Odometer hacks

Whacko

Whacko

New member
netercol said:
the e46 beemers (should include the m3 i think) stores the true milage in at least 5 differant places, the cluster, ZKE, key, EWS i think, not sure where else.. anyways, the point being,unless whoever hacked the odo really went to a lot of trouble changing the km's in all the controllers it gets stored, (the ZKE being a bastard to hack as i understand), the true km's will still be stored in the other controllers, accessable with any tool like bmw scanner, carsoft, ect..

the secure eeprom ,m35080,which stores the milage in e46 clusters, is very easy to hack nowadays, with several generic tools avaidible even on e-bay..
Click to expand...

I did see so, did some google. Gonna be shopping online maybe. I'm not sure what I should do, at the moment I'm really p.. off at these guys, so it is in the heat of the moment still, I will get some dyno tests to check the motor's condition.
 
Hellas

Hellas

///Member
netercol said:
the e46 beemers (should include the m3 i think) stores the true milage in at least 5 differant places, the cluster, ZKE, key, EWS i think, not sure where else.. anyways, the point being,unless whoever hacked the odo really went to a lot of trouble changing the km's in all the controllers it gets stored, (the ZKE being a bastard to hack as i understand), the true km's will still be stored in the other controllers, accessable with any tool like bmw scanner, carsoft, ect..
Click to expand...

After all this trouble for electronic security, the hack fails by the last place the hacker seemed to look: Black ink on white paper in the service book...
 
Z

zaleonardz

Well-known member
Ok this is just fscking scary.... im sorry.

I ordered a VAG cable for our Golf 5, as I need to sort out an airbag light issue. The software which I will not mention, actually has the ability to change odo readings right off the interface, the other stuff I have can do it as well on the BMW's, but that requires a bit more of an IQ then this...

This was like a 600 fleabay cable... wtf, and its a late model CAN interface as well. I will never trust the odo's of a car again...
 
M

M3turbo

Member
Whacko said:
zaleonardz said:
Its not just possible, its highly likely.

You can have an odo hacked for like 2k, or get a tool off of ebay for like 900 bucks or less

Very simple what you do, contact the dealer, tell him you have evidence of the hack, and that he should refund your purchase price in full including interest.

If he refuses, you contact the bank where you financed at, and make a case, they will come down on the dealer, but hard, and cancel your agreement.

Also, there is onbudsman, but the banks will make some waves for sure, dont take this laying down dude.
Click to expand...

It's a bit more messy than that, problem is I paid cash for the damn thing. BMW wouldn't give me the service history before I purchased the vehicle, as you need to proof ownership. It's only after the deal and the vehicle got registered to my name that I could submit the proof of ownership, and that's when I noticed the irregularities.
Real bummer..
Click to expand...

This makes no sense to me???
 
Whacko

Whacko

New member
M3turbo said:
Whacko said:
zaleonardz said:
Its not just possible, its highly likely.

You can have an odo hacked for like 2k, or get a tool off of ebay for like 900 bucks or less

Very simple what you do, contact the dealer, tell him you have evidence of the hack, and that he should refund your purchase price in full including interest.

If he refuses, you contact the bank where you financed at, and make a case, they will come down on the dealer, but hard, and cancel your agreement.

Also, there is onbudsman, but the banks will make some waves for sure, dont take this laying down dude.
Click to expand...

It's a bit more messy than that, problem is I paid cash for the damn thing. BMW wouldn't give me the service history before I purchased the vehicle, as you need to proof ownership. It's only after the deal and the vehicle got registered to my name that I could submit the proof of ownership, and that's when I noticed the irregularities.
Real bummer..
Click to expand...

This makes no sense to me???
Click to expand...

Which part does not make sense? The vehicle was not sold to me by a BMW dealership, it was a second hand car dealership. My first request to BMW was after I received the invoice, but before payment to the dealer, and it had the body number and VIN number on it. Using this info Randburg club motors refused to forward any service plan history unless I could prove that I am the owner, namely the registration documentation. The irregularity stems from the inscription in the service book that an odometer change was done by club motors at 66 014 km's, and I was explicitly told by the dealer that this was the case, hence the 15 000 odd km's on the odometer. When I received the service history from BMW after registration to my name, I noted services under motorplan at a higher km reading than when the proposed odometer change reset the odometer to 0 km's. There is also no record at BMW that the odo was changed at all. ;-)

William
 
netercol

netercol

New member
I ordered a VAG cable for our Golf 5, as I need to sort out an airbag light issue. The software which I will not mention, actually has the ability to change odo readings right off the interface, the other stuff I have can do it as well on the BMW's, but that requires a bit more of an IQ then this...

