Announcement

Collapse
No announcement yet.

MSS60 Research

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #61
    Ok, something to check out - thanks.

    Of course, I bought the "wrong" usbWiggler on ebay not knowing what I should have been looking for, so I went ahead and ordered the correct one from macraigor - i'll send pictures once I receive it.

    P.

    Comment


      #62
      Originally posted by terra View Post
      Yeah seems like there's a lot of misinformation about that. Typical industry guys obfuscating information I guess.

      It seems to be only early 08 models (really ~2007 builds) that are unlocked. There's also all sorts of claims that BMW introduced the lock through an update and the lock could be cleared by flashing an older update. None of that appears to be true. If the DME was unlocked from the factory it stays unlocked, if the DME was locked from the factory, it stays locked (until we figure out how to send that clear censorship code to it anyway).
      Just to follow on with this chain of thought.......

      I have 3 MSS60 DMEs (not including the one in my 2008 M3 which I have not attacked yet) and 1 MSS65 DME.

      MSS65 is obviously unlocked.

      7837831 / 5WK9361 - 19.08.05

      MSS60 DMEs:

      7841364 / 5WK9586 - 30.01.08 - unlocked
      7845558 / 5WK95910 - 29.12.10 - locked
      7846409 / 5WK95912 - 15.04.11 - unlocked

      it is interesting that the most recent unit is unlocked - i suppose it could have been messed with but I'm pretty sure these are all stock flashed units.

      I have the dumps if anyone is interested.

      P.
      Last edited by pshoey; 11-21-2020, 07:25 AM.

      Comment


        #63
        That recent one being unlocked is interesting. Any evidence the DME was ever opened up before you got to it?

        I wonder if there was one of the program variants in the middle didn't have the lock code for some reason.

        Comment


          #64
          Nothing obvious to see. I’m assuming that trying to read the ISN and that failing is an indication that the unit is locked??

          Both the units I marked as unlocked did not need the RSA patch whereas the middle one did.

          P.


          Sent from my iPad using Tapatalk

          Comment


            #65
            Originally posted by pshoey View Post
            Nothing obvious to see. I’m assuming that trying to read the ISN and that failing is an indication that the unit is locked??

            Both the units I marked as unlocked did not need the RSA patch whereas the middle one did.

            P.


            Sent from my iPad using Tapatalk
            Reading the ISN has nothing to do with the lock. The lock effects BDM operation only. I would expect the first one to be BDMable and the latter two to not be BDMable.

            Was the middle one tuned? Some tuning protection mechanisms might inadvertently break the ability for me to read the ISN from RAM. If it wasn't tuned, then I'd be interested in getting a full dump of that software. There could be various program versions where my search routine fails for whatever reason.

            Comment


              #66
              I don't think it was tuned - the tune file is identical to one of the others - here is the dump:

              https://mega.nz/file/2dFgBB7S#OKyLVl...3k89nk9GZDK6a4

              Let me know what you find.

              Thanks
              P.

              Edit:

              Now I'm confused - i saw the message "Could not read ISN, please flash RSA Bypass to enable reading" which now looking at the flasher code, means it was the MSS65 DME that failed to read the ISN - so the all the MSS60 units must have worked.

              I'm still trying to get my BDM stuff to work, so I won't know which ones are locked until I do.

              Last edited by pshoey; 11-18-2020, 08:31 PM.

              Comment


                #67
                Originally posted by pshoey View Post
                I don't think it was tuned - the tune file is identical to one of the others - here is the dump:

                https://mega.nz/file/2dFgBB7S#OKyLVl...3k89nk9GZDK6a4

                Let me know what you find.

                Thanks
                P.

                Edit:

                Now I'm confused - i saw the message "Could not read ISN, please flash RSA Bypass to enable reading" which now looking at the flasher code, means it was the MSS65 DME that failed to read the ISN - so the all the MSS60 units must have worked.

                I'm still trying to get my BDM stuff to work, so I won't know which ones are locked until I do.
                The file you sent has 5000+ bytes differing with my "untuned" 240e.

                I already can see some vanos angle and axis scaling changes..
                Last edited by dmlf; 11-19-2020, 12:49 AM.

                Comment


                  #68
                  Originally posted by pshoey View Post

                  Now I'm confused - i saw the message "Could not read ISN, please flash RSA Bypass to enable reading" which now looking at the flasher code, means it was the MSS65 DME that failed to read the ISN - so the all the MSS60 units must have worked.

                  I'm still trying to get my BDM stuff to work, so I won't know which ones are locked until I do.
                  Yeah I don't see a clear way to read the MSS65 ISN from RAM, so that needs a patch to enable that section to be read over OBDII.

                  Comment


                    #69
                    Originally posted by dmlf View Post

                    The file you sent has 5000+ bytes differing with my "untuned" 240e.

                    I already can see some vanos angle and axis scaling changes..
                    Well I know I have a lot to learn about this stuff. Thanks for checking my file and correcting my assumption.

                    P.


                    Sent from my iPad using Tapatalk

                    Comment


                      #70
                      Originally posted by pshoey View Post

                      Just to follow on with this chain of thought.......

                      I have 3 MSS60 DMEs (not including the one in my 2008 M3 which I have attached yet) and 1 MSS65 DME.

                      MSS65 is obviously unlocked.

                      7837831 / 5WK9361 - 19.08.05

                      MSS60 DMEs:

                      7841364 / 5WK9586 - 30.01.08 - unlocked
                      7845558 / 5WK95910 - 29.12.10 - locked
                      7846409 / 5WK95912 - 15.04.11 - unlocked

                      it is interesting that the most recent unit is unlocked - i suppose it could have been messed with but I'm pretty sure these are all stock flashed units.

                      I have the dumps if anyone is interested.

                      P.
                      I am interested in the dump of the MSS65 :-)

                      Thanks!

                      Comment


                        #71
                        Of course - get it here:

                        https://mega.nz/file/PN0klTDI#3Ezd8D...1YeWXUWlomPn3M

                        Comment


                          #72
                          Originally posted by pshoey View Post
                          Thank you very much!

                          I have a couple observations/questions (I have an IT background, but very little experience with digging into binary files, so I apologize in advance for any stupid questions)

                          I am mostly interested in applying some features like cold start delete and MAF delete to my S85, but my car already has a tune on it, and I am concerned by the large areas of ffffffff data in the binary files I downloaded from my ECU.
                          (if these are censored areas and I used ECUworx tool to modify the full binary, would I overwrite existing tune data with "empty" data if I flashed a modified binary back to my ECU?)

                          To see if there is pattern, I took and compared my tune file to the one pshoey provided and the large areas of ffffffff data matches.

                          So question 1 is to pshoey, do you know if the MSS65 ECU you dumped had a stock tune on it?

                          Question 2 is, do we have an idea as to why there are large areas of the ECU full/tune files that contains "blank" data (is this an example of "censored" data areas)?
                          For example, both pshoey's and my MSS65 tune files contain fairly large areas of ffffffff data from 0x96a8 - 0xfff9 and again from 0x1a9df - 0x1fffb

                          I really like what you guys are doing here, I like to see the MSS6X data freed and used by the community rather than just in the realm of professional tuners.

                          Thanks!

                          Comment

                          Working...
                          X