Announcement

**heinzboehmer** · 04-18-2020, 04:32 PM

Originally posted by terra View Post

New version.

Changes:
Moved the RSA bypass to the "Advanced" menu, and added a slow and fast version. Slow is probably technically safer, but IMO the risk with fast is negligible if you're using a good cable.
I now verify the binary being flashed for an RSA bypass is a stock file and matches the program version you are currently on. If those conditions are not met, the program will refuse to let you go do the RSA bypass.
Now before tune and program writes, I check if the tune / program is stock and whether or not you have an RSA bypass. If the tune (MSS60 only) or program (both) are not stock and you don't have an RSA bypass, you'll get a warning saying the flash might fail. But you won't be forced to stop the flash in case you have an RSA bypass that I can't easily detect.
I put my money where my mouth is and did several flashes on my (currently) locked MSS60. No issues whatsoever so far.

Same link as before will work to download the latest version (someone let me know if it does not). I think I will be releasing shortly, after which point the latest version will be hosted here on the first post.

Wrong thread?

**terra** · 04-18-2020, 04:36 PM

Originally posted by heinzboehmer View Post

Wrong thread?

Yep, fixed now.

**terra** · 04-21-2020, 11:15 AM

So I got my wiggler in, but I'm not sure it's working right. Setup a new XP virtual machine and ran macraigor's OCD Commander to see if I could get some basic info out of the CPU - http://www.macraigor.com/ocd_cmd.htm

Getting pretty much junk data though. It works enough that it can tell when the device isn't connected to the parallel port, but otherwise I get junk data out of it whether or not I'm hooked up to the BDM header. Messing with the ECP/EPP settings within the VM bios didn't make a difference. Not sure if there's anything I could mess with at the host side to help.

I'm half tempted to pull one of my old motherboards/processors with a native parallel port out of storage.. but that sounds painful frankly.

**dpaul** · 04-21-2020, 12:11 PM

That is frustrating - could be a hardware problem with the wiggler or a problem with the virtual machine - I guess finding/setting up an old computer is the only way to know.

Can I ask an unrelated question? I promise I will not bother you further with random coding questions. I've been unable to compile EdiabasLib. I downloaded it today and am using Visual Studio 2019. Using the make file EdiabasLib.sln, I am getting the following errors:

EDIT: Nevermind. I'll get the binaries.

**terra** · 04-21-2020, 12:20 PM

Originally posted by dpaul View Post

That is frustrating - could be a hardware problem with the wiggler or a problem with the virtual machine - I guess finding/setting up an old computer is the only way to know.

Can I ask an unrelated question? I promise I will not bother you further with random coding questions. I've been unable to compile EdiabasLib. I downloaded it today and am using Visual Studio 2019. Using the make file EdiabasLib.sln, I am getting the following errors:

EDIT: Nevermind. I'll get the binaries.

I got an older version of OCDCommander via archive.org and got a little farther. The program will now actually be able to tell if the CPU is on / off, and it will read at least a few registers correctly before returning junk data. I wonder if it's something as simple as the clock speed being too damn high.

Try loading the ediabslib dll itself as a resource.

**dpaul** · 04-21-2020, 12:25 PM

Originally posted by terra View Post

I got an older version of OCDCommander via archive.org and got a little farther. The program will now actually be able to tell if the CPU is on / off, and it will read at least a few registers correctly before returning junk data. I wonder if it's something as simple as the clock speed being too damn high.

Try loading the ediabslib dll itself as a resource.

thanks - I did get the binary - all is good. Would think it should compile tho.

**terra** · 04-21-2020, 05:45 PM

Sigh, I guess my basement is not very hospitable to old electronics. My old CPU/mobo combos won't post.

There's a few PEMicro Cyclone Maxes on eBay for not crazy money. And with the Cyclones, it sounds like the programming software is free (you can download it right from PEMicro's website). Maybe I should just buy one of those.

What concerns me t hough is the user manual doesn't actually mention anything about clearing the censor for the MPC5xx / 8xx.

**dpaul** · 04-21-2020, 07:20 PM

Originally posted by terra View Post

Sigh, I guess my basement is not very hospitable to old electronics. My old CPU/mobo combos won't post.

There's a few PEMicro Cyclone Maxes on eBay for not crazy money. And with the Cyclones, it sounds like the programming software is free (you can download it right from PEMicro's website). Maybe I should just buy one of those.

What concerns me t hough is the user manual doesn't actually mention anything about clearing the censor for the MPC5xx / 8xx.

