Hi!

Today I have E46 330D 2000 year that I need to change mileage.
Inside is 93C66 (B58608) and odo is Motometer
HW9 and SW 16
6 906 884
0 263 606 265

KM is in next lines

0020: xx xx xx xx xx xx 2A A9 04 17 C6 5F 2A A9 04 17
0030: C6 5F xx xx xx xx xx xx xx xx xx xx xx xx xx xx

So, car came with 304 814km on odo. Customer wants 740 000-750 000km.

Nyo,Tachosoft,licznik...NOT working with this odometer.

I have manage to make file with 747 875km (randomly trying to calculate some values) but with pure luck.
I have few examples that I did try in this odo (all files are tested in this odo), so if someone who know how to calculate or know how to find algo for this type of calculation PLEASE teach me.

Let's start:

304 814 = E4 2C 11 59 06 8B original value

215 715 = 3C 2B 16 44 1F 53 Tachosoft calculate this value also for 780 000km and for 215 715km

432 651 = F3 4C 36 68 9E EB

153 685 = 2C F8 C6 44 1F 53

075 913 = 3D 3D 06 44 1F 53

862 345 = 3D3B 06 44 1F 53

862 857 = 3C 3B 06 44 1F 53

863 881 = 3E 3B 06 44 1F 53

627 875 = 80 2E 13 46 1D EF This is random guess.Next values I play with licznik and get result that I need. Licznik don't show original value like it should for example this value is shown like 103585

647 875 = 6C 2E 13 86 DD 03 licznik 123585

747 875 = 7B 2B 16 C6 9D 14 licznik 223585

Once again these are calculations that I tested in this odo.

Thanks in advance

Best regards

why bother, mighty digywigy makes this in two minutes and two walks around the car.
connect under the bonnet and ask your friend to sit in the car and watch the magic as you wont be able to see it because of the cable which is shorter than the chinese kid who made it itself.

Yes, I know that these cars are easy to change mileage trough OBD (bmw scanner...). I want to learn how this type of odo calculate hex values...

post your original file with exact km

the way you work out a calculation is, you grab the original dump and compare its exact value to the algorithms you already know,

if that does work, you run up 1km or a similarly small distance and grab another dump, looking for what part is incrementing, this will give you your LSB, and may flag a checksum, if that is not obvious grab a few more dumps like this and see if a pattern emerges,

now that you have a starting point, you can try and find your value again, it could be * or / some value, it could be xor'd, it could use a lookup table and be encrypted, but with enough dumps you can spot that (if something is fully encrypted by a lookup table, you would need atleast 256 dumps to fully crack it, but that is another story)

ok, so you have your milage, next comes the most likely thing in a dump that took you that much effort to break, checksums, there can be ones that just check the milage locations, and there can be ones that check regions, or the entire file, there are atleast 15 different methods for checksums i have become aware of, with the most basic being the sum (check... sum) of all the locations involved,

the fact your milage still displayed after tweaking it is a good sign that there is no checksum, or it doesn't care what it is,

Why you need whole file when mileage calculation is made only in this two lines but here you are

303101

@Rerouter
Thanks.
Yes, there is no checksum, or it doesn't care what it is because you can write what ever you want and it will always show some mileage. I understand checksums (some of them). I have manually try to find algo for this but no luck (xor,swap,make some kind of table...).
I know that this is pain in the a.. but I'm just curious if someone know this type of calculation.
Who have Omega there is some calculator that is able to do this kind of odo.

..... the best way would be to actually run up the cluster to see how its incrementing it, rather than trial and error, when you get it showing 075913km it could well be 9,075,913km, and the cluster may just ignore the millions column, i've played this game with enough algos to say if you cant get it after a 10 minute sit down with windows calculator, you need more original unmodified files to work from...

0 A9 2D 10 08 53 C6 A9 2D 10 08 53 C6
2 A9 2D 10 0C 57 C6 A9 2D 10 0C 57 C6
4 A9 2D 10 10 4B C6 A9 2D 10 10 4B C6
6 A9 2D 10 14 4F C6 A9 2D 10 14 4F C6
8 A9 2D 10 18 43 C6 A9 2D 10 18 43 C6
10 A9 2D 10 1C 47 C6 A9 2D 10 1C 47 C6

20 A9 2D 10 30 6B C6 A9 2D 10 30 6B C6
30 A9 2D 10 44 1F C6 A9 2D 10 44 1F C6
40 A9 2D 10 58 03 C6 A9 2D 10 58 03 C6
50 A9 2D 10 6C 37 C6 A9 2D 10 6C 37 C6
60 A9 2D 10 80 DB C6 A9 2D 10 80 DB C6
70 A9 2D 10 94 CF C6 A9 2D 10 94 CF C6
80 A9 2D 10 A8 F3 C6 A9 2D 10 A8 F3 C6
90 A9 2D 10 BC E7 C6 A9 2D 10 BC E7 C6
100 A9 2D 10 D0 8B C6 A9 2D 10 D0 8B C6

OK, so looks like it does have a checksum, second last byte, take the third last and Xor with 5B,

I strongly doubt that 5B is a constant, and if you go higher than 140km that will likely show it changing as the next byte increments,

From hcips list, we know the 3rd last byte is the LSB, and has no dips so its unlikely to be xor'd or something silly,
Next up would be finding the second LSB, In this case i think the mileage is started at an offset,

Why you need whole file when mileage calculation is made only in this two lines but here you are

303101

I think I missed calculation by 4 kilometer lower.......

@hcip
or I didn't remember right, you calculation is maybe ok.

Did you make this software or this is something from UPA packet (I'm not using UPA)?

does other ecus need to be corrected to so they match or the marker light appears on the dash#?

does other ecus need to be corrected to so they match or the marker light appears on the dash#?

This is older car so no need for other ECUs to change mileage and there is no marker light or any light everything works like it should. But if you use diagnostic and check mileage for example in engine ECU there will be original value which in this case is 304 810km.

the way you work out a calculation is, you grab the original dump and compare its exact value to the algorithms you already know,

if that does work, you run up 1km or a similarly small distance and grab another dump, looking for what part is incrementing, this will give you your LSB, and may flag a checksum, if that is not obvious grab a few more dumps like this and see if a pattern emerges,




now that you have a starting point, you can try and find your value again, it could be * or / some value, it could be xor'd, it could use a lookup table and be encrypted, but with enough dumps you can spot that (if something is fully encrypted by a lookup table, you would need atleast 256 dumps to fully crack it, but that is another story)

ok, so you have your milage, next comes the most likely thing in a dump that took you that much effort to break, checksums, there can be ones that just check the milage locations, and there can be ones that check regions, or the entire file, there are atleast 15 different methods for checksums i have become aware of, with the most basic being the sum (check... sum) of all the locations involved,

the fact your milage still displayed after tweaking it is a good sign that there is no checksum, or it doesn't care what it is,



Or just post the dump on here, get the money off the punter up front, go down the cafe, get a butty, go the betting shop, stick a few bob on an 'orse, get the the electronic ciggy topped up, swift pint down the pub then back to the computer for the answer, put the dump back in the punters car......look up at the sky and say "thank you dk members for giving me an easy life"

So,should we introduce a Paypal system here in the Dashboard Section ? What you reckon,€100 per file ?

I sometimes have to stop,and think, "Why is he still here,if he's so unhappy with this site !"

So,should we introduce a Paypal system here in the Dashboard Section ? !"

Depends who and what 1 post 300 downloads yes, contributing members no.

Tuelly woodman. Why not just go to cafe in-correction, coffee, burger and file.