Print Page - ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)

Ok guys...

I present to you the first (beta) of useful code showing how to do all kinds of things with ME7 rom's. The aim is that you will eventually need NO OTHER tools to analyse a ME7 rom. (commercial or otherwise).
Its starting to be possible to do so much that its easier to call it a swiss army knife tool for ME7's ROM's. :)

I've just done a first cut of the map finder. Its very rough (but simple code!) at the moment but I will expand this to pretty much be able to identify ALL MAP's automatically AND label them. I can do this (unlike some commercial software!) because of the unique way this tool approaches it. Its very good at finding them in roms I have never even see before but derived from the same code base.

Q. So how does it work?
The idea is we directly search for 'masked signatures' in the rom in the machine code sub-routines which ACCESS the maps.

Q. What are masked signatures?

They are sinippets of rom code with all of the relocation and segment address information removed. We do this since this is essentially what changes with recompiliation and across different roms. By removing what changes we get a powerful way to identify sub-routines independent of the actual rom file version.

So if the rom accesses the maps for example we can find that specific generic code and then work back from there. After matching it (ignoring all of the relocation and segments) we extract the actual segment information and then re-calcuate the physical addresses from the segments, then mask those addresses to reveal the byte offset form the start of the rom! We can then use this offset to dump the maps... Its a very powerful method because of the way we mask the code. The approach of masking all segment and relocation information out of the signatures means it works on any ME7x rom file compiled for C167x cpu and works right across a huge number of rom variants.

Right now the first version of the Map finder is just showing X-Axis tables (entire set of rom tables will come shortly and then we can easily match them too!)... But ofcourse its quite simple to make this work for ALL the ROM resident tables and then we can start to identify the sub-routines with further signature bytes and automatically label all of those tables too.

...This is a far better way than 'guessing' the maps knowing they reside (as some even commercial tools do) within a certain range in the rom. This guarentee's your actually looking at real tables.

Development wise the next step is to push the table start addresses into a hash table to make it easy to de-duplicate them so you don't find calls to the lookups to the same tables (happens occasionally since we are walking through the rom code and literaly picking up ALL of the accesses to the tables.

Hope this makes sense. Its called ME7RomTool_Ferrari (since that's my main focus) however be assured it does work with many many variants i've been continuing to download and test it with...

https://github.com/360trev/ME7RomTool_Ferrari (https://github.com/360trev/ME7RomTool_Ferrari)

and here's the generic map (X-Axis only for now!) finder in action on the same Ferrari 360 rom file...

-[ Generic X-Axis MAP Table Scanner! ]---------------------------------------------------------------------

>>> Scanning for Map Tables #1 Checking sub-routine [map finder!]

[Map #1] X-Axis Map function found at: offset=0x33eb0 phy:0x1805f, file-offset=0x18060 x-axis=8
   14 19 26 32 3e 4b 58 64

[Map #2] X-Axis Map function found at: offset=0x3fc36 phy:0x18074, file-offset=0x18075 x-axis=5
   40 4d 5b 68 76

[Map #3] X-Axis Map function found at: offset=0x441da phy:0x1810c, file-offset=0x1810d x-axis=16
   14 1e 28 32 3c 46 50 5a 64 6e 78 82 8c 94 9b a3

[Map #4] X-Axis Map function found at: offset=0x441f2 phy:0x18137, file-offset=0x18138 x-axis=4
   34 5d 85 ad

[Map #5] X-Axis Map function found at: offset=0x44434 phy:0x181bc, file-offset=0x181bd x-axis=6
   00 02 14 1e 28 3c

[Map #6] X-Axis Map function found at: offset=0x44482 phy:0x180d5, file-offset=0x180d6 x-axis=8
   0d 19 26 32 4b 64 7d 96

[Map #7] X-Axis Map function found at: offset=0x444ca phy:0x180c0, file-offset=0x180c1 x-axis=5
   23 28 2d 32 37

[Map #8] X-Axis Map function found at: offset=0x444e2 phy:0x180a3, file-offset=0x180a4 x-axis=5
   08 0d 11 18 20

[Map #9] X-Axis Map function found at: offset=0x4452e phy:0x181c3, file-offset=0x181c4 x-axis=8
   1e 3c 5a 78 96 b4 d2 f0

[Map #10] X-Axis Map function found at: offset=0x44546 phy:0x180de, file-offset=0x180df x-axis=8
   26 32 4b 58 64 7d 8a 96

[Map #11] X-Axis Map function found at: offset=0x44576 phy:0x1811d, file-offset=0x1811e x-axis=16
   26 2c 32 38 3f 45 4b 51 58 64 6a 71 76 8a 96 a3

[Map #12] X-Axis Map function found at: offset=0x4458e phy:0x18161, file-offset=0x18162 x-axis=8
   33 40 54 61 90 9d b8 c5

[Map #13] X-Axis Map function found at: offset=0x445c6 phy:0x181e2, file-offset=0x181e3 x-axis=8
   00 03 06 09 0c 0f 12 15

[Map #14] X-Axis Map function found at: offset=0x445de phy:0x181eb, file-offset=0x181ec x-axis=8
   00 03 06 09 0c 0f 12 15

[Map #15] X-Axis Map function found at: offset=0x446aa phy:0x180fb, file-offset=0x180fc x-axis=16
   10 15 19 1f 26 2c 32 38 3f 45 4b 58 64 71 7d 96

[Map #16] X-Axis Map function found at: offset=0x446c2 phy:0x1813c, file-offset=0x1813d x-axis=8
   0a 14 1e 32 46 50 64 78

[Map #17] X-Axis Map function found at: offset=0x446f6 phy:0x180b7, file-offset=0x180b8 x-axis=8
   03 05 08 14 1e 32 50 64

[Map #18] X-Axis Map function found at: offset=0x4470e phy:0x180e7, file-offset=0x180e8 x-axis=8
   14 19 32 3c 4b 64 7d 96

[Map #19] X-Axis Map function found at: offset=0x44726 phy:0x180f0, file-offset=0x180f1 x-axis=10
   0f 16 1e 25 2d 37 41 50 64 82

[Map #20] X-Axis Map function found at: offset=0x4473e phy:0x18080, file-offset=0x18081 x-axis=10
   0a 17 29 40 54 6b 80 a4 cd ff

[Map #21] X-Axis Map function found at: offset=0x44756 phy:0x180a9, file-offset=0x180aa x-axis=6
   05 0d 19 32 64 c8

[Map #22] X-Axis Map function found at: offset=0x4476e phy:0x18092, file-offset=0x18093 x-axis=5
   59 73 80 8c a7

[Map #23] X-Axis Map function found at: offset=0x44786 phy:0x1816f, file-offset=0x18170 x-axis=4
   25 4d 68 ab

[Map #24] X-Axis Map function found at: offset=0x4479e phy:0x1810c, file-offset=0x1810d x-axis=16
   14 1e 28 32 3c 46 50 5a 64 6e 78 82 8c 94 9b a3

[Map #25] X-Axis Map function found at: offset=0x447b6 phy:0x18137, file-offset=0x18138 x-axis=4
   34 5d 85 ad

[Map #26] X-Axis Map function found at: offset=0x447ce phy:0x1e288, file-offset=0x1e289 x-axis=4
   00 1b 00 2f

[Map #27] X-Axis Map function found at: offset=0x447e6 phy:0x180cd, file-offset=0x180ce x-axis=7
   14 1e 2d 3c 50 64 7d

[Map #28] X-Axis Map function found at: offset=0x44816 phy:0x1819a, file-offset=0x1819b x-axis=9
   18 33 40 4d 61 75 90 ab c5

[Map #29] X-Axis Map function found at: offset=0x44868 phy:0x18181, file-offset=0x18182 x-axis=6
   0b 25 40 5b 90 b8

[Map #30] X-Axis Map function found at: offset=0x44880 phy:0x18191, file-offset=0x18192 x-axis=8
   0b 25 33 40 4d 5b 90 b8

[Map #31] X-Axis Map function found at: offset=0x448d8 phy:0x1817a, file-offset=0x1817b x-axis=6
   11 25 40 5b 75 ab

[Map #32] X-Axis Map function found at: offset=0x44978 phy:0x180b0, file-offset=0x180b1 x-axis=6
   02 19 32 4b 64 7d

[Map #33] X-Axis Map function found at: offset=0x44ec6 phy:0x1e382, file-offset=0x1e383 x-axis=4
   00 25 00 40

[Map #34] X-Axis Map function found at: offset=0x48aa2 phy:0x1eb26, file-offset=0x1eb27 x-axis=4
   00 2b 00 2c

... cut ... cut ...

[Map #80] X-Axis Map function found at: offset=0x7f510 phy:0x19d2e, file-offset=0x19d2f x-axis=10
   0a 14 1e 28 32 46 5a 78 96 f0

[Map #81] X-Axis Map function found at: offset=0x81ecc phy:0x23fd6, file-offset=0x23fd7 x-axis=4
   00 00 00 04
No match found

Quote from: prj on September 06, 2018, 05:11:37 AM

That's pretty cool, but I did this like 6 years ago: http://nefariousmotorsports.com/forum/index.php?topic=2703.0 (http://nefariousmotorsports.com/forum/index.php?topic=2703.0)

Just saying :p

Hello prj, I know sir, your a guru on here ;) ...The aim here is a bit different...
I'm going to make it possible to extract and re-insert changed maps and automatically recalc sums. So its trivial to swap maps from one rom to another or make changes and repatch them in with no extra tools... I will do a gui frontend to 'control' this...

Did I mention it does summing too and works with multiple variants of signatures including support for 1Mb files too?

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
main rom dppX byte sequence #1 found at offset=0x246.

dpp0: (seg: 0x0004 phy:0x00010000)
dpp1: (seg: 0x0005 phy:0x00014000)
dpp2: (seg: 0x00c0 phy:0x00300000) ram start address
dpp2: (seg: 0x0003 phy:0x0000c000) cpu registers

Note: dpp3 is always 3, otherwise accessing CPU register area not possible

-[ Main-Rom Checksum Analysis ]----------------------------------------------------------

>>> Scanning for Main ROM Checksum sub-routine #1 [to extract number of entries in table]
main checksum byte sequence #1 found at offset=0xbfb82.
Found #3 Regional Block Entries in table

>>> Scanning for Main ROM Checksum sub-routine #2 [to extract Start/End regions]
main checksum byte sequence #2 found at offset=0xbfb46.

Main Region Block #1:
lo:0x293b4.W hi:0x293b6.W (seg: 0xa phy:0x293b4) : 0xc000
lo:0x293b8.W hi:0x293ba.W (seg: 0xa phy:0x293b8) : 0xdfff sum=43d88af ~sum=fbc27750 : acc_sum=0
Main Region Block #2:
lo:0x293bc.W hi:0x293be.W (seg: 0xa phy:0x293bc) : 0x10900
lo:0x293c0.W hi:0x293c2.W (seg: 0xa phy:0x293c0) : 0x1f7ff sum=1b08c4eb ~sum=e4f73b14 : acc_sum=43d88af
Main Region Block #3:
lo:0x293c4.W hi:0x293c6.W (seg: 0xa phy:0x293c4) : 0x1fc00
lo:0x293c8.W hi:0x293ca.W (seg: 0xa phy:0x293c8) : 0xcffff sum=5279cec5 ~sum=ad86313a : acc_sum=1f464d9a

Final Main ROM Checksum calculation: 0x71c01c5f (after 3 rounds)
Final Main ROM Checksum calculation: ~0x8e3fe3a0

>>> Scanning for Main ROM Checksum sub-routine #3 variant #A [to extract stored checksums and locations in ROM]
main checksum byte sequence #3 block found at offset=0xbfbee.

Stored Main ROM Block Checksum:
lo:0xffff0.W hi:0xffff2.W (seg: 0x3f phy:0xffff0) : 0x71c01c5f
Stored Main ROM Block ~Checksum:
lo:0xffff4.W hi:0xffff6.W (seg: 0x3f phy:0xffff4) : 0x8e3fe3a0

MAIN STORED ROM CHECKSUM: 0x71c01c5f ? 0x71c01c5f : OK! ~CHECKSUM: 0x8e3fe3a0 ? 0x8e3fe3a0 : OK!

-[ Multipoint Checksum Analysis ]--------------------------------------------------------

>>> Scanning for Multipoint Checksum sub-routine #1 Variant A [to extract number entries in stored checksum list in ROM]
Found at offset=0xbe32a.
Found #48 Multipoint Entries in table

>>> Scanning for Multipoint Checksum sub-routine #2 Variant A [to extract address of stored checksum list location in ROM]
Found at offset=0xbe5ac.

