GS7 program code disassembly project

[Olza]

Hallo. I have some experience in reverse engineering just to be in condition - have good projects for ms41,42,43, mss50, mss54hp, GS20 (5L40E - made XDF, can generate 0DA from modified bins and flash via winkfp) and GDSMG2 (also can see all main stuff, change and write).

Now im starting to dive into GS40. Already combined 7844978A.0pa and A7848443.0DA (GTS) and started disassembing.
It seems damn thing is Infineon TriCore chip and program was written not in pure assembler (good old days), maybe C and has huge and excess code. Plus Infineon mnemonic is new to me, so its just started

Already found found CAN, KWP2K, RSA, CRC, DTC, final drive and wheel size factors constants... more to come.

Goal is to made XDF for calibration bins, tune and then convert, crc and write back with winkfp.
Maybe convert stock maps for gts, or use m3 gws on 335 without recoding or complete reflash. Of course change or enable LC, burnout mode.

For that i need to see how program and data is protected and made some crc fixer. If anyone have full dumps of entire chip and share, it helps a lot.

 

[aus335iguy]

I’d like to help but only have an OBD>USB and standard tools. If there are software tools that are easily available then I can help but I’ll need some guidance on what and how.
May car is 2009 335i DCT and I have flashed the TCU before so I can flash any of the standard bins and read back(if I have a tool to do so)

 

[doublespaces]

Hallo. I have some experience in reverse engineering just to be in condition - have good projects for ms41,42,43, mss50, mss54hp, GS20 (5L40E - made XDF, can generate 0DA from modified bins and flash via winkfp) and GDSMG2 (also can see all main stuff, change and write).

Now im starting to dive into GS40. Already combined 7844978A.0pa and A7848443.0DA (GTS) and started disassembing.
It seems damn thing is Infineon TriCore chip and program was written not in pure assembler (good old days), maybe C and has huge and excess code. Plus Infineon mnemonic is new to me, so its just started

Already found found CAN, KWP2K, RSA, CRC, DTC, final drive and wheel size factors constants... more to come.

Goal is to made XDF for calibration bins, tune and then convert, crc and write back with winkfp.
Maybe convert stock maps for gts, or use m3 gws on 335 without recoding or complete reflash. Of course change or enable LC, burnout mode.

For that i need to see how program and data is protected and made some crc fixer. If anyone have full dumps of entire chip and share, it helps a lot.

Good start. I think the issue is related to the rsa signature and the flashing process. The bootloader isn't going to be available unless someone dumps it from the chip directly. I tried to get a Valvebody so I could try but was unsuccessful in obtaining one for a reasonable price.

Once someone has the bootloader we can look for an exploit of some kind to enable obd flashing.

Perhaps it would be helpful if we could get some instructions for dumping the chip and someone with the Valvebody out of the car could make the connections.

My dct unit is in my garage currently.

 

[aus335iguy]

I have a valve body as you know and I can send it wherever. I’m home looking after our baby for the next few months... hopefully that means more spare time

 

[doublespaces]

What about this: http://www.obd-express.com/product/ds17-infineon-tricore-boot-reader-ecu-programmer/

 

[aus335iguy]

@Olza @jyamona
Will that do the trick ?
will it be quicker easier for me to send the valve body? i have pretty good solder and computer skilz??

 

[amg6975]

I'm an EE with a lab and all sorts of things at my disposal if I can be of any help at all. I'm absolutely useless at assembly, and right now I'm [slowly] working on reverse engineering the PT-CAN but this project is awesome. I think just being able to change the diff ratio and use either GWS would send the popularity of the DCT into space.

 

[DirtKurt]

Hallo. I have some experience in reverse engineering just to be in condition - have good projects for ms41,42,43, mss50, mss54hp, GS20 (5L40E - made XDF, can generate 0DA from modified bins and flash via winkfp) and GDSMG2 (also can see all main stuff, change and write).

Now im starting to dive into GS40. Already combined 7844978A.0pa and A7848443.0DA (GTS) and started disassembing.
It seems damn thing is Infineon TriCore chip and program was written not in pure assembler (good old days), maybe C and has huge and excess code. Plus Infineon mnemonic is new to me, so its just started

Already found found CAN, KWP2K, RSA, CRC, DTC, final drive and wheel size factors constants... more to come.

Goal is to made XDF for calibration bins, tune and then convert, crc and write back with winkfp.
Maybe convert stock maps for gts, or use m3 gws on 335 without recoding or complete reflash. Of course change or enable LC, burnout mode.

For that i need to see how program and data is protected and made some crc fixer. If anyone have full dumps of entire chip and share, it helps a lot.

Let us know what we can do to help, hardware or funding im sure we can pull together.

