MSS60 Research
    #91
    Of the interfaces they currently sell, the multilink FX, Cyclone LC Universal, and Cyclone FX Universal should support the MPC 5xx/8xx. I have an old cyclone max which also supports the microcontrollers. Cyclone devices are more meant for the production environment / mass programming, but they do function as debuggers too. Cyclone devices include the license for the programming application; for the multilink devices it's a separate purchase.

    This is the thread I made there a while ago - http://www.pemicro.com/forums/forum...._topic_id=7230

    I do have to say, after messing with all this, I totally get why all the manufacturers have switched to Infineon / TriCore. The debugging hardware is built in, you just need any off-the-shelf TTL or CAN interface to talk to and program the device, and you can do debugging with JTAG.



      #92
      terra, for the parallel wiggler setup, you use VMware running Windows 7, then pass the parallel port through to the VM? In the debugger, what speed works?



        #93
        In my case, host is Windows 10 x64, guest is Windows XP x32. Pass the parallel port to the VM. And in the VM bios settings, the parallel port should be set to "output only". 380 KHz seems to work fine for me, but you can slow it down if it's unstable.

        This is the parallel port card I'm using: https://www.amazon.com/gp/product/B0...?ie=UTF8&psc=1 (granted I bought it in 2013, so I have no clue if anything has changed since then)



          #94
          Awesome work, guys! What an impressive thread. I really appreciate your research.
          Unfortunately, I managed to corrupt my MSS60 without a prior backup. I do have an EPIC tune original read but I don't know if that would contain the ISN.
          Would any of you who have managed to unlock the BDM be willing to help recover my MSS60?
          If I BDM read the IGN processor at which address would I find the ISN/SK?
          Has anyone gotten a USB Wiggler to work yet or is the parallel port one the one to go for?



            #95
            terra

            I know you’re super busy lately, but could you make a post with a “how to” on unlocking the censor? I know most of the info has been posted already, but a few things aren’t in great detail. Which version of OCDcommander did you end up using? How do you set the IMMR?
            Also, you mentioned special code to read the registers? I’m sure there are a few other things I missed. I ordered a wiggler in hopes to be able to follow your footsteps 🙏🏻



              #96
              Originally posted by hobbit382 View Post
              terra

              I know you’re super busy lately, but could you make a post with a “how to” on unlocking the censor? I know most of the info has been posted already, but a few things aren’t in great detail. Which version of OCDcommander did you end up using? How do you set the IMMR?
              Also, you mentioned special code to read the registers? I’m sure there are a few other things I missed. I ordered a wiggler in hopes to be able to follow your footsteps 🙏🏻
              Not today, but I'll see if I can write down a concrete set of steps. The last couple of times I did it, it took a bit of trial and error.

              Currently don't have my parallel port card in my PC (upgraded video cards and added an extra PCIe SSD, so my PCIe slots aren't as accessible as they were... I'll figure something out)



                #97
                Originally posted by terra View Post
                So interestingly, my DME managed to relock itself.

                What I had done: wrote the ignition side's shadow memory to the injection side, wrote a "virgin" flash to my DME (blank SK, blank AIF), wrote a new AIF entry with WinKFP, wrote and locked a new SK with tool32. I suspect that last bit triggered a lock routine, but it's hard to say for sure.

                Edit: Pretty sure it's writing (or more likely locking) the SK via tool32 command that locked the CPU. Makes some sense that they'd be delivered to BMW in an unlocked state and only lock themselves after the SK is burned in. With the ability to read full dumps and unlock it doesn't really matter, but I'd say just write the SK at the time of the BDM programming instead of waiting to do it in tool32.
                If the DME succeeds in locking the injection CPU, it means there is a subroutine in the program which can modify the censor bits from 01 to 11. This subroutine seems to be in the SK writing one. If we succeed in locating it in the program space, wouldn't it be possible to modify the program in order to change the censor bits from 11 to 00 and then 01? Or at least try to understand how the program modifies the censor bits?
                Last edited by MpowerE36; 08-16-2021, 04:38 PM.
                https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA



                  #98
                  Everything I am talking about is for the 240E program.

