MSS60 Research

    #61
    Ok, something to check out - thanks.

    Of course, I bought the "wrong" usbWiggler on eBay not knowing what I should have been looking for, so I went ahead and ordered the correct one from Macraigor - I'll send pictures once I receive it.

    P.



      #62
      Originally posted by terra
      Yeah seems like there's a lot of misinformation about that. Typical industry guys obfuscating information I guess.

      It seems to be only early 08 models (really ~2007 builds) that are unlocked. There's also all sorts of claims that BMW introduced the lock through an update and the lock could be cleared by flashing an older update. None of that appears to be true. If the DME was unlocked from the factory it stays unlocked, if the DME was locked from the factory, it stays locked (until we figure out how to send that clear censorship code to it anyway).
      Just to follow on with this chain of thought.......

      I have 3 MSS60 DMEs (not including the one in my 2008 M3 which I have not attacked yet) and 1 MSS65 DME.

      MSS65 is obviously unlocked.

      7837831 / 5WK9361 - 19.08.05

      MSS60 DMEs:

      7841364 / 5WK9586 - 30.01.08 - unlocked
      7845558 / 5WK95910 - 29.12.10 - locked
      7846409 / 5WK95912 - 15.04.11 - unlocked

      It is interesting that the most recent unit is unlocked - I suppose it could have been messed with but I'm pretty sure these are all stock flashed units.

      I have the dumps if anyone is interested.

      P.
      Last edited by pshoey; 11-21-2020, 06:25 AM.



        #63
        That recent one being unlocked is interesting. Any evidence the DME was ever opened up before you got to it?

        I wonder if one of the program variants in the middle didn't have the lock code for some reason.



          #64
          Nothing obvious to see. I’m assuming that trying to read the ISN and that failing is an indication that the unit is locked??

          Both the units I marked as unlocked did not need the RSA patch whereas the middle one did.

          P.




            #65
            Originally posted by pshoey
            Nothing obvious to see. I’m assuming that trying to read the ISN and that failing is an indication that the unit is locked??

            Both the units I marked as unlocked did not need the RSA patch whereas the middle one did.

            P.


            Reading the ISN has nothing to do with the lock. The lock affects BDM operation only. I would expect the first one to be BDMable and the latter two to not be BDMable.

            Was the middle one tuned? Some tuning protection mechanisms might inadvertently break the ability for me to read the ISN from RAM. If it wasn't tuned, then I'd be interested in getting a full dump of that software. There could be various program versions where my search routine fails for whatever reason.



              #66
              I don't think it was tuned - the tune file is identical to one of the others - here is the dump:

              https://mega.nz/file/2dFgBB7S#OKyLVl...3k89nk9GZDK6a4

              Let me know what you find.

              Thanks
              P.

              Edit:

              Now I'm confused - I saw the message "Could not read ISN, please flash RSA Bypass to enable reading" which, now looking at the flasher code, means it was the MSS65 DME that failed to read the ISN - so all the MSS60 units must have worked.

              I'm still trying to get my BDM stuff to work, so I won't know which ones are locked until I do.

              Last edited by pshoey; 11-18-2020, 07:31 PM.



                #67
                Originally posted by pshoey
                I don't think it was tuned - the tune file is identical to one of the others - here is the dump:

                https://mega.nz/file/2dFgBB7S#OKyLVl...3k89nk9GZDK6a4

                Let me know what you find.

                Thanks
                P.

                Edit:

                Now I'm confused - I saw the message "Could not read ISN, please flash RSA Bypass to enable reading" which, now looking at the flasher code, means it was the MSS65 DME that failed to read the ISN - so all the MSS60 units must have worked.

                I'm still trying to get my BDM stuff to work, so I won't know which ones are locked until I do.
                The file you sent has 5000+ bytes differing with my "untuned" 240e.

                I already can see some vanos angle and axis scaling changes..
                Last edited by dmlf; 11-18-2020, 11:49 PM.



                  #68
                  Originally posted by pshoey

                  Now I'm confused - I saw the message "Could not read ISN, please flash RSA Bypass to enable reading" which, now looking at the flasher code, means it was the MSS65 DME that failed to read the ISN - so all the MSS60 units must have worked.

                  I'm still trying to get my BDM stuff to work, so I won't know which ones are locked until I do.
                  Yeah I don't see a clear way to read the MSS65 ISN from RAM, so that needs a patch to enable that section to be read over OBDII.



                    #69
                    Originally posted by dmlf

                    The file you sent has 5000+ bytes differing with my "untuned" 240e.

                    I already can see some vanos angle and axis scaling changes..
                    Well I know I have a lot to learn about this stuff. Thanks for checking my file and correcting my assumption.

                    P.




                      #70
                      Originally posted by pshoey

                      Just to follow on with this chain of thought.......

                      I have 3 MSS60 DMEs (not including the one in my 2008 M3 which I have attached yet) and 1 MSS65 DME.

                      MSS65 is obviously unlocked.

                      7837831 / 5WK9361 - 19.08.05

                      MSS60 DMEs:

                      7841364 / 5WK9586 - 30.01.08 - unlocked
                      7845558 / 5WK95910 - 29.12.10 - locked
                      7846409 / 5WK95912 - 15.04.11 - unlocked

                      It is interesting that the most recent unit is unlocked - I suppose it could have been messed with but I'm pretty sure these are all stock flashed units.

                      I have the dumps if anyone is interested.

                      P.
                      I am interested in the dump of the MSS65 :-)

                      Thanks!



                        #71
                        Of course - get it here:





                          #72
                          Thank you very much!

                          I have a couple observations/questions (I have an IT background, but very little experience with digging into binary files, so I apologize in advance for any stupid questions)

                          I am mostly interested in applying some features like cold start delete and MAF delete to my S85, but my car already has a tune on it, and I am concerned by the large areas of ffffffff data in the binary files I downloaded from my ECU.
                          (if these are censored areas and I used ECUworx tool to modify the full binary, would I overwrite existing tune data with "empty" data if I flashed a modified binary back to my ECU?)

                          To see if there is a pattern, I took and compared my tune file to the one pshoey provided and the large areas of ffffffff data match.

                          So question 1 is to pshoey, do you know if the MSS65 ECU you dumped had a stock tune on it?

                          Question 2 is, do we have an idea as to why there are large areas of the ECU full/tune files that contain "blank" data (is this an example of "censored" data areas)?
                          For example, both pshoey's and my MSS65 tune files contain fairly large areas of ffffffff data from 0x96a8 - 0xfff9 and again from 0x1a9df - 0x1fffb

                          I really like what you guys are doing here, I like to see the MSS6X data freed and used by the community rather than just in the realm of professional tuners.

                          Thanks!

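The comparison discussed in posts #67 and #72, as an added example that is not part of any post and not the flasher's code: it lists long runs of 0xFF (the value erased flash reads back as) in two equal-size dumps, counts and groups the differing bytes, and flags differences that land inside a region that is blank in the first file. The function names, the 256-byte run threshold and the sample images are assumptions constructed for illustration.

```python
from itertools import groupby

def ff_runs(data, min_len=256):
    """Inclusive (start, end) offsets of every 0xFF run of at least min_len bytes."""
    runs, pos = [], 0
    for value, group in groupby(data):
        n = len(list(group))
        if value == 0xFF and n >= min_len:
            runs.append((pos, pos + n - 1))
        pos += n
    return runs

def diff_ranges(a, b, gap=16):
    """Count differing bytes and merge them into ranges (offsets <= gap apart join)."""
    if len(a) != len(b):
        raise ValueError("dumps differ in size; compare the same kind of read")
    count, ranges = 0, []
    for off, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        count += 1
        if ranges and off - ranges[-1][1] <= gap:
            ranges[-1][1] = off
        else:
            ranges.append([off, off])
    return count, [tuple(r) for r in ranges]

def report(a, b):
    """Summarise blank regions common to both dumps and where the dumps differ."""
    runs_a = ff_runs(a)
    shared = sorted(set(runs_a) & set(ff_runs(b)))  # runs with identical bounds
    count, ranges = diff_ranges(a, b)
    # A difference inside a region that is blank in `a` means `b` holds data there.
    in_blank = [r for r in ranges
                if any(s <= r[0] and r[1] <= e for s, e in runs_a)]
    return {"shared_blank": shared, "diff_bytes": count,
            "diff_ranges": ranges, "diffs_in_blank": in_blank}

def make_sample():
    """Constructed 8 KiB images for the demo; not real DME data."""
    stock = bytearray((i * 7 + 3) & 0xFF for i in range(0x2000))
    stock[0x0800:0x0C00] = b"\xFF" * 0x400          # one erased block
    tuned = bytearray(stock)
    for off in (0x0100, 0x0101, 0x0102, 0x0103, 0x0110, 0x1000):
        tuned[off] ^= 0x55                           # simulated map edits
    return bytes(stock), bytes(tuned)

if __name__ == "__main__":
    for key, value in report(*make_sample()).items():
        print(key, value)
```

To use it on real files, read each dump with `open(path, "rb").read()` and pass the two byte strings to `report`.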


                            #73
                            Originally posted by terra

                            I haven't been at my setup in some time and to be honest every time I've done it I've just looked at the reference manual and trial/errored my way into sending the right commands. I'll try to work it out again and make a proper repeatable script next time I have an actual weekend off.

                            I also did grab myself a USB wiggler, but unfortunately got one configured for the wrong processor. Opening it up it seems like it should be feasible to reconfigure it for a MPC BDM port, but the company has no documentation to that effect. If the one you got is an MPC 5xx/8xx unit, I'd really appreciate pictures of both sides of the board. Hopefully the code running on the Xilinx FPGA inside is the same for all of them.

                            The BDM lock is done internally. Triggering the SK lock also calls a routine that sets the censorship mode on the DME.

                            Finally got around to unpacking my USB Wiggler MPC5XX version. Here are some hi-res pictures of the boards.

                            terra, let me know if you need/want anything else from this. I'm going to try and unlock one of my MSS60s and build a C program using the Macraigor API to automate the unlock process.

                            Looks like the daughter board is similar but different enough (I bought one of the ONCE USB Wigglers too).


                            [Attached images: IMG_5949.jpg, IMG_5950.jpg, IMG_5951.jpg, IMG_5952.jpg, IMG_5953.jpg]
                            Last edited by pshoey; 01-23-2021, 04:33 PM.



                              #74
                              Not getting anything useful from the USB Wiggler - was getting garbage initially but after reinstalling the drivers now just getting all zeros.

                              I've tried all the ocd_commanders I can find (all seem to produce the same results) - running on Windows 10 32bit - I believe I have the BDM pogo pins aligned correctly but will try and futz a little with them tomorrow.
                              Last edited by pshoey; 01-23-2021, 05:10 PM.



                                #75
                                Remember to reset the CPU and disable the watchdog

                                Code:
                                reset
                                word 0xff000004 = 0xffffff88

                                Thanks for the pics of the daughter board btw. I was hoping they would just use that header labeled BDM instead of having a different daughterboard.
