Current Status on E38, E67, etc.. Hacking Toys

[hjtrbo]

The obsolete HP Tuners NGauge is similar to what you're thinking about.

Good general info here
https://www.scribd.com/document/670573576/CANBUS-Info

[Tazzi]

The more I look into this the more I'm learning towards a standalone Arduino solution. It would be pretty cool to have a little box that can be hard coded to perform functions based on simple LCD menu and buttons. No DLL required. I already found some libraries regarding can bus for vehicles. Seems like I'm gearing up a winter project. Should be able to make a device that reads ECU at push of button and write them to micro SD. Could even have built in functions to read entire memory, enter desired vin and write back. One long Arduino file.

Just keep in mind the creation of the kernel (The custom program that uploads to the ecu) which provides the ability to read and write the ecu directly.

But, with a kernel, a basic arduino board with a canbus+SDcard shield could be made to read and write a tune. It would be a heap of work, but.. it is possible. I initially did this with my own kernel to test out the idea of trying to do sub 15second writes by only writing the exact section that were modified using a Teensy3.1 and custom board for sdcard+canbus.

OBDX has been asked several times to make a standalone flashing tool that works from an sdcard. But honestly, everyone has a smart phone, so you'd be crazy not to just create a phone app that controls a scantool instead. But... thats just my thoughts!

[Tre-Cool]

if you want to be able to read/upload tunes & have a logger, then just buy an efilive v3 unit.

[Tre-Cool]

kinda on topic. I have been using ghidra for a few months now to find additional maps/switches for e38/t43 controllers & since i have an abundance of bandwidth I was going to configure a vm to run a ghidra server & move my local results to it.

If this is something of interest for others I can create user access to it.

[hjtrbo]

Not sure if my level of knowledge qualifies me, but I would like to see your results.

[Tre-Cool]

okay. i still need to move the vm to my desktop at my workshop tomorrow, but when it's moved it should be reachable on default port 13100

I've spent most of my time looking through the T43.24256025 os because that is what i have in 2 of my cars. It's inter-changeable with 24256125.

Ghidra.PNG (4.41 KiB) Viewed 2281 times

now because ghidra launches with the default windows username account you have to modify the launch.properties file in the ghidra support directory with this
# Username
VMARGS=-Duser.name=PCM-View

Small warning if you have some local work already you will need to modify your project file usernames to match or u get errors. ideally, send me a pm with a legit name & i will create a dedicated account for you & send you details for server connection.

[Meistro]

if you want to be able to read/upload tunes & have a logger, then just buy an efilive v3 unit.

I have HP tuners mvpi2 that I use. I'm going to try to capture everything it does to write a tune to E67. The downside is I'll have to spend 100 bucks to do it. It will hopefully be worth it. I have some more can bus sniffing tools arriving tomorrow. There's a raspberry pi can-bus hat that I'm going to play with also. There's already plenty of code to start with out in the wild. I think I'll be able to capture the kernel that the HP tuners uses. Maybe lol

[ironduke]

if you want to be able to read/upload tunes & have a logger, then just buy an efilive v3 unit.

I have HP tuners mvpi2 that I use. I'm going to try to capture everything it does to write a tune to E67. The downside is I'll have to spend 100 bucks to do it. It will hopefully be worth it. I have some more can bus sniffing tools arriving tomorrow. There's a raspberry pi can-bus hat that I'm going to play with also. There's already plenty of code to start with out in the wild. I think I'll be able to capture the kernel that the HP tuners uses. Maybe lol

They use the same kernels as GM does along with write procedure.. They send the kernel in reverse but it is the exact same kernel..
Only one different I've seen is the write security they have for E38's, is that available for the E67?

[Meistro]

I have no idea what I'm about to get myself into. I know absolutely zero about the gen 4. I have high hopes about logging all communication between the Mvpi2 and the ECU. I'm thinking theoretically I should be able to use the log to see every command sent to the ECU. I have to get started reading about the protocol so I might have a clue what I'm looking at once I do finally get something to look at. Is there an auto can bus for dummies resource anyone can share?

[hjtrbo]

Starting to play with Ghirda. I'm slowly getting through mapping out the tables HP has defined, that is going well.

I was wondering what workflow is used to locate the PIDs that HP logs within Ghirda? We have broadcast and polled.