Multipoint Block #01 of #48:
lo:0x1f800.L (seg: 0x7 phy:0x1f800) : Start: seg:0x0 phy:0x00000000 (offset: 0x00000000)
lo:0x1f804.L (seg: 0x7 phy:0x1f804) : End: seg:0x0 phy:0x000001ff (offset: 0x000001ff)
lo:0x1f808.L (seg: 0x7 phy:0x1f808) : Block Checksum: 0x00407600 : Calculated: 0x00407600 OK
lo:0x1f80c.L (seg: 0x7 phy:0x1f80c) : ~Block Checksum: 0xffbf89ff : ~Calculated: 0xffbf89ff OK
Multipoint Block #02 of #48:
lo:0x1f810.L (seg: 0x7 phy:0x1f810) : Start: seg:0x0 phy:0x00000000 (offset: 0x00000000)
lo:0x1f814.L (seg: 0x7 phy:0x1f814) : End: seg:0x0 phy:0x000001ff (offset: 0x000001ff)
lo:0x1f818.L (seg: 0x7 phy:0x1f818) : Block Checksum: 0x00407600 : Calculated: 0x00407600 OK
lo:0x1f81c.L (seg: 0x7 phy:0x1f81c) : ~Block Checksum: 0xffbf89ff : ~Calculated: 0xffbf89ff OK
Multipoint Block #03 of #48:
lo:0x1f820.L (seg: 0x7 phy:0x1f820) : Start: seg:0x2 phy:0x00008000 (offset: 0x00008000)
lo:0x1f824.L (seg: 0x7 phy:0x1f824) : End: seg:0x2 phy:0x0000bfff (offset: 0x0000bfff)
lo:0x1f828.L (seg: 0x7 phy:0x1f828) : Block Checksum: 0x0da78c5f : Calculated: 0x0da78c5f OK
lo:0x1f82c.L (seg: 0x7 phy:0x1f82c) : ~Block Checksum: 0xf25873a0 : ~Calculated: 0xf25873a0 OK
Multipoint Block #04 of #48:
lo:0x1f830.L (seg: 0x7 phy:0x1f830) : Start: seg:0x3 phy:0x0000c000 (offset: 0x0000c000)
lo:0x1f834.L (seg: 0x7 phy:0x1f834) : End: seg:0x3 phy:0x0000dfff (offset: 0x0000dfff)
lo:0x1f838.L (seg: 0x7 phy:0x1f838) : Block Checksum: 0x043d88af : Calculated: 0x043d88af OK
lo:0x1f83c.L (seg: 0x7 phy:0x1f83c) : ~Block Checksum: 0xfbc27750 : ~Calculated: 0xfbc27750 OK
Multipoint Block #05 of #48:
lo:0x1f840.L (seg: 0x7 phy:0x1f840) : Start: seg:0x4 phy:0x00010900 (offset: 0x00010900)
lo:0x1f844.L (seg: 0x7 phy:0x1f844) : End: seg:0x4 phy:0x00013fff (offset: 0x00013fff)
lo:0x1f848.L (seg: 0x7 phy:0x1f848) : Block Checksum: 0x07e64140 : Calculated: 0x07e64140 OK
lo:0x1f84c.L (seg: 0x7 phy:0x1f84c) : ~Block Checksum: 0xf819bebf : ~Calculated: 0xf819bebf OK
Multipoint Block #06 of #48:
lo:0x1f850.L (seg: 0x7 phy:0x1f850) : Start: seg:0x5 phy:0x00014000 (offset: 0x00014000)
lo:0x1f854.L (seg: 0x7 phy:0x1f854) : End: seg:0x5 phy:0x00017f67 (offset: 0x00017f67)
lo:0x1f858.L (seg: 0x7 phy:0x1f858) : Block Checksum: 0x082369b2 : Calculated: 0x082369b2 OK
lo:0x1f85c.L (seg: 0x7 phy:0x1f85c) : ~Block Checksum: 0xf7dc964d : ~Calculated: 0xf7dc964d OK
... cut...

For anyone tracking this project, I've just made some updates today to automated map detection routines.
On 1mb roms now its detecting a large number maps without individual signatures. With some more work it should be able to detect 100% of all maps automatically ;)

For example on the rom file "06A906032DS 0261207080 360930" it detects 115 maps...

e.g.;

--- cut --- cut

------------------------------------------------------------------
[Map #113] Multi Axis Map function found at: offset=0x95928

Table : Identification not yet implemented (coming soon!)
X-Axis : 4 rows
Y-Axis : 4 rows

[ 1 ]-- [ 2 ]-- [ 3 ]-- [ 4 ]--
2626 2626 2626 2626 [ 1 ]
2626 2626 2626 2626 [ 2 ]
2626 2626 2626 2626 [ 3 ]
2626 2626 404 755a [ 4 ]

------------------------------------------------------------------
[Map #114] Multi Axis Map function found at: offset=0x99762

Table : Identification not yet implemented (coming soon!)
X-Axis : 8 rows
Y-Axis : 5 rows

[ 1 ]-- [ 2 ]-- [ 3 ]-- [ 4 ]-- [ 5 ]-- [ 6 ]-- [ 7 ]-- [ 8 ]--
201 303 400 404 3 606 305 500 [ 1 ]
404 304 600 506 3 505 305 500 [ 2 ]
606 305 500 505 3 505 305 100 [ 3 ]
505 305 500 505 3 201 303 100 [ 4 ]
505 305 100 302 3 201 303 100 [ 5 ]

------------------------------------------------------------------
[Map #115] Multi Axis Map function found at: offset=0x99bf0

Table : Identification not yet implemented (coming soon!)
X-Axis : 3 rows
Y-Axis : 8 rows

[ 1 ]-- [ 2 ]-- [ 3 ]--
2000 2000 2000 [ 1 ]
2000 2000 2000 [ 2 ]
2900 2600 2300 [ 3 ]
2100 2000 2000 [ 4 ]
2580 2380 2280 [ 5 ]
2000 2000 2000 [ 6 ]
10c 3219 644b [ 7 ]
c8af fae1 ff [ 8 ]

--- cut --- cut

Thanks Nyet,

I havent done enough research on it yet but why are people referring to Absolute addresses in the external RAM range (which is a hardware configuration and NOT the same across all ME7 hardwares) ?
Some of the different ME7 ecu (Volvo, Fiat, Lancia etc.) variants for example don't use the same base addressing for their external ram layout.

Take for instance .. 2001.5 Audi S4 8D0907551M 0261207143(1).bin

Code:

Opening [b]'2001.5 Audi S4 8D0907551M 0261207143(1).bin'[/b] file
Succeded loading file.

Loaded ROM: Tool in 1Mb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
main rom dppX byte sequence #1 found at offset=0xdc08.

dpp0: (seg: 0x0204 phy:0x00810000)
dpp1: (seg: 0x0205 phy:0x00814000)
[b]dpp2: (seg: 0x00e0 phy:0x00380000) ram start address[/b]
dpp3: (seg: 0x0003 phy:0x0000c000) cpu registers

It has the 0x380000 base address for ram

vs VOLVO S60R_AUT 2.5L B5254T4 300HP NoCarPartNo 0261208289 30684626A.bin

Code:

Opening 'VOLVO S60R_AUT 2.5L B5254T4 300HP NoCarPartNo 0261208289 30684626A.bin' file
Succeded loading file.

Loaded ROM: Tool in 1Mb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
main rom dppX byte sequence #1 found at offset=0x246.

dpp0: (seg: 0x0004 phy:0x00010000)
dpp1: (seg: 0x0005 phy:0x00014000)
[b]dpp2: (seg: 0x00c0 phy:0x00300000) ram start address[/b]
dpp3: (seg: 0x0003 phy:0x0000c000) cpu registers

In this case it actually starts at 0x300000 instead...

Why therefore do we hardcode the BASE ADDRESS to $380000 ?

... when actually the value is determined by the project setup and the configuration of the DPP2 segment registers contents in the initial boot strap.

If we search the ROM bootstraip itself (Which is how my ME7RomTool does it) its quite easy to work out the external ram address by then taking the segment value and multiplying it by a page size of 16Kbytes (0x4000), which funny enough is exactly how all of the 16-bit opcodes in the machine code refer to the locations, indirectly from the DPP2 register. This affords a higher compatibility than hardcoding as we do it today and would yield compatibility with 1mb roms and many other vehicle manufacturers like Fiat's, etc, then we could just save Relative offsets from the DPP2 base address rather than directly referencing the direct base address.

Like I said I haven't yet checked if doing this would mean all the ram defines would align up on different memory maps. However really its far better to search for the needles to known functions and pull out all of the ram variables automatically thus having certainty that the correct addresses are used.

Thoughts?

For instance...

me7romtool.exe -romfile LEFT_Eddie_2004_360Spider_EU.bin -seedkey -diss

Code:

Ferrari 360 ME7.3H4 Rom Tool. *BETA TEST* Last Built: Oct 17 2018 12:51:49 v1.6
by 360trev.  Needle lookup function borrowed from nyet (Thanks man!) from
the ME7sum tool development (see github).

..Now fixed and working on 64-bit hosts, Linux, Apple and Android devices ;)

├¥ Opening 'LEFT_Eddie_2004_360Spider_EU.bin' file
Succeded loading file.

Loaded ROM: Tool in 512Kb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
0x000064A6: (+0  )  E6 00 00 00                  mov      DPP0, #0
0x000064AA: (+4  )  E6 01 05 02                  mov      DPP1, #0205h
0x000064AE: (+8  )  E6 02 E0 00                  mov      DPP2, #00E0h
0x000064B2: (+12 )  E6 03 03 00                  mov      DPP3, #3
***

main rom dppX byte sequence #1 found at offset=0x64a6.

dpp0: (seg: 0x0000 phy:0x00000000)
dpp1: (seg: 0x0205 phy:0x00814000)
dpp2: (seg: 0x00e0 phy:0x00380000) ram start address
dpp3: (seg: 0x0003 phy:0x0000c000) cpu registers

Note: dpp3 is always 3, otherwise accessing CPU register area not possible

-[ Basic Firmware information ]-----------------------------------------------------------------

>>> Scanning for ROM String Table Byte Sequence #1 [info]

found needle at offset=0x2e75e
found table at offset=00019B90.

0x0002E75E: (+0  )  F6 F4 42 E2                  mov      word_E242, r4
0x0002E762: (+4  )  F6 F5 44 E2                  mov      word_E244, r5
0x0002E766: (+8  )  9A 23 05 E0                  jnb      word_FD46.14, loc_2E774

0x0002E76A: (+12 )  E7 F8 11 00                  movb     rl4, #0011h
0x0002E76E: (+16 )  F7 F8 0A E2                  movb     byte_E20A, rl4
0x0002E772: (+20 )  0D 04                        jmpr     cc_UC, loc_2E77C

0x0002E774: (+22 )  E7 F8 14 00                  movb     rl4, #0014h
0x0002E778: (+26 )  F7 F8 0A E2                  movb     byte_E20A, rl4
0x0002E77C: (+30 )  E6 F4 22 E9                  mov      r4, #E922h
0x0002E780: (+34 )  E6 F5 82 00                  mov      r5, #0082h
0x0002E784: (+38 )  F6 F4 32 E2                  mov      word_E232, r4
0x0002E788: (+42 )  F6 F5 34 E2                  mov      word_E234, r5
0x0002E78C: (+46 )  DB 00                        rets

0x0002E78E: (+48 )  88 60                        mov      [-r0], r6
0x0002E790: (+50 )  E6 F4 86 2B                  mov      r4, #2B86h
0x0002E794: (+54 )  E6 F5 00 00                  mov      r5, #0
0x0002E798: (+58 )  F6 F4 B2 E1                  mov      word_E1B2, r4
***
Idx=1   { 185392.001              } 0x101ae : VMECUHN [Vehicle Manufacturer ECU Hardware Number SKU]
Idx=2   { 0261204841              } 0x10198 : SSECUHN [Bosch Hardware Number]
Idx=4   { 0000000000              } 0x101a3 : SSECUSN [Bosch Serial Number]
Idx=6   { F131 EU 3 c.m.          } 0x10184 : EROTAN  [Model Description]
Idx=8   { R.BOSCH001              } 0x19b84 : TESTID
Idx=10  { 069117/15L501M2         } 0x10174 : DIF
Idx=11  { 0691175H                } 0x1016b : BRIF

>>> Scanning for EPK information [info]

found needle at offset=0x27902.
EPK: @ 0x10029 { /1/ME7.3/69/117/F131_US//15l50sm2/080501/ }

-[ SeedKey Security Access ]-------------------------------------------------------------

>>> Scanning for SecurityAccessBypass() Variant #1 Checking sub-routine [allow any login seed to pass]
Found at offset=0x4746. Patch at +(0x5d) +93, 0x04 (ret=0, login failed) goes to 0x14 (ret=1, login success)
0x00004746: (+0  )  88 C0                        mov      [-r0], r12
0x00004748: (+2  )  88 90                        mov      [-r0], r9
0x0000474A: (+4  )  88 80                        mov      [-r0], r8
0x0000474C: (+6  )  88 70                        mov      [-r0], r7
0x0000474E: (+8  )  88 60                        mov      [-r0], r6
0x00004750: (+10 )  F0 7D                        mov      r7, r13
0x00004752: (+12 )  F0 8E                        mov      r8, r14
0x00004754: (+14 )  F0 9F                        mov      r9, r15
0x00004756: (+16 )  07 FE 23 00                  addb     rl7, #0023h
0x0000475A: (+20 )  47 FE 23 00                  cmpb     rl7, #0023h
0x0000475E: (+24 )  9D 02                        jmpr     cc_NC, loc_4764

0x00004760: (+26 )  E7 FE FF 00                  movb     rl7, #00FFh
0x00004764: (+30 )  E1 0C                        movb     rl6, #0
0x00004766: (+32 )  0D 12                        jmpr     cc_UC, loc_478C

0x00004768: (+34 )  46 F9 00 80                  cmp      r9, #8000h
0x0000476C: (+38 )  3D 01                        jmpr     cc_NZ, loc_4770

0x0000476E: (+40 )  48 80                        cmp      r8, #0
0x00004770: (+42 )  8D 0A                        jmpr     cc_C, loc_4786

0x00004772: (+44 )  F4 80 08 00                  movb     rl4, [r0+8]
0x00004776: (+48 )  C0 8C                        movbz    r12, rl4
0x00004778: (+50 )  F0 D8                        mov      r13, r8
0x0000477A: (+52 )  F0 E9                        mov      r14, r9
0x0000477C: (+54 )  DA 00 90 60                  calls    0h, loc_6090

0x00004780: (+58 )  F0 84                        mov      r8, r4
0x00004782: (+60 )  F0 95                        mov      r9, r5
0x00004784: (+62 )  0D 02                        jmpr     cc_UC, loc_478A

0x00004786: (+64 )  00 88                        add      r8, r8
0x00004788: (+66 )  10 99                        addc     r9, r9
0x0000478A: (+68 )  09 C1                        addb     rl6, #1
0x0000478C: (+70 )  41 CE                        cmpb     rl6, rl7
0x0000478E: (+72 )  8D EC                        jmpr     cc_C, loc_4968

0x00004790: (+74 )  D4 40 0A 00                  mov      r4, [r0+0Ah]
0x00004794: (+78 )  D4 50 0C 00                  mov      r5, [r0+0Ch]
0x00004798: (+82 )  20 48                        sub      r4, r8
0x0000479A: (+84 )  30 59                        subc     r5, r9
0x0000479C: (+86 )  3D 02                        jmpr     cc_NZ, loc_47A2
0x0000479E: (+88 )  E0 14                        mov      r4, #1
0x000047A0: (+90 )  0D 01                        jmpr     cc_UC, loc_47A4

0x000047A2: (+92 )  E0 04                        mov      r4, #0
0x000047A4: (+94 )  98 60                        mov      r6, [r0+]
0x000047A6: (+96 )  98 70                        mov      r7, [r0+]
0x000047A8: (+98 )  98 80                        mov      r8, [r0+]
0x000047AA: (+100)  98 90                        mov      r9, [r0+]
0x000047AC: (+102)  08 02                        add      r0, #2
0x000047AE: (+104)  DB 00                        rets
... cut ... cut ...

