pego_rus
« on: December 15, 2024, 09:44:23 AM »
Hello everyone! I'm searching for info and some advice about disassembling the Bosch MG1 ECU. Now I'm working on a Bosch MG1US008 (Chinese cars), TriCore TC277, and searching for non-trivial maps (e.g. charge air cooling pump control). I have no experience in disassembling Bosch ME17/MG1 ECUs, but I have some experience in disassembling the old Bosch ME7/9 ECUs. The main problem is missing documentation for these new MG1 ECUs. Now I have 2 primary tasks: to find the seed-key algorithm and to find map offsets. Where should I start?
P.S. It's OK if I have to pay for some consultation or a ready solution.

pego_rus
« Reply #1 on: December 15, 2024, 09:47:40 AM »
The original file looks like this in the attachment.

gt-innovation
« Reply #2 on: December 15, 2024, 11:21:32 AM »
> [...] Now I have 2 primary tasks: to find the seed-key algorithm and to find map offsets. Where should I start?

MG1 is a much more complex ECU to start with; plus, the legacy leaked MED17 stuff will help you understand the newer ECUs up to one level. Bad choice to jump into TriCore without playing around with MED17.

fastboatster
« Reply #3 on: December 15, 2024, 08:11:13 PM »
> The original file looks like this in the attachment.

Ghidra seems to disassemble it quite well; can't say that about some PowerPC-based MG1 ECUs. Just load it using the TC29x language at address 0x80000000. You might want to set the a0, a1, a8 and a9 registers; the code dealing with that is at 0x80080a82, though a9's real value is not set there. It must be the same as MED17, where a9 is a cal table pointer. You have to have at least some map addresses and/or variable addresses, otherwise it will be very difficult to get anything out of this.

pego_rus
« Reply #4 on: December 16, 2024, 04:17:48 AM »
> though a9's real value is not set there, must be same as MED17 where a9 is a cal table pointer.

a0, a1, a8 register values successfully found. As regards the a9 register, I found some topics about ME17 ECUs with a9 register searching info. As far as I know, in ME17 the a9 register value should be set from one of the other global registers' values (+ offset). I've found some subroutines with a9 register occurrences, but I'm surely missing something.

...
ROM:800850F8                 add16.a   a9, a6
ROM:800850FA                 fret16
...
ROM:80086068 loc_80086068:                          ; DATA XREF: sub_800D47DC+CE↓r
ROM:80086068                                        ; sub_800FEF48+56↓r
ROM:80086068                 sub16.a   sp, #0x45    ; 'E'
ROM:8008606A                 nop16
ROM:8008606C                 mov16.a   a9, d13
ROM:8008606E                 fret16
...
ROM:800943F8 loc_800943F8:                          ; DATA XREF: ROM:801F39C6↓o
ROM:800943F8                                        ; ROM:801F39CC↓o
...
ROM:800943F8                 addsc16.a a15, a9, d15, #0
ROM:800943FA ...
ROM:8009A948 loc_8009A948:                          ; DATA XREF: sub_80231B72+C↓o
ROM:8009A948                                        ; sub_80231B72+1A↓o
...
ROM:8009A948                 mov16     d0, d0
ROM:8009A94A                 nop16
ROM:8009A94C                 mov16.a   a9, d13
ROM:8009A94E                 fret16
...
ROM:8009AFE0                 mov16.a   a9, #0xC
ROM:8009AFE2                 fret16

> You have to have at least some map addresses and/or variable addresses, otherwise it will be very difficult to get anything out of this.

I have some map addresses, dug out from WinOLS. Should I try to find out the a9 value using map addresses and offsets?
« Last Edit: December 16, 2024, 06:07:49 AM by pego_rus »

fastboatster
« Reply #5 on: December 16, 2024, 12:40:32 PM »
> I have some map addresses, dug out from WinOLS. Should I try to find out the a9 value using map addresses and offsets?

You can; there has to be a long table of pointers with most of the map addresses, and you can probably find the pointers to your map there. 0x80245660 looks like the start of that table, i.e. your a9 reg value.
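Added example, not code from the thread or from any of the posters: a small Python scan that does mechanically what fastboatster describes above. It finds every long run of consecutive 32-bit words that point into flash (a compiler-emitted pointer table looks exactly like that), picks the run that contains the most of the map addresses WinOLS gave you, and reports that run's address as the a9 candidate together with each map's a9-relative byte offset. FLASH_SIZE, the sample dump, the two "known" map addresses and the table position inside the sample are all assumptions; on a real dump run it as `python a9scan.py dump.bin 0x... 0x...`.

```python
"""Added example: locate the a9 calibration-pointer table in a TriCore flash dump."""
import struct

FLASH_BASE = 0x80000000   # PFlash load address used in the thread
FLASH_SIZE = 0x00400000   # assumed 4 MiB PFlash; set to the size of the dump in hand


def is_flash_pointer(word, base=FLASH_BASE, size=FLASH_SIZE):
    """True if a 32-bit word points inside the flash image.
    No alignment test: 8-bit maps legitimately sit at odd addresses."""
    return base <= word < base + size


def find_pointer_runs(image, base=FLASH_BASE, size=FLASH_SIZE, min_len=32):
    """Return [(file_offset, n_entries)] for every run of at least min_len
    consecutive little-endian 32-bit words that all point into flash.
    The scan is word-aligned, which is how a compiler lays out a pointer table."""
    n_words = len(image) // 4
    words = struct.unpack("<%dI" % n_words, image[:n_words * 4])
    runs, start = [], None
    for i, w in enumerate(words):
        if is_flash_pointer(w, base, size):
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            runs.append((start * 4, i - start))
        start = None
    if start is not None and n_words - start >= min_len:
        runs.append((start * 4, n_words - start))
    return runs


def candidate_a9(image, known_maps, base=FLASH_BASE, size=FLASH_SIZE, min_len=32):
    """Pick the pointer run that contains the most known map addresses.
    Returns (a9_value, {map_addr: byte_offset_from_a9}); the byte offset is
    what an a9-relative load in the code uses to reach that map."""
    best_addr, best_hits = None, {}
    for off, count in find_pointer_runs(image, base, size, min_len):
        entries = struct.unpack("<%dI" % count, image[off:off + count * 4])
        hits = {m: idx * 4 for idx, m in enumerate(entries) if m in known_maps}
        if len(hits) > len(best_hits):
            best_addr, best_hits = base + off, hits
    return best_addr, best_hits


# Constructed sample dump (not a real ECU file): erased flash, a few code bytes,
# a short decoy run of pointers, and one long pointer table at file offset 0x5660.
SAMPLE_MAP_A = 0x80201234        # assumed "known" map addresses, as WinOLS would give them
SAMPLE_MAP_B = 0x802089AB
SAMPLE_TABLE_OFF = 0x5660


def build_sample_image():
    image = bytearray(b"\xff" * 0x10000)
    image[0x1000:0x1008] = b"\x82\x14\x1d\x00\x84\x00\x3c\x56"   # a few TriCore opcodes
    for i in range(5):                                           # decoy: tiny jump table
        struct.pack_into("<I", image, 0x2000 + 4 * i, FLASH_BASE + 0x1000 + 8 * i)
    for i in range(200):                                         # the real table
        struct.pack_into("<I", image, SAMPLE_TABLE_OFF + 4 * i, FLASH_BASE + 0x8000 + 16 * i)
    struct.pack_into("<I", image, SAMPLE_TABLE_OFF + 4 * 17, SAMPLE_MAP_A)
    struct.pack_into("<I", image, SAMPLE_TABLE_OFF + 4 * 90, SAMPLE_MAP_B)
    return bytes(image)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # python a9scan.py dump.bin 0x80201234 ...
        image = open(sys.argv[1], "rb").read()
        known = {int(a, 16) for a in sys.argv[2:]}
    else:
        image, known = build_sample_image(), {SAMPLE_MAP_A, SAMPLE_MAP_B}
    a9, hits = candidate_a9(image, known)
    print("candidate a9 = %#x" % a9 if a9 else "no pointer table found")
    for addr, off in sorted(hits.items(), key=lambda kv: kv[1]):
        print("  map %#x is [a9]+%#x" % (addr, off))
```

Once the table is known, a map reference in the code shows up as a load with a9 as base register and a 16-bit offset, and offset/4 is the table index, which is how a routine reaches its calibration without embedding the absolute address. One caveat: a real Bosch pointer table may interleave zero entries or RAM pointers (the 0xD000… local data-RAM range on TriCore), which this strict run test would split into several runs; if the expected table comes out fragmented, widen is_flash_pointer to accept those values too.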

pego_rus
« Reply #6 on: Yesterday at 01:22:48 PM »
After repeating the register search on a few MG1 binaries with the same CPU (I used an MG1CS002 binary and A2L for research) I've found some necessary maps and functions using BinDiff. The next step is searching for the comms stack and the seed-key algorithm inside my original binary. I've tried to search for some "0x27" and "0x56" occurrences to find any "traces" of the seed-key algorithm and found something similar to a stack. Moreover, the code jumps to some switch-case statements, which I found very promising. But the question stays: what could it actually be? Another reason I found this code interesting is that there is a very similar code snippet in another MG1 binary (although it is a 3.0 VAG engine).

                     LAB_800fa4fc                  XREF[1]:     800fa2e8(j)
800fa4fc 82 14           mov        d4,#0x1
800fa4fe 1d 00 84 00     j          LAB_800fa606
                     LAB_800fa502                  XREF[1]:     800fa2ec(j)
800fa502 82 24           mov        d4,#0x2
800fa504 1d 00 81 00     j          LAB_800fa606
                     LAB_800fa508                  XREF[2]:     800fa300(j), 800fa304(j)
800fa508 82 04           mov        d4,#0x0
800fa50a 3c 56           j          LAB_800fa5b6
                     LAB_800fa50c                  XREF[1]:     800fa308(j)
800fa50c 3b c0 00 40     mov        d4,#0xc
800fa510 3c 53           j          LAB_800fa5b6
                     LAB_800fa512                  XREF[1]:     800fa30c(j)
800fa512 3b d0 00 40     mov        d4,#0xd
800fa516 3c 50           j          LAB_800fa5b6
...
                     LAB_800fa5a0                  XREF[1]:     800fa3b0(j)
800fa5a0 3b 50 02 40     mov        d4,#0x25
800fa5a4 3c 09           j          LAB_800fa5b6
                     LAB_800fa5a6                  XREF[1]:     800fa3b4(j)
800fa5a6 3b 60 02 40     mov        d4,#0x26
800fa5aa 3c 06           j          LAB_800fa5b6
                     LAB_800fa5ac                  XREF[1]:     800fa3b8(j)
800fa5ac 3b 70 02 40     mov        d4,#0x27
800fa5b0 3c 03           j          LAB_800fa5b6
                     LAB_800fa5b2                  XREF[1]:     800fa3c0(j)
800fa5b2 3b 80 02 40     mov        d4,#0x28

                     switchD_800fa640::switchD
800fa640 dc 0f           ji         a15
800fa642 00 00           nop
                     switchD_800fa640::caseD_13    XREF[1]:     800fa640(j)
800fa644 1d 00 e4 00     j          LAB_800fa80c
                     switchD_800fa640::caseD_14    XREF[1]:     800fa640(j)
800fa648 1d 00 ef 00     j          LAB_800fa826
                     switchD_800fa640::caseD_15    XREF[1]:     800fa640(j)
800fa64c 1d 00 c7 01     j          switchD_800fa640::caseD_72
                     switchD_800fa640::caseD_16    XREF[1]:     800fa640(j)
800fa650 1d 00 c5 01     j          switchD_800fa640::caseD_72
...
                     switchD_800fa640::caseD_7f    XREF[1]:     800fa640(j)
800fa7f4 1d 00 de 00     j          LAB_800fa9b0
                     switchD_800fa640::caseD_80    XREF[1]:     800fa640(j)
800fa7f8 1d 00 dc 00     j          LAB_800fa9b0
                     switchD_800fa640::caseD_81    XREF[1]:     800fa640(j)
800fa7fc 1d 00 ef 00     j          switchD_800fa640::caseD_72
                     switchD_800fa640::caseD_82    XREF[1]:     800fa640(j)
800fa800 1d 00 d8 00     j          LAB_800fa9b0
                     switchD_800fa640::caseD_83    XREF[1]:     800fa640(j)
800fa804 1d 00 d6 00     j          LAB_800fa9b0
                     switchD_800fa640::caseD_84    XREF[1]:     800fa640(j)
800fa808 1d 00 e0 00     j          LAB_800fa9c8

prj
« Reply #7 on: Yesterday at 03:31:09 PM »
Seed key for what?
For flashing on VAG it's SA2; there are implementations on GitHub, and the SA2 string is in every single FRF/ODX. This is manufacturer specific.

pego_rus
« Reply #8 on: Today at 03:46:33 AM »
The reason I search for the seed-key algorithm is the need to protect the tunes I make against being stolen by 'professional tuning companies'. Last year I made some stage 2 tunes for Chinese cars with another ECU, which were later read by other "specialists". Now these tunes are sold as their own without any changes. Moreover, some tunes I make contain non-typical solutions, like charge air cooling map modifications, that I don't want to share involuntarily with big companies who don't want to cooperate and compete with me on the market.
Also, this may sound mercantile, but I don't like to provide competitors with free ready-made solutions. That's the reason I'm willing to pay for a ready OBD-lock solution or for training dedicated to this.

prj
« Reply #9 on: Today at 08:07:07 AM »
Ahh, the XY problem again. Your ECU most likely can always be read on the bench, so changing OBD shit will not accomplish anything, and you can't change the SBOOT because it's protected by the HSM. Duplicate the module table, relocate certain modules in the duplicate table and make the function that loads the module table address dependent on the mcuid. Then salt the function using the mcuid in some sort of calculation. If the calculation is out of bounds, load the original module table (or crash). If the tune is copied as-is, the car will be stock. It's still possible to find the relocated modules though and match them up, then copy the changes. But probably people who can do that will not try to copy your shit. If you want to take it a step further, use the realtime emulation functions to load encrypted data on boot. Probably too much work though.
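Added example, not code from prj or from any real MG1 file: a Python model of the selector prj sketches above. A small slot table holds eight module-table addresses, all pointing at the stock table except one slot that points at the duplicate table with the relocated modules. The slot index is a mixed copy of the chip's unique ID XORed with a salt baked into the file at build time, so on the bound chip the index lands on the tuned slot, while the same file copied to another chip resolves to an effectively random index, which is out of bounds and falls back to stock. All addresses, the slot count, the mixing function, the size of the ID and the sample IDs are assumptions.

```python
"""Added example: model of an MCU-ID-bound module-table selector."""
import struct

MASK32 = 0xFFFFFFFF
STOCK_TABLE = 0x80245000   # hypothetical address of the original module table
TUNED_TABLE = 0x80345000   # hypothetical duplicate table whose relocated modules hold the tune
SLOTS = 8                  # hypothetical slot table: every slot but one points at stock
TUNED_SLOT = 5
SLOT_TABLE = [STOCK_TABLE] * SLOTS
SLOT_TABLE[TUNED_SLOT] = TUNED_TABLE


def fmix32(h):
    """MurmurHash3 32-bit finaliser: a few multiplies and shifts, so the same
    arithmetic can live inline in firmware without any library."""
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def mix_mcuid(mcuid):
    """Fold the chip's unique-ID words (assumed: a multiple of 4 bytes) into one 32-bit value."""
    h = 0x9E3779B9
    for (w,) in struct.iter_unpack("<I", mcuid):
        h = fmix32(h ^ w)
    return h


def bind_salt(mcuid):
    """Build-time step, done once offline: the salt that makes this chip
    (and, in practice, only this chip) resolve to the tuned slot."""
    return mix_mcuid(mcuid) ^ TUNED_SLOT


def select_module_table(mcuid, salt):
    """Boot-time step. On the bound chip the salted index equals TUNED_SLOT; on
    any other chip it is an effectively random 32-bit value, which is out of
    bounds and loads the stock table (prj's alternative is to crash here)."""
    idx = mix_mcuid(mcuid) ^ salt
    if idx >= SLOTS:
        return STOCK_TABLE
    return SLOT_TABLE[idx]


# Constructed sample IDs, not real chip IDs.
BOUND_MCUID = bytes.fromhex("0123456789abcdef0011223344556677")
OTHER_MCUID = bytes.fromhex("fedcba987654321000112233deadbeef")

if __name__ == "__main__":
    salt = bind_salt(BOUND_MCUID)
    print("salt baked into the file: %#010x" % salt)
    print("bound chip loads table %#x" % select_module_table(BOUND_MCUID, salt))
    print("copied file on another chip loads table %#x" % select_module_table(OTHER_MCUID, salt))
```

This only defeats an as-is copy, exactly as prj says: the salt, the mixing arithmetic and the duplicate table all sit in the file, so anyone who finds the selector can recompute the index or patch the branch, and then diff the relocated modules against stock. The model also treats the ID source as a given; which register or fuse area supplies a unique ID, and how many bytes it is, depends on the device and is not something this example establishes.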

pego_rus
« Reply #10 on: Today at 10:43:27 AM »
Thanks! A lot of ideas to think through; I'll try some of this.