Announcement

**omhl** · 04-20-2020, 04:26 PM

I had an ESS tune prior, I flashed it back to stock using WINKFP Prog Update. 241E

I then did a full READ. then loaded that flash in for the RSA SLOW.

I tried changing some DTC supression in HEX editor using the 2nd full bin read after rsa and saved it.

However, now when i try to load the editted full binary - it says file full file is invalid or something?

I load up the original saved full binary and the RSA bypass full binary and both loads ok tho.

Any ideas whats going on? Is there a difference between full read slow and full read button on main menu. I'm looking at the differences between full reads from before and AFTER the RSA bypass reads and it seems like there are a few things changed. Trying to troubleshoot this some more from looking at the differences between the files.

I'm guessing I'm failing one of the sanity checks:

Added sanity checks for loaded files.
Tunes
- Check that SW reference is compatible with installed program
- Check that injection and ignition tunes are of the same version
- Check that injection and ignition tunes are in the correct order
Full writes:
- Check that Program Reference is compatible with DME hardware
- Check that injection and ignition programs are of the same version
- Check that a tune is loaded in the binary and passes above tune checks

**terra** · 04-20-2020, 05:00 PM

Did you edit the fresh 241E flash or did you edit the ESS tune? If the latter, was the ESS tune on 241E?

What were the actual changes you made? You can PM them to me if you don't feel comfortable sharing publicly.

**omhl** · 04-20-2020, 05:29 PM

I did the edits off the fresh 241E flash. the ess was on 240e and I didn't want that.

Did a little more troubleshooting and I got a bit further, i looked at the surrounding hex (for the addresses that I thought I knew) for some of the editing to verify my suspicion, I noticed that some of them were matching. However, for some other ones its different.
Apparently some of the offsets for a few mappings for this 2008 m3 dme is different than another 2011 m3 dme that I worked on. They are both on 241E which is weird.

So, it seems like its not a problem with your program but rather I was expecting tables and things to be in the same spot for all years of E9X M3 since its all on 241e. haha your program correctly identified that I incorrectly editing wrong parts for this 2008.
Are there variants of e9x M3s?

some observations:
+70000 offset for the FGTECH reads
Tables that seem to match up:

Speed Limiter xb128 8x1
RPM x6062 6x1
Vanos Admission xa862 16x12
Vanos Admission Heating xabd6 16x2

going to try to compare the 2008 and 2011 and see if I can get the address offsets correctly manually.

**terra** · 04-20-2020, 05:57 PM

Hmm, 241E should be 241E, weird. Some values might vary year to year, but they should still be in the correct locations - I can't really explain why the program was tripping up unless your changes were to things I check for consistency.

For the tune, I check the following:

0x0 -> 0x7 and 0x10000 -> 0x10007 are 5A5A5A5ACCCCCCCC (this check failing will throw a "not a valid tune" message)
The strings at 0x256 and 0x10256 are equal to each other and match the program version (and I don't check. the 3rd digit - i.e 240E vs 241E, since the DME doesn't actually care if those differ between the tune and program -- in fact, you'll find a stock 241E flash will still call itself 240E in the tune)
And I make sure that each half is in the correct order (0x252 == 1, 0x10252 == 2).

If those are all true, it *should* accept the tune.

For a full read, if you were getting the "not a valid program" message, then that means either 10000 -> 10007 or 290000 -> 2900007 were not equal to 5A5A5A5A33333333

**omhl** · 04-20-2020, 08:45 PM

I'll check into this again tommorow. my eyes hurt from looking at hex and tunerpro is being glitchy so it might be from that as well.
i have a mix of frieling, alienkess, and fgtech bins so its possible i'm mixing them up.

**Martyn** · 04-20-2020, 10:38 PM

When you flashed back to stock did you use comfort mode? If so, did you tick the ‘force program programming in comfort mode’? Every time I’ve had to flash a tuned E92 I’ve had to revert the program space before it would accept another tune.

