
21 - 40 of 84 Posts

Registered · 95 Posts
An update from my side after playing with an SMG2 TCU: it turns out flashing modified 0DAs will only work with the Intel-Hex checksum corrected, the 0DA file checksum corrected, and the data area checksum corrected too.

You can bypass the last one by unticking 'test checksum' in WinKFP, but the unit fails to respond to certain requests afterwards, which isn't really a surprise.
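The Intel-Hex layer of the checksum stack described in the post above, as an added example (not code from the thread, from WinKFP or from BMW): parse Intel HEX records, verify each record's checksum, patch one data byte at an absolute address and re-emit the touched record with its checksum recomputed. The sample records are constructed for illustration; the address 0x782E1 is the one discussed later in the thread, but the bytes around it are made up. The 0DA file checksum and the data-area checksum the post mentions are BMW-specific and are not covered here.

```python
"""Intel HEX record checksums: verify, patch a byte, re-emit.

Added example, not code from the forum thread or from WinKFP. It covers
only the Intel-Hex record checksum; the 0DA file checksum and the
data-area checksum mentioned in the thread are BMW-specific and are not
handled here. SAMPLE_HEX is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: an extended linear address record selecting the
# 0x0007xxxx region, a 4-byte data record starting at 0x782E0, and EOF.
SAMPLE_HEX = [
    ":020000040007F3",
    ":0482E0000000010099",
    ":00000001FF",
]


@dataclass
class Record:
    length: int
    address: int      # 16-bit offset within the current segment
    rectype: int      # 00 data, 01 EOF, 02 ext. segment addr, 04 ext. linear addr
    data: bytes
    checksum: int     # checksum byte as read from the line

    def computed_checksum(self) -> int:
        """Two's complement of the 8-bit sum of length, address, type and data."""
        total = (self.length + (self.address >> 8) + (self.address & 0xFF)
                 + self.rectype + sum(self.data))
        return (-total) & 0xFF

    def is_valid(self) -> bool:
        return self.checksum == self.computed_checksum()

    def to_line(self) -> str:
        """Serialise with a freshly computed checksum (repairs a stale one)."""
        head = bytes([self.length, self.address >> 8, self.address & 0xFF, self.rectype])
        return ":" + (head + self.data).hex().upper() + f"{self.computed_checksum():02X}"


def parse_record(line: str) -> Record:
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError("Intel HEX record must start with ':'")
    raw = bytes.fromhex(line[1:])
    length = raw[0]
    if len(raw) != length + 5:
        raise ValueError("length field does not match record size")
    return Record(length, (raw[1] << 8) | raw[2], raw[3], raw[4:4 + length], raw[-1])


def patch_and_emit(lines: List[str], abs_addr: int, value: int) -> List[str]:
    """Set the byte at absolute address abs_addr to value and return the
    file with every record re-emitted, so the touched record's checksum
    is corrected. Tracks type-04 (linear) and type-02 (segment) base
    records so 20/32-bit addresses resolve to the right data record."""
    base = 0
    hit = False
    out = []
    for line in lines:
        r = parse_record(line)
        if r.rectype == 4:
            base = int.from_bytes(r.data, "big") << 16
        elif r.rectype == 2:
            base = int.from_bytes(r.data, "big") << 4
        elif r.rectype == 0:
            start = base + r.address
            if start <= abs_addr < start + r.length:
                d = bytearray(r.data)
                d[abs_addr - start] = value
                r = Record(r.length, r.address, r.rectype, bytes(d), 0)
                hit = True
        out.append(r.to_line())
    if not hit:
        raise KeyError(f"{abs_addr:#x} is not covered by any data record")
    return out


def bad_checksums(lines: List[str]) -> List[int]:
    """Indices of records whose stored checksum does not match their data."""
    return [i for i, line in enumerate(lines) if not parse_record(line).is_valid()]


if __name__ == "__main__":
    patched = patch_and_emit(SAMPLE_HEX, 0x782E1, 0x01)
    print("\n".join(patched))
    print("records with stale checksums:", bad_checksums(patched))
```

Editing a data byte in a hex editor without re-emitting the record is exactly what leaves a stale Intel-Hex checksum; `bad_checksums` finds those records, and `patch_and_emit` is the edit done properly. The same byte change would still need the two BMW-specific checksums corrected before WinKFP accepts the file.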
 

Registered · 1,345 Posts
Discussion Starter #23 (Edited)
Interesting, I suppose I should try the same thing while I'm waiting....

I found an SMG2 TCU on eBay for cheap so I got it. I'm interested in seeing if the hardware is different and, if it's not, whether the bootloaders are. I have a sneaking suspicion it's going to be identical.


Luckily I have a project that could use a logic analyzer, so I picked up a 34 channel one and am waiting on it. The plan is fairly simple: I'm going to hook up A0-A18 and clock it off OE. I figured out a hack using a cheaper 16 channel one, but why not go all out. Using a simple enough trigger off A15-A18 and post-sampling of 4 clocks, I should be able to see the accessed address and the code calling it, then just backtrack into the functions in IDA Pro. The C167 isn't cached and is running out of flash, so this should work nicely.
 

Registered · 1,345 Posts
Discussion Starter #25
LOL that would sure make things simpler... I'm thinking when we have enough headway, reaching out to the M3 guys and seeing who is interested; maybe someone there has access.

Once we can see how the data is validated we could just correct it ourselves.

I hate that they riveted the board to the housing.
 

Registered · 1,345 Posts
Discussion Starter #26
Oh yeah, the other thing I should do is capture some sample CAN messages between the TCU and DME. I have a bench setup but I want it when the engine is running.
 

Registered · 5,663 Posts
I did have one in my garage I had drilled the rivets out on, if only I could find it lol.


Know anyone with WinOLS and the SMG checksum plugin? :)


https://www.evc.de/en/product/ols/plugins_detail.asp?cksName=OLS271
Following along on this in the background, have toyed with the idea of this for a while, but just don't have any bandwidth.

AFAIK, there is no checksum available from EVC or anyone else. I don't think anyone ever thought the ROI was there to spend the time figuring it out, there are so few units in the field.
 

Registered · 5,663 Posts
> Oh yeah, the other thing I should do is capture some sample CAN messages between the TCU and DME. I have a bench setup but I want it when the engine is running.

I have captures from DME to idle actuators over LLS-CAN that might help weed out non-applicable ArbIDs.
 

Registered · 1,345 Posts
Discussion Starter #29 (Edited)
> I have captures from DME to idle actuators over LLS-CAN that might help weed out non-applicable ArbIDs.

Anything you got that you wanna share here or over PM is appreciated. :grin


You might even save me a step or two. I'm gonna have so many test leads hanging off this thing I'm not sure how to manage them all :)
 

Registered · 95 Posts
> Following along on this in the background, have toyed with the idea of this for a while, but just don't have any bandwidth.
>
> AFAIK, there is no checksum available from EVC or anyone else. I don't think anyone ever thought the ROI was there to spend the time figuring it out, there are so few units in the field.

Thanks for chiming in Jim.


It looks like OLS271 does cover SMG3, it looks like support was added in 2008.


15.01.2008 | 2.06 | New | Now also BMW M5-V10 SMG gear shift controller
 

Registered · 5,663 Posts
> Thanks for chiming in Jim.
>
> It looks like OLS271 does cover SMG3, it looks like support was added in 2008.
>
> 15.01.2008 | 2.06 | New | Now also BMW M5-V10 SMG gear shift controller
Interesting. Will have to evaluate if there's enough value in purchasing that. Might be hard to justify since the FRC iFlash will already correct them.

Anyone care to shoot me a binary?
 

Registered · 95 Posts
> Interesting. Will have to evaluate if there's enough value in purchasing that. Might be hard to justify since the FRC iFlash will already correct them.
>
> Anyone care to shoot me a binary?

2 Checksum points via OLS.


I was looking at the protocol unlock for my Frieling cable; it's 1000 USD but it isn't clear if it covers SMG3 or just 2. I'm not sure what format the files would be in after either.



What format are you after Jim?
 

Registered · 5,663 Posts
> 2 Checksum points via OLS.
>
> I was looking at the protocol unlock for my Frieling cable; it's 1000 USD but it isn't clear if it covers SMG3 or just 2. I'm not sure what format the files would be in after either.
>
> What format are you after Jim?
I'm fairly certain it will do SMG3, Benvo uses it I believe.

Just the converted .0pa or .0da I can throw into IDA
 

Registered · 1,345 Posts
Discussion Starter #35
Well, I managed to make my life harder. The logic analyzer was a good plan; I see a lot of interesting accesses to the data/tune area and can easily match them up with the accessing code.




As an example: address 0x782e1 is 00 in the US tune and 01 in the Euro tune. In the code below and on the logic screen you can see it reads from the address (the Flash is in word mode and the C167 auto-fixes the read), then compares it to 1 and takes the left path, storing to SRAM 1. Later on the SRAM address is used in another logic flow, which I'm working through. To complicate things the C166 is pipelined (I mistakenly said it wasn't earlier), so it'll prefetch the next instruction; it's not a big deal, and between IDA and watching the address bus you can decipher what's up. I wish I had another 16 channels for data now though :)



The problem is, I have this mess. I'm going to have to get this on acrylic or pick up another TCU to be my test TCU. I think this is how I ended up with 4 spare DMEs too.
 


Registered · 1,460 Posts
> The problem is, I have this mess. I'm going to have to get this on acrylic or pick up another TCU to be my test TCU. I think this is how I ended up with 4 spare DMEs too.
I'm happy to donate a spare TCU I ended up with. It was shipped to me to be euro-flashed, but had some water damage and the UIF area is corrupt (data shifted by 1-byte, no idea how that happened). I couldn't re-write the UIF no matter what I tried. It does run, will complete adaptations, etc. If you think you can use it just PM me your address.
 

Registered · 1,345 Posts
Discussion Starter #38
> I'm happy to donate a spare TCU I ended up with. It was shipped to me to be euro-flashed, but had some water damage and the UIF area is corrupt (data shifted by 1 byte, no idea how that happened). I couldn't re-write the UIF no matter what I tried. It does run, will complete adaptations, etc. If you think you can use it just PM me your address.

Awesome.. I can probably fix it.. PM incoming
 

Registered · 225 Posts
Quickly investigating the 0DA, it seems like the GDSMG3 is RSA secured like the DME, and also like the DME it's 1024-bit, so factoring the key is not feasible. A bypass is probably feasible like on most other BMW modules, but until it's publicly worked out, you'll need to either flash modifications to the EEPROM directly or use boot mode.
 

Registered · 1,345 Posts
Discussion Starter #40
> Quickly investigating the 0DA, it seems like the GDSMG3 is RSA secured like the DME, and also like the DME it's 1024-bit, so factoring the key is not feasible. A bypass is probably feasible like on most other BMW modules, but until it's publicly worked out, you'll need to either flash modifications to the EEPROM directly or use boot mode.

Agreed... For today EEPROM flashing works; the next step is boot mode. The SMGII board has test points on the pins; on the SMGIII they removed the test points, but the pins are big enough that you can solder a lead onto them. The pins are accessible from the top of the board, so there would be no need to drill the rivets.



The goal would ultimately be a way for anyone to flash their own mod.
 