[Terraphantm]

It's easier to flash the 330 software and edit the powerclass byte. Or you can even flash a custom program that allows the power class to be changed even after 10 hours, which would allow you to use stock 330i software.

Haven't worked with any of the N53 software, but I imagine it's close enough the N54 MSD80/81 code (which we do know how to work with).

[hassmaschine]

you have to modify the boot code either way, so it makes more sense to just start with the 330i file rather than trying to cobble together a frankentune.

[PD330]

What do you mean with boot code? Boot loader, which would have to be flashed on bench or just the startup code of programm?

As far as I understood so far, there is a power class saved on the ECU, the stat_bsz_wert, which can be changed within the first 10 hours.

And there is an power class byte in the software. The software itself checks if these values are equal. So there are two ways:
-Adapt stat_bsz_wert to upper power class and flash a stock 330i software
-Modify power class byte in 330i software to lower class
Is that correct?

Regarding this, I think boot loader does not have to be modified or am I missing something?

[Terraphantm]

Quote:

Originally Posted by PD330

What do you mean with boot code? Boot loader, which would have to be flashed on bench or just the startup code of programm?

As far as I understood so far, there is a power class saved on the ECU, the stat_bsz_wert, which can be changed within the first 10 hours.

And there is an power class byte in the software. The software itself checks if these values are equal. So there are two ways:
-Adapt stat_bsz_wert to upper power class and flash a stock 330i software
-Modify power class byte in 330i software to lower class
Is that correct?

Regarding this, I think boot loader does not have to be modified or am I missing something?

You're forgetting one crucial piece: The tune is signed with a 1024-bit RSA key. Changing a single byte (even the power class byte) will invalidate the signature. The signature verification is done by the boot sector. So to change that one byte, the boot sector has to be modified to bypass the signature verification step (which we're able to do because there's a flaw in how BMW checks the boot / program signature).

Alternatively, using a similar trick, we can modify the program to allow the power class in the eeprom to be changed even after 10 hours - this can be done without actually flashing a modified boot sector.

[hassmaschine]

Yeah, you can't just change the powerclass byte, the signature check will fail.

Quote:

Originally Posted by Terraphantm

Alternatively, using a similar trick, we can modify the program to allow the power class in the eeprom to be changed even after 10 hours - this can be done without actually flashing a modified boot sector.

True, but you still have to write an 0pa - which flashes the boot sector regardless, just not with a modified version. And then you're stuck with whatever stock files are available, since without the signature check bypass you can't modify any parameters.

For MS45 and GKE191/211 we can give it a valid signature so no code mods are needed - would be great if we could do the same on the newer ones but it's just not feasible to hash a 1024 bit key.

[Terraphantm]

Quote:

Originally Posted by hassmaschine

Yeah, you can't just change the powerclass byte, the signature check will fail.



True, but you still have to write an 0pa - which flashes the boot sector regardless, just not with a modified version. And then you're stuck with whatever stock files are available, since without the signature check bypass you can't modify any parameters.

Yeah I know, though at that point it's no different than a stock WinKFP flash. I guess a part of me likes having that power class match what "it should be", even though it doesn't actually matter.

Quote:

Originally Posted by hassmaschine

For MS45 and GKE191/211 we can give it a valid signature so no code mods are needed - would be great if we could do the same on the newer ones but it's just not feasible to hash a 1024 bit key.

Yeah, making a valid signature just isn't feasible today without NSA-level resources. In 10 years it might be doable on a high end PC. I am still investigating the possibility of flashing a custom tune without touching the boot sector, but so far no luck

[bmwcar]

you can read/write it with chip tuning tools, over obd, or in boot mode. no problem, and it read's password also

[hassmaschine]

Sure - but those OBD tools are also bypassing the RSA sig check to do so by modifying the boot code.

[Terraphantm]

Quote:

Originally Posted by bmwcar

you can read/write it with chip tuning tools, over obd, or in boot mode. no problem, and it read's password also

Ever notice that initial flash that takes about 10-15 minutes with those tools?

[rjahl]

Quote:

Originally Posted by Terraphantm

Ever notice that initial flash that takes about 10-15 minutes with those tools?

Some of them read all of the microprocessor and flash ram, modify the contents and flash back all of it. I think it's a generic solution for multiple types of units. The ODB Galletto is like that, it will only work with 2.5 meg files and takes something like an hour to read and and another to write.

It was so cool when we moved to flashing with Winfkp and that dropped to 45 seconds.

[hassmaschine]

I think the OFT works in a similar way. FWIW, a buddy of mine bought a $7000 flash tool that also takes an hour to flash every single time. He was pissed needless to say - you can't dyno tune at $90 an hour for the dyno session and make a profit that way..

We want to stick to those 45 second flashes!

[rjahl]

Been a little quite that last few days. Swamped at work and the car broke down. Radiator expansion tank let go during some really slow moving traffic on the freeway. I actually thought the car was on fire. No temp warning light and plenty of white smoke coming from all sides of the hood. Pulled over took out my belongings and fully expected the car to burn up right there. Of course the white smoke turned out to be steam but the thought process was certainly there.

