MSS60 Research

  • MpowerE36
    replied
    Originally posted by terra:

    read the text below the table. Access can only be set while the processor is in uncensored mode. It can only be cleared in censored mode.
    Yes I've just seen that
    Last edited by MpowerE36; 08-17-2021, 08:39 AM.


  • terra
    replied
    Originally posted by MpowerE36:

    Would it not be easiest to directly set the ACCESS bit (status byte 47 for the injection processor)? It is the same result as a status byte of 41 or 42, whatever the FIC and CENSOR bits are: “No censorship, UC3F array accesses allowed”. Would it be possible to set it without erasing the contents of the flash memory?

    [Attachment: Access.png]
    read the text below the table. Access can only be set while the processor is in uncensored mode. It can only be cleared in censored mode.


  • MpowerE36
    replied
    Originally posted by terra:
    The censor can be set without erasing the contents of the flash memory, but it cannot be cleared without erasing the flash memory. In theory it might be possible to write a program that runs in RAM and then restores the flash, but that's beyond my skillset.

    In other news, I ended up just spending the money to buy PEMicro's debugging software. Syntax is a little different than macraigor's, but overall has the same capabilities (really more). Once I verify I have the right sequence of commands down pat, I'll post them here.
    Would it not be easiest to directly set the ACCESS bit (status byte 47 for the injection processor)? It is the same result as a status byte of 41 or 42, whatever the FIC and CENSOR bits are: “No censorship, UC3F array accesses allowed”. Would it be possible to set it without erasing the contents of the flash memory?

    [Attachment: Access.png]


  • terra
    replied
    Originally posted by hobbit382:

    Could we not flash with bdm once the censor is cleared?
    Well, clearing the censor sets the status byte to 40. It then needs to be set to 41 or 42 to be uncensored. I’ve also found that the internal flash disables itself when resetting the censor and that you have to set the special registers to re-enable it.

    I don’t think it’s impossible to do all that with a program running in ram. But at that point it’d make sense to have the program restore a backup.


  • hobbit382
    replied
    Originally posted by terra:
    The censor can be set without erasing the contents of the flash memory, but it cannot be cleared without erasing the flash memory. In theory it might be possible to write a program that runs in RAM and then restores the flash, but that's beyond my skillset.

    In other news, I ended up just spending the money to buy PEMicro's debugging software. Syntax is a little different than macraigor's, but overall has the same capabilities (really more). Once I verify I have the right sequence of commands down pat, I'll post them here.
    Could we not flash with bdm once the censor is cleared?


  • terra
    replied
    The censor can be set without erasing the contents of the flash memory, but it cannot be cleared without erasing the flash memory. In theory it might be possible to write a program that runs in RAM and then restores the flash, but that's beyond my skillset.

    In other news, I ended up just spending the money to buy PEMicro's debugging software. Syntax is a little different than macraigor's, but overall has the same capabilities (really more). Once I verify I have the right sequence of commands down pat, I'll post them here.


  • MpowerE36
    replied
    The lock of the CPU seems to be in the 47594C subroutine. Indeed, the content of the 2FC800 address is ORed with (0x0300||0x0000). In binary, that is: 00000011 00000000 00000000 00000000

    [Attachment: CPU locked.png]
    Last edited by MpowerE36; 08-16-2021, 03:44 PM.


  • MpowerE36
    replied
    In subroutines 475334 and 47549C, three addresses are used: 2FC00E, 2FC800 and 2FC808.

    [Attachments: UC3F register programming model.png, Software service register.png]
    Last edited by MpowerE36; 08-16-2021, 03:30 PM.


  • MpowerE36
    replied
    Everything I am talking about is for the 240E program.

    I find the address of the SK (0x7948) in the 4B0E18 subroutine, and just before and after this instruction, the 475334 subroutine is called (picture 1). In this 475334 subroutine there are several references to 2FC800 and 2FC808 (picture 2). So when terra says that after an SK write the injection CPU locked itself, this may be due to this piece of code. I don’t know yet what is done in this subroutine but I will work on it. Just one other subroutine makes references to 2FC800: the 47549C one (picture 3). It is called in the 4BEAF0 subroutine but I don’t know yet what they do.

