Title: Diving into Bosch MG1 ECU
Post by: pego_rus on December 15, 2024, 09:44:23 AM

Hello everyone!

I'm searching for info and some advice about disassembling Bosch MG1 ECU. Now I'm working on Bosch MG1US008 (Chinese cars), Tricore tc277, and searching for non-trivial maps (e.g. charge air cooling pump control). I have no experience in disassembling Bosch ME17/MG1 ECUs, but I have some experience in disassembling old Bosch ME7/9 ECU. Main problem is missing documentation for these new MG1 ECUs. Now I have 2 primary tasks: to find seed-key algorithm and to find map offsets. Where should I start from?

P.S. It's OK if I have to pay for some consultation or ready solution.

Title: Re: Diving into Bosch MG1 ECU
Post by: pego_rus on December 15, 2024, 09:47:40 AM

Original file looks like this in attachment.

Title: Re: Diving into Bosch MG1 ECU
Post by: gt-innovation on December 15, 2024, 11:21:32 AM

> Hello everyone! I'm searching for info and some advice about disassembling Bosch MG1 ECU. Now I'm working on Bosch MG1US008 (Chinese cars), Tricore tc277, and searching for non-trivial maps (e.g. charge air cooling pump control). I have no experience in disassembling Bosch ME17/MG1 ECUs, but I have some experience in disassembling old Bosch ME7/9 ECU. Main problem is missing documentation for these new MG1 ECUs. Now I have 2 primary tasks: to find seed-key algorithm and to find map offsets. Where should I start from? P.S. It's OK if I have to pay for some consultation or ready solution.

MG1 is a much more complex ECU to start with, plus legacy leaked MED17 stuff will help you understand the newer ECUs up to one level. Bad choice to jump into Tricore without playing around with MED17.

Title: Re: Diving into Bosch MG1 ECU
Post by: fastboatster on December 15, 2024, 08:11:13 PM

> Original file looks like this in attachment.

Ghidra seems to disassemble it quite well; can't say that about some PowerPC-based MG1 ECUs. Just load it using TC29x language at 0x80000000 address. You might want to set the a0, a1, a8 and a9 registers; the code dealing with that is at 0x80080a82, though a9's real value is not set there, must be same as MED17 where a9 is a cal table pointer. You have to have at least some map addresses and/or variable addresses, or otherwise it will be very difficult to get anything out of this.

Title: Re: Diving into Bosch MG1 ECU
Post by: pego_rus on December 16, 2024, 04:17:48 AM

> though a9's real value is not set there, must be same as MED17 where a9 is a cal table pointer.

a0, a1, a8 register values successfully found. As regards a9 register, I found some topics about ME17 ECUs with a9 register searching info. As far as I know in ME17 a9 register value should be set with one of another global registers value (+ offset).
I've found some subroutines with a9 register occurrences, but I'm surely missing something.

Code:

> You have to have at least some map addresses and/or variable addresses, or otherwise it will be very difficult to get anything out of this.

I have some map addresses, dug out from WinOLS. Should I try to find out a9 value using map addresses and offsets?

Title: Re: Diving into Bosch MG1 ECU
Post by: fastboatster on December 16, 2024, 12:40:32 PM

> a0, a1, a8 register values successfully found. As regards a9 register, I found some topics about ME17 ECUs with a9 register searching info. As far as I know in ME17 a9 register value should be set with one of another global registers value (+ offset). I've found some subroutines with a9 register occurrences, but I'm surely missing something.

You can, there has to be a long table of pointers with most of the map addresses, you can probably find the pointers to your map there. 0x80245660 looks like the start of that table, i.e., your a9 reg value.

Code:

> I have some map addresses, dug out from WinOLS. Should I try to find out a9 value using map addresses and offsets?

Title: Re: Diving into Bosch MG1 ECU
Post by: pego_rus on December 24, 2024, 01:22:48 PM

After repeating register searching on a few MG1 binaries with the same CPU (I used MG1CS002 binary and a2l for research) I've found some necessary maps and functions using BinDiff. Next step is searching comms stack and seed key algorithm inside my original binary.
I've tried to search some "0x27" and "0x56" occurrences to find any "traces" of seed-key algorithm and found something similar to stack. Moreover, code jumps to some switch-case statements, that I found very promising. But the question stays, what could it actually be? Other reason I found this code interesting is, that there is very similar code snippet in other MG1 binary (although it is 3.0 VAG engine).

Code: LAB_800fa4fc XREF[1]: 800fa2e8(j)

Code: switchD_800fa640::switchD

Title: Re: Diving into Bosch MG1 ECU
Post by: prj on December 24, 2024, 03:31:09 PM

Seed key for what?

For flashing on VAG it's SA2, there are implementations on github and the SA2 string is in every single FRF/ODX. This is manufacturer specific.
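The a9 discussion above (fastboatster's hint that a9 points at a long table of pointers to map addresses, and pego_rus's question about using known WinOLS map addresses to locate it) can be turned into a small scan. The script below is an added example written for this thread, not code posted by any participant and not a Bosch or Ghidra tool. It assumes the image is loaded at 0x80000000 as suggested in the thread, that words are little-endian 32-bit (TriCore byte order), and it runs on a constructed 4 KiB sample image rather than a real MG1 dump; the heuristic is simply "a long run of consecutive words that all point back into the image is a candidate pointer table". The second function answers the offset question: given a candidate a9 and a map address, it returns the byte offset from a9 of the slot holding that pointer, which is the displacement you would expect to see in an `a9`-relative load.

```python
"""
Locate candidate calibration pointer tables (a9 base) in a TriCore flash image.

Added example, not code from the thread. Assumptions: the raw image is loaded
at BASE = 0x80000000 (as suggested in the thread for Ghidra), words are
little-endian 32-bit, and SAMPLE below is a constructed image, not a real dump.
"""
import struct
from typing import List, Tuple

BASE = 0x80000000   # load address used in the thread (assumed for the sample)
WORD = 4


def is_image_pointer(value: int, base: int, size: int) -> bool:
    """True if value lies inside [base, base + size) and is 4-byte aligned."""
    return base <= value < base + size and value % WORD == 0


def find_pointer_tables(image: bytes, base: int = BASE,
                        min_run: int = 16) -> List[Tuple[int, int]]:
    """
    Walk every aligned 32-bit word and collect maximal runs of consecutive
    words that all point into the image. Returns (address, entry_count) for
    each run with at least min_run entries; a long run is a candidate for
    the map pointer table the thread refers to as the a9 value.
    """
    size = len(image)
    nwords = size // WORD
    words = struct.unpack("<%dI" % nwords, image[:nwords * WORD])
    runs: List[Tuple[int, int]] = []
    run_start = None
    count = 0
    for i, w in enumerate(words):
        if is_image_pointer(w, base, size):
            if run_start is None:
                run_start = i
            count += 1
        else:
            if run_start is not None and count >= min_run:
                runs.append((base + run_start * WORD, count))
            run_start, count = None, 0
    if run_start is not None and count >= min_run:
        runs.append((base + run_start * WORD, count))
    return runs


def slot_offset_for_map(image: bytes, table_addr: int, map_addr: int,
                        base: int = BASE) -> int:
    """
    Given a candidate a9 table address and a known map address (e.g. one taken
    from WinOLS), return the byte offset from a9 of the slot that holds that
    map's pointer, or -1 if the run of in-image pointers ends without it.
    """
    size = len(image)
    start = table_addr - base
    off = start
    while off + WORD <= size:
        (w,) = struct.unpack_from("<I", image, off)
        if not is_image_pointer(w, base, size):
            break
        if w == map_addr:
            return off - start
        off += WORD
    return -1


def build_sample_image() -> bytes:
    """
    Constructed sample: 4 KiB of erased flash (0xFF), two lone pointers that
    must not be reported as a table, and one 40-entry pointer table at
    BASE + 0x400 whose entries point at fake "maps" at BASE + 0x800 + 16*k.
    """
    img = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", img, 0x100, BASE + 0x900)   # lone pointer
    struct.pack_into("<I", img, 0x200, BASE + 0x910)   # lone pointer
    for k in range(40):
        struct.pack_into("<I", img, 0x400 + 4 * k, BASE + 0x800 + 16 * k)
    return bytes(img)


SAMPLE = build_sample_image()

if __name__ == "__main__":
    for addr, n in find_pointer_tables(SAMPLE):
        print("candidate a9 table at 0x%08x, %d entries" % (addr, n))
    known_map = BASE + 0x800 + 16 * 7     # constructed "WinOLS" map address
    print("slot offset for map: %d" %
          slot_offset_for_map(SAMPLE, 0x80000400, known_map))
```

On a real image, run `find_pointer_tables` over the whole dump and then check each candidate with `slot_offset_for_map` against two or three map addresses you already trust; a table that resolves all of them is a far stronger a9 candidate than one that resolves none, and the returned offsets are what you would compare against the displacements in the a9-relative loads Ghidra shows.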