Announcement

Collapse
No announcement yet.

MSS60 Research

Collapse
X
Collapse
 
  • Page of 10
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 10 template Next
  • terra
    replied
    So this whole fiasco made me look into the DME's censor routines a little closer. If I'm reading this correclty, the MSS60 won't censor itself if IWS is set to 0 -- presumably to avoid the issue I ran into above. Could explain why early MSS60s weren't censored despite the code being present as far back as 060E. If the shadow block on the early ones was set to 00000000 like the M5, that would skip the censor routine. Risky to test though since if wrong, then the DME is theoretically permanently stuck in censored mode.


    Click image for larger version Name: image.png Views: 0 Size: 183.0 KB ID: 348803


    That said, I still don't quite understand why my MSS65 isn't able to trigger erases of its internal flash anymore. Doesn't seem like being stuck in censorship mode should make it behave any differently than if it were censored and IWS=1.

    Leave a comment:

  • terra
    replied
    Got it. Well unfortunately I think this is a scenario.

    Basically I was messing with the censorship states on my MSS65 which by default has its UC3FCFIG as 00000000 instead of 20410000. The clear censor operation requires being able to do an interlock write, which with IWS 0 means writing to the main UC3F array. And if that's in a censored state, the DME is stuck. And interestingly this seems to have also made it that I can't even trigger an erase or write while the DME is operating. So this thing is basically stuck in stasis.

    The reference manual glosses over it, but freescale's extra documentation does support this.

    Click image for larger version Name: image.png Views: 14 Size: 127.9 KB ID: 347360

    Oh well. Maybe I'll try to take a crack at replacing the CPU. Good thing I don't actually depend on this thing for anything and I still have my MSS60

    But on that note, I can confirm I have been able to clear censorship mode using the USBJtag NT device. Just need that IWS bit to be set to 15 if erasing the censor registers while in censored mode. I'll write that up and some scripts soon​
    • Likes 1

    Leave a comment:

  • MpowerE36
    replied
    As far as I can remember, there’s nothing irreversible about this MCU but I haven't worked on this MCU for a long time.

    Leave a comment:

  • terra
    replied
    MpowerE36

    You'd probably know this. Am I correct in assuming that setting the censorship mode while IWS = 0 means the MCU is forever stuck in censored mode?

    If so... oops

    Leave a comment:

  • pyth0n
    replied
    So there is no way to unbrick MSS60 in BDM with Ktag after Flashing RSA Bypass with cheap cable?

    Leave a comment:

  • Tomba
    replied
    Originally posted by obdshop View Post
    i read this Thread in the end i find lot infos but nothing what Helps me i search Backup BDM (KTAG) for MSS60 most interessed on MPC maybe anone can help me here ??ß
    You will need tool created by Vincent to unlock the processor. Contact MpowerE36 .

    Last edited by Tomba; 09-10-2024, 04:43 AM.

    Leave a comment:

  • obdshop
    replied
    i read this Thread in the end i find lot infos but nothing what Helps me i search Backup BDM (KTAG) for MSS60 most interessed on MPC maybe anone can help me here ??ß

    Leave a comment:

  • ppm008
    replied
    Originally posted by adrianj73 View Post

    pshoey Do you know what version of SP-DATEN had the 080E? I have a half BDM read of one, but no full OBD read. Want to flash an mss60 with it from WinKFP and do some testing on it.
    Z08E is an update released in Jul2008
    Hardware 7841981 and soft EU 7841976 (ZB 7841975) US 7841978 (ZB 7841977)
    If you need I could send

    Leave a comment:

  • adrianj73
    replied
    Originally posted by pshoey View Post
    terra do you remember what OCD Speed setting you used with your Wiggler?

    Also, seems my 5KW9586 ECU is BDM locked. I borrowed a Yanhua ACDP adapter that can read out either side - worked perfectly on my MSS65 but on the MSS60s I have, works on right side (obviously) but not on left side.

    Interestingly, on 2 of the later ECU units, the error on the left side was CPU Encrypted but on the 9586 the error was "wrong model" (related to cpu identity).

    I have one unit left to try, a 5KW9588 with 080E version of software. I'll open it up tomorrow if I get time.

    It would seem to me that the "BDM lock" was introduced by a software update, given that the lock is software activated - I know you (@terra) disagree with that general opinion.
    pshoey Do you know what version of SP-DATEN had the 080E? I have a half BDM read of one, but no full OBD read. Want to flash an mss60 with it from WinKFP and do some testing on it.

