I am a two-year tuning master. For some time I’ve been interested in the process, since I’ve seen the guys do a bench flash on my ECU. Ruining the FRM on my car made me a bit more determined to really dive into coming to grips with the BDM process.
So, I placed a few orders in China and all the boxes came in the last few days. Now these are all clone tools, not genuine, but I’m not paying 20 times more for original tools just to scratch an itch. Granted, some of them might not be as good as the real thing and do work perfectly.
As you can see, there’s enough to keep me occupied for some time. There’s a Kess V2, K-tag, FgTech Galletto V54 Master, Xprog V5.50, R270, J-link and a UPA USB V18.104.22.168 red color device programmer. On the Diag side I’ve got a BMW ICOM diagnostic and programming system without WIFI and a Vas5054 for VAG. There’s also an EDC17 C41 ECU for the E90 320d LCI and I’ve got the FRM that came out of my car. Getting the FRM going is the first job. As with most of the ECUs in the later cars, they’re all security protected so getting them to submit to flashing is pretty painful so I’m holding thumbs that the tools I have will be able to do what they say it should.
Getting stuck into the complex electronics part is no problem for me, as I’ve got a very well kitted out Lab in which to play. I used to do some serious embedded electronics and programming stuff in a past life and the passion is still there!
I was going to tackle the FRM tonight, but we’re now the victim of load shedding so that idea went out the window. I will be updating this thread with more meat as I go; hopefully you guys will get some benefit out of it as well.
All the tools I have can do checksum calcs. In fact I had a tuner friend over tonight and he showed me some of the ropes using the K-Tag. He even showed me the process in opening these – we had a couple on the grill in the kitchen in order to soften up the glue. My wife only shook her head…
We flashed a few Tricore ECUs in boot mode and the KTag Ksuite 6.070 master worked perfectly with the difficult EDC17 C41 I had lying about.
What became obvious is that flashing is the really easy part, it’s literally a couple of mouse clicks and it’s done (after butchering the ECU of course). The hard part is understanding how the various aspects of the firmware modules in the ECU interact with other components in the car, like the CAS. These things are packed full of security to specifically prevent what we’re doing here…
Anyway, a few stripped Tricores being massaged into submission
Another one of the silly things I wanted to do was to see if I can’t revive the old FRM3 that stopped working in my car. What happened at the time was that I had disconnected the battery and someone went and closed the boot. The only way I could get the boot open was to connect a PSU to the jump points in the engine bay. Problem was that I only had a 5A PSU at the time; this was enough to release the boot but I managed to mess up the FRM in the process. That’s one of the reasons I built a proper 70A PSU as well.
Anyway, I suspected that the microprocessor in the FRM went into ‘security mode’ because it detected a brown out condition. This sets the tamper flag inside the FRM and it goes dead. Problem is, you can’t read these microprocessors with normal programmers as the code is encrypted and you need a security key to access them.
In comes the XPROG M Box ECU tuning kit that basically allows you to bypass the security measures in these microcontrollers and thus opens it up for you to mess with.
I took a flash dump of the working FRM I’ve got in my car:
I then grabbed the faulty FRM and loaded a known working software version into it and voila! I’ve managed to fix the faulty FRM and my suspicion was confirmed – the FRM was ok electrically but its firmware got messed.
I’m now super chuffed that I can read the security locked microprocessors in these ECU modules. Incidentally, the CAS also uses a microcontroller from the same security protected family.
In other news, I flashed my whole car with the latest 2014 software. And managed to make the USB and BT inoperable.
When looking at the config files of the radio now, I see that there’s no more option to enable USB and BT so I can only assume that BMW ICOM ISTA/P loaded the firmware into the radio that’s used for radios with built in USB and BT. This causes the radio to ignore the MOST loop as it doesn’t need to break out of the radio for these functions anymore. I confirmed that because the MOST loop is now only working under diagnostics, not otherwise. So it’s not bothering to check for a MULF on the MOST bus because it doesn’t need to.
I’ll have to update the radio with the correct software in order to rectify this, but this is merely a theory at this point. I’ve a sneaky feeling this will take a while to get sorted out. In hindsight I should’ve just left the software alone, but where’s the fun in that?