Pages: [1] 2
Author Topic: Bosch MG1 (bmw) and can bus  (Read 6407 times)
MegaZu
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 10


« on: September 15, 2022, 05:50:31 AM »

Hey guys, I'm trying to talk with mg1 unit on bench, but don't have success with response from it.
After start the ecu sends messages for a few seconds to can bus at 500kbits, after that silence. Messages depend in what mode is my can device - listening only or normal. If it's silence - the same message couple hundreds times, in normal - different messages are being sent.
When I try to send general commands to it, like ID or anything else - it doesn't respond. Tried different speeds - no luck. Maybe it requires some "wake-up" sequence ?
Logged
prj
Hero Member
*****

Karma: +904/-420
Offline Offline

Posts: 5790


« Reply #1 on: September 15, 2022, 06:55:07 AM »

The ECU is flexray, CAN is only for SBOOT pretty much.
If you want to communicate in normal mode with the ASW or the CBOOT, then you need the gateway.
Logged

PM's will not be answered, so don't even try.
Log your car properly.
MegaZu
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 10


« Reply #2 on: September 15, 2022, 08:47:17 AM »

Thanks ! May you advice any gateway for that ?
PS. So they use the same pins for can and flexray ?
Logged
MegaZu
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 10


« Reply #3 on: September 15, 2022, 11:21:45 AM »

btw, on what speed flexray is working in that ecu ?
Logged
prj
Hero Member
*****

Karma: +904/-420
Offline Offline

Posts: 5790


« Reply #4 on: September 15, 2022, 12:35:45 PM »

What does it matter what speed it is?
You need the GW anyway to wrap and unwrap the data.
For pinout look at wiring diagrams on ISTA and see what is connected to GW.
Logged

PM's will not be answered, so don't even try.
Log your car properly.
MegaZu
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 10


« Reply #5 on: September 20, 2022, 01:23:22 AM »

To communicate via OBD\ENET cable - FEM\BDC module is required. But what about direct connection to CAN bus, pins 41\42, like bench flashers do ?
I clearly can see CAN packets from flasher and dme, but before that flasher sends some non CAN packets data to the line, so maybe someone knows what is that ? Wakeup sequence ? Logic analyzer doesn't recognize them as flexray packets.
Logged
prj
Hero Member
*****

Karma: +904/-420
Offline Offline

Posts: 5790


« Reply #6 on: September 20, 2022, 03:32:49 AM »

What do you want to communicate with?
If SBOOT, then yes you can communicate with it. This is useful only for flashing the ECU, and this is what the "bench flashers" communicate with.
It is available at boot of ECU until the CBOOT has started.

As I said before the CBOOT and ASW do not have any CAN communication on those pins, only through the flexray wrapper, and for that you need GW, yes FEM/BDC provides the GW function.
Same goes for VAG in MQB Evo and MLB Evo.

You want to communicate over UDS right? The CBOOT and the ASW are what implement this, and neither of them gives a fuck about the CAN pins.
« Last Edit: September 20, 2022, 03:37:38 AM by prj » Logged

PM's will not be answered, so don't even try.
Log your car properly.
MegaZu
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 10


« Reply #7 on: September 20, 2022, 06:22:44 AM »

I want to communicate with it for flashing\diagnostic purpose.
I think that bench flasher turns ECU to SBOOT using PWM(will verify with analyzer later) or\and specific data on CAN bus.
Yes UDS over CAN(for SBOOT, as you said), at least that is what I see during reading\writing to ECU. I believe ENET will encapsulate UDS into FlexRay.
Another option is to build test environment and use ENET
Logged
jcsbanks
Full Member
***

Karma: +15/-3
Online Online

Posts: 125


« Reply #8 on: September 20, 2022, 08:13:58 AM »

With BMW MEVD17, ZGW and DME (from different cars) had to have the same VIN (it was done through E-Sys, I don't have a guide) so that UDS on CAN or ethernet with the ZGW would allow a conversation with the DME CBOOT or ASW. Whether this helps in your MG1 quest I do not know.
« Last Edit: September 20, 2022, 08:16:08 AM by jcsbanks » Logged
prj
Hero Member
*****

Karma: +904/-420
Offline Offline

Posts: 5790


« Reply #9 on: September 20, 2022, 08:49:15 AM »

I want to communicate with it for flashing\diagnostic purpose.
I think that bench flasher turns ECU to SBOOT using PWM(will verify with analyzer later) or\and specific data on CAN bus.
Yes UDS over CAN(for SBOOT, as you said), at least that is what I see during reading\writing to ECU. I believe ENET will encapsulate UDS into FlexRay.
Another option is to build test environment and use ENET
I don't think you understand what you are talking about whatsoever. Learn what the building blocks of the ECU are.

Diagnostics over CAN are not supported by this ECU (ASW).
OBD flashing is done in CBOOT, this also does not support CAN.
Flashing over CAN is supported only on bench in SBOOT.

