Most of this is over my head, but really appreciate seeing an expert work through these challenges. Thanks for bringing us along!

I used a cheap PCB heater similar to this one https://www.amazon.com/Preheating-El...dp/B0CFTZKYTB/ and a heatgun. Basically preheated the PCB for a good while, then blasted the MCU with hot air until the solder loosened up enough to lift the CPU. Cleaned up the pads with a few passes of solder braid (and I made a few passes beyond the above picture). Cleaned up the area well with alcohol. Applied a thin layer of flux to all the pads. Lined up the 'new' CPU as close as I reasonably can, and then heated it up with hot air. BGA is more or less self aligning as long as you're close, and you can kinda see it drop into place as the solder melts.

All in all seems like the solder lined up and melted pretty well. Bench stuff seems to work fine. TBD if everything would work as expected on a real car

​

I didn't harvest an old CPU myself because said CPU would need to be reballed, and that adds a layer of complexity to the project. If I were doing this professionally / more often, I'd probably get a better board heater, use a real hot air station (I do have one, but not quite upto the task for larger devices), buy / build a proper reflow oven, and setup to reball old CPUs.

What tools did you use to do that? You are a badass

I don't know 100% if I trust it in a car between doing this by hand and using a gray market Chinese and probably secondhand MCU, but I did manage to replace the MCU. Seems to be functional. Sadly can't really get MPC563s from reliable sources anymore. MPC564 is likely compatible and does appear to still be sourceable, but minimum order quantity I could find is 200 units. Brand new would also likely be the C revision instead of the B revision, and I'm not sure if that would cause issues. I also did see some code that seemed to imply an MPC565/6 might work appropriately too. Those actually can be sourced, but are expensive enough that you're probably better off getting a new DME anyway



​​

​

So this whole fiasco made me look into the DME's censor routines a little closer. If I'm reading this correclty, the MSS60 won't censor itself if IWS is set to 0 -- presumably to avoid the issue I ran into above. Could explain why early MSS60s weren't censored despite the code being present as far back as 060E. If the shadow block on the early ones was set to 00000000 like the M5, that would skip the censor routine. Risky to test though since if wrong, then the DME is theoretically permanently stuck in censored mode.

​
​


That said, I still don't quite understand why my MSS65 isn't able to trigger erases of its internal flash anymore. Doesn't seem like being stuck in censorship mode should make it behave any differently than if it were censored and IWS=1.

Got it. Well unfortunately I think this is a scenario.

Basically I was messing with the censorship states on my MSS65 which by default has its UC3FCFIG as 00000000 instead of 20410000. The clear censor operation requires being able to do an interlock write, which with IWS 0 means writing to the main UC3F array. And if that's in a censored state, the DME is stuck. And interestingly this seems to have also made it that I can't even trigger an erase or write while the DME is operating. So this thing is basically stuck in stasis.

The reference manual glosses over it, but freescale's extra documentation does support this.

​

Oh well. Maybe I'll try to take a crack at replacing the CPU. Good thing I don't actually depend on this thing for anything and I still have my MSS60

But on that note, I can confirm I have been able to clear censorship mode using the USBJtag NT device. Just need that IWS bit to be set to 15 if erasing the censor registers while in censored mode. I'll write that up and some scripts soon​

As far as I can remember, there’s nothing irreversible about this MCU but I haven't worked on this MCU for a long time.

MpowerE36

You'd probably know this. Am I correct in assuming that setting the censorship mode while IWS = 0 means the MCU is forever stuck in censored mode?

If so... oops

So there is no way to unbrick MSS60 in BDM with Ktag after Flashing RSA Bypass with cheap cable?

You will need tool created by Vincent to unlock the processor. Contact MpowerE36 .

i read this Thread in the end i find lot infos but nothing what Helps me i search Backup BDM (KTAG) for MSS60 most interessed on MPC maybe anone can help me here ??ß

Z08E is an update released in Jul2008
Hardware 7841981 and soft EU 7841976 (ZB 7841975) US 7841978 (ZB 7841977)
If you need I could send

pshoey Do you know what version of SP-DATEN had the 080E? I have a half BDM read of one, but no full OBD read. Want to flash an mss60 with it from WinKFP and do some testing on it.

This similar to SBOOT on newer ECUs?

Nice. Are you open to doing similar RSA bypass for other BMW ECUs as paid work? Tried to PM you, won’t let me.