E90Post
 


Coby Wheel
 
BMW 3-Series (E90 E92) Forum > E90 / E92 / E93 3-series Powertrain and Drivetrain Discussions > NA Engine (non-turbo) / Drivetrain / Exhaust Modifications > I cloned my MSV70 DME



Reply
 
Thread Tools Search this Thread
      06-26-2018, 04:56 PM   #1915
hassmaschine
Major General
United_States
3940
Rep
7,216
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

Quote:
Originally Posted by Jonas225 View Post
Hi @hassmaschine,

I didn‘t read all 89 pages but maybe you can answer a few questions. It‘s for my better understanding. I‘m familiar with coding but not with mapping (yet).
I read a lot of the xHP thread and the RSA signature, whichs is used for (some) ECUs.

Some have a 512-bit and some have a 1024-bit signature.

1. Which ECU has which signature?

The 512-bit signing key is now known and we (you) can sign a modified 0da file.
The ZF trans uses 512 bits - GM uses 1024 bits. Aside from MS45, all of the DMEs that use RSA are at least 1024 bit.

Quote:

2. What about the 1024- bit signature? How does xHP sign/bypass their custom files? How did they crack that 1024-bit signature and sign their files?
Basically they are modifying RAM values with a special command to bypass the signature check. I'll bet the new N55 OBD-only flashes do something similar.

On the transmissions the program is compressed, so it's not possible to disassemble and hack the code like we did for the other DMEs, which is why they do it that way. With the ZF, we don't need to bypass the RSA signature check since the signature is valid anyway.

Quote:

At Bimmerlabs there are 0pa files with RSA delete.

3. What is changed in this file? Why doesn‘t WinKFP reject to flash the modified 0da file?
The main changes are to disable the RSA signature check on future flashes (program or parameter). WinKFP doesn't reject the flash because of security holes in Siemen's implementation of the RSA signature. Basically, it thinks the signature is valid even though it's not, because we have constructed the file to trick the signature check algorithm.

Quote:

For modifying the 0da files we have to convert is to .bins or read the ECU.

4. Is there a tool to convert the modified .bin to a 0da file again? Where can I download that tool?
5. Is there also a tool for signing these modified files?
The tool is built into Bimmerlabs. I don't have it fully exposed to the public yet - if we have the RSA key, it already signs the file for you, there's no separate program for that. I'm still deciding how exactly making it available to everyone will work.

Quote:

I have a 2011 BMW 116i E87 here with MSD81 and N43B20 engine and want to upgrade the software to get the same power as the 118i (complete same hardware). As far as I know I can modify the power class of a 118i 0da to match the power class stored in CAS.

6. Is that right? Will there be support for that engine in Bimmerlabs?

The engine (N43B20) is the same for the 116i/118i/120i. The 116i and 118i has the same hardware. The 120i has a different intake manifold (2 stage), different camshaft, exhaust manifold,...

So upgrading to OEM 118i software should be safe.
I have looked at that a little bit and I think it is possible to do. But basically yes, you could change the power class on the 118i file and flash it to your 116i. Bimmerlabs could support it providing I knew which file it needed to be (not hard to find) and assuming I know the location of the power class byte and have an RSA delete for your specific program version.

Last edited by hassmaschine; 06-26-2018 at 05:19 PM..
Appreciate 0
      06-26-2018, 06:14 PM   #1916
Terraphantm
Captain
253
Rep
775
Posts

Drives: E46 M3 Coupe
Join Date: Apr 2009
Location: N/A

iTrader: (1)

So the 4-cylinder models seem to use the MSD81.2 rather than the MSD80/81 like their 6-cylinder cousins. Undoubtedly the code is very similar, but without seeing a full dump, it's hard to say one way or another whether we can support it for sure.
Appreciate 0
      06-26-2018, 06:27 PM   #1917
Jonas225
New Member
5
Rep
22
Posts

Drives: E92 335i
Join Date: Oct 2016
Location: Bavaria, Germany

iTrader: (0)

Wow, thank you for the fast answer!

I can check the ZUSB next week. I can also provide a dump of the ECU. With the BB app it should be easy.

All ZF have 512 bit? So we can modify the 0da, sign it and flash it without the need of xHP?

In conclusion:
ECU‘s with 512 bit can be signed and flashed

ECU‘s with 1024 bit (or more) can‘t be signed because the key is unknown. You have a bypass for the 0pa file. That deactivates the „check“ in the 0da file. -> RSA delete

Is that right?
Appreciate 0
      06-26-2018, 06:33 PM   #1918
hassmaschine
Major General
United_States
3940
Rep
7,216
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

Yes, that is correct.
Appreciate 0
      06-26-2018, 06:41 PM   #1919
Jonas225
New Member
5
Rep
22
Posts

Drives: E92 335i
Join Date: Oct 2016
Location: Bavaria, Germany

iTrader: (0)

In the xHP thread dave said the 6HP26/28 uses 1024 bit and the 6HP19/21 512?

