MSx70 Flasher - Alpha Release
Download here: https://github.com/terraphantm/MSx70...pha/Release.7z
This is a free application that can be used to read and write to the Siemens MSV70 and MSS70 DMEs found in the E85/6 Z4M, as well as in 2006-2007 N52-engined cars including the E60, E90 and E85/6.
Requirements:
- A computer or virtual machine with .NET Framework 4.5 – I believe this means Windows 7 or newer. There may be hacks to get .NET 4.5 to work on earlier versions of Windows, but I cannot confirm their reliability.
- A functional Ediabas install, or at the very least the following files:
  - MSV70.prg and/or MSS70.prg
  - If you only have the .prg and no Ediabas install, you will have to make some changes to the included config file
- An OBDII-to-USB interface
  - Theoretically all MSV70 and MSS70 cars use K-line for communications, so the firmware issue affecting D-CAN cars is not a factor.
  - This application assumes the use of an FT232RL-equipped interface. The configuration can be modified to use COM communications for plain serial interfaces; however, this is untested.
Functionality:
- Ability to read and write tunes and program code
  - An RSA bypass must first be flashed to write custom tunes/programs; this requires a full stock binary to be available
- A full backup of the external and internal flash can be made over OBDII
  - It is not currently known how to back up the SPI data without BDM
- Automatic checksum correction for flashed tunes and programs
Safety:
- Currently only rudimentary checks are implemented to ensure that the tune matches the program and that the program matches the hardware
- Additional safety measures will be implemented in the future
Performance:
- Backup tune in ~90 seconds
- Full backup ~15 minutes
- Flash tune in approximately 1 minute
- Flash full program in ~15 minutes
- Flash RSA bypass in ~17 minutes
- The application defaults to assuming you're using an FTDI interface and uses FTDI mode for communications.
- The application assumes your Ediabas PRG files are stored in C:\Ediabas\Ecu
- The application assumes you will be using MSV70.prg
- If you would like to change any of these settings, you can do so in the included .config file
First Time Use:
- Before the application lets you do anything, it has to identify what it is connected to. Connect the cable to your car and computer and hit the "Identify DME" button. Now more buttons and menus should be active.
- Read a full dump from your DME. After it is done, the full backup as well as a copy of your tune will be saved in a folder named with the last 7 digits of your VIN. Keep that backup in a safe location.
  - Full reads are formatted as external + internal. A full dump should be 2 MB in length.
- Click "Load file" and select the full dump (2048 KB) you just made.
- Click "Advanced" and pick the RSA bypass option.
- After that process is done, you'll need to flash back a tune. You could click "Flash tune" now to flash back what was already there, or if you already have a modified file you want to flash, you can load that now.
- That's pretty much it: you can now flash tunes and programs to your DME as you please.
Frequently Asked Questions:
What is RSA and why do you need to bypass it?
RSA is an asymmetric (public-key) algorithm that is used in many industries to establish secure exchange of information. BMW uses it to validate tunes and code sent to the DME. Essentially BMW signs a tune or program with a private key that only they know. The DME then checks this signature with the corresponding public key it has stored in memory. If a single bit in the tune or program changes, the signature is no longer valid and the DME will refuse to authenticate the program.
RSA is a secure algorithm, and for the MSV70 and MSS70, BMW uses a large enough key that it is infeasible to recover the private key ourselves with today's computing power. So instead we have to exploit vulnerabilities in the authentication scheme, which is what the patch this program installs does.
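To make the check described above concrete, here is an added illustration (not code from the MSx70 Flasher project) of signing an image and verifying it on the receiving side, using textbook RSA over a SHA-256 digest with constructed toy keys. BMW's real key size, hash and padding are not on this page and are not assumed here; the point shown is that the verifier needs only the public key, and that a single flipped bit in the image makes the check fail.

```python
import hashlib

# Constructed toy key from two Mersenne primes (2^61-1 and 2^89-1). Real keys are far
# larger and randomly generated; unpadded "textbook" RSA is used here only to illustrate.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537                              # public exponent, stored by the verifier
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held only by the signer


def digest_int(image: bytes) -> int:
    """Hash the image and read the first 16 bytes as an integer (always < N)."""
    return int.from_bytes(hashlib.sha256(image).digest()[:16], "big")


def sign(image: bytes, d: int = D, n: int = N) -> int:
    """Signer side: only the holder of d can produce this value."""
    return pow(digest_int(image), d, n)


def verify(image: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Verifier side (the DME's role): needs only the public pair (e, n)."""
    return pow(signature, e, n) == digest_int(image)


def flip_bit(image: bytes, bit_index: int) -> bytes:
    """Return a copy of the image with exactly one bit toggled."""
    buf = bytearray(image)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


# Constructed stand-in for a tune image (a real dump is far larger).
TUNE = bytes(range(256)) * 4
SIG = sign(TUNE)


def demo() -> dict:
    """Genuine image verifies; the same image with one changed bit does not."""
    return {
        "genuine": verify(TUNE, SIG),
        "one_bit_changed": verify(flip_bit(TUNE, 777), SIG),
    }
```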
Something messed up and my DME won't boot anymore. Can you help?
Well, first of all try to see if you're able to access it in tool32 at all. If the ident job works, then your DME can most likely be recovered. Get your hands on the proper cable and reflash your DME with WinKFP. Your DME should be recovered and should be okay to go from there.
If the DME doesn't even respond to an ident job in tool32, then unfortunately that most likely means the bootloader on your DME got erased or corrupted. You can recover with the use of a BDM flasher; there are several available out there. You should be able to restore your DME with the full backup that you hopefully made. If you did not make a full backup, then you can probably still recover things reasonably well, but we'll just have to piece a few different binaries together.
Do you have any map packs or XDFs?
I do not at this time. It is my hope that with the release of a free application compatible with off-the-shelf hardware, there will be more interested parties looking into these DMEs and trying to figure things out for the sake of improving the state of community knowledge. MartynT of ECUWorx makes some excellent software that helps you with some simpler tweaks to your DME.
Acknowledgements:
- This application would not be possible without EdiabasLib by uholeschak; you should check out the project here if you have any interest in BMW communications protocols
- Chris325ix aka Hassmaschine aka nando for helping me get started with DME disassembly
- @Obioban and liam821, without whom this new forum would likely not exist.
- The original M3F DME crew, which got me interested in all this stuff in the first place
- This application was built using GPL libraries, EdiabasLib in particular, and is therefore also bound by the GPLv3 license. As such, source code is available to any binary holder who requests a copy.
- I have no financial interests at this time in relation to ECU tuning, hacking, cracking, development, or disassembly.
- I have no financial relationships with any of the vendors or individuals mentioned in this post
Disclaimer:
This program is inherently invasive, and can render your DME unbootable and unrecoverable, as well as your car undriveable. Engine damage may occur as a result of this application's use. Care must be taken when using this application. In no respect shall nam3forum, m3forum.us, this program's authors or contributors incur any liability for any damages, including, but not limited to, direct, indirect, special, or consequential damages arising out of, resulting from, or in any way connected to the use of the application, whether or not based upon warranty, contract, tort, or otherwise; whether or not injury was sustained by persons or property or otherwise; and whether or not loss was sustained from, or arose out of, the results of, the item, or any services that may be provided by the authors and contributors.
Github Link: https://github.com/terraphantm/MSx70-Flasher