Extracted BMW F series ESYS commands (DME/ECU/Tune/Code)

bmw-esys-series-codes.java

// Random code sequences I found throughout a flashing tool

D = new hs("RCS_EraseCoding", "31 01 0F 01", 3, false);
e = new ha("DSC_DS", "10 01");
f = new ha("DSC_ES", "10 03");
g = new ha("DSC_PS", "10 02");
h = new ha("DSC_DEVS", "10 4F");
i = new ha("DSC_CS", "10 41");
j = new ku("RCS_SEMD", "31 01 0F 0C 00");
k = new ku("RCS_SEMF", "31 01 0F 0C 03");
n = new ku("RCS_SEXMF", "31 01 10 03 01");
new ha("DSC_SWTS", "10 41");
new hs("RCS_EraseInfoStorage", "31 01 0F 06", 4, false);
new hs("TP", "3E 00", 2, true);
new ht("RDBI_InfoStorage", "22 20 00");
new ku("RCS_ACT_N_FM", "31 01 10 0F");
new ku("RCS_ACT_P_FM", "31 01 10 0E");
new ku("RCS_SEMP", "31 01 0F 0C 01");
new ku("RCS_SEMT", "31 01 0F 0C 02");
private final if a = new if("DNMT", "28 01 01", this);
private final if a = new if("DTCOff", "85 02", this);
private final if a = new if("RCS_CheckProgDeps", "31 01 FF 01", this);
private final if a = new if("RCS_CPPC", "31 01 02 03", this);
private final if a = new if("RCS_CPPC", "31 01 02 06", this);
private final if a = new if("RCS_GAC", "31 01 10 11", this);
private final if a = new if("RDTCI_0C", "19 02 0C", this);
private final if a = new if("ReadActiveSessionState", "22 F1 00", this);
private final if b = new if("ClearAllDTC", "14 FF FF FF", this);
private final if b = new if("DSC_PS", "10 02", this);
private final if b = new if("ReadActiveDiagnosticSession", "22 F1 86", this);
private final if b = new if("ReadCurrentSVK", "22 F1 01", this);
private final if b = new if("ReadPlantSVK", "22 F1 03", this);
private final if b = new if("ReadSysSuppSVK", "22 F1 02", this);
private final if c = new if("DSC_CS", "10 41", this);
private final if c = new if("DSC_DS", "10 01", this);
private final if c = new if("HardReset", "11 01", this);
public lg() { super("ReadCPS", "22 37 FE"); }
public lj() { super("ReadEcuManufacturingData", "22 F1 8B"); }
public lk() { super("ReadEnergyMode", "22 10 0A"); }
public ll() { super("ReadECUSerialNumber", "22 F1 8C"); }
public lm() { super("ReadExtendedMode", "22 10 0E"); }
public ln() { super("ReadFlashTimingParameter", "22 25 04"); }
public lo() { super("ReadGWRoutingStatus", "22 25 08"); }
public lp() { super("RDBI_IPCONFIG", "22 17 2A"); }
public lq() { super("ReadMemoryAddress", "22 25 06"); }
public lr() { super("ReadMemorySegmentationTable", "22 25 01"); }
public ls() { super("ReadProgrammingCounterMax", "22 25 03"); }
public lt() { super("ReadProgrammingCounter", "22 25 02"); }
public lv() { super("ReadStdCoreModules", "22 17 26"); }
public lw() { super("ReadStdCoreVersion", "22 17 20"); }
public lx() { super("ReadSGBDIndex", "22 F1 50"); }
public ma() { super("RDBI_SLC", "22 17 35"); }
public mb() { super("ReadVIN", "22 F1 90"); }
super("DSC_ES", "10 03");

