NefMoto

Hi Guys,

I have been working on a pet project to reverse the MSS60/MSS65 Siemens ecu binaries (both have MPC563 inside).

Unfortunately i do not have a2l or functions rahmen for either of them just some partial read ols project for mss65 (ign and inj) that was floating around the net, therefore my information is based on datasheet reading, looking at other peoples partial/full BDM/Obd reads, the stock BMW (0pa/0da) files for mss65 and reducing/deducting with some common sense (might have applied it badly ;) )

According to my research the memory map of mss60/65 should look like this:

MSS65 ignition:

ROM/Flash sections:

• boot: 0-0xffff (has checksum) also seems to have VIN and some other diffs to mss65 injection bootloader
• application code: 0x10000-0x6db8e
• calibration code: 0x70000-0x7ffff (has checksum)
• application code: 0x450000-0x4a5580 (has checksum which covers total application area)

RAM sections:

• BCC_DECRAM: 0x2f8000-0x2f8800
• CALRAM: 0x3f8000-0x400000

I split and combined some binaries and was able to get (almost) a full set imported into Ida, i am however not sure about what section might be missing? It seems other similar ecu's (like msd80) deployed some shadowing of ROM and/or EEPROM in SRAM.  

I followed the following procedure in case anyone would like to replicate:

Step 1 : Open ida and press work on your own
setp 2 : Drag and drop mssXX boot binary -> mss65_ign_boot-0x0-0xffff.bin
step 3 : click select PowerPc big-endian (ppc) cpu
step 4 : Set button
Step 5 : Click processor options
step 6 : Click and enter toc & Sda Address
    Toc address : 0x5c9ff0
    Sda address : 0x7ffff0
    Mmio base: 0x0   
step 7 : Click ok and ok
Step 8 : On the memory organization window insert ram and rom values
    Ram : 0x2f8000 Size : 0x800 (BCC_DECRAM)
    Rom : 0x000000 Size : 0x80000
    Loading address : 0x000000 size : 0x10000
Step 9 : Choose device name: mpc5xx, Press ok and ok
Step 10: Click on file -> Load file -> load additional binary -> mss65_ign_appl-0x10000-0x6db8e.bin
Step 11: Insert Load segment : 0x0 (in paragraphs)
      Loading offset : 0x10000
      File offset in bytes : 0x0
      Number of bytes : 0x0 (max load)
Step 12: Click on file -> Load file -> load additional binary -> mss65_ign_calibr-0x7000-0x7ffff.bin
Step 13: Insert Load segment : 0x0 (in paragraphs)
      Loading offset : 0x70000
      File offset in bytes : 0x0
      Number of bytes : 0x0 (max load)
Step 14: Click on file -> Load file -> load additional binary -> mss65_ign_appl-0x450000-0x4a5580.bin
Step 15: Insert Load segment : 0x45000 (in paragraphs)
      Loading offset : 0x0
      File offset in bytes : 0x0
      Number of bytes : 0x0 (max load)
Step 16: Add another segment RAM (CALRAM):
    Ram : 0x3f8000 - end 0x400000
step 17: Reanalyze program

I have attached my mss65_ign_total_wip.idb hopefully you guys can point out what i have missed.

I am currently unsure about the addresses of:

• Toc address : 0x5c9ff0
• Sda address : 0x7ffff0
• Mmio base: 0x0

I would be very thankful if some Ida master could tell me if i am on the right track or if not educate me (and the group) on how todo it better.
Thanks in advance for any feedback you can provide,

Best regards, Dave

Progress updates from my side, so far so good:

* my spare test ecu mss60 arrived for on bench testing, huuray!
* wrote a program to dump both MPC563 (ignition and injection) processors memories (internal and external flash)
* corrected the memory segments a bit in Ida, located and analyzed all checksum related code and wrote a program to correct those in all sections

Todo:

* disable EWS on the bench ecu to have full functionality
* extend my mss6x flash reader to also be able to write back the changes (without increasing flash counter)
* should be able to solve both after some more code analysis.

Best regards, Dave

Well done, and thanks for sharing!

Thanks!

Some more updates:

* my checksum program was missing RSA/md5 signature correction functionality after some head scratching am now able to verify and correct those.
* untangled the seed/key algorithm, have auth level 3 access for all seeds on both mss60 and mss65.
* updated IDA ppc.cfg with a specific configuration for the mpc563 covering all the peripherals, memory mapped io registers and peripheral ram buffers (in separate sections) also auto adds some common Reset and ISR entry points.

