BMW M5 Forum and M6 Forums banner

1 - 20 of 593 Posts

·
Registered
Joined
·
6,198 Posts
Moderator comment in blue:

These rules have been developed to govern tuning discussions. Posts and posters running afoul of these rules will be treated harshly. These rules may change.

1. Board members and administrators need to respect laws and act fairly. Together, we will endeavor to promote honest behavior and discourage the opposite.

2. Any information/knowledge that has been obtained by an individual will not be shared if that person does not have a legal/written right to do so. "Information" includes any vendor's DAMOS files, strategies, screenshots, proprietary software. The tune you purchased (or that came with your car) may not be yours to share; it is certainly someone else’s work product. If you were employed by a tuner and have a confidentiality/non-disclosure agreement, obey it. Members assume personal liability by acts to the contrary.

3. Any vendor believing that information is being posted illegally or in violation of agreements should use Report Post and provide factual/legal basis for the objection. Threads/posts may be locked/hidden during discovery.

4. Members need to recognize that there are grave inherent risks to using information garnered via these discussions. The Board and Autoguide assume no responsibility for what Members do to their cars as a consequence (e.g. bricking their DMEs, breaking their vehicles, resulting injuries, etc).

OP's original post now follows:


So a few weeks ago I stumbled upon this thread: Comprehensive MSS54/MSS54HP DME Information
Some of you might know/seen that I already started to attempt to find some of the maps/tables myself.
Our DME has well over 2,000 maps/tables/values but only about 100 need to be altered to make a custom tune.

The MSS52, MSS54, MSS54HP are all remarkably similar, so a lot of the work that has been done on m3forum will carry over.
With the blessing of the p0lar on m3forum I've decided to get the ball rolling over here.

Its quite easy to read/write your DME with a ~$20 cable called the Galletto 1260.

Quite a few others manufacturers' DME/ECU has been cracked and reverse engineered already e.g. Subaru, GM, Mitsubishi, Ford.
If we can map out the DME then any competent tuner will be able to write tunes for us.

So who wants to help out? Who knows how to use WinOLS or Tuner Pro?


Personal note: this is my 4000th post!
 

·
Registered
Joined
·
57 Posts
+1 p0lar blessing :D

I've developed a FREE TunerPro module that will calculate AND correct the checksums for the E39 M5 - it'll also operate standalone in OS X or Linux/Unix as a perl script, or in Windows as a compiled executable.

So, far, at a bare minimum, I'm quite certain we can adjust throttle sensitivity, remove speed governors, adjust rev limits, adjust electronic throttle maps, plus a few other goodies too numerous to mention in one quick post. On top of that, I think I've got ignition and fuel maps determined.

Necessary Software:
- BMWFlash
- TunerPro
- Checksum Correction Tool
- Hex Editor

Necessary Hardware:
- A Galletto 1260 Cable for using the Galletto-based software
- alternate to the Galletto 1260, a Modified VAG Com OBD2 diagnostics cable (FTDI-based with the FT232RL chipset) for use with BMWFlash (and EDIABAS/INPA/NCSExpert/WinKFP, Progman/SSS, DIS et al)
- A 10A battery charger/tender

Program Version Information:
Code:
7831122E, 211321000502, S62B50/MSS52, E39/M5, E52, US/ECE, KAT, 414.002, 7.831.122, F365 Q
7833965E, 211321001301, S62B50/MSS52, E39/M5, E52, US/ECE, KAT, 426.001, 7.833.965, 2790 V
7835620A, 211321001501, S62B50/MSS52, E39/M5, E52, US/ECE, KAT, 427.000, 7.835.620, 31B7 5
7837965A, 211321001601, S62B50/MSS52, E39/M5, E52, US/ECE, KAT, 427.001, 7.837.965, 3E88 A
7843317A, 211321001701, S62B50/MSS52, E39/M5, E52, US/ECE, KAT, 427.002, 7.843.317, ABEB D
Data Version Information: (may not be comprehensive)
Code:
7831355, 7831122E, 211321000502JD04
7831356, 7831122E, 211321000502JD09

7833977, 7833965E, 211321001301D42B
7833985, 7833965E, 211321001301D444

7835634, 7835620A, 211321001501D42B
7835642, 7835620A, 211321001501D444

7837944, 7837965A, 211321001601I40C
7837946, 7837965A, 211321001601I426
7837948, 7837965A, 211321001601I406
7837950, 7837965A, 211321001601I40A
7837952, 7837965A, 211321001601D409
7837954, 7837965A, 211321001601D40B
7837956, 7837965A, 211321001601D42B
7837958, 7837965A, 211321001601D406
7837960, 7837965A, 211321001601D424
7837962, 7837965A, 211321001601D404
7837964, 7837965A, 211321001601D444

7843312, 7843317A, 211321001701I40A
7843314, 7843317A, 211321001701D409
 

·
Registered
Joined
·
3,427 Posts
So a few weeks ago I stumbled upon this thread: Comprehensive MSS54/MSS54HP DME Information
Some of you might know/seen that I already started to attempt to find some of the maps/tables myself.
Our DME has well over 2,000 maps/tables/values but only about 100 need to be altered to make a custom tune.

