Hi!
I recently jumped into GDSMG2 and desoldered the AM29F400BB flash chip to hook up my emulator and read the content off the flash.
Here is a picture of the flash as I was expecting it, for the C167 CPU to interpret the code correctly:
But here is what I got:
The flash chip was read with a clone TL866 that works great on every other ECU that I used it with, but here the address or data lines seem to be shuffled.
The good thing is, it works with the CobraRTP flash emulator; the bad thing is, I don't understand how the data lines are twisted on the PCB.
If someone could help me out with this, I'd be very thankful! In return I will show you my first approach of a checksum delete.
Thankfully I got a corrected read from Martyn(?) the other day that I could use to start my disassembly on.
After comparing the code to some better known BMW ECUs, I figured out that many routines are hard copies from MS43. This makes sense, because it's both Siemens and the same development time.
So it was kind of easy to figure out how the DS2 communication works, how the checksums are calculated and where they are stored. They even kept the bypass for the calibration data area that was used by BMW during pre-production time.
So to disable the checksum check for calibration data in both boot and program code execution you need to change the following two constants:
Set lc_swi_cal_cks_1 at 0x3209E to FFFFh
Set lc_swi_cal_cks_2 at 0xC0E8 to A8h
This way has been proven to work on MS43 and was confirmed by looking at some earlier development firmwares that BMW used for testing purposes. Meanwhile we also found a way to correct all the checksums, but reading and writing to it is still outstanding.
lc_swi_cal_cks_1 is located in the calibration data, but lc_swi_cal_cks_2 is located in program code, so it's a bit more difficult to change.
Maybe there are some people interested in going forward with this, my biggest pain point is to get the binary right, so please take a look at the content in the upper half of this post.
Regards,
Rob
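The shuffled-lines problem in the post above can be solved mechanically once a known-good read exists (the corrected read is used as the reference): the twisted dump differs from the good one only by a permutation of address bits and a permutation of data bits, and both permutations can be recovered by comparing the two dumps. The following is an added example, not code from the post or from Rob; it assumes 16-bit word-mode dumps stored little-endian, equal sizes, and only swapped lines (no inverted lines, no missing sectors). The twisted dump it works on is constructed in `demo()` by scrambling a synthetic image with a known wiring, so it runs offline; with real files you would pass `to_words()` of the good and the bad dump instead.

```python
# Added example (not from the post): recover swapped address/data lines by
# comparing a twisted dump with a known-good one, then rebuild the image.
# Assumptions: 16-bit word-mode dumps, little-endian bytes, equal sizes,
# only line swaps (no inverted lines, no missing sectors).
import random
from typing import List, Sequence

WORD_BITS = 16  # AM29F400 in word mode

def to_words(image: bytes) -> List[int]:
    """Split a dump into 16-bit little-endian words (assumed byte order)."""
    if len(image) % 2:
        raise ValueError("dump must be an even number of bytes")
    return [image[i] | (image[i + 1] << 8) for i in range(0, len(image), 2)]

def permute_bits(value: int, perm: Sequence[int]) -> int:
    """Move bit i of value to bit position perm[i]."""
    out = 0
    for i, j in enumerate(perm):
        if value >> i & 1:
            out |= 1 << j
    return out

def twist(words: Sequence[int], addr_perm, data_perm) -> List[int]:
    """What the programmer reads when CPU address line i reaches chip pin
    addr_perm[i] and CPU data line i reaches chip pin data_perm[i]."""
    out = [0] * len(words)
    for a, w in enumerate(words):
        out[permute_bits(a, addr_perm)] = permute_bits(w, data_perm)
    return out

def infer_address_perm(good: Sequence[int], bad: Sequence[int]) -> List[int]:
    """Word popcount is invariant under data-line swaps, so the histogram of
    popcounts over the addresses where a given address bit is set identifies
    that bit regardless of how the data lines are twisted."""
    n = len(good)
    if n != len(bad) or n & (n - 1):
        raise ValueError("dumps must have equal power-of-two word counts")
    addr_bits = n.bit_length() - 1

    def signatures(words):
        sigs = []
        for i in range(addr_bits):
            hist = [0] * (WORD_BITS + 1)
            for a in range(n):
                if a >> i & 1:
                    hist[bin(words[a]).count("1")] += 1
            sigs.append(tuple(hist))
        return sigs

    good_sigs, bad_sigs = signatures(good), signatures(bad)
    perm = []
    for i, sig in enumerate(good_sigs):
        hits = [j for j, s in enumerate(bad_sigs) if s == sig]
        if len(hits) != 1:  # uniform regions (all 0xFFFF) can cause ties
            raise ValueError(f"address bit {i} ambiguous, candidates {hits}")
        perm.append(hits[0])
    return perm

def infer_data_perm(good, bad, addr_perm) -> List[int]:
    """With addresses aligned, each data bit is a column of n bits; matching
    columns exactly gives the data-line permutation."""
    n = len(good)
    aligned = [bad[permute_bits(a, addr_perm)] for a in range(n)]
    columns = lambda ws: [bytes((w >> d) & 1 for w in ws) for d in range(WORD_BITS)]
    gcols, bcols = columns(good), columns(aligned)
    perm = []
    for d, col in enumerate(gcols):
        hits = [e for e, c in enumerate(bcols) if c == col]
        if len(hits) != 1:
            raise ValueError(f"data bit {d} ambiguous, candidates {hits}")
        perm.append(hits[0])
    return perm

def untwist(bad, addr_perm, data_perm) -> List[int]:
    """Rebuild the image the CPU sees from a twisted dump and the two perms."""
    inv_data = [0] * len(data_perm)
    for d, e in enumerate(data_perm):
        inv_data[e] = d
    return [permute_bits(bad[permute_bits(a, addr_perm)], inv_data)
            for a in range(len(bad))]

def demo() -> dict:
    """Constructed data: 4096 random 'code' words plus an erased 0xFFFF block,
    twisted with known perms, then recovered from the twisted copy alone."""
    rng = random.Random(1)
    words = [rng.getrandbits(16) for _ in range(4096)]
    words[3072:] = [0xFFFF] * 1024
    addr_perm, data_perm = list(range(12)), list(range(16))
    rng.shuffle(addr_perm)
    rng.shuffle(data_perm)
    bad = twist(words, addr_perm, data_perm)
    ap = infer_address_perm(words, bad)
    dp = infer_data_perm(words, bad, ap)
    return {"addr_ok": ap == addr_perm, "data_ok": dp == data_perm,
            "image_ok": untwist(bad, ap, dp) == words}

if __name__ == "__main__":
    print(demo())  # real use: infer_*(to_words(good_bytes), to_words(bad_bytes))
```

The recovered `addr_perm`/`data_perm` tell you which CPU line ends up on which chip pin, which is exactly the wiring question in the post, and `untwist()` turns any further TL866 read of that board into a CPU-ordered image without a second corrected dump. The address inference relies on popcount histograms, so large uniform regions (erased sectors) can make two address bits indistinguishable; if it raises an ambiguity, run it over a slice with more varied content or resolve the remaining bits by hand against the reference.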