Flash faux pas? Modern BMW turbo flash tuning capability is greatly overstated and not what you think it is

[Sticky]

Sorry to put a damper on the parade but the flash tuning capability of the new turbo M models is greatly overstated. A couple of days ago results were posted of a flash tuned S55 inline-6 which is the turbocharged M motor featured under the hood of the F80 M3 and F82 M4. It is true that this car was flashed but after seeing the article BimmerBoost was contacted by a tuner who wanted to set the record straight on what is actually going on.

Nobody at the moment has real control of any modern ECU used in the turbo BMW's. This includes the F30 models, F10, F12/F13, F82, F80, and so on. The tricore ECU's in these cars have not been cracked. So what exactly is going on?

The tuners claiming the ability to flash are all using the same trick but they are not uploading their own custom tuned software. They are essentially flashing the same files that originate internally from BMW. Some of these files are just press files. Oh, you did not know BMW uses different software on cars they let the press test? Well, namely with the F10 M5 and F12/F13 M6 they do.

Why? The BMW press software will allow a higher margin for a CEL (check engine light). That means you will not see any of those nasty reviews saying the cars went into limp mode. This among other things like traction control changes or higher boost itself. Some tuners have even been using the BMW Competition Package software which is not real flash tuning. It is just uploading BMW's own file.

If anyone needs proof of this ask for a custom dyno tune for your F10 M5 or F80 M3. It is not going to happen, at least not yet. Tuners can play with the bootloader but if they modify outside of certain parameters the checksum fails. If it fails, the software will not flash.

All of the big boys are struggling with this believe it or not. Dimsport which is traditionally the source for a lot of automotive ECU cracks that then spread out (for $ from others) can not flash tune the Tricore ECU's. Some guys may be using this Russian software for the Tricore ECU's to read out of the files but what can they do with it once they do?

The tuner that contacted BimmerBoost said to ask the tuners for proof of their ability. No tuner that has contacted BimmerBoost stating they have the ability to flash tune has demonstrated it. So how do you get a dyno graph showing gains with a flash tune? Well, you can run a car until it is hot and then flash BMW's own software that leaked out and once the car cools down showing gains with a handpicked before and after graph.

BimmerBoost stands by this report that nobody has true flash tuning ability at the moment. BimmerBoost will also state that many tuners make their living simply flashing factory files from Europe over on US cars at a markup. We will not name who it is that predominantly does this but the readers here are smart enough to figure it out.

The flash tuning era of the F80 M3 / F82 M4 and F10 M5 / F13 M6 can not even be stated as being in its infancy as the development is not even that far along. We will see what happens but internal sources at BMW that traditionally have helped can not. You would not either if it meant losing your job.

[Payam@BMS]

Told you it was BS. There is no way that $#@! just "leaks"

[Kommodore]

I wonder what's cheaper? Hiring enough development time to break in with no guarantee of success, or develop a plug & play aftermarket ECU?

[Sticky]

I wonder what's cheaper? Hiring enough development time to break in with no guarantee of success, or develop a plug & play aftermarket ECU?

Neither.

[Sticky]

Told you it was BS. There is no way that $#@! just "leaks"

I don't know if 'BS' is the right term as much as 'misleading' is the right term.

[richpike]

That sucks - so much for the hype. Just tell me Santa Claus and the Easter Bunny are still real?

-Rich

[I6+TT=FTW]

That sucks - so much for the hype. Just tell me Santa Claus and the Easter Bunny are still real?

-Rich

[richpike]

NOOOOO!!!!

-Rich

[135pats]

Ugh. Lame.

Not surprised but lame.

[BrenM3]

Not BS. Press files are different and only applied to the M5/M6. No need to debate it though.

I know where HG/JB get their stuff from.

[Sticky2]

Well you guys are getting it from the same source.

[rawad1017]

well that didn't last very long lol

[bobS]

Not BS. Press files are different and only applied to the M5/M6. No need to debate it though.

I know where HG/JB get their stuff from.