// Random payloads used
private static final byte[] a = q.b("00 00 44 00 00 00 00 00 00 00 00");
private static final byte[] a = q.b("27 00 FF FF FF FF");
private static final byte[] a = q.b("31 01 02 02 12");
private static final byte[] a = q.b("31 01 02 02 13");
private static final byte[] a = q.b("31 01 02 04 00");
private static final byte[] a = q.b("31 01 40 07 00");
private static final byte[] a = q.b("31 01 FF 00 01 44 00 00 00 00 00 00 00 00 06");
private static final byte[] a = q.b("31 03 40 08");
private static final byte[] a = q.b("51 01"); private static he b;
private static final byte[] a = q.b("59 02");
private static final byte[] a = q.b("62 F1 86");
private static final byte[] a = q.b("6E 37 FE");
private static final byte[] a = q.b("6E F1 5A");
private static final byte[] a = q.b("6E F1 90");
private static final byte[] a = q.b("71 01 02 04");
private static final byte[] a = q.b("71 01 FF 00");
private static final byte[] a = q.b("71 01");
private static final byte[] a = q.b("71 03");
private static final byte[] b = q.b("10 02 00 00");
private static final byte[] b = q.b("31 01 02 02 12 40 00 00 00 00 00 00");
private static final byte[] b = q.b("31 01 02 04 00 40 00 00 00 00");
private static final byte[] b = q.b("31 01 FF 00 02");
private static final byte[] b = q.b("50 01");
private static final byte[] b = q.b("50 41");
private static final byte[] b = q.b("59 0A");
private static final byte[] b = q.b("62 F1 00");
private static final byte[] b = q.b("71 01 02 02");
private static final byte[] b = q.b("71 01 02 06");
private static final byte[] b = q.b("71 01 0F 0C");
private static final byte[] b = q.b("71 01 10 21");
private static final byte[] b = q.b("71 01 10 22");
private static final byte[] b = q.b("71 01 40 07");
private static final byte[] b = q.b("71 01 40 08");
private static final byte[] b = q.b("71 02 40 08");
private static final byte[] c = q.b("00 01");
private static final byte[] c = q.b("10 02 11 11");
private static final byte[] c = q.b("31 01 FF 00 02 40 00 00 00 00");
private static final byte[] c = q.b("50 02");
private static final byte[] d = q.b("00 01");
public static class a extends if { private static final byte[] a = q.b("31 01 40 08");
public static class a extends if { private static final byte[] a = q.b("31 02 40 08");
public static class c extends if { private static final byte[] a = q.b("31 01 10 22");
public static class d extends if { private static final byte[] a = q.b("31 01 10 21");
public static final byte[] a = q.b("00 00 00 00 00 11");
static final byte[] b = q.b("00 00 00 00 00 10");
static final byte[] c = q.b("00 00 00 04 00 01 F4 DF 3E 80");
 
// Command names
c("HardReset");
c("DEFSESS");
c("EXTDIAGSESS");
c("PROGSESS");
c("CODSESS");
c("SWTSESS");
c("ReadCurrentSVK");
c("ReadFlashTimingParameter");
c("ReadActiveDiagnosticSession");
c("ReadActiveSessionState");
c("ReadEnergyMode");
c("ReadExtendedMode");
c("ReadCurrentSVK");
c("DTCOff");
c("DNMT");
c("SetEnergyModeDefault");
c("SetEnergyModeFlash");
c("SetEnergyModeProduction");
c("SetEnergyModeTransport");
c("SetExtendedModeFlash");
c("CheckProgPreCond");
c("ActivateParallelFlashMode");
c("ActivateNormalFlashMode");
c("RequestTransferExit");
c("ReadMemoryAddress");
c("ReadMemorySegmentationTable");
                                  
// Why? Because paying $800-$3,000 for transferring a hex stream over an OBD port is kind of a rip off... especially when it is inflated based on the MSRP of your car (M5 tax...)
// I think this is the magic sequence that does ECU flashing, but it is just a very uneducated hunch. I can't confirm it. I need to manually by hand resolve the obfuscated class names below:
// All mapped and in order:

