terra do you remember what OCD Speed setting you used with your Wiggler?

Also, seems my 5KW9586 ECU is BDM locked. I borrowed a Yanhua ACDP adapter that can read out either side - worked perfectly on my MSS65 but on the MSS60s I have, works on right side (obviously) but not on left side.

Interestingly, on 2 of the later ECU units, the error on the left side was CPU Encrypted but on the 9586 the error was "wrong model" (related to cpu identity).

I have one unit left to try, a 5KW9588 with 080E version of software. I'll open it up tomorrow if I get time.

It would seem to me that the "BDM lock" was introduced by a software update, given that the lock is software activated - I know you (@terra) disagree with that general opinion.

Remember to reset the CPU and disable the watchdog

Thanks for the pics of the daughter board btw. I was hoping they would just use that header labeled BDM instead of having a different daughterboard.

not getting anything useful from the usb wiggler - was getting garbage initially but after reinstalling the drivers now just getting all zeros.

i've tried all the ocd_commanders I can find (all seem to produce the same results) - running on Windows 10 32bit - I believe I have the BDM pogo pins aligned correctly but will try an futz a little with them tomorrow.

Finally got around to unpacking my USB Wiggler MPC5XX version. Here are some hi-res pictures of the boards.

terra let me know if you need/want anything else from this. I'm going to try and unlock one of my MSS60s and build a C program using the Macraigor API to automate the unlock process.

Looks like the daughter board is similar but different enough (I bought one of the ONCE USB Wigglers too).

Thank you very much!

I have a couple observations/questions (I have an IT background, but very little experience with digging into binary files, so I apologize in advance for any stupid questions)

I am mostly interested in applying some features like cold start delete and MAF delete to my S85, but my car already has a tune on it, and I am concerned by the large areas of ffffffff data in the binary files I downloaded from my ECU.
(if these are censored areas and I used ECUworx tool to modify the full binary, would I overwrite existing tune data with "empty" data if I flashed a modified binary back to my ECU?)

To see if there is pattern, I took and compared my tune file to the one pshoey provided and the large areas of ffffffff data matches.

So question 1 is to pshoey, do you know if the MSS65 ECU you dumped had a stock tune on it?

Question 2 is, do we have an idea as to why there are large areas of the ECU full/tune files that contains "blank" data (is this an example of "censored" data areas)?
For example, both pshoey's and my MSS65 tune files contain fairly large areas of ffffffff data from 0x96a8 - 0xfff9 and again from 0x1a9df - 0x1fffb

I really like what you guys are doing here, I like to see the MSS6X data freed and used by the community rather than just in the realm of professional tuners.

Thanks!

Of course - get it here:

I am interested in the dump of the MSS65 :-)

Thanks!

Well I know I have a lot to learn about this stuff. Thanks for checking my file and correcting my assumption.

P.


Sent from my iPad using Tapatalk

Yeah I don't see a clear way to read the MSS65 ISN from RAM, so that needs a patch to enable that section to be read over OBDII.

The file you sent has 5000+ bytes differing with my "untuned" 240e.

I already can see some vanos angle and axis scaling changes..

I don't think it was tuned - the tune file is identical to one of the others - here is the dump:

https://mega.nz/file/2dFgBB7S#OKyLVl...3k89nk9GZDK6a4

Let me know what you find.

Thanks
P.

Edit:

Now I'm confused - i saw the message "Could not read ISN, please flash RSA Bypass to enable reading" which now looking at the flasher code, means it was the MSS65 DME that failed to read the ISN - so the all the MSS60 units must have worked.

I'm still trying to get my BDM stuff to work, so I won't know which ones are locked until I do.

Reading the ISN has nothing to do with the lock. The lock effects BDM operation only. I would expect the first one to be BDMable and the latter two to not be BDMable.

Was the middle one tuned? Some tuning protection mechanisms might inadvertently break the ability for me to read the ISN from RAM. If it wasn't tuned, then I'd be interested in getting a full dump of that software. There could be various program versions where my search routine fails for whatever reason.

Nothing obvious to see. I’m assuming that trying to read the ISN and that failing is an indication that the unit is locked??

Both the units I marked as unlocked did not need the RSA patch whereas the middle one did.

P.


Sent from my iPad using Tapatalk

That recent one being unlocked is interesting. Any evidence the DME was ever opened up before you got to it?

I wonder if there was one of the program variants in the middle didn't have the lock code for some reason.

Just to follow on with this chain of thought.......

I have 3 MSS60 DMEs (not including the one in my 2008 M3 which I have not attacked yet) and 1 MSS65 DME.

MSS65 is obviously unlocked.

7837831 / 5WK9361 - 19.08.05

MSS60 DMEs:

7841364 / 5WK9586 - 30.01.08 - unlocked
7845558 / 5WK95910 - 29.12.10 - locked
7846409 / 5WK95912 - 15.04.11 - unlocked

it is interesting that the most recent unit is unlocked - i suppose it could have been messed with but I'm pretty sure these are all stock flashed units.

I have the dumps if anyone is interested.

P.