This was like a 600 fleabay cable... wtf, and its a late model CAN interface as well. I will never trust the odo's of a car again...
Click to expand...

hehe.. you can rest a LITTLE BIT easier ,its not quite that easy on the later beemers (dont know much about VAG though)

from about 2002 onwards, bmw amongst other manufacturers started using a "secure" eeprom m35080 in their clusters to try to eliminate tampering. the basic concept in plain english is that the eeprom will allow mileage to increment, but never decrease.. if you try to write a lower milage than is already recorded,using any type of obdii interface(bmw's oem GT1) included, the cluster will simply refuse. but if you fit a brand new cluster, the milage can be incremented to the correct mileage using any interface tool, oem, carsoft ect.

so far so good.. unfortunatly the eeprom in question can now be forced to reset (forced to write whatever you want) using in-circuit programmers (meaning you remove the cluster and solder the programmer's leads onto the circuit board directly) which are also freely avaidible on fleabay :(

at least this means that the person tampering with the odo has to have at least basic electronic exp. , it cannot yet be done with obdii or can interfaces afaik :mmm:

the only fullproof way imho is the way i bought my own beemer, took my laptop and humble ebay error code reader with to the dealership , logged in and checked whether the mileage was the same in all the storage places in the car.. VERY rarely does the tamperer bother to change it everywhere, especially since the body computer (zke) is very difficult to rewrite, it also has to be done in circuit, or the eprom has to be desoldered..

sry, i see i got a bit carried away there :)
 
Whacko

Whacko

New member
netercol said:
I ordered a VAG cable for our Golf 5, as I need to sort out an airbag light issue. The software which I will not mention, actually has the ability to change odo readings right off the interface, the other stuff I have can do it as well on the BMW's, but that requires a bit more of an IQ then this...

This was like a 600 fleabay cable... wtf, and its a late model CAN interface as well. I will never trust the odo's of a car again...
Click to expand...

hehe.. you can rest a LITTLE BIT easier ,its not quite that easy on the later beemers (dont know much about VAG though)

from about 2002 onwards, bmw amongst other manufacturers started using a "secure" eeprom m35080 in their clusters to try to eliminate tampering. the basic concept in plain english is that the eeprom will allow mileage to increment, but never decrease.. if you try to write a lower milage than is already recorded,using any type of obdii interface(bmw's oem GT1) included, the cluster will simply refuse. but if you fit a brand new cluster, the milage can be incremented to the correct mileage using any interface tool, oem, carsoft ect.

so far so good.. unfortunatly the eeprom in question can now be forced to reset (forced to write whatever you want) using in-circuit programmers (meaning you remove the cluster and solder the programmer's leads onto the circuit board directly) which are also freely avaidible on fleabay :(

at least this means that the person tampering with the odo has to have at least basic electronic exp. , it cannot yet be done with obdii or can interfaces afaik :mmm:

the only fullproof way imho is the way i bought my own beemer, took my laptop and humble ebay error code reader with to the dealership , logged in and checked whether the mileage was the same in all the storage places in the car.. VERY rarely does the tamperer bother to change it everywhere, especially since the body computer (zke) is very difficult to rewrite, it also has to be done in circuit, or the eprom has to be desoldered..

sry, i see i got a bit carried away there :)
Click to expand...

I see you know your stuff. ;-) It is a SPI 8 pin device, should not be too problematic to replace. Only problem is, what does the Siemens controller store on there, and is it encrypted. Do you know if the cluster has it's own micro on?
 
netercol

netercol

New member
It is a SPI 8 pin device, should not be too problematic to replace. Only problem is, what does the Siemens controller store on there, and is it encrypted. Do you know if the cluster has it's own micro on?
Click to expand...

hehe, yes the prom is also freely avaidible .. a little bit difficult to replace because it is on the hidden side of the circuit board, meaning the odo has to be dissasembled to get to the device and desolder it.. i guess they tried their best to make it as difficult as possible :)

as to what else is stored on the eeprom, its only the first page of memory(32 bytes) that is treated securely, the rest stores stuff like vin, date of manufacture, ect. i would imagine, and im sure it would be encrypted. so if you physically replaced the eeprom, i guess you would need to backup the data first and then rewrite it to the new replacement. the cluster does have its own micro on , not sure what they used though.. a bmw egghead once told me that the average e46 has about 74 microprocessors in various controllers around the car! :mmm:
 
You must log in or register to reply here.

Similar threads

Keatonraman330dMSport
AGM Battery ‘17 BMW F30 320D
Replies
6
Views
1K
Xcede Performance
Xcede Performance
Kishore
discussion BMW x5 G05 Motorplan not wanting to pay
2
Replies
36
Views
8K
General.Massacre
General.Massacre
JordanB
technical Crankshaft Pulley dead? Tips and recommendations?
Replies
9
Views
1K
naeem9
N
Paul_Pret
Service Record after motorplan
Replies
7
Views
2K
tamgoem
T
X
X5 F15 3.0D Msport - Preventative Maintenance
Replies
9
Views
1K
boost3d
boost3d
Top