Title: ME7.1.x Reading and Writing to the Serial EEPROM and RAM Mirror
Post by: nubcake on November 01, 2015, 08:46:20 AM

Necro bump!

Don't you hate it when someone asks a question and then posts something like "fixed" or "solved" without describing the actual fix? I surely do! ;D

Anyway, I wanted to play with EEPROM in my ME7.1.1 ECU. Since I already have the R-box disassembled and defined, I went to take a look at it (thanks, sweegie!). I then cheated and did a very "ghetto" thing (not proud): simply found the similar pattern in my BIN (well, looking in approx the same memory region). Then I went and read it with ME7L in my car and it indeed was spot on!

With one minor exception: EEPROM is mapped not in a direct or raw way. What I mean by that is: RAM image starts from the second EEPROM page (first one is skipped), there are no "backup" pages either.

Here's the pic of the "reference" structure from IDA (for ME7.1.1 anyway): (http://i.imgur.com/rWp1FwA.jpg)

Post by: TijnCU on January 20, 2017, 04:13:17 AM

I can confirm what nubcake has written above, I found in my ecu (4B0906018CA) that the EEPROM is mirrored in RAM from 383B3C (eeprom 0x0010). I also just looked for the same pattern in IDA from 383000 up ;D
* I am playing with the eeprom now, I came up with this idea to write and correct checksum in 1 routine. For example, checksum in word 0xfe is for example something like FFFC, I write the byte I use in this page and then do a subtraction of all byte addresses 0xf0 up to 0xfd from FFFC and write that value back to word 0xfe. Can anyone confirm I can get away with this auto checksumming of the eeprom?

Post by: nubcake on January 21, 2017, 02:46:45 PM

I have since found out that it's quite easy to find the reference to start of ME7 EEPROM memory mirror by looking around "VARCODE" functions. They are quite easy to backtrack by looking where "vkASRantrieb" (picked up by me7info) is written to. Then you go a couple of function X-REFs back, scroll to the bottom and find:
Code:
mov r2, #eeprom_start

That reference is usually picked up by IDA as just a hex offset, you have to press "o" to get it to display like a memory var.

RE: the checksum - didn't really play with it, but there already should be a function to correct it. So it's much easier to find and call it, than write your own routine.

We're also a bit offtopic here, since the thread title says "MED9". :P

Post by: gman86 on January 21, 2017, 07:51:20 PM

Smashing. I get excited when I see MED9 threads get updated. This is the ultimate cock tease. Could we split it off?

Post by: TijnCU on January 22, 2017, 03:47:14 AM

I agree, but great info! Nyet, can you split this to a new me7 eeprom thread?
I have found out that it is not possible to write the eeprom by altering the ram mirror. It seems to be a slave of the eeprom, after power off it copies those values again. I am currently trying to disassemble lemmiwinks to find out how they get their program to find the adaption blocks. I have never used that program before, but it works okay for quick placing of odd values in the eeprom ::)

Post by: eliotroyano on January 22, 2017, 07:14:12 PM

I am impressed that Bosch still uses old strategies in new ECUs. M38x and M592 eeprom is located in RAM memory when ECU starts up too.

Post by: Teitek on January 29, 2018, 04:53:00 PM

Quote from: TijnCU on January 20, 2017, 04:13:17 AM
I can confirm what nubcake has written above, I found in my ecu (4B0906018CA) that the EEPROM is mirrored in RAM from 383B3C (eeprom 0x0010). I also just looked for the same pattern in IDA from 383000 up ;D
* I am playing with the eeprom now, I came up with this idea to write and correct checksum in 1 routine. For example, checksum in word 0xfe is for example something like FFFC, I write the byte I use in this page and then do a subtraction of all byte addresses 0xf0 up to 0xfd from FFFC and write that value back to word 0xfe. Can anyone confirm I can get away with this auto checksumming of the eeprom?

Have you tried to fix the checksum after modifying a position of the mirror? Does it work in a similar way to MED9?

Post by: BWF on April 11, 2020, 07:13:19 AM

Good afternoon, I would also like to find the mirror of the eeprom in my ME7.5.
Following the information of "nubcake" I find the address of vkASRAntrieb, and I look for the XRef, but I don't find anything similar to what he says. Is there any other way to find it? In EDC15 the eeprom is from C800, but this is not the case.
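
The pattern search nubcake and TijnCU describe earlier in the thread can be scripted against an EEPROM dump and a RAM dump. This is an added example, not code from any poster; the function names, the 8-byte match key and the sample dumps are constructed assumptions.

```python
PAGE = 16     # EEPROM page size, assumed from the 0x0010 offset quoted in the thread
KEY_LEN = 8   # assumption: the first 8 bytes of a page are enough to identify it


def map_pages(eeprom, ram, ram_base):
    """Place each EEPROM page in a RAM dump that starts at address ram_base.

    Returns (mirrored, backups, missing):
      mirrored  {eeprom_offset: ram_address}, first page to claim an address
      backups   EEPROM offsets whose content sits at an already claimed address
      missing   EEPROM offsets not found, or found more than once, in RAM
    Pages whose key is a single repeated byte (erased) are ignored.
    """
    mirrored, backups, missing, claimed = {}, [], [], set()
    for off in range(0, len(eeprom) - PAGE + 1, PAGE):
        key = eeprom[off:off + KEY_LEN]
        if len(set(key)) == 1:
            continue
        pos = ram.find(key)
        if pos < 0 or ram.find(key, pos + 1) >= 0:
            missing.append(off)
        elif pos in claimed:
            backups.append(off)
        else:
            claimed.add(pos)
            mirrored[off] = ram_base + pos
    return mirrored, backups, missing


def sample():
    """Constructed dumps: page 0 is not mirrored, page 0x20 has a backup at 0x30."""
    pages = [bytes((i * 37 + p * 11) % 251 for i in range(PAGE)) for p in range(4)]
    eeprom = pages[0] + pages[1] + pages[2] + pages[2] + pages[3]
    ram = bytes(0x3C) + pages[1] + pages[2] + pages[3] + bytes(32)
    return eeprom, ram, 0x383B00   # base chosen so page 0x10 lands on 0x383B3C


if __name__ == "__main__":
    mirrored, backups, missing = map_pages(*sample())
    for off, addr in sorted(mirrored.items()):
        print(f"EEPROM 0x{off:04X} -> RAM 0x{addr:06X}")
    print("backup copies (no RAM slot of their own):", [hex(o) for o in backups])
    print("not mirrored:", [hex(o) for o in missing])
```

With real dumps, the lowest address in `mirrored` is the start of the mirror, and the gaps in its EEPROM offsets show which pages the ECU leaves out of RAM.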