I found a MPC/BDM USB2demon on ebay and ordered that - if I can get it working like the parallel port interface, I'll let you know what steps I took.

ok - now I understand - so just updating the sw is not what causes the bdm lock, but locking the SK on newer sw versions causes the lock - now that makes perfect sense.

back to trying to get my damn wiggler to give me something meaningful 😕

The code that triggers the DME lock is embedded within the EWS lock subroutine on newer program variants. Theoretically a DME that was updated to a newer program variant before the EWS was programmed could be in such a state (old stock being used during vehicle manufacturing for example). Or possibly someone used BDM to clear the ISN, and then used Tool32 to program a new one.

Yes, I read your previous posts but since the lock is triggered when writing/locking the SK which is code in the ECU, I'm really wondering what the code uses to distinguish a DME to lock vs a DME not to lock?

Especially as I have a 9586 unit that seems to be locked and you have one that is unlocked.

Well, we should read all before posting . Thanks for explaining there.

I explained earlier in this thread how the lock is triggered. You can test yourself by flashing an unlocked DME with the newest software - it will remain unlocked. What triggers the lock is locking the EWS SK, which under normal circumstances is done at the factory. Early MSS60 software variants probably didn't trigger the censorship routine when locking the EWS key.

If iam right its bootloader change , like in never versions done by Bosch (ME, MED, MEVD17 and newer onces like MG1, MD1... since ~06.2020. You cant do bench or bootmode there atm).

terra do you remember what OCD Speed setting you used with your Wiggler?

Also, seems my 5KW9586 ECU is BDM locked. I borrowed a Yanhua ACDP adapter that can read out either side - worked perfectly on my MSS65 but on the MSS60s I have, works on right side (obviously) but not on left side.

Interestingly, on 2 of the later ECU units, the error on the left side was CPU Encrypted but on the 9586 the error was "wrong model" (related to cpu identity).

I have one unit left to try, a 5KW9588 with 080E version of software. I'll open it up tomorrow if I get time.

It would seem to me that the "BDM lock" was introduced by a software update, given that the lock is software activated - I know you (@terra) disagree with that general opinion.

Remember to reset the CPU and disable the watchdog

Thanks for the pics of the daughter board btw. I was hoping they would just use that header labeled BDM instead of having a different daughterboard.

not getting anything useful from the usb wiggler - was getting garbage initially but after reinstalling the drivers now just getting all zeros.

i've tried all the ocd_commanders I can find (all seem to produce the same results) - running on Windows 10 32bit - I believe I have the BDM pogo pins aligned correctly but will try an futz a little with them tomorrow.

Finally got around to unpacking my USB Wiggler MPC5XX version. Here are some hi-res pictures of the boards.

terra let me know if you need/want anything else from this. I'm going to try and unlock one of my MSS60s and build a C program using the Macraigor API to automate the unlock process.

Looks like the daughter board is similar but different enough (I bought one of the ONCE USB Wigglers too).

Thank you very much!

I have a couple observations/questions (I have an IT background, but very little experience with digging into binary files, so I apologize in advance for any stupid questions)

I am mostly interested in applying some features like cold start delete and MAF delete to my S85, but my car already has a tune on it, and I am concerned by the large areas of ffffffff data in the binary files I downloaded from my ECU.
(if these are censored areas and I used ECUworx tool to modify the full binary, would I overwrite existing tune data with "empty" data if I flashed a modified binary back to my ECU?)

To see if there is pattern, I took and compared my tune file to the one pshoey provided and the large areas of ffffffff data matches.

So question 1 is to pshoey, do you know if the MSS65 ECU you dumped had a stock tune on it?

Question 2 is, do we have an idea as to why there are large areas of the ECU full/tune files that contains "blank" data (is this an example of "censored" data areas)?
For example, both pshoey's and my MSS65 tune files contain fairly large areas of ffffffff data from 0x96a8 - 0xfff9 and again from 0x1a9df - 0x1fffb

I really like what you guys are doing here, I like to see the MSS6X data freed and used by the community rather than just in the realm of professional tuners.

Thanks!

Of course - get it here:

I am interested in the dump of the MSS65 :-)

Thanks!

Well I know I have a lot to learn about this stuff. Thanks for checking my file and correcting my assumption.

P.


Sent from my iPad using Tapatalk