                  I found the address of the SK (0x7948) in the 4B0E18 subroutine, and just before and after this instruction, the 475334 subroutine is called (picture 1). In this 475334 subroutine there are several references to 2FC800 and 2FC808 (picture 2). So when terra says that after an SK write the injection CPU locked itself, this may be due to this piece of code. I don’t know yet what is done in this subroutine, but I will work on it. Just one other subroutine makes references to 2FC800: the 47549C one (picture 3). It is called in the 4BEAF0 subroutine, but I don’t know yet what they do.

                  PS: Does someone know of software which can execute PowerPC assembler instructions, or know how to execute some pieces of code in IDA Pro? It would help me a lot.

                  [Picture 1: image_26550.png] [Picture 2: image_26551.png] [Picture 3: image_26552.png]
                  Last edited by MpowerE36; 08-16-2021, 04:43 PM.
                  https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA



                    #99
                    In subroutines 475334 and 47549C, three addresses are used: 2FC00E, 2FC800 and 2FC808.

                    [Image: UC3F register programming model.png]

                    [Image: Software service register.png]
                    Last edited by MpowerE36; 08-16-2021, 04:30 PM.
                    https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA



                      The lock of the CPU seems to be in the 47594C subroutine. Indeed, the content of the 2FC800 address is ORed with (0x0300||0x0000). In binary, it is: 00000011 00000000 00000000 00000000

                      [Image: CPU locked.png]
                      Last edited by MpowerE36; 08-16-2021, 04:44 PM.
                      https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA



                        The censor can be set without erasing the contents of the flash memory, but it cannot be cleared without erasing the flash memory. In theory it might be possible to write a program that runs in RAM and then restores the flash, but that's beyond my skillset.

                        In other news, I ended up just spending the money to buy PEMicro's debugging software. Syntax is a little different than macraigor's, but overall has the same capabilities (really more). Once I verify I have the right sequence of commands down pat, I'll post them here.



                          Originally posted by terra View Post
                          The censor can be set without erasing the contents of the flash memory, but it cannot be cleared without erasing the flash memory. In theory it might be possible to write a program that runs in RAM and then restores the flash, but that's beyond my skillset.

                          In other news, I ended up just spending the money to buy PEMicro's debugging software. Syntax is a little different than macraigor's, but overall has the same capabilities (really more). Once I verify I have the right sequence of commands down pat, I'll post them here.
                          Could we not flash with bdm once the censor is cleared?



                            Originally posted by hobbit382 View Post

                            Could we not flash with bdm once the censor is cleared?
                            Well, clearing the censor sets the status byte to 40. It then needs to be set to 41 or 42 to be uncensored. I’ve also found that the internal flash disables itself when resetting the censor and that you have to set the special registers to re-enable it.

                            I don’t think it’s impossible to do all that with a program running in ram. But at that point it’d make sense to have the program restore a backup.



                              Originally posted by terra View Post
                              The censor can be set without erasing the contents of the flash memory, but it cannot be cleared without erasing the flash memory. In theory it might be possible to write a program that runs in RAM and then restores the flash, but that's beyond my skillset.

                              In other news, I ended up just spending the money to buy PEMicro's debugging software. Syntax is a little different than macraigor's, but overall has the same capabilities (really more). Once I verify I have the right sequence of commands down pat, I'll post them here.
                              Would it not be easiest to directly set the ACCESS bit (status byte 47 for the injection processor)? It is the same result as a status byte of 41 or 42, whatever the FIC and CENSOR bits are: “No censorship, UC3F array accesses allowed”. Would it be possible to set it without erasing the contents of the flash memory?

                              [Image: Access.png]
                              https://www.youtube.com/channel/UCwN...zf45mXp6PDOCzA



                                Originally posted by MpowerE36 View Post

                                Would it not be easiest to directly set the ACCESS bit (status byte 47 for the injection processor)? It is the same result as a status byte of 41 or 42, whatever the FIC and CENSOR bits are: “No censorship, UC3F array accesses allowed”. Would it be possible to set it without erasing the contents of the flash memory?

                                [Image: Access.png]
                                Read the text below the table. ACCESS can only be set while the processor is in uncensored mode. It can only be cleared in censored mode.