 

[aus335iguy]

@Olza Any update and What can we do to help ?

 

[aus335iguy]

In the meantime, there’s a way to create BINs from the files in the standard toolset. It’s been attempted unsuccessfully by @bradsm87...
ill post up shortly with some further detail see if any of it helps

 

[Olza]

What toolset? We can generate bins from standard 0da files via some free intel hex to bin tools.
Ok the progress... i found LIN and CAN GWS interchange routines. there are some config constants for gws type, so i guess we can change them and use stock 335 gws with m3 gts program and data. Also final drive and wheel size constants seems simply deal Gearbox modes like XE, S, A0 and other founded, so making xdf with gearchange speed will be possible in near future. Pressure later. So i can define almost everything.
Now main target is crc fix inside data and code area. I found routines and investigating... KWP2000 interchange also discovered

I am still searching for fulldump. And someone brave who can flash my test gts 0da and 0pa with Winkfp (don’t worry you can immediately revert back to stock if something goes wrong).

 

[doublespaces]

In the meantime, there’s a way to create BINs from the files in the standard toolset. It’s been attempted unsuccessfully by @bradsm87...
ill post up shortly with some further detail see if any of it helps

I'd like to see that information, but as Olza said, I've seen @jyamona do something similar, I think he said he wrote a script of some kind that did the work.

Now main target is crc fix inside data and code area. I found routines and investigating... KWP2000 interchange also discovered

I am still searching for fulldump. And someone brave who can flash my test gts 0da and 0pa with Winkfp (don’t worry you can immediately revert back to stock if something goes wrong).

This is really good news, however I was told there was a 1024 bit RSA signature which prevents the TCU from exiting programming mode? So you have a 128 byte cryptographic hash which cannot be changed.

On MSD81(tricore), I believe the program data and code data have separate hashes, but changing the CRCs in either area will invalidate one or both of the signatures and this will prevent the TCU from exiting programming mode after flashing with WinKFP. So although you can fix the CRC(which is fantastic and I want to hear more about this) we still need to trick the TCU to accept the bad RSA hash, right? Some of this may not actually apply to the DCT TCU, I'm just borrowing the logic from my understanding of the MSD81 flashing process.

Perhaps this is why you want the full bin dump with the bootloader? Please let me know if I am correct in my thinking.

 

[aus335iguy]

Sorry guys bit busy with the baby. I’ll post up in a little while when she’s asleep.

 

[Olza]

Im not familiar with rsa structure yet but I think I should. At first look there are signatures at end of data and af start of code. Inside code there are two 256 bytes “hashes” which complicated xored with 20 bytes keys. Which filled with some data from here and here at start. Including boot area as i can see. So i cant make base key to start decrypt.
But its on a first sight, im started looking just today haha... too much interesting information while sailing on disassembled project - im combine information like mosaic step by step.

 

[Olza]

In bad way we can try to brute force code to skip that checks

 

[doublespaces]

In bad way we can try to brute force code to skip that checks

Ah yes, very simple:

NOP
NOP
NOP

right?

 

[Olza]

Sure

 

[aus335iguy]

This information is relevant but not important. Just thought id bring it in in case someone needs it or could use it. I cant comment of the accuracy of the information it was provided to me by @bradsm87 and others on another forum a while back.
The full firmware version string is: 0549QB0F980G
PABD for the GS40 is 06DKG436.ipo and the P-SGBD is 10FLASH.prg
You can use dsk90.prg to read the files.
These are some of the utilities required from the BMW standard tools to flash the GS40.

 

[doublespaces]

We need someone capable of doing this:

https://nissanecu.miraheze.org/wiki/AUD_debug_tool
http://www.romraider.com/forum/viewtopic.php?f=45&t=12821
https://nissanecu.miraheze.org/wiki/Bootmode

How can we hire @LamboLover

 

[aus335iguy]

Hmmm Getrag DCTs aren't just in BMWs could we look to other forums to see if they've managed it and possibly apply some of their knowledge ?

Also I found this on a Mitsubishi EVO forum- its a list of simulators that we could potentially try new code on?? Or am I wrong ?

http://www2.lauterbach.com/pdf/simulator_tricore.pdf

http://www.infineon.com/cms/en/prod...=db3a304326c2768b0126c28019610002#FreeTriCore

http://gec.di.uminho.pt/discip/minf/ac0203/ICCA03/TriCore_Architecture.pdf

http://www.datasheetarchive.com/tricore instruction set-datasheet.html

http://www.testech-elect.com/ashling/tricore_tools.htm

http://www.qtronic.com/en/index_news_12_04_infineon.html

http://www.qtronic.com/en/silver.html
https://resources.qtronic.de/