Bosch MED9.1.1

[lgtmelo]

Hello everyone. I've been trying to disassemble my MED9.1.1 using ghidra. I know this ecu is MPC563 based. I was following guides written for the MED9.1 but I just learned last week that mine is .5mb bigger. Since all I have is a MPPS read (flash only, 2mb, instead of the 2.5mb required), I'm missing code. So I got some random full read online, but I still can't make it work. Anyone willing to help me with my first steps? Not looking to be spoon fed, just need some guidance.

Attached are a memory map I found for the mpc563, my incomplete read, and the full read I found online. Also some PDFs that might be useful. The MPC563 Reference Manual was too big to attach, but can be easily googled.

Thanks in advance!

[kur4o]

Just a general info that might get you started, based on similar ME9.6 layout and some a2l floating on the web

The memory layout of calibration data starts at 5c2000 in disassembly [in bin it starts at 1c2000]

The smaller bin should go at 400000 .
The bigger bin goes to 0

It should be close enough. And there will be still some code missing for sure.

You either need to load different files with correct offset, or make some huge file with proper data layout and than make a diss.

Ram is around 600000-a00000, need to trace it in disassembly,
You will need to set some r2 and r13 registers too.

[lgtmelo]

Just a general info that might get you started, based on similar ME9.6 layout and some a2l floating on the web

The memory layout of calibration data starts at 5c2000 in disassembly [in bin it starts at 1c2000]

The smaller bin should go at 400000 .
The bigger bin goes to 0

It should be close enough. And there will be still some code missing for sure.

You either need to load different files with correct offset, or make some huge file with proper data layout and than make a diss.

Ram is around 600000-a00000, need to trace it in disassembly,
You will need to set some r2 and r13 registers too.

thats basically how i did. bin to 400000, ram at 600000 with 300000 size. r2 set as 0x5C9FF0 and r13 as 0x7FFFF0 (from med9.1).

[kur4o]

Smaller bin goes to 400000
Main bin to 0
calibration 5c2000

And you are good to go.

[lgtmelo]

first of all thank you. this is the furthest ive got. my mistake was always setting main bin to 400000. would you mind educating me on WHY are they disposed like this? main to 0 and smaller to 400000? i feel this is trivial but i honestly still dont understand, even after looking at the memory map pdf.

now if i may, just wanted to double check I did it accordingly:

[lgtmelo]

for what its worth it seems IDA handled it better. or is it a me problem?

[kur4o]

These are the built in offsets how cpu sees code in memory. Not sure why it is configured that way.

I do like IDA and never used ghidra so can`t speak which one works best, Both have pros and cons.

Before final analysis you need to specify r2,r13 and manually convert into code vectors, at start of 400000 and at 0.
And likely map all referenced addresses you find in code.

I was having troubles with some me9.6 same layout, and still have some issues with calls to not mapped memory regions.
The best approach is to dump full memory map from a running pcm, how cpu sees it.

[lgtmelo]

i set r2 and r13 at the begining, when i open the file, as i select ppc big, then under processor options. do i still need to do it again later?

[kur4o]

Sometimes if code is not disassembled in correct order, you get weird result and need to start all over a fresh disassembly, following exact steps so IDA can setup internal registers first. In code various registers are repurposed in the code flow and program needs to track them.

Usually you will need to start all over again until all looks good.

[lgtmelo]

step by step how i did:
1-open file MPC as powerpc, under processor options set TOC address: 0x5C9FF0 and SDA: 0x7FFFF0.

a.png (12.2 KiB) Viewed 1221 times

on the next window, set RAM to start at 0x600000, size 0x300000; ROM at 0x400000, size 0x81000 (left as filled); input file loading address 0x400000, offset 0x0, size 0x81000 (left as filled). click ok and select 32bit mode. as device, select mpc5xx.

b.png (7.95 KiB) Viewed 1221 times

i get this message about vle=1, which i dont think is necessary. any harm in it?

b.png (9.11 KiB) Viewed 1221 times

now to file -> load -> additional binary -> bigger bin (2mb). everything left as 0x0:

b.png (13.5 KiB) Viewed 1221 times

now again file -> load -> additional binary -> bigger bin again. this time, addresses as follows:

b.png (13.9 KiB) Viewed 1221 times

this is what i got so far under segments:

b.png (20.75 KiB) Viewed 1221 times

now i select all and hit C to analyze: