|
|
|
|
|
|
BMW Garage | BMW Meets | Register | Today's Posts | Search |
|
BMW 3-Series (E90 E92) Forum
>
I cloned my MSV70 DME
|
|
12-02-2016, 12:30 AM | #1035 |
Major General
3978
Rep 7,212
Posts |
Yeah, i get it - basically that whole section has to match. It reads the signature, calculates the hash from the reference offsets, and sees if it matches.
I will try so see if i can test this soon. It would be huge - no need for a $300 oft or $500 one time use programmer. Or having to use bdm (for some things though, bdm is best). The irony is, flashes with Winkfp are faster than most programmers - since it only writes the 128kb calibration instead of the 2560kb full binary. Could be fast enough for dyno tuning (even BDM writes take a minute); although building custom 0da files for flashing at the moment is not straight forward. I have a plan for that though. Last edited by hassmaschine; 12-02-2016 at 12:36 AM.. |
Appreciate
0
|
12-02-2016, 02:48 AM | #1036 | ||
Colonel
1000
Rep 2,287
Posts |
Quote:
|
||
Appreciate
0
|
12-02-2016, 02:55 AM | #1037 | |
Colonel
1000
Rep 2,287
Posts |
Quote:
Fully thing, with fast mode turned on and on a bench, I can flash an ODA file in 45 seconds. But fast mode does not work in the car. The converter program is written in excel VBA and is not fantastic or super fast but it works. |
|
Appreciate
0
|
12-02-2016, 02:57 AM | #1038 | |
Colonel
1000
Rep 2,287
Posts |
Quote:
You know my time is very limited these days. Still pulling 60 plus hours trying to get my department into shape. |
|
Appreciate
0
|
12-02-2016, 08:56 AM | #1040 | |
Colonel
1000
Rep 2,287
Posts |
Quote:
I'll send it over tonight. Don't have it with me. |
|
Appreciate
0
|
12-02-2016, 09:38 AM | #1041 |
Major General
3978
Rep 7,212
Posts |
Cool thanks.
In other news, I'm up to 8774 parameters. There are 152 undefined (148 in the original A2L). I honestly wasn't sure I'd get more than 90% of them, but I looks like i can get all of them. I also realized i have mapped out 2000 RAM values by hand. lol. I usually just do whatever is nearby to the code I'm looking at. Unfortunately, you can't really use an algorithm to map RAM values.. |
Appreciate
1
Levanime191.00 |
12-02-2016, 01:29 PM | #1042 |
Major General
3978
Rep 7,212
Posts |
Working on this a bit - it's not clear to me where the pointers are in the boot sector.
There are 3 RSA keys for the boot sector - I suppose they must be for boot 1, boot 2, and boot 3. IIRC all of my mods are in Boot 3, so I would do the third one. While the pointers for the parameters and program are obvious, I don't see anything that stands out in the boot sector (also probably because the check happens in the space between 0x860000-0x880000, not in the actual boot sector). For fun I tried to flash a modified file without the RSA key fix and of course I got "Security access denied". |
Appreciate
0
|
12-02-2016, 02:40 PM | #1043 | |
Captain
253
Rep 775
Posts |
Quote:
I don't know what the first and second are used for (though it's worth noting the second is bit for bit identical between the MS45 and MSV70, suggesting it's perhaps used for secure diagnostic comms or something along those lines). The 3rd is the public key used to decrypt the signature. Boots 1 and 2 shouldn't have RSA signatures, since the DME never writes to those areas. Boot3's signature seems to be computed as just a segment tacked onto the program section. The only pointers you should have to edit are the ones in the program section. |
|
Appreciate
0
|
12-02-2016, 03:09 PM | #1044 | |
Colonel
1000
Rep 2,287
Posts |
Quote:
I'm still in the office but isn't the addresses you are looking the temporary address for boot three before it's moved down? |
|
Appreciate
0
|
12-02-2016, 03:16 PM | #1045 |
Major General
3978
Rep 7,212
Posts |
I didn't even think about that.. the program signature covers the boot section too. Duh. That explains why the 5 blocks for the program include 0x60000-0x7FF7F.
So basically, copy the data signature to the program, and copy the data blocks to the program, and theoretically it should pass.. |
Appreciate
0
|
12-02-2016, 03:17 PM | #1046 |
Major General
3978
Rep 7,212
Posts |
Yes I was looking for 0x60000 but I couldn't find it in the boot sector.... because it was in the program section the entire time. The worst part is, I've already seen it before...
|
Appreciate
0
|
12-02-2016, 03:20 PM | #1047 | |
Captain
253
Rep 775
Posts |
Quote:
|
|
Appreciate
0
|
12-03-2016, 10:19 AM | #1048 |
Major General
3978
Rep 7,212
Posts |
Need to look at my MSV70 RSA delete - even flashed over BDM, authentication fails when flashing a modified 0da. A similar mod for MS45 definitely works - and i swear rjahl tested it and it worked for him.
|
Appreciate
0
|
12-03-2016, 10:22 AM | #1049 |
Colonel
1000
Rep 2,287
Posts |
Yes it did. I might even be still running it. Can't remember
|
Appreciate
0
|
12-03-2016, 10:45 AM | #1051 |
Colonel
1000
Rep 2,287
Posts |
|
Appreciate
0
|
12-03-2016, 11:23 AM | #1052 | |
Colonel
1000
Rep 2,287
Posts |
Quote:
The last RSA delete I tried for you was the bytes in the UIF section. Initially it failed to start but realigning the EWS solved the problem. We swapped messages on this around Sept 5th. I might give time to test this again later this afternoon if you need to confirm. Last edited by rjahl; 12-03-2016 at 11:33 AM.. Reason: wrong date |
|
Appreciate
0
|
12-03-2016, 12:56 PM | #1054 | |
Colonel
1000
Rep 2,287
Posts |
Quote:
Where you able to redirect the RSA pointers and flash an 0PA file? |
|
Appreciate
0
|
Bookmarks |
|
|