The MSS52, MSS54, MSS54HP are all remarkably similar, so a lot of the work that has been done on m3forum will carry over.
With the blessing of the p0lar on m3forum I've decided to get the ball rolling over here.

Its quite easy to read/write your DME with a ~$20 cable called the Galletto 1260.

Quite a few others manufacturers' DME/ECU has been cracked and reverse engineered already e.g. Subaru, GM, Mitsubishi, Ford.
If we can map out the DME then any competent tuner will be able to write tunes for us.

So who wants to help out, and risk blowing their car up, it's only a $15,000 gamble.? Who knows how to use WinOLS or Tuner Pro?


Personal note: this is my 4000th post!
Added some information you forgot.
 

·
Registered
Joined
·
57 Posts
So, let's get started:

There are about 5 different program versions for the E39 M5 which are identified by searching through the binary for a versioning text string (or going directly to offset 0x7FB8) that starts with 21132100, and is followed by another 4 digits and subsequently 4 characters thereafter.
  • 211321000502....
  • 211321001301....
  • 211321001501....
  • 211321001601....
  • 211321001701....
It will be repeated in triplicate.

Thus, before making changes to your 32kb binary, which is split between two 16KB sections, one in the slave EPROM and one in the master EPROM, you should identify the version you are dealing with. We typically identify it by those last four digits, thus, for reference, we'll call them 0502, 1301, 1501, 1601 and 1701. You MUST know these before proceeding.

The last four characters denote minor differences and/or updates within the various programs. The most predominant version will be version 1601, or at least it is the one with the most updates.
 

·
Registered
Joined
·
57 Posts
Sport Mode Memory:

At offset 0x4020, you'll typically find a string of characters that looks as follows:
01 01 1E 14 FF FF 03 5F 00 01 01 FF 33 FF FF FF
By modifying the '03' to '04', you should be able to enable sport mode memory, i.e. when you turn off the car with sport mode enabled, it should remain enabled when you turn the car back on. There are other values, the only interesting one of which might be that sport mode is enabled when the DSC button is pressed.

Location:
All versions: 0x4026
 

·
Registered
Joined
·
6,014 Posts
If I had a s62 DME I would be glad to help :)

The 60 flash limit is going to be a real problem when you get to the point that you want to do more then play with a couple of limits. As an example, I just finished tuning a friend's car with pretty major modifications - it needed changes to the fuel tables, air tables, boost tables, idle tables, you name it. I have at least 20 different versions of the tune from start to finish and some of those were revised 2 or three times (like the MAF transfer table which goes through several iterations).

On my own car, I am sure I have flashed it well over 150 times, but GM ecu's don't care and if they do they only cost around $50 :)

BTW, it is good to see vendors trying to scare people off of this, some things never change hiha
 

·
Registered
Joined
·
57 Posts
Throttle Sensitivity:

Limp Mode:
0A 00
00 02 00 64 00 C8 01 2C 01 90 01 F4 02 58 02 BC 03 20 03 E8
00 00 00 41 00 82 00 C3 01 04 01 45 01 86 01 C7 02 08 02 58
Sport Mode:
0A 00
00 09 00 50 00 A0 01 04 01 5E 01 C2 02 26 02 8A 02 EE 03 84
00 00 00 40 00 6E 00 C3 01 38 01 C0 02 3E 02 B2 03 16 03 E8
Comfort Mode:
0A 00
00 09 00 28 00 AA 01 0E 01 68 01 C2 02 26 02 8A 02 EE 03 E8
00 00 00 36 00 52 00 99 00 DB 01 40 01 AE 02 4E 02 D0 03 E8


The first part of each curve is the '0A 00' part, which designates that this curve has 10 values and only 2 axes. Thus, you see 10 words (2 bytes each) values per line for the pedal %, and then 10 words (2 bytes each) for their respective throttle %.

Location:
All versions: 0x414C
 

Attachments

·
Registered
Joined
·
57 Posts
If I had a s62 DME I would be glad to help :)

The 60 flash limit is going to be a real problem when you get to the point that you want to do more then play with a couple of limits. As an example, I just finished tuning a friend's car with pretty major modifications - it needed changes to the fuel tables, air tables, boost tables, idle tables, you name it. I have at least 20 different versions of the tune from start to finish and some of those were revised 2 or three times (like the MAF transfer table which goes through several iterations).

