Results 1 to 22 of 22

Thread: Getting Started with Disassembly MS45 ECU

              
   
  1. #1
    Join Date
    Apr 2013
    Location
    New York
    Posts
    64
    Rep Points
    132.7
    Mentioned
    0 Post(s)
    Rep Power
    2


    1 out of 1 members liked this post. Reputation: Yes | No

    Getting Started with Disassembly MS45 ECU

    I've been reading over a few threads on various boards, trying to get my head around where i should go to get what I want moving.

    It's clear I'm going to have to buy a copy of IDA Pro. (Yuck, that's not inexpensive.)

    The problem is, I have no idea what CPU the Siemens MS45 even uses.

    On one forum ecuconnections and chiptuners boards were mentioned. Anyone know what's a good resource / community for doing this sort of thing? Or anyone here aside from Nick doing this sort of thing?

    I'm looking into some physical hardware swap that will require modification of the actual control code in the MS45. Any helpful pointers or information is appreciated.

    -Matt

  2. #ADS

  3. #2
    Sticky's Avatar
    Sticky is offline Regular User
    Status: Meh
     

    Join Date
    Jan 2010
    Location
    SoCal
    Posts
    98,033
    Rep Points
    23,254.9
    Mentioned
    1435 Post(s)
    Rep Power
    233


    Reputation: Yes | No
    I don't really understand what you are trying to do.

    You are working on an M54 I take it?
    Click here to enlarge Originally Posted by Twinturbom3
    This quote is hidden because you are ignoring this member. Show Quote
    You look like a retarded teenager discovering internet.

  4. #3
    Join Date
    Apr 2013
    Location
    New York
    Posts
    64
    Rep Points
    132.7
    Mentioned
    0 Post(s)
    Rep Power
    2


    Reputation: Yes | No

    Hah. I don't want to give away too many details right now. Click here to enlarge

    If I can pull off what I want to do, it will take my car from a uncommon configuration to a likely one-off configuration.

    Yes, this is sticking with the M54 engine.

    Finding processor information for the MS45 (thus being able to search for docs on instruction set, initial program load location, etc) has not been a simple task so far. Thus I was hoping someone had some idea of where and how to get started.

    -Matt

    EDIT: Sticky - maybe a better title would be "Getting Started with ECU Instruction Dissasembly" ?

  5. #4
    Sticky's Avatar
    Sticky is offline Regular User
    Status: Meh
     

    Join Date
    Jan 2010
    Location
    SoCal
    Posts
    98,033
    Rep Points
    23,254.9
    Mentioned
    1435 Post(s)
    Rep Power
    233


    Reputation: Yes | No
    Click here to enlarge Originally Posted by mdrobnak Click here to enlarge
    This quote is hidden because you are ignoring this member. Show Quote
    EDIT: Sticky - maybe a better title would be "Getting Started with ECU Instruction Dissasembly" ?
    Perhaps but don't you feel the M54 forum would be a better place for this then?
    Click here to enlarge Originally Posted by Twinturbom3
    This quote is hidden because you are ignoring this member. Show Quote
    You look like a retarded teenager discovering internet.

  6. #5
    Join Date
    Apr 2013
    Location
    New York
    Posts
    64
    Rep Points
    132.7
    Mentioned
    0 Post(s)
    Rep Power
    2


    1 out of 1 members liked this post. Reputation: Yes | No

    Oops. Sorry, wasn't quite getting what you meant earlier.

    So, the question was more of a 'where do I go' more then something that's M54 specific. That's why I posted it in advanced tuning. Not many people go down this route. As I am less concerned with actual values and am looking for control algorithms, dissasembly is the only way.

    As it turns out, I did find some more information out from Jim Conforti from a post on bf.c:

    BMW's have used the following families of processors:

    8051
    80196
    80c166/167
    Motorola CPU32
    Motorola MPC55x (aka Green Oak and Golden Oak)
    Infineon TC1796

    This is from memory and it's late of course here.

    Which is used in which ECU is left as an exercise to the reader
    So I got the Infineon TC1796 datasheets, instruction sets, etc, and now know it's one of two possible locations for where booting starts. The problem is I don't know how that interacts with IDA, nor if the ROM dump I have actually has all of the program code.

    I'm fine with the thread in either spot.

    -Matt

  7. #6
    Sticky's Avatar
    Sticky is offline Regular User
    Status: Meh
     

    Join Date
    Jan 2010
    Location
    SoCal
    Posts
    98,033
    Rep Points
    23,254.9
    Mentioned
    1435 Post(s)
    Rep Power
    233


    Reputation: Yes | No
    I have to admit, what you are attempting to do is way beyond me and I'm not even sure which direction to point you in.
    Click here to enlarge Originally Posted by Twinturbom3
    This quote is hidden because you are ignoring this member. Show Quote
    You look like a retarded teenager discovering internet.