Ok so if Bren is saying it's not bs....then is it not bs? What is true?

[Sticky]

Ok so if Bren is saying it's not bs....then is it not bs? What is true?

Nobody has full access to the ECU is the truth.

[leveraged sellout]

I'm still not sold on this idea that it's a "press tune" since the numbers put down by M5s and M6s by journalists have been slower than what private owners have gotten time and time again.

Looks like it's turning out to be the same for the M3/4 as well. There may well be a different file, but the idea that it's a "press tune" makes no sense to me.

Also, I keep hearing about this "press tune" for S63tu cars but nobody ever seems to be able to verify its existence or even have any evidence that this is what its used for. In fact, I've never seen a single dyno run by any "press tuned" M5 or M6 ever. And, the only times I've seen journalists dyno an M5 or M6, they've gotten lower numbers than what private owners have been able to generate.

Will be very interesting to see what happens with the M3 and M4, looking forward to developments.

[Terry@BMS]

The s63tu flash file that is passed around is the comp package flash. Several tuners market and install it as a flash tune. It's well documented.

On the s55 stuff no idea. The dyno tuned flashed dyno chart they posted seems to closely match our stock s55 numbers and we have no problems pulling our stock car to 170mph (on the speedo) on the dyno. Shrug.

[Sticky]

I'm still not sold on this idea that it's a "press tune" since the numbers put down by M5s and M6s by journalists have been slower than what private owners have gotten time and time again.

As stated it is not just about power. Additionally, press files exist for multiple manufacturers.

Also, I keep hearing about this "press tune" for S63tu cars but nobody ever seems to be able to verify its existence or even have any evidence that this is what its used for.

It's pretty clearly stated.

[Sticky]

The s63tu flash file that is passed around is the comp package flash. Several tuners market and install it as a flash tune. It's well documented.

On the s55 stuff no idea. The dyno tuned flashed dyno chart they posted seems to closely match our stock s55 numbers and we have no problems pulling our stock car to 170mph (on the speedo) on the dyno. Shrug.

The Competition Package stuff should be well known. It should also be well known that many Mercedes tuners used the factory AMG P31 file as a standard C63 tune. This happens with multiple companies not just BMW.

Regarding the flash baseline we saw it was a little low not that all dynojets read the same. The tuned run wasn't even higher than the majority of baseline runs we have seen. So, what's really up?

The fact is nobody has control of these ECU's. I don't care if you can get some factory file to write. That isn't tuning.

[BrenM3]

Press tune was an original thing most did with the F10. Sticky is right. However, Not anymore.

It does not apply anymore or to the F80.

I know the person who originally wrote the tool. There are files for downpipes / bigger turbos / etc. There are full editable definitions available for all F cars if your wallet is deep.

It will be more common as more tuners purchase it. And the truth will be revealed soon.

Your question is better sent to jailbreak.

[Sticky]

Press tune was an original thing most did with the F10. Sticky is right. However, Not anymore.

It does not apply anymore or to the F80.

I know the person who originally wrote the tool. There are files for downpipes / bigger turbos / etc. There are full editable definitions available for all F cars if your wallet is deep.

It will be more common as more tuners purchase it. And the truth will be revealed soon.

Show me a dyno tuned F80 M3.

[leveraged sellout]

What else would it be about...I've seen people get a stock M5 (no comp package) to 60 in less than 3.7 seconds and cut sub-12 quarter mile times. No "press car" has ever done that. Some comp package cars get close, but not quite.

I know it's being stated, but I'm saying I simply don't believe it. I think this is a story that was told by a few and got passed around as fact. Not trying to say you did that, but just in general that seems to be what everyone always says. Also, the people who had their car "press-tuned" by guys who supposedly were able to even do that mysteriously never get their cars dyno'd or run them at the strip. Always seemed funny to me. Like many say, I believe that the "press tune" was a leak of the comp package tune. That would make sense to me.

Its not really a big deal, I just like to stick to known facts. So far, I've never seen a BMW that didn't perform as well or better than BMW or the journalists said it would. Now Ferrari on the other hand....

