Yeah I've written modified programs with no issue. RSA bypass needs to be done first

Nice. Are you open to doing similar RSA bypass for other BMW ECUs as paid work? Tried to PM you, won’t let me.

This similar to SBOOT on newer ECUs?

pshoey Do you know what version of SP-DATEN had the 080E? I have a half BDM read of one, but no full OBD read. Want to flash an mss60 with it from WinKFP and do some testing on it.

Z08E is an update released in Jul2008
Hardware 7841981 and soft EU 7841976 (ZB 7841975) US 7841978 (ZB 7841977)
If you need I could send

i read this Thread in the end i find lot infos but nothing what Helps me i search Backup BDM (KTAG) for MSS60 most interessed on MPC maybe anone can help me here ??ß

You will need tool created by Vincent to unlock the processor. Contact MpowerE36 .

So there is no way to unbrick MSS60 in BDM with Ktag after Flashing RSA Bypass with cheap cable?

MpowerE36

You'd probably know this. Am I correct in assuming that setting the censorship mode while IWS = 0 means the MCU is forever stuck in censored mode?

If so... oops

As far as I can remember, there’s nothing irreversible about this MCU but I haven't worked on this MCU for a long time.

Got it. Well unfortunately I think this is a scenario.

Basically I was messing with the censorship states on my MSS65 which by default has its UC3FCFIG as 00000000 instead of 20410000. The clear censor operation requires being able to do an interlock write, which with IWS 0 means writing to the main UC3F array. And if that's in a censored state, the DME is stuck. And interestingly this seems to have also made it that I can't even trigger an erase or write while the DME is operating. So this thing is basically stuck in stasis.

The reference manual glosses over it, but freescale's extra documentation does support this.

​

Oh well. Maybe I'll try to take a crack at replacing the CPU. Good thing I don't actually depend on this thing for anything and I still have my MSS60

But on that note, I can confirm I have been able to clear censorship mode using the USBJtag NT device. Just need that IWS bit to be set to 15 if erasing the censor registers while in censored mode. I'll write that up and some scripts soon​

So this whole fiasco made me look into the DME's censor routines a little closer. If I'm reading this correclty, the MSS60 won't censor itself if IWS is set to 0 -- presumably to avoid the issue I ran into above. Could explain why early MSS60s weren't censored despite the code being present as far back as 060E. If the shadow block on the early ones was set to 00000000 like the M5, that would skip the censor routine. Risky to test though since if wrong, then the DME is theoretically permanently stuck in censored mode.

​
​


That said, I still don't quite understand why my MSS65 isn't able to trigger erases of its internal flash anymore. Doesn't seem like being stuck in censorship mode should make it behave any differently than if it were censored and IWS=1.