E.g...

0x00067DD0: E6 FC 970B == E6 XX 0000 ; mov : ** MATCH [4] ** 0x00067DD4: E6 FD 0602 == E6 XX 0000 ; mov : ** MATCH [4] ** 0x00067DD8: C2 FE 74F2 == C2 XX 0000 ; movbz : ** MATCH [4] ** 0x00067DDC: D7 40 E100 ~~ C2 00 0000 ; extx ... SKIP OPCODE IN NEEDLE 0x00067DE0: C2 FF 710A ~~ C2 00 0000 ; extx ... SKIP OPCODE IN BUFFER 0x00067DE0: C2 FF 710A == C2 XX 0000 ; extx ... : ** MATCH [4] ** 0x00067DE4: DA 83 DC46 == DA XX 0000 ; calls : ** MATCH [4] ** 0x00067DE8: F1 XX == F1 XX ; movb : ** MATCH [2] ** match #2 at offset 0x00067DD0 (0x2602df0) 0x00067DD0: (+0 ) E6 FC 97 0B mov r12, #0B97h 0x00067DD4: (+4 ) E6 FD 06 02 mov r13, #0206h 0x00067DD8: (+8 ) C2 FE 74 F2 movbz r14, byte_F274 0x00067DDC: (+12 ) D7 40 E1 00 extp #00E1h, #1 0x00067DE0: (+16 ) C2 FF 71 0A movbz r15, byte_A71 0x00067DE4: (+20 ) DA 83 DC 46 calls 83h, loc_646DC ; ------------------------------------------------------------------------------ *** KFAGK @ ROM:0x818b97 RAM:0x25b3bb7 File-Offset:0x18b97 (seg=0x0206 val=0x0B97) KFAGK Long identifier: Characteristic map for exhaust flap changeover. Display identifier: Address: 0x818b97 Value: No. | 0 1 2 3 4 5 6 7 8 9 PHY| 880.00 920.00 1000.00 3320.00 3400.00 4520.00 5840.00 5920.00 6000.00 9000.00 --------------+------------------------------------------------------------------------------------------ 0 PHY| 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 2.0 2.0 10 PHY| 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.0 2.0 2.0 26 PHY| 0.0 0.0 0.0 0.0 1.0 1.0 1.0 1.0 2.0 2.0 50 PHY| 0.0 0.0 0.0 0.0 1.0 2.0 2.0 2.0 2.0 2.0 81 PHY| 0.0 0.0 0.0 0.0 1.0 2.0 2.0 2.0 2.0 2.0 100 PHY| 0.0 0.0 0.0 0.0 1.0 2.0 2.0 2.0 2.0 2.0 Cells: Unit: Conversion name: rel_uw_b200 Conversion formula: f(phys) = 0.0 + 1.000000 * phys Data type: UBYTE X-axis: Unit: Upm Conversion name: nmot_ub_q40 Conversion formula: f(phys) = 0.0 + 0.025000 * phys Data type: UBYTE Y-axis: Unit: % Conversion name: rel_uw_q0p75 Conversion formula: f(phys) = 0.0 + 1.333333 * phys Data type: UBYTE

vs ...

0x0004F0AE: E6 FC EE08 == E6 XX 0000 ; mov : ** MATCH [4] ** 0x0004F0B2: E6 FD 0602 == E6 XX 0000 ; mov : ** MATCH [4] ** 0x0004F0B6: C2 FE 6CF8 == C2 XX 0000 ; movbz : ** MATCH [4] ** 0x0004F0BA: C2 FF 658B ~~ C2 00 0000 ; movbz SKIP OPCODE IN NEEDLE 0x0004F0BA: C2 FF 658B == C2 XX 0000 ; movbz : ** MATCH [4] ** 0x0004F0BE: DA 82 F49F == DA XX 0000 ; calls : ** MATCH [4] ** 0x0004F0C2: F1 XX == F1 XX ; movb : ** MATCH [2] ** match #4 at offset 0x0004F0AE (0x8d90ce) 0x0004F0AE: (+0 ) E6 FC EE 08 mov r12, #08EEh 0x0004F0B2: (+4 ) E6 FD 06 02 mov r13, #0206h 0x0004F0B6: (+8 ) C2 FE 6C F8 movbz r14, byte_F86C 0x0004F0BA: (+12 ) C2 FF 65 8B movbz r15, byte_8B65 0x0004F0BE: (+16 ) DA 82 F4 9F calls 82h, loc_49FF4 ; ------------------------------------------------------------------------------ 0x0004F0C2: (+20 ) F1 E8 movb rl7, r14 *** KFAGK @ ROM:0x8188ee RAM:0x8a290e File-Offset:0x188ee (seg=0x0206 val=0x08EE) KFAGK Long identifier: Characteristic map for exhaust flap changeover. Display identifier: Address: 0x8188ee Value: No. | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 PHY| 520.00 1000.00 1520.00 2000.00 3000.00 5120.00 5320.00 5520.00 6520.00 7520.00 8000.00 9000.00 10000.00 10200.00 --------------+------------------------------------------------------------------------------------------------------------------------------ 0 PHY| 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 35 PHY| 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 40 PHY| 0.0 0.0 0.0 0.0 0.0 0.0 1.0 1.0 0.0 0.0 0.0 0.0 0.0 0.0 47 PHY| 0.0 0.0 0.0 0.0 0.0 0.0 1.0 2.0 1.0 1.0 1.0 1.0 1.0 1.0 50 PHY| 0.0 0.0 0.0 0.0 0.0 0.0 1.0 2.0 2.0 2.0 2.0 2.0 2.0 2.0 100 PHY| 0.0 0.0 0.0 0.0 0.0 0.0 1.0 2.0 2.0 2.0 2.0 2.0 2.0 2.0 Cells: Unit: Conversion name: rel_uw_b200 Conversion formula: f(phys) = 0.0 + 1.000000 * phys Data type: UBYTE X-axis: Unit: Upm Conversion name: nmot_ub_q40 Conversion formula: f(phys) = 0.0 + 0.025000 * phys Data type: UBYTE Y-axis: Unit: % Conversion name: rel_uw_q0p75 Conversion formula: f(phys) = 0.0 + 1.333333 * phys Data type: UBYTE Fuzzy Matches <4>

Both are matched yet the code is different and the first (from a Ferrari F430) was discovered as well the one above (from a Ferrari 360) yet the 360 used a different version of the ecu on a 1Mb rom and the 360 a 512Kbyte rom.

And tonnes of new features too like ability to auto analyze, discover and decode the pcodes, error classes, etc. and then from the table id's Do a REVERSE LOOKUP and identify the functions (from the direct lookup calls to the DTC functions!)... This is neat as you find all of the functions in one go rather than having to manually do a lot of work... :)

-[ Find Errorclass (Ferrari Diagnostic P-Codes) ]----------------- >>> Scanning for Errorclass Lookup code sequence - Variant #1... found needle at offset=0x38892 CDTAAA @ ROM:0x8135dc RAM:0x8745fc File-Offset:0x135dc (seg=0x0204 val=0x35DC) CDKAAA @ ROM:0x8133ec RAM:0x87440c File-Offset:0x133ec (seg=0x0204 val=0x33EC) Skip Offset 1984 Number of CARB Table Entries: 124 ErrorClass Table Start: ROM:0x812C2C Num Entries = 124 -----[ LH Bank 1 ]----- -----[ RH Bank 2 ]----- min max sig npl min max sig npl 0x00 [000] AAA: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : Dummy Table Start [DFPM_DFPM] 0x01 [001] AAV: P1462,P1462,P1462,P1462 P0449,P0449,P0449,P0449 : Activated Carbon Filter Shut-Off Valve (Function) [DFPM_DTESK] 0x02 [002] AAVE: P0000,P0000,P0000,P0000 P0446,P0448,P0447,P0000 : Activated Carbon Filter Shut-Off Valve (Power Amplifier) [DFPM_DEKON] 0x03 [003] AGKE: P1461,P1461,P1461,P1461 P1448,P1448,P1448,P1448 : Exhaust Bypass Valves [DFPM_DEKON] 0x04 [004] AGRE: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : (Unsupported) Monitoring EGR Power Amplifier [DFPM_DUMMY_D] 0x05 [005] AGRF: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : (Unsupported) Monitoring AGR-FLOW [DFPM_DUMMY_D] 0x06 [006] BM: P0000,P0000,P0000,P0386 P0000,P0000,P0000,P0336 : Engine Revolution Sensing [DFPM_DDG] 0x07 [007] BREMS: P1569,P1569,P1569,P1569 P0571,P0571,P0571,P0571 : Brake Pedal Encoder [DFPM_GGEGAS] 0x08 [008] BWF: P0000,P0000,P0000,P0000 P1639,P1639,P1639,P1639 : PWG Movement [DFPM_GGPED] 0x09 [009] CAS: P1631,P1631,P1631,P1631 P1626,P1626,P1626,P1626 : CAN Interface: Timeout Anti-Slip Control (ABS/ASR ECU) [DFPM_DCAS] 0x0A [010] CINS: P1675,P1675,P1675,P1675 P1674,P1674,P1674,P1674 : CAN Interface: Timeout Instrument (Dashboard ECU) [DFPM_DCINS] 0x0B [011] CKUP: P1632,P1632,P1632,P1632 P1627,P1627,P1627,P1627 : CAN Interface: Timeout Electronic Clutch (TCU ECU) [DFPM_DCKUP] 0x0C [012] DK: P0223,P0222,P0220,P0221 P0123,P0122,P0120,P0121 : DK - Throttle Body Potentiometer [DFPM_DDVE] 0x0D [013] DK1P: P1190,P1191,P1192,P1192 P1173,P1172,P1170,P1170 : DK - Throttle Body 1. Poti [DFPM_DDVE] 0x0E [014] DK2P: P1193,P1194,P1195,P1195 P1177,P1176,P1174,P1174 : DK - Throttle Body 2. Poti [DFPM_DDVE] 0x0F [015] DPL: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : (Unsupported) Continuous plus [DFPM_DUMMY_D] 0x10 [016] DSS: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : (Unsupported) Suction Pipe Pressure Sensor [DFPM_DUMMY_D] 0x11 [017] DST: P0000,P0000,P0000,P0000 P0453,P0452,P0451,P0450 : Pressure Sensor Tank [DFPM_DDST] 0x12 [018] DVEE: P1167,P1167,P1167,P1167 P1184,P1184,P1184,P1184 : DV-E Power Amplifier [DFPM_DDVE] 0x13 [019] DVEF: P1163,P1163,P1163,P1163 P1180,P1180,P1180,P1180 : DV-E Feather Check Error [DFPM_DDVE] 0x14 [020] DVEFO: P1162,P1162,P1162,P1162 P1179,P1179,P1179,P1179 : DV-E Return Spring Failure [DFPM_DDVE] 0x15 [021] DVEL: P1171,P1171,P1171,P1171 P1185,P1185,P1185,P1185 : DV-E Position Deviation [DFPM_DDVE] 0x16 [022] DVEN: P1164,P1164,P1164,P1164 P1181,P1181,P1181,P1181 : DV-E Error Checking Emergency Air Position [DFPM_DDVE] 0x17 [023] DVER: P1175,P1175,P1175,P1175 P1186,P1186,P1186,P1186 : DV-E Control Range [DFPM_DDVE] 0x18 [024] DVET: P1161,P1161,P1161,P1161 P1178,P1178,P1178,P1178 : DV-E Error Undefined [DFPM_DDVE] 0x19 [025] DVEU: P1165,P1165,P1165,P1165 P1182,P1182,P1182,P1182 : DV-E Errors in UMA Learning [DFPM_DDVE] 0x1A [026] DVEUB: P1196,P1196,P1196,P1196 P1187,P1187,P1187,P1187 : DV-E Errors in Motor Driven Throttle [DFPM_DDVE] 0x1B [027] DVEUW: P1197,P1197,P1197,P1197 P1188,P1188,P1188,P1188 : DV-E Errors Undefined [DFPM_DDVE] 0x1C [028] DVEV: P1166,P1166,P1166,P1166 P1183,P1183,P1183,P1183 : DV-E Amplifier Matching Error [DFPM_DDVE] 0x1D [029] EGFE: P1148,P1148,P1148,P1148 P1145,P1145,P1145,P1145 : Load Detection [DFPM_EGFE] 0x1E [030] EPCLE: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : Driving Behavior Error Lamp (Power Amplifier) [DFPM_DEKON] 0x1F [031] ETSE: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : Electric Thermostat Power Amplifier [DFPM_DEKON] 0x20 [032] EV1: P1217,P1229,P1241,P1205 P1213,P1225,P1237,P1201 : EV by Cylinder 1 [DFPM_DEKON] 0x21 [033] EV2: P1218,P1230,P1242,P1206 P1214,P1226,P1238,P1202 : EV by Cylinder 2 [DFPM_DEKON] 0x22 [034] EV3: P1219,P1231,P1243,P1207 P1215,P1227,P1239,P1203 : EV by Cylinder 3 [DFPM_DEKON] 0x23 [035] EV4: P1220,P1232,P1244,P1208 P1216,P1228,P1240,P1204 : EV by Cylinder 4 [DFPM_DEKON] 0x24 [036] FP1P: P0000,P0000,P0000,P0000 P1146,P1147,P1147,P1149 : Throttle Pedal Poti 1 [DFPM_GGPED] 0x25 [037] FP2P: P0000,P0000,P0000,P0000 P1150,P1151,P1151,P1153 : Throttle Pedal Poti 2 [DFPM_GGPED] 0x26 [038] FPP: P0000,P0000,P0000,P0000 P1189,P1189,P1189,P1189 : Gas Pedal [DFPM_GGPED] 0x27 [039] FRAO: P1158,P1157,P1157,P1157 P1156,P1155,P1155,P1155 : LR-Adaption Upper Multiplicative [DFPM_DKVS] 0x28 [040] FRAU: P1154,P1152,P1152,P1152 P1160,P1159,P1159,P1159 : LR Adaption Lower Multiplicative [DFPM_DKVS] 0x29 [041] FRST: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : LR Deviation [DFPM_DKVS] 0x2A [042] GRBH: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : GRA Control Lever Error [DFPM_GGFGRH] 0x2B [043] HSH: P0000,P0000,P0000,P1113 P0000,P0000,P0000,P1144 : Lambda Probe Heater Behind Catalyst [DFPM_DHLSHK] 0x2C [044] HSHE: P1110,P1121,P1122,P0000 P1105,P1117,P1118,P0000 : Power amplifier heating probe behind cat. [DFPM_DEKON] 0x2D [045] HSV: P1107,P1119,P1120,P1114 P1102,P1115,P1116,P1103 : Lambda Probe Heating Before Catalyst [DFPM_DHLSU] 0x2E [046] HSV2: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : Lambda probe heater in front of catalyst; (Bank2) [DFPM_DHLSU] 0x2F [047] HSVSA: P1198,P1198,P1198,P1198 P1135,P1135,P1135,P1135 : Lambda Probe Heating Before Catalyst [DFPM_DHLSU] 0x30 [048] HSVSA2: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : Lambda Probe Heating 2 before Catalyst [DFPM_DHLSU] 0x31 [049] KAS: P1454,P1454,P1454,P1454 P1446,P1446,P1446,P1446 : Catalyst Protection Active [DFPM_SAK] 0x32 [050] KAT: P0432,P0432,P0432,P0432 P0422,P0422,P0422,P0422 : Catalyst Efficiency [DFPM_DKAT] 0x33 [051] KATT: P1449,P1449,P1449,P1449 P1445,P1445,P1445,P1445 : Catalyst Temperature [DFPM_DTKAT] 0x34 [052] KOSE: P0000,P0000,P0000,P0000 P1456,P1457,P1455,P1455 : Air Conditioning Compressor Control Power Amplifier [DFPM_DEKON] 0x35 [053] KPE: P1505,P1504,P1506,P1503 P1502,P1501,P1541,P1500 : EKP relay power amplifier [DFPM_DEKON] 0x36 [054] KRNT: P1387,P1387,P1387,P1387 P1386,P1386,P1386,P1386 : Knock Control Null Test [DFPM_DKRNT] 0x37 [055] KROF: P1390,P1390,P1390,P1390 P1388,P1388,P1388,P1388 : Knock Control Offset [DFPM_DKRNT] 0x38 [056] KRTP: P1394,P1394,P1394,P1394 P1393,P1393,P1393,P1393 : Knock Control Test Pulses [DFPM_DKRTP] 0x39 [057] KS1: P1384,P1383,P1384,P1384 P0328,P0327,P0325,P0326 : Knock Sensor 1 [DFPM_DKRS] 0x3A [058] KS2: P1385,P1382,P1385,P1385 P0333,P0332,P0330,P0331 : Knock Sensor 2 [DFPM_DKRS] 0x3B [059] KS3: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : Knock Sensor 3 [DFPM_DKRS] 0x3C [060] KS4: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : Knock Sensor 4 [DFPM_DKRS] 0x3D [061] LASH: P0159,P0159,P0159,P0159 P0139,P0139,P0139,P0139 : Lambda Probe aging behind cat. [DFPM_DLSAHK] 0x3E [062] LATP: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : (Unsupported) Lambda Probe Aging TP [DFPM_DUMMY_D] 0x3F [063] LATV: P0000,P0000,P0000,P0000 P0000,P0000,P0000,P0000 : (Unsupported) Lambda Probe Aging TV [DFPM_DUMMY_D] .. cut .. cut ... cut

