Shimano_pls
New Member
- Region
- Europe
Hello all, I am here out of the goodness of my own heart to show you how to change your destination market and tyre circumference (among other settings) on Shimano e-bikes.
Don't bother spending money on getting people to flash your bike when you can do it yourself!
Things you will require:
- Windows PC (I have tested this on Windows 11).
- Shimano E-Tube Professional v3.4.5 https://bettershifting.com/di2-e-tube-software-and-downloads/ or https://bike.shimano.com/en-EU/e-tube/project/archive.html
- Shimano SM-PCE01 or SM-PCE02 to talk to the bike. This will cost a couple hundred euros or dollars depending on your location. You may be able to borrow one from someone local, or split it with a friend. And you can maintain your bike with it.
- DnSpyEx 32-bit https://github.com/dnSpyEx/dnSpy/releases/download/v6.4.1/dnSpy-net-win32.zip
Prelude
I would recommend changing the software first and then figuring out connecting to the bike. To connect to the bike, you will need to take the side cover off on the motor to access the proprietary Shimano connector ports on the side. It will be easier to change the software first instead of freezing outside huddled up to your laptop.
I didn't know which port would work initially, so I plugged in my SM-PCE02 to each port (disconnecting the plug already in that socket) and ran "Connection Check" in the E-Tube software to see when it was recognising a connection to the motor. See the SM-PCE02 manual for more info: https://www.manualslib.com/manual/2725412/Shimano-Sm-Pce02.html#manual
I am going to initially state the bare minimum procedure for each of the steps to unlock the speed limit, followed by a designated section for the nerds with some extra info for those who are interested.
The reason why all of this is possible is because v3.4.5 of E-Tube Professional allows for complete reverse engineering of the program into its .NET C# code. So a bit of coding will be happening here. Brace yourself, it is worth it, and should not take more than 15 minutes. I will try to explain this as simply as possible. Any questions, comment below.
If at any point this screws up, uninstall E-Tube Project and start again; alternatively, make a copy of the E-Tube Professional directory (C:\Program Files (x86)\Shimano\E-tube Project\) to restore from.
Do I Need to Downgrade?
If the firmware on your bike is newer or equal to this (check using E-Tube Professional) then you will need to downgrade.
- DU-E80X0 (DU-E8000, DU-E8080) : 4.9.5
- DU-E7000 and DU-E61X0 (DU-E6100, DU-E6100-CRG, DU-E6110, DU-E6180) : 4.7.7
- DU-E50X0 (DU-E5000, DU-E5080) : 4.4.10
Let's Get Started!
So, to get started, you are going to need to have a bike with firmware less than version 4.7.7. After this entire process is complete, you can upgrade the E-Bike past this, but will need to downgrade it at some point in order to revert back in certain situations (e.g. when taking the bike in for a service they might check...).
There are 3 steps to do on the software side:
- Force unlock bike regulation.
- Force the software to set destination OEM to US (to unlock 32km/h limit) at the same time it sets tire circumference.
- Set destination OEM and tyre circumference in E-Tube Professional.
- (Optional) Add firmware check bypass when you rewrite firmware.
- (Optional) Downgrading firmware.
Step 1: Force Unlock Bike Regulation
- Open DnSpyEx
- Open C:\Program Files (x86)\Shimano\E-tube Project\E-tube Project.exe.
- Navigate the Assembly Explorer tree on the top left to `E-tube Project > E-tube Project.exe > OptionSettingBase > isOptionAvailable : bool`.
- Right click on `get` and select Edit Method.
- Replace everything bounded by the get and curly braces { } with `get { return true; }`
- Click compile in the bottom right of the window.
- We have now forced the bike to unlock its regulation settings. Now save by selecting `File > Save All...`
C#:
    public bool IsOptionAvailable
    {
        get
        {
            return true;
        }
    }
Picture
https://imgvibe.com/image/saj7
For The Nerds:
From what I figured out, the bike has a regulation unlock procedure which you can force E-Tube Professional to execute by modifying the above variable to true. The code uses this variable to decide whether to go through the regulation unlock procedure in ProcessRegulationSetAuth(). It does this by computing an authentication key and a "Common AES Key" based off the motor's serial number - this function is universal; so not secure.*
Based off the bike's response to sending this key to it with the ProcessRegulationSetAuth() function, E-Tube will run either UnlockRegulationSetAuth() and unlock the settings, or in my bike's case, proceed to read in several messages from the bike containing some randomised bytes. Then, by encrypting these bytes using AES with the "Common AES Key" in EncryptRandVal() and sending it back to the bike, the regulation settings will be unlocked by E-Tube itself. I have a Python script which can do this successfully, however something about my initialisation procedure was wrong and setting the destination or tyre circumference returned errors.
Step 2: Make Software Set Destination OEM to US
- Open DnSpyEx
- Open C:\Program Files (x86)\Shimano\E-tube Project\EtubeDataLinks.dll
- Navigate the Assembly Explorer tree on the top left to `EtubeDataLinks > EtubeDataLinks.dll > Shimano.EtubeDataLinks > DUUnitDataLink > SetTireCircumference(byte, ushort)`
- There are two. One says SetTireCircumference(byte, ushort, bool). We do not want to modify this one!
- Right click on `SetTireCircumference(byte, ushort)` and select Edit Method.
- Above the "return" line, press enter and add in `DUUnitDataLink.SetDestination(slotNo, 1, 1);`
- Click compile in the bottom right of the window.
- We have made E-Tube set the destination to US every time we set the bike's tyre circumference. Now save by selecting `File > Save All...`
C#:
    public static bool SetTireCircumference(byte slotNo, ushort tireCircumference)
    {
        DUUnitDataLink.SetDestination(slotNo, 1, 1);
        return DUUnitDataLink.SetTireCircumference(slotNo, tireCircumference, false);
    }
Picture
https://imgvibe.com/image/sm0A
For The Nerds:
All we have done here is force the bike to set the destination of the bike to the US OEM destination. Specifically, slotNo here is the device "slot" the SM-PCE01/02 is writing to. In this case, I have reused the argument, but from observation with the bike off only my motor would be visible; the slot number in this case with only one device attached is "0".
The second argument, put into the command that is sent to the bike, says that you wish to modify the OEM destination. If this was 0, then it would modify the factory destination I observed.
Then, the final "1" is the US destination. "0" is EU, "1" is US, "2" for Japan, "3" for Taiwan and "4" for Korea. All but the US destination are speed limited to 25km/h. You can observe the commands in EtubeData.dll, in `EtubeData > EtubeData.dll > Shimano.EtubeData > UnitCommandDefine()`
Step 3: Setting Destination OEM and Tyre Circumference.
- Open E-Tube Professional normally.
- Click on the big black wire button on the right of the window above "Di2 ADAPTER FOR OTHER E-BIKE SYSTEM".
- Click Next.
- Wait for it to talk to the bike and know what devices it can see
- Click Ok if there is any popup.
- Click Complete.
- Click Customize
- Click Drive unit setting.
- Modify the tyre circumference if needed (i.e. if you want to be stealthy and make the bike think it is going slower than it actually is, you can reduce the tyre circumference).
- If you do not want to change this, just click the arrows up and down. This will allow you to click the "Set" button. From what we did before, this will tell the bike it is in the US.
- It may not say `Setting value: 20mph` initially. You may have to re-open E-Tube.
- You're done!
Step 4 (Optional): Add Firmware Check Bypass
- Open DnSpyEx
- Open C:\Program Files (x86)\Shimano\E-tube Project\EtubeDataLinks.dll
- Navigate the Assembly Explorer tree on the top left to `EtubeDataLinks > Shimano.EtubeDataLinks > Unit > GetRequiredAppVersion(byte)`
- Alternatively, use the search function in the bottom middle (where it says Locals | Breakpoints | Search) to search for `GetRequiredAppVersion`.
- Right click on `GetRequiredAppVersion` and select Edit Method.
- On the line under `if(flag2)`, replace `version = blah` with `version = new Version(3, 4, 0);`
- Click compile in the bottom right of the window.
- We have now bypassed the firmware check. Now save by selecting `File > Save All...`
C#:
    public static Version GetRequiredAppVersion(byte slotNo)
    {
        Version version = null;
        string text = "PCA_SUPPORT_VER_GET";
        UnitCommandSetting unitCommandSetting = UnitCommandSetting.Make(slotNo, 0x32, 0xB4, new byte[1]).SetCommandName(text).SetReplyParamLength(3)
            .RemoveLogOutputTimings(CommunicationResult.Success);
        UnitCommandReply unitCommandReply = EtubeDataLinksUnitCommand.SendReceiveUnitCommand(unitCommandSetting);
        bool flag = unitCommandReply.Result == CommunicationResult.Success;
        bool flag2 = flag;
        if (flag2)
        {
            version = new Version(3, 4, 0);
            EtubeDataLinksLog.ReceiveNormalResponseLog((int)slotNo, text, new string[]
            {
                "version",
                version.ToString(3)
            });
        }
        return version;
    }
Picture
https://imgvibe.com/image/1-unlock-firmware-downgrade.spJQ
For The Nerds:
In version 4.7.7, Shimano makes the firmware tell E-tube which version of E-Tube it is expecting. In firmware 4.7.7, it asks for E-Tube Professional V5, the latest version. We make the software bypass this check when you click to rewrite the firmware to the bike, so in essence, the software thinks the firmware on the bike told it accepts v3.4.0. Even though it is actually saying, "I want v5.0.3 please!". Which is what it actually asks for if you reverse engineer the communications further.
Step 5 (Optional): Downgrading Firmware
- Search for "shimano firmware downgrade" on Google.
- Find the firmware for your bike which has a lesser version than 4.7.7.
- There is a lot of stuff there. It involves renaming the files to have a higher version number to trick the software into thinking they are the latest.
- Once you have the old firmware, navigate to C:\ProgramData\E-tube Project\FW (you may need to show hidden files and folders) and put the old, renamed firmware in here.
- Open E-Tube Professional normally.
- Click on the big black wire button on the right of the window above "Di2 ADAPTER FOR OTHER E-BIKE SYSTEM".
- Click Next.
- Wait for it to talk to the bike and know what devices it can see
- Click Ok if there is any popup.
- Click Complete.
- Scroll down and click "Rewrite firmware".
Some More Discussion For The Nerds
The SM-PCE02 communicates at baud 200,000. You can open a connection to it in Python like so:
Python:
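    import serial  # pyserial

    def open_sm_pce02():
        # Configure the port first, then open it
        ser = serial.Serial()
        ser.port = 'COM#'
        ser.baudrate = 2000000
        ser.timeout = 2.0
        ser.dtr = False  # keep DTR de-asserted when the port opens
        ser.open()
        return ser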
- The communication is sent in what is called a "DCAS frame"
- The first byte is the type of command.
- The second byte is the Slot Number to write to.
- The third and fourth bytes are the actual specified command.
- Some number of bytes after this are the parameters for the command (if there are any).
- A frame checksum is added at the end, which is computed in `CreateFCS()`.
- All these bytes are surrounded by `0xbb ...DATA... 0xbb`.
- Then, the message to be sent is padded by 0xFFs up to 128 bytes.
- Received messages are usually 64 bytes in length.
Anyway, enjoy going fast, don't kill yourself. I absolve any responsibility if you do, it is your choice to do these steps, not mine. Do your own research. I am not a lawyer.
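The weakness noted in the Step 1 "For The Nerds" section (an unlock key computed from the motor's serial number by a function that ships in the client) shown next to a per-device key derived from a secret the client never holds. This is an added example, not code from the post or from E-Tube; HMAC-SHA256 stands in for the AES step, and every name, label and value in it is constructed.

```python
import hashlib
import hmac
import os

def universal_key(serial: bytes) -> bytes:
    """Weak: the key is a fixed function of the serial (constructed stand-in)."""
    return hashlib.sha256(b"constructed-label" + serial).digest()

def per_device_key(master_secret: bytes, serial: bytes) -> bytes:
    """Hardened: the key also depends on a secret that never ships in a client."""
    return hmac.new(master_secret, serial, hashlib.sha256).digest()

def respond(key: bytes, challenge: bytes) -> bytes:
    # HMAC-SHA256 is an assumed stand-in for encrypting the random bytes with AES.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Device:
    """Device side: issues a fresh random challenge and accepts it once."""
    def __init__(self, key: bytes):
        self._key = key
        self._challenge = None

    def challenge(self) -> bytes:
        self._challenge = os.urandom(16)
        return self._challenge

    def unlock(self, response: bytes) -> bool:
        if self._challenge is None:
            return False
        expected = respond(self._key, self._challenge)
        self._challenge = None  # single use: a captured response cannot be replayed
        return hmac.compare_digest(expected, response)

SERIAL = b"CONSTRUCTED-SN-0001"  # constructed; a serial is readable, so not a secret
MASTER = os.urandom(32)          # constructed; would be held in a vendor-side HSM

def client_with_serial_only(device: Device) -> bool:
    """Everything a copy of the client software can do knowing only the serial."""
    return device.unlock(respond(universal_key(SERIAL), device.challenge()))

def authorised_backend(device: Device) -> bool:
    """A backend holding MASTER answers the challenge for an authorised session."""
    return device.unlock(respond(per_device_key(MASTER, SERIAL), device.challenge()))
```

With the per-device key, patching a client-side flag no longer yields a valid response, because the value the device checks cannot be computed from anything the client contains.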