**omhl** · 04-21-2020, 10:26 AM

Yep, comfort mode. I did a Program Update 7848137 to 7854376. So I'm fairly confident that the entire program space was overwritten.

i'll give another crack at this. Terra's post #79 is really helpful

It was a problem with my XDF lol. sorry user mistake and reminds me that I need to double check my work.

**terra** · 04-22-2020, 06:14 PM

Minor update to the app. Only new function is when you read the ISN from the MSS65, it'll show the CAS format in addition to the DME format (like below). Otherwise some typo fixes.

**omhl** · 04-22-2020, 07:20 PM

Is there flash counter for MSS60 using your tool? I know in WINKFP UIF writes records it or something.

I shoulda asked that first before going ham.

**terra** · 04-22-2020, 07:22 PM

Originally posted by omhl View Post

Is there flash counter for MSS60 using your tool? I know in WINKFP UIF writes records it or something.

I shoulda asked that first before going ham.

MSS6x doesn't have a flash counter. There is a UIF limit unlike some other newer BMW DMEs, but this app won't touch the UIF. Even if you did max out the UIF limit, you could still flash the DME, you just wouldn't be able to change the reported software number, VIN, etc.

**MSSAddict** · 04-22-2020, 07:38 PM

terra hi
I'm waiting for my D-CAN bimmergeek cable, for now I have read my partial file and my fullbinary, if I want to flash a modified partial file (by myself), I have to load the new partial file, then on #advanced # then I have to flash the RSA BY PASS (slow), I wait about 15 min for it to be finished, and I can flash my new modified partial file, is that correct please?
the tool is new I discover the software 😅
Thank you to you and to all the people who participated from the loan or from far away in this fabulous tool

**terra** · 04-22-2020, 07:44 PM

If you have an MSS65, then all you have to do is flash the modified partial. No need to mess with any RSA Bypass or anything like that. For an MSS60, you need the RSA Bypass. Fast version will take about 12-15 minutes, slow version will take about twice as long. End result should be the same either way.

If your car is a D-CAN car (September 2007 or newer E60/E63, or any E9x M3), then you need the bimmergeeks cable in order to do a flash.

**MSSAddict** · 04-22-2020, 07:44 PM

Martyn
And I also want to thank Martyn who always answers questions with passion, he’s a very serious and very helpful person, he also develops fantastic tools
thx
Chris///

**MSSAddict** · 04-22-2020, 07:51 PM

terra
Thank you for your quick reply
I preferred to buy a bimmergeek cable all the same, if I flash a Fullbinary of 5120ko which I modified with the tool of Martyn , should I flash the RSA By Pass for a fullbinary please?or just flash directly as a partial file?
thank You

**omhl** · 04-22-2020, 07:51 PM

Originally posted by MSSAddict View Post

terra hi
I'm waiting for my D-CAN bimmergeek cable, for now I have read my partial file and my fullbinary, if I want to flash a modified partial file (by myself), I have to load the new partial file, then on #advanced # then I have to flash the RSA BY PASS (slow), I wait about 15 min for it to be finished, and I can flash my new modified partial file, is that correct please?
the tool is new I discover the software 😅
Thank you to you and to all the people who participated from the loan or from far away in this fabulous tool

You have to read your full binary then load the same full binary you just read then press RSA BYPASS SLOW. What it does is that it takes your FULL BIN you just read and changes some values for checksum. I actually compared the read before and after RSA bypass so I know the full binary gets changed after the bypass. From what I read from past, the way the algo tricking works is that checksums runs for x amount of time on a section of the program space - all the rsa bypass does is it tricks it into calculating it correctly until time runs out?

If you are going to be writing full programs in future , you will need to do another full read to get the full binary with RSA bypass intact in your read. Your original full read will not have the RSA bypass.
I would do it just to have a backup anyways.

Otherwise, you can work off your partial binary and flash tunes. cuz your not working in the program space anymore.

At least this is from what I understand.

Announcement

MSS6x Flasher - Now released!

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment