Announcement

Collapse
No announcement yet.

MSS6x Flasher - Now released!

Collapse
This is a sticky topic.
X
X
Collapse
 
  • Page of 31
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 3 13 23 31 template Next
  • CF-CarParts Motorsport
    replied
    If we share how to OBD lock, do you share how to do an immo off ?
    Nope. I already got obd and bdm lock solution. Only waiting for martyn to mod his tool to implement immo off solution there. But will not be free and also with custom code vin lock (still testing this).

    as for bdm lock terra used a wiggler to set the
    UC3FMCR from 43 FF 00 FF to 41 FF 00 FF
    Haven't seen this in this thread. Sry. So need to test a bit more to secure the solution even more.

    care to share your ews delete info?
    As told, won't share for free because the correct solution was to much time effort.
    It's tested in all known MSS60 and MSS65 sw-versions (only MT atm) and atm also running in 4 swap cars as standalone. True standalone .

    Leave a comment:

  • ZiMMie
    replied
    Originally posted by hobbit382 View Post

    I thought you already had obd and bdm lock?

    nop address 0x12A70 of injection
    and 0x12C2C of ignition

    as for bdm lock terra used a wiggler to set the
    UC3FMCR from 43 FF 00 FF to 41 FF 00 FF

    care to share your ews delete info?


    I'll try to get you a ram read this weekend (motor running).
    • Likes 1

    Leave a comment:

  • hobbit382
    replied
    Originally posted by CF-CarParts Motorsport View Post
    OBD lock is easy? Share with us .
    BDM Unlock? Where? just set micro config disable for read and write and it's ended.
    Never test reading ram via this tool by running engine.
    I thought you already had obd and bdm lock?

    nop address 0x12A70 of injection
    and 0x12C2C of ignition

    as for bdm lock terra used a wiggler to set the
    UC3FMCR from 43 FF 00 FF to 41 FF 00 FF

    care to share your ews delete info?



    • Likes 2

    Leave a comment:

  • MpowerE36
    replied
    Originally posted by CF-CarParts Motorsport View Post
    OBD lock is easy? Share with us .
    BDM Unlock? Where? just set micro config disable for read and write and it's ended.
    Never test reading ram via this tool by running engine.
    If we share how to OBD lock, do you share how to do an immo off ?

    You just have to locate RAM_lesen function in the program. After that it is easy.

    Leave a comment:

  • CF-CarParts Motorsport
    replied
    obd read lock is easy, and now that terra has posted the info to bdm unlock, I feel a few could follow those footsteps to bdm lock both sides.
    OBD lock is easy? Share with us .
    BDM Unlock? Where? just set micro config disable for read and write and it's ended.
    Never test reading ram via this tool by running engine.

    Leave a comment:

  • hobbit382
    replied
    Originally posted by CF-CarParts Motorsport View Post
    Do you mean you want to sniff?
    no, just a ram read while the engine is running.

    I’m able to correct checksums manually, but now that terras flasher is available, it corrects automatically.

    obd read lock is easy, and now that terra has posted the info to bdm unlock, I feel a few could follow those footsteps to bdm lock both sides.

    thanks again for sharing the ram dumps.


    Leave a comment:

  • CF-CarParts Motorsport
    replied
    do you happen to have any dumbs with the vehicle running? I haven’t tried to do a ram read on a running vehicle, but I’m assuming you can?
    Do you mean you want to sniff?
    In attachment a really old one (060E).

    The biggest problem for me was checksum after changed values for immo delete. This takes most of time to figure out and solve it correctly.
    After was to integrate full obd and bdm lock + VIN lock.

    Injection (left) Internal flash - 512KB
    Injection (left) External flash - 2MB
    Ignition (right) Internal flash - 512KB
    Ignition (right) External Flash - 2MB
    Attached Files
    Last edited by CF-CarParts Motorsport; 08-10-2021, 05:51 AM.

    Leave a comment:

  • hobbit382
    replied
    Originally posted by CF-CarParts Motorsport View Post


    In which file size format you were working? This offset only can be in fullread... but in 3FExxx section there shouldn't be code .
    Just a hint. The correct immo off (working and tested, without CAS Unit (in mss60 and mss65)) is in left side of ecu . Maybe other ways are possible but in left side.
    Attach you several Rams of different versions of working DMEs from me
    the ram starts at 3F8000, offset that value to get the address from terras ram read since it’s only reading the ram.

    thank you for the dumps, I’m not seeing the values I expected, but it is helpful.

    do you happen to have any dumbs with the vehicle running? I haven’t tried to do a ram read on a running vehicle, but I’m assuming you can?
    Last edited by hobbit382; 08-10-2021, 04:51 AM.