Quote from: nyet on June 12, 2019, 08:38:57 AM

AWESOME! good work! Any idea if autodetecting ESKONF is possible? (i.e. correlate it with the various inputs/output on the ECU?)

Yes ESKONF is entirely possible to detect and I already support it!

... however the meanings to decode it are specific to a vehicle model so quite how you'd interpret and visualize that is challenging to understand, config files perhaps?

Here's the way it works on the Ferrari 360 version of ME7 Swiss Army Knife..

Code:

-[ ESKONF Configuration of power stage (actuators) ]-----------------------------
                                                                                 
>>> Scanning for ESKONF Lookup code sequence...                                  
                                                                                 
found needle at offset=0x55da2                                                   
                                                                                 
 1. Configuration of output stages                                               
 =================================                                               
 The configuration is made with the Label ESKONF_R (right bank) & ESKONF_L (left 
                                                                                 
 Every byte is standing for 4 output stages. Therefore every output stage has got
 configuration Bits.                                                             
                                                                                 
 Enable of the output stages diagnosis                                           
 -------------------------------------                                           
 With the configurations-Bytes in ESKONF the functions have to be set active / in
 on the available components in the car. At the same time with the 2 Bits the fun
 diagnosis is set.                                                               
                                                                                 
 Assignment of the Bit pattern:                                                  
 ------------------------------                                                  
 00  Diagnosis active with OBDII-malfunction storage with test of healing        
 01  Diagnosis active without OBDII-malfunction storage with test of healing     
 10  Diagnosis active without OBDII-fault memory without test of healing (EKP)   
 11  Diagnosis not active                                                        
                                                                                 
                                                                                 
ESKONF_L @ ADR:0x810acd (offset 0x10acd) - Left Bank Configuration               
----------+----------------------------------------------------------------------
[i] Hex   |           Bit                                                        
          | 76     54     32     10                                              
----------+----------------------------------------------------------------------
          | EV4    EV3    EV2    EV1                                             
[0] 0x00  | 00     00     00     00                                              
          | M52    M03    M35    M19                                             
          +----------------------------------------------------------------------
          | M52   Cylinder 6 injector control power output                       
          | M03   Cylinder 8 injector control power output                       
          | M35   Cylinder 7 injector control power output                       
          | M19   Cylinder 5 injector control power output                       
----------+----------------------------------------------------------------------
          | LSHVK1 xxxx   TEV    MIL                                             
[1] 0x33  | 00     11     00     11                                              
          | M34    M21    M05    F46                                             
          +----------------------------------------------------------------------
          | M34   LH rear Lambda sensor heater (duty cycle) Power output         
          | M21   Not Used                                                       
          | M05   Control for LH canister purge valve (duty cycle) Power output  
          | F46   Not Used                                                       
----------+----------------------------------------------------------------------
          | EKP    LUE1   LSHVK2 MIL                                             
[2] 0xbf  | 10     11     11     11                                              
          | F30    F50    M02    F02                                             
          +----------------------------------------------------------------------
          | F30   Fuel pump control Digital output                               
          | F50   Not Used                                                       
          | M02   Not Used                                                       
          | F02   Not Used                                                       
----------+----------------------------------------------------------------------
          | --     --     KOS    LUE2                                            
[3] 0xff  | 11     11     11     11                                              
          | Fxx    Fxx    F13    F62                                             
          +----------------------------------------------------------------------
          | Fxx   Not Used                                                       
          | Fxx   Not Used                                                       
          | F13   Not Used                                                       
          | F62   Not Used                                                       
----------+----------------------------------------------------------------------
          | xxxx   SU1    NWS    xxxx                                            
[4] 0xfc  | 11     11     11     00                                              
          | M53    M04    M36    M20                                             
          +----------------------------------------------------------------------
          | M53   Not Used                                                       
          | M04   Not Used                                                       
          | M36   Not Used                                                       
          | M20   Control for LH exhaust by-pass power output                    
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx                                            
[5] 0xff  | 11     11     11     11                                              
          | F18    F33    F34    F01                                             
          +----------------------------------------------------------------------
          | F18   Not Used                                                       
          | F33   Not Used                                                       
          | F34   Not Used                                                       
          | F01   Not Used                                                       
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx                                            
[6] 0xff  | 11     11     11     11                                              
          | M13    M13    M45    M45                                             
          +----------------------------------------------------------------------
          | M13   Not Used                                                       
          | M13   Not Used                                                       
          | M45   Not Used                                                       
          | M45   Not Used                                                       
----------+----------------------------------------------------------------------

.. and also does the same decoding for RHS bank too...

Code:

ESKONF_R @ ADR:0x810ad4 (offset 0x10ad4) - Right Bank Configuration
----------+----------------------------------------------------------------------
[i] Hex   |           Bit
          | 76     54     32     10
----------+----------------------------------------------------------------------
          | EV4    EV3    EV2    EV1
[0] 0x00  | 00     00     00     00
          | M52    M03    M35    M19
          +----------------------------------------------------------------------
          | M52   Cylinder 2 injector control power output
          | M03   Cylinder 4 injector control power output
          | M35   Cylinder 3 injector control power output
          | M19   Cylinder 1 injector control power output
----------+----------------------------------------------------------------------
          | LSHVK1 xxxx   TEV    MIL
[1] 0x33  | 00     11     00     11
          | M34    M21    M05    F46
          +----------------------------------------------------------------------
          | M34   RH rear Lambda sensor heater (duty cycle) power output
          | M21   Not Used
          | M05   Control for RH canister purge valve (duty cycle) power output
          | F46   Not Used
----------+----------------------------------------------------------------------
          | EKP    LUE1   LSHVK2 MIL
[2] 0xbf  | 10     11     11     11
          | F30    F50    M02    F02
          +----------------------------------------------------------------------
          | F30   Fuel pump control digital output
          | F50   Not Used
          | M02   Not Used
          | F02   Not Used
----------+----------------------------------------------------------------------
          | --     --     KOS    LUE2
[3] 0xf3  | 11     11     00     11
          | Fxx    Fxx    F13    F62
          +----------------------------------------------------------------------
          | Fxx   Not Used
          | Fxx   Not Used
          | F13   A/C compressor control digital output
          | F62   Secondary air pump control digital output
----------+----------------------------------------------------------------------
          | xxxx   SU1    NWS    xxxx
[4] 0x00  | 00     00     00     00
          | M53    M04    M36    M20
          +----------------------------------------------------------------------
          | M53   Modular manifolds control power output
          | M04   Compensation throttle control power output
          | M36   Timing variator control  Digital output
          | M20   Control for RH exhaust by-pass power output
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx
[5] 0xff  | 11     11     11     11
          | F18    F33    F34    F01
          +----------------------------------------------------------------------
          | F18   Canister closing control power output
          | F33   Not Used
          | F34   Secondary air valve control digital output
          | F01   Not Used
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx
[6] 0xff  | 11     11     11     11
          | M13    M13    M45    M45
          +----------------------------------------------------------------------
          | M13   Not Used
          | M13   Not Used
          | M45   Not Used
          | M45   Not Used
----------+----------------------------------------------------------------------
Secondary Air Valve Diagnostics are off: This is probably a European spec car
Air Injection Diagnostics are off: This is probably a European spec car
LH Rear O2 Heater is on : Secondary O2 sensor heating is enabled
RH Rear O2 Heater is on : Secondary O2 sensor heating is enabled
LH Canister Purge Valve is: on
RH Canister Purge Valve is: on

On the Ferrari 360 its really easy to detect functions (and even the GPIO bsets) from discovery of the ESKONF..

For example. Here's the segment of code regarding selection of either LHS or RHS banks...

DEKON_Get_ESKONF: 9A 23 09 E0 jnb word_FD46.14, Get_ESKONF_L ; Are we running on LHS or RHS ? Get_ESKONF_R: E6 F4 E6 4F mov r4, #prokon_tbl_RHS F6 F4 F8 A0 mov dekon_v, r4 E6 F5 EB 0A mov r5, #ESKONF_R ; ESKONF_R : Undefined [DEKON] F6 F5 FA A0 mov ram_ESKONF_p, r5 DB 00 rets Get_ESKONF_L: ; ... E6 F4 64 50 mov r4, #prokon_tbl_LHS F6 F4 F8 A0 mov dekon_v, r4 E6 F5 E4 0A mov r5, #ESKONF_L ; ESKONF_L : Undefined [DEKON] F6 F5 FA A0 mov ram_ESKONF_p, r5 DB 00 rets

If you decode the lookup tables you see something like this (after you correctly define the offsets);

ESKONF_R - Right Bank Configuration ----------+---------------------------------------------------------------------- Hex | Bit | 76 54 32 10 ----------+---------------------------------------------------------------------- | EV4 EV3 EV2 EV1 0x00 | 00 00 00 00 | M52 M03 M35 M19 +---------------------------------------------------------------------- | M52 Cylinder 2 injector control power output | M03 Cylinder 4 injector control power output | M35 Cylinder 3 injector control power output | M19 Cylinder 1 injector control power output ----------+---------------------------------------------------------------------- 02 00 prokon_tbl_RHS: dw 2 ; ... 8A C3 dw Process_State_Cylinder2_InjectorControl ; M19 84 00 dw 84h DA C3 dw Process_State_Cylinder4_InjectorControl ; M35 84 00 dw 84h 2A C4 dw Process_State_Cylinder3_InjectorControl ; M03 84 00 dw 84h 7A C4 dw Process_State_Cylinder1_InjectorControl ; M52 84 00 dw 84h ----------+---------------------------------------------------------------------- | LSHVK1 xxxx TEV MIL [1] 0x33 | 00 11 00 11 | M34 M21 M05 F46 +---------------------------------------------------------------------- | M34 RH rear Lambda sensor heater (duty cycle) power output | M21 Not Used | M05 Control for RH canister purge valve (duty cycle) power output | F46 Not Used ----------+---------------------------------------------------------------------- 02 00 dw 2 90 B2 dw Process_State_Unused ; F46 84 00 dw 84h 78 85 dw Process_State_CanisterPurgeValveDutyCycleOutput_Control ; M05 85 00 dw 85h 90 B2 dw Process_State_Unused ; M21 84 00 dw 84h 6C 87 dw Process_State_O2Sensor_Heater_Output ; M34 85 00 dw 85h ----------+---------------------------------------------------------------------- | EKP LUE1 LSHVK2 MIL [2] 0xbf | 10 11 11 11 | F30 F50 M02 F02 +---------------------------------------------------------------------- | F30 Fuel pump control digital output | F50 Not Used | M02 Not Used | F02 Not Used ----------+---------------------------------------------------------------------- 02 00 dw 2 90 B2 dw Process_State_Unused ; F02 84 00 dw 84h 90 B2 dw Process_State_Unused ; M02 84 00 dw 84h 90 B2 dw Process_State_Unused ; F50 84 00 dw 84h D0 87 dw Process_State_FuelPumpControl ; F30 85 00 dw 85h ----------+---------------------------------------------------------------------- | -- -- KOS LUE2 [3] 0xf3 | 11 11 00 11 | Fxx Fxx F13 F62 +---------------------------------------------------------------------- | Fxx Not Used | Fxx Not Used | F13 A/C compressor control digital output | F62 Secondary air pump control digital output ----------+---------------------------------------------------------------------- 02 00 dw 2 F2 85 dw Process_State_SecondaryAirPumpControl ; F62 85 00 dw 85h 9E 87 dw Process_State_AC_CompressorOutput ; F13 85 00 dw 85h 90 B2 dw Process_State_Unused ; Fxx - Not Used 84 00 dw 84h 90 B2 dw Process_State_Unused ; Fxx - Not Used 84 00 dw 84h ----------+---------------------------------------------------------------------- | xxxx SU1 NWS xxxx [4] 0x00 | 00 00 00 ... cut ... cut ... cut ...

