According to a member by the name of dave205t, the RSA encryption on the 6HP26(TU)/6HP32(TU) has been bypassed. This should finally allow uploading a custom file to the TCU.
For those who don't know, TU stands for technical update, and AFAIK the 6HP26(TU) is the 6HP28 and the 6HP32(TU) was the 6HP34; however, it was never released to production, so I'm not sure exactly what dave205t means. But the good news is that this method should work for all 6HP transmissions and opens the door to customization of shift points, line pressures, shift speed and possibly transplantation.
This can be accomplished using any INPA cable, probably much like MHD/bummerboost Flash; however, he has yet to decide how he wants to monetize his discovery. This is from dave205t:
1) write a tool to read an unmodified standard binary from the TCU -> completed
2) decrypting the compressed code (by writing a tool that can do this) to make sense of it -> completed
3) analyzing code paths in IDA, locating relevant ones to be able to do next steps -> completed
4) writing a tool for correcting checksum, RSA and related on modified file -> completed
5) write a tool to flash this modified (checksum corrected) binary back to TCU and get it to run it -> completed (today - 8-18-16)
Other details include the fact that development mode of the DME was not enabled in order for the exploit to work. RayBan81 and Mik325tds have been given test versions of the tool: RayBan81 has confirmed writing works on a 325d, and Mik325tds has confirmed it working on a 335d (I know, the names are confusing).
Here is an update from RayBan81 regarding the commercialization of the product:
Hi Guys,
first of all, thanks for your patience on this. I can imagine that it's really tough to wait any longer, if you know there's already a solution out there. However, what Dave has developed, is the method to crack the RSA signature and do all the Checksums on the calibration file. What he has not done, is make a failsafe and convenient application. At the moment it's just a command line tool, that can easily brick the TCU if the input is wrong.
As Michael said it took Dave quite a while to get this far, and it's completely understandable, that he wants some reward for that. Additionally he has a normal day job, and wants to fully return to that work. That means, he has no interest to make the tool perfect and fail safe.
From my side, it's quite the same as it is with Dave. It started just as a hobby, but the workload kind of exploded and it's somewhere in the hundreds of hours right now since beginning of the year. That was my own decision of course, but I kind of slipped into it. I know some people in the tuning industry too and invested time and money to get hold of information on the maps in our TCU the last months. But it turned out, that there simply is NO information around for this unit. I have description files for older BMW 6HP units, I gathered some 6HP files from other brands, but they are all of very little use because of a totally different structure. I was surprised to see, that even the same generation 6HPs from other OEMs are organized in a different way. So we had to go the hard way with countless hours of comparing cal files, flashing, logging, flashing, logging again and so on. Maybe some day a complete description file will come up, but I don't expect that to be easy. (more $$)
To really benefit everyone in and outside of the community we basically need 4 parts:
- Easy distribution channel (-> no hardware/shipping)
- Cheap, failsafe, easy to use tool (~ 100 USD, Windows or Android application)
- OTS maps. (335d will be the start, but extension to 335i N54/N55 later on is very likely)
- A way people can create their own maps (create XDF files for TunerPro seems reasonable)
So the plan is to achieve exactly that and I hope that everyone will be satisfied this way. Input is always welcome. Most likely the tool will be released with some basic functionality and will be updated free of charge continuously.
I will keep this thread updated and hope we can communicate a timeline soon!
Best,
Richard
To clear up any confusion about which transmission generation you may have, this is a high-value post which I'm reposting here.
TL;DR: This only works with 2nd gen, 6HP19TU AKA 6HP21 and the 6HP26TU AKA 6HP28. This will not currently work with the 6HP19 or 6HP26 without additional development not currently planned.
Hi guys,
it's a little confusing, but I will try to sum it up:
6HP is available in 2 generations in the BMW E9x cars. The first generations are called 6HP19 and 6HP26 by BMW. The second generation is called 6HP19TU and 6HP26TU by BMW. To make things a little more complicated BMW only refers to the transmissions like that in internal documents, but not in the parts catalogue. There all transmissions are referred to as 6HP19Z and 6HP26Z, regardless of the generation. This is all BMW notation. While ZF calls them 6HP19 (1st gen) resp. 6HP21 (second gen) and 6HP26 (first gen) resp. 6HP28 (2nd gen). That's my knowledge at the moment.
The dates for the switch from 1st to 2nd gen are as follows:
Mar 07 for 335i
Mar 07 for 335d
Sep 08 for 325d/330d (M57)
Since AFAIK the 335d was introduced in 2009 to the US market the tool should work for EVERY US 335d.
To clarify: At the moment the tool ONLY works with 2nd gen 6HP transmissions. 1st gen are organized completely differently. Sadly that means that 1st gen cars will not be supported at all. Not at the start and possibly even not later. That depends if parts of the method can be carried over, or if there has to be found a completely different loophole.
Best,
Richard
And here is another update regarding the status of development and table discovery:
It has been a while since there has been a progress update by the tuning team. Most of you probably just want to know when the tuner will be available and the price. So, I won't make you read the details below - we don't know that yet.
A member has been added to the team to specifically address the flashing of the tunes. As most are aware, dave205t developed the method to get past the RSA. We have been using that method to test experimental flashes. However, it is not going to be released to the public. Therefore, a secure method of flashing is in development and is progressing nicely.
A flashing method isn't much good without changes to the calibration file. Finding the maps for shifting points and TCC lockup was relatively easy. I believe I identified them a year ago. Mik325tds has been perfecting a calibration he is quite happy with. At low load, shifts come on sooner. Kick downs can be eliminated. Essentially, we can make the shifts happen when we want. I've been able to measure a 3%-4% mileage improvement, over several hundred miles, using a lower shift point strategy. So, if you are averaging 36 mpg, expect that to rise to as much as 37.5 mpg.
As a little treat, Mik325tds spent considerable time finding the bits for turning on D1-D6 display in the dashboard. Kind of a "cool factor" mod.
Controlling shifting speed and firmness is much more complex. For every shift there are pressure adjustments for oncoming and offgoing clutches, shift delays, torque reduction, temperature compensations ... and more. These are organized in sets that pertain to what we are calling the shift programs, meaning multiple levels of automatic, D and manual.
RayBan81 and I have been working together to catalog and observe most of the shift programs. There is much work to be done to trace critical maps to these shift programs. dave205t has been tracing logic and identifying map axis to help connect the various pieces. We have made some recent headway in identifying patterns for the various maps including, clutch pressures for upshifts and downshifts, for oncoming and offgoing clutches, torque reduction, and engine rpm shift point limits.
Still much work to do, but progress continues.
We've asked for clarification on what "secure method of flashing" means; most likely it is a VIN-locked flashing process of some kind, in conjunction with safety features to reduce the risk of flashing a brick.
UPDATE from DWR:
It means quite simply that Dave's method will be protected.
Either way, $100 seems like a good deal to us. Let the transmission tuning begin, I'm ready to see 7500+ RPM shift points.