    Leave a comment:

  • andriym6
    replied
    Originally posted by CF-CarParts Motorsport View Post
    Search in the threader... addresses are written down before .


    In which file size format you were working? This offset only can be in fullread... but in 3FExxx section there shouldn't be code .
    Just a hint. The correct immo off (working and tested, without CAS Unit (in mss60 and mss65)) is in left side of ecu . Maybe other ways are possible but in left side.
    Attach you several Rams of different versions of working DMEs from me
    Thank you for point me. Read full thread but some reason missed it.

    Sent from my SM-N960U using Tapatalk

    Leave a comment:

  • CF-CarParts Motorsport
    replied
    Can you share how to recover through the BDM. I order ktag but don't know how to splice backup file to write in the left and right processor.
    Thank you.
    Search in the threader... addresses are written down before .

    a year ago I was able to get a mss60 to start off a used dme by forcing 3FEB12 to 0. It ran but ran rough and threw a bunch of faults. I thought might have been checksum related. Due to the flash times with kess and not having a test vehicle I left it at that until I found your amazing app. Then I realized it’s not a checksum issue and need to find different way to bypass ews.

    I’m trying to see the values of 3FCEE0 and 3FCEE1 which I believe to be ews_st and ews_stw_st

    also 3FEB10 would be helpful.
    In which file size format you were working? This offset only can be in fullread... but in 3FExxx section there shouldn't be code .
    Just a hint. The correct immo off (working and tested, without CAS Unit (in mss60 and mss65)) is in left side of ecu . Maybe other ways are possible but in left side.
    Attach you several Rams of different versions of working DMEs from me
    Attached Files
    Last edited by CF-CarParts Motorsport; 08-10-2021, 02:33 AM.
    • Likes 1

    Leave a comment:

  • hobbit382
    replied
    Originally posted by terra View Post

    Anything in particular you're looking for? The app itself can dump the RAM
    working on ews delete. I need a ram read from a working dme, maybe even a ram read from a running vehicle?

    a year ago I was able to get a mss60 to start off a used dme by forcing 3FEB12 to 0. It ran but ran rough and threw a bunch of faults. I thought might have been checksum related. Due to the flash times with kess and not having a test vehicle I left it at that until I found your amazing app. Then I realized it’s not a checksum issue and need to find different way to bypass ews.

    I’m trying to see the values of 3FCEE0 and 3FCEE1 which I believe to be ews_st and ews_stw_st

    also 3FEB10 would be helpful.

    Leave a comment:

  • andriym6
    replied
    Originally posted by MpowerE36 View Post
    My feedback on MSS6x flasher and Bimmergeeks cable. I did approximately 10 program flashes without problems. Then I tried another program flash but the writing had stopped for no reason during the "injection program region 2". The progression bar of MSS6x flasher had stopped to progress and the led of the Bimmergeeks cable had stopped flashing. I don't know what was the problem.

    Now, I am going to try to recover it via bdm.
    Can you share how to recover through the BDM. I order ktag but don't know how to splice backup file to write in the left and right processor.
    Thank you.

    Sent from my SM-N960U using Tapatalk

    Leave a comment:

  • terra
    replied
    Originally posted by hobbit382 View Post
    I just stubbled across this. Terra you are amazing. This flasher is so much better than using kess.

    does anyone happen to have a ram read they would mind sharing?
    Anything in particular you're looking for? The app itself can dump the RAM

    Leave a comment:

  • hobbit382
    replied
    I just stubbled across this. Terra you are amazing. This flasher is so much better than using kess.

    does anyone happen to have a ram read they would mind sharing?

    Leave a comment:

  • MpowerE36
    replied
    My feedback on MSS6x flasher and Bimmergeeks cable. I did approximately 10 program flashes without problems. Then I tried another program flash but the writing had stopped for no reason during the "injection program region 2". The progression bar of MSS6x flasher had stopped to progress and the led of the Bimmergeeks cable had stopped flashing. I don't know what was the problem.

    Now, I am going to try to recover it via bdm.
    Last edited by MpowerE36; 08-06-2021, 01:15 PM.

    Leave a comment:

Previous 1 3 13 23 31 template Next
Working...
X