Still working on disabling EWS so i can do some more tests on bench, if anyone has any information on hints on this how to proceed i would be very grateful. Untangled a great deal of the ppc asm but have so far not been able to pinpoint the EWS related bit.

Best regards, Dave

Applause mate, how did you figure out the TOC?  I'll take a look but does R13 stuff line up?

RSA can you expand on that as this will of interest?

Meh can't open IDB, which version do you use?

I'm using some cracked version: Version 6.6.141224 (32-bit) simply cannot afford the real thing, this is merely a hobby for me.

Best regards, Dave

ok you have pm

I don't see any TOC instructions slightly different CPU to MED9/ME9? where is it set?

Edit:  TOC looks messed up

I have not looked into the SDA and TOC setup any more, they are still setup improperly. Any hints from your side on how to set them up ?
Edit: So far have not needed to have them absolutely correct to find all the current references (RAM/ROM).

I think the binary is incomplete as you mentioned.  I'll try and find something.

RE RSA where did you find that about?

Do you mean the RSA signatures blocks themselves or the code the calculate/check (take care it is split over a zillion subroutines) ? It was a lot of work to figure everything out (since i only had the disasm to work with).

The latter, the code, I've been there to lol

PM sent.

I got hold of a bin and believe the TOC to be 0x78280

SDA I think is 0x7FFF8

0x78280, thats strange that would be right in the middle of the calibration data section (that section does not have any program code 0x70000-0x7ffff), it is however referenced as one of the first values from the APP_ENTRY (my label) which is executed after the initial boot and init checks, (through branch to link reg) interesting.

You should see in what I sent maybe offset issue I loaded it @ 0x0 took 20 mins lol

More progress (champagne moment :) ):

* am able to write to changed files back mss6x on bench (without increasing flash counter), should also work with all other modules attached but have so far only tested on bench (i do however disable all other network comms so in theory should work in car also)

Best regards, Dave

NICE

Small update from my side, had some fun decoding the mss60/65 can etc/idle messages and am happy to report i cracked it, tested on bench using the actual actuators (both idle and etc actuators).

Best regards, Dave

Tagging along here. Good emailing with you Dave, I don't know what help I can be, but this platform is pretty much my only focus so happy to help and learn.

Well done Dave :)

Very interesting research. A lot of work done.
I have MPC564. Any ideas how to load it in IDA?
Tried as you described but i did something wrong, since i have only section "ROM" with binary data (no ASM).

I'm trying to follow your amazing path. The MSS65 has 2 mpc563. One at the DME's Large Connector side (injector) and one at the small connector side  (ignition).
For each mpc563 dump there are 2 generated files. I'm trying to map the names of my files to the ones in your post. I'd like to know if my mapping is correct.
Below is what I assumed, corrections are appreciated and welcomed.

mpc563-Large_Connector_Side.bin (size 516Kb)             ---> mss65_ign_boot-0x0-0xffff.bin     
29BDD160GB-Large_Connector_Side.bin (size 2Mb)          ---> mss65_ign_appl-0x10000-0x6db8e.bin

mpc563-Small_Connector_Side.bin (size 516Kb)             ---> mss65_ign_calibr-0x7000-0x7ffff.bin
29BDD160GB-Small_Connector_Side.bin (size 2Mb)          ---> mss65_ign_appl-0x450000-0x4a5580.bin

Am I correct?
I'm also stuck at step 16. How do I add another segment? I see the segments automatically generated on the left side of the screen, yet can't figure out how to add one.

Thank you.

SHIFT+F7 (or view ->open subview-> segments) right-click, add new segment.

Best regards, Dave

Some help to Dave :)

Curious if you two settled on this answer.  I have loaded things up as per Dave's guidance on an mss60 for both inj and ign sides.  My source files were intelhex, converted with hex2bin, chopped into separate files following Dave's method, then loaded into IDA.  Following all that, both the SDA and TOC would be in the calibration area. 

I'm looking for R13 info, but still not exactly sure what I'm looking for aside from first usage?

Picking back up on this now that I have access to IDA for real and PPC disassembler.

I have loaded an mss60 with A2L (please do not ask, can not share this one), an mss65 of two versions and it's starting to make some sense.

My limited knowledge and google-fu leads me to agree that:

TOC= 0x78280
SDA= 0x7fff0