Nothing in the manual but there is a routine in the "Algorithms for MPC5xx/8xx, internal flash" download for enabling the shadow memory where the UC3F control block is located. Even a warning about losing the contents of the internal flash.

Seems like it should be able to change the UC3FMCR register. But at $200, it would be greatly disappointing if it didn't work.

**terra** · 04-21-2020, 07:48 PM

Originally posted by dpaul View Post

Nothing in the manual but there is a routine in the "Algorithms for MPC5xx/8xx, internal flash" download for enabling the shadow memory where the UC3F control block is located. Even a warning about losing the contents of the internal flash.

Seems like it should be able to change the UC3FMCR register. But at $200, it would be greatly disappointing if it didn't work.

Yeah, on one hand, it'd probably be a nicer programmer than my clone BDM100. Especially since if you forget the pinout on that is non-standard, you'll be sending 12V into the MCU and killing it.

On the other hand, I don't exactly need it, but could justify it if it kills the censor.

**terra** · 04-21-2020, 08:06 PM

I got the interface working. Had to set the parallel port mode in the VM bios to "Output Only" instead of bidirectional / EPP / ECP. Doesn't really make sense to me since it seems like communications are going both ways... but who knows.

This is my MSS65, but I'll try the MSS60 next. I guess I would just manually set the registers as noted in the reference manual

Edit: Meh, I clearly have some reading to do. Except you know, macraigor has literally 0 documentation. On this DME I can pretty much only do 1 command before I start getting junk or FFs back. I guess I'm running into the watchdog or something?

Edit: Sigh, I think I broke it. I managed to change the censor bytes from 11 to 00. But then when I tried setting to 01, all of the UC3F registers started reading as FF, and manipulating them seemingly doesn't work. DME doesn't boot anymore, and BDM100 still treats it the same as before.

**terra** · 04-21-2020, 10:59 PM

Boom.

Turns out clearing / setting the censor disables the UC3F array altogether, but you can reenable that by setting the IMMR.

Now I gotta see if I could make a script to automate all this.

Confirmed BDM100 will now read the DME (all FF'd of course). Now I'm just flashing back my OBDII backup (along with the shadow region from the MSS65 hoping it's the same here) and hopefully it will work.

**Martyn** · 04-21-2020, 11:08 PM

Great progress Mirza, so the register is now set to 41FF00FF the same as both processors like the factory MSS65?

**terra** · 04-21-2020, 11:15 PM

Originally posted by Martyn View Post

Great progress Mirza, so the register is now set to 41FF00FF the same as both processors like the factory MSS65?

Basically yep. BDM flash finished, and I confirmed the DME is responsive now.

I think I'm the first to successfully unlock one of these DMEs. Publicly anyway

You have a factory unlocked MSS60 right? When you get the chance do you think you'd be able to read the shadow memory from it? CMDFlash just tacks it onto the end of the internal flash, not sure about others. I made the assumption that the shadow memory from the MSS65 is good enough (and it probably is), but I just want to be sure there isn't anything different.

**dpaul** · 04-22-2020, 03:03 AM

Originally posted by terra View Post

Basically yep. BDM flash finished, and I confirmed the DME is responsive now.

I think I'm the first to successfully unlock one of these DMEs. Publicly anyway

You have a factory unlocked MSS60 right? When you get the chance do you think you'd be able to read the shadow memory from it? CMDFlash just tacks it onto the end of the internal flash, not sure about others. I made the assumption that the shadow memory from the MSS65 is good enough (and it probably is), but I just want to be sure there isn't anything different.

You are first.

I feel I have searched exhaustively and PM'd everyone who seemed to have even a shred of relevant information. There are few comments out there from people who thought they knew how to do it or even claim to have done it. But no one sharing any useful information or proof of the accomplishment.

Again, awesome.

**Martyn** · 04-22-2020, 03:05 AM

Originally posted by terra View Post

Basically yep. BDM flash finished, and I confirmed the DME is responsive now.

I think I'm the first to successfully unlock one of these DMEs. Publicly anyway

You have a factory unlocked MSS60 right? When you get the chance do you think you'd be able to read the shadow memory from it? CMDFlash just tacks it onto the end of the internal flash, not sure about others. I made the assumption that the shadow memory from the MSS65 is good enough (and it probably is), but I just want to be sure there isn't anything different.

My bench MSS60 is dead unfortunately

Announcement

MSS60 Research

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment