aef
« Reply #195 on: December 17, 2015, 06:10:31 AM »
I love the winter months...
john9357
« Reply #196 on: December 17, 2015, 06:40:39 AM »
Jfis
aef
« Reply #197 on: December 17, 2015, 06:48:39 AM »
Would recommend creating a topic of its own for jfis. Looks nice. Back to topic: which tool to read haldex via kline?
DT
« Reply #198 on: December 18, 2015, 05:14:41 PM »
less than 30min to fully disassemble in IDA.
john9357
« Reply #199 on: December 18, 2015, 06:00:43 PM »
So simple!!
aef
« Reply #200 on: December 19, 2015, 04:02:40 AM »
So as I said before, I like the winter months where all the nerds sit in front of their computers. Thumbs up to all the new users for the information on the last pages of this thread. Just a little summary: @ccyberwing is able to read the flash via kline and will hopefully share how he did this; @john9357 was able to read and write the eeprom with the login of 5207 and his command line tools; @DT and john already disassembled the whole flash in IDA. Looks like john has a spare "race" haldex, and once he was able to read it one can compare the stock and race flash? Hopefully there is a way to write to the flash too.
vwaudiguy
« Reply #201 on: December 19, 2015, 08:54:59 AM »
Great work, guys. I haven't seen much progress on this thread for some time, kind of lost hope. I have an orange controller we could read (mounted in the car). Let me know how I can do it, and I'll post it up. If the controller needs to be removed to read it, I won't be able to do this for a couple of weeks. I could do a read over the next couple of days though if I can read it in the car.
"If you have a chinese turbo, that you are worried is going to blow up when you floor it, then LOL."
sonique
« Reply #202 on: December 28, 2015, 07:13:42 PM »
Nice thread, you are very close to reading this controller. If you want I can write a little guide on how to read these controllers (in the Christmas holidays). About flash sizes: both variants exist, 29F100 and F200. In the meantime a small Christmas present as attachment: full readout, flash & eeprom. Best regards, Tom

Yes plz write little guide, thanks
dream3R
« Reply #203 on: December 30, 2015, 07:48:14 PM »
Good progress, guys. It will be possible to write via kline, I'm sure. At least the calibration blocks...
dream3R
« Reply #204 on: December 30, 2015, 07:53:22 PM »
less than 30min to fully disassemble in IDA.

Slow PC, lol? Did you get all of the registers set up? The code is weird I think compared to Bosch C167. The SBL for Volvo is one gigantic function. Meh. Does it follow KWP?
DT
« Reply #205 on: January 05, 2016, 08:58:28 PM »
ROMEN=0 in SYSCON (1204h) indicates that the internal ROM is disabled. BUSCON0 #48Eh: BTYP=10, 16-bit demultiplexed.
P0H.4-3 (SALSEL) is probably 11 at startup/reset, hence 256Kb (default without pull-downs).
From what I can see from absolute addressing, the flash file is located at 0x0 to 0x20000. Flash gets hidden by the CPU at the following locations (a feature of C16x): 0x0e000 - 0x0e7ff and 0x0ef00 - 0x0ffff, but in the file these only contain ff.
I might be missing something, but there are some things I cannot understand. My problem is that there is also absolute addressing to a handful of addresses that do not contain code but rather data or ASCII, and since DPP doesn't affect absolute addressing I am stuck.
Example (perfectly OK code, and not data that could be interpreted as code):
ROM:8000 ; =============== S U B R O U T I N E =======================================
ROM:8000
ROM:8000
ROM:8000 sub_8000:                       ; CODE XREF: ROM:8048P
ROM:8000                                 ; ROM:8148P ...
ROM:8000 movb byte_E152, ZEROS
ROM:8004 movb rl4, #8
ROM:8006 movb byte_E153, rl4
ROM:800A mov word_E154, ZEROS
ROM:800E mov word_E156, ZEROS            F6 8E 56 E1
ROM:8012 mov word_E158, ZEROS            F6 8E 58 E1
ROM:8016 mov word_E15A, ZEROS            F6 8E 5A E1
ROM:801A mov word_E15C, ZEROS            F6 8E 5C E1
ROM:801E mov r12, #6054h                 E6 FC 54 60
ROM:8022 calls 0, loc_6E8C               DA 00 8C 6E
ROM:8026 calls 0, unk_6D94               DA 00 94 6D
ROM:802A calls 0, unk_6FAE               DA 00 AE 6F
ROM:802E rets                            DB 00
ROM:802E ; End of function sub_8000
I've not had time to look for specific functions like communication yet.
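To place operands like byte_E152 against the memory map DT describes, the following is an added example (not DT's code and not an IDA script) that models the C166 long-addressing rule: a 16-bit "mem" operand is split into a 2-bit DPP selector (bits 15..14) and a 14-bit page offset, and each DPP register supplies a 10-bit physical page number, so with the reset values DPP0..3 = 0..3 (dream3R's "0, 1, 2 + 3") page 3 maps to segment 0 at 0xC000..0xFFFF. The hidden windows, the 0x20000 flash extent and the interpretation of `calls seg, off` as a seg:off 24-bit target are taken from the post; the repointed DPP2=5 case is a hypothetical setting used only to show the effect.

```python
# Added example (not DT's or IDA's code): how a C16x core forms a 24-bit
# physical address from a 16-bit operand, placed against the map DT describes.

FLASH_END = 0x20000   # per DT: the flash image covers 0x0 .. 0x20000

# DT's "hidden" windows: internal resources that overlay external flash in segment 0.
HIDDEN_RANGES = ((0x0E000, 0x0E7FF), (0x0EF00, 0x0FFFF))

# C166 reset values of DPP0..DPP3: data page n -> physical page n.
DPP_RESET = (0x000, 0x001, 0x002, 0x003)


def dpp_translate(addr16, dpp=DPP_RESET):
    """Long (16-bit 'mem') addressing: bits 15..14 pick DPPx, low 14 bits are the page offset.
    Each DPP holds a 10-bit page number, so the result is a 24-bit physical address."""
    if not 0 <= addr16 <= 0xFFFF:
        raise ValueError("16-bit operand address expected")
    page = dpp[addr16 >> 14] & 0x3FF
    return (page << 14) | (addr16 & 0x3FFF)


def calls_target(seg, off16):
    """'calls seg, off': CSP is loaded with seg, so the target is seg:off as a 24-bit address."""
    return ((seg & 0xFF) << 16) | (off16 & 0xFFFF)


def classify(phys):
    """Say where a physical address lands in the map DT describes."""
    for lo, hi in HIDDEN_RANGES:
        if lo <= phys <= hi:
            return "internal (hidden from flash)"
    if phys < FLASH_END:
        return "flash"
    return "outside image"


def explain(addr16, dpp=DPP_RESET):
    """Translate a 16-bit operand and classify the result."""
    phys = dpp_translate(addr16, dpp)
    return phys, classify(phys)


if __name__ == "__main__":
    # Operands from the sub_8000 listing: E152h resolves through DPP3 into the
    # hidden internal window, which is why IDA shows data there rather than code.
    for a in (0xE152, 0x8000, 0x6054):
        phys, where = explain(a)
        print(f"{a:04X}h -> {phys:06X}h  {where}")
    # Hypothetical: the same operand with DPP2 repointed to page 5 lands elsewhere.
    print(f"8000h with DPP2=5 -> {dpp_translate(0x8000, (0, 1, 5, 3)):06X}h")
    print(f"calls 0, 6E8Ch -> {calls_target(0, 0x6E8C):06X}h")
    print(f"calls 1, 0356h -> {calls_target(1, 0x0356):06X}h")
```

Running it with the reset DPPs, E152h resolves to 0x0E152 inside the first hidden window while 8000h and 6054h stay in flash; `calls 1, 0356h` resolves to 0x10356, which matches the sub_10356 name IDA gave in the seg009 listing later in the thread, so the segment-based call translation and the DPP-based data translation can be checked against each other when a DPP value looks wrong.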
dream3R
« Reply #206 on: January 05, 2016, 11:13:05 PM »
ROMEN=0 in SYSCON (1204h) indicates that the internal ROM is disabled. BUSCON0 #48Eh: BTYP=10, 16-bit demultiplexed.
P0H.4-3 (SALSEL) is probably 11 at startup/reset, hence 256Kb (default without pull-downs).
From what I can see from absolute addressing, the flash file is located at 0x0 to 0x20000. Flash gets hidden by the CPU at the following locations (a feature of C16x): 0x0e000 - 0x0e7ff and 0x0ef00 - 0x0ffff, but in the file these only contain ff.
I might be missing something, but there are some things I cannot understand. My problem is that there is also absolute addressing to a handful of addresses that do not contain code but rather data or ASCII, and since DPP doesn't affect absolute addressing I am stuck.
Example (perfectly OK code, and not data that could be interpreted as code):
ROM:8000 ; =============== S U B R O U T I N E =======================================
ROM:8000
ROM:8000
ROM:8000 sub_8000:                       ; CODE XREF: ROM:8048P
ROM:8000                                 ; ROM:8148P ...
ROM:8000 movb byte_E152, ZEROS
ROM:8004 movb rl4, #8
ROM:8006 movb byte_E153, rl4
ROM:800A mov word_E154, ZEROS
ROM:800E mov word_E156, ZEROS            F6 8E 56 E1
ROM:8012 mov word_E158, ZEROS            F6 8E 58 E1
ROM:8016 mov word_E15A, ZEROS            F6 8E 5A E1
ROM:801A mov word_E15C, ZEROS            F6 8E 5C E1
ROM:801E mov r12, #6054h                 E6 FC 54 60
ROM:8022 calls 0, loc_6E8C               DA 00 8C 6E
ROM:8026 calls 0, unk_6D94               DA 00 94 6D
ROM:802A calls 0, unk_6FAE               DA 00 AE 6F
ROM:802E rets                            DB 00
ROM:802E ; End of function sub_8000
I've not had time to look for specific functions like communication yet.

That's interesting. Did you find the DPP settings? To me it looks like the segment DPP is wrong.
dream3R
« Reply #207 on: January 05, 2016, 11:20:46 PM »
DPPs, lol: 0, 1, 2 + 3, the IDA default as well, so easy.
dream3R
« Reply #208 on: January 06, 2016, 12:30:28 AM »
Byte 8000h is added to a register in the STUTRAP_handler, how odd; it's definitely code though?
Also the MEM_EXT:8F98 location calls a function, look, it's ASCII lol
edit: I don't think 0x8000 is a function, it's a struct/table...
« Last Edit: January 06, 2016, 12:53:10 AM by dream3R »
john9357
« Reply #209 on: January 06, 2016, 09:34:19 AM »
I found the different IDs used for CAN:
seg009:0006 ; sub_12766+40P
seg009:0006 calls 1, sub_10356
seg009:000A mov r12, #6000h
seg009:000E calls 1, sub_14314
seg009:0012 calls 1, sub_1442A
seg009:0016 mov r12, #1
seg009:0018 mov r13, #280h ; id can motor1
seg009:001C calls 1, sub_1463C
seg009:0020 mov r12, #2
seg009:0022 mov r13, #288h ; id can motor2
seg009:0026 calls 1, sub_1463C
seg009:002A mov r12, #3
seg009:002C mov r13, #480h ; id can motor3
seg009:0030 calls 1, sub_1463C
seg009:0034 mov r12, #7
seg009:0036 mov r13, #320h ; id can instrument
seg009:003A calls 1, sub_1463C
seg009:003E mov r12, #4
seg009:0040 mov r13, #1A0h ; id can abs1
seg009:0044 calls 1, sub_1463C
seg009:0048 mov r12, #5
seg009:004A mov r13, #4A0h ; id can abs2
seg009:004E calls 1, sub_1463C
seg009:0052 mov r12, #6
seg009:0054 mov r13, #2A0h ; id can abs3
seg009:0058 calls 1, sub_1463C
seg009:005C mov r12, #8
seg009:005E mov r13, #6C0h ; id can ?
seg009:0062 calls 1, sub_1463C
seg009:0066 mov r12, #0Ah
seg009:0068 mov r13, #6C1h ; id can ?
seg009:006C calls 1, sub_1463C
seg009:0070 mov r12, #0Eh
seg009:0072 mov r13, #2C0h ; id can allroad
seg009:0076 calls 1, sub_1463C
seg009:007A mov r12, #0Bh
seg009:007C mov r13, #6C2h ; id can ?
seg009:0080 calls 1, sub_1463C
seg009:0084 mov r12, #0Ch
seg009:0086 mov r13, #6C3h ; id can ?
seg009:008A calls 1, sub_1463C
seg009:008E mov r12, #0Dh
seg009:0090 mov r13, #6C4h ; id can ?
seg009:0094 calls 1, sub_1463C
seg009:0098 calls 1, sub_143E8
seg009:009C rets
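The routine above registers one CAN identifier per call, with the slot number in r12 and the identifier in r13. As an added example (not john9357's code and not an IDA script), here is a small Python parser that pulls those (slot, identifier) pairs out of IDA listing text of this shape, checks that each identifier fits the 11-bit standard-frame range, and reports slot numbers that were skipped. It assumes, as the comments in the listing suggest, that sub_1463C is the registration routine and that r12/r13 carry its two arguments; the embedded sample is the posted routine with its first two calls dropped, and the missing-slot report is an observation about the sample, not a statement about the controller.

```python
import re

# Constructed sample input, taken from the CAN setup routine john9357 posted
# (the two calls before the first mov are omitted; nothing else changed).
LISTING = """\
seg009:000A mov r12, #6000h
seg009:000E calls 1, sub_14314
seg009:0016 mov r12, #1
seg009:0018 mov r13, #280h ; id can motor1
seg009:001C calls 1, sub_1463C
seg009:0020 mov r12, #2
seg009:0022 mov r13, #288h ; id can motor2
seg009:0026 calls 1, sub_1463C
seg009:002A mov r12, #3
seg009:002C mov r13, #480h ; id can motor3
seg009:0030 calls 1, sub_1463C
seg009:0034 mov r12, #7
seg009:0036 mov r13, #320h ; id can instrument
seg009:003A calls 1, sub_1463C
seg009:003E mov r12, #4
seg009:0040 mov r13, #1A0h ; id can abs1
seg009:0044 calls 1, sub_1463C
seg009:0048 mov r12, #5
seg009:004A mov r13, #4A0h ; id can abs2
seg009:004E calls 1, sub_1463C
seg009:0052 mov r12, #6
seg009:0054 mov r13, #2A0h ; id can abs3
seg009:0058 calls 1, sub_1463C
seg009:005C mov r12, #8
seg009:005E mov r13, #6C0h ; id can ?
seg009:0062 calls 1, sub_1463C
seg009:0066 mov r12, #0Ah
seg009:0068 mov r13, #6C1h ; id can ?
seg009:006C calls 1, sub_1463C
seg009:0070 mov r12, #0Eh
seg009:0072 mov r13, #2C0h ; id can allroad
seg009:0076 calls 1, sub_1463C
seg009:007A mov r12, #0Bh
seg009:007C mov r13, #6C2h ; id can ?
seg009:0080 calls 1, sub_1463C
seg009:0084 mov r12, #0Ch
seg009:0086 mov r13, #6C3h ; id can ?
seg009:008A calls 1, sub_1463C
seg009:008E mov r12, #0Dh
seg009:0090 mov r13, #6C4h ; id can ?
seg009:0094 calls 1, sub_1463C
seg009:0098 calls 1, sub_143E8
seg009:009C rets
"""

REGISTER_FN = "sub_1463C"  # assumed: the routine that takes (slot in r12, CAN id in r13)

# address, mnemonic, operands, optional "; comment"
LINE_RE = re.compile(r"^\s*\w+:[0-9A-Fa-f]+\s+(?P<mnem>\w+)\s*(?P<ops>[^;]*?)\s*(?:;\s*(?P<cmt>.*))?$")


def parse_ida_imm(tok):
    """IDA/Keil-style immediate: '#280h' -> 0x280, '#0Ah' -> 10, '#1' -> 1."""
    tok = tok.strip().lstrip("#")
    return int(tok[:-1], 16) if tok[-1] in "hH" else int(tok, 10)


def extract_can_ids(listing, register_fn=REGISTER_FN):
    """Return [(slot, can_id, comment)] for every mov r12 / mov r13 / calls register_fn group."""
    found, pending = [], {}
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mnem, ops, cmt = m.group("mnem"), m.group("ops"), (m.group("cmt") or "").strip()
        if mnem == "mov" and ops.startswith(("r12,", "r13,")):
            reg, imm = (p.strip() for p in ops.split(",", 1))
            pending[reg] = (parse_ida_imm(imm), cmt)
        elif mnem == "calls":
            if ops.split(",")[-1].strip() == register_fn and "r12" in pending and "r13" in pending:
                slot = pending["r12"][0]
                can_id, comment = pending["r13"]
                if can_id > 0x7FF:  # standard-frame identifiers are 11 bits
                    raise ValueError(f"slot {slot}: {can_id:#x} is not an 11-bit CAN id")
                found.append((slot, can_id, comment))
            pending = {}  # any call consumes the argument registers (e.g. the #6000h above)
    return found


def missing_slots(entries):
    """Slot numbers skipped between the lowest and highest used; gaps hint at unused objects."""
    used = {slot for slot, _, _ in entries}
    return sorted(set(range(min(used), max(used) + 1)) - used)


if __name__ == "__main__":
    ids = extract_can_ids(LISTING)
    for slot, can_id, comment in ids:
        print(f"slot {slot:2d}  id {can_id:03X}h  {comment}")
    print("unused slots:", missing_slots(ids))
```

The parser resets its pending arguments on every `calls`, so the `mov r12, #6000h` that feeds sub_14314 is not mistaken for a slot number, and it refuses identifiers above 7FFh, which would indicate either a mis-read immediate or an extended-frame setup that this pattern does not describe. On the sample it yields 13 entries and reports slot 9 as unused.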