MaxxECU cracked the DCT


doublespaces

Administrator
Oct 18, 2016
7,986
AZ
Looks like the TCU finally got cracked, depending on how you define that. It sounds like the exploit is more of a hardware trick rather than something to do with cracking the flashing process itself but I can't confirm anything, just speculation. The good news, it appears there is a method to read and write to the TCU a modified BIN thanks to @N.Ceder at MaxxECU and I'm told it can be done with the gearbox in the car.

The normal M3 DCT has a lower line pressure limit than the 335is and GTS ROMs. They have this transmission in their shop Mustang and decided to set aside two hours to locate the line pressure tables and modified them to allow the higher pressures.

They are apparently in talks with xHP about sharing the method so hopefully we could see something develop soon. I suspect xHP's motivation is to target the F80 DCT rather than the E chassis cars, so hopefully that will trickle down to everyone at some point.

It's kind of the story of the N54 platform as they offered to bring their ECU and skills to us but we scoffed and ran them off about a year ago. People would rather make 300hp out of some silly principle than entertain developments that ultimately can push our platform ahead. Supplementary PI was something people sneered at for several years and look at the new heights it brought us to.

 

RSL

Sergeant
Aug 11, 2017
395
At least someone did. 2.56 in the M3 software would be a big one for E9x DCTs. DriveLogic would be a breeze retrofit at that point and change the whole feel of the car. I wanted IKM0S just to try getting that watered down DriveLogic working.

If @jyamona could add DCT TCU flasher separate or as a module to MHD, that would at least be a great starting point. Read out, start finding tables and test.
 

aus335iguy

Captain
Nov 18, 2017
1,027
Agree RSL. The first domino has fallen. The rest is now inevitable in some form or another.
If I were a betting man I would say the cost of second hand DCT boxes will eventually go up as well. Once people know they can play in this sort of space we’ll see more transplants into other chassis becoming more commonplace.
 
  • 1Like
Reactions: RSL

aus335iguy

Captain
Nov 18, 2017
1,027
I think this means it’s cracked. They’ve found the tables related to line pressure. The rest will follow in due course. The first one to market will likely dominate sales.
 
  • 1Like
Reactions: NoGuru

N.Ceder

New Member
Apr 17, 2019
6
We will most likely NEVER package this to a commercial TCU flash anyway, but we might implement a TCU flash option in our MaxxECU, since that is our platform of development.
We are not TCU flashers, we just wanted to increase line pressure on the M3 gearbox we have behind our 1600Nm Ford Coyote engine.

We can probably do some flash options pretty easily if we put a few more hours looking at the binary files, like shifting point, rear end ratio, launch rpms. The problem is to package it as a commercial package for end users as many users seem to want us to do...

Currently, we must use our CAN tool to flash a new firmware, which takes around 18 seconds when the TCU is rebooted into "developer mode", which required a pretty easy CAN sequence and power cycle procedure.

Let's see what happens next, we might give the solution away, we have not yet decided...
 

N.Ceder

New Member
Apr 17, 2019
6
Please consider us poor end users who can't make simple final drive changes yet :sleepy:
You can do that with a simple CAN relayer and probably like 100 lines of code. No need for a TCU flash, if you know how to do it and what to do :)

As I said, our primary target is not guys running stock DMEs.
 

aus335iguy

Captain
Nov 18, 2017
1,027
I know and I agree it’s straightforward ......for someone who knows.

Just as MHD has surpassed the JB4 (my opinion, folks), the best solution is not another device.
 

doublespaces

Administrator
Oct 18, 2016
7,986
AZ
You can do that with a simple CAN relayer and probably like 100 lines of code. No need for a tcu flash, if you know how to do it and what to do :)

As I said, our primary target is not guys running stock DMEs.
It's great what you guys have accomplished. Your efforts are appreciated!
 
  • 1Agree
Reactions: fmorelli

azshantris

New Member
Aug 27, 2019
4
Awesome news in any scenario! Has me awfully hopeful and excited for some rather sweet options later! I was just messaging a tuner today about how to get more out of the dct in my 135i. Looking forward to seeing where this goes
 

NoQuarter

Captain
Nov 24, 2017
1,162
Indiana, USA
You can do that with a simple CAN relayer and probably like 100 lines of code. No need for a tcu flash, if you know how to do it and what to do :)

As I said, our primary target is not guys running stock DMEs.
Are you implying we can intercept the CAN message to the TCU and substitute one message for another? Is the CAN message a drive ratio or something more subtle?
 

aus335iguy

Captain
Nov 18, 2017
1,027
And no the ‘speedo healer’ thingies won’t do it unless they’re designed to convert can messaging. My understanding is that they simply change the number of pulses the DSC sees. This wouldn’t be good if you intend to drive your car on the street. For a track car though.....
 

NoQuarter

Captain
Nov 24, 2017
1,162
Indiana, USA
So...
1) Attach canbus device between the DSC and the PT-CAN
2) Log messages coming from the DSC to PT-CAN
3) Correlate those messages with increasing wheel speeds
5) Determine the address that carries wheel speed data
6) Attempt to determine encoding scheme of the speed in the data packet
7) Do the math to determine what speed we need the TCU to see
8) Attach canbus device between the TCU and PT-CAN
9) Intercept incoming wheel speed address from PT-CAN.
10) Forward corrected wheel speed packet to TCU
11) Pass all other addresses

??
 

aus335iguy

Captain
Nov 18, 2017
1,027
This is what I think ...


1) Attach canbus device between the TCU and the PT-CAN
2) Log messages coming from the DSC to TCU
3) Correlate those messages with increasing wheel speeds
5) Determine the address that carries wheel speed data
6) Attempt to determine encoding scheme of the speed in the data packet
7) Do the math to determine what speed we need the TCU to see
8) Attach canbus device between the TCU and PT-CAN
9) Intercept incoming wheel speed address from PT-CAN.
10) Forward corrected wheel speed packet to TCU
11) Pass all other addresses
 

aus335iguy

Captain
Nov 18, 2017
1,027
Caveat - My advice is purely from a theoretical perspective and is untested. I might just be some crazy bloke on the internet :D I understand how packet networks carry data and know what needs to be done but don’t have the skills to do the coding to get it to work without investing significant time to relearn.

All other devices connected to the network eg KOMBi and DSC would need accurate wheel speed data. The interception/substitution of wheel speed data should only be for the TCU hence my slight correction of your plan.

After you’ve built it I’ll buy one off you.
 

NoQuarter

Captain
Nov 24, 2017
1,162
Indiana, USA
The interception/substitution of wheel speed data should only be for the TCU hence my slight correction of your plan.
We are on the same page here.

Your line 2 - Don't know at this point what the DSC address is. Here we would see everything on the PT-CAN and hidden in the mix would be the DSC packets.

My line 2 reads packets that could only be coming from the DSC, thus revealing the address(es). Likewise, my number 8 would imply figuring out the TCU address(es).

Anyway... seems plausible. I have done similar reading/writing to the PT-CAN
 
  • 1Like
Reactions: aus335iguy
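
The logging and correlation steps of the plan above (log frames, correlate with wheel speed, find the address, work out the encoding), as an added example that is not code from any poster in this thread. It runs offline on a constructed log: the CAN IDs, byte layout and the 0.0625 km/h per count scale are made-up sample values, not real PT-CAN data, and a little-endian 16-bit field is an assumption.

```python
import math
import struct

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:  # a constant field cannot carry the signal
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / math.sqrt(sxx * syy)

def rank_speed_fields(frames, ref_speed):
    """frames: [(t_seconds, can_id, payload)], ref_speed: t -> km/h.
    Treats every adjacent byte pair as a candidate little-endian uint16 and
    returns [(abs_r, can_id, offset, kmh_per_count)], best match first."""
    series = {}
    for t, can_id, data in frames:
        for off in range(len(data) - 1):
            raw = struct.unpack_from("<H", data, off)[0]
            series.setdefault((can_id, off), []).append((raw, ref_speed(t)))
    ranked = []
    for (can_id, off), pairs in series.items():
        raws, refs = zip(*pairs)
        denom = sum(x * x for x in raws)
        # Least-squares scale through the origin (assumes no offset term).
        scale = sum(x * y for x, y in zip(raws, refs)) / denom if denom else 0.0
        ranked.append((abs(pearson(raws, refs)), can_id, off, scale))
    return sorted(ranked, reverse=True)

def constructed_log():
    """Constructed sample: IDs, layout and 0.0625 km/h/count are made up."""
    frames = []
    for i in range(101):
        t = i / 10.0       # 0..10 s while the reference ramps 0..100 km/h
        counts = i * 16    # i km/h at 0.0625 km/h per count
        frames.append((t, 0x100, bytes([i % 16, 0]) + struct.pack("<H", counts) + b"\x00" * 4))
        frames.append((t, 0x200, bytes.fromhex("a55a000000000000")))  # static status
        frames.append((t, 0x300, struct.pack("<H", (i * 37) % 1000) + b"\x00" * 6))
    return frames

def reference_kmh(t):
    return 10.0 * t  # stands in for GPS or dyno speed logged alongside the bus

if __name__ == "__main__":
    for abs_r, can_id, off, scale in rank_speed_fields(constructed_log(), reference_kmh)[:3]:
        print(f"id=0x{can_id:03X} offset={off} |r|={abs_r:.3f} km/h per count={scale:.4f}")
```

The runner-up in the ranking is the high byte of the same field read at the next offset, which is why the top hit should be confirmed against its neighbours before settling on a layout.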
