NefMoto

Hey guys, I'm trying to talk with mg1 unit on bench, but don't have success with response from it.
After start the ecu sends messages for a few seconds to can bus at 500kbits, after that silence. Messages depend in what mode is my can device - listening only or normal. If it's silence - the same message couple hundreds times, in normal - different messages are being sent.
When I try to send general commands to it, like ID or anything else - it doesn't respond. Tried different speeds - no luck. Maybe it requires some "wake-up" sequence ?

The ECU is flexray, CAN is only for SBOOT pretty much.
If you want to communicate in normal mode with the ASW or the CBOOT, then you need the gateway.

Thanks ! May you advice any gateway for that ?
PS. So they use the same pins for can and flexray ?

btw, on what speed flexray is working in that ecu ?

What does it matter what speed it is?
You need the GW anyway to wrap and unwrap the data.
For pinout look at wiring diagrams on ISTA and see what is connected to GW.

To communicate via OBD\ENET cable - FEM\BDC module is required. But what about direct connection to CAN bus, pins 41\42, like bench flashers do ?
I clearly can see CAN packets from flasher and dme, but before that flasher sends some non CAN packets data to the line, so maybe someone knows what is that ? Wakeup sequence ? Logic analyzer doesn't recognize them as flexray packets.

What do you want to communicate with?
If SBOOT, then yes you can communicate with it. This is useful only for flashing the ECU, and this is what the "bench flashers" communicate with.
It is available at boot of ECU until the CBOOT has started.

As I said before the CBOOT and ASW do not have any CAN communication on those pins, only through the flexray wrapper, and for that you need GW, yes FEM/BDC provides the GW function.
Same goes for VAG in MQB Evo and MLB Evo.

You want to communicate over UDS right? The CBOOT and the ASW are what implement this, and neither of them gives a fuck about the CAN pins.

I want to communicate with it for flashing\diagnostic purpose.
I think that bench flasher turns ECU to SBOOT using PWM(will verify with analyzer later) or\and specific data on CAN bus.
Yes UDS over CAN(for SBOOT, as you said), at least that is what I see during reading\writing to ECU. I believe ENET will encapsulate UDS into FlexRay.
Another option is to build test environment and use ENET

With BMW MEVD17, ZGW and DME (from different cars) had to have the same VIN (it was done through E-Sys, I don't have a guide) so that UDS on CAN or ethernet with the ZGW would allow a conversation with the DME CBOOT or ASW. Whether this helps in your MG1 quest I do not know.

I don't think you understand what you are talking about whatsoever. Learn what the building blocks of the ECU are.

Diagnostics over CAN are not supported by this ECU (ASW).
OBD flashing is done in CBOOT, this also does not support CAN.
Flashing over CAN is supported only on bench in SBOOT.

There is no CAN tester communication with the ECU outside of SBOOT.

Even if you send CAN frames to the gateway, they get encapsulated into flexray and only then sent to the ECU.
They are not forwarded, the ECU does not listen to CAN at all when it has moved on from SBOOT.

You're trying to run before you learned to walk. I already answered your question in my first reply. It contained everything needed.
Why are you continuing this?
It doesn't matter what you use to talk to GW. ENET or CAN. In the end it's the same. It is converted to flexray encapsulated CAN frames and sent to ECU.
The GW is not optional, there is no "option to build test environment". And if you repeat it another 100x it won't become true. No, it is a requirement to communicate in normal mode.

Same thing, BMW went flexray with F series.

This ECU is new for me, that's why I started this topic. Right now I have ECU on bench and my very first goal is to get boot loader version and ID over the CAN, like flasher does and read backup. So my main question is how to turn ECU into SBOOT mode on bench to talk with it.

I asked few times about data I see before CAN packets on the bus, as well I mentioned about PWM and wakeup sequence. But you didn't replied on any of that.

I don't think only this ECU is new for you.
Nobody is going to tell you how to make a bench loader for MG1.
Sniff a tool and figure it out is your only option.

Btw, the method involves multiple exploits to gain RCE. The SBOOT is RSA protected.

@prj, nice, thank you for the help :D You could let me know that you won't share anything instead of blaming :)

PS. I'm ready to pay for a useful information.

You don't even know what you want.
For what information?
Seems like you don't even know what SBOOT is. You already have your Aurix and SPC5777 custom loader programmed?
Probably not.

All you are making here is hot air.
For solution on silver platter you will probably have to pay 5 digits.

Just so others are on the same page, here's an excerpt from PM:
That's not even how you get full ID on BMW, nor is it applicable in any way to SBOOT.

You talk like you're tough shit, but your level of understanding is below beginner.

You are super arrogant, what I noticed is that you like to say here something like "bla bla bla you don't know even what is SBOOT, CBOOT, ASW bla bla" ... slow down because your chair will blow

But you don't. You do not understand the structure of the ECU, it is clear to anyone that does.

So, more hot air?

"hot air" comes only from you. Pick the medal from box for the most clever person in the universe who knows what SBOOT is :)
PS. Why you are still here ? Trying to assert yourself ?

I am here as long or as little as I want to be.
But you're just a passing phenomenon, like many before and after.

Your level of intelligence can be summed up with one picture:
(https://i.kym-cdn.com/entries/icons/original/000/000/266/no_u_for_knowyourmeme.jpg)

:D

BTW your MSD81 also has SBOOT, CBOOT and ASW.
Just like any other ECU in existence.

Are you sure it goes over CAN? I tried to sniff so called bench mode without any luck. I'm not talking about BMW but in general about all Bosch ECUs.
Have you sniffed it? I will be grateful for a short guide. Because I tried any speed settings and nothing. Could it be ASC?

It's done over the CAN transceiver. Whether it's CAN or some other protocol it's a different story.

So who has any progress outside femto, also anyone play with DAP over CAN Physical Layer (DXCPL) Converter function, i realize its being a debug password/key for PRJ looking to call it a stupid idea.

What is discussed here has nothing to do with femto.

I realize there method isn't this, but unless you have been welcomed you into the office and showed there process, you couldn't say forsure. I do realize that companies solution is something else all together (edited for monetary reasons) but i expect you all will have a smoother solution soon.

actually looks like they use either bootctrl or tsw to flash ECU. Since they never erased ALL sectors of BMW CBoot (0x80028000 - 0x80060000).