Announcement

Collapse
No announcement yet.

MSS60 Research

Collapse
X
Collapse
 
  • Page of 10
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 6 10 template Next
  • terra
    replied
    Originally posted by pshoey View Post

    Now I'm confused - i saw the message "Could not read ISN, please flash RSA Bypass to enable reading" which now looking at the flasher code, means it was the MSS65 DME that failed to read the ISN - so the all the MSS60 units must have worked.

    I'm still trying to get my BDM stuff to work, so I won't know which ones are locked until I do.
    Yeah I don't see a clear way to read the MSS65 ISN from RAM, so that needs a patch to enable that section to be read over OBDII.

    Leave a comment:

  • dmlf
    replied
    Originally posted by pshoey View Post
    I don't think it was tuned - the tune file is identical to one of the others - here is the dump:

    https://mega.nz/file/2dFgBB7S#OKyLVl...3k89nk9GZDK6a4

    Let me know what you find.

    Thanks
    P.

    Edit:

    Now I'm confused - i saw the message "Could not read ISN, please flash RSA Bypass to enable reading" which now looking at the flasher code, means it was the MSS65 DME that failed to read the ISN - so the all the MSS60 units must have worked.

    I'm still trying to get my BDM stuff to work, so I won't know which ones are locked until I do.
    The file you sent has 5000+ bytes differing with my "untuned" 240e.

    I already can see some vanos angle and axis scaling changes..
    Last edited by dmlf; 11-18-2020, 11:49 PM.

    Leave a comment:

  • pshoey
    replied
    I don't think it was tuned - the tune file is identical to one of the others - here is the dump:

    https://mega.nz/file/2dFgBB7S#OKyLVl...3k89nk9GZDK6a4

    Let me know what you find.

    Thanks
    P.

    Edit:

    Now I'm confused - i saw the message "Could not read ISN, please flash RSA Bypass to enable reading" which now looking at the flasher code, means it was the MSS65 DME that failed to read the ISN - so the all the MSS60 units must have worked.

    I'm still trying to get my BDM stuff to work, so I won't know which ones are locked until I do.

    Last edited by pshoey; 11-18-2020, 07:31 PM.

    Leave a comment:

  • terra
    replied
    Originally posted by pshoey View Post
    Nothing obvious to see. I’m assuming that trying to read the ISN and that failing is an indication that the unit is locked??

    Both the units I marked as unlocked did not need the RSA patch whereas the middle one did.

    P.


    Sent from my iPad using Tapatalk
    Reading the ISN has nothing to do with the lock. The lock effects BDM operation only. I would expect the first one to be BDMable and the latter two to not be BDMable.

    Was the middle one tuned? Some tuning protection mechanisms might inadvertently break the ability for me to read the ISN from RAM. If it wasn't tuned, then I'd be interested in getting a full dump of that software. There could be various program versions where my search routine fails for whatever reason.
    • Likes 1

    Leave a comment:

  • pshoey
    replied
    Nothing obvious to see. I’m assuming that trying to read the ISN and that failing is an indication that the unit is locked??

    Both the units I marked as unlocked did not need the RSA patch whereas the middle one did.

    P.


    Sent from my iPad using Tapatalk

    Leave a comment:

  • terra
    replied
    That recent one being unlocked is interesting. Any evidence the DME was ever opened up before you got to it?

    I wonder if there was one of the program variants in the middle didn't have the lock code for some reason.

    Leave a comment:

  • pshoey
    replied
    Originally posted by terra View Post
    Yeah seems like there's a lot of misinformation about that. Typical industry guys obfuscating information I guess.

    It seems to be only early 08 models (really ~2007 builds) that are unlocked. There's also all sorts of claims that BMW introduced the lock through an update and the lock could be cleared by flashing an older update. None of that appears to be true. If the DME was unlocked from the factory it stays unlocked, if the DME was locked from the factory, it stays locked (until we figure out how to send that clear censorship code to it anyway).
    Just to follow on with this chain of thought.......

    I have 3 MSS60 DMEs (not including the one in my 2008 M3 which I have not attacked yet) and 1 MSS65 DME.

    MSS65 is obviously unlocked.

    7837831 / 5WK9361 - 19.08.05

    MSS60 DMEs:

    7841364 / 5WK9586 - 30.01.08 - unlocked
    7845558 / 5WK95910 - 29.12.10 - locked
    7846409 / 5WK95912 - 15.04.11 - unlocked

    it is interesting that the most recent unit is unlocked - i suppose it could have been messed with but I'm pretty sure these are all stock flashed units.

    I have the dumps if anyone is interested.

    P.
    Last edited by pshoey; 11-21-2020, 06:25 AM.

    Leave a comment:

  • pshoey
    replied
    Ok, something to check out - thanks.

    Of course, I bought the "wrong" usbWiggler on ebay not knowing what I should have been looking for, so I went ahead and ordered the correct one from macraigor - i'll send pictures once I receive it.

    P.

    Leave a comment:

  • terra
    replied
    Originally posted by pshoey View Post
    And you have to lock the client for it to apply the key?
    Dunno. The key is written to the right spot even before locking. Then locking it changes one of the status bytes and causes the read routine to just return FFs. Not sure if it has to be locked for the car to actually start or not.

    Leave a comment:

  • pshoey
    replied
    And you have to lock the client for it to apply the key?

    Leave a comment:

  • terra
    replied
    Write client writes the key. Lock client locks it. The other arguments are for the cas module.

    Leave a comment:

  • pshoey
    replied
    is the tool32 job to write the key this one: STEUERN_EWS4_SK?

    Which arguments did you use as there are 4?

    LOCK_SERVER_SK
    LOCK_CLIENT_SK
    WRITE_SERVER_SK
    WRITE_CLIENT_SK

    Leave a comment:

  • terra
    replied
    Originally posted by pshoey View Post
    i found a cheap UsbWiggler on ebay - hopefully will work on newer Windows versions.

    terra can you post or PM the specific commands to reset the censor register?

    Well done on working it out. I'll look at the tool32 job that sets the secret key - i'm intrigued to see if the bdm lock is done from the tool32 job side or internally from the dme side.

    thanks
    I haven't been at my setup in some time and to be honest every time I've done it I've just looked at the reference manual and trial/errored my way into sending the right commands. I'll try to work it out again and make a proper repeatable script next time I have an actual weekend off.

    I also did grab myself a USB wiggler, but unfortunately got one configured for the wrong processor. Opening it up it seems like it should be feasible to reconfigure it for a MPC BDM port, but the company has no documentation to that effect. If the one you got is an MPC 5xx/8xx unit, I'd really appreciate pictures of both sides of the board. Hopefully the code running on the xilinx fpga inside is the same for all of them.

    The bdm lock is done internally. Triggering the SK lock also calls a routine that sets the censorship mode on the DME.

    Leave a comment:

  • pshoey
    replied
    i found a cheap UsbWiggler on ebay - hopefully will work on newer Windows versions.

    terra can you post or PM the specific commands to reset the censor register?

    Well done on working it out. I'll look at the tool32 job that sets the secret key - i'm intrigued to see if the bdm lock is done from the tool32 job side or internally from the dme side.

    thanks
    Last edited by pshoey; 11-08-2020, 08:20 PM.

    Leave a comment:

  • terra
    replied
    Originally posted by alfalfa View Post
    Does anybody know if the bdm ports on the MSS60 are the same as listed here?How about the processors?
    Which one is locked? Left or right regarding the picture? Is it ignition or injection?
    Same as listed there. Left one is locked. It is injection.
    • Likes 1

    Leave a comment:

Previous 1 6 10 template Next
Working...
X