    PS: Does someone know of software that can execute PowerPC assembler instructions, or know how to execute some pieces of code in IDA Pro? It would help me a lot.

    [Attachments: image_26550.png (picture 1), image_26551.png (picture 2), image_26552.png (picture 3)]
    Last edited by MpowerE36; 08-16-2021, 03:43 PM.


  • MpowerE36
    replied
    Originally posted by terra:
    So interestingly, my DME managed to relock itself.

    What I had done: Wrote ignition side's shadow memory to injection side, wrote a "virgin" flash to my DME (blank SK, blank AIF), wrote a new AIF entry with WinKFP, wrote and locked a new SK with tool32. I suspect that last bit triggered a lock routine, but it's hard to say for sure.

    Edit: Pretty sure it's writing (or more likely locking) the SK via tool32 command that locked the CPU. Makes some sense that they'd be delivered to BMW in an unlocked state and only lock themselves after the SK is burned in. With the ability to read full dumps and unlock it doesn't really matter, but I'd say just write the SK at the time of the BDM programming instead of waiting to do it in tool32.
    If the DME succeeds in locking the injection CPU, it means there is a subroutine in the program which can modify the censor bits from 01 to 11. This subroutine seems to be in the SK-writing one. If we succeed in locating it in the program space, would it not be possible to modify the program in order to change the censor bits from 11 to 00 and then 01? Or at least try to understand how the program modifies the censor bits?
    Last edited by MpowerE36; 08-16-2021, 03:38 PM.


  • terra
    replied
    Originally posted by hobbit382:
    terra

    I know you’re super busy lately, but could you make a post with a “how to” on unlocking the censor? I know most of the info has been posted already, but a few things aren’t in great detail. Which version of OCDcommander did you end up using? How do you set the IMMR?
    Also, you mentioned special code to read the registers? I’m sure there are a few other things I missed. I ordered a wiggler in hopes of being able to follow your footsteps 🙏🏻
    Not today, but I'll see if I could write down a concrete set of steps. Last couple times I did it, it took a bit of trial and error.

    Currently don't have my parallel port card in my PC (upgraded video cards and added an extra PCIe SSD, so my PCIe slots aren't as accessible as they were... I'll figure something out)


  • hobbit382
    replied
    terra

    I know you’re super busy lately, but could you make a post with a “how to” on unlocking the censor? I know most of the info has been posted already, but a few things aren’t in great detail. Which version of OCDcommander did you end up using? How do you set the IMMR?
    Also, you mentioned special code to read the registers? I’m sure there are a few other things I missed. I ordered a wiggler in hopes of being able to follow your footsteps 🙏🏻


  • mik325tds
    replied
    Awesome work, guys! What an impressive thread. I really appreciate your research.
    Unfortunately, I managed to corrupt my MSS60 without a prior backup. I do have an EPIC tune original read but I don't know if that would contain the ISN.
    Would any of you who have managed to unlock the BDM be willing to help recover my MSS60?
    If I BDM read the IGN processor at which address would I find the ISN/SK?
    Has anyone gotten a USB Wiggler to work yet or is the parallel port one the one to go for?


  • terra
    replied
    In my case, host is Windows 10 x64, guest is Windows XP x32. Pass the parallel port to the VM. And in the VM bios settings, the parallel port should be set to "output only". 380 KHz seems to work fine for me, but you can slow it down if it's unstable.

    This is the parallel port card I'm using: https://www.amazon.com/gp/product/B0...?ie=UTF8&psc=1 (granted I bought it in 2013, so I have no clue if anything has changed since then)


  • pshoey
    replied
    terra, for the parallel wiggler setup: you use VMware running Windows 7, then pass the parallel port through to the VM? In the debugger, what speed works?
