Announcement

Collapse
No announcement yet.

MSS60 Research

Collapse
X
Collapse
 
  • Page of 10
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 10 template Next
    #136
    Yeah I've written modified programs with no issue. RSA bypass needs to be done first
    • Likes 1

    Comment

      #137
      Originally posted by terra View Post
      Yeah I've written modified programs with no issue. RSA bypass needs to be done first
      Nice. Are you open to doing similar RSA bypass for other BMW ECUs as paid work? Tried to PM you, won’t let me.

      Comment

        #138
        Originally posted by terra View Post
        That resistor to boot from external SRAM could be useful for recovering complete bricks.
        This similar to SBOOT on newer ECUs?

        GitHub - bri3d/Simos18_SBOOT: Documentation and tools about Simos18 SBOOT (Supplier Bootloader), including a Seed/Key bypass and Tricore boot password recovery tool.
        https://github.com/bri3d/Simos18_SBOOT
        Documentation and tools about Simos18 SBOOT (Supplier Bootloader), including a Seed/Key bypass and Tricore boot password recovery tool. - bri3d/Simos18_SBOOT


        Comment

          #139
          Originally posted by pshoey View Post
          terra do you remember what OCD Speed setting you used with your Wiggler?

          Also, seems my 5KW9586 ECU is BDM locked. I borrowed a Yanhua ACDP adapter that can read out either side - worked perfectly on my MSS65 but on the MSS60s I have, works on right side (obviously) but not on left side.

          Interestingly, on 2 of the later ECU units, the error on the left side was CPU Encrypted but on the 9586 the error was "wrong model" (related to cpu identity).

          I have one unit left to try, a 5KW9588 with 080E version of software. I'll open it up tomorrow if I get time.

          It would seem to me that the "BDM lock" was introduced by a software update, given that the lock is software activated - I know you (@terra) disagree with that general opinion.
          pshoey Do you know what version of SP-DATEN had the 080E? I have a half BDM read of one, but no full OBD read. Want to flash an mss60 with it from WinKFP and do some testing on it.

          Comment

            #140
            Originally posted by adrianj73 View Post

            pshoey Do you know what version of SP-DATEN had the 080E? I have a half BDM read of one, but no full OBD read. Want to flash an mss60 with it from WinKFP and do some testing on it.
            Z08E is an update released in Jul2008
            Hardware 7841981 and soft EU 7841976 (ZB 7841975) US 7841978 (ZB 7841977)
            If you need I could send

            Comment

              #141
              i read this Thread in the end i find lot infos but nothing what Helps me i search Backup BDM (KTAG) for MSS60 most interessed on MPC maybe anone can help me here ??ß

              Comment

                #142
                Originally posted by obdshop View Post
                i read this Thread in the end i find lot infos but nothing what Helps me i search Backup BDM (KTAG) for MSS60 most interessed on MPC maybe anone can help me here ??ß
                You will need tool created by Vincent to unlock the processor. Contact MpowerE36 .

                Last edited by Tomba; 09-10-2024, 04:43 AM.

                Comment

                  #143
                  So there is no way to unbrick MSS60 in BDM with Ktag after Flashing RSA Bypass with cheap cable?

                  Comment

                    #144
                    MpowerE36

                    You'd probably know this. Am I correct in assuming that setting the censorship mode while IWS = 0 means the MCU is forever stuck in censored mode?

                    If so... oops

                    Comment

                      #145
                      As far as I can remember, there’s nothing irreversible about this MCU but I haven't worked on this MCU for a long time.
                      https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA

                      Comment

                        #146
                        Got it. Well unfortunately I think this is a scenario.

                        Basically I was messing with the censorship states on my MSS65 which by default has its UC3FCFIG as 00000000 instead of 20410000. The clear censor operation requires being able to do an interlock write, which with IWS 0 means writing to the main UC3F array. And if that's in a censored state, the DME is stuck. And interestingly this seems to have also made it that I can't even trigger an erase or write while the DME is operating. So this thing is basically stuck in stasis.

                        The reference manual glosses over it, but freescale's extra documentation does support this.

                        Click image for larger version Name: image.png Views: 14 Size: 127.9 KB ID: 347360

                        Oh well. Maybe I'll try to take a crack at replacing the CPU. Good thing I don't actually depend on this thing for anything and I still have my MSS60

                        But on that note, I can confirm I have been able to clear censorship mode using the USBJtag NT device. Just need that IWS bit to be set to 15 if erasing the censor registers while in censored mode. I'll write that up and some scripts soon​
                        • Likes 1

                        Comment

                        Previous 1 10 template Next
                        Working...
                        X