
    Real BMW S55, N63, N63TU, S63TU tuning coming - F-Series Infineon TriCore ECUs cracked

      A few months ago BimmerBoost brought you a story about the tuner flash tuning claims on modern BMW turbo platforms not being what they were cracked up to be. You may have noticed how tuners making these claims have not been able to display much of anything in terms of proof.


      Well, the F-Series cars that share the Infineon TriCore ECUs have been cracked and can be flash tuned now. Real flash tuning, not just flashing some of BMW's own files that have been leaked.

      There is more than one source on this and BimmerBoost cannot share all the details, but the one we can mention is Flashtec from Switzerland. They are taking pre-orders on their flashing device.

      You have to be one of their dealers to get the details but fortunately we have members who have access to the customer page. Their device is set to ship next month:

      CMDFlash BMW Fxx PWD READER for Tricore Bootmode
      ( Special Probe and Plugin, you must have Tricore bootmode )
      Shipment from January 5th 2015


      Now this is an ECU-out method: the ECU needs to be physically removed and sent in to a tuner. We hear an OBD-II method is on the way from someone, but they want to keep this quiet and for themselves for obvious reasons. The first one to get it gets the gold, right?

      What they seem to be doing is generating their own RSA key pair and replacing the BMW public key stored in the ECU with their own, so that the bootloader's signature check passes on images they sign themselves. Nothing suggests BMW's private key has been recovered; the verification is sidestepped, not broken. If it sounds like BMW makes tuning a bitch that is because they do. They just are not any fun any more these days.

      Another source claiming to have this ability is Russia's Avtotools. Whether they do or not we do not know, but their release is scheduled for this month:


      ECU-Explorer tool exclusively designed to read Infineon TriCore MCUs over CAN-bus.
      Supports read/write EEPROM function for secured and non-secured SAC-TC1766, SAC-TC1767, SAC-TC1797 microcontrollers.

      ECU-Explorer comes with Mileage, DPF, ECU system time and ISN built-in calculators.

      Purpose of use:

      1. Change power level (320-328) (system time reset only; you must use E-Sys for coding and ISTA to make final programming)
      2. Switch OFF oxygen sensors (system time reset only; you must use E-Sys for coding and ISTA to make final programming)
      3. Switch OFF check engine lamp (system time reset only; you must use E-Sys for coding and ISTA to make final programming)
      4. Reset mileage
      5. Reset system time
      6. Change ISN (for engines N13,N20,N55 etc.)


      Supported ECU types:


      • F-Series
        DDE701A
        DDE701P
        DDE721B
        DDE721P
        DDE73A
        DDE731A
        DDE741A
        DDE751A
        MEVD1725 (N13): F20, F21 series
        MEVD1724 (N20): F10, F11, F12, F13, F18, F25, F30, F31, F35 series
        MEVD1726 (N55): F01, F10, F25, F25, F30
        MEVD1728 (N63, S63): F01, F10
        MEVD1729 (N20): F10, F20, F25, F30, F32
        MEVD172 (N55): F01, F02, F07, F10, F11, F18, F25
        MEVD172P (N20): F10, F20, F25, F30, F32
        MEVD172S (N55): F10, F20, F25, F30, F32
        MEVD172G (N55): F10, F20, F25, F30, F32


      So what does this mean for tuning? It means real tuning options will open up, not just those relegated to piggybacks feeding the ECU altered sensor data to increase boost. If people wanted to go beyond just increasing boost on the stock turbos, this is the key for that to happen. Now we will finally see things like turbocharger upgrades for the N63, S63, S63TU, S55, etc. with the tuning to make use of the hardware.

      An M5 with upgraded turbos may finally be a reality next year. The BMW guys will not have to allow the 63 AMGs to have all the fun any longer.

      The other issue now will be watching tuners all fight for superiority, and we will see who rips off whom as this spreads. It also makes tuners' claims from years ago about doing turbo upgrades on M5's seem funny now when you consider they had no way to tune the cars, and it has taken a good 5+ years to crack these ECUs. We are barely in the infancy of it all right now.