You say all ZFs use 512?
Appreciate 0
      06-26-2018, 07:07 PM   #1920
rjahl
Colonel
rjahl's Avatar
996
Rep
2,287
Posts

Drives: Z4 35is
Join Date: Jun 2011
Location: Tampa

iTrader: (0)

Garage List
2012 Z4 35is  [0.00]
He's partially correct, early 6 speed ZF transmissions use 512. Second generation and newer use 1024.

Bimmerlabs handles the first generation very well.
Appreciate 0
      06-26-2018, 07:20 PM   #1921
hassmaschine
Major General
United_States
3940
Rep
7,216
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

Pre-lci it looks like GKE191 to me - which is 512 bit.

We support GKE191/211/195/215
Appreciate 0
      06-26-2018, 09:33 PM   #1922
Terraphantm
Captain
253
Rep
775
Posts

Drives: E46 M3 Coupe
Join Date: Apr 2009
Location: N/A

iTrader: (1)

Quote:
Originally Posted by Jonas225 View Post
ECU‘s with 512 bit can be signed and flashed

ECU‘s with 1024 bit (or more) can‘t be signed because the key is unknown. You have a bypass for the 0pa file. That deactivates the „check“ in the 0da file. -> RSA delete
And implicit in this is the fact that 512-bit keys can be factored pretty quickly on modern computers. Get something like a threadripper cpu with an nvidia graphics card and you can probably factor a key at home in a little over a day.

1024-bit is still out of the realm of possibility outside of the NSA, though I suspect in the next decade or so we'll have consumer-grade hardware capable of factoring those keys. 2048-bit and higher, and you'll probably be waiting for quantum computers.
Appreciate 0
      07-04-2018, 05:29 AM   #1923
_Ryan_
Captain
No_Country
59
Rep
741
Posts

Drives: E87 130i
Join Date: Jan 2012
Location: Melbourne, AU

iTrader: (0)

Garage List
2005 BMW 130i  [5.24]
Quote:
Originally Posted by hassmaschine View Post
It's fine to do, unless you're planning on getting an emissions inspection within the next month or so, because it also resets emissions monitors, then I would wait. Also you must do this with the ignition on (but car turned off) and you'll probably have to clear error codes and restart after the first startup.



Pretty much what I wrote above. There's probably a small bump in power, but otherwise I can't ever have a MAF failure.

The throttle would be pretty easy to tweak. Is your car 6mt or auto? I haven't noticed any real 'lag' with the 6mt, but I think a lot of it comes from the custom tune.

6MT. I perceive the throttle to have a delay when first applied.


Could this be the throttle curve you mentioned?


Have you tested your tune on other cars? Did you raise the rev limit slightly? (can't recall if it was yourself or someone else testing this)
Appreciate 0
      07-04-2018, 09:44 AM   #1924
hassmaschine
Major General
United_States
3940
Rep
7,216
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

I can raise the rev limit but all of the free files have stock limiters (since they are based on stock tunes).

It's been so long since I've driven my car with a stock tune, it might be other changes (there's also a throttle position map). One of these days I'm going to reinstall my MAF and flash the stock tune to remember what it was like (well, I sort of remember - I thought it felt neutered).
Appreciate 0
      07-04-2018, 02:04 PM   #1925
Pinscher
Lieutenant
Canada
113
Rep
513
Posts

Drives: 2008 335i
Join Date: Jan 2018
Location: Vancouver

iTrader: (0)

Garage List
Quote:
Originally Posted by hassmaschine View Post
I can raise the rev limit but all of the free files have stock limiters (since they are based on stock tunes).

It's been so long since I've driven my car with a stock tune, it might be other changes (there's also a throttle position map). One of these days I'm going to reinstall my MAF and flash the stock tune to remember what it was like (well, I sort of remember - I thought it felt neutered).
Do you have an ETA for non stock tunes with lifted limiters and the mods for transmissions too?

I'm going to have some time to install my 3IM so I hope to get the modded tune put onto my 328xi

Last edited by Pinscher; 07-04-2018 at 03:51 PM..
Appreciate 0
      07-16-2018, 10:59 AM   #1926
bryanjb
e91 2011 sport
6
Rep
25
Posts

Drives: 2003 325xit
Join Date: Nov 2017
Location: new england

iTrader: (0)

hass - just finished installing the 3IM, and was checking bimmerlabs for updates and the link to the USB / OBD tool - only to discover the site is down. you are probably aware, but if not - heads up.

Quote:
Originally Posted by hassmaschine View Post
I can raise the rev limit but all of the free files have stock limiters (since they are based on stock tunes).

It's been so long since I've driven my car with a stock tune, it might be other changes (there's also a throttle position map). One of these days I'm going to reinstall my MAF and flash the stock tune to remember what it was like (well, I sort of remember - I thought it felt neutered).
Appreciate 0
      07-16-2018, 12:57 PM   #1927
hassmaschine
Major General
United_States
3940
Rep
7,216
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

yeah, something with Azure went haywire. it's up again.
Appreciate 0
      07-19-2018, 03:25 PM   #1928
bryanjb
e91 2011 sport
6
Rep
25
Posts

Drives: 2003 325xit
Join Date: Nov 2017
Location: new england

iTrader: (0)

thanks - got the files.