  8. #7
    Join Date
    Apr 2011
    Posts
    113
    Rep Points
    147.2
    Mentioned
    2 Post(s)
    Rep Power
    2


    Reputation: Yes | No
    The problem with the MS45 DME is that it is not very widely used and presents a lot hurdles. The way that the dme applies adaptations seems to be a tough nut to crack. Might want to look at going with an MS43 or stand alone.

    if on off is the goal...good luck!

  9. #8
    Join Date
    Apr 2012
    Posts
    12
    Rep Points
    38.3
    Mentioned
    0 Post(s)
    Rep Power
    0


    1 out of 1 members liked this post. Reputation: Yes | No
    hello,

    let me get this right: you want to modify an engine which uses MS45(.0 or .1?) and so you want to be able to change its mapping?

    if so, get yourself winols and the correct damos file.

    iŽll attach the readout from my ms45.1

    happy disassembling
    Attached Files Attached Files

  10. #9
    Join Date
    Apr 2013
    Location
    New York
    Posts
    64
    Rep Points
    132.7
    Mentioned
    0 Post(s)
    Rep Power
    2


    1 out of 1 members liked this post. Reputation: Yes | No

    As it turns out, I was a dummy, and made a connection that I shouldn't have.

    So, as per @NickG (thanks!), It's an MPC555 processor, which is PowerPC based.

    I got the MPC555 datasheets now, and at least know what RAM locations for certain peripherals are.

    I must have some idea as to what I'm doing, as I picked a location which after turning just 2 sections to code, was enough to allow IDA to follow all the rest of the subroutines.

    So now I have two things:

    1. Read up a bit on PPC instructions, so I can see what it's doing.
    2. Figure out the correct loading location of the ROM so that relative jumps / load locations make sense.

    Oh, and there's like 1848 subroutines. This will definitely take some time.

    -Matt

  11. #10
    Join Date
    Apr 2013
    Location
    New York
    Posts
    64
    Rep Points
    132.7
    Mentioned
    0 Post(s)
    Rep Power
    2


    Reputation: Yes | No

    Click here to enlarge Originally Posted by Leinad78 Click here to enlarge
    This quote is hidden because you are ignoring this member. Show Quote
    hello,

    let me get this right: you want to modify an engine which uses MS45(.0 or .1?) and so you want to be able to change its mapping?

    if so, get yourself winols and the correct damos file.

    iŽll attach the readout from my ms45.1

    happy disassembling
    Thanks for another example of an MS45.

    No, I'm looking to trace program code, and possibly modify it if necessary.

    -Matt

  12. #11
    Sticky's Avatar
    Sticky is offline Regular User
    Status: Meh
     

    Join Date
    Jan 2010
    Location
    SoCal
    Posts
    98,033
    Rep Points
    23,254.9
    Mentioned
    1435 Post(s)
    Rep Power
    233


    Reputation: Yes | No
    Click here to enlarge Originally Posted by Leinad78 Click here to enlarge
    This quote is hidden because you are ignoring this member. Show Quote
    hello,

    let me get this right: you want to modify an engine which uses MS45(.0 or .1?) and so you want to be able to change its mapping?

    if so, get yourself winols and the correct damos file.

    iŽll attach the readout from my ms45.1

    happy disassembling
    That's a good post man. I'm amazed at some of our guys who just browse and what they know.
    Click here to enlarge Originally Posted by Twinturbom3
    This quote is hidden because you are ignoring this member. Show Quote
    You look like a retarded teenager discovering internet.

  13. #12
    Join Date
    Apr 2013
    Location
    New York
    Posts
    64
    Rep Points
    132.7
    Mentioned
    0 Post(s)
    Rep Power
    2


    Reputation: Yes | No

    Click here to enlarge Originally Posted by Leinad78 Click here to enlarge
    This quote is hidden because you are ignoring this member. Show Quote
    hello,

    let me get this right: you want to modify an engine which uses MS45(.0 or .1?) and so you want to be able to change its mapping?

    if so, get yourself winols and the correct damos file.

    iŽll attach the readout from my ms45.1

    happy disassembling
    Wow I tried loading this into IDA, and it disassembled quite differently then my 330's MS45.1.

    What car is this from, and is this a US car?

