Hopefully not too late to join the fun, I just picked up an M5 e60. I have a bunch of genuine commercial BDM tools (the usual suspects, ktag etc.) and OBD that can read those DMEs.
Currently in the process of swapping an E92 DCT to replace the terrible SMG.
MSS60 Research
-
Ah I didn't pay that much attention to the subroutine. You're right, that wouldn't work then.
-
Originally posted by terra
Since your DME is unlocked now, in theory if you set ACCESS to 1, that should prevent it from being locked even if the censor bits are triggered. Haven't tested that personally.
Last edited by MpowerE36; 09-14-2021, 11:29 AM.
-
Agree it would take some effort and is not easy to debug but the code required is fairly small - and I bet could be written in C.
-
Originally posted by pshoey
Great thanks.
Maybe it would be possible for us to add some code to a full dump to unlock the processor, set the shadow ram and set the access bit?
-
Great thanks.
Maybe it would be possible for us to add some code to a full dump to unlock the processor, set the shadow ram and set the access bit?
-
Originally posted by pshoey
Which address needs to be patched to 0 or 100h?
Fullbinary from MSS6x flasher : 0xF555A (injection) & 0x362B4A (ignition)
External memory binary : 0x7555A (injection) & 0x62B4A (ignition)
Apparently there are also lock instructions for the ignition processor (they seem not to exist for programs older than 240E).
Last edited by MpowerE36; 09-08-2021, 02:36 PM.
-
Originally posted by MpowerE36
After flashing the shadow region of the injector processor my ECU is unbricked. You just have to write the long 0x20410000 at 0x0 address (UC3FCFIG register).
As I showed in the #100 post, you can replace 0x300 by 0x0 or 0x100 if you don’t want the injector processor to lock anymore (apparently during SK writing).
It's cool to know that I can brick my dme as many times as I want and I could always get it back.
-
Which address needs to be patched to 0 or 100h?
-
After flashing the shadow region of the injector processor my ECU is unbricked. You just have to write the long 0x20410000 at 0x0 address (UC3FCFIG register).
As I showed in the #100 post, you can replace 0x300 by 0x0 or 0x100 if you don’t want the injector processor to lock anymore (apparently during SK writing).
It's cool to know that I can brick my dme as many times as I want and I could always get it back.
Last edited by MpowerE36; 09-08-2021, 01:02 PM.
- Likes 4
-
I later on used the shadow region from the ignition side and things still seemed to work properly.
- Likes 2
-
If I understand correctly he used the injector shadow region of an MSS65 and flashed it in the injector shadow region of his MSS60. Unfortunately I don't have an MSS65, so I will read the shadow region of the ignition processor of my MSS60 in order to flash it in the injector one. I hope it will work.
Last edited by MpowerE36; 09-06-2021, 04:30 AM.
-
I've finally succeeded in writing 41 FF 00 FF in the 0x2FC800 register. So my injector processor is BDM unlocked. I've succeeded in flashing my backup in the 2 processors and 2 external EEPROMs but my ECU doesn't respond by OBD. I will verify the flash with a BDM read but it is strange that both MPCs don't respond by OBD. Indeed, before debugging my injector MPC, my ignition MPC responded by OBD (with the ram_lesen function for example).
I think it could come from the shadow region of my injector MPC. I think I have to flash it back after the clearing and setting censor manipulations. I hope it is the same as the ignition shadow region...
Last edited by MpowerE36; 09-05-2021, 04:50 PM.
- Likes 1
-
Originally posted by hobbit382
what tool did you use?
terra, do you remember if you modified some registers before doing the setting censor process? Maybe we have to disable external interrupts with the spr 81 register before?
It is like the current value stored in the censor NVM CAM cell (0x00) is constantly reloaded into the censor bits. So my 0x01 value is immediately overwritten before I succeed in finalizing the program sequence.
Last edited by MpowerE36; 08-29-2021, 04:14 AM.