xHP Flashtool - 6HP21/28 TCU cracked

doublespaces

Administrator
Oct 18, 2016
AZ
Ride
2009 E93 335i
According to a member by the name of dave205t, the RSA encryption the 6hp26(TU)/6hp32(TU) has been bypassed. This should allow for uploading a custom file to the TCU finally.

For those who don't know, TU stands for technical update and AFAIK, the 6HP26(TU) is the 6HP28 and the 6HP32(TU) was the 6HP34, however was never released to production so I'm not sure exactly what dave205t means. But the good news is that this method should work for all 6HP transmissions and opens the door to customization of shift points, line pressures, shift speed and possibly transplantation.

This can be accomplished using any INPA cable probably much like MHD/bummerboost Flash, however he has yet to decide how he wants to monetize his discovery. This is from dave205t:

1) write a tool to read an unmodified standard binary from the TCU -> completed
2) decrypting the compressed code (by writing a tool that can do this) to make sense of it -> completed
3) analyzing code paths in Ida, locating relevant ones to be able to do next steps -> completed
4) writing a tool for correcting checksum, RSA and related on modified file -> completed
5) write a tool to flash this modified (checksum corrected) binary back to TCU and get it to run it -> completed (today - 8-18-16)

Other details include the fact that development mode of the DME was not enabled in order for the exploit to work. RayBan81 and Mik325tds have been given test versions of the tool, in which RayBan81 has confirmed writing works on a 325d and Mik325tds has confirmed it working on a 335d (I know, names are confusing).

Here is an update from RayBan81 regarding the commercialization of the product:

Hi Guys,

first of all, thanks for your patience on this. I can imagine that it's really tough to wait any longer if you know there's already a solution out there. However, what Dave has developed is the method to crack the RSA signature and do all the checksums on the calibration file. What he has not done is make a failsafe and convenient application. At the moment it's just a command line tool that can easily brick the TCU if the input is wrong.

As Michael said, it took Dave quite a while to get this far, and it's completely understandable that he wants some reward for that. Additionally he has a normal day job, and wants to fully return to that work. That means he has no interest in making the tool perfect and fail safe.

From my side, it's quite the same as it is with Dave. It started just as a hobby, but the workload kind of exploded and it's somewhere in the hundreds of hours right now since the beginning of the year. That was my own decision of course, but I kind of slipped into it. I know some people in the tuning industry too and invested time and money to get hold of information on the maps in our TCU in the last months. But it turned out that there simply is NO information around for this unit. I have description files for older BMW 6HP units, I gathered some 6HP files from other brands, but they are all of very little use because of a totally different structure. I was surprised to see that even the same generation 6HPs from other OEMs are organized in a different way. So we had to go the hard way with countless hours of comparing cal files, flashing, logging, flashing, logging again and so on. Maybe some day a complete description file will come up, but I don't expect that to be easy. (more $$)

To really benefit everyone in and outside of the community we basically need 4 parts:

- Easy distribution channel (-> no hardware/shipping)
- Cheap, failsafe, easy to use tool (~ 100 USD, Windows or Android application)
- OTS maps. (335d will be the start, but extension to 335i N54/N55 later on is very likely)
- A way people can create their own maps (create XDF files for TunerPro seems reasonable)

So the plan is to achieve exactly that and I hope that everyone will be satisfied this way. Input is always welcome. Most likely the tool will be released with some basic functionality and will be updated free of charge continuously.

I will keep this thread updated and hope we can communicate a timeline soon!


Best,
Richard

To clear up any confusion about which transmission generation you may have, this is a high value post which I'm reposting here.

TL;DR: This only works with 2nd gen, 6HP19TU AKA 6HP21 and the 6HP26TU AKA 6HP28. This will not currently work with the 6HP19 or 6HP26 without additional development not currently planned.

Hi guys,


it's a little confusing, but I will try to sum it up:


6HP is available in 2 generations in the BMW E9x cars. The first generations are called 6HP19 and 6HP26 by BMW. The second generation is called 6HP19TU and 6HP26TU by BMW. To make things a little more complicated, BMW only refers to the transmissions like that in internal documents, but not in the parts catalogue. There all transmissions are referred to as 6HP19Z and 6HP26Z, regardless of the generation. This is all BMW notation. ZF calls them 6HP19 (1st gen) resp. 6HP21 (second gen) and 6HP26 (first gen) resp. 6HP28 (2nd gen). That's my knowledge at the moment.


The dates for the switch from 1st to 2nd gen are as follows:


Mar 07 for 335i
Mar 07 for 335d
Sep 08 for 325d/330d (M57)


Since AFAIK the 335d was introduced in 2009 to the US market the tool should work for EVERY US 335d.