    -Matt

  14. #13
    Join Date
    Apr 2012
    Posts
    12
    Rep Points
    38.3
    Mentioned
    0 Post(s)
    Rep Power
    0


    1 out of 1 members liked this post. Reputation: Yes | No
    Hello Matt,

    youŽre right, it was from a US car. To be precise, it was: KX09903_e46_325i_m54_2004_LHD

    i have another one, again MS45.1 and again US:

    KX11398_e46_325i_m54_2004_LHD

    i hope you let us know about further progress as iŽm trying to convert my 330 from MS43 to MS45.1 Click here to enlarge
    Attached Files Attached Files

  15. #14
    Join Date
    Apr 2013
    Location
    New York
    Posts
    64
    Rep Points
    132.7
    Mentioned
    0 Post(s)
    Rep Power
    2


    Reputation: Yes | No

    There are so many instructions to learn in PPC assembly, and I get the feeling I'm missing something important, as I'm having a really hard time grasping the overall purpose of the actual subroutines. It's hard without knowing certain values - ie inputs to the functions, to figure out what is going on. There's a lot of "read from this memory location" that's a derivative of these inputs, thus I have no clue as to what they are.

    I'm not giving up quite yet though. I'm giving myself about 5 more weeks to try and make some decent progress before I decide the whole thing was a bad idea, and I'll come up with a plan b.

    -Matt

  16. #15
    Join Date
    Apr 2012
    Posts
    12
    Rep Points
    38.3
    Mentioned
    0 Post(s)
    Rep Power
    0


    Reputation: Yes | No
    WouldnŽt it be clever to get some more people to "help" you? so wouldnŽt it be also clever to tell what you are doing? just my opinion

  17. #16
    Join Date
    Apr 2013
    Location
    New York
    Posts
    64
    Rep Points
    132.7
    Mentioned
    0 Post(s)
    Rep Power
    2


    Reputation: Yes | No

    Click here to enlarge Originally Posted by Leinad78 Click here to enlarge
    This quote is hidden because you are ignoring this member. Show Quote
    WouldnŽt it be clever to get some more people to "help" you? so wouldnŽt it be also clever to tell what you are doing? just my opinion
    A couple things.

    First - are these stock BMW files you've posted up here?

    Second - I haven't given too many specifics because the idea I have may actually be something I can work with an already known tuner to market to those interested, and I don't want to ruffle any feathers here on the board when it comes to advertising.

    The overall goal of the project was to trace the overall flow of the code enough to determine where transmission related information is exchanged, and see what messages are being sent to the transmission control unit. I could then determine if there was a chance to swap it with a similar, but stronger, transmission.

    -Matt

  18. #17
    Join Date
    Apr 2012
    Posts
    12
    Rep Points
    38.3
    Mentioned
    0 Post(s)
    Rep Power
    0


    Reputation: Yes | No
    So you want to earn money with it or is it just for your hobby?

  19. #18
    Join Date
    Apr 2013
    Location
    New York
    Posts
    64
    Rep Points
    132.7
    Mentioned
    0 Post(s)
    Rep Power
    2


    Reputation: Yes | No

    I have a day job that let's me do fairly well. So its not so much the monetary aspect that's the issue.

    I used to do calibrations for modified Mustangs. I got out if that business because it was a lot of work without a lot to show for it.

    It will take a lot of work to do what I'm trying to do, so , if I can get some sort of compensation out of it, that'd be awesome. I am certainly planning on sharing some info as I discover it, but perhaps not everything.

    You also didn't answer my question about the source of those files.

  20. #19
    Sticky's Avatar
    Sticky is offline Regular User
    Status: Meh
     

    Join Date
    Jan 2010
    Location
    SoCal
    Posts
    98,033
    Rep Points
    23,254.9
    Mentioned
    1435 Post(s)
    Rep Power
    233


    Reputation: Yes | No
    Click here to enlarge Originally Posted by Leinad78 Click here to enlarge
    This quote is hidden because you are ignoring this member. Show Quote
    So you want to earn money with it or is it just for your hobby?
    I think he is concerned about work getting ripped off and for whomever is responsible not getting credit if that is the case here.
    Click here to enlarge Originally Posted by Twinturbom3
    This quote is hidden because you are ignoring this member. Show Quote
    You look like a retarded teenager discovering internet.

  21. #20
    Join Date
    Apr 2012
    Posts
    12
    Rep Points
    38.3
    Mentioned
    0 Post(s)
    Rep Power
    0


    Reputation: Yes | No
    Hows it going? Any hints on IDA Pro? I would like to start to disassemble C167CR File Click here to enlarge

  22. #21
    Join Date
    Sep 2012
    Posts
    17
    Rep Points
    33.6
    Mentioned
    0 Post(s)
    Rep Power
    0


    Reputation: Yes | No
    He-he, I tried to dissamble PPC at my MS45.0 and make decision to go with Parallel ECU configuration - more easier. Because of my turbo build I need to rewrite code from two banks 1-3 and 4-6 for single lambda and it's painfull.
    Also MS45 has torque system control - if torque more than expected it will go in limp mode.

  23. #22
    Join Date
    Apr 2012
    Posts
    12
    Rep Points
    38.3
    Mentioned
    0 Post(s)
    Rep Power
    0


    Reputation: Yes | No
    well, even MS43 had torque expectation and control Click here to enlarge did you had any luck with ms45.0?

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts
  •