Derestricting a Shimano STEPS E-Bike

Shimano_pls
New Member
Region: Europe
Hello all, I am here out of the goodness of my own heart to show you how to change your destination market and tyre circumference (among other settings) on Shimano e-bikes.

Don't bother spending money on getting people to flash your bike when you can do it yourself!

Things you will require:

Prelude

I would recommend changing the software first and then figuring out how to connect to the bike. To connect to the bike, you will need to take the side cover off the motor to access the proprietary Shimano connector ports on the side. It will be easier to change the software first instead of freezing outside huddled up to your laptop.

I didn't know which port would work initially, so I plugged in my SM-PCE02 to each port (disconnecting the plug already in that socket) and ran "Connection Check" in the E-Tube software to see when it was recognising a connection to the motor. See the SM-PCE02 manual for more info: https://www.manualslib.com/manual/2725412/Shimano-Sm-Pce02.html#manual

I am going to initially state the bare minimum procedure for each of the steps to unlock the speed limit, followed by a designated section for the nerds with some extra info for those who are interested.

The reason why all of this is possible is because v3.4.5 of E-Tube Professional allows for complete reverse engineering of the program into its .NET C# code. So a bit of coding will be happening here. Brace yourself, it is worth it, and should not take more than 15 minutes. I will try to explain this as simply as possible. Any questions, comment below :)

If at any point this screws up, uninstall E-Tube Project and start again; alternatively, make a copy of the E-Tube Professional directory (C:\Program Files (x86)\Shimano\E-tube Project\) to restore from.

Do I Need to Downgrade?

If the firmware on your bike is newer than or equal to these versions (check using E-Tube Professional), then you will need to downgrade.
  • DU-E80X0 (DU-E8000, DU-E8080): 4.9.5
  • DU-E7000 and DU-E61X0 (DU-E6100, DU-E6100-CRG, DU-E6110, DU-E6180): 4.7.7
  • DU-E50X0 (DU-E5000, DU-E5080): 4.4.10

Let's Get Started!

So, to get started, you are going to need to have a bike with firmware less than version 4.7.7. After this entire process is complete, you can upgrade the E-Bike past this, but will need to downgrade it at some point in order to revert back in certain situations (e.g. when taking the bike in for a service they might check...).

There are 3 steps to do on the software side:
  1. Force unlock bike regulation.
  2. Force the software to set destination OEM to US (to unlock 32km/h limit) at the same time it sets tire circumference.
  3. Set destination OEM and tyre circumference in E-Tube Professional.
  4. (Optional) Add firmware check bypass when you rewrite firmware.
  5. (Optional) Downgrading firmware.

Step 1: Force Unlock Bike Regulation

  1. Open DnSpyEx
  2. Open C:\Program Files (x86)\Shimano\E-tube Project\E-tube Project.exe.
  3. Navigate the Assembly Explorer tree on the top left to E-tube Project > E-tube Project.exe > OptionSettingBase > isOptionAvailable : bool.
  4. Right click on get and select Edit Method.
  5. Replace everything bounded by the get and curly braces { } with get { return true; }
  6. Click compile in the bottom right of the window.
  7. We have now forced the bike to unlock its regulation settings. Now save by selecting File > Save All...
C#:
public bool IsOptionAvailable
{
    get
    {
        return true;
    }
}

Picture: https://imgvibe.com/image/saj7

For The Nerds:
From what I figured out, the bike has a regulation unlock procedure which you can force E-Tube Professional to execute by modifying the above variable to true. The code uses this variable to decide whether to go through the regulation unlock procedure in ProcessRegulationSetAuth(). It does this by computing an authentication key and a "Common AES Key" based on the motor's serial number - this function is universal, so not secure.*

Based on the bike's response to sending this key to it with the ProcessRegulationSetAuth() function, E-Tube will run either UnlockRegulationSetAuth() and unlock the settings, or, in my bike's case, proceed to read in several messages from the bike containing some randomised bytes. Then, by encrypting these bytes using AES with the "Common AES Key" in EncryptRandVal() and sending them back to the bike, the regulation settings will be unlocked by E-Tube itself. I have a Python script which can do this successfully; however, something about my initialisation procedure was wrong and setting the destination or tyre circumference returned errors.


Step 2: Make Software Set Destination OEM to US

  1. Open DnSpyEx
  2. Open C:\Program Files (x86)\Shimano\E-tube Project\EtubeDataLinks.dll
  3. Navigate the Assembly Explorer tree on the top left to EtubeDataLinks > EtubeDataLinks.dll > Shimano.EtubeDataLinks > DUUnitDataLink > SetTireCircumference(byte, ushort)
    1. There are two. One says SetTireCircumference(byte, ushort, bool). We do not want to modify this one!
  4. Right click on SetTireCircumference(byte, ushort) and select Edit Method.
  5. Above the "return" line, press enter and add in DUUnitDataLink.SetDestination(slotNo, 1, 1);
  6. Click compile in the bottom right of the window.
  7. We have made E-Tube set the destination to US every time we set the bike's tyre circumference. Now save by selecting File > Save All...
C#:
public static bool SetTireCircumference(byte slotNo, ushort tireCircumference)
{
    DUUnitDataLink.SetDestination(slotNo, 1, 1);
    return DUUnitDataLink.SetTireCircumference(slotNo, tireCircumference, false);
}

Picture: https://imgvibe.com/image/sm0A

For The Nerds:
All we have done here is force the bike to set the destination of the bike to the US OEM destination. Specifically, slotNo here is the device "slot" the SM-PCE01/02 is writing to. In this case, I have reused the argument, but from observation, with the bike off, only my motor would be visible; the slot number in this case with only one device attached is "0".

The second argument put into the command that is sent to the bike indicates that you wish to modify the OEM destination. If this were 0, then it would modify the factory destination, as I observed.

Then, the final "1" is the US destination. "0" is EU, "1" is US, "2" for Japan, "3" for Taiwan and "4" for Korea. All but the US destination are speed limited to 25km/h. You can observe the commands in EtubeData.dll, in EtubeData > EtubeData.dll > Shimano.EtubeData > UnitCommandDefine()

Step 3: Setting Destination OEM and Tyre Circumference

  1. Open E-Tube Professional normally.
  2. Click on the big black wire button on the right of the window above "Di2 ADAPTER FOR OTHER E-BIKE SYSTEM".
  3. Click Next.
  4. Wait for it to talk to the bike and know what devices it can see
  5. Click Ok if there is any popup.
  6. Click Complete.
  7. Click Customize
  8. Click Drive unit setting.
  9. Modify the tyre circumference if needed (i.e. if you want to be stealthy and make the bike think it is going slower than it actually is, you can reduce the tyre circumference).
    1. If you do not want to change this, just click the arrows up and down. This will allow you to click the "Set" button. From what we did before, this will tell the bike it is in the US.
  10. It may not say Setting value: 20mph initially. You may have to re-open E-Tube.
  11. You're done!

Step 4 (Optional): Add Firmware Check Bypass

  1. Open DnSpyEx
  2. Open C:\Program Files (x86)\Shimano\E-tube Project\EtubeDataLinks.dll
  3. Navigate the Assembly Explorer tree on the top left to EtubeDataLinks > Shimano.EtubeDataLinks > Unit > GetRequiredAppVersion(byte)
  4. Alternatively, use the search function in the bottom middle (where it says Locals | Breakpoints | Search) to search for GetRequiredAppVersion.
  5. Right click on GetRequiredAppVersion and select Edit Method.
  6. On the line under if(flag2), replace `version = blah` with `version = new Version(3, 4, 0);`
  7. Click compile in the bottom right of the window.
  8. We have now bypassed the firmware check. Now save by selecting File > Save All...
C#:
public static Version GetRequiredAppVersion(byte slotNo)
{
    Version version = null;
    string text = "PCA_SUPPORT_VER_GET";
    UnitCommandSetting unitCommandSetting = UnitCommandSetting.Make(slotNo, 0x32, 0xB4, new byte[1]).SetCommandName(text).SetReplyParamLength(3)
        .RemoveLogOutputTimings(CommunicationResult.Success);
    UnitCommandReply unitCommandReply = EtubeDataLinksUnitCommand.SendReceiveUnitCommand(unitCommandSetting);
    bool flag = unitCommandReply.Result == CommunicationResult.Success;
    bool flag2 = flag;
    if (flag2)
    {
        // Patched: ignore the version the drive unit reports and claim it accepts 3.4.0
        version = new Version(3, 4, 0);
        EtubeDataLinksLog.ReceiveNormalResponseLog((int)slotNo, text, new string[]
        {
            "version",
            version.ToString(3)
        });
    }
    return version;
}

Picture: https://imgvibe.com/image/1-unlock-firmware-downgrade.spJQ

For The Nerds:
In version 4.7.7, Shimano makes the firmware tell E-Tube which version of E-Tube it is expecting. In firmware 4.7.7, it asks for E-Tube Professional V5, the latest version. We make the software bypass this check when you click to rewrite the firmware to the bike, so in essence, the software thinks the firmware on the bike told it that it accepts v3.4.0, even though it is actually saying, "I want v5.0.3 please!", which is what it actually asks for if you reverse engineer the communications further.

Step 5 (Optional): Downgrading Firmware

  1. Search for "shimano firmware downgrade" on Google.
  2. Find the firmware for your bike which has a lesser version than 4.7.7.
  3. There is a lot of stuff there. It involves renaming the files to have a higher version number to trick the software into thinking they are the latest.
  4. Once you have the old firmware, navigate to C:\ProgramData\E-tube Project\FW (you may need to show hidden files and folders) and put the old, renamed firmware in here.
  5. Open E-Tube Professional normally.
  6. Click on the big black wire button on the right of the window above "Di2 ADAPTER FOR OTHER E-BIKE SYSTEM".
  7. Click Next.
  8. Wait for it to talk to the bike and know what devices it can see
  9. Click Ok if there is any popup.
  10. Click Complete.
  11. Scroll down and click "Rewrite firmware".

Some More Discussion For The Nerds
The SM-PCE02 communicates at baud 200,000. You can open a connection to it in Python like so:
Python:
import serial  # pyserial

def open_sm_pce02():
    """Open the SM-PCE02 serial port (replace COM# with the real port name)."""
    ser = serial.Serial()
    ser.port = 'COM#'
    ser.baudrate = 2000000  # baud rate as given in the posted snippet
    ser.timeout = 2.0       # seconds to wait for a reply before giving up
    ser.setDTR(False)       # hold DTR low before opening the port
    ser.open()
    return ser
  • The communication is sent in what is called a "DCAS frame"
  • The first byte is the type of command.
  • The second byte is the Slot Number to write to.
  • The third and fourth bytes are the actual specified command.
  • Some number of bytes after this are the parameters for the command (if there are any).
  • A frame check sum is added at the end which is computed in `CreateFCS()`.
  • All these bytes are surrounded by `0xbb ...DATA... 0xbb`.
  • Then, the message to be sent is padded by 0xFFs up to 128 bytes.
  • Received messages are usually 64 bytes in length.
I also have command listings, but these can really be seen quite simply using DnSpyEx.
Anyway, enjoy going fast, don't kill yourself. I absolve myself of any responsibility if you do; it is your choice to do these steps, not mine. Do your own research. I am not a lawyer.
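As an added example that is not part of the original post or of Shimano's software, here is a Python decoder for the DCAS frame layout listed above, useful for reading captured frames during analysis. It assumes the two command bytes are kept as a pair (matching the separate `0x32, 0xB4` arguments in the C# earlier); the FCS algorithm is not described on the page, so the checksum byte is extracted but not verified, and the sample frame's type byte and FCS value are constructed placeholders.

```python
# Added example (not the poster's code): decode a DCAS frame using only the
# byte layout described in the post. CreateFCS() is not on the page, so the
# checksum is extracted but NOT verified here.
from dataclasses import dataclass

FRAME_DELIM = 0xBB   # frame start/end marker
PAD_BYTE = 0xFF      # transmitted frames are padded with 0xFF
TX_FRAME_LEN = 128   # sent frames are padded to 128 bytes


@dataclass
class DcasFrame:
    cmd_type: int        # byte 0: type of command
    slot_no: int         # byte 1: slot number written to
    command: tuple       # bytes 2-3: the two command bytes, kept as a pair
    params: bytes        # zero or more parameter bytes
    fcs: int             # trailing frame check sequence (not verified)


def pad_tx_frame(frame: bytes) -> bytes:
    """Pad a delimited frame to the 128-byte transmit length with 0xFF."""
    if len(frame) > TX_FRAME_LEN:
        raise ValueError("frame longer than the transmit buffer")
    return frame + bytes([PAD_BYTE]) * (TX_FRAME_LEN - len(frame))


def decode_dcas(raw: bytes) -> DcasFrame:
    """Strip padding and delimiters, then split the fields by position."""
    body = raw.rstrip(bytes([PAD_BYTE]))  # padding only follows the closing 0xBB
    # smallest frame: delim, type, slot, cmd, cmd, fcs, delim = 7 bytes
    if len(body) < 7 or body[0] != FRAME_DELIM or body[-1] != FRAME_DELIM:
        raise ValueError("not a 0xBB-delimited DCAS frame")
    inner = body[1:-1]
    return DcasFrame(cmd_type=inner[0], slot_no=inner[1],
                     command=(inner[2], inner[3]),
                     params=bytes(inner[4:-1]), fcs=inner[-1])


# Constructed sample: the PCA_SUPPORT_VER_GET command bytes (0x32, 0xB4) with
# its single zero parameter, as in the C# above. The type byte 0x01 and the
# FCS 0x5A are placeholders, not captured values.
SAMPLE_TX = pad_tx_frame(bytes([0xBB, 0x01, 0x00, 0x32, 0xB4, 0x00, 0x5A, 0xBB]))

if __name__ == "__main__":
    print(decode_dcas(SAMPLE_TX))
```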
 
Thank you for sharing!
In the E-Tube Project version 3.4.5, there is no class for the DU-EP800 in the EtubeDataLinks library. I assume this means that it won't work with the EP8 motor?
However, version 4.0.4 has a DuEp800Unit class in the EtubeDataLinks dll. They restructured the project, but you can find the same IsOptionAvailable method inside the EtubeProjectV4.dll > Shimano.EtubeProject > OptionSettingBase class. Could the modifications work with version 4.0.4, too? What's the reason for version 3.4.5? I don't have a SM-PCE02 to test it.
 
How does it work with the eplus flash? People have adjusted the firmware so that you can go 50km/h and display the correct speed on the display.
I want that too, but don't want to pay €150 for the software.
 
Thank you for sharing :)

For the new models EP801 and EP6, you have any suggestion?
In my case I only want to change from EU, to US spec.
 