Where does new DME flash development generally start?

bradsm87

Corporal
Dec 15, 2016
162
53
0
It doesn't take a rocket scientist to figure out that generally one company gets DME flashing working, then the rest reverse engineer it.

Who is usually the first?

Is it a matter of small tuning companies with Dimsport or other tools getting a customer who comes in wanting a tune, and then the tuner working with the large tuning tool provider (e.g. sending the DME overseas to them) to get bench flashing and/or OBD flashing working?

Is there something that B58 owners can do to accelerate the availability of flash tuning?

I'm holding off a car purchase until I know flash tuning is available, so I'm very keen to help with the push for it.
 

doublespaces

Administrator
Oct 18, 2016
9,310
4,342
0
AZ
Ride
2009 E93 335i
It doesn't take a rocket scientist to figure out that generally one company gets DME flashing working, then the rest reverse engineer it.

Who is usually the first?

Is it a matter of small tuning companies with Dimsport or other tools getting a customer who comes in wanting a tune, and then the tuner working with the large tuning tool provider (e.g. sending the DME overseas to them) to get bench flashing and/or OBD flashing working?

Is there something that B58 owners can do to accelerate the availability of flash tuning?

I'm holding off a car purchase until I know flash tuning is available, so I'm very keen to help with the push for it.

From my experience working directly with the BMW Flash, which requires the BT cable, as well as the documents from those conversations which I compiled, I can say that there is not just one way for this to happen. But there is definitely an international 'underground' hacker element to all of this. And by that it can mean anything: hacking into BMW engineers' emails, gleaning technical documents to probe weaknesses, etc. A bunch of companies will come out with a certain flashing capability (bench or OBD) simultaneously, because it becomes available to them all at the same time. But somewhere up the food chain, an individual sold an exploit to other people within that connected network of people and made a bunch of money as a result of that.

This doesn't mean it's the only way these types of things happen, but the MSD80 flash tuning capability is no more than an exploit. As I vaguely recollect, it's a trick to get the DME to accept a BIN with one section modified by using the confirmed cryptographic signature from another area which wasn't modified (more or less). You can stumble upon these things yourself if you are highly skilled, or you can pay for these exploits or toolkits.

Many years ago, I held off on the whole flash tune idea back when it was only GIAC and others, because BMW could easily patch this up if they wanted. What you need is a very good reverse engineer or money.
 

Twisted Tuning

Lieutenant
Platinum Vendor
Oct 25, 2016
982
915
0
New York
www.twistedtuning.com
Ride
N54 and N55 Cars
I've done tons of this...

First place to start is, let's say you have a car. Pull the ECU and open it up. Why? This is to verify exactly which processor etc. is actually being used in the ECU. This is the first step to ECU reverse engineering. Once you have the exact processor that is being used, you can then search for the specific chipset documentation, which will have all the information you need to know on how to talk to the chip, often times how to rip the info from it in boot mode, how to flash it, etc.

Why do you need that information from the chip? Because that's what you all know as the BIN, and that's needed for finding tables etc.

Often times certain chips are used in numerous models of cars, so you can start cross-referencing the chip with other makes and see if some of the work has already been done and someone already has a tool for reading and writing the chip etc. Sometimes that's half the work. Generally speaking, reading and writing is the easy part. The disassembly of the ROM (table defining, logic learning, etc.) is the hard part and is often times guessing for people with no experience with a particular ROM image. Having DAMOS files and OEM documentation makes all of this so much easier, but those docs are generally hard to get hands on for the regular guys out there. So most of the table finding and defining is done painfully and longwindedly (yes, I know, not a word, lol) the manual way using hex editors etc. WinOLS is a very common one.

Honestly, it's not about big or small companies. It's about who is willing to take the time and spend the money to get it working and decipher everything. Doesn't take a big company to do it. Often times it's never the big company that does it. It's a couple of guys in their rooms or garage cracking stuff and selling it to the big companies.

For the B58 people. First things first... Pull the DME, pull a couple from different models and years to see exactly which processor is actually in there. And pulling a couple of different ones will help determine if they mainly use the same processor. Then find the chipset docs, or see if there is anything out there that already can read and write the DME so you can get the file off of the DME. I have a Ktag Master for that. So if you guys get a couple of DMEs and see what the processor is, we can see if Ktag supports it. If it does, send it over and I'll pull the unencrypted file off of the DME. But first things first: find out exactly what processor is in there.
 

Jake@MHD

Major
Platinum Vendor
Nov 7, 2016
1,612
2,077
0
Philly
CMD Flashtec is usually the first, and I would bet they will be first for B58 as well. With today's level of ECU security, you will always need to bench flash the bootloader first to bypass the RSA check. Unless the keys get leaked :)
 

doublespaces

Administrator
Oct 18, 2016
9,310
4,342
0
AZ
Ride
2009 E93 335i
CMD Flashtec is usually the first, and I would bet they will be first for B58 as well. With today's level of ECU security, you will always need to bench flash the bootloader first to bypass the RSA check. Unless the keys get leaked :)

I have not looked into it, but I know that the method I'm familiar with on the MSD80/1 only allows 1 of 3 sections to be modified. Is the flash for the N55's the same way? Or does that bench flash permit unrestricted access to all areas?
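The two security points raised in this thread, doublespaces' recollection that the MSD80 trick reuses a valid signature from an unmodified area to get a modified section accepted, and Jake@MHD's point that the verifier itself lives in a reflashable bootloader, both come down to how a firmware image verifier is designed. The script below is an added illustration written for this page; it is not MSD80, B58 or any vendor's code, and the image layout, header format and the class of weakness it models are constructed assumptions, not a description of any real DME. HMAC-SHA256 stands in for the RSA signature so it runs offline with only the standard library; the lesson is about what the signature is bound to, not the primitive. It contrasts a weak verifier that trusts header-supplied offsets with a sound one that enforces a fixed layout, full coverage, and a signature over the section's identity as well as its bytes.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key: stands in for the OEM signing key (HMAC replaces RSA here).
DEMO_KEY = b"demo-oem-signing-key"

# Constructed fixed layout the sound verifier enforces: name -> (offset, length).
LAYOUT = {"boot": (0, 16), "cal": (16, 16), "prog": (32, 32)}
IMAGE_LEN = 64


def mac(data: bytes) -> bytes:
    """Signature stand-in: HMAC-SHA256 under the demo key."""
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


@dataclass
class Entry:
    """One header entry: which bytes a signature claims to cover, and the signature."""
    name: str
    offset: int
    length: int
    sig: bytes


def build_image() -> bytes:
    """Constructed 64-byte image: boot | cal | prog."""
    return b"B" * 16 + b"C" * 16 + b"P" * 32


def bound_payload(name: str, offset: int, length: int, body: bytes) -> bytes:
    """What the sound design signs: section identity and placement plus the bytes."""
    return name.encode() + offset.to_bytes(4, "big") + length.to_bytes(4, "big") + body


def sign_unbound(image: bytes) -> list[Entry]:
    """Weak design: the signature covers only the section bytes, not where they sit."""
    return [Entry(n, off, ln, mac(image[off:off + ln])) for n, (off, ln) in LAYOUT.items()]


def sign_bound(image: bytes) -> list[Entry]:
    """Sound design: the signature is tied to name, offset and length as well as bytes."""
    return [Entry(n, off, ln, mac(bound_payload(n, off, ln, image[off:off + ln])))
            for n, (off, ln) in LAYOUT.items()]


def verify_unbound(image: bytes, header: list[Entry]) -> bool:
    """Weak verifier: trusts header offsets and checks each signature over whatever they point at.
    Nothing checks that the modified bytes are covered by any signature at all."""
    return all(hmac.compare_digest(e.sig, mac(image[e.offset:e.offset + e.length])) for e in header)


def verify_bound(image: bytes, header: list[Entry]) -> bool:
    """Sound verifier: fixed layout, every byte covered exactly once, signatures bound to identity."""
    if len(image) != IMAGE_LEN or len(header) != len(LAYOUT):
        return False
    covered = bytearray(IMAGE_LEN)
    for e in header:
        if LAYOUT.get(e.name) != (e.offset, e.length):
            return False  # header may not re-point a section
        body = image[e.offset:e.offset + e.length]
        if not hmac.compare_digest(e.sig, mac(bound_payload(e.name, e.offset, e.length, body))):
            return False
        for i in range(e.offset, e.offset + e.length):
            covered[i] += 1
    return all(c == 1 for c in covered)


def repointed_tamper(image: bytes, header: list[Entry]) -> tuple[bytes, list[Entry]]:
    """Test-case generator modelling the weakness class: alter 'cal', then make its header
    entry point at the untouched 'prog' region and carry prog's valid signature."""
    altered = bytearray(image)
    altered[16:32] = b"X" * 16
    prog = next(e for e in header if e.name == "prog")
    new_header = [Entry(e.name, prog.offset, prog.length, prog.sig) if e.name == "cal" else e
                  for e in header]
    return bytes(altered), new_header


if __name__ == "__main__":
    img = build_image()
    bad, hdr = repointed_tamper(img, sign_unbound(img))
    print("weak verifier accepts re-pointed image:", verify_unbound(bad, hdr))
    bad, hdr = repointed_tamper(img, sign_bound(img))
    print("bound verifier accepts re-pointed image:", verify_bound(bad, hdr))
```

The coverage check matters as much as the binding: a verifier that only asks "is every signature present valid?" never notices bytes that no signature covers. Note also that this example assumes `verify_bound` executes from immutable ROM; if, as Jake@MHD describes, the check lives in a bootloader that can itself be bench-flashed, the verifier is only as strong as the write protection on the region holding it.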