Results 51 to 75 of 133
  1. #51
    Join Date
    Mar 2010
    Location
    AZ
    Posts
    2,826
    Rep Points
    -73.0
    Mentioned
    43 Post(s)
    Rep Power
    0


    1 out of 1 members liked this post.
    Also, someone who is going to be very helpful with the details, @ncat10

  2. #52
    Join Date
    Mar 2010
    Location
    AZ
    Posts
    2,826
    Rep Points
    -73.0
    Mentioned
    43 Post(s)
    Rep Power
    0


    Transmission is: Getrag GS7D36SG

  3. #53
    Join Date
    Mar 2010
    Location
    AZ
    Posts
    2,826
    Rep Points
    -73.0
    Mentioned
    43 Post(s)
    Rep Power
    0



  4. #54
    Join Date
    Mar 2010
    Location
    AZ
    Posts
    2,826
    Rep Points
    -73.0
    Mentioned
    43 Post(s)
    Rep Power
    0


    From ncat10 previous post:

    TCU: GS40

    More searching, it's made by Siemens.

  5. #55
    Join Date
    Mar 2010
    Location
    AZ
    Posts
    2,826
    Rep Points
    -73.0
    Mentioned
    43 Post(s)
    Rep Power
    0


    I have obtained the 335is 0pa and 0da from a helpful friend here on the boards. Now just need the CPU model number in the Siemens GS 40 to see if there is even a chance.

  6. #56
    Join Date
    Mar 2010
    Location
    AZ
    Posts
    2,826
    Rep Points
    -73.0
    Mentioned
    43 Post(s)
    Rep Power
    0


    Does anyone know what this might mean:

    GETRAG ESE-1

    GETRAG ESA-3

    CC-TCS

  7. #57
    Join Date
    Sep 2013
    Location
    SC
    Posts
    364
    Rep Points
    700.4
    Mentioned
    4 Post(s)
    Rep Power
    8


    1 out of 1 members liked this post.
    I'd love to see some kind of TCU flash for the non-M DCT, especially an adjustable RPM for launch control which is stuck at a ridiculous 5,000 RPM! I talked to Roman at ESS awhile back and he said he would check with the guy that did the M-DCT tuning but never heard any more about it.

    I have a 2011 335is DCT with ILA0S DME like BuraQ. Same car down to the color. I pulled what info I could about the transmission with the BT tool. Not sure if this is helpful or not.
    E92 335is DCT

  8. #58
    Join Date
    Jan 2010
    Location
    SoCal
    Posts
    120,249
    Rep Points
    32,700.6
    Mentioned
    2130 Post(s)
    Rep Power
    328


    Originally Posted by ajsalida
    Nah you just announce the first annual Bimmerboost Worldwide Automotive Hacking Tournament in hacker forums. First to crack N54 6HP21 TCU wins. Grand Prize includes tour of BB skyscraper & penthouse plus keys to Sticky's M3 for a night. Case of pop tarts and an inflatable girlfriend.
    I'd enter.

  9. #59
    Join Date
    Feb 2013
    Location
    Maryland
    Posts
    1,661
    Rep Points
    2,781.2
    Mentioned
    74 Post(s)
    Rep Power
    28


    Klipse would a similar BT cable pull from a 6HP21 car be as useful? $#@! I can pull that right when I'm back in town... kinda guessing we're done that though or it's not useful.
    E88 N54 w stuff
    F30 335 X-Drive EBII....PPK otherwise Stock

  10. #60
    Join Date
    Oct 2013
    Posts
    20
    Rep Points
    38.0
    Mentioned
    0 Post(s)
    Rep Power
    0


    We need some guys from the XDA forum over here... they'd have an Android and an Apple version to tune the TCU done in a week lol

  11. #61
    Join Date
    Feb 2013
    Location
    Maryland
    Posts
    1,661
    Rep Points
    2,781.2
    Mentioned
    74 Post(s)
    Rep Power
    28


    Originally Posted by 2Times
    We need some guys from the XDA forum over here... they'd have an Android and an Apple version to tune the TCU done in a week lol
    Welcome.

    Isn't XDA Windows and Android based development? Could you expand? We need all the help we can get seeing as how none of us are devs.

    I still need to look at startup guides when I get a new computer lol.
    E88 N54 w stuff
    F30 335 X-Drive EBII....PPK otherwise Stock

  12. #62
    Join Date
    Oct 2013
    Posts
    20
    Rep Points
    38.0
    Mentioned
    0 Post(s)
    Rep Power
    0


    1 out of 1 members liked this post.
    Originally Posted by 135pats
    Welcome.

    Isn't XDA Windows and Android based development? Could you expand? We need all the help we can get seeing as how none of us are devs.

    I still need to look at startup guides when I get a new computer lol.
    It was a comment in general, not likely to happen. You're correct though, anything Android, Windows, Linux (actually, anything that is code-related). They seem to find an exploit when people say it can't be done. I'll post the question over there to see if there are any BMW guys interested in giving it a shot.

  13. #63
    Join Date
    Nov 2011
    Location
    GA
    Posts
    233
    Rep Points
    367.2
    Mentioned
    10 Post(s)
    Rep Power
    4


    3 out of 3 members liked this post.
    -'09 135i MT - Custom 6466 ST - 680whp
    -'08 135i AT - 6466 ST - dead
    -'97 318is - Daily
    -'82 320i

  14. #64
    Join Date
    Jul 2010
    Posts
    87
    Rep Points
    47.8
    Mentioned
    6 Post(s)
    Rep Power
    0


    You probably need some ASAM based diagnostic tooling for the tcu platform.

    http://de.wikipedia.org/wiki/Associa...suring_Systems

    http://www.asam.net/ (Good page) (Siemens mentioned on FrontPage)

    https://www.dspace.com/en/pub/home/c...dards/asam.cfm


    But somebody above was right, you can't break the encryption, only by stupid luck and that is still a nearly impossible chance...
    You have to look to find an opening around the bootloader, classic approach, take out the encryption validation from the bootloader and you can load custom sizzle..

    You need a bench, diagnostic tooling and time to fully understand the OS... Assembly knowledge would be very useful, but first step is to understand how the TCU operates, firmware updates, reason why firmware has been updated (Potential weak spots) ... Or insight knowledge.. Bribe somebody ;-)

  15. #65
    Join Date
    Jul 2012
    Location
    On the Road Again
    Posts
    296
    Rep Points
    319.2
    Mentioned
    10 Post(s)
    Rep Power
    4


    INPA has some transmission accessibility:
    Select E90 (mine says v1.32)
    Transmission: I have three options:
    Gearbox / Automatic GS19
    Gearbox / Sequential SSG
    Gearbox / DXC VGSG

    I selected GS19 and was able to get into some menus. The first ones were informational and some others clearly showed status as well as the ability to set values. Somewhere I thought we could set shift values - maybe I dreamt that.
    I'll try to upload some screen shots.
    2008 E90 335xi AT 58K MILES - FAILING XFER CASE MOUNT
    MHD CUSTOM E50, N20 TMAP, FUEL-IT TBI & STG 2 LPFP, cPE CHARGE PIPE, HELIX IC, FORGE DV, BMS DCI, BMS T-STAT DELETE, BMS OCC, RB PCV, KW-V1 COILOVERS, APEX ARC-8, 235/265 MICHELIN PSS, ALPINA B3 TCU, SCOOPS

  16. #66
    Join Date
    Jul 2012
    Location
    On the Road Again
    Posts
    296
    Rep Points
    319.2
    Mentioned
    10 Post(s)
    Rep Power
    4


    1 out of 1 members liked this post.
    Here are some INPA transmission menus.
    2008 E90 335xi AT 58K MILES - FAILING XFER CASE MOUNT
    MHD CUSTOM E50, N20 TMAP, FUEL-IT TBI & STG 2 LPFP, cPE CHARGE PIPE, HELIX IC, FORGE DV, BMS DCI, BMS T-STAT DELETE, BMS OCC, RB PCV, KW-V1 COILOVERS, APEX ARC-8, 235/265 MICHELIN PSS, ALPINA B3 TCU, SCOOPS

  17. #67
    Join Date
    Jul 2012
    Location
    On the Road Again
    Posts
    296
    Rep Points
    319.2
    Mentioned
    10 Post(s)
    Rep Power
    4


    1 out of 1 members liked this post.
    Obviously I really don't know what I'm doing. One of the menus allows you to "actuate" the transmission ... Umm, didn't try that one!
    Does anyone know an INPA expert?

  18. #68
    Join Date
    Sep 2012
    Location
    Portland OR
    Posts
    388
    Rep Points
    104.9
    Mentioned
    37 Post(s)
    Rep Power
    0


    3 out of 3 members liked this post.
    It's not INPA that you want, it's WinKFP. Tap the transmit wire on your K+DCAN and packet capture the flash process. You could also call the guys who worked on creating the files....

    ;;Applikation
    ;;ZA_Bearbeiter: Ihle/ Wawczyniak
    ;;ZA_Abteilung: GS-TC/ENC
    ;;ZA_Telefon: 0711/811-43309
    ;;ZA_Freigabedatum: 22.11.2012
    ;
    ;;Software-Entwicklung
    ;;ZS_Bearbeiter: Ihle/ Wawczyniak
    ;;ZS_Abteilung: GS-TC/ENC
    ;;ZS_Telefon: 0711/811-43309
    ;;ZS_Freigabedatum: 22.11.2012
    ;
    ;;EOL-Programmierung
    ;;ZE_Bearbeiter: Keller
    ;;ZE_Abteilung: GS-TC/ENC
    ;;ZE_Telefon: 0711/811-33869
    ;;ZE_Freigabedatum:

  19. #69
    Join Date
    Nov 2011
    Location
    GA
    Posts
    233
    Rep Points
    367.2
    Mentioned
    10 Post(s)
    Rep Power
    4


    Originally Posted by Wedge1967
    It's not INPA that you want, it's WinKFP. Tap the transmit wire on your K+DCAN and packet capture the flash process.
    Dunno if this is any help but I believe Wireshark has a USB capture plugin for Windows, although it captures just raw USB traffic.

    http://wiki.wireshark.org/CaptureSetup/USB
    -'09 135i MT - Custom 6466 ST - 680whp
    -'08 135i AT - 6466 ST - dead
    -'97 318is - Daily
    -'82 320i

  20. #70
    Join Date
    Feb 2014
    Posts
    32
    Rep Points
    111.1
    Mentioned
    0 Post(s)
    Rep Power
    2


    1 out of 1 members liked this post.
    Originally Posted by Xearom3
    Dunno if this is any help but I believe Wireshark has a USB capture plugin for Windows, although it captures just raw USB traffic.

    http://wiki.wireshark.org/CaptureSetup/USB
    He means to capture the CAN messages. Cool tool though.



    One thing to remember:

    We are trying to get access to the 6HP21 transmission (GKE215 I believe), not the DCT. Although I'm sure there is a demand for that as well (maybe more).

    For drag racing, the conventional auto will likely be of choice.

    Another option is to flash the DME (and whatever other modules are required) with manual transmission code and control the auto trans separately.

    In the end, no matter how complicated they make the auto trans control system, it's just actuating some solenoids. This actually makes things easy if you want to manually shift the transmission (or use a standalone TCU).

    For example, I am running a setup like this on my automatic DSM. It has an electronically shifted transmission but no one knows how to modify the TCU.

    The solution:

    There are two solenoids that control which gear you are in. Obviously, that gives you 4 states (it's a 4 speed trans).

    You simply put the trans in "Drive" then actuate whichever solenoid combination you want for the gear. You leave the line pressure solenoid disconnected and all shifts are now full line pressure.

    Proposal:

    Someone find the solenoids in their transmission and tap the wires. Then construct a truth table for all states. Basically, put the trans in each gear and see what each solenoid does.

    My guess would be that there are solenoids to control which clutches are applied and a single solenoid to control the pressure. Another alternative would be that they simply PWM the gear solenoids to control how fast they engage and use that to control line pressure.

    I'm not an auto trans guy by any means, but this is my take.

    Also, they use a similar method of manually shifting the Chevy 4l80E. Just turn on the solenoid combination you want for the gear.

    Then, someone could use a standalone TCU which can shift based on whatever parameters they want (even snooping the CAN bus).

    Most of the complexity of the ZF trans comes from the array of sensors that it uses to compare input and output shaft speeds.

    All that bull$#@! goes out the window when you start forcing it into gear.

  21. #71
    Join Date
    Feb 2014
    Posts
    32
    Rep Points
    111.1
    Mentioned
    0 Post(s)
    Rep Power
    2


    1 out of 1 members liked this post.
    Just did a little investigating.

    Looks like we have 7 solenoids.

    Found a thread which elaborates on the idea a little...search for "Making a Transmission Control Module (TCM) from Scratch (for the 4HP24 / E32 750iL)"

    We wouldn't need the controller if we wanted full line pressure all the time for drag racing. This would get old quick in a street car though.
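
The truth-table step proposed in the two posts above, as an added example that is not part of the original thread: it groups logged solenoid states by gear, sets aside any solenoid that toggles while the gear stays the same (a modulated line such as pressure control), and rejects a log in which two gears share one code. The solenoid names and sample values are constructed for illustration and were not measured from any transmission.

```python
from collections import defaultdict

# Constructed sample log: (selected gear, on/off state of each tapped solenoid).
# Names and values are hypothetical, not measurements from a real gearbox.
SOLENOIDS = ("A", "B", "PRESSURE")
SAMPLES = [
    ("1", (1, 0, 1)), ("1", (1, 0, 0)),
    ("2", (1, 1, 1)), ("2", (1, 1, 0)),
    ("3", (0, 1, 1)),
    ("4", (0, 0, 1)), ("4", (0, 0, 0)),
]

def observed_states(samples):
    """Group every observed solenoid state tuple by the gear it was logged in."""
    table = defaultdict(set)
    for gear, states in samples:
        table[gear].add(tuple(states))
    return dict(table)

def gear_select_columns(table, names):
    """Indices of solenoids that hold one steady value within every gear.

    A solenoid that toggles while the gear is unchanged is being modulated
    and cannot be part of the code that selects the gear."""
    return [i for i in range(len(names))
            if all(len({s[i] for s in states}) == 1 for states in table.values())]

def truth_table(samples, names):
    """Return (gear-select solenoid names, {gear: code}) or raise on ambiguity."""
    table = observed_states(samples)
    cols = gear_select_columns(table, names)
    codes, seen = {}, {}
    for gear, states in sorted(table.items()):
        code = tuple(next(iter(states))[i] for i in cols)
        if code in seen:
            # Same code for two gears: incomplete log or an untapped solenoid.
            raise ValueError(f"gears {seen[code]} and {gear} share code {code}")
        seen[code] = gear
        codes[gear] = code
    return [names[i] for i in cols], codes

if __name__ == "__main__":
    cols, codes = truth_table(SAMPLES, SOLENOIDS)
    print("gear", *cols)
    for gear, code in codes.items():
        print(gear, *code)
```
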

  22. #72
    Join Date
    Mar 2010
    Location
    AZ
    Posts
    2,826
    Rep Points
    -73.0
    Mentioned
    43 Post(s)
    Rep Power
    0


    Originally Posted by Wedge1967
    It's not INPA that you want, it's WinKFP. Tap the transmit wire on your K+DCAN and packet capture the flash process. You could also call the guys who worked on creating the files....

    ;;Applikation
    ;;ZA_Bearbeiter: Ihle/ Wawczyniak
    ;;ZA_Abteilung: GS-TC/ENC
    ;;ZA_Telefon: 0711/811-43309
    ;;ZA_Freigabedatum: 22.11.2012
    ;
    ;;Software-Entwicklung
    ;;ZS_Bearbeiter: Ihle/ Wawczyniak
    ;;ZS_Abteilung: GS-TC/ENC
    ;;ZS_Telefon: 0711/811-43309
    ;;ZS_Freigabedatum: 22.11.2012
    ;
    ;;EOL-Programmierung
    ;;ZE_Bearbeiter: Keller
    ;;ZE_Abteilung: GS-TC/ENC
    ;;ZE_Telefon: 0711/811-33869
    ;;ZE_Freigabedatum:

    I have this information for the DCT file as well, but I seriously doubt they would provide any information and any vulnerabilities they would not be aware of otherwise they would fix them. This is not an absolute, just going with the flow here. These are likely lead programmers or something and would hold liability if any of that information got out so I haven't even bothered thinking about calling.

    We may not even need a bench unit if we find a very skilled individual. I have someone in mind, but they are currently doing some work for me right now. Once they are done, I will show them what I've got here. Sniffing the CAN lines may help you with the flashing protocol, but that does not alleviate the issue with the encryption at all. I think 95% of figuring all of this out will be software reversing. There may come a time when a bench unit is necessary to 'debug' it live. Although I'm not sure if those tools RTA mentions are actually any good for that.

  23. #73
    Join Date
    Feb 2012
    Location
    6500ft ASL
    Posts
    1,116
    Rep Points
    2,239.3
    Mentioned
    11 Post(s)
    Rep Power
    23


    1 out of 1 members liked this post.
    I could potentially provide an oscilloscope with CAN decoding and triggering if that would help someone. PM me for more info.

    -Rich

  24. #74
    Join Date
    Feb 2012
    Location
    6500ft ASL
    Posts
    1,116
    Rep Points
    2,239.3
    Mentioned
    11 Post(s)
    Rep Power
    23


    1 out of 1 members liked this post.
    Originally Posted by richpike
    I could potentially provide an oscilloscope with CAN decoding and triggering if that would help someone. PM me for more info.

    -Rich
    Particularly @Terry@BMS if that would help you create a TCU piggy...

    -Rich

  25. #75
    Join Date
    Feb 2013
    Posts
    129
    Rep Points
    223.9
    Mentioned
    10 Post(s)
    Rep Power
    3


    Originally Posted by richpike
    Particularly @Terry@BMS if that would help you create a TCU piggy...

    -Rich
    I'd love to see this!
