Announcement

Collapse
No announcement yet.

Any DCT owners changed their final drive / diff ratio?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #16
    this is GTS HW-NR 7844978 ZB-NR 7845773 - SW-NR 7845781
    Last edited by olza; 09-07-2020, 05:28 AM.

    Comment


      #17
      Originally posted by Tomba View Post
      xHP currently supports some DCT transmission and adds the possibility to change the final drive ratio.
      Unfortunately I don't have an A2L file for the DCT transmission. I can read it with X17/Flex tool (MagicMotorsport). But don't know the location/value to edit.

      In attachment DKG/DCT read from E9X M3.
      Internal Flash
      Memory configuration
      Sector Address Size Type
      01 0xA0000000 0x00004000 RW
      02 0xA0004000 0x00004000 RW
      03 0xA0008000 0x00004000 RW
      04 0xA000C000 0x00004000 RW
      05 0xA0010000 0x00004000 RW
      06 0xA0014000 0x00004000 RW
      07 0xA0018000 0x00004000 RW
      08 0xA001C000 0x00004000 RW
      09 0xA0020000 0x00020000 RW
      10 0xA0040000 0x00040000 RW
      11 0xA0080000 0x00080000 RW
      12 0xA0100000 0x00078000 RW

      can you try to rewrite any of first 8 sectors? if so, i can give you patched data with signature check bypass.

      Comment


        #18
        Originally posted by olza View Post

        Internal Flash
        Memory configuration
        Sector Address Size Type
        01 0xA0000000 0x00004000 RW
        02 0xA0004000 0x00004000 RW
        03 0xA0008000 0x00004000 RW
        04 0xA000C000 0x00004000 RW
        05 0xA0010000 0x00004000 RW
        06 0xA0014000 0x00004000 RW
        07 0xA0018000 0x00004000 RW
        08 0xA001C000 0x00004000 RW
        09 0xA0020000 0x00020000 RW
        10 0xA0040000 0x00040000 RW
        11 0xA0080000 0x00080000 RW
        12 0xA0100000 0x00078000 RW

        can you try to rewrite any of first 8 sectors? if so, i can give you patched data with signature check bypass.
        I don't have a car by hand currently. But can do this once I am working again.
        I can change the final drive ratio and read out the memory again after flashing. I suspect they (magicmotorsport) bypass RSA themself. At least as far as I know they do this on Fxx DMEs as well. First flash takes 5-8 minutes. One after that mostly 2 or less minutes. I haven't flashed any DCT yet.

        Comment


          #19
          Originally posted by Tomba View Post

          I don't have a car by hand currently. But can do this once I am working again.
          I can change the final drive ratio and read out the memory again after flashing. I suspect they (magicmotorsport) bypass RSA themself. At least as far as I know they do this on Fxx DMEs as well. First flash takes 5-8 minutes. One after that mostly 2 or less minutes. I haven't flashed any DCT yet.
          it may be other deal, note what calibration is in sector 9. and address edited! its 0x271FE!
          Last edited by olza; 10-08-2020, 10:26 AM.

          Comment


            #20
            Okay, i can write now changed data to DCT via winkfpt.
            So they who have non-stock final gear, or want something else - pm me.

            Comment


              #21
              olza, do you know what the second 1024-bit RSA key is for? In the full binary posted earlier I see 2: One at 0x1F200 and the other at 0x5A7F8. The first one seems to be what's actually used to validate the signatures. Can't figure out what the second one is used for.

              I do have the complete factorization (and therefore the corresponding private key) of the second one, but I just don't know what it's useful for.

              Comment


                #22
                Originally posted by olza View Post

                it may be other deal, note what calibration is in sector 9. and address edited! its 0x271FE!
                Changed it and works. No limp mode or error codes!
                Do you know how to disable error codes?

                Comment


                  #23
                  Originally posted by Tomba View Post

                  Changed it and works. No limp mode or error codes!
                  Do you know how to disable error codes?
                  yes. Did you use your tool to rewrite data? M3/gts version differs with 135/335 not only final ratio, but also wheel factor and other system variables.

                  Comment


                    #24
                    Originally posted by olza View Post
                    yes. Did you use your tool to rewrite data? M3/gts version differs with 135/335 not only final ratio, but also wheel factor and other system variables.
                    I used MagicMotorsport FLEX. After I have written the file with different differential ratio the read was exactly the same.
                    Do you have A2L or disassembled this?

                    Comment


                      #25
                      Originally posted by Tomba View Post

                      I used MagicMotorsport FLEX. After I have written the file with different differential ratio the read was exactly the same.
                      Do you have A2L or disassembled this?
                      disassembled. so there is a proof that bmw tools checks signature only after reflash and once )

                      terra nope. this is how i thinking it is stored.
                      0x1F200 is "compiler bootloader" public signature key. seed key is at 0x1F100. 0-1FFFF boot.
                      data signature is at 0x3FE00 - this is what bmw checks after data reflash. 20000 - 3FFFF data
                      code signature is at 0x40100. 40000 - 16FFFF code...

                      also there are some hashes in a code for "realtime" code consistency checks. but leave them alone.

                      Tomba is there A2L for sale somewhere? id like to look. because of too much tables.
                      Last edited by olza; 11-17-2020, 12:55 PM.

                      Comment


                        #26
                        Originally posted by olza View Post
                        terra nope. this is how i thinking it is stored.
                        0x1F200 is "compiler bootloader" public signature key. seed key is at 0x1F100. 0-1FFFF boot.
                        data signature is at 0x3FE00 - this is what bmw checks after data reflash. 20000 - 3FFFF data
                        code signature is at 0x40100. 40000 - 16FFFF code...
                        Yeah I figured out that much. I just don't know what the purpose of the key embedded in the code section is. Maybe a remnant of something else.

                        Comment


                          #27
                          Originally posted by olza View Post


                          Tomba is there A2L for sale somewhere? id like to look. because of too much tables.
                          I am really impressed what you and tera do and hope I can educate myself to such level program/disassembling wise. Keep up the good work

                          And yes, someone offered me an A2L file for M3 DKG but wanted too much money for it. He was quite offended when I told him that. I am confident a new offer by someone else will come in the future.
                          Most people selling A2L files think they are god, I refuse to play that way. If a new offer comes and you want to contribute in payment of it, just drop me a PM.

                          Comment


                            #28
                            Yes im interested.

                            I am preparing own xdf based on analysis. Shiftmaps, logic keys, limits described. Now shift speed and torque corrections. Pressure next.

                            Comment


                              #29
                              Originally posted by Tomba View Post

                              I am really impressed what you and tera do and hope I can educate myself to such level program/disassembling wise. Keep up the good work

                              And yes, someone offered me an A2L file for M3 DKG but wanted too much money for it. He was quite offended when I told him that. I am confident a new offer by someone else will come in the future.
                              Most people selling A2L files think they are god, I refuse to play that way. If a new offer comes and you want to contribute in payment of it, just drop me a PM.
                              how much was he asking for the A2L file? I'm happy to participate in a group buy at some point.

                              Comment


                                #30
                                I'm also interested in assisting.

                                From what i've read the 3.45 dct works fine, it's the 3.62 that creates problems. However, it seems like a few tuners are able to edit this and make it work properly. I am sure this is not rocket science, but as usual the very few tuners who spent a few hours figuring this out aren't about to tell us abour ir

                                I wish the xhp dct software worked on the e9x dct. It would be nice to have faster than gts software shifts

                                Comment

                                Working...
                                X