Thank you very much!

I have a couple observations/questions (I have an IT background, but very little experience with digging into binary files, so I apologize in advance for any stupid questions)

I am mostly interested in applying some features like cold start delete and MAF delete to my S85, but my car already has a tune on it, and I am concerned by the large areas of ffffffff data in the binary files I downloaded from my ECU.
(if these are censored areas and I used ECUworx tool to modify the full binary, would I overwrite existing tune data with "empty" data if I flashed a modified binary back to my ECU?)

To see if there is pattern, I took and compared my tune file to the one pshoey provided and the large areas of ffffffff data matches.

So question 1 is to pshoey, do you know if the MSS65 ECU you dumped had a stock tune on it?

Question 2 is, do we have an idea as to why there are large areas of the ECU full/tune files that contains "blank" data (is this an example of "censored" data areas)?
For example, both pshoey's and my MSS65 tune files contain fairly large areas of ffffffff data from 0x96a8 - 0xfff9 and again from 0x1a9df - 0x1fffb

I really like what you guys are doing here, I like to see the MSS6X data freed and used by the community rather than just in the realm of professional tuners.

Thanks!

Of course - get it here:

I am interested in the dump of the MSS65 :-)

Thanks!

Well I know I have a lot to learn about this stuff. Thanks for checking my file and correcting my assumption.

P.


Sent from my iPad using Tapatalk

Yeah I don't see a clear way to read the MSS65 ISN from RAM, so that needs a patch to enable that section to be read over OBDII.

The file you sent has 5000+ bytes differing with my "untuned" 240e.

I already can see some vanos angle and axis scaling changes..

I don't think it was tuned - the tune file is identical to one of the others - here is the dump:

https://mega.nz/file/2dFgBB7S#OKyLVl...3k89nk9GZDK6a4

Let me know what you find.

Thanks
P.

Edit:

Now I'm confused - i saw the message "Could not read ISN, please flash RSA Bypass to enable reading" which now looking at the flasher code, means it was the MSS65 DME that failed to read the ISN - so the all the MSS60 units must have worked.

I'm still trying to get my BDM stuff to work, so I won't know which ones are locked until I do.

Reading the ISN has nothing to do with the lock. The lock effects BDM operation only. I would expect the first one to be BDMable and the latter two to not be BDMable.

Was the middle one tuned? Some tuning protection mechanisms might inadvertently break the ability for me to read the ISN from RAM. If it wasn't tuned, then I'd be interested in getting a full dump of that software. There could be various program versions where my search routine fails for whatever reason.

Nothing obvious to see. I’m assuming that trying to read the ISN and that failing is an indication that the unit is locked??

Both the units I marked as unlocked did not need the RSA patch whereas the middle one did.

P.


Sent from my iPad using Tapatalk

That recent one being unlocked is interesting. Any evidence the DME was ever opened up before you got to it?

I wonder if there was one of the program variants in the middle didn't have the lock code for some reason.

Just to follow on with this chain of thought.......

I have 3 MSS60 DMEs (not including the one in my 2008 M3 which I have not attacked yet) and 1 MSS65 DME.

MSS65 is obviously unlocked.

7837831 / 5WK9361 - 19.08.05

MSS60 DMEs:

7841364 / 5WK9586 - 30.01.08 - unlocked
7845558 / 5WK95910 - 29.12.10 - locked
7846409 / 5WK95912 - 15.04.11 - unlocked

it is interesting that the most recent unit is unlocked - i suppose it could have been messed with but I'm pretty sure these are all stock flashed units.

I have the dumps if anyone is interested.

P.

Ok, something to check out - thanks.

Of course, I bought the "wrong" usbWiggler on ebay not knowing what I should have been looking for, so I went ahead and ordered the correct one from macraigor - i'll send pictures once I receive it.

P.

Dunno. The key is written to the right spot even before locking. Then locking it changes one of the status bytes and causes the read routine to just return FFs. Not sure if it has to be locked for the car to actually start or not.

And you have to lock the client for it to apply the key?

Write client writes the key. Lock client locks it. The other arguments are for the cas module.