i've researched a bit about motronic debugging, something for make life easier debugging the assembly code and make things easier than just IDA Pro without breakpoints and all functionallity that they comes on windows.

i've been reversing during 5 years on windows apps, but on windows is too easy to do things since we can do breakpoints, browse memory and that stuff.


for what i see, Ostrich 2.0 emulates a bin into a own memory
TunerPro RT connects to that external memory, and all the memory address loaded in the list as maps, the ostrich looks who read those address and show it real time, the same as Ollydbg function called "find who memory access on this address"

i'm not thinking on breakpointing an offset, just wanted to do some memory search for look some offsets.

with that we could do live modifications on the injected code, for test if it works or not without having to read-write process that takes time.

if people were able to do map switching through the cruise control. with memory search we could find the turn signal lights for do some shift lights at 6000 rpm code injection, find the immobilizer code and add a code cave for compare it if its for the specified car let the ecu run or not. and a tons of things.

if its compatible with ME9 we could be able to do launch control to Golf 2.0 T maybe, i dont know what processor they use.

http://www.youtube.com/watch?v=aaiCZKp0w6Y

thats a video of a s6 2.2t, i didn't searched if its using me7 but i read somewhere that ostrich is compatible with the processor that me7 uses.

just someone with knowledges and time for build an app in .net or c++ could make a memory editor / browser and searcher, like cheat engine.

happy reverse engineering 

thats right, its 8 bits emu the ostrich, i didnt find out in the wiki of nefmoto yet where says the eeprom specs of me 7.5

the same moates websites offer something called roadrunner, that works with tunerpro RT running the app emutility.

in roadrunner specs says: (http://support.moates.net/roadrunner/)

"Other Applications / Technical Specifications

The RoadRunner has been used successfully as a general purpose 16 bit data bus emulator for applications other than GM LS1.  (Bosch Motronic ME7.1 and Nissan 16 bit are the first two that come to mind.)  "

Me7.1, i think its around the same for ME 7.5 

here sells the DIY gut kit http://www.moates.net/roadrunnerdiy-guts-kit-p-118.html


this + TunerPro RT license is around 500 usd, compared to 2300 € that its ols300 looks fine for me, sadly looks too complicated to install, someone did it already?

this could be interesting for do live code injections, debuging the injected code fastly and such. awesome.

They have made it clear they don't want my business. No clue why they won't see me a product I am willing to pay for.

I'm not in the habit of playing games with people to convince them to take my money. I'm not about to start.

my point was, if you dont supply the right answer the first time then they dont deal with you. 

Roadrunner, tunerprort the nefmoto version and endian swap board.. Gives live emulation .. I use it all the time

Luckily you where told wrong! I worked with mark mansur to enable 16bit emulation on tuner pro rt..

Roadrunner is a f400/800 emulator.. You remove the original chip, solder on a header and then the roadrunner emulator attaches to the header.. This then connects to the laptop running tunerpro via USB.

The original RR is an endian swap emulator, and so either the flash has to endurance swap written to the emulator, but then causes issues with road runner, or you use an endurance swap board , which I helped Moates develop which locates between the header and emulator which does the swap for you..

Read here as it's relevant

http://nefariousmotorsports.com/forum/index.php?topic=3149.0title=

Someone found my old channel, cool...

Keep in mind, Ostrich or Roadrunner will not allow you to do what you see in that video.
I actually created some custom code which reads a point in memory + offset from RAM (in case of RPM) to show RPM real time on a map.

There is no "breakpoints" or "what accesses what" this is not a debugger, this is just an emulator.
Ostrich can not be used with ME7, it is a 8 bit emu, you would need two of them and some REALLY creating wiring to make it work. Easier to just buy RoadRunner.
Actually the easiest is buy OLS300, but considering OLS300 is basically obsolete by now (most new cars you can emulate by moving some maps to RAM and using WriteMemoryByAddress) then I don't see the point of dropping a load of cash on it.
6-7 years ago it was a great idea, nowadays not so much, but it is still nice to have.

What the RoadRunner will allow you to do is to modify maps while the engine is running.
Same for the OLS300 - in this way they do not differ much.
However, ME7 has live checksums, which sould be turned off, as well as the FLASH system won't be started with incorrect checksum (CW_NOCHKRESET, which is disabled by default). And if you don't want to risk the ECU rebooting while you change things or storing "the code of death" in EEPROM it is better to disable all this functionality.
This applies to both OLS300 and RoadRunner.

That said, for a Stage 1 tune, it will take you longer to install the emulator in the ECU than it will take you to flash, so it's pointless. It is only useful for advanced tuning where you actually need to visit the dyno or spend time dialing in custom components.
If you need to flash the ECU less than 10 times do not bother installing an emulator. I can't think of any Stage 1 where this would be the case if you even remotely know what you are doing.

If you want to know how the ECU works and what it accesses, an emulator will not help you much, the best idea is to read the FR and use IDA Pro to track the code. A LOT faster than trying to find random maps and trying to trace and screw with them. These days ME7 is basically open source.
I have never used the RoadRunner to trace, and I gave up on tracing with the Ostrich as well as soon as I wrote proper datalogging for the 2.2T ECU - no point to trace when you can setup AXDX in TunerPro on every axis, which works a LOT better.