-bit RSA, then cracking the key is not an option; we will have to modify the program.

[cheerio]

Just read out the E84 program/data.

ZFADINFO*Z5YA6800_8HPXY_BMW_K680A*BMW*8HPXY*E26_1* ITCU2_3_X_2048*20110523_075319_FRDC12299*BMW_8HPXY _AT50014_Z5YA6800_K680A

Seems like this data is identified 8HPXY_AT50014_Z5YA6800_K680A. The fields don't line up with either the E70 data, nor the F25(?) damos. Nice to have an extra data point though.

As for the EEPROM read, I've just realised something. Why the heck is most of the file filled with "MMSBLANK"? Surely this isn't actually stored in the EEPROM? Maybe the bench tool is substituting it in for some reason.

I think the Yanhua tool reads out the "full" dump from the transmission, then sends it home to be decoded into map and EEPROM reads on their server.

The "full" dump ends at 0x23000F, which doesn't seem to line up with any of the address ranges in the SH7254R manual. I couldn't find a datasheet/manual for the SH72519 or SH72549 anywhere, unfortunately.

[colorado.e9x]

https://transmisevilla.com/wp-conten...ransmicion.pdf

Not sure if this will help or not. But look at page 171 of 455.

To get my 6HP19TU/21 to work with xHP, I need to find a vin of a car that shares that transmission with the N52 to the CAS/DME/TCU. Maybe you can get away with something similar with your car?

[cheerio]

Quote:

Originally Posted by colorado.e9x

https://transmisevilla.com/wp-conten...ransmicion.pdf

Not sure if this will help or not. But look at page 171 of 455.

To get my 6HP19TU/21 to work with xHP, I need to find a vin of a car that shares that transmission with the N52 to the CAS/DME/TCU. Maybe you can get away with something similar with your car?

The only N52/8HP cars were the F01, F10, and F25, none of which are E series. I suppose I could try writing an F10 VIN and using xHP, but that’s beside the point.

Coming from outside the automotive world, there’s so many wonderful free open source software projects around, and it’s a shame that so much knowledge and tooling for these cars is kept behind closed doors. Even things as basic as ECU memory dumps are being sold. Many forums are full of people gatekeeping valuable information, seeking to privately dispense it out to one “customer” at a time, instead of making it openly available, where it could have great benefit to many. I’ve been able to teach myself so many skills, almost entirely owed to information and tools freely shared on the Internet, but pushing into automotive ECUs has been incredibly frustrating. I get that this is work for some, that there are costs involved in obtaining this information, and that it’s necessary to recoup these costs somehow. But this leads to a vicious cycle where producing anything new requires expensive investment, and to keep afloat, people then need to find a way to charge for the fruits of their labour. But for the small-time hobbyists and tinkerers, this places some great projects out of our reach.

I wasn’t involved at the time, but seeing how xHP came together, with community support and goodwill, and seeing how closed-off, proprietary and unfeeling it’s become… it’s disappointing, to say the least.

I don’t expect to change the world, but I want to make my work here freely available. If I’m to be paid, it should be for additional work I take on, not for being a glorified vending machine.

Rant over.

So, I want to at least try to get this working without the end result relying on xHP and expensive bench tools, because I want the outcome to be available for others to base further developments on. I don’t know if I’ll be able to make it happen, but I’ll certainly try.

[colorado.e9x]

I love your dedication and enthusiasm. While xHP was a steep investment for the car it definitely was one of the most worthwhile ones for me. I have no tuning (programming side) experience. xHP has years of it. Also the convenience of having sliders and premade maps as a base has helped me out tremendously. That's not to say open source isn't great. Like you, all my knowledge is in a sense from open source from the internet. Mostly on here, youtube, or other means of research. One of the nice things about this forum is theres a lot of guys on here we get to work with to come up with solutions to just about any problem we might encounter on this forum. Even solutions to problems we create on our own for an upgrade or just cause. Kinda like this one.

Anyways, I think theres a possibility of running the car off F10 maps. Really the only difference spec wise is the weight. It would he nice to splice them into the E9X programming but I don't know that it's necessary. I think alls you'd need to do, similar to my situation would be to trick the engine, car access system (tied to DME) and transmission control unit into thinking its an F10. Theoretically.