[Sticky]

What else would it be about...I've seen people get a stock M5 (no comp package) to 60 in less than 3.7 seconds and cut sub-12 quarter mile times. No "press car" has ever done that. Some comp package cars get close, but not quite

I don't know what makes you think press test numbers are the be all end all. So what? Ok, you take a car on a strip. So? The press cars aren't ever prepped for a strip and they likely aren't even testing on a strip.

BMW changes the files to keep the CEL from coming on from repeated laps as stated along with other things. I mean I don't have a whole breakdown for you as I did not develop the software but obviously there are changes to parameters that affect things other than acceleration.

Always seemed funny to me. Like many say, I believe that the "press tune" was a leak of the comp package tune. That would make sense to me.

You seriously think there is just one map? We had reports that BMW was testing the cars with over 700 horsepower. Doubt it? What do you think they do? Just develop one file and that is the chosen one?

Its not really a big deal, I just like to stick to known facts. So far, I've never seen a BMW that didn't perform as well or better than BMW or the journalists said it would. Now Ferrari on the other hand....

You're still missing the point.

[klipseracer]

The way these DME's get hacked quite literally is by someone eaves dropping/infecting bmw employee's computers etc and getting schematics, information, tapping email conversations etc in order to find out clues on how to get around the protections, how protocols work and so on and then they charge boat loads of money for the information. Either that information has not been found, or nobody has paid the sum which is being asked for on the grey/black market.

[Unklejoe]

Sorry for the huge post but is anyone familiar with the security on these ECUs? Or Bosch ECUs in general?

Just trying to learn the technical details for my own curiosity. This info is so hard to come by.

What I gather so far is:

Originally (on older ECUs), the ECU would check the RSA signature of the uploaded flash image AFTER any OBD flashing attempt but ONLY IF certain conditions were met. I have NO IDEA what those conditions are/were, but apparently if you could un-satisfy them, the RSA check would be skipped after flashing. If the signature IS checked, and it is invalid, a flag is set and the car will not start.

Then, Bosch/Infineon supposedly fixed this by forcing the ECU to check the hash every time there was an OBD flash. Simple enough. To get around this, people were forcing the CPU in to “boot mode” by asserting a special pin which allowed them to perform reads/writes via some special CAN pins on the CPU. This bypassed the OBD flashing code and therefore the RSA check. It also required the ECU to be opened.

So now all you would need to do is make sure some general checksums are correct and you could modify the image. But if you ever tried to flash via OBD, you would run in to the same problem.

Do I have this right so far?

Then apparently, some people were able to patch over the portion of the code inside of the function that actually checks the signatures and force it to return a TRUE (or something along those lines). This meant that you could take your protected ECU apart, apply the TPROT disable patch using "boot mode", and then you would be able to flash via OBD again as many times as you want. (This implies to me that it is not possible to flash the boot loader via OBD, but more on that later.)

Either this, or I also read somewhere that they substitute a public key for one which has a known secret key. The result is that you can now sign the images using the new key and it will pass. I don’t know which method is used. The only issue is that the public key was in a region of memory that couldn’t be updated via OBD, so you still needed to take the ECU apart and use the alternate boot method.

My main question is: how is this done on a 2011 N55 for example? You are able to flash those via OBD without manually patching over the tuning protection code.

In other words:

I can use a Cobb to flash my car without having to open the ECU and modify anything and I highly doubt that Cobb has obtained or cracked the BMW encryption key (although I’m not ruling that out). They must be using some other method of getting around the hash check. But how? Maybe the developers of that open source flasher tool for the N54 could explain this to me?

Also, since the ECU will calculate check the RSA signature of the uploaded flash image AFTER any OBD flashing attempt, there is nothing stopping me from uploading a custom image to a 2013 BMW ECU other than the fact that it will brick the ECU afterwards, right?