a = new he(); //HardReset
b = new le(); //ReadActiveDiagnosticSession
new ln(); //ReadFlashTimingParameter
c = new lk(); //ReadEnergyMode
new lm(); //ReadExtendedMode
new lx(); //ReadSGBDIndex
d = new lh(); //ReadCurrentSVK
new lu(); //ReadPlantSVK
new ly(); //ReadSysSuppSVK
e = new ha("DSC_DS", "10 01"); //DiagnosticSessionControlService
f = new ha("DSC_ES", "10 03"); //DiagnosticSessionControlService
g = new ha("DSC_PS", "10 02"); //DiagnosticSessionControlService
h = new ha("DSC_DEVS", "10 4F"); //DiagnosticSessionControlService
i = new ha("DSC_CS", "10 41"); //DiagnosticSessionControlService
new ha("DSC_SWTS", "10 41"); //DiagnosticSessionControlService
j = new ku("RCS_SEMD", "31 01 0F 0C 00"); //RCS_NoResultByte_Service
new ku("RCS_SEMT", "31 01 0F 0C 02"); //RCS_NoResultByte_Service
new ku("RCS_SEMP", "31 01 0F 0C 01"); //RCS_NoResultByte_Service
k = new ku("RCS_SEMF", "31 01 0F 0C 03"); //RCS_NoResultByte_Service
l = new gt(); //DTCOff_Service
m = new gs(); //DNMT_Service
new kl(); //RCS_CheckProgrammingPower_Service
n = new ku("RCS_SEXMF", "31 01 10 03 01"); //RCS_NoResultByte_Service
new ku("RCS_ACT_P_FM", "31 01 10 0E"); //RCS_NoResultByte_Service
new ku("RCS_ACT_N_FM", "31 01 10 0F"); //RCS_NoResultByte_Service
o = new me(); //RequestSeed_Service
p = new mg(); //SendKey_Dissector
q = new mn(); //WDBI_CodingData
r = new kq(); //RCS_EraseMemoryIndexed_Service
new kp(); //RCS_EraseMemoryAdressed_Service
s = mf.a; //RequestUpDownload_Service.java
t = new hv(); //TransferData_Service
u = new hs("RTE", "37", 1, true); //SimpleMatchingService
v = new kj(); //RCS_CheckMemoryIndicated_Service
w = new lg(); //RDBI_CPS_Service
x = new mb(); //RDBI_VIN_Service
new lq(); //ReadMemoryAddress
new mo(); //WDBI_VIN_Service
new mk(); //WDBI_CPS_Service
y = new li(); //RDBI_CodingData_Service
z = new mm(); //WDBI_CodingData
new kz(); //RCS_ReadSweProgrammingStatus_Service
A = new km(); //RCS_CheckProgrammingPreconditions_Service
B = new kk(); //RCS_CheckProgDeps_Service
C = new kx(); //RCS_ReadDevelopmentInfo_Service
new ks(); //RCS_GetActualConfig_Service
new lp(); //RDBI_IPConfig_Service
new ma(); //RDBI_StatusLifeCycle_Service
new go(); //ClearDTCService
new md(); //ReadDtcsOC_Service
new hs("TP", "3E 00", 2, true); //SimpleMatchingService
new ht("RDBI_InfoStorage", "22 20 00"); //SimpleRDBIService
new hs("RCS_EraseInfoStorage", "31 01 0F 06", 4, false); //SimpleMatchingService
D = new hs("RCS_EraseCoding", "31 01 0F 01", 3, false); //SimpleRDBIService
E = new lt(); //ReadProgrammingCounter
new ls(); //ReadProgrammingCounterMax
new ll(); //ReadECUSerialNumber
                                  
