Announcement

**pshoey** · 01-24-2021, 07:40 AM

terra do you remember what OCD Speed setting you used with your Wiggler?

Also, seems my 5KW9586 ECU is BDM locked. I borrowed a Yanhua ACDP adapter that can read out either side - worked perfectly on my MSS65 but on the MSS60s I have, works on right side (obviously) but not on left side.

Interestingly, on 2 of the later ECU units, the error on the left side was CPU Encrypted but on the 9586 the error was "wrong model" (related to cpu identity).

I have one unit left to try, a 5KW9588 with 080E version of software. I'll open it up tomorrow if I get time.

It would seem to me that the "BDM lock" was introduced by a software update, given that the lock is software activated - I know you (@terra) disagree with that general opinion.

**Lambda1** · 01-25-2021, 03:05 AM

If iam right its bootloader change

, like in never versions done by Bosch (ME, MED, MEVD17 and newer onces like MG1, MD1... since ~06.2020. You cant do bench or bootmode there atm).

**terra** · 01-25-2021, 08:38 AM

Originally posted by pshoey View Post

It would seem to me that the "BDM lock" was introduced by a software update, given that the lock is software activated - I know you (@terra) disagree with that general opinion.

Originally posted by Lambda1 View Post

If iam right its bootloader change

, like in never versions done by Bosch (ME, MED, MEVD17 and newer onces like MG1, MD1... since ~06.2020. You cant do bench or bootmode there atm).

I explained earlier in this thread how the lock is triggered. You can test yourself by flashing an unlocked DME with the newest software - it will remain unlocked. What triggers the lock is locking the EWS SK, which under normal circumstances is done at the factory. Early MSS60 software variants probably didn't trigger the censorship routine when locking the EWS key.

**Lambda1** · 01-25-2021, 09:32 AM

Well, we should read all before posting

. Thanks for explaining there.

**pshoey** · 01-25-2021, 10:26 AM

Originally posted by terra View Post

I explained earlier in this thread how the lock is triggered. You can test yourself by flashing an unlocked DME with the newest software - it will remain unlocked. What triggers the lock is locking the EWS SK, which under normal circumstances is done at the factory. Early MSS60 software variants probably didn't trigger the censorship routine when locking the EWS key.

Yes, I read your previous posts but since the lock is triggered when writing/locking the SK which is code in the ECU, I'm really wondering what the code uses to distinguish a DME to lock vs a DME not to lock?

Especially as I have a 9586 unit that seems to be locked and you have one that is unlocked.

**terra** · 01-25-2021, 10:43 AM

Originally posted by pshoey View Post

Yes, I read your previous posts but since the lock is triggered when writing/locking the SK which is code in the ECU, I'm really wondering what the code uses to distinguish a DME to lock vs a DME not to lock?

Especially as I have a 9586 unit that seems to be locked and you have one that is unlocked.

The code that triggers the DME lock is embedded within the EWS lock subroutine on newer program variants. Theoretically a DME that was updated to a newer program variant before the EWS was programmed could be in such a state (old stock being used during vehicle manufacturing for example). Or possibly someone used BDM to clear the ISN, and then used Tool32 to program a new one.

**pshoey** · 01-25-2021, 11:11 AM

ok - now I understand - so just updating the sw is not what causes the bdm lock, but locking the SK on newer sw versions causes the lock - now that makes perfect sense.

back to trying to get my damn wiggler to give me something meaningful 😕

**terra** · 01-25-2021, 01:08 PM

I found a MPC/BDM USB2demon on ebay and ordered that - if I can get it working like the parallel port interface, I'll let you know what steps I took.

**pshoey** · 01-25-2021, 02:30 PM

Nice find and at a great price (assuming it works !!)

If you can outline the steps - I'm pretty sure I can put together a program using their interface API to make it easily repeatable.

**terra** · 02-21-2021, 09:33 AM

So far no luck on my end with the USBDemon. Though I only tried for a little bit today. Dunno if it's a hardware issue or a java issue.

Might try the linux version of OCDCommander, but that looks like a royal pain to setup.

Edit: Actually I can get it to communicate with the slave. Master errors on reset. I wonder if it's a cable issue? Even on the slave, I'm having to use the lowest speed possible. Maybe I need to build a better adapter for the 2.5 -> 1.27mm spacing.

Also I had the wrong command above to reset the watchdog. Try

Code:

reset
word 0x2FC004 = 0x0000FF80

**pshoey** · 02-21-2021, 02:46 PM

I'm using POGO pins and not having great luck either - I was thinking I'll try and solder some pins to the pads.

Master is the right side and slave the left?

**terra** · 02-21-2021, 03:27 PM

Yeah sorry - master = injection = left.

Still not having luck connecting to that CPU. I know it is possible since I did so with the parallel port interface.. You'd think a USB interface that retails for $750 would be more reliable lol. My headers are directly soldered. I doubt any of those joints broke over the last year, especially since this DME has been in storage rather than in an actual car.

**pshoey** · 02-21-2021, 06:06 PM

Originally posted by terra View Post

Yeah sorry - master = injection = left.

This makes sense as the left side, i.e. master is the CPU that gets BDM locked!!

I'll try with my parallel port wiggler again also - like you i was assuming USB would be more "reliable" than the parallel port version.

**terra** · 03-24-2021, 04:48 PM

So for what it's worth, I tested the parallel port interface again and it works fine (need a native or PCI/PCIe parallel port - usb won't work). I suspect the debugger for the PEMicro interfaces would also work and certainly would be more convenient than passing a parallel port into a virtual machine and doing things that way. But I don't really want to spend the $200. The programming / flashing application is advertised to be able to clear the censor, but the function is broken. And PEMicro stopped responding to my support requests

**pshoey** · 03-24-2021, 05:33 PM

Which specific PEMicro device is required? I'll contact sales @ PEMicro and see if they have anything to say about it - i recall you said you posted on their forum? Any chance you can send the link to you post/thread?

Already wasted $250 on the USBWiggler it seems - what's another couple of hundred !!

Announcement

MSS60 Research

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment