I cloned my MSV70 DME
12-05-2016, 03:41 PM | #1079 | Major General | 3978 Rep | 7,212 Posts
Quote:
It looks like what that code does is load the RSA key pointer (0x20 on MSV70 for 1024 bits), and at that branch condition it compares it to 0x20 (and it would also match if it were 0x10 for the 512-bit keys). If it matches, it goes to the right, which is the actual RSA key verification. Assuming r3 = 0 is what I want, then I don't see why it wouldn't work. I don't think the MS45 way works on MSV70 because r3 wasn't necessarily being set to 0 (or whatever it is that it needs to be on MS45). So even though it was skipping the RSA check, it was still failing security authorization..
12-05-2016, 03:44 PM | #1080 | Major General | 3978 Rep | 7,212 Posts
Maybe I just forgot to reboot it, but when I pulled a RAM dump it was all set to 0, and I don't think it would talk to INPA - it was late though, and I was tired, so I decided to stop and try something new.
12-05-2016, 04:25 PM | #1081 | Colonel | 1000 Rep | 2,287 Posts
Are you using WinKFP for both the program and calibration file? Or did you use a BDM for the program?
12-05-2016, 04:44 PM | #1082 | Major General | 3978 Rep | 7,212 Posts
BDM for now - I think the patch I sent you worked (that's the one I got the coding/version error on), but again, you can't really change that via OBD. So instead, I need something that modifies the boot sector where we can actually write to it.
12-05-2016, 06:08 PM | #1083 | Colonel | 1000 Rep | 2,287 Posts
Quote:
I did about 4 flashes and for some reason one took 8 minutes. No idea why. Could be battery voltage but I'm testing for speed without a charger. Battery is close to three years old and not too good but I don't think that is the problem. Of course a 4 minute flash without removing the DME is not really that bad. One could call us "picky".
12-05-2016, 06:56 PM | #1085 | Colonel | 1000 Rep | 2,287 Posts
Frankly I don't remember. I bought it on eBay like four years ago. Never had any driver or latency issues so I've stuck with it.
Edit: this is the same cable I use to bench flash an 0PA file in 45 seconds.
12-05-2016, 07:28 PM | #1086 | Banned | 2472 Rep | 9,004 Posts
12-05-2016, 07:39 PM | #1087 | Major General | 3978 Rep | 7,212 Posts
I'm using a dcan cable with the green pcb.. 0da writes are definitely under a minute.
Well, modified 0da writes are working with the new patch, but the modified 0pa failed with the key references changed. Going to try one more time, and then work on some other ideas.
12-05-2016, 07:42 PM | #1088 | Colonel | 1000 Rep | 2,287 Posts
Quote:
I have a few ideas to help but I'm done for the evening. Edit: are you using my tool to create the 0da files?
12-05-2016, 07:52 PM | #1089 | Major General | 3978 Rep | 7,212 Posts
Bench. Don't want to do a car test until I have it working 100%.
I have the same cable as you BTW. The label is even peeling off just like that. Trying the 0pa at normal speed. If that doesn't work, I might need to make up my own segments, it's still looking for 5 in the code even if the header only says there are two..
Last edited by hassmaschine; 12-05-2016 at 10:26 PM.
12-05-2016, 10:36 PM | #1090 | Captain | 253 Rep | 775 Posts
Quote:
Also, I found myself an MSV70 for $30 on eBay, so soon I'll be able to get in on some of the fun
12-05-2016, 11:00 PM | #1091 | Major General | 3978 Rep | 7,212 Posts
Yeah. I think my mistake was changing the number of segments. Made a new file with it set to 5.
Good thing is it's way easier to modify that than go through the hell of recalculating the boot sector checksums for the smallest tweak..
12-06-2016, 01:38 AM | #1092 | Captain | 253 Rep | 775 Posts
Having fewer segments should work okay, as long as the extra ones are zeroed out (particularly the lengths). Can you post what you changed the pointers to?
12-06-2016, 08:37 AM | #1093 | Major General | 3978 Rep | 7,212 Posts
Yeah, it does reference the # of segments - anyway, after I gave up and went to bed, a light went on in my head..
In the program segments, they are referenced by their memory locations like they are in the file - i.e. 0x80000 - except for the MPC563 internal flash which is 0x400000. But the data segments are referenced by their internal memory locations, which are all offset by 0x400000 - so 0x840000, 0x85EAFF, etc. When I copied them over, I left them as internal memory references, rather than external file references, and I think that's why it's failing - because it's looking in the wrong locations.. All I have to do is change it from (00840000 - 008400FF, 00840240 - 0085EAFF) to (00040000 - 000400FF, 00040240 - 0005EAFF).
12-06-2016, 09:27 AM | #1094 | Colonel | 1000 Rep | 2,287 Posts
Quote:
12-06-2016, 10:18 AM | #1095 | Captain | 253 Rep | 775 Posts
Quote:
When you're using WinKFP, are you using comfort mode or expert mode? With the MS45, I was using expert mode. I wonder if comfort mode erases both sections before starting the program write.
12-06-2016, 10:22 AM | #1096 | Major General | 3978 Rep | 7,212 Posts
Well, yes, but why else would they reference them differently if it doesn't matter? I think the program references are different because of the internal flash segment - if it didn't use the differing offsets, it could get confused with writing over parts of the external flash. And anyway, it definitely didn't work with them set to the internal memory references.
I'm using expert mode. I'm importing my custom files and selecting them manually. It doesn't look like it erases anything, after a flash fails I can reboot the DME and it will try again. Actually, experimenting a bit I think it would be very difficult to brick the DME. I even powered it down in the middle of a flash to see what would happen. Basically, unless you did it at the very moment it is copying the new boot code over the original boot code, you can't brick it. And 0da writes are extremely safe, you could probably write a file full of garbage and you could still get it to flash again.
12-06-2016, 10:25 AM | #1097 | Captain | 253 Rep | 775 Posts
If you're using expert mode it shouldn't be an issue, maybe it is the memory map. Or there is an extra layer of protection somewhere. I was just thinking if the data section was erased before starting the program write, that would explain why an RSA check wouldn't work there (since you'd be hashing a bunch of FFs). But even if that was the case, that would only apply in comfort mode (and I'm not convinced that's the case anyway)
12-06-2016, 10:27 AM | #1098 | Major General | 3978 Rep | 7,212 Posts
Ah, no, I don't think it touches the data section at all unless you write an 0da. I also made sure I wrote a stock 0da file just to make sure the RSA hash would be right. I'm convinced it's my references that were wrong, either that or it's not going to work at all.
12-06-2016, 10:32 AM | #1099 | Colonel | 1000 Rep | 2,287 Posts
Quote:
12-06-2016, 10:37 AM | #1100 | Captain | 253 Rep | 775 Posts
I was just double checking my MS45 program RSA bypass, and my format is essentially equivalent to what I posted earlier:
Code:
00000002 00840000 008400FF 00840240 0085EAFF 00000000 00000000 00000000 00000000 00000000 00000000 00000100 0001E8C0 00000000 00000000 00000000