On my own car, I am sure I have flashed it well over 150 times, but GM ecu's don't care and if they do they only cost around $50 :)

BTW, it is good to see vendors trying to scare people off of this, some things never change hiha
We've already got ways around that. There are two mainstream solutions that are viable, and inexpensive.

1) socket the DME, then use a USB-based Willem GQ-4 programmer combined with an ADS-019 adapter to burn the now-removeable EPROMs (AM29F200 chips, which are readily available for ~$4 USD each). It seems the best approach is to use risers on the board, then place the sockets atop those with a locking housing for best stability.

2) Add a BDM header and use bdm32 to flash the chips, which then never need be removed. This is probably the best way, we're still refining this methodology over at M3forum. Expect more to come on this.

3) desolder the AM29F200 chips, burn in programmer, resolder the AM29F200 chips.

If it's anything at all like the MSS54 and MSS54HP (and it is), to correct the flash counter, take a full dump of the EPROM, find a region in the 0x4800 range that is all '00's, then change them back to 'FF's, byte swap, and burn the entire image back to the EPROM. There you go!
 

·
Registered
Joined
·
6,014 Posts
We've already got ways around that. There are two mainstream solutions that are viable, and inexpensive.

1) socket the DME, then use a USB-based Willem GQ-4 programmer combined with an ADS-019 adapter to burn the now-removeable EPROMs (AM29F200 chips, which are readily available for ~$4 USD each). It seems the best approach is to use risers on the board, then place the sockets atop those with a locking housing for best stability.

2) Add a BDM header and use bdm32 to flash the chips, which then never need be removed. This is probably the best way, we're still refining this methodology over at M3forum. Expect more to come on this.

3) desolder the AM29F200 chips, burn in programmer, resolder the AM29F200 chips.

If it's anything at all like the MSS54 and MSS54HP (and it is), to correct the flash counter, take a full dump of the EPROM, find a region in the 0x4800 range that is all '00's, then change them back to 'FF's, byte swap, and burn the entire image back to the EPROM. There you go!

That's good news :)
 

·
Registered
Joined
·
57 Posts
Speed Governor per gear:

Code:
00 00 00 01 00 02 00 03 00 04 00 05 00 06 00 07 
10 20 10 20 10 20 10 20 10 20 10 20 10 20 10 20
In hex, 1020 = 4128 decimal. 4128 / 16 = 258 kmph

So, to adjust this to remove the speed governor, simply change the 1020 to something more reasonable for the E39 M5 platform, such as... '1630'.

Thus, the following will effectively put the speed governor at 220 mph (~354 kmph):
Code:
00 00 00 01 00 02 00 03 00 04 00 05 00 06 00 07
16 30 16 30 16 30 16 30 16 30 16 30 16 30 16 30
Location:
Code:
0502: [B]0x6F62[/B]
1301, 1501, 1601, 1701: [B]0x6F42[/B]
 

·
Registered
Joined
·
57 Posts
Polar - well done for doing all this work! I have a galetto flasher so I would be willing to do some field tests perhaps :)
Don't thank me, thank everyone over at m3forum.net, without whom this wouldn't have been possible. The MSS52 platform is SO CLOSE to the MSS54 that there's no reason we shouldn't be collaborating closely as responsible, enthusiast communities.
 

·
Registered
Joined
·
57 Posts
Rev Limits per gear:
Code:
00 00 00 01 00 02 00 03 00 04 00 05 00 06 00 07 
1B 58 1B 58 1B 58 1B 58 1B 58 1B 58 19 64 1B 58
1B 58 = 7000 RPM
19 64 = 6500 RPM

Is there any reason why the E39 M5 would have a 6500 RPM rev limit in 6th gear?

Any way, if you wanted to raise the rev limits, say by 200 RPM to 7200 RPM, you'd simply modify the curve as follows:
Code:
00 00 00 01 00 02 00 03 00 04 00 05 00 06 00 07 
1C 20 1C 20 1C 20 1C 20 1C 20 1C 20 1C 20 1C 20
In ALL versions, this curve is located at 0x3B0.

Interestingly, in version 0502, the rev limits are different, 8000 RPM across the board!
Code:
00 00 00 01 00 02 00 03 00 04 00 05 00 06 00 07
1F 40 1F 40 1F 40 1F 40 1F 40 1F 40 1F 40 1F 40
 

·
Registered
Joined
·
6,918 Posts
5th gear @ 6200 rpm is 150 mph indicated :hihi:, maybe 6500 is a mechanical speed limiter on 5th since the speed governoronly affects 6th gear?
 

·
Registered
Joined
·
57 Posts
That gear number reference is as follows (typically!) : 0 is neutral, 7 is reverse. So the 6500rpm limit is actually 6th gear as you would expect.
I saw that, and made a ninja edit, but you caught me, heh. I was just rushing through it while looking through versions. :cheers:
 
1 - 20 of 593 Posts
Top