To clarify: At the moment the tool ONLY works with 2nd gen 6HP transmissions. 1st gen are organized completely differently. Sadly that means that 1st gen cars will not be supported at all. Not at the start and possibly even not later. That depends on whether parts of the method can be carried over, or whether a completely different loophole has to be found.


Best,
Richard

And here is another update regarding the status of development and table discovery:

It has been a while since there has been a progress update by the tuning team. Most of you probably just want to know when the tuner will be available and the price. So, I won't make you read the details below - we don't know that yet.

A member has been added to the team to specifically address the flashing of the tunes. As most are aware, dave205t developed the method to get past the RSA. We have been using that method to test experimental flashes. However, it is not going to be released to the public. Therefore, a secure method of flashing is in development and is progressing nicely.

A flashing method isn't much good without changes to the calibration file. Finding the maps for shifting points and TCC lockup was relatively easy. I believe I identified them a year ago. Mik325tds has been perfecting a calibration he is quite happy with. At low load, shifts come on sooner. Kick downs can be eliminated. Essentially, we can make the shifts happen when we want. I've been able to measure a 3%-4% mileage improvement, over several hundred miles, using a lower shift point strategy. So, if you are averaging 36 mpg, expect that to raise to as much as 37.5 mpg.

As a little treat, Mik325tds spent considerable time finding the bits for turning on D1-D6 display in the dashboard. Kind of a "cool factor" mod.


Controlling shifting speed and firmness is much more complex. For every shift there are pressure adjustments for oncoming and offgoing clutches, shift delays, torque reduction, temperature compensations ... and more. These are organized in sets that pertain to what we are calling the shift programs, meaning multiple levels of automatic, D and manual.

RayBan81 and I have been working together to catalog and observe most of the shift programs. There is much work to be done to trace critical maps to these shift programs. dave205t has been tracing logic and identifying map axes to help connect the various pieces. We have made some recent headway in identifying patterns for the various maps including clutch pressures for upshifts and downshifts, for oncoming and offgoing clutches, torque reduction, and engine rpm shift point limits.

Still much work to do, but progress continues.

We've asked for clarification on what "secure method of flashing" means; most likely a VIN locked flashing process of some kind, in conjunction with safety features to reduce the risk of flashing a brick.

UPDATE from DWR:
It means quite simply that Dave's method will be protected.

Either way, $100 seems like a good deal to us. Let the transmission tuning begin, I'm ready to see for 7500+ RPM shift points.
 

RayBan

Corporal
Oct 27, 2016
www.rbttuning.com
Thx to Tyler, for inviting me here and putting the actual state together.

This project evolved out of the US 335d community at E90Post.com, which I stumbled across approx. 1.5 years ago. Some members there (Mik325td, Derek and more) were putting a lot of effort into kickstarting this with gathering information, logging stuff and connecting people. After some quick wins, the project hit a hard barrier when we discovered that calibration files are digitally RSA signed by BMW. Only files with the correct signature are accepted by the TCU. Otherwise it will stay in boot mode and won't start at all.

After some months of full stop, one member brought up dave205t, who has extensive experience in ECU development and then invested a few months of his spare time to work on cracking the TCU. He finally made it this summer and we were able to successfully flash the first TCU. Lucky guy I am, I was running the first modded ZF6HP26TU transmission in a BMW at the end of July. "Modded" is a big word in that context; it was just the Alpina B3 software running on a non matching transmission and a non matching engine. As expected, the outcome was fairly poor. :)

Since then we, a small project team of 4 people, were constantly flashing, modding, logging, comparing in a never ending process to discover the maps in the TCU and their purpose. A lot of progress has been made since then and we're able to control many aspects of the transmission behaviour by now. There are still things to discover, but at least for the Diesel guys a pretty decent calibration is ready.

That said, the first release will focus on the 335d/330d/325d cars with a 2nd gen 6HP, (see post above for release dates of the 2nd gen) but support will be extended asap to the N54/N55 cars. I'm not able to post a release date for the tool by now, but I hope we can narrow down the timeframe in the next 2 weeks.

As posted by Tyler, it will be priced very competitively and I definitely want it to be community driven. That means everyone will have the opportunity to flash his own calibrations, which of course includes sharing information on the maps and scalars from our side. A VIN lock is obligatory, but I have yet to decide how this will be handled exactly.

I will update this thread as we progress!

Richard
 

LD335xi

New Member
Nov 5, 2016
TCs MN
I will be keeping an eye on this one. I would love to tweak some shift points and firmness in my car.
 

