MSS6x Flasher - Now released!


  • dpaul
    replied
    Originally posted by terra

    I believe it's doable. Take a look at the attachment (extracted from: https://www.nxp.com/downloads/en/dev...MPC56X_GMD.zip)

    The change censor function is interesting. Said package includes an s19 file that I believe can be uploaded directly via BDM using something like a PEMicro. Unfortunately the hardware and corresponding software is not cheap. This post (in the context of an MPC555, but close enough) states the ClearSensor function can execute from RAM. So I think that's the ticket.

    Clearing censorship will wipe that internal flash. But between my app and my newly found ability to recover the EWS4 SK, that's fine.
    That's interesting! I've been waiting for a used PEmicro multilink interface to appear on eBay or something, but the MPC56x apparently needs the "FX" version, which seems to be rare.

    But even more interesting that you can recover the SK - will you share some information about that? Are you saying you can achieve a high enough level of authorization to read the SK from the DME via OBDII? Or that you know how to decrypt a CAS dump?

    Edit: I can post some production model MSS60 pictures if you still are interested. I have to pull the DME to get them but it's a nice day in Boston and like most, I'm stuck at home and pretty tired of Zoom lectures and conferences.
    Last edited by dpaul; 04-14-2020, 06:57 AM.



  • terra
    replied
    Originally posted by dpaul

    I wonder if there is something that can be done about BDM access. The Freescale data sheet for the MPC56x clearly defines a mechanism for hardware censorship of the internal flash (UC3F) by setting censorship bits in the UC3F EEPROM Configuration Register. Censorship explicitly applies to debug modes (BDM or NEXUS), when booting from external memory or while under control of an external master. It seems like a simple mechanism that BMW might have employed to frustrate their customers. Perhaps you've already thought about this and could explain why it might or might not be a viable approach.

    One technical problem is that in-circuit debugging tools are necessary to access and set bits, something like CodeWarrior and a PEmicro USB FX hardware interface. It's not clear to me from casual inspection of the data sheet but the shadow register censorship bits might not ever be accessible. In any case, I don't have such tools and their cost is not trivial. Second problem is that censorship cannot be cleared without loss of flash memory contents. So if you don't know your SK/ISN, and don't know how to retrieve it from the CAS3+ where it is encrypted (which I do not), you will never be able to start your car (unless you know how to defeat EWS, which I do not).
    I believe it's doable. Take a look at the attachment (extracted from: https://www.nxp.com/downloads/en/dev...MPC56X_GMD.zip)

    The change censor function is interesting. Said package includes an s19 file that I believe can be uploaded directly via BDM using something like a PEMicro. Unfortunately the hardware and corresponding software is not cheap. This post (in the context of an MPC555, but close enough) states the ClearSensor function can execute from RAM. So I think that's the ticket.

    Clearing censorship will wipe that internal flash. But between my app and my newly found ability to recover the EWS4 SK, that's fine.


  • dpaul
    replied
    Originally posted by terra

    No idea. I don't have an MSS60 to compare the board to, though a friend said he'll try to get me good pictures tonight.

    I know MSS60 uses EWS4 and MSS65 uses EWS3, and there are some component changes due to that (EWS3 uses unidirectional communication while EWS4 uses bidirectional). EWS4 is supposed to be able to fall back to the CAN-bus though, so that in itself might not be a big issue.

    What I don't know is if there are hardware differences for things like the ionic module or if it's just purely software.

    Really wish we could do something about the BDM access short of replacing the whole CPU.

    I wonder if there is something that can be done about BDM access. The Freescale data sheet for the MPC56x clearly defines a mechanism for hardware censorship of the internal flash (UC3F) by setting censorship bits in the UC3F EEPROM Configuration Register. Censorship explicitly applies to debug modes (BDM or NEXUS), when booting from external memory or while under control of an external master. It seems like a simple mechanism that BMW might have employed to frustrate their customers. Perhaps you've already thought about this and could explain why it might or might not be a viable approach.

    One technical problem is that in-circuit debugging tools are necessary to access and set bits, something like CodeWarrior and a PEmicro USB FX hardware interface. It's not clear to me from casual inspection of the data sheet but the shadow register censorship bits might not ever be accessible. In any case, I don't have such tools and their cost is not trivial. Second problem is that censorship cannot be cleared without loss of flash memory contents. So if you don't know your SK/ISN, and don't know how to retrieve it from the CAS3+ where it is encrypted (which I do not), you will never be able to start your car (unless you know how to defeat EWS, which I do not).
    Last edited by dpaul; 04-14-2020, 03:33 AM.



  • Martyn
    replied
    I've successfully read out partials and fulls from my bench MSS65 with this with no issues. I have flashed back modified partials with no issues over CAN so far (using a Bimmergeeks cable).



  • Dash1
    replied
    Originally posted by terra

    Cool - is he willing to sign up and get in touch with me?
    Yes, I'll pm you when he's signed up



  • terra
    replied
    Originally posted by snowcarver
    Interested in testing too! I've got a MSS60 in the garage and have a good bit of experience with BDM flashing/recovery if necessary. I have a bench setup as well. Please PM me details!
    Sent you a PM.

    And for everyone who has the app, please give me some feedback as soon as possible.



  • snowcarver
    replied
    Interested in testing too! I've got a MSS60 in the garage and have a good bit of experience with BDM flashing/recovery if necessary. I have a bench setup as well. Please PM me details!



  • terra
    replied
    Originally posted by Dash1
    I have a friend with an e60 m5 who’s interested!
    Cool - is he willing to sign up and get in touch with me?



  • Dash1
    replied
    I have a friend with an e60 m5 who’s interested!



  • dpaul
    replied
    Bravo! Much faster than KessV2! Love to try it but my MSS60 (from MY 2011) is not BDM accessible so I'll have to restrain myself.

    I wanted to ask whether the MSS65 flashed with MSS60 code will run the S65 engine? I know this has been discussed before but I do not recall if anyone actually went the distance and tried it.



  • terra
    replied
    Sent out PMs to those who expressed interest

    Originally posted by SYT_Shadow
    This looks awesome. Unfortunately my E9X M3s are 2011 and 2013!

    Good to hear from you terra !!! Long time no see
    Yeah so the application will work on even later MSS60s, it's just there's no recovery options should something drastically go wrong. I don't *think* there are any permabrick bugs left in the application, but I'll feel more comfortable about that when I have a few people with recoverable DMEs confirming that they did not have to recover anything.



  • terra
    replied
    Cool, I'll send out PMs shortly. Just converting my DME back into an MSS65 to make sure I didn't break anything while fixing things up for the MSS60.



  • hansbrix
    replied
    Interested, I have a few M5s. PM sent.



  • Obioban
    replied
    Awesome



  • Da Jemster
    replied
    🙋‍♂️ I'm all stock (well...just AFE intake)