And here is the reverse lookup from the DTC table that I explained was possible earlier...

0) MATCHED @ 0x0002B572 : DTC idx= 62 (0x3E) DFPM_DUMMY_D() : (Unsupported) Lambda Probe Aging TP 1) MATCHED @ 0x0002B572 : DTC idx= 63 (0x3F) DFPM_DUMMY_D() : (Unsupported) Lambda Probe Aging TV 2) MATCHED @ 0x0002B572 : DTC idx= 98 (0x62) DFPM_DUMMY_D() : (Unsupported) OBDII Empty Tank Failure 3) MATCHED @ 0x0002B572 : DTC idx=100 (0x64) DFPM_DUMMY_D() : (Unsupported) Tank Low Flow Switch Valve (Power Amplifier) 5) MATCHED @ 0x0002B572 : DTC idx=106 (0x6A) DFPM_DUMMY_D() : (Unsupported) Engine Oil Temperature 6) MATCHED @ 0x0002B572 : DTC idx=107 (0x6B) DFPM_DUMMY_D() : (Unsupported) Ambient (Air) Temperature TUM 7) MATCHED @ 0x0002C554 : DTC idx= 91 (0x5B) DFPM_DSLSLRS() : Secondary Air System 9) MATCHED @ 0x00035A72 : DTC idx=117 (0x75) DFPM_DVKUP() : Engine Off Request from F1 TCU Failure 12) MATCHED @ 0x0003809C : DTC idx= 69 (0x45) DFPM_DMDMIL() : Misfire, Sum Error (Multiple) 14) MATCHED @ 0x0003CB14 : DTC idx= 79 (0x4F) DFPM_DDG() : Speed Sensor 16) MATCHED @ 0x0003D314 : DTC idx= 80 (0x50) DFPM_DNWKW() : Assignment Camshaft to Crankshaft 17) MATCHED @ 0x0003D5D8 : DTC idx= 84 (0x54) DFPM_DPH() : Phase Sensor 18) MATCHED @ 0x00040000 : DTC idx= 61 (0x3D) DFPM_DLSAHK() : Lambda Probe aging behind cat. 19) MATCHED @ 0x000408FA : DTC idx= 48 (0x30) DFPM_DHLSU() : Lambda Probe Heating 2 before Catalyst 20) MATCHED @ 0x000408FA : DTC idx= 46 (0x2E) DFPM_DHLSU() : Lambda probe heater in front of catalyst; (Bank2) 21) MATCHED @ 0x00042C64 : DTC idx= 67 (0x43) DFPM_DLSU() : Lambda Probe before Cat 22) MATCHED @ 0x000431A4 : DTC idx=116 (0x74) DFPM_DVFZ() : Vehicle Speed 24) MATCHED @ 0x00044642 : DTC idx= 36 (0x24) DFPM_GGPED() : Throttle Pedal Poti 1 25) MATCHED @ 0x000472D2 : DTC idx= 24 (0x18) DFPM_DDVE_ERR() : DV-E Error Undefined 26) MATCHED @ 0x00047628 : DTC idx= 19 (0x13) DFPM_DDVE_FAULT() : DV-E Feather Check Error 27) MATCHED @ 0x00047628 : DTC idx= 28 (0x1C) DFPM_DDVE_FAULT() : DV-E Amplifier Matching Error 28) MATCHED @ 0x00047628 : DTC idx= 20 (0x14) DFPM_DDVE_FAULT() : DV-E Return Spring Failure 29) MATCHED @ 0x00047628 : DTC idx= 26 (0x1A) DFPM_DDVE_FAULT() : DV-E Errors in Motor Driven Throttle 30) MATCHED @ 0x00047628 : DTC idx= 23 (0x17) DFPM_DDVE_FAULT() : DV-E Control Range 33) MATCHED @ 0x0004BE5C : DTC idx= 32 (0x20) DFPM_DEKON_EV() : EV by Cylinder 1 34) MATCHED @ 0x0004BE5C : DTC idx= 33 (0x21) DFPM_DEKON_EV() : EV by Cylinder 2 35) MATCHED @ 0x0004BE5C : DTC idx= 34 (0x22) DFPM_DEKON_EV() : EV by Cylinder 3 39) MATCHED @ 0x0004C2C8 : DTC idx= 44 (0x2C) DFPM_DEKON_PWR() : Power amplifier heating probe behind cat. 40) MATCHED @ 0x0004C2C8 : DTC idx= 44 (0x2C) DFPM_DEKON_PWR() : Power amplifier heating probe behind cat. 41) MATCHED @ 0x0004C556 : DTC idx= 83 (0x53) DFPM_DEKON_CAM() : Camshaft Control Valve Power Amplifier 42) MATCHED @ 0x0004C71C : DTC idx= 94 (0x5E) DFPM_DEKON_CHG1() : End Stage Suction Tube Changeover 43) MATCHED @ 0x0004C7A8 : DTC idx= 95 (0x5F) DFPM_DEKON_CHG2() : Circuit intake manifold Bank 2 44) MATCHED @ 0x0004CA60 : DTC idx= 88 (0x58) DFPM_SGA() : Switch Control Selector 45) MATCHED @ 0x0005117E : DTC idx= 81 (0x51) DFPM_DNWS() : Camshaft Control 46) MATCHED @ 0x00051206 : DTC idx= 82 (0x52) DFPM_DNWS() : Camshaft Control Bank2 47) MATCHED @ 0x00055E50 : DTC idx= 39 (0x27) DFPM_DKVS_UPR() : LR-Adaption Upper Multiplicative 48) MATCHED @ 0x00055E50 : DTC idx= 86 (0x56) DFPM_DKVS_UPR() : LR adaptation QL additive 49) MATCHED @ 0x00055F34 : DTC idx= 40 (0x28) DFPM_DKVS_LWR() : LR Adaption Lower Multiplicative 50) MATCHED @ 0x00055F34 : DTC idx= 87 (0x57) DFPM_DKVS_LWR() : LR adaptation ti-additive 51) MATCHED @ 0x000576B2 : DTC idx= 97 (0x61) DFPM_GGTFA() : (IAT) Intake Air Temperature Sensor (Airflow Meters) 52) MATCHED @ 0x00057AA4 : DTC idx=105 (0x69) DFPM_GGTFM() : Engine Temperature TMOT 53) MATCHED @ 0x000597BC : DTC idx= 51 (0x33) DFPM_DTKAT() : Catalyst Temperature 54) MATCHED @ 0x000597BC : DTC idx= 51 (0x33) DFPM_DTKAT() : Catalyst Temperature 55) MATCHED @ 0x000597BC : DTC idx= 51 (0x33) DFPM_DTKAT() : Catalyst Temperature 56) MATCHED @ 0x00059AC4 : DTC idx= 49 (0x31) DFPM_SAK() : Catalyst Protection Active 57) MATCHED @ 0x0005B414 : DTC idx= 54 (0x36) DFPM_DKRNT() : Knock Control Null Test 58) MATCHED @ 0x0005B414 : DTC idx= 55 (0x37) DFPM_DKRNT() : Knock Control Offset 59) MATCHED @ 0x0005BD90 : DTC idx= 56 (0x38) DFPM_DKRTP() : Knock Control Test Pulses 60) MATCHED @ 0x00064F7C : DTC idx=111 (0x6F) DFPM_DUF() : Function Monitoring : Safety Fuel Cutoff 61) MATCHED @ 0x00064F7C : DTC idx=110 (0x6E) DFPM_DUF() : Function Monitoring : Moment Comparison 62) MATCHED @ 0x00064F7C : DTC idx=109 (0x6D) DFPM_DUF() : Function Monitoring : Other ME Data 63) MATCHED @ 0x00064FEA : DTC idx=111 (0x6F) DFPM_DUF_CUT() : Function Monitoring : Safety Fuel Cutoff 64) MATCHED @ 0x0006520A : DTC idx=113 (0x71) DFPM_DUR() : Computer Monitoring : ROM 65) MATCHED @ 0x0006A696 : DTC idx= 96 (0x60) DFPM_BGRBS() : Bad Path Detection Acceleration Sensor 66) MATCHED @ 0x0006BDAE : DTC idx= 17 (0x11) DFPM_DDST() : Pressure Sensor Tank 67) MATCHED @ 0x0006C134 : DTC idx=102 (0x66) DFPM_DTESK() : Tank Bleeding System Grobleck 68) MATCHED @ 0x0006C134 : DTC idx=103 (0x67) DFPM_DTESK() : Tank detoxification system Kleinstleck

Its discovered all of these diagnostic function entry points from the original DTC's. It does this by deriving the ID from the table and then searching for the opcode where the ID calls the DTC function. Once it finds a hit it walks backwards until it finds the start of the function. This makes it very easy (even for DTC's you haven't yet reversed) to lookup their function from workshop manuals or the web and then find the function entry point directly. From this I could now generate a IDC script to use MakeName() on the entries. You could for example use this to automatically label very rapidly all of the DTC functions AND for functions you know their variables in a new rom you've just dumped. That's why this approach is very powerful and rapidly accelerates the reversing of a rom...

I didn't think people cared about ME7 anymore.. Every time I seemed to post anything related to ME7 it felt like I was getting flamed!

I've done a huge amount actually just never checked anything in to the public repo's (for my ME7 C167 variant) and now i am upgrading it to work on ME9.x (PowerPC) and subsequently MED17.x (Tricore) too. So it will span across all 3 different generations.

The last thing I implement was a reverse KWP2000 protocol analysis and detection feature. It works by looking for the emit code function (return codes) and just from that alone it can work out exactly all the addresses of the individual functions in any ME7 roms.

E.g. Trying it on '8E0910560G 0030 - Stock.bin' rom file from nyet's server...

Code:

Opening 'Release\other_roms\8E0910560G  0030 - Stock.bin' file
Succeeded loading romfile #1 (0x100000 bytes).

SHA-256 of romfile #1: 39427bd5dcd454d197e01deb79e8d0ff4bebcb651ad7283f3faf037ae4e6795d

Loaded Primary ROM in 1Mb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]

Searching for DPPx ..
1) found reference to sig @ byte_offset=0xdb28
2) found reference to sig @ byte_offset=0xd93dc

dpp0: (seg: 0x0204 phy:0x00810000) calibration data segment 0, constants
dpp1: (seg: 0x0205 phy:0x00814000) calibration data segment 1, constants
dpp2: (seg: 0x00e0 phy:0x00380000) external RAM
dpp3: (seg: 0x0003 phy:0x0000c000) Int. RAM, XRAM, SFR

Note: dpp3 is always 3, otherwise accessing Int. RAM, XRAM, SFR is not possible

-[ EEPROM Analysis ]-----------------------------------------------------------------

>>> Scanning for basic EEPROM extraction parameters
EEPROM Number of Pages: 64 (1024 Bytes)
EEPROM Chip Select Pin: P6.3

-[ Basic Firmware information (Primary ROM) ]-----------------------------------

>>> Scanning for ROM String Table Byte Sequence #1 [info]

found kwp2000 needle @ offset:0x00001DF4  (val=0005,seg=0204).
EPK: @ 0x10005 -> 0x10055 (41 bytes) { /1/ME7.1.1/5/C1105B//25F9/L5f9bh3/080807/ }
{
    "rominfo": {
        "SSECUHN": "0261207997",
        "SSECUSN ": "1037392093",
        "DIF": "8E0910560G  ",
        "BRIF": "0030",
        "OTHERID": "4.2L V8\/5V     ",
        "EPK": "\/1\/ME7.1.1\/5\/C1105B\/\/25F9\/L5f9bh3\/080807\/"
    }
}

KWP2000 Service Identifier (SID)
--------------------------------
    The following chart indicates the different ranges of service identifier values, which are defined in
    SAE J1979, Keyword Protocol 2000 or by the vehicle manufacturer.