Also, the fact that the flash can be written via OBD leads me to believe that the program on the ECU copies itself to RAM upon boot up rather than actually executes from flash. Any insight? If the program does NOT copy itself to RAM, it would be impossible to write to flash because the program would be overwriting itself. The other alternative is that the ECU goes in to some sort of boot loader mode during OBD flashing. This indicates that the boot loader is un-modifiable via OBD, due to the same restrictions as above. If the boot loader CAN be updated via OBD (and therefore resides in RAM during flashing), then this means that there must be a way to flash a modified boot loader that is patched to ignore any RSA checks. Only issue is the RSA check after flashing and setting that flag. What would happen if there was a timed CPU reset during OBD flashing just before it could calculate the RSA and set the flag? (This all goes out the window if the ECU checks the signature at every bootup or during runtime).


Questions about the Tricore Alternate Boot Mode:

My question is...what exactly is "boot mode"? From what I gather, this is a hardware mode which allows direct reading and writing of the processor's flash memory (which apparently is inside of the CPU's die, no? Is the flash external?). I believe that when in boot mode, you can read/write memory via designated CAN bus pins.

Is boot mode a hardware feature of the processor or does the boot pin force the ECU in to some sort of boot loader that BMW/Bosch designed? If it's a feature of the hardware, then you should be able to read/write whatever you want to the memory address. If "boot mode" is actually a boot loader, then you are at the mercy of the programming to allow reads/writes. Either could be possible, and I know someone knows the answer. I have a hunch that "boot mode" is a boot loader because of the fact that you can read and write via CAN. The CAN protocol itself can be done in hardware, but the process of issuing commands such as read/write/etc tells me that it relies on a software driver.

I remember reading on Infineon forum that "alternate boot mode" simply alters the reset address of the CPU and causes it to jump in to another boot loader other than default. IDK

Is the flash memory that the CPU BOOTS from (i.e. it's reset address) internal to the CPU die or is it some peripheral chip? Sometimes you can boot strap CPUs to SPI flash.

Another thing that tells me that "boot mode" is actually a boot loader rather than a hardware interface is that there apparently is some sort of password that's required to even enter boot mode. Apparently, there used to be ways to read the boot mode password, but it's extremely hard to find details on this. I have no idea how this password is entered; presumably over the CAN bus.

If "boot mode" was NOT a boot loader but instead a hardware feature, you could run whatever code you wanted to on the CPU. Doubtful.

When the ECU gets updated by the dealer or WinKFP or whatever....does the boot loader get updated as well?

Is the ECU program image provided in the SP-DATEN file encrypted and decoded once inside the ECU by the boot loading code (or whatever code is responsible for handling the OBD flash process)?

Probably. If not, we would be able to disassemble the boot loader portion and go from there. (If there is even a boot loader update over OBD).


Once again, sorry for this long ass post but this forum seems to have smarter people than some of the other ones. This info could benefit everyone.

[leveraged sellout]

I don't know what makes you think press test numbers are the be all end all. So what? Ok, you take a car on a strip. So? The press cars aren't ever prepped for a strip and they likely aren't even testing on a strip.

BMW changes the files to keep the CEL from coming on from repeated laps as stated along with other things. I mean I don't have a whole breakdown for you as I did not develop the software but obviously there are changes to parameters that affect things other than acceleration.



You seriously think there is just one map? We had reports that BMW was testing the cars with over 700 horsepower. Doubt it? What do you think they do? Just develop one file and that is the chosen one?



You're still missing the point.

My point is exactly that the press numbers are not the be-all end-all...frankly I couldn't give a $#@! what they get out of them. I use it as a guideline, but I always see more reliable numbers from private owners.

It's pretty clear that the 700 hp flash map never made it out, we've had heard of it by now. My whole point is that any "press tune" clearly isn't doing anything for the power, as you say. And this "BMW Press Tune" for "more power" that people seem to have "flashed" to their cars seems like at most a leaked version of the Comp. package tune, and frankly I haven't even heard of this for a year at least.

What point is there to miss? My whole point is that there is no leaked press tune for M5s, and so far doesn't seem to be evidence of that happening with the S55 cars either. That's all I'm trying to say.