NefMoto

Some time back I embarked on a mission to study the Magneti Marelli 1.3 MJD which is in my other car. As I could not find much resources on it I decided to study the MED9 ecu which is based on the same processor mpc5XX and has similarity with ME7 and lot more resources available. So after months of reversing I have now acquired some understanding of the ECU as to how it refers to maps, RAM variables etc. As of now I am writing a routine to switch maps the same way I did for ME7. Also have plans to add other functions. Now my main question is can the NLS/LC be ported for this ECU, if so how will it be different from the one for ME7. I have identified all the required variables. Will it work if I convert the exact code into this ECU. My knowledge is limited to only the ecu and not the car, what other problems are likely...

This will be a great project, I would like to help

My own car I drive is a 2005 golf gti

I have two ecus for the car so it is easy to test code for you

And using BDM to write is easy for me, as well as having OBD2 tools

I also have vagcom VCDS

Let me know if I can help

Thanks very much , I will send you the  files very soon. I am making a map switch to start with. So ones its confirmed my RAM variables are correct , we will proceed with other . ;D.

Also is your car Manual gear.

My car is DSG

I'm working on something similar currently.

My first attempt at ldrxn switch, 5 maps. Switched by brk/acc but not tested. The second map is a valet map. The three ldrxns in stock location is disabled.
If this works then lc/nls will follow. One file is cksmcorrected the other one is not corrected. Hope somebody can test it for me. ;D

Edit: Removed as I found some mistakes.

Nice work.

What chip does the me9 have? Do you still use idapro to disassemble?

mpc5xx (mpc563 i think). yes idapro always

Very nice work indeed! How did you set up your memory regions?

Load the file at 0x400000 and ram from 0x600000 to 0x900000, not accurate but will work.

Also in >options>general>Analysis>processor specific analysis options>
TOC address = 0x5C9FF0
SDA(r13)..... = 0x7FFFF0
Thats the key to finding map references, took me sometime to find it.

I never managed to get the TOC correct before, so this was very nice info. Thanks a lot :)

You are welcome :).

Good info, but I have a question, maybe someone can help:

On ME7 C16x MCUs there is an 32K IROM section, which contains a boot ROM etc.

Is there anything similar on MPC MCUs as used in MED9?
Or is all the code needed for disassembly stored in the external flash?

Thanks!

It depends.

On MED9.1 ( 2.0 TFSI, MPC562 ) everything you need is in da flash !

OK, so ME(D)9, I can see how maps are referenced and also how ram is accessed, that is fairly simple.  What I can't see is how, for example rl_w, is set in ram from it's parent function, there's no code like mov rl_w r4; (like C167).

I'm assuming it's using a stack and I need to read more but any prod in the right direction would be helpful.

:)

Look for sth.

+1 for you my friend, thank you, it was staring me right in the face :)

Is there a particular version of IDApro needed to disassemble the MEd9? I have version 6.2 and its not listing the MPC562 processor.. Excuse my ignorance but is it labelled as something else?

Look for powerpc.

Hey -- i'm JUST getting started with dissasembly.  Can you offer some clarification on the SDA thing and how you found map references?  I found the TOC address setting, but couldn't find SDA in options anywhere?  I can't seem to find any references to maps.

Thanks for any input!
-Jordan

I usually look into damos/a2l file.
For example i took a binary and a2l file from here
http://nefariousmotorsports.com/forum/index.php?topic=467.msg74873#msg74873
(These files came with WinOls in damos folder).
In the file clearly see memory structure, all segments & addresses.
Also if you scroll down the file you will find proper addresses of all variables for the bin.
So I think a2l file is very useful as reference for disassembling.
For example, here is clear description of segment structure, you can make same segments in IDA:
    ECU "MED91"
    /begin MEMORY_SEGMENT Pst20000 "" CODE EPROM EXTERN 0x20000 0x1A0000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x20000 /*mapping_adr:*/0x20000 /*length:*/0x1A0000 /end IF_DATA
    /begin IF_DATA ASAP1B_CCP ADDRESS_MAPPING /*orig_adr:*/0x20000 /*mapping_adr:*/0x20000 /*length:*/0x1A0000 /end IF_DATA
    /begin IF_DATA ASAP1B_KWP2000 ADDRESS_MAPPING /*orig_adr:*/0x20000 /*mapping_adr:*/0x20000 /*length:*/0x1A0000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst1F0000 "" CODE EPROM EXTERN 0x1F0000 0x10000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x1F0000 /*mapping_adr:*/0x1F0000 /*length:*/0x10000 /end IF_DATA
    /begin IF_DATA ASAP1B_CCP ADDRESS_MAPPING /*orig_adr:*/0x1F0000 /*mapping_adr:*/0x1F0000 /*length:*/0x10000 /end IF_DATA
    /begin IF_DATA ASAP1B_KWP2000 ADDRESS_MAPPING /*orig_adr:*/0x1F0000 /*mapping_adr:*/0x1F0000 /*length:*/0x10000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst0 "" CODE EPROM EXTERN 0x0 0x20000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x0 /*mapping_adr:*/0x0 /*length:*/0x20000 /end IF_DATA
    /begin IF_DATA ASAP1B_CCP ADDRESS_MAPPING /*orig_adr:*/0x0 /*mapping_adr:*/0x0 /*length:*/0x20000 /end IF_DATA
    /begin IF_DATA ASAP1B_KWP2000 ADDRESS_MAPPING /*orig_adr:*/0x0 /*mapping_adr:*/0x0 /*length:*/0x20000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Dst1C2000 "" DATA EPROM EXTERN 0x1C2000 0x2E000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x1C2000 /*mapping_adr:*/0x902000 /*length:*/0x2E000 /end IF_DATA
    /begin IF_DATA ASAP1B_CCP ADDRESS_MAPPING /*orig_adr:*/0x1C2000 /*mapping_adr:*/0x5C2000 /*length:*/0x2E000 /end IF_DATA
    /begin IF_DATA ASAP1B_KWP2000 ADDRESS_MAPPING /*orig_adr:*/0x1C2000 /*mapping_adr:*/0x5C2000 /*length:*/0x2E000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT ExtRam900000 "" VARIABLES RAM EXTERN 0x900000 0x2000 -1 -1 -1 -1 -1
        /* AsapMLXFm - CCP_V2_1 */
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x900000 /*mapping_adr:*/0x900000 /*length:*/0x2000 /end IF_DATA
        /* AsapMLXFm - KWP2000 */
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Ram7F8000 "" VARIABLES RAM INTERN 0x7F8000 0x8000 -1 -1 -1 -1 -1
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Ram800000 "" VARIABLES RAM INTERN 0x800000 0x8000 -1 -1 -1 -1 -1
    /end MEMORY_SEGMENT

