
1 - 20 of 57 Posts

·
Registered
Joined
·
354 Posts
Discussion Starter #1
I had posted in the DCT thread, but I think a new thread is appropriate

MSS6xFlasher.png

(Picture is slightly outdated now)


Supports MSS60 and MSS65. On the MSS65 I can defeat RSA in the tune itself. No long read/write required (however you'll still have to flash a complete RSA bypass if you want to make program modifications).

Looking for beta testers. Currently I've only tested on the bench using the 160E software for the MSS65 and 241E on an MSS65 running MSS60 software.

04/14/2020

Updated the software:
Safety changes:
  • Added sanity checks for loaded files.
  • Tunes
    • Check that SW reference is compatible with installed program
    • Check that injection and ignition tunes are of the same version
    • Check that injection and ignition tunes are in the correct order
  • Full writes:
    • Check that Program Reference is compatible with DME hardware
    • Check that injection and ignition programs are of the same version
    • Check that a tune is loaded in the binary and passes above tune checks
  • Added a warning if you attempt to close the application in the middle of a flash process
    • This SHOULD allow the application to keep running while the warning shows, but I did have one instance where the flash got interrupted anyway. Maybe I knocked my cable or something. YMMV
  • Disabled all buttons (ident/read/write) during active flash process
New Features:
  • Ram dumping - hold shift while you click Read DME, and the software will dump the RAM and save each side as two different files
  • EWS4 SK Reading (MSS60 Only) - Reads the injection RAM, searches for the EWS4 SK using a pattern search.
    • If successful, the key is displayed in the application and a file with the SK is saved (file will include the appropriate header to be pasted in directly at 0x7948 of the injection dump)
    • When doing a full read on the MSS60, the DME will search for the SK at the end and add it to the dump before saving the file (I did not thoroughly test this due to the nature of how long full reads take, but I expect it will work fine).
The previous link I shared with everyone should point to the latest version of the app
 

·
Registered
Joined
·
269 Posts
Love it. Nice one bro.
 

·
Registered
Joined
·
243 Posts
Does it mean people can share “proprietary” tunes? Considering bmw doesn’t make E60 M5’s anymore, along with their incredibly depreciated value... tuners are no longer updating software yet all of them are still selling the same old thing at the same old high price.... heh.
 

·
Registered
Joined
·
354 Posts
Discussion Starter #5
Does it mean people can share “proprietary” tunes? Considering bmw doesn’t make E60 M5’s anymore, along with their incredibly depreciated value... tuners are no longer updating software yet all of them are still selling the same old thing at the same old high price.... heh.
While I can't condone such a thing, this application doesn't lock itself to a VIN or anything like that. If the file matches your hardware/software, it will flash it.

There are ways to prevent tunes from being read out by OBD. I don't know if any tuners actually do so.
 

·
Registered
Joined
·
243 Posts
While I can't condone such a thing, this application doesn't lock itself to a VIN or anything like that. If the file matches your hardware/software, it will flash it.

There are ways to prevent tunes from being read out by OBD. I don't know if any tuners actually do so.
that would be pretty impossible for them to do so just by design
 

·
Registered
Joined
·
354 Posts
Discussion Starter #7
that would be pretty impossible for them to do so just by design
No it's plenty possible. I accidentally figured out how to make the DME just return FFs for any read inquiry when I was working on how to dump the ISN. It is also quite feasible to restrict the blocked range to just where the tune is held.
 

·
Registered
Joined
·
354 Posts
Discussion Starter #8
I believe the app has sufficiently proven itself to be safe at this point and am comfortable releasing it now. You can grab it here: MSS6x Flasher - Now released! - NA M3 Forums

MSS6x Flasher.png


Functionality:
  • Ability to read and write tunes and program code
    • An RSA bypass must be flashed to write custom tunes/programs on the MSS60 and custom programs on the MSS65
  • Ability to read the ISN (MSS65) / EWS Secret Key (MSS60) over OBDII
    • ISN requires an RSA Bypass to be written first
    • This means a full backup can be made entirely over OBDII
  • Ability to dump RAM
Safety:
  • The software will verify that binaries loaded are in the correct format and order
  • The software will verify that programs being written match the hardware you’re trying to flash, and will verify all tunes being written match the software you’re trying to flash
  • If the tune or program are not stock, the program will make sure you have an RSA delete before continuing (you can override this warning, but the flash will likely fail if you don’t have an RSA delete that I couldn’t detect)
  • The program will not let you flash an RSA bypass if the binary being loaded doesn’t match the software variant you are currently on
Performance:
  • Backup tune in < 5 minutes
  • Full backup 45-60 minutes
    • 2 hours in long mode
  • Flash tune in approximately 1 minute
  • Flash full program in ~10 minutes
  • Flash RSA bypass in ~15 minutes
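
The pre-flash checks listed in the 04/14/2020 changelog and in the Safety list above, written out as an added example (not MSS6x Flasher's code and not part of the original posts). The `Image` and `Dme` fields and all sample values are hypothetical; it covers image order, version match, tune-versus-installed-program, program-versus-hardware, and the overridable RSA warning.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical, already-parsed identification fields; where they sit in a
# real MSS6x binary is not described on the page and is not modelled here.
@dataclass(frozen=True)
class Image:
    side: str         # "injection" or "ignition"
    hw_ref: str       # hardware the program was built for
    program_ref: str  # program (SW reference) the tune belongs to
    version: str      # tune/program version
    stock: bool       # True if the image is unmodified

@dataclass(frozen=True)
class Dme:
    hw_ref: str
    program_ref: str
    rsa_bypass: bool  # whether a bypass was detected on the DME

def preflight(images: List[Image], dme: Dme, full_write: bool) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors block the flash, warnings can be overridden."""
    errors: List[str] = []
    warnings: List[str] = []
    if [i.side for i in images] != ["injection", "ignition"]:
        # Wrong count or order: no later comparison is meaningful, stop here.
        return ["images must be injection then ignition"], warnings
    inj, ign = images
    if inj.version != ign.version:
        errors.append("injection and ignition versions differ")
    if full_write:
        # A full write replaces the program, so it must match the hardware.
        if any(i.hw_ref != dme.hw_ref for i in images):
            errors.append("program reference not compatible with DME hardware")
    elif any(i.program_ref != dme.program_ref for i in images):
        # A tune-only write must match the program already installed.
        errors.append("SW reference not compatible with installed program")
    if not all(i.stock for i in images) and not dme.rsa_bypass:
        # Overridable: a bypass may be present but undetected.
        warnings.append("non-stock image and no RSA bypass detected")
    return errors, warnings

# Constructed sample values, not real references.
DME = Dme(hw_ref="HW-A", program_ref="PRG-1", rsa_bypass=False)
GOOD = [
    Image("injection", "HW-A", "PRG-1", "v1", True),
    Image("ignition", "HW-A", "PRG-1", "v1", True),
]
```
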
 

·
Registered
Joined
·
119 Posts
Taking a full DME read with MSS6x Flasher


I / we are not liable if you break your car by incorrectly flashing your ECU/DME. You do so at your own risk!

You will require the following:
  • A Windows laptop with .Net Framework 4.5 installed
  • A copy of MSS6x Flasher, available here
  • A copy of the MSS6x Flasher prerequisites, available here (not required if you have a working EDIABAS install)
  • All E9x M3s and 2008+ M5s will require a K+D-CAN cable that is flashed with the EdiabasLib firmware. Bimmergeeks sells preflashed cables for a reasonable price. Without this type of cable, a DME brick is guaranteed. 2006-2007 M5s should work with a standard K-line interface, however this has not been thoroughly tested.
  • A trickle charger that can supply 10A to your car whilst flashing. I use a CTEK MXS 10 (Recommended, but not always required if your battery is good).
Before proceeding any further, please pay attention to the FAQ on the MSS6x Flasher page

First things first, hook your car up to the trickle charger, and your laptop up to its charger.

Plug your OBD2 cable in to the laptop and to your vehicle. The OBD2 port is usually located by the driver's footwell, by the hood release.

Download MSS6x Flasher and extract it to a directory of your choosing.

Download the appropriate ECUWorx Binary Modification tool and extract it to a directory of your choosing.

Download the MSS6x prerequisites zip file and extract it to the root of your C:\ drive.

The zip file should then create the following directory structure:

ediabas_files


Now open up Windows ‘Device Manager’, this can be accessed via ‘Control Panel’ > ‘Hardware and Sound’ > ‘Device Manager’ or by clicking ‘Start’ then typing ‘devmgmt.msc’.

device_manager


Once in ‘Device Manager’ locate the ‘Ports (COM & LPT)’ section and expand it out. Check to see what COM port your USB diagnostic cable has adopted. In the screenshot below mine had adopted COM5.

Your COM port number may differ from mine.

device_manager_2


We must now change the COM port used by the USB diagnostic cable to COM1, we must also change the latency settings.

Double click your USB Serial Port, then click the ‘Port Settings’ tab, then the ‘Advanced…’ button.



Change the ‘COM Port Number’ to ‘COM1’ via the drop down, and then change the ‘Latency Timer (msec)’ to 1, as per below.



Once the COM Port Number and Latency Timer are set click ‘OK’, if you receive a warning regarding the name being used by another device ensure you have no other devices using COM1 and then click ‘Yes’, followed by ‘OK’.

Close Device Manager.

Place the key in the ignition and press start but do not start the vehicle. Turn off your lights, heater, radio etc to minimise the current drawn whilst reading/writing to the DME.

Load up ‘MSS6x Flasher’ and click ‘Identify DME’



MSS6x Flasher should return the DME Type, VIN, HW Reference, Program Version, Software Version and DME Status.

If it returns ‘Unknown / Unsupported’ then please double check you have completed all of the above steps correctly.

If all is identified correctly then proceed to click ‘Read Full Flash’.

The ‘Full Flash’ read will take around 45-60 mins.



Once the read completes an explorer window will pop up with your full read.



The tool will also return to its idle state:



At this stage, I would also recommend that you backup your ISN/Secret key in case your DME becomes corrupt at any stage.

To perform the ISN/Secret key backup simply click ‘Advanced’ > ‘Read ISN / Secret Key’.



Your ISN / Secret key will be saved in the same location as your DME reads.

Turn your ignition off and remove the OBD2 cable from the diagnostic port.

If you have an e9x M3 you will be to use the ‘Flash RSA Bypass’ option, as per the MSS6x Flasher FAQ.



Once the flash completes, you will need to cycle the ignition to clear any codes / warnings left on your dash.
 

·
Registered
Joined
·
354 Posts
Discussion Starter #10
Thanks for the great instructions Martyn.

One thing I would like to note is that unfortunately on the MSS65, the ISN / Secret Key requires a full RSA bypass to be flashed. If I ever figure out how to read it without doing so I'll update the application.

Flashing tunes on the MSS65 is not all that invasive though, so an ISN backup is less critical
 

·
Registered
Joined
·
22 Posts
wow, thanks Terra and Martin for this work...I followed along from e46 to e90 and now e60.

Question, I have a 2007 m5 and can I still flash with non patched clone K+DCAN cable? Can I also flash with my ICOM A2 if the clone doesn't work?

thanks!!!
 

·
Registered
Joined
·
354 Posts
Discussion Starter #12
wow, thanks Terra and Martin for this work...I followed along from e46 to e90 and now e60.

Question, I have a 2007 m5 and can I still flash with non patched clone K+DCAN cable? Can I also flash with my ICOM A2 if the clone doesn't work?

thanks!!!
If your car is K-line, which a 2007 should be, it should be fine. ICOM can be used to recover your DME, but this application doesn't support ICOM. If EdiabasLib ever adds support for the ICOM, then I'll add support to the application.

That said, in case the model year convention in the US is different than the rest of the world, when I say MY2008, I am specifically referring to September 2007 or newer builds. I think that would be LCI cars only now that I think of it.
 

·
Registered
Joined
·
22 Posts
If your car is K-line, which a 2007 should be, it should be fine. ICOM can be used to recover your DME, but this application doesn't support ICOM. If EdiabasLib ever adds support for the ICOM, then I'll add support to the application.

That said, in case the model year convention in the US is different than the rest of the world, when I say MY2008, I am specifically referring to September 2007 or newer builds. I think that would be LCI cars only now that I think of it.
Thanks for the quick reply, yes my car is a 2007 and my friend also has a 2008 once I got mine going.

From reading your flasher FAQ, I thought your program communicated through ediabas which the connection setting can be changed via remote.ini and ediabas.ini?
 

·
Registered
Joined
·
354 Posts
Discussion Starter #15
Thanks for the quick reply, yes my car is a 2007 and my friend also has a 2008 once I got mine going.

From reading your flasher FAQ, I thought your program communicated through ediabas which the connection setting can be changed via remote.ini and ediabas.ini?
Your 2007 should be fine. Your friend's car will need the cable

It uses EdiabasLib for communication. In theory Ediabas itself doesn't need to be installed as long as you have the right prg files, though it makes things easier if it is (especially if you end up having to use winkfp to recover or something).
 

·
Registered
Joined
·
22 Posts
Your 2007 should be fine. Your friend's car will need the cable

It uses EdiabasLib for communication. In theory Ediabas itself doesn't need to be installed as long as you have the right prg files, though it makes things easier if it is (especially if you end up having to use winkfp to recover or something).
I guess I was confused with EdiabasLib; I thought they were just an opensource for patching the K+DCAN cable. Thanks for the clarification. Will try flashing my 07 with non modified K+DCAN cable sometime this week to report back.
 

·
Registered
Joined
·
22 Posts
Just flashed my 07 with non modified cable. Everything seems working. After I flashed program, it asked to flash tune.
 

·
Registered
Joined
·
22 Posts
Just went for a test drive and engine light came on with limp mode. Will try to flash back with the original to determine whether it was the modified file or the cable.
 

·
Registered
Joined
·
22 Posts
Just flashed back the original, no problem. Perhaps something to do with the adjustment I made via the binary tool from ecuworx. I changed the warm up rpm, cold start delete and vmax.
 