Hello,

I have a BMW which I am flashing with Bootmod3. They don't allow you to see the map data for their OTS maps (like the specific values in the individual calibration tables for wastegate control, fueling etc...), but you can see the map data for a self-tune or stock map.

I have logged the bytes which Bootmod3 transfers to my ECU during the programming session. It's 306,900 bytes when I do a "partial" flash. Partial meaning the ECU was already flashed with BM3 and I just changed some data in a self-tuned table and reflash.

I expected that maybe only a few bytes would change, but actually only about 72KB are identical (the first chunk) and the remainder is largely changed. It doesn't look to be like any sort of sophisticated encryption or compression, because some random lengths of bytes in these areas ARE still the same... but are mostly different...

Anyway, is what I am trying to do possible? What am I missing? I have the ISO 14229-1 spec which matches at least what the programming session is doing, but as far as the actual data contents go for this session, I am totally blind. Is there a BMW spec somewhere I can find? Or does that come from Bosch? It's a Bosch ECU (Aurix based).

Thanks for any help!!

Lol, are you being facetious??

Why would they help me "steal" something they are protecting? They don't want people to know what their proprietary tune consists of and have a method to encrypt the maps on their software. I am wondering if the data transmitted to the ECU is still in an encrypted form, or not (because I doubt the ECU would support that?)

Aha! I Think we are on to something here...

It's 34 10, meaning compressed but unencrypted.

What does compression = 1 mean? How do I decompress the stream -- is there a standard/spec somwhere?

Dang... Does anyone know what BMW MG1 uses?

I guess I will try to derive it from some statistical analysis of the hex

The steps would be to re-construct the block flashed from a sniff, decrypt using the correct aes keys(if encrypted), decompress using the correct decompression algo(if compressed) and there you have it. However this process is about 50% of what is needed to create a flashing protocol (without an exploit or a hack) and it is too much of an effort for something that many calibration engineers can do. So Why bother at all ?

It seems like attempt for pain in the ass on full...... Why not start normal way - use propper editing tool as for greenhorn you may buy St1 form known vendor and resolve mappack demand. Start learning and ask more specific questions in forums if required - there always help possible.