Just noticed this in the Macgraigor FAQ:

Yeah, I saw the usual internet badasses who claimed that had some knowledge of the dark arts and could do it. But no one who said how.

Even if I do come up with a good script (effectively all I did was disable the watchdog and then follow the steps in the reference manual on setting / clearing the censor), I do think this is unfortunately a bit beyond most people. Fewer and fewer people own desktops nowadays, which is pretty much required for the PCIe parallel port (USB will not work). I guess an expresscard parallel port should work, but how many laptops even have expresscard nowadays? Thunderbolt to PCIe or exprescard adapters do exist, but at that point you may as well buy the more expensive pemicro stuff.

And the reality is even back when they were mainstream, parallel ports have always been notoriously finicky - there will be trouble shooting involved no matter what.

Ha I saw the ECP part, but I didn't notice the "simple uni-directional device" part. I guess that must relate to individual pin behavior rather than the device as a whole? In any case, I did have to force the virtual bios to "output only" rather than bidirectional or EPP.

So looking into the shadow memory a little bit more, there may indeed be a difference between MSS60 and MSS65 there.

On my MSS65, the first 4 bytes (UC3FCFIG) are set to 0, everything else is FF. This is the case for both processors.

On my MSS60, the injection side was impossible to read. On the ignition side, the first 4 bytes are set to 20 41 00 00

The differences translate to:

Bus pins drive strength — This bit determines the bus pins’ (address, data, and control) driving capability to be either full or reduced drive. The bus default drive strength is full; upon default, it also causes the CLKOUT drive strength to be full. See Table 6-7 for more information. BDRV controls the default state of COM[1] in the SIUMCR. 0 Full drive 1 Reduced drive
-MSS65 = Full drive
-MSS60 = Reduced drive

Debug pins configuration — See Section 6.2.2.1.1, “SIU Module Configuration Register (SIUMCR)” for this field definition. The default value is that these pins function as: VFLS[0:1], BI, BR, BG and BB. See Table 6-8.
-MSS65 = VFLS[0:1] BI BG BR BB
-MSS60 = VFLS[0:1] STS VF0 VF1 VF2

Interlock write select — This bit determines which interlock write operation should be used during the clear censorship operation. IWS always comes from the UC3FCFIG, it will never use the external reset configuration word (RSTCONF=0) or the default internal reset configuration word (RSTCONF=1 and HC=1). 0 Interlock write is a write to any UC3F array location 1 Interlock write is a write to the UC3FMCR register.
MSS65 = 0 (Interlock write = write to any UC3F array)
MSS60 = 1 (Interlock write = write to UC3FMCR register)


I don't know for sure how much of a difference any of that stuff makes, and whether or not I should assume the injection / ignition sides should be set the same. I feel like best would be to get a dump of a factory unlocked one, but that's easier said than done without buying one myself.

So interestingly, my DME managed to relock itself.

What I had done: Wrote ignition side's shadow memory to injection side, wrote a "virgin" flash to me DME (blank SK, blank AIF), wrote a new AIF entry with WinKFP, wrote and locked a new SK with tool32. I suspect that last bit triggered a lock routine, but it's hard to say for sure.

Edit: Pretty sure it's writing (or more likely locking) the SK via tool32 command that locked the CPU. Makes some sense that they'd be delivered to BMW in an unlocked state and only lock themselves after the SK is burned in. With the ability to read full dumps and unlock it doesn't really matter, but I'd say just write the SK at the time of the BDM programming instead of waiting to do it in tool32.

So for whatever it's worth, I got myself a Cyclone MAX and while in theory it could work great, currently it does not.

I can get it to clear the censor bits (03 -> 00), but it errors out when trying to set it to 1 or 2 (or even back to 3 for that matter). If I set it via wiggler, the cyclone is happy to program the flash, and it is far faster than any of the automotive interfaces I've tried. However it errors out on the external flash despite selecting the correct chip... so that limits its usefulness. I suspect same will apply for the Multilink BDM / FX interfaces.

I posted on PEMicro's forums, maybe they can get a patch going. We'll see.

edit:

On another note, my neighbor let me borrow his e92 M3 to mess with. Cloned his ECU onto my bench MSS60 and threw it in the car - starts right up like it belongs.

Does anybody know if the bdm ports on the MSS60 are the same as listed here?How about the processors?
Which one is locked? Left or right regarding the picture? Is it ignition or injection?

I'm starting to play with mss60 and bought a locked dme which I'd like to rewrite with my dme full backup made with mss6x flasher ( thanks for this great piece of soft btw )

What hardware should I get to reset the censor byte ?
Next step would be to just rewrite through BDM ?

I only have access to a xprog right now, no worries if I need to buy some new toys

Would mind sharing the JTAG pinout ?
I'll get myself a wiggler and play with OpenOCD.
My car is a 2007 so DME is already BDM unlocked, but I want to have a second ECU, I bought a cheap 5WK9588 from ebay to play with but I need to unlock it to rewrite the ISN / VIN.

Same as listed there. Left one is locked. It is injection.

i found a cheap UsbWiggler on ebay - hopefully will work on newer Windows versions.

terra can you post or PM the specific commands to reset the censor register?

Well done on working it out. I'll look at the tool32 job that sets the secret key - i'm intrigued to see if the bdm lock is done from the tool32 job side or internally from the dme side.

thanks

I haven't been at my setup in some time and to be honest every time I've done it I've just looked at the reference manual and trial/errored my way into sending the right commands. I'll try to work it out again and make a proper repeatable script next time I have an actual weekend off.

I also did grab myself a USB wiggler, but unfortunately got one configured for the wrong processor. Opening it up it seems like it should be feasible to reconfigure it for a MPC BDM port, but the company has no documentation to that effect. If the one you got is an MPC 5xx/8xx unit, I'd really appreciate pictures of both sides of the board. Hopefully the code running on the xilinx fpga inside is the same for all of them.

The bdm lock is done internally. Triggering the SK lock also calls a routine that sets the censorship mode on the DME.

is the tool32 job to write the key this one: STEUERN_EWS4_SK?

Which arguments did you use as there are 4?

LOCK_SERVER_SK
LOCK_CLIENT_SK
WRITE_SERVER_SK
WRITE_CLIENT_SK

Write client writes the key. Lock client locks it. The other arguments are for the cas module.

And you have to lock the client for it to apply the key?

Dunno. The key is written to the right spot even before locking. Then locking it changes one of the status bytes and causes the read routine to just return FFs. Not sure if it has to be locked for the car to actually start or not.