MaxxECU cracked the DCT

doublespaces

Administrator
Oct 18, 2016
9,303
4,331
0
AZ
Ride
2009 E93 335i
Looks like the TCU finally got cracked, depending on how you define that. It sounds like the exploit is more of a hardware trick than something to do with cracking the flashing process itself, but I can't confirm anything, just speculation. The good news: it appears there is a method to read the TCU and write a modified BIN back to it, thanks to @N.Ceder at MaxxECU, and I'm told it can be done with the gearbox in the car.

The normal M3 DCT has a lower line pressure limit than the 335is and GTS ROMs. They have this transmission in their shop Mustang and decided to set aside two hours to locate the line pressure tables and modify them to allow the higher pressures.

They are apparently in talks with xHP about sharing the method so hopefully we could see something develop soon. I suspect xHP's motivation is to target the F80 DCT rather than the E chassis cars, so hopefully that will trickle down to everyone at some point.

It's kind of the story of the N54 platform: they offered to bring their ECU and skills to us, but we scoffed and ran them off about a year ago. People would rather make 300hp out of some silly principle than entertain developments that ultimately can push our platform ahead. Supplementary PI was something people sneered at for several years, and look at the new heights it brought us to.

(12 Facebook screenshots attached, dated 2019-08-23)
 

RSL

Lieutenant
Aug 11, 2017
937
501
0
At least someone did. 2.56 in the M3 software would be a big one for E9x DCTs. DriveLogic would be a breeze retrofit at that point and change the whole feel of the car. I wanted IKM0S just to try getting that watered down DriveLogic working.

If @jyamona could add DCT TCU flasher separate or as a module to MHD, that would at least be a great starting point. Read out, start finding tables and test.
 

aus335iguy

Colonel
Nov 18, 2017
2,248
803
0
Down under
Ride
335i DCT 2009
Agree RSL. The first domino has fallen. The rest is now inevitable in some form or another.
If I were a betting man I would say the cost of second hand DCT boxes will eventually go up as well. Once people know they can play in this sort of space we'll see more transplants into other chassis becoming commonplace.
 
  • Like
Reactions: RSL

aus335iguy

Colonel
Nov 18, 2017
2,248
803
0
Down under
Ride
335i DCT 2009
I think this means it’s cracked. They’ve found the tables related to line pressure. The rest will follow in due course. The first one to market will likely dominate sales.
 
  • Like
Reactions: NoGuru

N.Ceder

New Member
Apr 17, 2019
6
8
0
Ride
mustang with bmw dct
We will most likely NEVER package this as a commercial TCU flash anyway, but we might implement a TCU flash option in our MaxxECU, since that is our platform of development.
We are not TCU flashers, we just wanted to increase line pressure on the M3 gearbox we have behind our 1600Nm Ford Coyote engine.

We can probably do some flash options pretty easily if we put a few more hours into looking at the binary files, like shift points, rear end ratio, launch RPM. The problem is packaging it as a commercial package for end users, as many users seem to want us to do...

Currently, we must use our CAN tool to flash a new firmware, which takes around 18 seconds when the TCU is rebooted into "developer mode", which requires a pretty easy CAN sequence and power cycle procedure.

Let's see what happens next, we might give the solution away, we have not yet decided...
 

N.Ceder

New Member
Apr 17, 2019
6
8
0
Ride
mustang with bmw dct
Please consider us poor end users who cant make simple final drive changes yet :sleepy:
You can do that with a simple CAN relayer and probably like 100 lines of code. No need for a tcu flash, if you know how to do it and what to do :)

As I said, our primary target is not guys running stock DMEs.
 

aus335iguy

Colonel
Nov 18, 2017
2,248
803
0
Down under
Ride
335i DCT 2009
I know and I agree it’s straightforward ......for someone who knows.

Just as MHD has surpassed the JB4 (my opinion folks), the best solution is not another device.
 

doublespaces

Administrator
Oct 18, 2016
9,303
4,331
0
AZ
Ride
2009 E93 335i
You can do that with a simple CAN relayer and probably like 100 lines of code. No need for a tcu flash, if you know how to do it and what to do :)

As I said, our primary target is not guys running stock DMEs.

It's great what you guys have accomplished. Your efforts are appreciated!
 
  • Agree
Reactions: fmorelli

azshantris

Corporal
Aug 27, 2019
151
136
0
Ride
2011 135i N55 DCT GTX1000
Awesome news in any scenario! Has me awfully hopeful and excited for some rather sweet options later! I was just messaging a tuner today about how to get more out of the dct in my 135i. Looking forward to seeing where this goes
 

JohnDaviz

Lieutenant
Jan 6, 2019
863
577
0
Ride
335i E92 DCT
So somebody is in contact with them.

MHD? XHP?

Give us some info :D Pllllsss
 

Attachment: Bildschirmfoto 2019-09-07 um 10.03.12.png

NoQuarter

Major
Nov 24, 2017
1,662
1,066
0
Indiana, USA
Ride
Z4 35is, 535xi, X5 35i
You can do that with a simple CAN relayer and probably like 100 lines of code. No need for a tcu flash, if you know how to do it and what to do :)

As I said, our primary target is not guys running stock DMEs.

Are you implying we can intercept the CAN message to the TCU and substitute one message for another? Is the CAN message a drive ratio or something more subtle?
 

aus335iguy

Colonel
Nov 18, 2017
2,248
803
0
Down under
Ride
335i DCT 2009
And no the ‘speedo healer’ thingies won’t do it unless they’re designed to convert can messaging. My understanding is that they simply change the number of pulses the DSC sees. This wouldn’t be good if you intend to drive your car on the street. For a track car though.....
 

NoQuarter

Major
Nov 24, 2017
1,662
1,066
0
Indiana, USA
Ride
Z4 35is, 535xi, X5 35i
So...
1) Attach canbus device between the DSC and the PT-CAN
2) Log messages coming from the DSC to PT-CAN
3) Correlate those messages with increasing wheel speeds
5) Determine the address that carries wheel speed data
6) Attempt to determine encoding scheme of the speed in the data packet
7) Do the math to determine what speed we need the TCU to see
8) Attach canbus device between the TCU and PT-CAN
9) Intercept incoming wheel speed address from PT-CAN.
10) Forward corrected wheel speed packet to TCU
11) Pass all other addresses

??
 

aus335iguy

Colonel
Nov 18, 2017
2,248
803
0
Down under
Ride
335i DCT 2009
This is what I think ...


1) Attach canbus device between the TCU and the PT-CAN
2) Log messages coming from the DSC to TCU
3) Correlate those messages with increasing wheel speeds
5) Determine the address that carries wheel speed data
6) Attempt to determine encoding scheme of the speed in the data packet
7) Do the math to determine what speed we need the TCU to see
8) Attach canbus device between the TCU and PT-CAN
9) Intercept incoming wheel speed address from PT-CAN.
10) Forward corrected wheel speed packet to TCU
11) Pass all other addresses
 

aus335iguy

Colonel
Nov 18, 2017
2,248
803
0
Down under
Ride
335i DCT 2009
Caveat - My advice is purely from a theoretical perspective and is untested. I might just be some crazy bloke on the internet :D I understand how packet networks carry data and know what needs to be done but don’t have the skills to do the coding to get it to work without investing significant time to relearn.

All other devices connected to the network eg KOMBi and DSC would need accurate wheel speed data. The interception/substitution of wheel speed data should only be for the TCU hence my slight correction of your plan.

After you’ve built it I’ll buy one off you.
 

NoQuarter

Major
Nov 24, 2017
1,662
1,066
0
Indiana, USA
Ride
Z4 35is, 535xi, X5 35i
The interception/substitution of wheel speed data should only be for the TCU hence my slight correction of your plan.

We are on the same page here.

Your line 2 - Don't know at this point what the DSC address is. Here we would see everything on the PT-CAN and hidden in the mix would be the DSC packets.

My line 2 reads packets that could only be coming from the DSC, thus revealing the address(es). Likewise, my number 8 would imply figuring out the TCU address(es).

Anyway... seems plausible. I have done similar reading/writing to the PT-CAN
 
  • Like
Reactions: aus335iguy
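The relay that NoQuarter's and aus335iguy's numbered lists above describe, written out as an added example; this is not code from anyone in the thread, from MaxxECU or from xHP. It covers the two technical halves of the plan: the correlation step (log every frame on the bus alongside a reference speed trace and find the ID and byte field that tracks it) and the gateway step (rescale only that field on the TCU side of the bus and pass everything else through). The arbitration IDs 0x100/0x200/0x300, the four-wheel 16-bit little-endian layout, the 0.01 km/h per bit scaling, the six-sample log and the 3.08 to 3.46 final drive change are all constructed for the example and are not claimed to match the real PT-CAN; the direction of the new/old scaling is an assumption about how the TCU uses wheel speed, stated in the code.

```python
"""Added example: CAN gateway sketch for a TCU-only wheel-speed rewrite.
Everything below (IDs 0x100/0x200/0x300, byte layout, 0.01 km/h per bit,
the log) is constructed for illustration, not taken from a real PT-CAN."""
import struct
from dataclasses import dataclass
from math import sqrt
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Frame:
    arb_id: int
    data: bytes


WHEEL_FIELDS = (0, 2, 4, 6)   # hypothetical: four LE16 wheel speeds in one frame
SPEED_LSB_KMH = 0.01          # hypothetical scaling


def _pearson(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sqrt(sxx * syy)


def find_speed_field(log: List[List[Frame]], ref_kmh: Sequence[float]) -> Tuple[int, int, str, float]:
    """Steps 2-6 of the plan: log[i] holds the frames seen during sample i and
    ref_kmh[i] the true speed at that sample (GPS, for instance).  Every 16-bit
    field of every ID is tried in both byte orders; the one that tracks the
    reference best is the wheel-speed candidate.  Use a run that speeds up and
    slows down again, otherwise any counter that ticks once per sample also
    correlates perfectly with a monotonic reference."""
    best = (0, 0, "<H", -2.0)
    for arb_id in sorted({f.arb_id for tick in log for f in tick}):
        per_tick = [next((f for f in tick if f.arb_id == arb_id), None) for tick in log]
        if any(f is None for f in per_tick):
            continue                      # ID missing from a sample: skip it
        dlc = min(len(f.data) for f in per_tick)
        for fmt in ("<H", ">H"):
            for off in range(dlc - 1):
                vals = [struct.unpack_from(fmt, f.data, off)[0] for f in per_tick]
                r = _pearson(vals, ref_kmh)
                if r > best[3]:
                    best = (arb_id, off, fmt, r)
    return best


def final_drive_ratio(old_fd: float, new_fd: float) -> float:
    """Step 7.  Assumption: the TCU converts wheel speed to output-shaft speed
    through the final drive it was programmed with.  A numerically higher
    (shorter) new final drive turns the wheels slower for the same shaft rpm,
    so the speed shown to the TCU is scaled up by new/old."""
    return new_fd / old_fd


def rescale_wheel_speeds(data: bytes, ratio: float) -> bytes:
    """Scale each wheel field, saturating at 0xFFFF.  If the real frame carries
    an alive counter or checksum, recompute it here too or the TCU will drop
    the frame; the constructed layout has neither."""
    out = bytearray(data)
    for off in WHEEL_FIELDS:
        (raw,) = struct.unpack_from("<H", data, off)
        struct.pack_into("<H", out, off, min(round(raw * ratio), 0xFFFF))
    return bytes(out)


def gateway(frame: Frame, speed_id: int, ratio: float) -> Frame:
    """Steps 9-11: rewrite only the wheel-speed ID on the TCU side of the
    gateway, pass every other frame through byte for byte."""
    if frame.arb_id == speed_id:
        return Frame(frame.arb_id, rescale_wheel_speeds(frame.data, ratio))
    return frame


def decode_wheel_speeds(data: bytes) -> List[float]:
    """km/h per wheel under the constructed layout (for inspection and tests)."""
    return [struct.unpack_from("<H", data, off)[0] * SPEED_LSB_KMH for off in WHEEL_FIELDS]


# Constructed log: accelerate, then brake, six samples.  Wheels disagree by a
# few counts per sample, the engine frame shifts gears, the counter wraps.
REF_KMH = [0.0, 15.0, 30.0, 45.0, 30.0, 15.0]
ENGINE_RPM = [800, 2400, 4200, 2600, 3900, 2800]
SAMPLE_LOG: List[List[Frame]] = []
for i, v in enumerate(REF_KMH):
    raw = round(v / SPEED_LSB_KMH)
    noise = (0, (i * 5) % 7 - 3, (i * 3) % 5 - 2, (i * 11) % 9 - 4)
    SAMPLE_LOG.append([
        Frame(0x100, struct.pack("<HH4x", ENGINE_RPM[i], 90)),          # rpm, coolant temp
        Frame(0x200, struct.pack("<4H", *(max(raw + n, 0) for n in noise))),
        Frame(0x300, bytes([(i * 7) & 0x0F]) + b"\x00" * 7),             # alive counter
    ])

if __name__ == "__main__":
    arb_id, off, fmt, r = find_speed_field(SAMPLE_LOG, REF_KMH)
    print(f"wheel speed candidate: id=0x{arb_id:X} offset={off} fmt={fmt} r={r:.5f}")
    ratio = final_drive_ratio(3.08, 3.46)
    for f in SAMPLE_LOG[1]:
        print(f"0x{f.arb_id:X} {f.data.hex()} -> {gateway(f, arb_id, ratio).data.hex()}")
```

Two practical points follow from the sketch. The rewrite must sit on the TCU's own stub of the bus, as aus335iguy's correction says, because the KOMBI and DSC still need the real value; the gateway therefore has two bus segments, forwards TCU-to-bus frames untouched, and rewrites one ID in the bus-to-TCU direction only. And if the real wheel-speed frame carries an alive counter or a checksum over its payload, that field has to be recomputed after scaling or the TCU will reject the frame; the correlation pass is a good place to spot such bytes, since they will show no correlation with speed at all.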