[cheerio]

Quote:

Originally Posted by colorado.e9x

Anyways, I think theres a possibility of running the car off F10 maps. Really the only difference spec wise is the weight. It would he nice to splice them into the E9X programming but I don't know that it's necessary. I think alls you'd need to do, similar to my situation would be to trick the engine, car access system (tied to DME) and transmission control unit into thinking its an F10. Theoretically.

I agree that the F10 maps would likely work reasonably well out of the box. There are a few differences like higher weight, greater track width, longer wheelbase, larger wheel diameter, and lower diff ratio, but it will definitely be a good starting point.

It’s not possible to use F10 spec DME/CAS/EGS, as the F10 uses a completely different CAN bus architecture to the E-series cars; they would not be able to communicate with any of the other modules in the car. There are some retrofit projects around which use an external box to translate between the F-series messages expected by the F-series EGS, and the E-series messages in the rest of the car, but I don’t find this approach very elegant, as I prefer to avoid aftermarket components where possible. Seeing the 8HP used natively in various other E-series cars, I think having it work here is tantalisingly close to being doable.

[rjahl]

Quote:

Originally Posted by cheerio

I agree that the F10 maps would likely work reasonably well out of the box. There are a few differences like higher weight, greater track width, longer wheelbase, larger wheel diameter, and lower diff ratio, but it will definitely be a good starting point.

It’s not possible to use F10 spec DME/CAS/EGS, as the F10 uses a completely different CAN bus architecture to the E-series cars; they would not be able to communicate with any of the other modules in the car. There are some retrofit projects around which use an external box to translate between the F-series messages expected by the F-series EGS, and the E-series messages in the rest of the car, but I don’t find this approach very elegant, as I prefer to avoid aftermarket components where possible. Seeing the 8HP used natively in various other E-series cars, I think having it work here is tantalisingly close to being doable.

Personally, I'd get the E series program to work and then transfer the critical maps from an F series N52.

Just means you would need to build two sets of databases, one for the E series calibration file and one for the F but the map layouts will be very similar and not difficult to translate between the two ROM versions.

When you get to that point, I can help you locate the maps worth translating and even what maps need tweaking from stock. There are lots of things XHp does not tell you.

The hard part is in the development of the flashing tool.

[cheerio]

Hey guys. Don't have any real update for now, I'm still setting up a CAN sniffer, but have been busy with work so it's taking a while. Just thought I'd let you know I'm still alive and haven't given up

[colorado.e9x]

Good

I'm close to having mine worked on within the next month or so I'm hoping. We'll see how the 19TU swap goes soon

[F31B48]

Quote:

Originally Posted by cheerio

Hey guys. Don't have any real update for now, I'm still setting up a CAN sniffer, but have been busy with work so it's taking a while. Just thought I'd let you know I'm still alive and haven't given up

I just stumbled across this video on youtube. The guy is in Australia too and has few videos on his 8hp conversion into a e88 135i. Just thought they may possibly be of some help.

[colorado.e9x]

This was just posted. Click the pic to view the whole thing.

Mods pls dont delete

[cheerio]

Hey again all. I've finally got my CAN sniffer firmware working (probably should have just ordered an off-the-shelf one a month ago, lol). Fingers crossed, I'll have it hooked up to the transmission to snoop on the memory read/write process soon.

In other news, a friend has picked up a manual E36 compact and we'll be swapping the N52B25 from my car into that, with essentially a full electronics swap from a scrap E90. Will be making some custom electronics to get the gauges, A/C and some other bits working. Should be a fun project; let me know if you'd be interested in hearing more.

Due to this, I'm taking the opportunity to N52B30 swap my car at the same time as the transmission swap. Have already bought the engine, and will be buying the F10 transmission in the next couple of weeks. If this doesn't light a fire under my ass to get the tune working, I don't know what will, lol.

EvaBmw I've been following that series of videos, unfortunately he seems to have given up on using the stock TCU and settled for a Turbo Lamik setup. Some of the mechanical details like oil cooler lines will be helpful, though.

colorado.e9x it's very interesting to see that. I was originally considering something similar, using the e-shift 6HP21 from an E60. Wonder what tune they would have used though... didn't think 6HP28 + E-shift + N54 was used on any cars from factory.