    SID    Service type                     Described in
    --------------------------------------- ---------------------------------
    00-0F  Request                          SAE J1979
    10-1F  Request (bit 6 = 0)              KWP 2000 Part 3
    20-2F  Request (bit 6 = 0)              KWP 2000 Part 3
    30-3E  Request (bit 6 = 0)              KWP 2000 Part 3
    3F     Not Applicable                   Reserved
    40-4F  Response                         SAE J1979
    50-5F  Positive Response                KWP 2000 Part 3
    60-6F  to Services ($10 - $3E)          KWP 2000 Part 3
    70-7E  (bit 6 = 1)                      KWP 2000 Part 3
    7F     Negative Response                KWP 2000 Part 3
    80     Request 'ESC' - Code             KWP 2000 Part 3
    81-8F  Request (bit 6 = 0)              KWP 2000 Part 2
    90-9F  Request (bit 6 = 0)              Reserved for future exp. as needed
    A0-BF  Request (bit 6 = 0)              Defined by vehicle manufacturer
    C0     Positive Resp. 'ESC' - Code      KWP 2000 Part 3
    C1-CF  Positive Response (bit 6 = 1)    KWP 2000 Part 2
    D0-DF  Positive Response (bit 6 = 1)    Reserved for future exp. as needed
    E0-FF  Positive Response (bit 6 = 1)    Defined by vehicle manufacturer
    --------------------------------------- ---------------------------------

        entrypoint BOOT:00008C8E SID: 0x81 : kwp2000_service_startCommunication_rom()
        entrypoint ROM :00035A76 SID: 0x81 : kwp2000_service_startCommunication_fw()

        entrypoint ROM :00008F14 SID: 0x10 : kwp2000_service_startDiagnosticSession_fw()
        entrypoint ROM :0000B8D2 SID: 0x36 : kwp2000_service_transferData_fw()
        entrypoint ROM :00026878 SID: 0x38 : kwp2000_service_startRoutineByAddress_fw()
        entrypoint ROM :00026896 SID: 0x39 : kwp2000_service_stopRoutineByAddress_fw()
        entrypoint ROM :000268EC SID: 0x3A : kwp2000_service_requestRoutineResultsByAddress_fw()
        entrypoint ROM :00036AA2 SID: 0x27 : kwp2000_service_securityAccess_fw()
        entrypoint ROM :000383F0 SID: 0x2C : kwp2000_service_dynamicallyDefineLocalIdentifier_fw()
        entrypoint ROM :00038A58 SID: 0x23 : kwp2000_service_readMemoryByAddress_fw()
        entrypoint ROM :00038D88 SID: 0x3D : kwp2000_service_writeMemoryByAddress_fw()
        entrypoint ROM :0003923E SID: 0x21 : kwp2000_service_readDataByLocalIdentifier_fw()
        entrypoint ROM :000396EA SID: 0x3B : kwp2000_service_writeDataByLocalIdentifier_fw()
        entrypoint ROM :0003AF80 SID: 0x31 : kwp2000_service_startRoutinebyLocalIdentifier_fw()
        entrypoint ROM :0003CFE0 SID: 0x14 : kwp2000_service_clearDiagnosticsInformation_fw()
        entrypoint ROM :0003D260 SID: 0x18 : kwp2000_service_readDiagnosticTroubleCodesByStatus_fw()
        entrypoint ROM :0003D5A6 SID: 0x12 : kwp2000_service_readFreezeFrameData_fw()
        entrypoint ROM :00008E0E SID: 0x10 : kwp2000_service_startDiagnosticSession_fw()
        entrypoint ROM :000092C2 SID: 0x82 : kwp2000_service_stopCommunication_fw()
        entrypoint ROM :0000957E SID: 0x1A : kwp2000_service_readECUIdentification_fw()
        entrypoint ROM :00009762 SID: 0x27 : kwp2000_service_securityAccess_fw()
        entrypoint ROM :0000A2D2 SID: 0x31 : kwp2000_service_startRoutinebyLocalIdentifier_fw()
        entrypoint ROM :0000A40A SID: 0x33 : kwp2000_service_requestRoutineResultByLocalIdentifier_fw()
        entrypoint ROM :0000A60A SID: 0x34 : kwp2000_service_requestDownload_fw()
        entrypoint ROM :0000A7F6 SID: 0x35 : kwp2000_service_requestUpload_fw()
        entrypoint ROM :0000A992 SID: 0x36 : kwp2000_service_transferData_fw()
        entrypoint ROM :0000AA72 SID: 0x37 : kwp2000_service_requestTransferExit_fw()
        entrypoint ROM :0000BD1E SID: 0x20 : kwp2000_service_stopDiagnosticSession_fw()
        entrypoint ROM :0000BDD0 SID: 0x83 : kwp2000_service_accessTimingParameter_fw()
        entrypoint ROM :00035C2E SID: 0xA0 : kwp2000_service_startCommunicationMcMess_fw()
        entrypoint ROM :00035CDA SID: 0x11 : kwp2000_service_resetECU_fw()
        entrypoint ROM :00038290 SID: 0x21 : kwp2000_service_readDataByLocalIdentifier_fw()
        entrypoint ROM :0003834C SID: 0x3B : kwp2000_service_writeDataByLocalIdentifier_fw()
        entrypoint ROM :00038966 SID: 0x22 : kwp2000_service_readDataByCommonIdentifier_fw()
        entrypoint ROM :0003CE62 SID: 0x32 : kwp2000_service_stopRoutineByLocalIdentifier_fw()
        entrypoint ROM :0003D526 SID: 0x17 : kwp2000_service_readStatusOfDiagnosticTroubleCodes_fw()
        entrypoint ROM :0003DFB8 SID: 0x14 : kwp2000_service_clearDiagnosticsInformation_fw()

ReadDataByLocalIdentifier() : 0x21 @ 038290
Address of subfunc() : 0x0083923E : seg=0x020C)

SEGC            @ ROM:0X83923E RAM:0X81E25E File-Offset:0X3923E (seg=0x020C [segadr=0x830000] val=0x923E)
1) found reference to sig @ byte_offset=0x39298
Note: This firmware doesn't contain a LIT table

KWP2000 automatic detection of all the protocol functions in the rom (with full tracing enabled )

Code:

        entrypoint BOOT:00008C8E SID: 0x81 : kwp2000_service_startCommunication_rom()
        entrypoint ROM :00035A76 SID: 0x81 : kwp2000_service_startCommunication_fw()
                (1) found reference to kwp2000_emit() @ byte_offset=0x90d2 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
        entrypoint ROM :00008F14 SID: 0x10 : kwp2000_service_startDiagnosticSession_fw()
                (2) found reference to kwp2000_emit() @ byte_offset=0x912a : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (3) found reference to kwp2000_emit() @ byte_offset=0xba92 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
        entrypoint ROM :0000B8D2 SID: 0x36 : kwp2000_service_transferData_fw()
                (4) found reference to kwp2000_emit() @ byte_offset=0xbaba : fault_id=0x10 <generalReject>
                (5) found reference to kwp2000_emit() @ byte_offset=0x2687c : fault_id=0x11 <serviceNotSupported>
        entrypoint ROM :00026878 SID: 0x38 : kwp2000_service_startRoutineByAddress_fw()
                (6) found reference to kwp2000_emit() @ byte_offset=0x2689a : fault_id=0x11 <serviceNotSupported>
        entrypoint ROM :00026896 SID: 0x39 : kwp2000_service_stopRoutineByAddress_fw()
                (7) found reference to kwp2000_emit() @ byte_offset=0x268f0 : fault_id=0x11 <serviceNotSupported>
        entrypoint ROM :000268EC SID: 0x3A : kwp2000_service_requestRoutineResultsByAddress_fw()
                (8) found reference to kwp2000_emit() @ byte_offset=0x35ed4 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (9) found reference to kwp2000_emit() @ byte_offset=0x36078 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (10) found reference to kwp2000_emit() @ byte_offset=0x36230 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (11) found reference to kwp2000_emit() @ byte_offset=0x36b38 : fault_id=0x37 <requiredTimeDelayNotExpired>
        entrypoint ROM :00036AA2 SID: 0x27 : kwp2000_service_securityAccess_fw()
                (12) found reference to kwp2000_emit() @ byte_offset=0x36c4e : fault_id=0x37 <requiredTimeDelayNotExpired>
                (13) found reference to kwp2000_emit() @ byte_offset=0x36d26 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (14) found reference to kwp2000_emit() @ byte_offset=0x36dfe : fault_id=0x37 <requiredTimeDelayNotExpired>
                (15) found reference to kwp2000_emit() @ byte_offset=0x36ede : fault_id=0x35 <invalidKey>
                (16) found reference to kwp2000_emit() @ byte_offset=0x36fca : fault_id=0x35 <invalidKey>
                (17) found reference to kwp2000_emit() @ byte_offset=0x36fe6 : fault_id=0x37 <requiredTimeDelayNotExpired>
                (18) found reference to kwp2000_emit() @ byte_offset=0x36ffa : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (19) found reference to kwp2000_emit() @ byte_offset=0x3700e : fault_id=0x10 <generalReject>
                (20) found reference to kwp2000_emit() @ byte_offset=0x371f8 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (21) found reference to kwp2000_emit() @ byte_offset=0x3720c : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (22) found reference to kwp2000_emit() @ byte_offset=0x3723e : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (23) found reference to kwp2000_emit() @ byte_offset=0x38910 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
        entrypoint ROM :000383F0 SID: 0x2C : kwp2000_service_dynamicallyDefineLocalIdentifier_fw()
                (24) found reference to kwp2000_emit() @ byte_offset=0x38c5e : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
        entrypoint ROM :00038A58 SID: 0x23 : kwp2000_service_readMemoryByAddress_fw()
                (25) found reference to kwp2000_emit() @ byte_offset=0x38c80 : fault_id=0x21 <busyRepeatRequest>
                (26) found reference to kwp2000_emit() @ byte_offset=0x38d42 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (27) found reference to kwp2000_emit() @ byte_offset=0x38d64 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (28) found reference to kwp2000_emit() @ byte_offset=0x39118 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
        entrypoint ROM :00038D88 SID: 0x3D : kwp2000_service_writeMemoryByAddress_fw()
                (29) found reference to kwp2000_emit() @ byte_offset=0x3913a : fault_id=0x21 <busyRepeatRequest>
                (30) found reference to kwp2000_emit() @ byte_offset=0x391f6 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (31) found reference to kwp2000_emit() @ byte_offset=0x3921a : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (32) found reference to kwp2000_emit() @ byte_offset=0x3927c : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
        entrypoint ROM :0003923E SID: 0x21 : kwp2000_service_readDataByLocalIdentifier_fw()
                (33) found reference to kwp2000_emit() @ byte_offset=0x393ba : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (34) found reference to kwp2000_emit() @ byte_offset=0x39512 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (35) found reference to kwp2000_emit() @ byte_offset=0x396b4 : fault_id=0x10 <generalReject>
                (36) found reference to kwp2000_emit() @ byte_offset=0x396c8 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (37) found reference to kwp2000_emit() @ byte_offset=0x39820 : fault_id=0x10 <generalReject>
        entrypoint ROM :000396EA SID: 0x3B : kwp2000_service_writeDataByLocalIdentifier_fw()
                (38) found reference to kwp2000_emit() @ byte_offset=0x39834 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (39) found reference to kwp2000_emit() @ byte_offset=0x3a60c : fault_id=0x10 <generalReject>
                (40) found reference to kwp2000_emit() @ byte_offset=0x3aa30 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (41) found reference to kwp2000_emit() @ byte_offset=0x3aa5a : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (42) found reference to kwp2000_emit() @ byte_offset=0x3aa96 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (43) found reference to kwp2000_emit() @ byte_offset=0x3aafe : fault_id=0x10 <generalReject>
                (44) found reference to kwp2000_emit() @ byte_offset=0x3abae : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (45) found reference to kwp2000_emit() @ byte_offset=0x3abc2 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (46) found reference to kwp2000_emit() @ byte_offset=0x3abd6 : fault_id=0x10 <generalReject>
                (47) found reference to kwp2000_emit() @ byte_offset=0x3b040 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
        entrypoint ROM :0003AF80 SID: 0x31 : kwp2000_service_startRoutinebyLocalIdentifier_fw()
                (48) found reference to kwp2000_emit() @ byte_offset=0x3b18e : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (49) found reference to kwp2000_emit() @ byte_offset=0x3b1a2 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (50) found reference to kwp2000_emit() @ byte_offset=0x3b2a0 : fault_id=0x31 <requestOutOfRange>
                (51) found reference to kwp2000_emit() @ byte_offset=0x3b2b4 : fault_id=0x31 <requestOutOfRange>
                (52) found reference to kwp2000_emit() @ byte_offset=0x3b2c8 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (53) found reference to kwp2000_emit() @ byte_offset=0x3b33e : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (54) found reference to kwp2000_emit() @ byte_offset=0x3b474 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (55) found reference to kwp2000_emit() @ byte_offset=0x3b5da : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
... cut ...

I've had to cut the output as the generated file far exceeds the size limitations of a post, but you get the idea :)

If anyone's interested to kick the tires on this let me know and I'll clean it up and github it..

Also worked out a completely rom independent 'generic' way to detect all the exact locations of the CDxxx booleans used.

For example the CDLSH configuration of secondary o2's for example...
The way it works is a little complicated but its all automated in my tool.

Here's a breakdown summary of how it works...

We search for reference to generic lookup's in the PROKON_ini function, the machine code signature mask with all the rom/compiler specific data removed looks something like "E6FxXXXX,64FxXXXX,C2FxXXXX,68XX".
The PROKON, is "Project Configuration" and its used to extract the boolean bytes out of the calibration area of rom and place them into bit positions in the 'cd_bits1_w' 16-bits variable.

Here we only care to discover address of 'cd_bits1_w' variable itself to ensure we get perfect signature matches on exactly what we want. so ..
e.g.

Code:

0x00022ED2:seg002: (+0   )  E6 F4 FD FF                  mov      rY, #XXXXh
0x00022ED6:seg002: (+4   )  64 F4 32 8D                  and      word_XXXX, rY <--------------- 328D   this finds us "cd_bits1_w"
0x00022EDA:seg002: (+8   )  C2 F4 19 00                  movbz    rY, byte_XXXX
0x00022EDE:seg002: (+12  )  68 41                        and      rY, #XX
0x00022EE0:seg002: (+14  )  2D 04                        jmpr     cc_Y, loc_XXXX

+6 = 328D  ( cw_bits1_w )

After discovering cd_bits1_w, now find start by looking for a reference the CDLSH bit setting. A good generic case is the Secondary Lambda function DLSH_20ms() with cd_bits1_w.
So we mask (substitute **** with 328D which is different in every rom ). Hence why we looked it up in the first step...

--

Code:

DLSH_20ms+0    F2 F4 ** **                              mov     r4, cd_bits1_w  ; cd_bits1_w :  [PROKON DDST DHLSHK DIMC DKATLRS DKVS DLSH DLSU DMDLU DSWEC]
DLSH_20ms+4    66 F4 XX XX                              and     r4, #XXXXh      ; bit 4 : B_CDLSH
DLSH_20ms+8    EA .. .. ..                              jmpa    cc_X, locret_XXXX
DLSH_20ms+C    9A .. .. ..                              jnb     XXXX.Y, loc_ZZZZ
DLSH_20ms+10   E0 ..                                    mov     rX, #YY
DLSH_20ms+12   74 .. .. ..                              or      .., rY ; DLSHintbits :  [DLSH]

Here's we are searching for "f2fx****,66fxXXXX,ea20XXXX,9aXXXXXX,e0XX,74FxXXXX"

But first substitute **** for 328D then search for;

So we actually search for "f2fx328d,66fxXXXX,ea20XXXX,9aXXXXXX,e0XX,74FxXXXX"

This will match something like ;

Code:

0x0003F0A8:seg003: (+0   )  F2 F4 32 8D                  mov      r4, word_8D32
0x0003F0AC:seg003: (+4   )  66 F4 10 00                  and      r4, #0010h    <-------------- 1000  +6
0x0003F0B0:seg003: (+8   )  EA 20 88 F2                  jmpa     cc_UC, .loc_3F288
0x0003F0B4:seg003: (+12  )  9A 18 03 20                  jnb      word_FD30.2, loc_3F0BE
0x0003F0B8:seg003: (+16  )  E0 14                        mov      r4, #1
0x0003F0BA:seg003: (+18  )  74 F4 18 9B                  or       word_9B18, r4

where +6 = 0010h <-----------
ZZZZ = 0010 (hex value). This is the bit value assigned by PROKON for the CDLSH variable. Again it varies across roms, hence why we are having to do this dance..

