⚙️ MultiMap “MEVD17.2.6 BMW F30 335i” — Reverse Engineering Journey

This one started as a classic: get the full readout, find a control hook, then build a clean map switch. It turned into a FlexRay detour and ended with a secure, processor-bound setup that can’t be cloned.

1) Readout & first probes¶

• Full ECU read with BFlash.
• Quick CAN sweep for likely entry points: dash RPM, cruise buttons, paddle shifts, driver-mode selector, etc.
• I could interrupt the dash and confirm RPM injection, but the driver-mode state wasn’t showing up where I expected.

Early result: good for UI/dash tricks, not enough for reliable map selection.

2) The BMW twist — FlexRay¶

A deeper look at the network topology confirmed what many BMW platforms do: driver modes ride on FlexRay, not CAN. I didn’t have a FlexRay sniffer on the bench that day, so I pivoted.

Plan B: find the RAM variables after FlexRay frames are parsed, then key the map switch off those.

3) RAM exploration via UDS¶

I patched the ECU for debug and used a small Python UDS helper with a PEAK interface to read memory and watch live changes. After a short scan of the comms stack buffers, I located the parsed driver-mode variable and a few related status bits.

Once you know the RAM address, you don’t need to decode FlexRay on the wire—just read the state the ECU already computed.

```python

demo: readMemoryByAddress (UDS 0x23) to poll a known RAM address¶

NOTE: illustrative, not a full library¶

from uds import UDSClient

MODE_ADDR = 0xXXXXXX # resolved during RAM sweep MODE_LEN = 1

with UDSClient(channel="PCAN_USBBUS1", req_id=0x7E0, res_id=0x7E8) as c: raw = c.read_memory_by_address(addr=MODE_ADDR, length=MODE_LEN) # 0x23 mode = int.from_bytes(raw, "big") print("Driver mode:", mode) # e.g., 0=Comfort, 1=Sport, 2=Sport+

VIDEO: