05-02-2017, 04:27 PM | #1 | |
Brigadier General
1593
Rep 3,945
Posts
Drives: 2015 M4 MG/SO
Join Date: Mar 2014
Location: MTL, QC
|
ECU counters and stats
DISCLAIMER: This investigation is intended so we learn about our cars, not responsible for any misuse of information below.
Chasing where car data, logs, counters, stats are stored in our vehicle, I have discovered many interesting facts that are summarized in various threads, one fun one is Interesting stats for DCT. I have many theories but haven't yet done any testing to understand how and if any of those counters survive flashing. An interesting comment made by BuLoOoSki regarding DME programming counter. Quote:
Last edited by aboulfad; 09-09-2017 at 08:45 AM.. |
|
05-02-2017, 07:05 PM | #2 | |
Brigadier General
|
Quote:
|
|
|
05-03-2017, 09:30 AM | #3 | |
Colonel
749
Rep 2,108
Posts |
Quote:
__________________
2015 BMW F80 M3: Tractive EDC Suspension / Dinan Anti-Roll Bars / GC Camber Plates / KMP Dual Diff Mount / Girodisc Rotors / GT4 Brake Cooling Kit / PTF Flash Tune / Eisenmann Downpipes / CSF Heat Exchanger / BMS Charge Pipes
2007 BMW E92 335i (SOLD): BMS JB4 / Quaife LSD / Riss Racing DPs / Helix Intercooler / BMS Intake / STETT Charge Pipe / Forge DVs |
|
|
05-03-2017, 09:38 AM | #4 |
Colonel
|
I was just going through the DME files I have and found something interesting. Prior to getting BM3, I had been flashed by another company. That company used CMD flash and the readout files they obtained are slightly different. First off, the DFLASH file is 128KB, and then I realized that they only obtain one of the two 2MB files and only modify that. So I'm guessing that they only modify one area of the DME and leave the other half unchanged? But not sure about the 128KB file.
|
05-03-2017, 09:54 AM | #5 |
Brigadier General
|
BuLoOoSki, that is most interesting (read PM). 64Kb is also the size of our BTLD. That is most interesting about that company modifying PFLASH0 only, that explains a few things; it's like I am connecting some dots, but not there yet... a futile exercise.
The region from 0x8020 0000 to 0x8021 0000, which is the first 64Kb of PFLASH1, is the same data as that mysterious stuff being dumped into FASTA (STATUS_TRIPRCRD*). Given that the other company modified the first 2Mb, it could imply many things without some details about the content of the 2nd 2Mb. Previous devices from Infineon only had 2Mb; the TC1797, being a high-end chip, has 2x2Mb (PMU0/PMU1). I gotta finish mapping the TC1797 memory usage and stop being lazy... The tamper code delete most likely does not lie in data, but rather in program memory, similar to the techniques to remove any other DTC, but I am only learning so don't quote me.
Last edited by aboulfad; 05-03-2017 at 09:59 AM.. |
|
05-03-2017, 11:26 AM | #6 | |
Addicted to Speed.
711
Rep 2,375
Posts |
Quote:
__________________
2017 991.2s
2015 F15 35i 2017 Macan gts |
|
|
05-03-2017, 12:37 PM | #7 | |
Brigadier General
|
Quote:
And we're guessing the contents of that file. I don't have it to look into it, but it seems closely linked to triprcrd... and I have those via FASTA.
Last edited by aboulfad; 05-03-2017 at 12:46 PM.. |
|
|
05-03-2017, 06:17 PM | #8 |
Colonel
|
Like it says in my post quoted in the OP's first post, I don't know. But I think so. There is an option on the BM3 that says Full Restore; I haven't tried it.
|
05-03-2017, 06:32 PM | #9 |
Brigadier General
|
|
|
05-03-2017, 09:31 PM | #10 | |
Brigadier General
|
Quote:
The first 64k (roughly) of the TC1797 is the bootloader and the next 64k is still not figured out. How do I know all this? Well, thanks to the .xml files we have in the psdZ, more to come. BTW, that company grabbed Segment 1 of DME, because at 0x8018 0000 is the DME variant file |
|
|
05-04-2017, 11:29 AM | #11 | |
Lieutenant
253
Rep 472
Posts |
Quote:
A. So that is where the DME is identified as a ZCP, non-ZCP, GTS, etc?
B. Once you've mapped the DME memory, would it be useful to capture the I/O of an actual DME flash or two? Using your memory map as a template, perhaps you could then track which regions are changing/not changing when flashing different swfls. For example, if you captured the I/Os of flashing ZCP, non-ZCP, and ECE swfls, by process of elimination you might be able to identify which regions are free of FSC or other write limitations and which ones aren't. |
|
|
05-04-2017, 11:56 AM | #12 | ||
Brigadier General
|
Quote:
Quote:
As for your comment on FSC, give it up, it is so much more complex than you can imagine. I wager it's easier that we figure out how to tune our engines than cracking engine FSCs, and tuning engines is an insanely infinitely complex task! I'll post the memory map shortly; in the end it was easy, but it won't be of much help to anyone |
||
|
05-04-2017, 12:57 PM | #13 | |
Lieutenant
|
Quote:
I was referring to the use of a tool like tcpdump to capture the raw TCP/IP data transferred when flashing the DME with e-sys. Using the timestamp of the e-sys logs, the timestamped raw TCP I/O data, and your memory map, you may be able to specify further which regions of the DME memory remain constant amongst the various DME configs (260a, 260c, 38a8, 38ac, etc), as well as which ones change, during the actual flashing process. |
|
|
05-04-2017, 01:20 PM | #14 | |
Brigadier General
|
Quote:
Btw, just to add mystery for your FSC/ZCP curiosity, I have a dB that contains pretty much all the software file list for all the variants and the ZCP has a special entry that does not map to any file! |
|
|
05-04-2017, 01:30 PM | #15 | |
Lieutenant
|
Quote:
Code:
17-04-23 22:10:07,860 [INFO] [FlashTask - vin:WBS8M9C55G5D30728 - ecu:DME2 - da:0x12] com.bmw.prodias.io.tcp.HsfzTcpCommunicationLink: will send data for host 169.254.113.41 on port 6801, SA= 0xF4, TA= 0x12, link data= 0x00 0x00 0x10 0x00 0x00 0x01 0xF4 0x12 0x36 0x84 0x3B 0x00 0x02 ... 0x37 0x01 0xE4 0xF1 [ParallelTask-41] DiagAdresses: 0xf4 -> 0x12

0x00 0x00 0x10 0x00 0x00 0x01 0xF4 0x12 0x36 0x84 0x3B 0x00 0x02

If that was found in the TCP dump and was unique to the time of 22:10:07,860 within the TCP dump, then you could look for that data sequence (plus a large chunk of immediately adjacent data to maximize the probability of having a unique piece of data) in the DME and swfl. This would allow you to correlate the swfl data and the DME memory data on a 1:1 basis. That would be pretty cool IMO. |
|
|
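Added example, not part of the original posts and not E-Sys code: decoding the frame head from a log line of the shape posted in #15, then showing why the short visible data run needs extending from the capture before it can be matched uniquely. It assumes the logged link data is laid out as a 4-byte length, a 2-byte control word, source address, target address and then the UDS message, which the SA/TA printed on the same line lets the code cross-check; `decode`, `offsets`, the placeholder VIN and the capture and image bytes are all constructed for illustration.

```python
import re

# UDS request service IDs (ISO 14229); a positive response is SID + 0x40.
UDS = {0x10: "DiagnosticSessionControl", 0x27: "SecurityAccess",
       0x31: "RoutineControl", 0x34: "RequestDownload",
       0x36: "TransferData", 0x37: "RequestTransferExit", 0x3E: "TesterPresent"}

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) \[INFO\].*?ecu:(?P<ecu>\w+).*?"
    r"SA= (?P<sa>0x[0-9A-Fa-f]{2}), TA= (?P<ta>0x[0-9A-Fa-f]{2}), "
    r"link data= (?P<data>(?:0x[0-9A-Fa-f]{2} |\.\.\. )+)")

def decode(line):
    # Returns None for lines that are not "will send data" records.
    m = LINE.match(line)
    # Only the bytes before the "..." elision form a contiguous run.
    head = bytes(int(b, 16) for b in m["data"].split("...")[0].split()) if m else b""
    if len(head) < 9:
        return None
    if (head[6], head[7]) != (int(m["sa"], 16), int(m["ta"], 16)):
        raise ValueError("frame addresses disagree with the logged SA/TA")
    return {"ts": m["ts"], "ecu": m["ecu"], "head": head,
            "length": int.from_bytes(head[:4], "big"),
            "control": int.from_bytes(head[4:6], "big"),
            "service": UDS.get(head[8], "unknown"), "payload": head[9:]}

def offsets(needle, haystack):
    # Every offset at which needle occurs, overlapping matches included.
    return [m.start() for m in re.finditer(b"(?=" + re.escape(needle) + b")", haystack)]

# Log line in the shape posted above; the VIN is a placeholder.
SAMPLE = ("17-04-23 22:10:07,860 [INFO] [FlashTask - vin:PLACEHOLDERVIN000 - "
          "ecu:DME2 - da:0x12] com.bmw.prodias.io.tcp.HsfzTcpCommunicationLink: "
          "will send data for host 169.254.113.41 on port 6801, SA= 0xF4, "
          "TA= 0x12, link data= 0x00 0x00 0x10 0x00 0x00 0x01 0xF4 0x12 0x36 "
          "0x84 0x3B 0x00 0x02 ... 0x37 0x01 0xE4 0xF1 [ParallelTask-41]")
# Constructed stand-ins for a TCP capture and a memory image, not real firmware.
FRAME = decode(SAMPLE)
EXTRA = bytes([0xAA, 0xBB, 0xCC, 0xDD])
CAPTURE = b"\x00" * 20 + FRAME["head"] + EXTRA + b"\x00" * 20
IMAGE = b"\x3B\x00\x02\x11" + b"\xFF" * 12 + b"\x3B\x00\x02" + EXTRA
# TransferData parameters are a block counter followed by the data itself.
KEY = FRAME["payload"][1:]                       # 3B 00 02: too short to be unique
at = offsets(FRAME["head"], CAPTURE)[0] + len(FRAME["head"])
LONG_KEY = KEY + CAPTURE[at:at + 4]              # extended with bytes from the capture
```

The log truncates the frame at the `...`, so only three data bytes are usable from the log alone; the timestamped capture is what supplies the adjacent bytes needed for a unique match.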
05-04-2017, 01:34 PM | #16 | |
Brigadier General
|
Quote:
Oh, what about your ESys psdZ log when you flashed DME? Can you send it my way, please? |
|
|
05-04-2017, 01:43 PM | #17 |
Brigadier General
|
FYI, Celestion, putting aside FSC stuff, I've correlated 1:1 where stuff goes. Because I have found an M4 DME file on the net, I know exactly what goes where, minus that ~60k just before 0x8002 0000 (seg 1 of file Z).
I thought that was cool, but it gives you almost nothing; it's step 0 for the next 100 remaining steps. |
|
05-04-2017, 02:10 PM | #18 | |
Lieutenant
|
Quote:
errr, I removed them for... science? |
|
|
05-04-2017, 02:43 PM | #19 |
Lieutenant
|
|
|
05-04-2017, 03:04 PM | #20 |
Brigadier General
|
FYI, you can't modify the swfl's without re-calculating a special checksum, and probably the hash is signed (or some weird stuff), so what experiments were you thinking about? As I mentioned in my other thread, a previous BP member almost came close to prog max trying to get ZCP firmware to run on M4. I think you must be related to each other
|
|
05-04-2017, 03:18 PM | #21 | |
Lieutenant
|
Quote:
You would need to have the TCP dump mapped to do this though. |
|
|
05-04-2017, 03:50 PM | #22 | ||
Brigadier General
|
Quote:
Quote:
The purpose of this service is to transmit data that is protected against attacks from third parties, which could endanger data security"
- Most of the hex you see in your file are UDS request/response control messages, so yes, you need the tcpdump, and sniffing a DME flash session may not be a great idea, especially if you are running wireshark/tcpdump on the same host, but it is doable.
- I appreciate your enthusiasm, there are specific checksum algos from each ECU manufacturer for each ECU, this is another world... (FYI, I know very little, but enough to know this is extremely complex) and without specialized tools, you/I/we are just shooting in the dark.
OK, now I need to figure the remaining bit... |
||
|
|
|