Hi, your pictures arent very well.
I've attached what you want

Haven't seen this in this thread. Sry. So need to test a bit more to secure the solution even more.

As told, won't share for free because the correct solution was to much time effort.
It's tested in all known MSS60 and MSS65 sw-versions (only MT atm) and atm also running in 4 swap cars as standalone. True standalone .

Just to follow up on my Bricked MSS85 (M5) DME, and how I recovered it:

Bought KTAG clone off Ebay (You need KTAG, not KESS. Make sure it isn't coming with OBDII connectors.) Apparently a BDM100 off Aliexpress will work also (cheaper, longer to ship), or a Galletto 4 V54.

Opened, ECU, soldered pins on the BDM header connectors (pins came with KTAG).

Installed KTAG software, Make sure you install Visual C++ 2005 and reboot after install or you will get Checksum errors.

Read data from ECU to have a backup of what is there. If you get Checksum errors, STOP and fix them. The reads are worthless with these, and these reads could be important.

At least with KTAG it complained about the protocol being wrong for the right processor (instructions say 117, but it wanted 116). I just used the one it suggested and it worked fine. I believe this is a difference with the Siemens vs Continental DME builds (mine was an '08 and Continental).

Take you backup you made with MSS6X flasher (you did take one, right?), and use a hex editor to break it into 4 files. 0-0x7FFFF, 0x80000-0x27FFFF, 0x280000-0x2FFFFF, and 0x300000-0x4FFFFF. (512kb, 2048kb, 512, 2048)

The first block is the left MPC. The second is the Left External Flash. Third is right MPC, Fourth is right Ext Flash.
Flash these back to the DME. That should be it.

When I did this, I got a DME EWS error. My backup did not have the ISN in it. However, the ISN will be in your BDM backup that you took before you wrote. Open up the left micro backup file read by BDM. ISN is the 6 bytes at 0x7940. Move these to your your Flasher backup file and write back to the ECU.

Even better, make sure you read the ISN with MSS6X flasher before you even try to flash anything back. This will prove that the RSA bypass and everything is working.

You may want to just write to the Left Ext Flash first and the right MPC and flash, and see if you recover it. This will avoid overwriting the ISN if the left MPC is otherwise healthy.

I've now written back to the ECU many, many times with the MSS6X flasher program with no issues. I have no idea what failed, but it was a fluke based on my experience. I'm going to go see if I can find an obvious corruption between my BDM backup and what I was trying to write with the MSS6X flasher.

I thought you already had obd and bdm lock?

nop address 0x12A70 of injection
and 0x12C2C of ignition

as for bdm lock terra used a wiggler to set the
UC3FMCR from 43 FF 00 FF to 41 FF 00 FF

care to share your ews delete info?

OBD lock is easy? Share with us .
BDM Unlock? Where? just set micro config disable for read and write and it's ended.
Never test reading ram via this tool by running engine.

OBD lock is easy? Share with us .
BDM Unlock? Where? just set micro config disable for read and write and it's ended.
Never test reading ram via this tool by running engine.

Do you mean you want to sniff?

In which file size format you were working? This offset only can be in fullread... but in 3FExxx section there shouldn't be code .
Just a hint. The correct immo off (working and tested, without CAS Unit (in mss60 and mss65)) is in left side of ecu . Maybe other ways are possible but in left side.
Attach you several Rams of different versions of working DMEs from me

Search in the threader... addresses are written down before .


In which file size format you were working? This offset only can be in fullread... but in 3FExxx section there shouldn't be code .
Just a hint. The correct immo off (working and tested, without CAS Unit (in mss60 and mss65)) is in left side of ecu . Maybe other ways are possible but in left side.
Attach you several Rams of different versions of working DMEs from me

Anything in particular you're looking for? The app itself can dump the RAM