      This article was originally published in forum thread: F-Series 3-Series ECU's cracked, started by Sticky.
      Comments (45)
      subaru335i -
        Oh really?! Hopefully this will push the N55 farther than it is now. The market just got a whole lot bigger.
      Sticky -
        I wouldn't expect this to spread like wildfire just yet.
      subaru335i -
        I am assuming that means it wasn't Cobb who cracked the ecu?
      George Smooth -
        Originally Posted by subaru335i:
        I am assuming that means it wasn't Cobb who cracked the ecu?
        Flashtec, which makes the popular CMD tool, has opened pre-orders. It looks like an ECU-out method.
      George Smooth -
        Signed into my account:

        CMDFlash BMW Fxx PWD READER for Tricore Bootmode
        ( Special Probe and Plugin, you must have Tricore bootmode )

        Shipment from January 5th 2015
      Sticky -
        Originally Posted by George Smooth:
        Signed into my account:

        CMDFlash BMW Fxx PWD READER for Tricore Bootmode
        ( Special Probe and Plugin, you must have Tricore bootmode )

        Shipment from January 5th 2015
        Care to explain further @George Smooth?

        What account did you sign into?
      George Smooth -
        Originally Posted by Sticky:
        Care to explain further @George Smooth?

        What account did you sign into?
        I have their tools and an up-to-date subscription, so I can go into the commercial side of their site that gives you the options to buy products. It usually has more details. So in this case Tricore means the ECU needs to be whipped out and a probe directly on the board is used to read and write to the ECU, so it's not a flash-via-the-OBD-port solution.
      Sticky -
        Originally Posted by George Smooth:
        I have their tools and an up-to-date subscription, so I can go into the commercial side of their site that gives you the options to buy products. It usually has more details. So in this case Tricore means the ECU needs to be whipped out and a probe directly on the board is used to read and write to the ECU, so it's not a flash-via-the-OBD-port solution.
        How can I get access to the commercial side?

        Can I get some screenshots or further details? I'd like to jump on this before anyone else.
      George Smooth -
        Originally Posted by Sticky:
        How can I get access to the commercial side?

        Can I get some screenshots or further details? I'd like to jump on this before anyone else.
        You can't; you need to own a master tool. Sent you some of the info in a PM; otherwise drop them an email.
      Unklejoe -
        So to clarify some things (and have some things clarified to me):

        At boot, the ECU checks its image's signature (which was generated by BMW by hashing the image, then signing the hash with their secret key). It compares this with its own calculation using its public key (which is common to all ECUs). Therefore, you can't modify the flash without knowing BMW's secret key.

        It does not seem like they actually cracked the encryption of the images (meaning they didn't figure out BMW's private key). So this means that you can't update via OBD2 like Cobb does because you can't sign the image without knowing the private key.

        The obvious way around this is to generate your own RSA key pair and sign the images with your own private key. You would then need to somehow change the public key that's stored in the ECU to match.

        The problem is, from what I understand, that the ECU uses something called "tuner protection" which basically prevents you from jumping in to the bootloader and uploading a new image to the area of memory that contains the public key.

        You need to issue a password to get it in to the boot loader. Previously, there was a process that could be used to extract the password which would then allow you to update the flash. Then, you could modify the public key in the ECU to match your own generated private key so you could make your own flashes and update via OBD from there on out.

        That's why a lot of the flashes require you to remove the ECU once but then you can flash over OBD after that.

        My guess is that this is similar. If they have full access to the image, I don't see why they couldn't modify the public key to match their own private key or even disable the check altogether.

        I'm sure I'm missing things but this info is hard to come by so this is my interpretation.
      Unklejoe -
        And this does seem like good news for the N55 guys as well. A logical assumption is that if a workaround/hack exists for the newer ECUs, it likely exists for the older ones as well. They probably use the same ECU.

        And actually, a lot of cars probably use the same Bosch ECU, so this could be good for a lot of people.

