Would mind sharing the JTAG pinout ?
I'll get myself a wiggler and play with OpenOCD.
My car is a 2007 so DME is already BDM unlocked, but I want to have a second ECU, I bought a cheap 5WK9588 from ebay to play with but I need to unlock it to rewrite the ISN / VIN.

I'm starting to play with mss60 and bought a locked dme which I'd like to rewrite with my dme full backup made with mss6x flasher ( thanks for this great piece of soft btw )

What hardware should I get to reset the censor byte ?
Next step would be to just rewrite through BDM ?

I only have access to a xprog right now, no worries if I need to buy some new toys

Does anybody know if the bdm ports on the MSS60 are the same as listed here?How about the processors?
Which one is locked? Left or right regarding the picture? Is it ignition or injection?

So for whatever it's worth, I got myself a Cyclone MAX and while in theory it could work great, currently it does not.

I can get it to clear the censor bits (03 -> 00), but it errors out when trying to set it to 1 or 2 (or even back to 3 for that matter). If I set it via wiggler, the cyclone is happy to program the flash, and it is far faster than any of the automotive interfaces I've tried. However it errors out on the external flash despite selecting the correct chip... so that limits its usefulness. I suspect same will apply for the Multilink BDM / FX interfaces.

I posted on PEMicro's forums, maybe they can get a patch going. We'll see.

edit:

On another note, my neighbor let me borrow his e92 M3 to mess with. Cloned his ECU onto my bench MSS60 and threw it in the car - starts right up like it belongs.

So interestingly, my DME managed to relock itself.

What I had done: Wrote ignition side's shadow memory to injection side, wrote a "virgin" flash to me DME (blank SK, blank AIF), wrote a new AIF entry with WinKFP, wrote and locked a new SK with tool32. I suspect that last bit triggered a lock routine, but it's hard to say for sure.

Edit: Pretty sure it's writing (or more likely locking) the SK via tool32 command that locked the CPU. Makes some sense that they'd be delivered to BMW in an unlocked state and only lock themselves after the SK is burned in. With the ability to read full dumps and unlock it doesn't really matter, but I'd say just write the SK at the time of the BDM programming instead of waiting to do it in tool32.

So looking into the shadow memory a little bit more, there may indeed be a difference between MSS60 and MSS65 there.

On my MSS65, the first 4 bytes (UC3FCFIG) are set to 0, everything else is FF. This is the case for both processors.

On my MSS60, the injection side was impossible to read. On the ignition side, the first 4 bytes are set to 20 41 00 00

The differences translate to:

Bus pins drive strength — This bit determines the bus pins’ (address, data, and control) driving capability to be either full or reduced drive. The bus default drive strength is full; upon default, it also causes the CLKOUT drive strength to be full. See Table 6-7 for more information. BDRV controls the default state of COM[1] in the SIUMCR. 0 Full drive 1 Reduced drive
-MSS65 = Full drive
-MSS60 = Reduced drive

Debug pins configuration — See Section 6.2.2.1.1, “SIU Module Configuration Register (SIUMCR)” for this field definition. The default value is that these pins function as: VFLS[0:1], BI, BR, BG and BB. See Table 6-8.
-MSS65 = VFLS[0:1] BI BG BR BB
-MSS60 = VFLS[0:1] STS VF0 VF1 VF2

Interlock write select — This bit determines which interlock write operation should be used during the clear censorship operation. IWS always comes from the UC3FCFIG, it will never use the external reset configuration word (RSTCONF=0) or the default internal reset configuration word (RSTCONF=1 and HC=1). 0 Interlock write is a write to any UC3F array location 1 Interlock write is a write to the UC3FMCR register.
MSS65 = 0 (Interlock write = write to any UC3F array)
MSS60 = 1 (Interlock write = write to UC3FMCR register)


I don't know for sure how much of a difference any of that stuff makes, and whether or not I should assume the injection / ignition sides should be set the same. I feel like best would be to get a dump of a factory unlocked one, but that's easier said than done without buying one myself.

Yeah, I saw the usual internet badasses who claimed that had some knowledge of the dark arts and could do it. But no one who said how.

Even if I do come up with a good script (effectively all I did was disable the watchdog and then follow the steps in the reference manual on setting / clearing the censor), I do think this is unfortunately a bit beyond most people. Fewer and fewer people own desktops nowadays, which is pretty much required for the PCIe parallel port (USB will not work). I guess an expresscard parallel port should work, but how many laptops even have expresscard nowadays? Thunderbolt to PCIe or exprescard adapters do exist, but at that point you may as well buy the more expensive pemicro stuff.

And the reality is even back when they were mainstream, parallel ports have always been notoriously finicky - there will be trouble shooting involved no matter what.

Ha I saw the ECP part, but I didn't notice the "simple uni-directional device" part. I guess that must relate to individual pin behavior rather than the device as a whole? In any case, I did have to force the virtual bios to "output only" rather than bidirectional or EPP.

Just noticed this in the Macgraigor FAQ:

My bench MSS60 is dead unfortunately

You are first.

I feel I have searched exhaustively and PM'd everyone who seemed to have even a shred of relevant information. There are few comments out there from people who thought they knew how to do it or even claim to have done it. But no one sharing any useful information or proof of the accomplishment.

Again, awesome.

Basically yep. BDM flash finished, and I confirmed the DME is responsive now.

I think I'm the first to successfully unlock one of these DMEs. Publicly anyway

You have a factory unlocked MSS60 right? When you get the chance do you think you'd be able to read the shadow memory from it? CMDFlash just tacks it onto the end of the internal flash, not sure about others. I made the assumption that the shadow memory from the MSS65 is good enough (and it probably is), but I just want to be sure there isn't anything different.

Great progress Mirza, so the register is now set to 41FF00FF the same as both processors like the factory MSS65?

Boom.



Turns out clearing / setting the censor disables the UC3F array altogether, but you can reenable that by setting the IMMR.

Now I gotta see if I could make a script to automate all this.

Confirmed BDM100 will now read the DME (all FF'd of course). Now I'm just flashing back my OBDII backup (along with the shadow region from the MSS65 hoping it's the same here) and hopefully it will work.

I got the interface working. Had to set the parallel port mode in the VM bios to "Output Only" instead of bidirectional / EPP / ECP. Doesn't really make sense to me since it seems like communications are going both ways... but who knows.



This is my MSS65, but I'll try the MSS60 next. I guess I would just manually set the registers as noted in the reference manual

Edit: Meh, I clearly have some reading to do. Except you know, macraigor has literally 0 documentation. On this DME I can pretty much only do 1 command before I start getting junk or FFs back. I guess I'm running into the watchdog or something?

Edit: Sigh, I think I broke it. I managed to change the censor bytes from 11 to 00. But then when I tried setting to 01, all of the UC3F registers started reading as FF, and manipulating them seemingly doesn't work. DME doesn't boot anymore, and BDM100 still treats it the same as before.

Yeah, on one hand, it'd probably be a nicer programmer than my clone BDM100. Especially since if you forget the pinout on that is non-standard, you'll be sending 12V into the MCU and killing it.

On the other hand, I don't exactly need it, but could justify it if it kills the censor.