MSS60 Research


  • MpowerE36
    replied
    Everything I am talking about is for the 240E program.

    I find the address of the SK (0x7948) in the 4B0E18 subroutine, and just before and after this instruction the 475334 subroutine is called (picture 1). In this 475334 subroutine there are several references to 2FC800 and 2FC808 (picture 2). So when terra says that after an SK write the injection CPU locked itself, this may be due to this piece of code. I don’t know yet what is done in this subroutine, but I will work on it. Just one other subroutine makes references to 2FC800: the 47549C one (picture 3). It is called in the 4BEAF0 subroutine, but I don’t know yet what they do.

    PS: Does someone know software that can execute PowerPC assembler instruction sets, or know how to execute some pieces of code in IDA Pro? It would help me a lot.

    [Attached images: image_26550.png, image_26551.png, image_26552.png]
    Last edited by MpowerE36; 08-16-2021, 03:43 PM.

  • MpowerE36
    replied
    Originally posted by terra:
    So interestingly, my DME managed to relock itself.

    What I had done: Wrote ignition side's shadow memory to injection side, wrote a "virgin" flash to my DME (blank SK, blank AIF), wrote a new AIF entry with WinKFP, wrote and locked a new SK with tool32. I suspect that last bit triggered a lock routine, but it's hard to say for sure.

    Edit: Pretty sure it's writing (or more likely locking) the SK via tool32 command that locked the CPU. Makes some sense that they'd be delivered to BMW in an unlocked state and only lock themselves after the SK is burned in. With the ability to read full dumps and unlock it doesn't really matter, but I'd say just write the SK at the time of the BDM programming instead of waiting to do it in tool32.
    If the DME succeeds in locking the injection CPU, it means there is a subroutine in the program which can modify the censor bits from 01 to 11. This subroutine seems to be in the SK-writing one. If we succeed in locating it in the program space, would it not be possible to modify the program in order to change the censor bits from 11 to 00 and then 01? Or at least try to understand how the program modifies the censor bits?
    Last edited by MpowerE36; 08-16-2021, 03:38 PM.

  • terra
    replied
    Originally posted by hobbit382:
    terra

    I know you’re super busy lately, but could you make a post with a “how to” on unlocking the censor? I know most of the info has been posted already, but a few things aren’t in great detail. Which version of OCDcommander did you end up using? How do you set the IMMR?
    Also, you mentioned special code to read the registers? I’m sure there are a few other things I missed. I ordered a wiggler in hopes of being able to follow your footsteps 🙏🏻
    Not today, but I'll see if I could write down a concrete set of steps. Last couple times I did it, it took a bit of trial and error.

    Currently don't have my parallel port card in my PC (upgraded video cards and added an extra PCIe SSD, so my PCIe slots aren't as accessible as they were... I'll figure something out)

  • hobbit382
    replied
    terra

    I know you’re super busy lately, but could you make a post with a “how to” on unlocking the censor? I know most of the info has been posted already, but a few things aren’t in great detail. Which version of OCDcommander did you end up using? How do you set the IMMR?
    Also, you mentioned special code to read the registers? I’m sure there are a few other things I missed. I ordered a wiggler in hopes of being able to follow your footsteps 🙏🏻

  • mik325tds
    replied
    Awesome work, guys! What an impressive thread. I really appreciate your research.
    Unfortunately, I managed to corrupt my MSS60 without a prior backup. I do have an EPIC tune original read but I don't know if that would contain the ISN.
    Would any of you who have managed to unlock the BDM be willing to help recover my MSS60?
    If I BDM read the IGN processor at which address would I find the ISN/SK?
    Has anyone gotten a USB Wiggler to work yet or is the parallel port one the one to go for?

  • terra
    replied
    In my case, host is Windows 10 x64, guest is Windows XP x32. Pass the parallel port to the VM. And in the VM bios settings, the parallel port should be set to "output only". 380 KHz seems to work fine for me, but you can slow it down if it's unstable.

    This is the parallel port card I'm using: https://www.amazon.com/gp/product/B0...?ie=UTF8&psc=1 (granted I bought it in 2013, so I have no clue if anything has changed since then)

  • pshoey
    replied
    terra, for the parallel wiggler setup: you use VMware running Windows 7, then pass the parallel port through to the VM? In the debugger, what speed works?

  • terra
    replied
    Of the interfaces they currently sell, the multilink FX, Cyclone LC Universal, and Cyclone FX Universal should support the MPC 5xx/8xx. I have an old cyclone max which also supports the microcontrollers. Cyclone devices are more meant for the production environment / mass programming, but they do function as debuggers too. Cyclone devices include the license for the programming application; for the multilink devices it's a separate purchase.

    This is the thread I made there a while ago - http://www.pemicro.com/forums/forum...._topic_id=7230

    I do have to say, after messing with all this, I totally get why all the manufacturers have switched to Infineon / TriCore. The debugging hardware is built in, you just need any off-the-shelf TTL or CAN interface to talk to and program the device, and you can do debugging over JTAG.

  • pshoey
    replied
    Which specific PEMicro device is required? I'll contact sales @ PEMicro and see if they have anything to say about it. I recall you said you posted on their forum? Any chance you can send the link to your post/thread?

    Already wasted $250 on the USBWiggler it seems - what's another couple of hundred !!

  • terra
    replied
    So for what it's worth, I tested the parallel port interface again and it works fine (need a native or PCI/PCIe parallel port; USB won't work). I suspect the debugger for the PEMicro interfaces would also work and certainly would be more convenient than passing a parallel port into a virtual machine and doing things that way. But I don't really want to spend the $200. The programming / flashing application is advertised to be able to clear the censor, but the function is broken. And PEMicro stopped responding to my support requests.

  • pshoey
    replied
    Originally posted by terra:
    Yeah sorry - master = injection = left.
    This makes sense, as the left side, i.e. master, is the CPU that gets BDM locked!!

    I'll try with my parallel port wiggler again also. Like you, I was assuming USB would be more "reliable" than the parallel port version.

  • terra
    replied
    Yeah sorry - master = injection = left.

    Still not having luck connecting to that CPU. I know it is possible since I did so with the parallel port interface. You'd think a USB interface that retails for $750 would be more reliable lol. My headers are directly soldered. I doubt any of those joints broke over the last year, especially since this DME has been in storage rather than in an actual car.

  • pshoey
    replied
    I'm using pogo pins and not having great luck either. I was thinking I'll try to solder some pins to the pads.

    Master is the right side and slave the left?

  • terra
    replied
    So far no luck on my end with the USBDemon. Though I only tried for a little bit today. Dunno if it's a hardware issue or a Java issue.

    Might try the linux version of OCDCommander, but that looks like a royal pain to setup.

    Edit: Actually I can get it to communicate with the slave. Master errors on reset. I wonder if it's a cable issue? Even on the slave, I'm having to use the lowest speed possible. Maybe I need to build a better adapter for the 2.5 -> 1.27mm spacing.

    Also, I had the wrong command above to reset the watchdog. Try:
    Code:
    reset
    word 0x2FC004 = 0x0000FF80

  • pshoey
    replied
    Nice find, and at a great price (assuming it works!!)

    If you can outline the steps, I'm pretty sure I can put together a program using their interface API to make it easily repeatable.