This is the bit hex value we now need to discover the address of...

---
So knowing that cd_bits1_w is 328D ,... call it YYYY

Search for the Prokon again but this time to match again to find actual address... but this time with hex value we are interested in, in this case 1000 () which was discovered in the DLSH function...

Code:

PROKON_IniVariablesFromControlWords+198  C2 FX XX XX                             movbz   r4, CDLSH       ; CDLSH : Codewort Sondendiagnose hinter Kat im OBDII-Mode (invers: Europa-Mode) [PROKON]
PROKON_IniVariablesFromControlWords+19C  68 XX                                   and     r4, #1
PROKON_IniVariablesFromControlWords+19E  2D XX                                   jmpr    cc_Z, _not_set
PROKON_IniVariablesFromControlWords+1A0  E6 FX YY YY                             mov     r4, #10h
PROKON_IniVariablesFromControlWords+1A4  74 FX ZZ ZZ                             or      cd_bits1_w, r4  ; cd_bits1_w :  [PROKON DDST DHLSHK DIMC DKATLRS DKVS DLSH DLSU DMDLU DSWEC]
PROKON_IniVariablesFromControlWords+1A8  0D XX                                   jmpr    cc_UC, _prk6

-------------------------------------------------
Search for "C2FxXXXX,68XX,2Dxx,E6FxZZZZ,74FxYYYY"

becomes.. "C2FxXXXX,68XX,2Dxx,E6Fx1000,74Fx328D"

Finally we find the correct entry in PROKON reference...

Code:

PROKON_IniVariablesFromControlWords+198  C2 F4 12 00                             movbz   r4, CDLSH       ; <------------- CDLSH 1200h
PROKON_IniVariablesFromControlWords+19C  68 41                                   and     r4, #1
PROKON_IniVariablesFromControlWords+19E  2D 05                                   jmpr    cc_Z, _prk5
PROKON_IniVariablesFromControlWords+1A0  E6 F4 10 00                             mov     r4, #10h
PROKON_IniVariablesFromControlWords+1A4  74 F4 32 8D                             or      cd_bits1_w, r4  ; cd_bits1_w :  [PROKON DDST DHLSHK DIMC DKATLRS DKVS DLSH DLSU DMDLU DSWEC]
PROKON_IniVariablesFromControlWords+1A8  0D 04                                   jmpr    cc_UC, _prk6

so... at offset +4, i.e. 1200 is CDLSH

0x204 (calibration start segment) * 0x4000 (segment size)
== 0x810000 + CDLSH
== 0x810000 + 0012
== 0x810012

so rom file offset is 0x10012 <=========== final offset to CDLSH in rom file in this specific case.

offset 0x10012 in the file is the boolean for CDLSH, this determines if Codeword for LSH (Secondary O2 is active or not)

It may seem long but it always automatically can discover any of the CDxxx variables if you approach it like this and you never need an original DAMOS / A2L .

And here it is running 'in action'...

Code:

-[ PROKON Codewords for Diagnostics (CEL) ]-------------------------------------

>>> Scanning for 'PO2' Post O2 Cat Sensor disable
CDHSH   : From 1 to 0 @ offset=0x10007 : 'O2 Sensor Heating Diagnosis' Downstream of cat (after CAT) (OBDII Mode)
CDHSHE  : From 1 to 0 @ offset=0x10008 : 'O2 Sensor Heating Diagnosis' Downstream of cat (after CAT) (EU-coding)
CDKAT   : From 1 to 0 @ offset=0x1000B : 'Catalyst Diagnosis' (OBDII Mode)
CDLASH  : From 1 to 0 @ offset=0x1000D : 'O2 Sensor Aging Diagnosis' (SHK) (OBDII Mode)
CDLSH   : From 1 to 0 @ offset=0x10012 : 'Readiness' of O2 Sensor downstream of cat (after CAT) (OBDII Mode)

>>> Scanning for CWKONLS [Codeword for configuration of Lambda sensors]

found at offset=0x22d72 CWKONLS @ ADR:0x810020

[Forced PO2 Disable]
                   7 6 5 4 3 2 1 0  bits
                   ---------------
CWKONLS:     0X03  0 0 0 0 0 0 1 1
                   | | | | | | | |
                   | | | | | | | +--- b_lsv       Bit 0 : (Bank 1) Condition [1]. Lambda sensor installed upstream of cat downstream of outlet
                   | | | | | | +----- b_lsh       Bit 1 : (Bank 1) Condition [2]. Lambda sensor installed downstream of cat downstream of outlet
                   | | | | | +------- b_ls3       Bit 2 : (Bank 1) Condition [3]. Lambda sensor installed downstream of outlet
                   | | | | +--------- b_ls4       Bit 3 : (Bank 1) Condition [4]. Lambda sensor installed downstream of outlet
                   | | | +----------- b_lsv2      Bit 4 : (Bank 2) Condition [1]. Lambda sensor installed upstream of cat downstream of outlet
                   | | +------------- b_lsh2      Bit 5 : (Bank 2) Condition [2]. Lambda sensor installed downstream of cat downstream of outlet
                   | +--------------- b_ls32      Bit 6 : (Bank 2) Condition [3]. Lambda sensor installed downstream of outlet
                   +----------------- b_ls42      Bit 7 : (Bank 2) Condition [4]. Lambda sensor installed downstream of outlet

                   7 6 5 4 3 2 1 0  bits
                   ---------------
CWKONLS:     0X01  0 0 0 0 0 0 0 1
                   | | | | | | | |
                   | | | | | | | +--- b_lsv       Bit 0 : (Bank 1) Condition [1]. Lambda sensor installed upstream of cat downstream of outlet
                   | | | | | | +----- b_lsh       Bit 1 : (Bank 1) Condition [2]. Lambda sensor installed downstream of cat downstream of outlet
                   | | | | | +------- b_ls3       Bit 2 : (Bank 1) Condition [3]. Lambda sensor installed downstream of outlet
                   | | | | +--------- b_ls4       Bit 3 : (Bank 1) Condition [4]. Lambda sensor installed downstream of outlet
                   | | | +----------- b_lsv2      Bit 4 : (Bank 2) Condition [1]. Lambda sensor installed upstream of cat downstream of outlet
                   | | +------------- b_lsh2      Bit 5 : (Bank 2) Condition [2]. Lambda sensor installed downstream of cat downstream of outlet
                   | +--------------- b_ls32      Bit 6 : (Bank 2) Condition [3]. Lambda sensor installed downstream of outlet
                   +----------------- b_ls42      Bit 7 : (Bank 2) Condition [4]. Lambda sensor installed downstream of outlet



*before* : val=0x01
*after* .0: state=TRUE  & 01    PROKON_FD02.4  b_lsv  : Condition 1. Lambda sensor installed upstream   of cat (Bank1)
*after* .1: state=false & 02    PROKON_FD02.2  b_lsh  : Condition 2. Lambda sensor installed downstream of cat (Bank1)
*after* .2: state=false & 04    PROKON_FD00.14 b_ls3  : Condition 3. Lambda sensor installed downstream of cat (Bank1)
*after* .3: state=false & 08    PROKON_FD02.0  b_ls4  : Condition 4. Lambda sensor installed downstream of cat (Bank1)
*after* .4: state=false & 10    PROKON_FD02.5  b_lsv2 : Condition 1. Lambda sensor installed upstream   of cat (Bank2)
*after* .5: state=false & 20    PROKON_FD02.3  b_lsh2 : Condition 2. Lambda sensor installed downstream of cat (Bank2)
*after* .6: state=false & 40    PROKON_FD00.15 b_ls32 : Condition 3. Lambda sensor installed downstream of cat (Bank2)
*after* .7: state=false & 80    PROKON_FD02.1  b_ls42 : Condition 4. Lambda sensor installed downstream of cat (Bank2)

---------[ ROM #1 ]----------------------

-[ ESKONF Configuration of power stage (actuators) ]-------------------------------------------

>>> Scanning for ESKONF Lookup code sequence...

found needle at offset=0x58336
*** Deactivating ESKONF_L : LH Rear O2 heater output        ***, orig = 0x33
*** Deactivating ESKONF_L : LH Rear O2 heater output        ***, new  = 0xf3

*** Deactivating ESKONF_R : RH Rear O2 heater output        ***, orig = 0x33
*** Deactivating ESKONF_R : RH Rear O2 heater output        ***, new  = 0xf3

And here's the ME9 version (still WIP!) dumping the Errorclass and p-codes table from a Ferrari 458 (PowerPC) rom. I guess people will be more interested when I release my Tricore version :)

0) [search=1] All Buffer Start:00000000 Length:00200000 2048.0 KBytes
(1) found reference to sig @ byte_offset=0x47CC0

00047CC0: 88 8D AD 66 lbz r4, -0x529A (r13) ; + 0 (0x0000)
00047CC4: 3D 80 00 5E lis r12, 0x005E ; + 4 (0x0004)
00047CC8: 39 8C 90 F3 subi r12, r12, 0x6F0D ; + 8 (0x0008)
00047CCC: 3D 60 00 5E lis r11, 0x005E ; + 12 (0x000C)
00047CD0: 7D 8C 22 14 add r12, r12, r4 ; + 16 (0x0010)
00047CD4: 3C 60 00 5E lis r3, 0x005E ; + 20 (0x0014)
00047CD8: 39 6B A4 38 subi r11, r11, 0x5BC8 ; + 24 (0x0018)
00047CDC: 7D 44 22 14 add r10, r4, r4 ; + 28 (0x001C)
00047CE0: 38 63 93 18 subi r3, r3, 0x6CE8 ; + 32 (0x0020)
00047CE4: 54 84 18 38 rlwinm r4, r4, 3, 0, 28 ; + 36 (0x0024)

CLAAAA: seg=0x1D valu=0x90F3 file-offset=0x1D90F3 phy=0x5D90F3

--(Dumped Error Class Table [548 bytes] )
(001) 0x1D90F3:00 0x1D90F4:00
(002) 0x1D90F5:06 0x1D90F6:06
(003) 0x1D90F7:00 0x1D90F8:00
(004) 0x1D90F9:00 0x1D90FA:06
(005) 0x1D90FB:03 0x1D90FC:03
(006) 0x1D90FD:03 0x1D90FE:03
(007) 0x1D90FF:03 0x1D9100:03
(008) 0x1D9101:03 0x1D9102:03
(009) 0x1D9103:06 0x1D9104:06

.. cut ..

(273) 0x1D9313:03 0x1D9314:03
(274) 0x1D9315:00 0x1D9316:00
--
CDCAAA: seg=0x1D valu=0x9318 file-offset=0x1D9318 phy=0x5D9318

--(Dumped Fault Code PID Table [4384 bytes] )
1D9318: (001) P0000 P0000 P0000 P0000 P0000 P0000 P0000 P0000 # + 0 (0x0000)
1D9320: (002) P0478 P0477 P0475 P0000 P1460 P1462 P1461 P0000 # + 8 (0x0008)
1D9328: (003) P0000 P0000 P0000 P0000 P0000 P0000 P0000 P0000 # + 16 (0x0010)
1D9330: (004) P0000 P0000 P0000 P0000 P145D P145E P145F P0000 # + 24 (0x0018)
1D9338: (005) P0000 P0000 P0000 P102E P0000 P0000 P0000 P102F # + 32 (0x0020)
1D9340: (006) P0000 P0000 P0014 P000B P0000 P0000 P0024 P000D # + 40 (0x0028)
1D9348: (007) P1526 P1527 P1528 P0000 P1534 P1535 P1536 P0000 # + 48 (0x0030)
1D9350: (008) P0338 P0000 P0339 P0336 P0388 P0000 P0389 P0386 # + 56 (0x0038)
1D9358: (009) P0000 P0000 P0000 P0571 P0000 P0000 P0000 P1569 # + 64 (0x0040)

.. cut ..

1D9B90: (272) P0000 P0000 P0000 P0000 P0000 P0000 P0000 P0000 # +2168 (0x0878)
1D9B98: (273) P1607 P160C P060A P0000 P1608 P160D P160A P0000 # +2176 (0x0880)
1D9BA0: (274) P0000 P0000 P0000 P0000 P0000 P0000 P0000 P0000 # +2184 (0x0888)
--
(2) found reference to sig @ byte_offset=0x177A8C

00177A8C: 88 8D AD 66 lbz r4, -0x529A (r13) ; + 0 (0x0000)
00177A90: 3D 80 00 5E lis r12, 0x005E ; + 4 (0x0004)
00177A94: 39 8C 90 F3 subi r12, r12, 0x6F0D ; + 8 (0x0008)
00177A98: 3D 60 00 5E lis r11, 0x005E ; + 12 (0x000C)
00177A9C: 7D 8C 22 14 add r12, r12, r4 ; + 16 (0x0010)
00177AA0: 3C 60 00 5E lis r3, 0x005E ; + 20 (0x0014)
00177AA4: 39 6B A4 38 subi r11, r11, 0x5BC8 ; + 24 (0x0018)
00177AA8: 7D 44 22 14 add r10, r4, r4 ; + 28 (0x001C)
00177AAC: 38 63 93 18 subi r3, r3, 0x6CE8 ; + 32 (0x0020)
00177AB0: 54 84 18 38 rlwinm r4, r4, 3, 0, 28 ; + 36 (0x0024)

Quote from: IamwhoIam on April 19, 2021, 03:34:52 AM

Very nice work, Trev!

I'd forgotten just how much I'd done actually. For instance, I just downloaded a random ME7 file for test purposes, in this case '06A906032HN.bin'.
Ran it on it and found 'free' space for code injection purposes (fully automatically)..

