Drivetrain Open ECU reflashing?
Good to know!
But I don't have a VAG product... Otherwise I'd be a VAG-com customer too!
Matt
ps, I downloaded the software, and loaded it, but didn't install a cable yet... Sometime when I have some free time I'll see what it gets... But in reading the web site there was some hard to read gibberish about downloading the file and encrypting it so that it can be sent to a tuner for tuning in the master SW... I don't know if the stuff you can download is the master or the slave or what it takes to poke around the binary to know what bits do what to whom. There's a reference to WIN-OLS or something that lots of hackers use to look into binaries, but I think it's a bit of an art to figure out the maps.
Yeah....not a lot of support....Kind of out of my league without some sort of guidance.
Yeah the VAG stuff is the bomb....wish they would have finished the BIMcom stuff. You can do some crazy stuff on VAG vehicles with it!
here one of the members has the mini power prog:
https://www.northamericanmotoring.co....php?p=1694749
OK, some more translation...
This is from my friend in Germany...
************************************************** ***
It's not quite clear from the description. It seems that their reader (they call it 'Master') is doing some encoding that only works with the right Tuner software. The 'Semimaster' can write open ECU files (not encoded by the tuning software) but will create encoded files when reading (encoded with the Signature from the Master).
Here is how they make sure you don't abuse their products:
"We reserve the right to check every request for a master unit. The company must prove that it is capable of creating its own tuning files. This can be done with a valid license for a full version of one of the usual tuning software packages (e.g. Winols, Digiview, Race2000 Pro). The documents must show that the requesting company and license owner are identical.
We must state clearly for liability reasons that a sale/resale of any devices to private persons is not possible and explicitly forbidden."
The software might work with generic hardware, but one needs to encode the protocol between the Application and the hardware. If they don't use an authentication method like VAG-COM, one can re-engineer the whole thing by monitoring the USB and the OBD-II/CAN to the ECU.
Aren't tools like this:
http://cgi.ebay.ie/kWP-2000-PLUS-PRO...QQcmdZViewItem
do the same? Reading and flashing the ECU?
Isn't this enough to get the ECU dump and start the bit whacking?
There is a standard (I think J1939) that deals with flashing the ECU via the diagnostic port.
*****************EndComment
So there MAY be ways to get the binary, but then you have to know how to modify it yourself. That's really where the knowledge is, the binary map. That and the checksum calculation. It looks to me that this isn't what we're looking for, but may just be a step in the right direction.
MiniPowerProg or whatever is MTH like, in that you can get the file yourself, but then you have to send it to someone for a map. So no custom tune, and a limited number of mod configuration.
Matt
I honestly don't know if it's progress at all....
To get the map out isn't really that hard for the computer savvy. The communications protocols are defined in SAE standards documents. But what to do with the binary? This is where it gets real hard real fast. The reason that the Dimsport stuff costs what it does is they've cracked the checksum math, and have pretty good knowledge of the binary files so that tuners can get in there and tweak things.
Even with a binary in/out method, you're still screwed on the checksum and the meanings of the map.
Matt
). Anyone?
Are there any Mini Techs out there on this forum that want to give it to the Man? This knowledge should be free, it should be our choices to whether or not we want to "mess" with our cars.
Not exactly.
Here are your options...
For tuning, you can buy some of the programs that allow you to hack and sniff the binaries, but what you're buying is the convenience (they bought the protocols, and wrote the interface, but they have amassed information about the binaries that isn't public domain).
What you're asking for is like saying to Microsoft, I bought office, now give me the sourcecode! There's a lot of IP and trade secrets in how they do what they do, and there's no reason to expect them to give it away.
Matt
Go out and buy a factory diagnostic unit. That's $12k-$20k. But this still doesn't get you the binary maps. There are some lower cost units that are in the $4k plus or minus that do most of what the factory units do, but this still doesn't get you the factory maps. And then there are OBD-II products that get you some data from some of the car, but don't do anything like the factory tools (no coding new modules onto the busses, for example).
The idea that I toyed around with and ultimately abandoned due to having hopelessly little time is fairly do-able, albeit admittedly seriously 'gray hat'... Using the MTH software and cable (or similar tool) to read your stock program over the OBD-II, you can intercept the command series and program code. At that point, you have to read the binary. That is the real job, right there. And you've gotta know more than I to decipher it and modify it (herein being the IP). Anyone can screw around and render the car useless, few can do it right. So, as I stated above, with most of us being low on resources, we would need serious "help" to accomplish anything.
Last edited by ingsoc; Jan 16, 2008 at 04:11 PM.
I'll ask again, any real time logging software that shows knock, octane rating, etc? i.e.:
http://www.limitless.co.nz/
Some more info from my German buddy...
This is about writing to ECUs...
*****************************************
During development and manufacturing of the ECU the ‘JTAG’ interface is used to flash the controller. JTAG is a standard interface supported by most controllers. It allows direct access to the complete memory range. Of course this interface is disabled after manufacturing to prevent unauthorized access.
From now on flashing is only possible via the diagnostic interface (K-Line or CAN). The microcontroller on the ECU can be triggered via the diagnostic tester to switch to boot-load mode. The software interface is pretty much standardized and available, but reading or writing data is protected by two mechanisms:
Authorization
The diagnostic tester must authorize itself. To do so, it requests a seed (random number) from the ECU, calculates the Key (using a secret algorithm) and sends it to the ECU. The ECU knows the algorithm too and will authorize the request.
Since every diagnostic tester must know the algorithm, this is not a very strong protection.
Validation
A much stronger mechanism to prevent manipulation is the validation of the software after flashing.
The car-maker generates a digital fingerprint of the firmware. This is basically a checksum, but very sophisticated. Using a mechanism called SHA-1, it generates a checksum of fixed length that will change with even minor changes of the firmware (change a bit and you get a new checksum..)
This checksum is encrypted by the car-maker with a private key. This is called the ‘signature’.
The signature is stored with the firmware in the microcontroller.
The boot-loader of the ECU knows the public key, decrypts the signature and gets the fingerprint. Now it can validate the firmware.
That's the theory.... Obviously people have found ways around the validation. How else would they be able to do chip-tuning?
************************************************** *******
Now, as to logging software, there are a couple solutions for the R50-53, no good ones for the R56...
BiM-COM is good and fast, but never made it out of Beta. There's no good public knowledge on what's up with it, and Ross-Tech has gone silent. There is a Yahoo group on it, but it's pretty much dormant.
There is an AutoEnginuity program out with BMW extensions, but it SUCKS for data throughput. I have a copy and I really am disappointed with what it does for logging. It makes flowing molasses on a cold day seem quick! And it's almost $500!
Matt
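The two mechanisms Matt's German friend describes (seed/key authorization and hash-then-sign validation) as a runnable illustration added here, not code from the original post or from any ECU vendor. The RSA key pair is a constructed toy (two Mersenne primes, far too small for real use) and the seed/key function is a constructed placeholder, since the real algorithm is secret; the point is to show why a bit flip in a "map" fails validation while a shared-secret handshake only keeps out testers that lack the secret.

```python
import hashlib
import secrets

# Constructed toy RSA key pair (illustration only, not any car-maker's key).
# N is ~216 bits, larger than a 160-bit SHA-1 digest, so textbook RSA on the
# digest is well-defined. Real ECUs use far longer keys and padded signatures.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def fingerprint(firmware: bytes) -> int:
    """SHA-1 digest of the firmware image, as an integer (the 'fingerprint')."""
    return int.from_bytes(hashlib.sha1(firmware).digest(), "big")


def sign_firmware(firmware: bytes) -> int:
    """Car-maker side: the fingerprint under the private key is the 'signature'."""
    return pow(fingerprint(firmware), D, N)


def bootloader_validate(firmware: bytes, signature: int) -> bool:
    """ECU boot-loader side: recover the fingerprint with the public key and
    compare it with a fresh hash of what is actually in flash."""
    return pow(signature, E, N) == fingerprint(firmware)


# Seed/key authorization, modelled as a keyed hash of the seed. The placeholder
# secret below is constructed for this demo; every real tester must carry the
# real algorithm, which is why the post calls this the weaker mechanism.
SHARED_SECRET = b"demo-tester-secret"


def ecu_issue_seed() -> bytes:
    return secrets.token_bytes(4)        # the ECU's random challenge


def compute_key(seed: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    return hashlib.sha1(secret + seed).digest()[:4]


def ecu_check_key(seed: bytes, key: bytes) -> bool:
    return secrets.compare_digest(compute_key(seed), key)


def demo() -> dict:
    firmware = bytes(range(256)) * 16    # constructed 4 KiB "image"
    sig = sign_firmware(firmware)
    tampered = bytearray(firmware)
    tampered[100] ^= 0x01                # flip one bit in a "map" cell
    seed = ecu_issue_seed()
    return {
        "stock_validates": bootloader_validate(firmware, sig),
        "tampered_validates": bootloader_validate(bytes(tampered), sig),
        "tester_authorized": ecu_check_key(seed, compute_key(seed)),
        "wrong_secret_authorized": ecu_check_key(seed, compute_key(seed, b"guess")),
    }
```

Calling `demo()` returns the four outcomes; the tampered image fails only because the boot-loader rehashes flash, and only the holder of `D` can produce a signature that matches a modified image.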
Well then...
what you need to do is find someone who has the "entrepreneurial spirit" and one of the commercial ECU tuning packages... What's interesting here is that while they all have their magic encryption for sending the data back and forth for the checksum calc, when it goes into and out of the ECU, all that stuff is stripped and it's just the binary in its pure form that goes into and out of the car. Then, with some systematic work, you can reverse engineer all the maps the tuning software knows about to find the right bit fields..... Course, that would violate all the terms of use and the like, but if I were to do it, that's how I'd skin the cat....
Matt
I need help skinning the cat! lol I have the fueling, timing and a couple of other tables but am missing so many :( With the first ECU files, if you put them into WinOLS it finds nothing at all!
From my previous searching, nothing ever came of "open-ecu" for the Mini's. However, due to the mods on my car & other tunes having issues, out of necessity I have started reading & writing the BINs in my R53 and figuring out the maps. In essence, I have done much of what has been talked about in this thread. I am an EE by trade so that has helped, and I'm debating what I should do with what I have learned. Make a pkg to sell, or help others. Unfortunately I'm busy, and spending countless hours answering support emails for free doesn't sound like fun. Also with the many hours of work involved in finding & figuring out maps, scalars, constants, switches, etc., I really don't feel like giving it all away for free. Once I get it all sorted, I'll consider putting some kind of package together for people to use, but no promises as I still gotta make a living with real work stuff.
I am thinking about trying to learn XML to figure things out, but programming never was my forte. Started at Turbo Pascal, and never really got it, but I seem to be pretty good with human languages. Go figure.