BMW M3 Forum

Thu, Mar-16-2017, 09:13:38 PM   #321
gobuffs

Re: MK60 DSC thread

Thanks!

I was hoping that I could modify the BMW Mini protocol in the AiM Race Studio 3 to add the DSC light....but you can't. You have to start from scratch. So I don't have the info on everything else.

Sat, Mar-18-2017, 04:08:40 PM   #322
e36 323ti

Re: MK60 DSC thread

E46 mk60 Analytics: Took one of my e46 out for a spin on snow, recorded CAN data and did some analytics. Can even see which of the wheels got help from the mk60...



Sun, Mar-19-2017, 08:57:54 PM   #323
e36 323ti

Re: MK60 DSC thread

E46 mk60 Analytics: By combining various CAN data from the mk60 and the DME, physics and knowledge about the car, it is possible to determine which gear the car had at the time of CAN data recording...

Fri, Mar-24-2017, 10:39:32 PM   #324
TheGenius46M

Re: MK60 DSC thread

Now someone just needs to find out which parameters control wheel slip and yaw so I can make my mtrack even less invasive, but still have a safety net.

Sun, Mar-26-2017, 03:13:03 PM   #325
e36 323ti

Re: MK60 DSC thread

E46 mk60 Analytics: Dived into the book "Racing Car Dynamics" by Milliken & Milliken and used it as a reference for equations for doing analysis of MK60 CAN data w.r.t. over/understeer. Seems like the MK60 is a hidden gold mine when it comes to data...

Sun, Apr-09-2017, 04:35:13 PM   #326
terraphantm
Moderator

Re: MK60 DSC thread

So I wanted to revisit the possibility of dumping the full flash contents. I've been reading up on the KWP2000 format and I've also been working at disassembling newer BMW DMEs -- I generally have a better understanding of how the commands work now compared to when this thread started.

So when you run a "Speicher_Lesen" job with Tool32, it seems to send the following command
Code:
B8 29 F1 06 XX XX XX 03 YY
29 is the ID of the destination module (DSC in this case)
F1 is the ID of the source computer (doesn't have to be F1, but BMW uses that)
06 is the length of the message
XX XX XX is the start address
03 is the "segment type"
YY is the requested number of bytes (Tool32 limits you to 4 bytes, I don't know if that's a real limitation or not).

So let's take a look at that "segment type" byte. This is how the memory segments are defined for other BMW modules (including the MK60_E5):

SEG_BYTE  SEG_NAME  SEG_TEXT
0x00      LAR       linearAdressRange
0x01      ROMI      ROM / EPROM, internal
0x02      ROMX      ROM / EPROM, external
0x03      NVRAM     NV-RAM (characteristic zones, DTC memory)
0x04      RAMIS     RAM, internal (short MOV)
0x05      RAMXX     RAM, external (x data MOV)
0x06      FLASH     Flash EPROM, internal
0x07      UIFM      User Info Field Memory
0x08      VODM      Vehicle Order Data Memory
0x09      FLASHX    Flash EPROM, external
0x0B      RAMIL     RAM, internal (long MOV / Register)
0xFF      ???       unbekanntes Speichersegment

03 corresponds to NVRAM, which seems to line up with the data we get when we run that command.

So it might be worth trying to read off data using mode 00, 01, or 06. If we can get a full dump that way, we might also be able to disassemble the code and figure out how to use the flash routines as well.

Edit: Welp, never mind. I get a "subfunction not supported" / "invalid response" error on everything except 03.

Last edited by terraphantm; Sun, Apr-09-2017 at 05:07:10 PM.

Sun, Apr-09-2017, 08:23:21 PM   #327
e36 323ti

Re: MK60 DSC thread

Quote:
Originally Posted by terraphantm View Post
So I wanted to revisit the possibility of dumping the full flash contents. I've been reading up on the KWP2000 format and I've also been working at disassembling newer BMW DMEs -- I generally have a better understanding of how the commands work now compared to when this thread started.

So when you run a "Speicher_Lesen" job with Tool32, it seems to send the following command
Code:
B8 29 F1 06 XX XX XX 03 YY
29 is the ID of the destination module (DSC in this case)
F1 is the ID of the source computer (doesn't have to be F1, but BMW uses that)
06 is the length of the message
XX XX XX is the start address
03 is the "segment type"
YY is the requested number of bytes (Tool32 limits you to 4 bytes, I don't know if that's a real limitation or not).

So let's take a look at that "segment type" byte. This is how the memory segments are defined for other BMW modules (including the MK60_E5):

SEG_BYTE  SEG_NAME  SEG_TEXT
0x00      LAR       linearAdressRange
0x01      ROMI      ROM / EPROM, internal
0x02      ROMX      ROM / EPROM, external
0x03      NVRAM     NV-RAM (characteristic zones, DTC memory)
0x04      RAMIS     RAM, internal (short MOV)
0x05      RAMXX     RAM, external (x data MOV)
0x06      FLASH     Flash EPROM, internal
0x07      UIFM      User Info Field Memory
0x08      VODM      Vehicle Order Data Memory
0x09      FLASHX    Flash EPROM, external
0x0B      RAMIL     RAM, internal (long MOV / Register)
0xFF      ???       unbekanntes Speichersegment

03 corresponds to NVRAM, which seems to line up with the data we get when we run that command.

So it might be worth trying to read off data using mode 00, 01, or 06. If we can get a full dump that way, we might also be able to disassemble the code and figure out how to use the flash routines as well.

Edit: Welp, never mind. I get a "subfunction not supported" / "invalid response" error on everything except 03.

Interesting....

Some comments:
Your
Code:
 B8 29 F1 ...
is almost correct.

The correct one is
Code:
 B8 29 F1 06 23 xx xx xx 03 yy cs
23 is the KWP2000 spec readMemoryByAddress service.

I have tried with more than 4 bytes in my software, but it seems like the limitation is in the mk60. Gets a nack if larger than 4 bytes.

Prior to the readMemoryByAddress, the sequrityAccess handshake (or seed/key) is performed. I guess sequrityAccess is also needed for the other modes?

In my KBus implementation I use the following from the KWP2000 spec:

Code:
#define startDiagnosticSession				0x10
#define readDiagnosticTroubleCodes			0x13
#define clearDiagnosticInformation			0x14
#define readDiagnosticTroubleCodesByStatus		0x18
#define readStatusOfDiagnosticTroubleCodes		0x17
#define readECUIdentification				0x1A

#define stopDiagnosticSession				0x20
#define readDataByLocalIdentifier			0x21
#define readDataByCommonIdentifier			0x22
#define readMemoryByAddress				0x23
#define sequrityAccess					0x27

#define startRoutineByLocalIdentifier			0x31
#define stopRoutineByLocalIdentifier			0x32
#define requestRoutineResultsByLocalIdentifier	        0x33
#define requestDownload					0x34
#define requestUpload					0x35
#define requestTransferData				0x36
#define requestTransferExit				0x37
#define startRoutineByAddress				0x38
#define stopRoutineByAddress				0x39
#define requestRoutineResultsByAddress			0x3A

#define writeDataByCommonIdentifier			0x2E
#define writeDataByLocalIdentifier			0x3B
#define writeMemoryByAddess				0x3D

#define startCommunication				0x81
#define stopCommunication				0x82
Several other commands/responses to/from the mk60 make sense when looking at the KWP2000 spec.

If there are other modules following the KWP2000 spec, it would have been interesting to know which identifiers are used to read/write flash. Or are they all simply using 0x23 for read and 0x3D for write flash?
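
The request format discussed in posts #326 and #327, as an added example that is not part of either post: a Python decoder that checks captured `B8 dst src len data... cs` requests against what the thread reports (only segment 03 answers, at most 4 bytes per read). The XOR checksum, the most-significant-byte-first address order, the function names and the sample frames are assumptions made for the example.

```python
from functools import reduce

# Service IDs from the list in the thread (KWP2000 spelling) and the segment table.
SERVICES = {0x22: "readDataByCommonIdentifier", 0x23: "readMemoryByAddress",
            0x27: "securityAccess", 0x2E: "writeDataByCommonIdentifier",
            0x3D: "writeMemoryByAddress"}
SEGMENTS = {0x00: "LAR", 0x01: "ROMI", 0x02: "ROMX", 0x03: "NVRAM",
            0x04: "RAMIS", 0x05: "RAMXX", 0x06: "FLASH", 0x07: "UIFM",
            0x08: "VODM", 0x09: "FLASHX", 0x0B: "RAMIL"}
MAX_READ = 4  # the thread reports a NACK from the MK60 above 4 bytes

def xor_checksum(data: bytes) -> int:
    # Assumption: cs is the XOR of all preceding bytes (not stated in the thread).
    return reduce(lambda a, b: a ^ b, data, 0)

def decode_frame(hex_line: str) -> dict:
    """Decode one 'B8 dst src len data... cs' request and list anything unusual."""
    raw = bytes.fromhex(hex_line)
    if len(raw) < 6 or raw[0] != 0xB8 or len(raw) != raw[3] + 5:
        return {"ok": False, "notes": ["not a well-formed B8 frame"]}
    data, notes = raw[4:-1], []
    if xor_checksum(raw[:-1]) != raw[-1]:
        notes.append("checksum mismatch")
    out = {"dst": raw[1], "src": raw[2],
           "service": SERVICES.get(data[0], "unknown"), "notes": notes}
    if data[0] == 0x23:
        if len(data) != 6:
            notes.append("malformed readMemoryByAddress")
        else:
            # Assumption: the 3-byte address is sent most significant byte first.
            out["address"] = int.from_bytes(data[1:4], "big")
            out["segment"] = SEGMENTS.get(data[4], "unknown")
            out["count"] = data[5]
            if data[4] != 0x03:
                notes.append("segment other than NVRAM")
            if data[5] > MAX_READ:
                notes.append("read larger than 4 bytes")
    out["ok"] = not notes
    return out

# Constructed sample capture (addresses are made up for the example).
SAMPLE = ["B8 29 F1 06 23 00 00 10 03 04 52",   # NVRAM read, 4 bytes
          "B8 29 F1 06 23 00 00 00 06 10 53",   # FLASH segment, 16 bytes
          "B8 29 F1 06 23 00 00 10 03 04 00"]   # same as first, bad checksum

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", decode_frame(line))
```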

Sun, Apr-09-2017, 09:44:03 PM   #328
terraphantm
Moderator

Re: MK60 DSC thread

I deliberately didn't include the checksum byte in my post.

Most use 23 for read. I don't remember write, but I think it's 3D. Erasing and writing requires security access, which on most newer BMW modules uses asymmetric encryption. The other modules do tend to have multiple levels of security access, each protected by a different key.

I wonder if we'd have to kick the module into development mode or something to get the other read modes to work.

Mon, Apr-10-2017, 10:15:42 AM   #329
e36 323ti

Re: MK60 DSC thread

I was thinking more about the missing KWP2000 SID '23', not the cs...

The security access in the MK60 is asymmetric.

In a previous post it is mentioned that e.g. when NCSexpert is updating the MK60, going from std to M-Track, it uses SID 22 id 30 00 for read and SID 2E id 30 00 for write (15 bytes). Do not recall if security access was involved, but think the module was switched to adjustment mode. When using SID 23 the module is first put into adjustment mode, then security access handshake before read request.

Have tried to switch the mk60 to development mode (0x86) as well as programming mode (0x85), but did not succeed. There is an access_nr attached to the development mode, but do not know how that comes into account...

Managed also to read 2x519 bytes using non-std KWP2000 (09 7F, 09 8F), so it could be that the flash read/write is not following KWP2000?

Last edited by e36 323ti; Mon, Apr-10-2017 at 10:40:42 AM.

Tue, Apr-11-2017, 01:01:18 AM   #330
terraphantm
Moderator

Re: MK60 DSC thread

Oh, I didn't realize I missed that 23. I knew it was supposed to be there.

By asymmetric encryption, I'm referring to RSA. Module sends a challenge, which is usually some identifier (VIN maybe?) + a random number. Receiver takes the challenge, encrypts it using the private key, and sends that back to the module. Module decrypts response with public key, and compares to the initial challenge. If valid, security access is granted.

Yeah I saw those 09 7F and 09 8F commands. Not defined in the KWP2000 standards and I couldn't find anything similar on the KWP2000 DMEs.

I wonder if the DSC software found in WinKFP for various modules is close enough to disassemble and figure out what's going on.


edit: Well I picked a random MK60 0PA from the E9x. Seems to disassemble as an ARM processor. I don't have a lot of experience with ARM code, but let's see if there's anything cool in there.

Of course I don't know how helpful this is without a full dump since the diagnostic routines might be in a section of code that WinKFP doesn't flash.

Last edited by terraphantm; Tue, Apr-11-2017 at 01:56:42 AM.
Discussing MK60 DSC thread in the Coding and Tuning Forum - Discuss all avenues of coding and tuning here! at BMW M3 Forum.com (E30 M3 | E36 M3 | E46 M3 | E92 M3 | F80/X)