gt-innovation
« Reply #30 on: February 08, 2022, 07:13:09 AM »
Hi chaps,
Is there an easy way to read (and clone) a Simos18.1 on the bench? What tools are recommended?
I have PCM Flash but S18.1 is not on the supported list.
Thanks
Use the search button and read... 1. Don't spoil threads/posts that have to do with technical stuff without even reading them. 2. PCMflash will soon support most of the Simos variants. 3. If you search and look a bit better you will find a free Python solution to flash Simos ECUs made by "d3irb" and hosted on GitHub. Works on Windows too...
IamwhoIam
« Reply #32 on: July 28, 2022, 06:43:08 AM »
Very nice work! Congrats!
I have no logs because I have a boost gauge (makes things easier)
fastboatster
« Reply #33 on: July 28, 2022, 05:58:17 PM »
Very nice work! Congrats!
Thanks, appreciate the kind words! Wouldn't be able to do it if d3irb hadn't described the Simos18 exploit, though.
terminator
« Reply #34 on: November 10, 2022, 12:12:52 PM »
Could you please share the file (bin or odx) you have been working on, or at least the software ID? Maybe I was inattentive, but I did not find it on the forum.
d3irb
« Reply #35 on: November 10, 2022, 12:40:09 PM »
In the VW_Flash write-ups about CBOOT and patching, the addresses are all from 8V0906259H__0001.frf, for no reason other than this is the file that came on my car. This is an SC8 project, E0 CBOOT, O20 ASW. This should be in the documentation somewhere.
In the Simos18_SBOOT write-ups about SBOOT, the addresses are all from a Simos 18.1 SBOOT/TSW. I think the TSW version identifier for this is REGEE5F401E1_TSW--v10. You need a full read to get SBOOT, of course, since it isn't in the update container.
terminator
« Reply #36 on: November 11, 2022, 06:19:40 AM »
808AWD325xi
« Reply #37 on: February 21, 2024, 05:36:25 PM »
Thank you, d3irb and fastboatster!!
Your findings and knowledge sharing have really helped me to better understand the Siemens MSD81 ECU (TC1796) in my BMW.
So far I can trigger a jump to SBOOT, but have not yet located the RSA private key needed to satisfy the $65 service response. Needless to say, I am way behind you guys.
I compared a SIMOS 8.5 bin with an MSD80 bin and noticed byte-for-byte SBOOT code reuse. That being said, it wouldn't surprise me if commercial exploits that upload code to RAM via SBOOT and dump PFLASH, etc. are reusable between platforms.
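The byte-for-byte comparison described in the post above can be done mechanically rather than by eye. The script below is an added example written for this thread, not code from any of the posters or from VW_Flash. It constructs two small stand-in images inline (labelled as constructed) instead of using real SIMOS or MSD dumps, and it reports shared regions in two ways: runs at the same offset in both images (same memory layout) and runs that appear at different offsets (a reused module linked at a different address). Erased-flash padding (0xFF/0x00) is trimmed from the edges of each run and pure-padding windows are never indexed, so shared padding is not mistaken for shared code.

```python
"""Locate byte-identical regions shared by two firmware images.

Added example for this thread, not code from any poster or from VW_Flash.
The two images at the bottom are constructed stand-ins, not real SIMOS/MSD dumps.
"""
from dataclasses import dataclass

FILL = {0x00, 0xFF}  # erased-flash / zero padding: shared, but not evidence of code reuse


@dataclass
class SharedRun:
    offset_a: int  # start of the run in image A
    offset_b: int  # start of the run in image B
    length: int    # run length in bytes after padding is trimmed from both ends


def _trim(a: bytes, start: int, end: int) -> tuple:
    """Strip leading/trailing fill bytes from a[start:end]; return the new bounds."""
    while start < end and a[start] in FILL:
        start += 1
    while end > start and a[end - 1] in FILL:
        end -= 1
    return start, end


def aligned_runs(a: bytes, b: bytes, min_len: int = 64) -> list:
    """Runs that are identical at the SAME offset in both images."""
    runs, n, i = [], min(len(a), len(b)), 0
    while i < n:
        if a[i] != b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] == b[i]:
            i += 1
        s, e = _trim(a, start, i)
        if e - s >= min_len:
            runs.append(SharedRun(s, s, e - s))
    return runs


def unaligned_runs(a: bytes, b: bytes, window: int = 16, min_len: int = 64) -> list:
    """Runs identical at ANY offset: index every `window`-byte slice of B,
    then extend each hit found in A for as long as the bytes keep matching."""
    index = {}
    for j in range(len(b) - window + 1):
        w = b[j:j + window]
        if len(set(w)) > 1:  # skip pure padding windows (all 0xFF / all 0x00)
            index.setdefault(w, []).append(j)
    runs, i = [], 0
    while i <= len(a) - window:
        best = None  # (offset in B, matched length) of the longest extension
        for j in index.get(a[i:i + window], ()):
            k = window
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            if best is None or k > best[1]:
                best = (j, k)
        if best is None:
            i += 1
            continue
        j, k = best
        s, e = _trim(a, i, i + k)
        if e - s >= min_len:
            runs.append(SharedRun(s, j + (s - i), e - s))
        i += k  # everything up to i+k has been accounted for
    return runs


def shared_fraction(a: bytes, runs: list) -> float:
    """Fraction of image A covered by the reported runs."""
    return sum(r.length for r in runs) / len(a) if a else 0.0


# --- constructed stand-in images (NOT real dumps) ---------------------------
# Two blocks with distinct byte patterns stand in for shared boot code and a
# shared library; the remainder of each image is deliberately different.
SHARED_BOOT = bytes((i * 37 + 11) & 0xFF for i in range(256))
SHARED_LIB = bytes((i * 53 + 7) & 0xFF for i in range(128))
IMAGE_A = SHARED_BOOT + b"\xFF" * 64 + bytes(range(100)) + SHARED_LIB
IMAGE_B = SHARED_BOOT + b"\xFF" * 64 + SHARED_LIB + bytes(200 - x for x in range(100))

if __name__ == "__main__":
    for label, runs in (("aligned", aligned_runs(IMAGE_A, IMAGE_B)),
                        ("unaligned", unaligned_runs(IMAGE_A, IMAGE_B))):
        print(f"{label}:")
        for r in runs:
            print(f"  A+0x{r.offset_a:05X} == B+0x{r.offset_b:05X}  ({r.length} bytes)")
        print(f"  {shared_fraction(IMAGE_A, runs):.1%} of image A")
```

On the constructed images the aligned pass finds only the boot block at offset 0, while the unaligned pass also finds the library block, which sits at 0x1A4 in A and 0x140 in B. The index of every 16-byte window is the memory-hungry part; for multi-megabyte dumps it is still workable, but hashing the windows (or using a larger window) is the first thing to change.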
fastboatster
« Reply #38 on: February 21, 2024, 11:38:23 PM »
Thank you, d3irb and fastboatster!!
Your findings and knowledge sharing have really helped me to better understand the Siemens MSD81 ECU (TC1796) in my BMW.
So far I can trigger a jump to SBOOT, but have not yet located the RSA private key needed to satisfy the $65 service response. Needless to say, I am way behind you guys.
I compared a SIMOS 8.5 bin with an MSD80 bin and noticed byte-for-byte SBOOT code reuse. That being said, it wouldn't surprise me if commercial exploits that upload code to RAM via SBOOT and dump PFLASH, etc. are reusable between platforms.
You know, I was looking at IKMOS MSD81 firmware very recently, too, and noticed a lot of very similar things in general, not just in terms of boot firmware. I haven't looked for an RSA key yet, and haven't tried to put an MSD81/80 into SBOOT mode since I don't have any of these on hand - my guess is it just needs to have PWM voltage applied to some cam sensor or Vanos solenoid pins, right? I sort of put this on the back burner for now since I'm busy with my job search, and just don't feel like working on this DME right now and desoldering and retracing boot pins on the PCB. I might get to it eventually, but by that time, I think you will have figured it out already. I am just lazily looking at e9x MEVD17, but not spending too much time on that, either.
808AWD325xi
« Reply #39 on: February 22, 2024, 12:36:53 AM »
You know, I was looking at IKMOS MSD81 firmware very recently, too, and noticed a lot of very similar things in general, not just in terms of boot firmware. I haven't looked for an RSA key yet, and haven't tried to put an MSD81/80 into SBOOT mode since I don't have any of these on hand - my guess is it just needs to have PWM voltage applied to some cam sensor or Vanos solenoid pins, right? I sort of put this on the back burner for now since I'm busy with my job search, and just don't feel like working on this DME right now and desoldering and retracing boot pins on the PCB. I might get to it eventually, but by that time, I think you will have figured it out already. I am just lazily looking at e9x MEVD17, but not spending too much time on that, either.
I'm sorry to hear that. I wish you the best of luck! I gave up on my job search quite a while ago. You can jump to SBOOT via CAN, no PWM required. I compared an MSD80 dump to the SIMOS 8.5 SBOOT bin you posted in the thread below (example attached): https://nefariousmotorsports.com/forum/index.php?topic=14906.msg153252#msg153252
I ordered a SIMOS 8.4 from eBay to check it out.
prj
« Reply #40 on: February 22, 2024, 01:12:55 AM »
For the Simos8.5/8.4/12/MSD81/MSD85/etc. SBOOT there is an exploit without having to jump into BSL mode to examine memory. This was closed in the newer ECUs.
Since there are a ton of tools that can do it, it is probably easiest to just sniff an existing tool rather than reinvent the wheel.
808AWD325xi
« Reply #41 on: February 22, 2024, 12:21:55 PM »
I came across this KWP2000 reset payload for SIMOS 18 in some ETAS ProF files... "52 73 74 4B". It might be the jump from ASW to SBOOT. The expected response is "44 6F 6E 65".
fastboatster
« Reply #42 on: February 22, 2024, 12:32:34 PM »
For the Simos8.5/8.4/12/MSD81/MSD85/etc. SBOOT there is an exploit without having to jump into BSL mode to examine memory. This was closed in the newer ECUs.
Since there are a ton of tools that can do it, it is probably easiest to just sniff an existing tool rather than reinvent the wheel.
Well, at least for me, this was a moderately difficult but somewhat useful *exercise*. Not too difficult, as the general workflow had been described, but challenging enough for somebody who had never looked into any DME/ECU firmware before. It did provide something I could use as an alternative to some commercial tools. I have a general idea of what's going on with the commercial exploit - i.e., likely something like the Nintendo 3DS bootloader hack. I'm not really inclined to spend more time on this as these are 2 very old and increasingly irrelevant ECU/DMEs, but if there's some low-hanging fruit and some free time then maybe why not - i.e., commercial tool sniff etc. @808AWD325xi - there are no bootloader differences between the 8.5 and 8.4 aside from the RSA keys. When I was saying that MSD is closer to 8.4, I meant to say that both have their EEPROMs on external chips, while 8.5 stores it in the internal DFlash.
K2d33
« Reply #43 on: April 09, 2024, 05:33:46 AM »
I came across this KWP2000 reset payload for SIMOS 18 in some ETAS ProF files... "52 73 74 4B". It might be the jump from ASW to SBOOT. The expected response is "44 6F 6E 65".
In some gearboxes the sequence starts with BC xx xx xx xx ;-)