There is no CAN tester communication with the ECU outside of SBOOT.

Even if you send CAN frames to the gateway, they get encapsulated into flexray and only then sent to the ECU.
They are not forwarded, the ECU does not listen to CAN at all when it has moved on from SBOOT.

You're trying to run before you learned to walk. I already answered your question in my first reply. It contained everything needed.
Why are you continuing this?
It doesn't matter what you use to talk to GW. ENET or CAN. In the end it's the same. It is converted to flexray encapsulated CAN frames and sent to ECU.
The GW is not optional, there is no "option to build test environment". And if you repeat it another 100x it won't become true. No, it is a requirement to communicate in normal mode.
« Last Edit: September 20, 2022, 09:01:22 AM by prj » Logged

PM's will not be answered, so don't even try.
Log your car properly.
prj
Hero Member
*****

Karma: +904/-420
Offline Offline

Posts: 5790


« Reply #10 on: September 20, 2022, 08:57:48 AM »

With BMW MEVD17, ZGW and DME (from different cars) had to have the same VIN (it was done through E-Sys, I don't have a guide) so that UDS on CAN or ethernet with the ZGW would allow a conversation with the DME CBOOT or ASW. Whether this helps in your MG1 quest I do not know.
Same thing, BMW went flexray with F series.
Logged

PM's will not be answered, so don't even try.
Log your car properly.
MegaZu
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 10


« Reply #11 on: September 20, 2022, 09:07:28 AM »

I don't think you understand what you are talking about whatsoever. Learn what the building blocks of the ECU are.

Diagnostics over CAN are not supported by this ECU (ASW).
OBD flashing is done in CBOOT, this also does not support CAN.
Flashing over CAN is supported only on bench in SBOOT.

There is no CAN tester communication with the ECU outside of SBOOT.

Even if you send CAN frames to the gateway, they get encapsulated into flexray and only then sent to the ECU.
They are not forwarded, the ECU does not listen to CAN at all when it has moved on from SBOOT.

You're trying to run before you learned to walk. I already answered your question in my first reply. It contained everything needed.
Why are you continuing this?
It doesn't matter what you use to talk to GW. ENET or CAN. In the end it's the same. It is converted to flexray encapsulated CAN frames and sent to ECU.


This ECU is new for me, that's why I started this topic. Right now I have ECU on bench and my very first goal is to get boot loader version and ID over the CAN, like flasher does and read backup. So my main question is how to turn ECU into SBOOT mode on bench to talk with it.

I asked few times about data I see before CAN packets on the bus, as well I mentioned about PWM and wakeup sequence. But you didn't replied on any of that.



Logged
prj
Hero Member
*****

Karma: +904/-420
Offline Offline

Posts: 5790


« Reply #12 on: September 20, 2022, 09:11:57 AM »

This ECU is new for me
I don't think only this ECU is new for you.
Quote
Right now I have ECU on bench and my very first goal is to get boot loader version and ID over the CAN, like flasher does and read backup. So my main question is how to turn ECU into SBOOT mode on bench to talk with it.

I asked few times about data I see before CAN packets on the bus, as well I mentioned about PWM and wakeup sequence. But you didn't replied on any of that.
Nobody is going to tell you how to make a bench loader for MG1.
Sniff a tool and figure it out is your only option.

Btw, the method involves multiple exploits to gain RCE. The SBOOT is RSA protected.
Logged

PM's will not be answered, so don't even try.
Log your car properly.
MegaZu
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 10


« Reply #13 on: September 20, 2022, 09:33:56 AM »

@prj, nice, thank you for the help Cheesy You could let me know that you won't share anything instead of blaming Smiley

PS. I'm ready to pay for a useful information.
Logged
prj
Hero Member
*****

Karma: +904/-420
Offline Offline

Posts: 5790


« Reply #14 on: September 20, 2022, 09:56:59 AM »

@prj, nice, thank you for the help Cheesy You could let me know that you won't share anything instead of blaming Smiley
You don't even know what you want.
Quote
PS. I'm ready to pay for a useful information.
For what information?
Seems like you don't even know what SBOOT is. You already have your Aurix and SPC5777 custom loader programmed?
Probably not.

All you are making here is hot air.
For solution on silver platter you will probably have to pay 5 digits.

Just so others are on the same page, here's an excerpt from PM:
Quote
Do you know how to communicate with that ecu ? First of all, I'd like to get ID from it, for that is command 22 f1 01, but I can't send it
That's not even how you get full ID on BMW, nor is it applicable in any way to SBOOT.

You talk like you're tough shit, but your level of understanding is below beginner.
« Last Edit: September 20, 2022, 10:01:37 AM by prj » Logged

PM's will not be answered, so don't even try.
Log your car properly.
Pages: [1] 2
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.094 seconds with 16 queries. (Pretty URLs adds 0s, 0q)