Yes that's right. I always use a2l files to get info about memory map for IDA )

OK all is clear about RAM ROM settings but how can I find correct TOC and SDA settings ?

I usually do it like that and this serves my purpose..


Step 1 : Open ida and press work on your own
setp 2 : Drag and drop med9.1 binary
step 3 : click select powerpc(ppc) cpu
step 4 : Set button
Step 5 : Click processor options
step 6 : Click and enter toc & Sda Address
    Toc address : 0x5c9ff0
    Sda address : 0x7ffff0
step 7 : Click ok and ok
Step 8 : On the memory organization window insert ram and rom values
    Ram : 0x600000 Size : 0x300000
    Rom : 0x000000 Size : 0x200000
    Loading address : 0x000000 size : 0x200000
Step 9 : Press ok and ok
Step 10: Click on file -> Load file -> load additional binary
Step 11: Insert Load segment : 0x0
      Loading offset : 0x5c0000
      File offset in bytes : 0x1c0000
      Number of bytes : 0x40000
step 12: Click ok & Done

i worte this to send to a friend some time ago so i think it will help anyone who needs to start reversing med9.1

Nice work, remember the SDA/TOC are platform independant

GT-Innovation thanks for a reply . in MED9 is clear ... but take a look on memory organisation in EDC16C35 in BMW ,  addresses of RAM INT are mixed with DATA FLASH . I cannot organise in simple way RAM and ROM :/

 /begin MEMORY_SEGMENT Pst8000 "" CODE FLASH INTERN 0x8000 0xB8000 -1 -1 -1 -1 -1
            ADDRESS_MAPPING
                /* origin addr  */ 0x8000
                /* mapping addr */ 0x8000
                /* length       */ 0xB8000

    /begin MEMORY_SEGMENT Pst100000 "" CODE FLASH INTERN 0x100000 0x100000 -1 -1 -1 -1 -1
 
            ADDRESS_MAPPING
                /* origin addr  */ 0x100000
                /* mapping addr */ 0x100000
                /* length       */ 0x100000

    /begin MEMORY_SEGMENT DstC0000 "" DATA FLASH INTERN 0xC0000 0x3DF78 -1 -1 -1 -1 -1
     
            ADDRESS_MAPPING
                /* origin addr  */ 0xC0000
                /* mapping addr */ 0x8C0000
                /* length       */ 0x3DF78

    /begin MEMORY_SEGMENT DstFDF78 "" RESERVED FLASH INTERN 0xFDF78 0x88 -1 -1 -1 -1 -1

            ADDRESS_MAPPING
                /* origin addr  */ 0xFDF78
                /* mapping addr */ 0x8FDF78
                /* length       */ 0x88
     
    /begin MEMORY_SEGMENT ExtRam8FE000 "" VARIABLES RAM EXTERN 0x8FE000 0x2000 -1 -1 -1 -1 -1
   
            ADDRESS_MAPPING
                /* origin addr  */ 0x8FE000
                /* mapping addr */ 0x8FE000
                /* length       */ 0x2000

    /begin MEMORY_SEGMENT Ram7F8000 "" VARIABLES RAM INTERN 0x7F8000 0x8000 -1 -1 -1 -1 -1
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Ram6F8000 "" VARIABLES RAM INTERN 0x6F8000 0x800 -1 -1 -1 -1 -1
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Ram800000 "" VARIABLES RAM INTERN 0x800000 0x8000 -1 -1 -1 -1 -1
    /end MEMORY_SEGMENT
 

i did not see that you were talking about edc16c35 in the previous posts...Never tried to disassemble this one.But when you cross reference the sections you are interested in with a damos i am sure you will be able to find the correct toc/sda addresses.

R13 - read the cpu book

sorry for the noob question but how will i get back a bin file ?