I did try flashing that troublesome DME a few more times, this time with another power supply. No joy. According to INPA the flash takes, so I miffed. If I get a chance today, I'll install it in the car just for kicks. Maybe my cable has finally taken a dump.

[Terraphantm]

Quote:

Originally Posted by rjahl

Some of them read all of the microprocessor and flash ram, modify the contents and flash back all of it. I think it's a generic solution for multiple types of units. The ODB Galletto is like that, it will only work with 2.5 meg files and takes something like an hour to read and and another to write.

It was so cool when we moved to flashing with Winfkp and that dropped to 45 seconds.

My post was in reference to the Tricore stuff. Can't enter "boot mode" (bad name, but it's stuck) without recovering the passwords. Can't recover the passwords (or EWS SK) without modifying the program. Can't do that without bypassing RSA.

[bmwcar]

Quote:

Originally Posted by Terraphantm

Ever notice that initial flash that takes about 10-15 minutes with those tools?

initial flash 31minutes, after that 3minutes

btw. today I flash file that I made with 130i block pasted to 125i file, but car didnt want to start. Only dtc stored was 2EF5 Map thermostat. Then I deleted few maps in begining of block that
I didnt know meaning of, write again, and car started, no dtc. Power is even better than with pro-tuned files in high rpms, but lost low end torque compare to 125i tuned. Thats becose they
increased torque limiters from low rpm.
Now I made 130i simple tuned file (+3deg to ignition) and torqe limiter increased 10%, and some other tweaks, I will try today.

one more thing, Is there any gain by increasing rpm limit to 7200-7300rpm ? I see in tuned files its increased. And in BMW pdf describing n52 eingine, I read that maximum rpm for n52 is 7000 ?

[hassmaschine]

Yes. The initial flash is modifying the boot code, like we said.

Did you copy everything from 0x40000 to 0x7E6FF? And did you change the power class to match your car? Could be a checksum wasn't correct as well.

As far as RPM - the maximum factory RPM is 7000, but it can definitely rev higher. However, on an otherwise stock engine there's not a whole lot to gain from it.

[bmwcar]

yes, but after 64c66 is all empty space (obd read),
ps. tune didnt make much differenc in top end, just more torque, but to really tune na engine, I'll need to go to dyno

[Terraphantm]

Why don't you just flash a complete 330i file and change the powerclass byte?

[PD330]

Quote:

Originally Posted by Terraphantm

You're forgetting one crucial piece: The tune is signed with a 1024-bit RSA key. Changing a single byte (even the power class byte) will invalidate the signature. The signature verification is done by the boot sector. So to change that one byte, the boot sector has to be modified to bypass the signature verification step (which we're able to do because there's a flaw in how BMW checks the boot / program signature).

Alternatively, using a similar trick, we can modify the program to allow the power class in the eeprom to be changed even after 10 hours - this can be done without actually flashing a modified boot sector.

Yeah of course, RSA would need to be corrected. Just had in mind that there are several ways like OFT or KESS, but the last posts clearified this topic Didn't realized yet these tools are also bypass RSA check but now I also understand why initial flashing takes so much more time.

I'm still reading parts of the thread, I think around pages 50-60 there are a lot of usefull informations regarding RSA bypass and changing powerclass with modified software.

Quote:

Originally Posted by Terraphantm

It's easier to flash the 330 software and edit the powerclass byte. Or you can even flash a custom program that allows the power class to be changed even after 10 hours, which would allow you to use stock 330i software.

Haven't worked with any of the N53 software, but I imagine it's close enough the N54 MSD80/81 code (which we do know how to work with).

So you already know how to modify the code on msd80 for N54? I also can image with the knowledge it could be simply adapted to N53 so I would really appreciate to get some help here.

[Terraphantm]

Quote:

Originally Posted by PD330

So you already know how to modify the code on msd80 for N54? I also can image with the knowledge it could be simply adapted to N53 so I would really appreciate to get some help here.

Yes - I have semi-regular access to an E60 535, so I cloned the DME and have been using that car to test things out.

If the N53 software happens to use the same program version (or at least the same boot sector) as the N54 software, then there's pretty much no extra work needed on our part. Otherwise we'd need to figure out where the branch instructions we need to modify are and then locate the powerclass byte, but that's not super difficult.

[roflmao]

Hello to all. I'm sorry for disturbing you with my noob questions, but i really need help Is i understand there is no opportunity to change powerclass byte in MSD81 for n53 ecu? But if i reset runtime from DME and get bsz_stat_wert 0 , i will need to change the power class in CAS. And this is a problem, because cas rejected to change with with error. So, what to do with this?

[hassmaschine]

I saw your PM, and changing the power class can be done - but I can't do it immediately. I have some project deadlines that can't slip, so 'extra' projects like yours I can't do right now.

[roflmao]

Quote:

Originally Posted by hassmaschine

I saw your PM, and changing the power class can be done - but I can't do it immediately. I have some project deadlines that can't slip, so 'extra' projects like yours I can't do right now.

Ok,thank you very much. I will wait for you.