2 questions:

is it worth getting the 0Pd data file from my car before flashing the RSA Delete / 330 firmware?

and, any progress to report on the web based tuning system you mentioned? still interested in looking at tables and all that fun stuff. glad to be a low functioning beta if you need one.


Quote:
Originally Posted by hassmaschine View Post
yeah, something with Azure went haywire. it's up again.
Appreciate 0
      07-19-2018, 03:27 PM   #1929
Echoninety
First Lieutenant
Echoninety's Avatar
United_States
84
Rep
327
Posts

Drives: 2006 330i e90 Sport 6mt
Join Date: Jul 2016
Location: DMV

iTrader: (0)

Wow - so much to go through and tinker with...
__________________
2020 M340i Dravit Grey RWD | 2006 330i Sparkling Graphite Metallic
Appreciate 0
      07-19-2018, 06:10 PM   #1930
hassmaschine
Major General
United_States
3940
Rep
7,216
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

Quote:
Originally Posted by bryanjb View Post
thanks - got the files.

2 questions:

is it worth getting the 0Pd data file from my car before flashing the RSA Delete / 330 firmware?

and, any progress to report on the web based tuning system you mentioned? still interested in looking at tables and all that fun stuff. glad to be a low functioning beta if you need one.
No, you don't need to do that. the RSA delete already updates the program.

I don't have the web based stuff available yet - there's always 10,000 other things that need attention first.
Appreciate 0
      07-20-2018, 02:56 PM   #1931
bryanjb
e91 2011 sport
6
Rep
25
Posts

Drives: 2003 325xit
Join Date: Nov 2017
Location: new england

iTrader: (0)

sorry, should have phrased my questions more clearly.

i've seen 4 stock MSV80 files for my car / project on bimmerlabs. just wondering if i should archive my own stock file in case I need to flash it back for some reason?


Quote:
Originally Posted by hassmaschine View Post
No, you don't need to do that. the RSA delete already updates the program.

I don't have the web based stuff available yet - there's always 10,000 other things that need attention first.
Appreciate 0
      07-20-2018, 07:53 PM   #1932
hassmaschine
Major General
United_States
3940
Rep
7,216
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

Nope.. You can just flash any of those stock files later on - either MI20S or MM10S would be fine.
Appreciate 0
      07-20-2018, 09:30 PM   #1933
Terraphantm
Captain
253
Rep
775
Posts

Drives: E46 M3 Coupe
Join Date: Apr 2009
Location: N/A

iTrader: (1)

Only reason to backup would be if you already have some kind of tune I guess. That said, we don't currently give you a means by which you can backup the DME. That might change in the intermediate future
Appreciate 0
      07-21-2018, 10:39 AM   #1934
Jonas225
New Member
5
Rep
22
Posts

Drives: E92 335i
Join Date: Oct 2016
Location: Bavaria, Germany

iTrader: (0)

Quote:
Originally Posted by hassmaschine View Post
I have looked at that a little bit and I think it is possible to do. But basically yes, you could change the power class on the 118i file and flash it to your 116i. Bimmerlabs could support it providing I knew which file it needed to be (not hard to find) and assuming I know the location of the power class byte and have an RSA delete for your specific program version.
I created a project at bimmerlabs but I'm not able to select the DME. I got a dump of the 116i and would like to upload it to bimmerlabs for you. But thats not possible without selecting a DME.

Here are some additional information:

116i E87 N43B20 MSD81.2

ZB number: 8688008
Program: 8672567A.0pa
Data: S8688009.0da
SW: 0044RD0QID0S
Power class: 01 (N43B20K0 according to NCSdummy)


I THINK these are the files for the 118i:
ZB number: 8688004
Program: 8672567.0pa
Data: S8688005.0da
Power class: 00 (N43B20U0 according to NCSdummy)

I tried to find the power class byte, but without an xdf, damos, ... I had no luck. Maybe the description in NCSdummy is not correct.

Would you have a look at these files?
Can I PM you the original file?
Appreciate 0
      07-21-2018, 11:45 AM   #1935
hassmaschine
Major General
United_States
3940
Rep
7,216
Posts

Drives: "NBO" 330i
Join Date: Jun 2014
Location: earth

iTrader: (0)

I haven't added support for MSD81.2 yet which is why you can't select it - but if you can PM me with your email, and send me the full dump, I can probably add it.
Appreciate 0
      07-21-2018, 05:21 PM   #1936
The Nightman
Cometh
The Nightman's Avatar
1067
Rep
1,287
Posts

Drives: Boy's Soul
Join Date: Jul 2016
Location: Boy's Hole

iTrader: (4)

Garage List
I flashed the MAF delete tune and thought I'd share this picture comparing the European IAT sensor to the NA MAF sensor:



I'll post more about the tune after more seat time.
Appreciate 0
Reply

Bookmarks

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



All times are GMT -5. The time now is 03:32 AM.




e90post
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.
1Addicts.com, BIMMERPOST.com, E90Post.com, F30Post.com, M3Post.com, ZPost.com, 5Post.com, 6Post.com, 7Post.com, XBimmers.com logo and trademark are properties of BIMMERPOST