
MSS60 Research


  • adrianj73
    replied
    Not sure if this is posted already, but may be of use. mss65, but very little difference to mss60. Ionic measurement moved onboard for mss60 with no external modules, EWS4, that's about it.

    Note that non-populated CAN transceiver spot on the board (sheet 3, grid E4) for the "messcan" that uses TouCAN C. There's a "messcan" flag in the calibration area that switches the directionality of TouCAN C IIRC. This is used for high speed data logging in the engine test cell and in development cars as well as the real-time tuning via CAN Calibration Protocol (CCP) using the INCA tools. There's a good program called ASAP2Demo that can connect to the mss6x if you have a well defined A2L for it. The CCP code in the DME copies the calibration table contents to RAM and CCP connects the external messCAN connected device/software to make real-time changes. I was never clear if the external tool then saved a file to be flashed back in after or if the CCP subroutine then copies the modified tables in RAM back to the flash area.


  • MpowerE36
    replied
    If you buy a new DME which is bdm locked (injection processor), you will not be able to make a clone of your bricked DME with your backup. Indeed, you will not be able to read and write in the flash memory of the injection processor (where the VIN and the SK are).

    If you buy a new DME which is not bdm locked, you will be able to make a clone of your bricked DME with your backup. You can use a KTAG or FGTech for that.

    Why don't you try to flash your backup in your bricked DME via bdm before buying a new DME? Maybe the bdm access is not locked.

    If it is locked, I can recover it for you but you will have to send me your DME.
    Last edited by MpowerE36; 11-28-2022, 11:18 AM.



  • binary420
    replied
    If I bricked my e92 m3 mss60 engine ecu with an incomplete update, and I want to buy a replacement ecu,
    how important is the part number when searching for a replacement MSS60 ECU module?

    If I want to flash my original backup from my original ECU, will any MSS60 work or am I limited to a narrower selection, or does it for some reason need to match exactly?

    RealOEM says they are retrospectively interchangeable, so I assume any MSS60 will work to replace and flash with my 2008 MSS60 backup flash / tune files.

    And is just flashing my full backup to the new device all that is needed to re-populate my original VIN / SK or are there any other steps I'm missing to get that accomplished?
    Last edited by binary420; 11-24-2022, 09:48 AM.



  • boise567
    replied
    Does anyone know what chip is for the oxygen sensor of DME mss65? I would like to replace that chip. Thanks.



  • julthefast
    replied
    Hopefully not too late to join the fun, I just picked up an M5 e60. I have a bunch of genuine commercial BDM tools (the usual suspects, ktag etc) and OBD that can read those DMEs.
    Currently in the process of swapping an E92 DCT to replace the terrible SMG.



  • terra
    replied
    Ah I didn't pay that much attention to the subroutine. You're right, that wouldn't work then.



  • MpowerE36
    replied
    Originally posted by terra

    Since your DME is unlocked now, in theory if you set ACCESS to 1, that should prevent it from being locked even if the censor bits are triggered. Haven't tested that personally.
    I don't think it will work unless you also patch the program because the ACCESS bit is cleared before setting censor bits to 11.

    [Attached image: ACCESS.png]
    Last edited by MpowerE36; 09-14-2021, 11:29 AM.



  • pshoey
    replied
    Agree it would take some effort and is not easy to debug but the code required is fairly small - and I bet could be written in C.




  • terra
    replied
    Originally posted by pshoey
    Great thanks.

    Maybe it would be possible for us to add some code to a full dump to unlock the processor, set the shadow ram and set the access bit?


    While it's not theoretically impossible, it's not the easiest code to write, and would take a fair amount of debugging. You'd have to write something that can execute in RAM to run the uncensor routine, set whatever registers you need, and then restore at least the boot code. And this would more or less all have to be written in assembly.



  • pshoey
    replied
    Great thanks.

    Maybe it would be possible for us to add some code to a full dump to unlock the processor, set the shadow ram and set the access bit?




  • MpowerE36
    replied
    Originally posted by pshoey
    Which address needs to be patched to 0 or 100h?


    For the 240E program:

    Fullbinary from MSS6x flasher : 0xF555A (injection) & 0x362B4A (ignition)
    External memory binary : 0x7555A (injection) & 0x62B4A (ignition)

    Apparently there are also lock instructions for the ignition processor (they seem not to exist for programs older than 240E).
    Last edited by MpowerE36; 09-08-2021, 02:36 PM.



  • terra
    replied
    Originally posted by MpowerE36
    After flashing the shadow region of the injector processor my ECU is unbricked. You just have to write the long 0x20410000 at 0x0 address (UC3FCFIG register).

    As I showed in the #100 post, you can replace 0x300 by 0x0 or 0x100 if you don’t want the injector processor to lock anymore (apparently during SK writing).

    It's cool to know that I can brick my dme as many times as I want and I could always get it back.
    Since your DME is unlocked now, in theory if you set ACCESS to 1, that should prevent it from being locked even if the censor bits are triggered. Haven't tested that personally.



  • pshoey
    replied
    Which address needs to be patched to 0 or 100h?




  • MpowerE36
    replied
    After flashing the shadow region of the injector processor my ECU is unbricked. You just have to write the long 0x20410000 at 0x0 address (UC3FCFIG register).

    As I showed in the #100 post, you can replace 0x300 by 0x0 or 0x100 if you don’t want the injector processor to lock anymore (apparently during SK writing).

    It's cool to know that I can brick my dme as many times as I want and I could always get it back.
    Last edited by MpowerE36; 09-08-2021, 01:02 PM.



  • terra
    replied
    I later on used the shadow region from the ignition side and things still seemed to work properly.
