Topic: Diving into Bosch MG1 ECU
pego_rus
« on: December 15, 2024, 09:44:23 AM »

Hello everyone!
I'm searching for info and some advice about disassembling the Bosch MG1 ECU. Right now I'm working on a Bosch MG1US008 (Chinese cars), TriCore TC277, and searching for non-trivial maps (e.g. charge air cooling pump control). I have no experience in disassembling Bosch ME17/MG1 ECUs, but I have some experience disassembling the old Bosch ME7/9 ECUs. The main problem is the missing documentation for these new MG1 ECUs.
Now I have 2 primary tasks: to find the seed-key algorithm and to find the map offsets.
Where should I start?

P.S. It's OK if I have to pay for some consultation or a ready solution.
pego_rus
« Reply #1 on: December 15, 2024, 09:47:40 AM »

The original file looks like this (see attachment).
gt-innovation
« Reply #2 on: December 15, 2024, 11:21:32 AM »

Quote from: pego_rus on December 15, 2024, 09:44:23 AM
Hello everyone!
I'm searching for info and some advice about disassembling the Bosch MG1 ECU. Right now I'm working on a Bosch MG1US008 (Chinese cars), TriCore TC277, and searching for non-trivial maps (e.g. charge air cooling pump control). I have no experience in disassembling Bosch ME17/MG1 ECUs, but I have some experience disassembling the old Bosch ME7/9 ECUs. The main problem is the missing documentation for these new MG1 ECUs.
Now I have 2 primary tasks: to find the seed-key algorithm and to find the map offsets.
Where should I start?

P.S. It's OK if I have to pay for some consultation or a ready solution.

MG1 is a much more complex ECU to start with; plus, the legacy leaked MED17 stuff will help you understand the newer ECUs up to one level. Bad choice to jump into TriCore without playing around with MED17.
fastboatster
« Reply #3 on: December 15, 2024, 08:11:13 PM »

Quote from: pego_rus on December 15, 2024, 09:47:40 AM
The original file looks like this (see attachment).

Ghidra seems to disassemble it quite well; can't say that about some PowerPC-based MG1 ECUs. Just load it using the TC29x language at address 0x80000000.
You might want to set the a0, a1, a8 and a9 registers; the code dealing with that is at 0x80080a82, though a9's real value is not set there. It must be the same as MED17, where a9 is a cal table pointer.
You have to have at least some map addresses and/or variable addresses, otherwise it will be very difficult to get anything out of this.
pego_rus
« Reply #4 on: December 16, 2024, 04:17:48 AM »

Quote from: fastboatster on December 15, 2024, 08:11:13 PM
though a9's real value is not set there. It must be the same as MED17, where a9 is a cal table pointer.

The a0, a1 and a8 register values were successfully found. As regards the a9 register, I found some topics about ME17 ECUs with info on searching for the a9 register value. As far as I know, in ME17 the a9 register value should be set from one of the other global registers' values (+ offset). I've found some subroutines with a9 register occurrences, but I'm surely missing something.

Code:
 
...
ROM:800850F8                 add16.a         a9, a6
ROM:800850FA                 fret16
...
ROM:80086068 loc_80086068:                           ; DATA XREF: sub_800D47DC+CE↓r
ROM:80086068                                         ; sub_800FEF48+56↓r
ROM:80086068                 sub16.a         sp, #0x45 ; 'E'
ROM:8008606A                 nop16
ROM:8008606C                 mov16.a         a9, d13
ROM:8008606E                 fret16
...
ROM:800943F8 loc_800943F8:                           ; DATA XREF: ROM:801F39C6↓o
ROM:800943F8                                         ; ROM:801F39CC↓o ...
ROM:800943F8                 addsc16.a       a15, a9, d15, #0
ROM:800943FA 
...
ROM:8009A948 loc_8009A948:                           ; DATA XREF: sub_80231B72+C↓o
ROM:8009A948                                         ; sub_80231B72+1A↓o ...
ROM:8009A948                 mov16           d0, d0
ROM:8009A94A                 nop16
ROM:8009A94C                 mov16.a         a9, d13
ROM:8009A94E                 fret16
...
ROM:8009AFE0                 mov16.a         a9, #0xC
ROM:8009AFE2                 fret16

Quote from: fastboatster on December 15, 2024, 08:11:13 PM
You have to have at least some map addresses and/or variable addresses, otherwise it will be very difficult to get anything out of this.

I have some map addresses, dug out from WinOLS. Should I try to find the a9 value using the map addresses and offsets?
« Last Edit: December 16, 2024, 06:07:49 AM by pego_rus »
fastboatster
« Reply #5 on: December 16, 2024, 12:40:32 PM »

Quote from: pego_rus on December 16, 2024, 04:17:48 AM
The a0, a1 and a8 register values were successfully found. As regards the a9 register, I found some topics about ME17 ECUs with info on searching for the a9 register value. As far as I know, in ME17 the a9 register value should be set from one of the other global registers' values (+ offset). I've found some subroutines with a9 register occurrences, but I'm surely missing something.

I have some map addresses, dug out from WinOLS. Should I try to find the a9 value using the map addresses and offsets?

You can; there has to be a long table of pointers with most of the map addresses, and you can probably find the pointers to your map there. 0x80245660 looks like the start of that table, i.e. your a9 register value.
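The heuristic the last two replies describe (a9 points at a long table of 32-bit pointers to the calibration maps, and known map addresses should show up as entries in it) can be turned into a scanner. The script below is an added example written for this page; it is not from the thread, from Bosch, or from Ghidra. It assumes the dump is the raw PFLASH image loaded at 0x80000000, as in the Ghidra setup above, and that PFLASH is 4 MiB (TC277); both are assumptions. The sample image it scans is constructed inline for the demo, not an MG1US008 dump, and the offsets it reports are the displacements an `[a9]off` load would carry in the disassembly (the `addsc16.a a15, a9, d15, #0` form in the listing computes a15 = a9 + d15, so d15 is such a byte offset).

```python
"""
Candidate-a9 finder for a Bosch MG1 (TriCore) flash dump.

Heuristic from the thread: the firmware carries a long table of 32-bit
little-endian pointers to calibration maps, a9 points at its start, and code
reaches a map as a9 + offset.  We scan for runs of consecutive words that all
look like PFLASH addresses and rank each run by how many known map addresses
(e.g. from WinOLS) it contains.

Assumptions (mine, not from the thread): raw PFLASH image loaded at
0x80000000, 4 MiB PFLASH (TC277).  The sample image is constructed for the
demo and is not a real MG1US008 dump.
"""
import struct

PFLASH_BASE = 0x80000000            # load address used in Ghidra
PFLASH_SIZE = 0x00400000            # 4 MiB PFLASH on the TC277 (assumption)
PFLASH_END = PFLASH_BASE + PFLASH_SIZE


def is_pflash_pointer(word):
    """True if a 32-bit word would be a valid address inside program flash."""
    return PFLASH_BASE <= word < PFLASH_END


def find_pointer_tables(image, base=PFLASH_BASE, min_run=32):
    """Return [(table_addr, entry_count)] for every run of at least min_run
    consecutive word-aligned little-endian words that are all PFLASH pointers.
    Erased flash (0xFFFFFFFF), code and scalar data break a run, so a long
    run is very likely a pointer table."""
    tables = []
    run_start = None
    n_words = len(image) // 4
    for i in range(n_words + 1):        # one extra step flushes a trailing run
        in_run = i < n_words and is_pflash_pointer(
            struct.unpack_from("<I", image, i * 4)[0])
        if in_run and run_start is None:
            run_start = i
        elif not in_run and run_start is not None:
            if i - run_start >= min_run:
                tables.append((base + run_start * 4, i - run_start))
            run_start = None
    return tables


def table_entries(image, table_addr, count, base=PFLASH_BASE):
    """Read `count` pointers starting at flash address table_addr."""
    return list(struct.unpack_from("<%dI" % count, image, table_addr - base))


def known_map_offsets(image, table_addr, count, known_maps, base=PFLASH_BASE):
    """Map each known map address found in the table to its a9-relative byte
    offset, i.e. the displacement you would see in an [a9]off load."""
    entries = table_entries(image, table_addr, count, base)
    return {addr: entries.index(addr) * 4 for addr in known_maps if addr in entries}


def best_a9_candidate(image, known_maps, base=PFLASH_BASE, min_run=32):
    """Pick the pointer table containing the most known map addresses
    (ties broken by length).  Returns (table_addr, entry_count,
    {map_addr: a9_offset}) or None if no table was found."""
    best = None
    for table_addr, count in find_pointer_tables(image, base, min_run):
        hits = known_map_offsets(image, table_addr, count, known_maps, base)
        key = (len(hits), count)
        if best is None or key > best[0]:
            best = (key, table_addr, count, hits)
    return None if best is None else best[1:]


def build_sample_image():
    """Constructed 128 KiB test image: erased flash, a 5-word decoy run that
    must not be reported, and a 64-entry pointer table at offset 0x5660 whose
    entries point at fake maps laid out 0x40 bytes apart from 0x80010000."""
    image = bytearray(b"\xff" * 0x20000)
    decoy = [PFLASH_BASE + 0x2000 + 8 * k for k in range(5)]
    struct.pack_into("<5I", image, 0x1000, *decoy)
    map_addrs = [PFLASH_BASE + 0x10000 + 0x40 * k for k in range(64)]
    struct.pack_into("<64I", image, 0x5660, *map_addrs)
    return bytes(image), map_addrs


if __name__ == "__main__":
    img, maps = build_sample_image()
    # pretend WinOLS gave us two of the maps plus one address not in the table
    winols_maps = [maps[3], maps[10], PFLASH_BASE + 0x30000]
    print("pointer tables:", [(hex(a), n) for a, n in find_pointer_tables(img)])
    table_addr, count, hits = best_a9_candidate(img, winols_maps)
    print("a9 candidate: %#x (%d entries)" % (table_addr, count))
    for addr, off in hits.items():
        print("  map %#x reached as [a9]%#x" % (addr, off))
```

On a real dump, pass the whole PFLASH image and the map addresses WinOLS found; with a9 set to the reported table address in Ghidra, the `[a9]off` loads resolve to those maps. One caveat: a long run of in-range pointers can also be a function-pointer or jump table, so before committing to a candidate check that its entries land in the calibration area rather than in code.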