101duck

Specialist
Nov 5, 2016
Straya
Hey mate

Is the 335d Tranny stronger than the 335i Tranny? or just a revision? I have one of each sitting around and am curious to know what the differences are and are they interchangeable.
 

doublespaces

Administrator
Oct 18, 2016
AZ
Ride
2009 E93 335i

They aren't interchangeable, and they are different altogether. They are from the same generation (2) but are different models. The 335d transmission (6hp28) is stronger. The 335i transmission (6hp21) has an upgrade through Nizpro being tested. Nizpro builds the 6hp28 to over 1000hp.

There are a few more details in this thread:

Nizpro 6HP21 Upgrade?
 

nitemare

Private
Nov 5, 2016
Jax, FL
In for updates.....I would love to shift at 7300rpm. Hopefully it will work with a built Propulsion Dynamics/European Transmission with their flashing that is done.
 

doublespaces

Administrator
Oct 18, 2016
AZ
Ride
2009 E93 335i

If you knew what I can't tell you, then you'd be pretty happy.
 

Jabber88

Lurker
Nov 6, 2016
St. Louis
Would love to see the Alpina flash tweaked or even the factory settings tweaked to shift more like the Alpina (more so the second).

I know the highest torque #'s are low in the rev range but I just feel like being in 5th gear by 40 is causing the motor to work harder, having to constantly produce high torque numbers to pull itself in high gear at low speeds in D. Then when in DS it holds the gear way too long at times. Lingering around 4K just cruising seems too high strung for our motors. I think we need a happy medium between stock and the B3 flash.

I'd be interested to see if there is any way to make shift points variable on load instead of rpm.
 

RayBan

Corporal
Oct 27, 2016
www.rbttuning.com
Hi Guys,

today is the day, a lot of you have been waiting for!
Well, maybe not THAT day, but it's the day where we can lift the curtain and give you a lot of information on the tool itself, the release date, and present you with a small teaser I put together on YouTube to show some of the features. Basically, not much has changed since my last post to this topic. We're on a good way to get things going exactly as promised.

The tool will be released under the name xHP - Flashtool and as said will be available on Google Play Store/Android Platform! Planned release date is February 2017.

I know that we've been quiet the last weeks, but this was due to an immense workload to make this happen in time. Most of the work was further reverse-engineering of the calibration files. As it turned out, there is absolutely NO information present on the market covering the 2nd gen 6HP transmissions and (of course...) it's very different in many aspects from the 1st gen 6HPs. Even 2nd gen layouts differ massively between OEMs. Audi handles everything differently than BMW, for example. That said, we had to go the hard way of reversing (most of) everything to make this happen. The outcome so far is well over 1000 tables, which define how this transmission handles everything. There are still a lot more to examine, but as I speak we were able to take 95% control of:
  • Shift Points
  • Torque Converter Lockup
  • Torque Management
  • Shift Pressures, Line pressures
  • Paddle Reaction Time
  • Warmup behaviour
  • ...

For the ones, who don't want to read any more and just watch the actual state of play, here's the link to Youtube: http://bit.ly/2gHK5Hk

The video represents a work-in-progress state of the tune on an N57 diesel. It's not final, nor can it be compared to what is possible on gasoline engines! (in terms of shift times, for example)

This very car has its paddle response time cut by 30% and the shift-time overall by 50%!

It's another league when driving this side-by-side! And of course, this was not timed with my wrist watch; these times are extracted out of logfiles done with Testo! Big thx to pheno and his work!

After completing most of the tune and sorting out tables, the next 2 months will be mostly dedicated to developing the App itself. DWR was so kind to agree on producing an XDF file for TunerPro as soon as we've double checked everything. The XDF will be released together with the App and is, of course, free of charge.

Additionally there will be OTS files to buy in-App for those who don't want to shuffle with bits & bytes themselves. The first group who will get these tunes are N57/M57 diesels with a 2nd gen 6HP transmission. I will elaborate more on this in the next weeks, as BMW (or ZF/Bosch) was so great to not only change memory layouts between 1st and 2nd gen, but even in 2nd gen there are different versions with different memory layouts. My search shows that differing cals were probably only used during transitions from 1st to 2nd gen (so should be very seldom in the field), but it's hard to judge this 100% for now. From what I can tell it's safe to say that EVERY US-based 335d is covered for sure. I will be posting more on that topic in the next weeks!

After market introduction, the next step will be covering the N54/N55 platform. I cannot give a timeline for that, but it's first on my list and I definitely want this to happen asap! So expect it to happen shortly afterwards.

So, I'm sad that we can't make it in time for Santa, but just think about the saying "Anticipation is the greatest joy!" ;-)

Plz feel free to post, ask or suggest things you want to see until release!

Best,
Richard
 

135Pats

Specialist
Nov 17, 2016
MD
Tremendous! I would have thought this a fool's errand a year or two ago.

Now praying that this works for the 6HP in my 1er. It's identical to the E9x 6HP, so here's to hoping.