SSECUHN : 0261207440 : systemSupplierECUHardwareNumber SSECUSN : 1037360646 : systemSupplierECUSoftwareNumber DIF : 06A906032HN : .. BRIF : 0001 : .. OTHERID : 1.8L R4/5VT : .. >>> Scanning for McMess EPK String information [info] found KWP2000 needle @ offset:0x0002374A (val=0005,seg=0204). EPK: @ 0x10005 -> 0x10057 (39 bytes) { /1/ME7.5/5/4019.02//24b/Dst01o/210201// } { "readECUIdentification": { "SSECUHN": "0261207440", "SSECUSN ": "1037360646", "DIF": "06A906032HN ", "BRIF": "0001", "OTHERID": "1.8L R4\/5VT ", "EPK": "\/1\/ME7.5\/5\/4019.02\/\/24b\/Dst01o\/210201\/\/" } } Serialize readECUIdentification to file 'readECUIdentification.json' ..
-[ Free Space Analysis ]----------------------------------- Searching for free space in firmware... 1 ) Unused bytes @ 0x008040 - 0x008318 : length 728 (0x2D8 ) bytes 2 ) Unused bytes @ 0x009A92 - 0x009DE6 : length 852 (0x354 ) bytes 3 ) Unused bytes @ 0x00CB34 - 0x00DB00 : length 4,044 (0xFCC ) bytes 4 ) Unused bytes @ 0x00DF50 - 0x00F002 : length 4,274 (0x10B2 ) bytes 5 ) Unused bytes @ 0x00F380 - 0x00FC00 : length 2,176 (0x880 ) bytes 6 ) Unused bytes @ 0x00FC2E - 0x00FFFE : length 976 (0x3D0 ) bytes 7 ) Unused bytes @ 0x0202E2 - 0x021B00 : length 6,174 (0x181E ) bytes 8 ) Unused bytes @ 0x028ABA - 0x030000 : length 30,022 (0x7546 ) bytes 9 ) Unused bytes @ 0x032EA0 - 0x033A00 : length 2,912 (0xB60 ) bytes 10 ) Unused bytes @ 0x0A5848 - 0x0FFFE0 : length 370,584 (0x5A798 ) bytes Discovered 422,742 bytes (412.0 KBytes) unused in firmware [40.3%]. Largest free chunk region : 0xA5848, length 370,584 bytes.
--
Yes easy stuff but useful..

Or how about detecting VSV?

>>> Scanning for ROM VerstellSystem Variables table...

Num of entries: 17 VSV @ ROM:0X813282 RAM:0X6E32A2 File-Offset:0X13282 (seg=0x0204 [segadr=0x810000] val=0x3282) 1 ) vszw | 0x3808A5 | Ignition timing | 0 KW | Byte |-96..95.25 KW | 0.75 KW | ZUE 2 ) vsfrk | 0x38089E | Mixture factor | 1,0 | Byte | 0.75..1.25 | 0.001953 | ESGRU 3 ) vsvw | 0x3808A3 | Advancement angle | 0 KW | Byte | -768...762 | 6 KW | ESVW 4 ) vsns | 0x3808A1 | Nominal speed | 0 RPM | Byte | 0..2550/min | 10 RPM | LLRNS 5 ) vszwkr_0_A | 0x3808A6 | Ignition timing firing 1 | 0 | Byte |-96..95.25 KW | 0.75 KW | KRRA 6 ) vszwkr_1_A | 0x3808A7 | Ignition timing firing 2 | 0 | Byte |-96..95.25 KW | 0.75 KW | KRRA 7 ) vszwkr_2_A | 0x3808A8 | Ignition timing firing 3 | 0 | Byte |-96..95.25 KW | 0.75 KW | KRRA 8 ) vszwkr_3_A | 0x3808A9 | Ignition timing firing 4 | 0 | Byte |-96..95.25 KW | 0.75 KW | KRRA 9 ) vszwkr_4_A | 0x3808AA | Ignition timing firing 5 | 0 | Byte |-96..95.25 KW | 0.75 KW | KRRA 10 ) vszwkr_5_A | 0x3808AB | Ignition timing firing 6 | 0 | Byte |-96..95.25 KW | 0.75 KW | KRRA 11 ) vszwkr_6_A | 0x3808AC | Ignition timing firing 7 | 0 | Byte |-96..95.25 KW | 0.75 KW | KRRA 12 ) vszwkr_7_A | 0x3808AD | Ignition timing firing 8 | 0 | Byte |-96..95.25 KW | 0.75 KW | KRRA 13 ) vske | 0x38089F | Knock detection threshold | 0 | Byte | -8..8 | 0,0627 | KRKE 14 ) vsdmr | 0x38089C | Torque reserve | 0 % | Byte | 0..99.6% | 0.3906% | MDKOL 15 ) vsfpses | 0x38089D | Manifold air pressure | 1 | Byte | 0..2 | 0,0078 | AES 16 ) vsrlmx | 0x3808A2 | max.rl for LDR | 0% | Byte | rel sb q0p75 | LDRLMX ** Note: This is a SY_Turbo=true Application** 17 ) vsldtv | 0x3808A0 | TV LDR for appl. control | 0% | Byte | tv ub q0p64 | LDTVMA ** Note: This is a SY_Turbo=true Application**

The list of things it can do is quite extensive these days...

Or if thats a bit 'meh'... what about this feature? Automated CAN analysis.

Code:

Discovered 1 CAN node transmission function:
        CAN_A @ 0x34280

CAN Signature matches: 24
CAN Receive Ids
------------------------------------------------------------------------------------

can_msgobj[00]: type RX, RxCount= 1 { 0x0316 (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] miist_b  : Indexed engine torque high-pressure phase value
        [ 1    ] mifa_b   : Indexed engine torque driver request
        [ 2    ] mrfa_b   : Relative driver's wish torque from FGR and Pedal
        [ 3    ] mdverl_b : Engine loss moment
        [ 4    ] mimax_b  : Maximum reachable indexed moment
        [ 5    ] mdnorm_b : Maximum indexed engine torque for moment normalization
        [ 6    ] .0 : word_FD4A.11  **FIXME**
                 .1 : word_FD76.12  **FIXME**
                 .2 : word_FD76.8   **FIXME**
                 .3 : word_FD52.14  **FIXME**
                 .4 : word_FD52.11  **FIXME**
                 .5 : word_FD5C.11  **FIXME**
                 .6 : sfpbrems     : Sfpbrems: Status Error Path Brake: Brake Switch
                 .7 : word_FD5C.5   **FIXME**
        [ 7    ] unused
 };
can_msgobj[01]: type RX, RxCount= 1 { 0x0329 (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0- 1 ] mdverl_w: Motor torque loss
        [ 2- 3 ] dmllri_w: Required change in torque from the LLR (I component)
        [ 4    ] unused
        [ 5    ] unused
        [ 6    ] unused
        [ 7    ] unused
 };
can_msgobj[02]: type RX, RxCount= 1 { 0x051F (8) @ CAN_A };
can_msgobj[03]: type RX, RxCount= 1 { 0x034A (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] mist_w    : Indexed engine torque high pressure phase
        [ 1    ] mifa_w    : Indexed engine torque driver request
        [ 2    ] mrfa_w    : Relative driver's wish torque from FGG and pedal
        [ 3    ] mdlover_w : Engine loss moment
        [ 4    ] mimax_w   : Maximum reachable indexed moment
        [ 5    ] mdnorm    : Maximum indexed engine torque for moment normalization
        [ 6    ] _bits_    : Various bits **FIXME**
        [ 7    ] unused
 };
can_msgobj[04]: type RX, RxCount= 1 { 0x037C (8) @ CAN_A };
can_msgobj[05]: type RX, RxCount= 1 { 0x058F (8) @ CAN_A };
can_msgobj[06]: type RX, RxCount= 1 { 0x0153 (8) @ CAN_A        ASR Anti-Slip };
can_msgobj[07]: type RX, RxCount= 1 { 0x0613 (8) @ CAN_A
        *** Dashboard/Body ECU ***
        [ 0    ] unused
        [ 1    ] unused
        [ 2    ] unused
        [ 3    ] tankfst   : Fuel Tank Level
        [ 4    ] unused
        [ 5    ] unused
        [ 6    ] unused
        [ 7    ] unused
 };
can_msgobj[08]: type RX, RxCount= 1 { 0x045F (8) @ CAN_A
        *** Transmission Control Unit (NCR) ***
        [ 0    ] mdnorm
        [ 1    ] mdnorm
        [ 2    ] .0 \
                 .1  + gang_kup       : From F1 gearbox NCR Received current gear (3 bits)
                 .2 /
                 .3 CAN_bits1_FD10.2  : **FIXME**
                 .4 word_FD14.13      : **FIXME**
                 .5 CAN_FLAGS_ERR.5   : **FIXME**
                 .6 word_FD14.15      : **FIXME**
                 .7 CAN_FLAGS_ERR.1   : **FIXME**
        [ 3    ] mdindkuc_w : Indexed engine torque Request from F1 gearbox
        [ 4    ] nsoll_kup  : Setpoint speed from F1 gearbox
        [ 5    ] unused
        [ 6    ] unused
        [ 7    ] .0 CAN_bits2_FD18.6  : **FIXME**
 };
can_msgobj[09]: type RX, RxCount= 1 { 0x05AF (8) @ CAN_A };
can_msgobj[10]: type RX, RxCount= 1 { 0x05CF (8) @ CAN_A        Secondary Air Mass };
can_msgobj[11]: type RX, RxCount= 1 { 0x01F0 (8) @ CAN_A
        *** ABS Wheel Speeds: Message Populated/Generated/Sent by ABS ECU *** ;
        [ 0 -1 ] vrad_vl_w  : Wheel speed Front left
        [ 2 -3 ] vrad_vr_w  : Wheel speed Front right
        [ 4 -5 ] vrad_hl_w  : Wheel speed Rear left
        [ 6 -7 ] vrad_hr_w  : Wheel speed Rear right
 };
can_msgobj[12]: type RX, RxCount= 1 { 0x05BF (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] unused
        [ 1    ] unused
        [ 2    ] unused
        [ 3    ] unused
        [ 4    ] unused
        [ 5    ] _bits_    : Various bits **FIXME**
        [ 6 -7 ] wpedc_w   : Pedal value shared between ME7 ECU's
 };
can_msgobj[13]: type RX, RxCount= 1 { 0x05D5 (8) @ CAN_A };
can_msgobj[14]: Unused
can_msgobj[15]: Unused

CAN Transmit Ids
------------------------------------------------------------------------------------

can_msgobj[00]: type TX, RxCount= 1 { 0x0316 (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] miist_b  : Indexed engine torque high-pressure phase value
        [ 1    ] mifa_b   : Indexed engine torque driver request
        [ 2    ] mrfa_b   : Relative driver's wish torque from FGR and Pedal
        [ 3    ] mdverl_b : Engine loss moment
        [ 4    ] mimax_b  : Maximum reachable indexed moment
        [ 5    ] mdnorm_b : Maximum indexed engine torque for moment normalization
        [ 6    ] .0 : word_FD4A.11  **FIXME**
                 .1 : word_FD76.12  **FIXME**
                 .2 : word_FD76.8   **FIXME**
                 .3 : word_FD52.14  **FIXME**
                 .4 : word_FD52.11  **FIXME**
                 .5 : word_FD5C.11  **FIXME**
                 .6 : sfpbrems     : Sfpbrems: Status Error Path Brake: Brake Switch
                 .7 : word_FD5C.5   **FIXME**
        [ 7    ] unused
 };
can_msgobj[01]: type TX, RxCount= 1 { 0x0329 (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0- 1 ] mdverl_w: Motor torque loss
        [ 2- 3 ] dmllri_w: Required change in torque from the LLR (I component)
        [ 4    ] unused
        [ 5    ] unused
        [ 6    ] unused
        [ 7    ] unused
 };
can_msgobj[02]: type TX, RxCount= 1 { 0x051F (8) @ CAN_A };
can_msgobj[03]: type TX, RxCount= 1 { 0x034A (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] mist_w    : Indexed engine torque high pressure phase
        [ 1    ] mifa_w    : Indexed engine torque driver request
        [ 2    ] mrfa_w    : Relative driver's wish torque from FGG and pedal
        [ 3    ] mdlover_w : Engine loss moment
        [ 4    ] mimax_w   : Maximum reachable indexed moment
        [ 5    ] mdnorm    : Maximum indexed engine torque for moment normalization
        [ 6    ] _bits_    : Various bits **FIXME**
        [ 7    ] unused
 };
can_msgobj[04]: type TX, RxCount= 1 { 0x037C (8) @ CAN_A };
can_msgobj[05]: type TX, RxCount= 1 { 0x058F (8) @ CAN_A };
can_msgobj[06]: Unused
can_msgobj[07]: Unused
can_msgobj[08]: Unused
can_msgobj[09]: type TX, RxCount= 1 { 0x05AF (8) @ CAN_A };
can_msgobj[10]: type TX, RxCount= 1 { 0x05CF (8) @ CAN_A        Secondary Air Mass };
can_msgobj[11]: Unused
can_msgobj[12]: type TX, RxCount= 1 { 0x05BF (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] unused
        [ 1    ] unused
        [ 2    ] unused
        [ 3    ] unused
        [ 4    ] unused
        [ 5    ] _bits_    : Various bits **FIXME**
        [ 6 -7 ] wpedc_w   : Pedal value shared between ME7 ECU's
 };
can_msgobj[13]: type TX, RxCount= 1 { 0x05D5 (8) @ CAN_A };
can_msgobj[14]: Unused
can_msgobj[15]: Unused

Quote from: geo22 on November 16, 2022, 01:26:42 PM

Yes, sir! I've tried and it showed me the list of options which I can't manage to use

Try typing help at the command prompt followed by the return key...This thing here. C:\Users\NOOOOOB>. This will list all the commands currently supported in by Microsoft. There are more commands not listed, but let's just not go there at the moment. The two commands that will help you the most are CD and Dir. If you type any command listed in the help menu followed by /? you will see the arguments to pass to that specific command. For example CD /? This is used for changing directory or folder and will give you options on what to do with it. Or Dir /? Dir is used to find out what is in that directory or folder. You can use Google for more information for the commands too. Typically speaking you want your command prompt to be showing the directory your program is in and any associated files that came with the program should be in the same directory. Programs and files can be done using different directories, but it's a bit more typing. And a lot more explaining. So for example C:\Users\NOOOOOB\Desktop\myfolder\Myprogram.exe associatedfile.bin Some 3rd party programs allow for /? at the end depending who built the program. And some if you just type in Myprogram without passing an argument the window will list all the arguments that can be passed into the program. Some programs have readme files that come with it. ALWAYS read those first. If you still getting nowhere Google example of running commands in the command window.

NefMoto

Technical => Reverse Engineering => Topic started by: 360trev on September 06, 2018, 05:04:36 AM