BMW F Series Gear Selector, Part One: Failures

www.projectgus.com · zdw · one year ago
If you're here to find out which CAN messages control a BMW F series GWS (gear selector) module, skip this post and read the later parts; this one is about the approaches that didn't work.

The BMW documents note that PT-CAN2 is a redundant link, so we can hope it carries the same messages as PT-CAN for the three connected modules. The first two bytes of each message change every time it is sent; they are probably an in-message checksum and a "counter" value that other modules use to ignore accidentally repeated or "stuck" messages.

Maybe BMW has reused the message IDs or formats from the earlier generation? The E60 lever sends status on ID 0x198 and this lever sends status on 0x197, which seems hopeful. But even sending variations on the E60 message IDs and payloads, my GWS continued to stare back at me, blank and unresponsive.

It's possible to do a little better than sending purely random CAN messages. If one byte of the message is probably a checksum, then instead of guessing all eight bytes at once we can hold the rest of the frame fixed and sweep only that byte through every value from 0x00 to 0xFF (256 frames rather than 2^64), then move on to sweeping the next byte, and so on. Two things complicate this: if the checksum also covers the counter byte, the counter has to be handled so that the receiver neither sees a "stuck" value nor a checksum computed over the wrong counter; and the sweep still needs some feedback that tells an accepted frame from a rejected one, which a silent GWS does not give.

In my case, I was thinking of differential power analysis: closely measure the power consumption of the chip under two different conditions (here, a valid CAN message received versus an invalid one) and use the difference as a feedback function to guess valid CAN messages. Using a power trace as an accept/reject oracle in this way is closer to simple power analysis than to DPA's statistical key recovery, but the idea is the same: a frame that passes the module's checks should cost it measurably different work from one it drops.
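The checksum-byte sweep described above, as an added example that is not code from the original post. The frame layout (byte 0 checksum, byte 1 counter), the simulated receiver's XOR checksum rule and its "stuck counter" behaviour, and the sample payloads are all assumptions constructed for the example; the real GWS layout and checksum algorithm are not given on this page. Only the CAN ID 0x197 comes from the post.

```python
from typing import Callable, Iterator, List, Optional, Tuple

# Frame layout ASSUMED for this example (the post only says the first two
# bytes change on every message): byte 0 = checksum, byte 1 = counter,
# bytes 2..7 = the fields we actually want to probe.  Not confirmed for the GWS.
CHECKSUM_POS = 0
COUNTER_POS = 1


def sweep_frames(payload: bytes, counters: Tuple[int, int] = (0, 1)) -> Iterator[bytes]:
    """Yield frames that vary only the checksum byte; everything else is fixed.

    If the checksum covers the counter, the counter must stay fixed while the
    checksum is swept, but a receiver that drops repeated ("stuck") counters
    would then ignore every frame after the first.  So two sweeps with two
    different counter values are interleaved: consecutive frames never share a
    counter, yet each sweep still visits all 256 checksum values.
    That is 512 frames per candidate payload instead of 2**64 random ones.
    """
    if len(payload) != 6:
        raise ValueError("expected the 6 payload bytes that follow checksum and counter")
    a, b = counters
    if a == b:
        raise ValueError("the two counter values must differ")
    for guess in range(256):
        yield bytes([guess, a]) + payload
        yield bytes([guess, b]) + payload


def brute_force_checksum(payload: bytes, accepts: Callable[[bytes], bool]) -> Optional[Tuple[int, int, int]]:
    """Feed the sweep to an accept/reject oracle (a module response, a power trace, ...).

    Returns (counter, checksum, frames_sent) for the first accepted frame, or
    None if no single checksum byte makes this payload acceptable.
    """
    for sent, frame in enumerate(sweep_frames(payload), start=1):
        if accepts(frame):
            return frame[COUNTER_POS], frame[CHECKSUM_POS], sent
    return None


class SimulatedReceiver:
    """Stand-in for a module we cannot see inside.  Its rules are HYPOTHETICAL,
    chosen only so the search has something to find: a frame is dropped if its
    counter equals the previous frame's counter ("stuck" message) and otherwise
    accepted only if byte 0 equals the low byte of the CAN ID XORed with bytes
    1..7.  The real GWS rule is unknown to this example.
    """

    def __init__(self, can_id: int) -> None:
        self.can_id = can_id
        self.last_counter: Optional[int] = None
        self.accepted: List[bytes] = []

    def expected_checksum(self, frame: bytes) -> int:
        acc = self.can_id & 0xFF
        for byte in frame[COUNTER_POS:]:
            acc ^= byte
        return acc

    def receive(self, frame: bytes) -> bool:
        """Oracle: True if the simulated module would act on this frame."""
        if len(frame) != 8:
            return False
        counter = frame[COUNTER_POS]
        repeated = counter == self.last_counter
        self.last_counter = counter
        if repeated or frame[CHECKSUM_POS] != self.expected_checksum(frame):
            return False
        self.accepted.append(bytes(frame))
        return True


def fit_xor_constant(frames: List[bytes]) -> Optional[int]:
    """Cheapest hypothesis to test once a few frames have been accepted:
    is checksum == K ^ bytes[1..7] for a single constant K?  Returns K if
    every accepted frame agrees, else None (then try CRC variants next).
    """
    constants = set()
    for frame in frames:
        k = frame[CHECKSUM_POS]
        for byte in frame[COUNTER_POS:]:
            k ^= byte
        constants.add(k)
    return constants.pop() if len(constants) == 1 else None


def demo() -> Tuple[List[Optional[Tuple[int, int, int]]], Optional[int]]:
    """Run the sweep against the simulated module for two constructed payloads."""
    rx = SimulatedReceiver(can_id=0x197)  # ID from the post; the payloads are made up
    payloads = [bytes([0x0E, 0, 0, 0, 0, 0]), bytes([0x20, 0x01, 0, 0, 0, 0])]
    results = [brute_force_checksum(p, rx.receive) for p in payloads]
    return results, fit_xor_constant(rx.accepted)


if __name__ == "__main__":
    found, constant = demo()
    for hit in found:
        print("accepted after %d frames: counter=0x%02X checksum=0x%02X" % (hit[2], hit[0], hit[1]))
    print("XOR-constant hypothesis:", None if constant is None else hex(constant))
```

The search itself never needs to know the checksum algorithm; it only needs the oracle. Against the real module the `accepts` callable would wrap whatever feedback is available, and the accepted frames collected this way are the input for working out the actual algorithm afterwards.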