go 
  ClearDTCService.java 
  new if("ClearAllDTC", "14 FF FF FF", (ho)this);
  a = q.b("54");
gs
  DNMT_Service.java
  if a = new if("DNMT", "28 01 01", (ho)this);
gt
  DTCOff_Service.java
  a = new if("DTCOff", "85 02", (ho)this);
ha
  DiagnosticSessionControlService.java
  ???
he
  HardReset_Service.java
  c = new if("HardReset", "11 01", (ho)this);
  a = q.b("51 01");
hs
  SimpleMatchingService.java
  ??
ht
  SimpleRDBIService.java
  check response telegram length
hv
  TransferData_Service.java
  b = q.b("76");
  bsc
  data
kj
  RCS_CheckMemoryIndicated_Service.java
  b = q.b("71 01 02 02");
  RoutineControlStartCheckMemory
  a = q.b("31 01 02 02 12");
  b = q.b("31 01 02 02 12 40 00 00 00 00 00 00");
kk
  RCS_CheckProgDeps_Service.java
  if("RCS_CheckProgDeps", "31 01 FF 01", (ho)this);
kl
  RCS_CheckProgrammingPower_Service.java
  if("RCS_CPPC", "31 01 02 06", (ho)this);
  b = q.b("71 01 02 06");
km
  RCS_CheckProgrammingPreconditions_Service.java
  if("RCS_CPPC", "31 01 02 03", (ho)this);
  this.a("1=engine running.");
  this.a("2=immobilizer system not being unlocked.");
  this.a("3=gear box input speed not being zero.");
  this.a("4=gear box output speed not being zero.");
  this.a("5=vehicle's speed not being zero.");
  this.a("6=control active.");
  this.a("7=ignition needing restart. Ignition off-on is required.");
  this.a("8=programming voltage being insufficient.");
  this.a("9=ignition being off (clamp 15 is off).");
  this.a("10=vehicle's electrical system voltage being too low.");
  this.a("11=temperature being too high.");
  this.a("12=temperature being too low.");
  this.a("13=---");
kp
  RCS_EraseMemoryAdressed_Service.java
  RC_ERASEMEMORY_ADRESSED
  q.b("31 01 FF 00 01 44 00 00 00 00 00 00 00 00 06");
kq
  RCS_EraseMemoryIndexed_Service.java
  RCS_ERASEMEMORY_INDEXED
  b = q.b("31 01 FF 00 02");
  c = q.b("31 01 FF 00 02 40 00 00 00 00");
ks
  RCS_GetActualConfig_Service.java
  if("RCS_GAC", "31 01 10 11", (ho)this);
ku
  RCS_NoResultByte_Service.java
kx
  RCS_ReadDevelopmentInfo_Service.java
kz
  RCS_ReadSweProgrammingStatus_Service.java
  a = q.b("71 01 02 04");
  super("RCS_ReadSweProgrammingStatus", arrby2, ho2);
  a = q.b("31 01 02 04 00");
  b = q.b("31 01 02 04 00 40 00 00 00 00");
le
  RDBI_ADS_Service.java
  b = new if("ReadActiveDiagnosticSession", "22 F1 86", (ho)this);
  a = q.b("62 F1 86");
  c = q.b("01,02,03,04,41,42,43");
  d = q.b("00,81,82");
  e = q.b("00,81,82,83,84,85,FF");
  f = q.b("00,81,82,83,84,85,86,FF");
  g = q.b("01,02,03,04,05,06,07,08,09");
  h = q.b("01,02");
lg
  RDBI_CPS_Service.java
  super("ReadCPS", "22 37 FE");
lh
  RDBI_CSVK_Service.java
  if("ReadCurrentSVK", "22 F1 01", (ho)this);
  c = q.b("09,0A,0B,0C,0D,0E,0F");
li
  RDBI_CodingData_Service.java
  WDBI_VIN
lk
  RDBI_EM_Service.java
  super("ReadEnergyMode", "22 10 0A");
  case 0: {
     return "deactivated";
  }
  case 1: {
     return "plantmode activated";
  }
  case 2: {
     return "transportmode activated";
  }
  case 3: {
     return "flashmode activated";
  }
ll
  RDBI_ESN_Service.java
  super("ReadECUSerialNumber", "22 F1 8C");
lm
  RDBI_EXM_Service.java
  super("ReadExtendedMode", "22 10 0E");
  case 0: {
      return "deactivated";
  }
  case 1: {
      return "flash activated";
  }
ln
  RDBI_FTP_Service.java
  super("ReadFlashTimingParameter", "22 25 04");
lp
  RDBI_IPConfig_Service.java
  super("RDBI_IPCONFIG", "22 17 2A");
lq
  RDBI_MA_Service.java
  super("ReadMemoryAddress", "22 25 06");
ls
  RDBI_PCM_Service.java
  super("ReadProgrammingCounterMax", "22 25 03");
lt
  RDBI_PC_Service.java
  super("ReadProgrammingCounter", "22 25 02");
lu
  RDBI_PSVK_Service.java
  if("ReadPlantSVK", "22 F1 03", (ho)this);
lx
  RDBI_SGBDI_Service.java
  super("ReadSGBDIndex", "22 F1 50");
ly
  RDBI_SSVK_Service.java
  if("ReadSysSuppSVK", "22 F1 02", (ho)this);
ma
  RDBI_StatusLifeCycle_Service.java
  super("RDBI_SLC", "22 17 35");
mb
  RDBI_VIN_Service.java
  super("ReadVIN", "22 F1 90");
md
  ReadDtcsOC_Service.java
  if("RDTCI_0C", "19 02 0C", (ho)this);
me
  RequestSeed_Service.java
  a = q.b("27 00 FF FF FF FF");
mg
  SendKey_Dissector.java
mk 
  WDBI_CPS_Service.java
  a = q.b("6E 37 FE");
mm
  WDBI_CodingData_Service.java
  WDBI_CodingData
mn
  WDBI_FingerPrint_Service.java
  a = q.b("6E F1 5A");
mo
  WDBI_VIN_Service.java
  a = q.b("6E F1 90");

What exactly do you want to tell me? Basically the behavior should be identical to EDIABAS, if not there may be a bug.

@uholeschak I did not see all of these commands in EDIABAS. Are you missing some? Are you sure you can read + write from/to DME?

https://en.wikipedia.org/wiki/Unified_Diagnostic_Services

https://gist.github.com/brandonros/4aa6ae51d0f925671d034446947df555