        As far as I know, since they didn't crack a key, it's not like it would take a multiple of the time to use the exploit on other ECUs.

        This $#@! is very interesting. I wish I knew more.
      George Smooth -
        Originally Posted by Unklejoe:
        So to clarify some things (and have some things clarified to me):

        At boot, the ECU checks its image's signature (which was generated by BMW by hashing the image, then signing the hash with their secret key). It compares this with its own calculation using its public key (which is common to all ECUs). Therefore, you can't modify the flash without knowing BMW's secret key.

        It does not seem like they actually cracked the encryption of the images (meaning they didn't figure out BMW's private key). So this means that you can't update via OBD2 like Cobb does because you can't sign the image without knowing the private key.

        The obvious way around this is to generate your own RSA key pair and sign the images with your own private key. You would then need to somehow change the public key that's stored in the ECU to match.

        The problem is, from what I understand, that the ECU uses something called "tuner protection" which basically prevents you from jumping in to the bootloader and uploading a new image to the area of memory that contains the public key.

        You need to issue a password to get it in to the boot loader. Previously, there was a process that could be used to extract the password which would then allow you to update the flash. Then, you could modify the public key in the ECU to match your own generated private key so you could make your own flashes and update via OBD from there on out.

        That's why a lot of the flashes require you to remove the ECU once but then you can flash over OBD after that.

        My guess is that this is similar. If they have full access to the image, I don't see why they couldn't modify the public key to match their own private key or even disable the check altogether.

        I'm sure I'm missing things but this info is hard to come by so this is my interpretation.
        You have hit the nail on the head with everything posted.
        In some cases the RSA key pair can be used and, after the first Tricore read and write, the OBD is left open; in others it cannot be done, not sure of the reason though. Recently the Bosch EDC17 boards were cracked straight via the OBD port, so great strides have happened recently in regard to the new Tricore chipsets from Infineon.

        If you're into this stuff, the next step is to read up on a program called Winols, which is an advanced map editor, and Damos files, which are basically road maps to the structure and location of the car's mapping.
      maxnix -
        Well, bench tuning, or more specifically removing the DME, is a daunting task on some of these new engines. But I bet someone will produce a remote mount to make this more easily available in the long run.

        For now, it appears that encryption via the OBD II port has not been broken yet.
      Sticky -
        The OBD-II stuff is coming. I mean it's all a process.

        This is a big step forward. It truly sucks BMW can hold your car hostage the way they are.
      bobS -
        Good news... something tells me BMW isn't the only OEM that will be doing this, so hopefully this will allow us to keep tuning. The amount of warranty savings they can get by locking up the ECM/DME is justification alone to do it, so I see why it's done.
      quattr0 -
        Good things will come to those who wait ;-)
      Sticky -
        Originally Posted by bobS:
        Good news... something tells me BMW isn't the only OEM that will be doing this, so hopefully this will allow us to keep tuning. The amount of warranty savings they can get by locking up the ECM/DME is justification alone to do it, so I see why it's done.
        I'd gladly sign a warranty waiver rather than have to fight to modify my own hardware.

        Imagine if Windows forced you to use IE or whatever hardware they choose.
      bobS -
        I gotcha... but there are a ton of dishonest people. How many N54 guys tune a leased car? How about Evos... how many of those stay stock? It's a problem; BMW decided to take it into their own hands and eliminate it. I understand why they do it. Still sucks though.
      Sticky -
        Originally Posted by bobS:
        I gotcha... but there are a ton of dishonest people. How many N54 guys tune a leased car? How about Evos... how many of those stay stock? It's a problem; BMW decided to take it into their own hands and eliminate it. I understand why they do it. Still sucks though.
        You're right, many people screw it up for the rest of us.

        How about people like me who don't tune a leased car and want to tune the car they own, but it takes years because BMW is a $#@! about it? Do I not count?

        There needs to be some kind of legal challenge to this. If I bought a computer and Dell told me I had to run their operating system it would never fly.