    Leave a comment:

  • Tomba
    replied
    Originally posted by terra View Post
    That resistor to boot from external SRAM could be useful for recovering complete bricks.
    This similar to SBOOT on newer ECUs?

    GitHub - bri3d/Simos18_SBOOT: Documentation and tools about Simos18 SBOOT (Supplier Bootloader), including a Seed/Key bypass and Tricore boot password recovery tool.
    https://github.com/bri3d/Simos18_SBOOT
    Documentation and tools about Simos18 SBOOT (Supplier Bootloader), including a Seed/Key bypass and Tricore boot password recovery tool. - bri3d/Simos18_SBOOT


    Leave a comment:

  • adrianj73
    replied
    Originally posted by terra View Post
    Yeah I've written modified programs with no issue. RSA bypass needs to be done first
    Nice. Are you open to doing similar RSA bypass for other BMW ECUs as paid work? Tried to PM you, won’t let me.

    Leave a comment:

  • terra
    replied
    Yeah I've written modified programs with no issue. RSA bypass needs to be done first
    • Likes 1

    Leave a comment:

  • adrianj73
    replied
    Originally posted by terra View Post

    That's quite the resource there, much appreciated. That resistor to boot from external SRAM could be useful for recovering complete bricks.

    A2Ls are hard to find for this DME. Only public one I'm aware of is from a prototype (which appears to be an old enough prototype to still be EWS3). Not sure how close the maps / config are to final.
    I believe that if you take a known good A2L and use it as a template, you can delete all the unnecessary declarations for measurements, characteristics, functions, etc that aren’t pertinent to you tuning goal. Then with some R/E you can identify hex locations for the ones you want to keep in whatever version you’re creating the A2L for, correct the map addresses, sizes, etc. and it should work. One of my goals this year getting back into it. Realistically, live tuning you probably need access to less than 20-30 calibration curves. Everything else would be primarily configuration changes that can be done by standard reflash.

    have you verified your flasher can write a modified program? I want to move a few functions and customize them to test and relocate and enlarge a few KLs and KFs.

    Leave a comment:

  • terra
    replied
    Originally posted by adrianj73 View Post
    Not sure if this is posted already, but may be of use. mss65, but very little difference to mss60. Ionic measurement moved onboard for mss60 with no external modules, EWS4, that's about it.

    Note that non-populated CAN transceiver spot on the board (sheet 3, grid E4) for the "messcan" that uses TouCAN C. There's a "messcan" flag in the calibration area that switches the directionality of TouCAN C IIRC. This is used for high speed data logging in the engine test cell and in development cars as well as the real-time tuning via Can Calibration Protocol (CCP) using the INCA tools. There's a good program called ASAP2Demo that can connect to the mss6x if you have a well defined A2L for it. The CCP code in the DME copies the calibration table contents to RAM and CCP connects the external messCAN connected device/software to make real-time changes. I was never clear of the external tool then saved a file to be flashed back in after or if the CCP subroutine then copies the modified tables in RAM back to the flash area.
    That's quite the resource there, much appreciated. That resistor to boot from external SRAM could be useful for recovering complete bricks.

    A2Ls are hard to find for this DME. Only public one I'm aware of is from a prototype (which appears to be an old enough prototype to still be EWS3). Not sure how close the maps / config are to final.
    • Likes 1

    Leave a comment:

  • Tomba
    replied
    Originally posted by adrianj73 View Post
    Not sure if this is posted already, but may be of use. mss65, but very little difference to mss60. Ionic measurement moved onboard for mss60 with no external modules, EWS4, that's about it.

    Note that non-populated CAN transceiver spot on the board (sheet 3, grid E4) for the "messcan" that uses TouCAN C. There's a "messcan" flag in the calibration area that switches the directionality of TouCAN C IIRC. This is used for high speed data logging in the engine test cell and in development cars as well as the real-time tuning via Can Calibration Protocol (CCP) using the INCA tools. There's a good program called ASAP2Demo that can connect to the mss6x if you have a well defined A2L for it. The CCP code in the DME copies the calibration table contents to RAM and CCP connects the external messCAN connected device/software to make real-time changes. I was never clear of the external tool then saved a file to be flashed back in after or if the CCP subroutine then copies the modified tables in RAM back to the flash area.
    Main issue is getting a latest (241E) A2L for the ECU. Of course available but not public. All available I know off are likely pre-development which won't suit latest map layout, not to mention ram addresses for variables.
    If available it would help a lot to map higher duration camshaft on that engine.

    Very generous sharing such circuit diagram! Love it.

    • Likes 1

    Leave a comment:

Previous 1 10 template Next
Working...
X