Hi Guys,
I have been working on a pet project to reverse the MSS60/MSS65 Siemens ECU binaries (both have an MPC563 inside).
Unfortunately I do not have an A2L or Funktionsrahmen for either of them, just some partial OLS read project for the MSS65 (ign and inj) that was floating around the net. Therefore my information is based on datasheet reading, looking at other people's partial/full BDM/OBD reads, the stock BMW (0pa/0da) files for the MSS65 and deducing with some common sense (which I might have applied badly).
According to my research the memory map of the MSS60/65 should look like this:
MSS65 ignition, ROM/Flash sections:
- boot: 0-0xffff (has checksum); also seems to have the VIN and some other diffs to the MSS65 injection bootloader
- application code: 0x10000-0x6db8e
- calibration code: 0x70000-0x7ffff (has checksum)
- application code: 0x450000-0x4a5580 (has checksum which covers the total application area)
RAM sections:
- BCC_DECRAM: 0x2f8000-0x2f8800
- CALRAM: 0x3f8000-0x400000
I split and combined some binaries and was able to get (almost) a full set imported into IDA; I am however not sure about what section might be missing. It seems other similar ECUs (like the MSD80) deployed some shadowing of ROM and/or EEPROM in SRAM.
I followed the procedure below, in case anyone would like to replicate it:
Step 1: Open IDA and press "work on your own"
Step 2: Drag and drop the mssXX boot binary -> mss65_ign_boot-0x0-0xffff.bin
Step 3: Click and select the PowerPC big-endian (ppc) CPU
Step 4: Set button
Step 5: Click processor options
Step 6: Click and enter the TOC & SDA address
TOC address: 0x5c9ff0
SDA address: 0x7ffff0
MMIO base: 0x0
Step 7: Click OK and OK
Step 8: On the memory organization window insert the RAM and ROM values
RAM: 0x2f8000, size: 0x800 (BCC_DECRAM)
ROM: 0x000000, size: 0x80000
Loading address: 0x000000, size: 0x10000
Step 9: Choose device name: mpc5xx, press OK and OK
Step 10: Click on File -> Load file -> Load additional binary -> mss65_ign_appl-0x10000-0x6db8e.bin
Step 11: Insert load segment: 0x0 (in paragraphs)
Loading offset: 0x10000
File offset in bytes: 0x0
Number of bytes: 0x0 (max load)
Step 12: Click on File -> Load file -> Load additional binary -> mss65_ign_calibr-0x7000-0x7ffff.bin
Step 13: Insert load segment: 0x0 (in paragraphs)
Loading offset: 0x70000
File offset in bytes: 0x0
Number of bytes: 0x0 (max load)
Step 14: Click on File -> Load file -> Load additional binary -> mss65_ign_appl-0x450000-0x4a5580.bin
Step 15: Insert load segment: 0x45000 (in paragraphs)
Loading offset: 0x0
File offset in bytes: 0x0
Number of bytes: 0x0 (max load)
Step 16: Add another segment, RAM (CALRAM):
RAM: 0x3f8000 - end 0x400000
Step 17: Reanalyze program
I have attached my mss65_ign_total_wip.idb; hopefully you guys can point out what I have missed.
I am currently unsure about the addresses of:
- TOC address: 0x5c9ff0
- SDA address: 0x7ffff0
- MMIO base: 0x0
I would be very thankful if some IDA master could tell me if I am on the right track or, if not, educate me (and the group) on how to do it better.
Thanks in advance for any feedback you can provide,
Best regards, Dave
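As an added helper (not from Dave's post or any ECU tooling project), the script below does offline what steps 10 to 16 do by hand: it reads the split chunks, whose names carry the post's start-end convention, checks each chunk's size against that range, pads the gaps with 0xFF and writes one flat image that can be loaded into IDA in a single step at address 0. The chunk file names, the 0xFF fill and the output file name are assumptions.

```python
import re
from pathlib import Path

# File names follow the post's "<name>-<start>-<end>.bin" convention.
RANGE_IN_NAME = re.compile(r"-(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)\.bin$")


def range_from_name(name):
    """Parse the flash range out of a name such as mss65_ign_appl-0x10000-0x6db8e.bin."""
    m = RANGE_IN_NAME.search(name)
    if not m:
        raise ValueError(f"no address range in file name: {name}")
    return int(m.group(1), 16), int(m.group(2), 16)


def chunks_from_files(paths):
    """Read each chunk and check its size against the range in its name.
    The post writes ranges inclusively (0-0xffff is 0x10000 bytes), so both
    end-inclusive and end-exclusive sizes are accepted."""
    chunks = []
    for p in map(Path, paths):
        start, end = range_from_name(p.name)
        data = p.read_bytes()
        if len(data) not in (end - start, end - start + 1):
            raise ValueError(f"{p.name}: {len(data):#x} bytes, name claims {end - start + 1:#x}")
        chunks.append((start, data))
    return chunks


def assemble_image(chunks, fill=0xFF):
    """Place (load_address, data) chunks into one flat image starting at 0.
    Gaps are padded with `fill` (0xFF looks like erased flash, so padding is
    obvious in the disassembler); overlapping chunks are rejected.
    Returns (image, layout) where layout lists the occupied [start, end) ranges."""
    image = bytearray()
    layout = []
    for start, data in sorted(chunks, key=lambda c: c[0]):
        if start < len(image):
            raise ValueError(f"chunk at {start:#x} overlaps data ending at {len(image):#x}")
        image.extend(bytes([fill]) * (start - len(image)))
        image.extend(data)
        layout.append((start, start + len(data)))
    return bytes(image), layout


if __name__ == "__main__":
    # Chunk names from the post; the calibration start is written as 0x70000, matching step 13.
    names = ["mss65_ign_boot-0x0-0xffff.bin", "mss65_ign_appl-0x10000-0x6db8e.bin",
             "mss65_ign_calibr-0x70000-0x7ffff.bin", "mss65_ign_appl-0x450000-0x4a5580.bin"]
    image, layout = assemble_image(chunks_from_files(names))
    Path("mss65_ign_flat.bin").write_bytes(image)  # assumed output name
    for start, end in layout:
        print(f"{start:#08x}-{end - 1:#08x}")
```

The RAM segments (BCC_DECRAM, CALRAM) are not part of the flash image and still have to be added in IDA as in steps 8 and 16.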
I'm trying to follow your amazing path. The MSS65 has two MPC563s: one at the DME's large connector side (injector) and one at the small connector side (ignition).
For each MPC563 dump there are two generated files. I'm trying to map the names of my files to the ones in your post, and I'd like to know if my mapping is correct.
Below is what I assumed; corrections are appreciated and welcome.
mpc563-Large_Connector_Side.bin (size 516Kb) ---> mss65_ign_boot-0x0-0xffff.bin
29BDD160GB-Large_Connector_Side.bin (size 2Mb) ---> mss65_ign_appl-0x10000-0x6db8e.bin
mpc563-Small_Connector_Side.bin (size 516Kb) ---> mss65_ign_calibr-0x7000-0x7ffff.bin
29BDD160GB-Small_Connector_Side.bin (size 2Mb) ---> mss65_ign_appl-0x450000-0x4a5580.bin
Am I correct?
I'm also stuck at step 16. How do I add another segment? I see the segments automatically generated on the left side of the screen, yet can't figure out how to add one.
Thank you.