Author Topic: Reversing Siemens MSS60/MSS65 Ida Pro  (Read 23988 times)
dream3R
Hero Member
*****

Karma: +18/-8
Offline Offline

Posts: 1194


« Reply #15 on: December 13, 2015, 08:29:14 AM »

SDA I think is 0x7FFF8
Logged



How to work out values from an A2L :)

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting Rev's http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

noobs read this before asking http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORIGINAL finder of the 'extra' torque limits
I don't have ME7.01 A2L I just use ID
Dave205t
Newbie
*

Karma: +3/-0
Offline Offline

Posts: 11


« Reply #16 on: December 13, 2015, 08:57:36 AM »

0x78280, that's strange; that would be right in the middle of the calibration data section (that section does not have any program code, 0x70000-0x7ffff). It is however referenced as one of the first values from the APP_ENTRY (my label), which is executed after the initial boot and init checks (through branch to link reg). Interesting.
« Last Edit: December 13, 2015, 10:53:13 AM by Dave205t » Logged
dream3R
Hero Member
*****

Karma: +18/-8
Offline Offline

Posts: 1194


« Reply #17 on: December 13, 2015, 08:59:44 AM »

You should see in what I sent maybe offset issue I loaded it @ 0x0 took 20 mins lol
Logged



Dave205t
Newbie
*

Karma: +3/-0
Offline Offline

Posts: 11


« Reply #18 on: December 18, 2015, 11:59:51 AM »

More progress (champagne moment :) ):

* am able to write changed files back to mss6x on bench (without increasing flash counter); should also work with all other modules attached but have so far only tested on bench (I do however disable all other network comms, so in theory should work in car also)

Best regards, Dave
Logged
dream3R
Hero Member
*****

Karma: +18/-8
Offline Offline

Posts: 1194


« Reply #19 on: December 19, 2015, 01:28:46 AM »

NICE
Logged



Dave205t
Newbie
*

Karma: +3/-0
Offline Offline

Posts: 11


« Reply #20 on: January 12, 2016, 12:14:51 PM »

Small update from my side: had some fun decoding the MSS60/65 CAN ETC/idle messages and am happy to report I cracked it, tested on bench using the actual actuators (both idle and ETC actuators).

Best regards, Dave
Logged
siado
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 5


« Reply #21 on: January 21, 2016, 10:55:19 AM »

Tagging along here. Good emailing with you Dave, I don't know what help I can be, but this platform is pretty much my only focus so happy to help and learn.
Logged
dream3R
Hero Member
*****

Karma: +18/-8
Offline Offline

Posts: 1194


« Reply #22 on: January 21, 2016, 11:21:06 AM »

Well done Dave :)
Logged



airmax
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 1


« Reply #23 on: February 12, 2016, 10:47:23 AM »

Very interesting research. A lot of work done.
I have MPC564. Any ideas how to load it in IDA?
Tried as you described but I did something wrong, since I have only a section "ROM" with binary data (no ASM).
Logged
demos
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 1


« Reply #24 on: February 17, 2016, 04:23:45 AM »

Hi Guys,

I have been working on a pet project to reverse the MSS60/MSS65 Siemens ECU binaries (both have an MPC563 inside).

Unfortunately I do not have an A2L or Funktionsrahmen for either of them, just some partial-read OLS project for MSS65 (ign and inj) that was floating around the net; therefore my information is based on datasheet reading, looking at other people's partial/full BDM/OBD reads, the stock BMW (0pa/0da) files for MSS65 and reducing/deducting with some common sense (might have applied it badly ;) )

According to my research the memory map of mss60/65 should look like this:

MSS65 ignition:


ROM/Flash sections:
  • boot: 0-0xffff (has checksum) also seems to have VIN and some other diffs to mss65 injection bootloader
  • application code: 0x10000-0x6db8e
  • calibration code: 0x70000-0x7ffff (has checksum)
  • application code: 0x450000-0x4a5580 (has checksum which covers total application area)

RAM sections:
  • BCC_DECRAM: 0x2f8000-0x2f8800
  • CALRAM: 0x3f8000-0x400000

I split and combined some binaries and was able to get (almost) a full set imported into IDA; I am however not sure about what section might be missing. It seems other similar ECUs (like MSD80) deployed some shadowing of ROM and/or EEPROM in SRAM.

I followed the following procedure in case anyone would like to replicate:

Step 1: Open IDA and press "work on your own"
Step 2: Drag and drop the mssXX boot binary -> mss65_ign_boot-0x0-0xffff.bin
Step 3: Select the PowerPC big-endian (ppc) CPU
Step 4: Press the Set button
Step 5: Click processor options
Step 6: Click and enter the TOC & SDA address
    TOC address: 0x5c9ff0
    SDA address: 0x7ffff0
    MMIO base: 0x0
Step 7: Click OK and OK
Step 8: In the memory organization window insert the RAM and ROM values
    RAM: 0x2f8000 Size: 0x800 (BCC_DECRAM)
    ROM: 0x000000 Size: 0x80000
    Loading address: 0x000000 Size: 0x10000
Step 9: Choose device name: mpc5xx, press OK and OK
Step 10: Click on File -> Load file -> Load additional binary -> mss65_ign_appl-0x10000-0x6db8e.bin
Step 11: Insert Load segment: 0x0 (in paragraphs)
    Loading offset: 0x10000
    File offset in bytes: 0x0
    Number of bytes: 0x0 (max load)
Step 12: Click on File -> Load file -> Load additional binary -> mss65_ign_calibr-0x7000-0x7ffff.bin
Step 13: Insert Load segment: 0x0 (in paragraphs)
    Loading offset: 0x70000
    File offset in bytes: 0x0
    Number of bytes: 0x0 (max load)
Step 14: Click on File -> Load file -> Load additional binary -> mss65_ign_appl-0x450000-0x4a5580.bin
Step 15: Insert Load segment: 0x45000 (in paragraphs)
    Loading offset: 0x0
    File offset in bytes: 0x0
    Number of bytes: 0x0 (max load)
Step 16: Add another segment RAM (CALRAM):
    RAM: 0x3f8000 - end 0x400000
Step 17: Reanalyze program

I have attached my mss65_ign_total_wip.idb hopefully you guys can point out what i have missed.

I am currently unsure about the addresses of:
  • TOC address: 0x5c9ff0
  • SDA address: 0x7ffff0
  • MMIO base: 0x0

I would be very thankful if some IDA master could tell me if I am on the right track or, if not, educate me (and the group) on how to do it better.
Thanks in advance for any feedback you can provide,

Best regards, Dave


I'm trying to follow your amazing path. The MSS65 has 2 MPC563s: one at the DME's large connector side (injector) and one at the small connector side (ignition).
For each MPC563 dump there are 2 generated files. I'm trying to map the names of my files to the ones in your post. I'd like to know if my mapping is correct.
Below is what I assumed; corrections are appreciated and welcomed.

mpc563-Large_Connector_Side.bin (size 516Kb)     ---> mss65_ign_boot-0x0-0xffff.bin
29BDD160GB-Large_Connector_Side.bin (size 2Mb)   ---> mss65_ign_appl-0x10000-0x6db8e.bin

mpc563-Small_Connector_Side.bin (size 516Kb)     ---> mss65_ign_calibr-0x7000-0x7ffff.bin
29BDD160GB-Small_Connector_Side.bin (size 2Mb)   ---> mss65_ign_appl-0x450000-0x4a5580.bin

Am I correct?
I'm also stuck at step 16. How do I add another segment? I see the segments automatically generated on the left side of the screen, yet can't figure out how to add one.

Thank you.
Logged
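The loading procedure quoted above repeatedly slices one dump into per-region files and then hands IDA a "load segment (in paragraphs)" plus "loading offset" pair for each. Below is an added example, not code from Dave or anyone in this thread, that does that bookkeeping from his ignition-side memory map: it checks the regions for overlap, reports any flash range the map leaves unmapped, slices a full image into the named files, and computes the paragraph/offset pair for each. Assumptions: Dave's ranges are taken as inclusive (as the boot and calibration ranges clearly are), the calibration file name is spelled with the full 0x70000 start, and the external flash read is assumed to sit at 0x400000 (consistent with an application block at 0x450000, but not stated in the thread). The image bytes are constructed stand-ins, not ECU data.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str    # file name the loading procedure uses for this region
    start: int   # first flash address covered
    last: int    # last flash address covered (inclusive, as in Dave's ranges)


# Dave's MSS65 ignition-side map. The calibration name is written with the
# full 0x70000 start here (the post's "0x7000" looks like a dropped digit).
REGIONS = [
    Region("mss65_ign_boot-0x0-0xffff.bin",        0x000000, 0x00FFFF),
    Region("mss65_ign_appl-0x10000-0x6db8e.bin",   0x010000, 0x06DB8E),
    Region("mss65_ign_calibr-0x70000-0x7ffff.bin", 0x070000, 0x07FFFF),
    Region("mss65_ign_appl-0x450000-0x4a5580.bin", 0x450000, 0x4A5580),
]


def check_regions(regions):
    """Reject empty or overlapping regions; return them sorted by start address."""
    ordered = sorted(regions, key=lambda r: r.start)
    for r in ordered:
        if r.last < r.start:
            raise ValueError(f"{r.name}: empty range")
    for a, b in zip(ordered, ordered[1:]):
        if b.start <= a.last:
            raise ValueError(f"{a.name} overlaps {b.name}")
    return ordered


def coverage_gaps(regions, lo, hi):
    """[start, end) address ranges inside [lo, hi) that no region covers."""
    gaps, cursor = [], lo
    for r in check_regions(regions):
        r_end = r.last + 1
        if r_end <= lo or r.start >= hi:
            continue
        if r.start > cursor:
            gaps.append((cursor, r.start))
        cursor = max(cursor, r_end)
    if cursor < hi:
        gaps.append((cursor, hi))
    return gaps


def split_image(image, image_base, regions):
    """Slice out every region that lies entirely inside image (bytes loaded at image_base)."""
    pieces = {}
    for r in check_regions(regions):
        lo, hi = r.start - image_base, r.last + 1 - image_base
        if lo < 0 or hi > len(image):
            continue  # region belongs to a different device or dump
        pieces[r.name] = image[lo:hi]
    return pieces


def ida_load_params(start):
    """(load segment in paragraphs, loading offset) with seg * 16 + offset == start."""
    return start >> 4, start & 0xF


def write_pieces(pieces, out_dir):
    """Write each slice to out_dir under the region's file name."""
    for name, data in pieces.items():
        with open(os.path.join(out_dir, name), "wb") as f:
            f.write(data)


if __name__ == "__main__":
    # Constructed stand-ins: a 512 KB internal flash image at 0 and a 2 MB
    # external flash image assumed to map at 0x400000. Not real ECU data.
    internal = bytes(range(256)) * (0x80000 // 256)
    external = bytes(range(256)) * (0x200000 // 256)
    pieces = split_image(internal, 0x000000, REGIONS)
    pieces.update(split_image(external, 0x400000, REGIONS))
    for name, data in pieces.items():
        print(f"{name}: {len(data):#x} bytes")
    for lo, hi in coverage_gaps(REGIONS, 0, 0x80000):
        print(f"unmapped in internal flash: {lo:#x}-{hi - 1:#x}")
    for r in REGIONS:
        seg, off = ida_load_params(r.start)
        print(f"{r.name}: load segment {seg:#x} (paragraphs), loading offset {off:#x}")
```

The gap report is the useful part: with Dave's ranges it shows 0x6db8f-0x6ffff of the internal flash is not covered by any file, which is the kind of region his post asks about. The paragraph/offset pairs are one valid choice; Dave's steps 11 and 13 use segment 0x0 with the full address as the loading offset, which lands the bytes at the same place.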
Dave205t
Newbie
*

Karma: +3/-0
Offline Offline

Posts: 11


« Reply #25 on: February 18, 2016, 08:59:21 AM »

I'm also stuck at step 16. How do I add another segment? I see the segments automatically generated on the left side of the screen, yet can't figure out how to add one.
SHIFT+F7 (or View -> Open subview -> Segments), right-click, Add new segment.

Best regards, Dave
Logged
marrakech
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 30


« Reply #26 on: October 22, 2016, 02:34:03 AM »

Some help to Dave :)

Code:
ECU "MSS65-INJ" 
   /begin MEMORY_SEGMENT CODESEG1
    "Program"
    CODE FLASH INTERN 0x10000 0x60000 -1 -1 -1 -1 -1
   /end MEMORY_SEGMENT
   /begin MEMORY_SEGMENT CODESEG2
    "Program"
    CODE FLASH EXTERN 0x450000 0x1B0000 -1 -1 -1 -1 -1
   /end MEMORY_SEGMENT
   /begin MEMORY_SEGMENT DATASEG1
    "Appl.-DATA"
    DATA FLASH INTERN 0x70000 0x10000 -1 -1 -1 -1 -1
   /end MEMORY_SEGMENT
   /begin MEMORY_SEGMENT VARSEG
    "Variablen"
    VARIABLES RAM INTERN 0x3F8000 0x8000 -1 -1 -1 -1 -1
   /end MEMORY_SEGMENT
   /begin CALIBRATION_METHOD  DSERAP 1
    /begin CALIBRATION_HANDLE
     458752 65532
     
    /end CALIBRATION_HANDLE
   /end CALIBRATION_METHOD
  /end MOD_PAR
Logged
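The A2L fragment above encodes the same layout Dave derived by hand, in ASAM MEMORY_SEGMENT records (name, description, program type, memory type, INTERN/EXTERN, address, size, five offsets) plus a CALIBRATION_HANDLE whose values are written in decimal. The script below is an added example, not from marrakech or the thread, and not a general A2L parser: a minimal regex reader for exactly these records that turns them into the start/end/class rows IDA's "add new segment" dialog wants (step 16) and checks which of Dave's ignition-side ranges each segment covers. The fragment is embedded so the script runs offline; note its ECU line says MSS65-INJ, the injection side, so the cross-check against the ignition-side map is an assumption that both sides share the layout, as siado reports for the MSS60.

```python
import re
from dataclasses import dataclass

# Copy of the MEMORY_SEGMENT / CALIBRATION_HANDLE records posted in the thread.
A2L_FRAGMENT = """
ECU "MSS65-INJ"
   /begin MEMORY_SEGMENT CODESEG1
    "Program"
    CODE FLASH INTERN 0x10000 0x60000 -1 -1 -1 -1 -1
   /end MEMORY_SEGMENT
   /begin MEMORY_SEGMENT CODESEG2
    "Program"
    CODE FLASH EXTERN 0x450000 0x1B0000 -1 -1 -1 -1 -1
   /end MEMORY_SEGMENT
   /begin MEMORY_SEGMENT DATASEG1
    "Appl.-DATA"
    DATA FLASH INTERN 0x70000 0x10000 -1 -1 -1 -1 -1
   /end MEMORY_SEGMENT
   /begin MEMORY_SEGMENT VARSEG
    "Variablen"
    VARIABLES RAM INTERN 0x3F8000 0x8000 -1 -1 -1 -1 -1
   /end MEMORY_SEGMENT
   /begin CALIBRATION_METHOD  DSERAP 1
    /begin CALIBRATION_HANDLE
     458752 65532
    /end CALIBRATION_HANDLE
   /end CALIBRATION_METHOD
"""


@dataclass(frozen=True)
class MemorySegment:
    name: str
    description: str
    prg_type: str    # CODE, DATA, VARIABLES, ...
    mem_type: str    # FLASH, RAM, ...
    attribute: str   # INTERN or EXTERN
    address: int
    size: int

    @property
    def end(self) -> int:
        """One past the last address of the segment."""
        return self.address + self.size


# name, "long identifier", PrgType, MemoryType, Attribute, Address, Size, five offsets
SEG_RE = re.compile(
    r'/begin\s+MEMORY_SEGMENT\s+(\w+)\s+"([^"]*)"\s+(\w+)\s+(\w+)\s+(\w+)\s+'
    r'(\S+)\s+(\S+)(?:\s+-?\d+){5}\s+/end\s+MEMORY_SEGMENT')
HANDLE_RE = re.compile(
    r'/begin\s+CALIBRATION_HANDLE\s+((?:\d+\s+)+)/end\s+CALIBRATION_HANDLE')


def parse_memory_segments(text):
    """All MEMORY_SEGMENT records in text, in file order."""
    return [MemorySegment(m.group(1), m.group(2), m.group(3), m.group(4), m.group(5),
                          int(m.group(6), 0), int(m.group(7), 0))
            for m in SEG_RE.finditer(text)]


def parse_calibration_handles(text):
    """CALIBRATION_HANDLE values (decimal in the file) as lists of ints."""
    return [[int(v) for v in m.group(1).split()] for m in HANDLE_RE.finditer(text)]


def segment_containing(segments, start, last):
    """Name of the segment that fully covers the inclusive range start..last, or None."""
    for s in segments:
        if s.address <= start and last < s.end:
            return s.name
    return None


def ida_segment_table(segments):
    """(name, start, end, class) rows for IDA's 'add new segment' dialog."""
    return [(s.name, s.address, s.end, "CODE" if s.prg_type == "CODE" else "DATA")
            for s in segments]


if __name__ == "__main__":
    segs = parse_memory_segments(A2L_FRAGMENT)
    for name, start, end, cls in ida_segment_table(segs):
        print(f"{name:9s} {cls:4s} {start:#08x}-{end - 1:#08x}")
    for handle in parse_calibration_handles(A2L_FRAGMENT):
        print("calibration handle:", " ".join(f"{v:#x}" for v in handle))
    # Dave's hand-derived ignition-side ranges (inclusive) against the A2L segments.
    for label, start, last in [("boot", 0x0, 0xFFFF), ("application", 0x10000, 0x6DB8E),
                               ("calibration", 0x70000, 0x7FFFF),
                               ("application (ext)", 0x450000, 0x4A5580),
                               ("CALRAM", 0x3F8000, 0x3FFFFF)]:
        print(f"{label}: covered by {segment_containing(segs, start, last)}")
```

Two things fall out of the parse: the calibration handle 458752 65532 is 0x70000 and 0xFFFC, i.e. the DATASEG1 calibration block with its last four bytes excluded (where a checksum would plausibly sit, though the A2L does not say so), and the A2L has no segment for 0x0-0xffff, so the boot block Dave loads first is outside what the calibration tool describes.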
siado
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 5


« Reply #27 on: January 07, 2017, 05:59:16 PM »

You should see in what I sent maybe offset issue I loaded it @ 0x0 took 20 mins lol

Curious if you two settled on this answer. I have loaded things up as per Dave's guidance on an MSS60 for both inj and ign sides. My source files were Intel HEX, converted with hex2bin, chopped into separate files following Dave's method, then loaded into IDA. Following all that, both the SDA and TOC would be in the calibration area.

I'm looking for R13 info, but still not exactly sure what I'm looking for aside from first usage?
Logged
siado
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 5


« Reply #28 on: November 24, 2017, 07:02:17 PM »

Picking back up on this now that I have access to IDA for real and PPC disassembler.

I have loaded an MSS60 with A2L (please do not ask, cannot share this one) and an MSS65 of two versions, and it's starting to make some sense.

My limited knowledge and google-fu leads me to agree that:

TOC= 0x78280
SDA= 0x7fff0
Logged