Announcement

Collapse
No announcement yet.

MSS60 OBD locked

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    MSS60 OBD locked

    Hi,

    I tried to read via OBD the MSS60 of friend which has an ESS tuning compressor on his engine but it seems to be OBD locked. MSS6x flasher succeeds to identify the ECU but when I click on “Read Tune”, I have “Something went wrong, please try again” (see picture attached). terra do you know what can cause this message ?

    Unfortunately this DME (2008) is injection BDM locked, so I was only able to read the ignition external and processor memories.

    Does someone have a solution to read the injection memories ? I know it is quite a challenge via BDM.

    Strangely, INPA says that I have a 240E program (AIF area) but in the ignition binary it is a 231E program as MSS6x says. Is 231E program a custom program "created" by ESS tuning ? Can it causes my OBD read problems ?
    Attached Files
    Last edited by MpowerE36; 07-09-2021, 01:50 PM.
    https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA

    #2
    A lot of tuners downgrade DMEs to 231E for some reason. Dinan did so as well.

    I don't think there's a feasible way to extract the data from your DME. Just to be sure, are you able to read other DMEs with the application?

    Comment


      #3
      Originally posted by terra View Post
      A lot of tuners downgrade DMEs to 231E for some reason. Dinan did so as well.

      I don't think there's a feasible way to extract the data from your DME. Just to be sure, are you able to read other DMEs with the application?
      Yes I did a full backup of my MSS60 (240E program) with your soft without any problems.

      Is it possible to overwrite the program and the tune with an OEM 240E to unlock the reading by OBD ?
      https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA

      Comment


        #4
        No. On these DMEs, erasing the program section automatically erases the tune. If I knew what they did to lock the reads, then I might be able to figure out a work around, but without having a dump from a BDM unlocked DME, that's difficult to solve.

        *probably* wouldn't be impossible to dump using some sort of glitching attack, but developing such an attack is beyond my capabilities.

        Comment


          #5
          I don't understand why it would be a problem to erase the 231E program and tune via OBD (if it is possible, I haven't tried yet) and then flash back an OEM 240E program and tune. Maybe It would unlock the DME because I guess the trick is in the program or in the tune. Before I opened it, the DME never seems to have been opened, so the bootloader must be stock.

          If someone has an OEM 231E program and tune maybe it will be possible to find the trick because I have the full ignition part extract via BDM (if the trick is in the ignition section too).
          https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA

          Comment


            #6
            I got this E231 (I think I should got all versions) but Iam awarded a bit to offer it because in few times I would offer EWS / CAS Delete by martyn tool and we also will insert obd lock (also bdm lock will comes but need some more testing).

            Comment


              #7
              I have an unlocked 231E program saved somewhere. Maybe I can figure out the lock looking at your ignition dump. Though I don't have nearly as much free time as I used to back when I built the app in the first place.

              Comment


                #8
                Originally posted by terra View Post
                I have an unlocked 231E program saved somewhere. Maybe I can figure out the lock looking at your ignition dump. Though I don't have nearly as much free time as I used to back when I built the app in the first place.
                terra so could you share your 231E program ?
                https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA

                Comment


                  #9
                  Does someone know if it is possible to clear a bit in the flash memory without erasing it with Tool32 or direct DS2 commands ?

                  I succeed to put my ECU in programming mode, then do a "flash_schreiben_adresse" (return OKAY) but when I do a "flash_schreiben" I have ERROR_ECU_TRANSFER_ABORTED.

                  Maybe the program check that you have done a "flash_loeschen" before doing a "flash_schreiben" or maybe check that the byte at the address we want to write is 0xFF before flashing ?

                  Indeed, I've found what bits to clear in order to recover the OBD readiness but I need to clear them via OBD.
                  Last edited by MpowerE36; 09-11-2022, 11:54 AM.
                  https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA

                  Comment


                    #10
                    I've finally succeeded to unlock the OBD readiness without erasing the data section in the injection processor. I've created a custom subroutine in the program section of the external eeprom (written via bdm) which clears some specific bits in the program section of the flash memory of the injection processor in order to recover the OBD readiness. I call this custom subroutine thanks to Tool32.

                    I have to admit that a bdm locked processor with this obd locked trick is almost inviolable.
                    Last edited by MpowerE36; 10-09-2021, 11:55 PM.
                    https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA

                    Comment


                      #11
                      Originally posted by MpowerE36 View Post
                      I've finally succeeded to unlock the OBD readiness without erasing the data section in the injection processor. I've created a custom subroutine in the program section of the external eeprom (written via bdm) which clears some specific bits in the program section of the flash memory of the injection processor in order to recover the OBD readiness. I call this custom subroutine thanks to Tool32.

                      I have to admit that a bdm locked processor with this obd locked trick is almost inviolable.
                      Thanks for the direction from the other thread to this one. Do you have this subroutine available or does it have to be done custom per unit?

                      Essentially, like your first post, i just want to unlock the ess tune and then use mss65 to delete the SAP while keeping the ess tune, if that's possible.

                      Comment


                        #12
                        Your ess tune is currently in a mss60 or a mss65 ?
                        https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA

                        Comment


                          #13
                          MpowerE36 Its a mss60 an 09 m3

                          Comment


                            #14
                            MpowerE36 Do you know how these tuners are locking obd reading after flashing mss60 dme with iflash? I'd like to try loading a file onto the mss60 with mss60flasher and block the ability to read the ecu with obd tools.

                            Comment


                              #15
                              There are many ways to lock the obd readiness. Adrianj73 gives to you a way to lock it in the topic you made.
                              https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA

                              Comment

                              Working...
                              X