Technical => Tuning => Topic started by: mutzicu on August 10, 2019, 09:56:03 AM
Title: LC/NLS ASM help
Post by: mutzicu on August 10, 2019, 09:56:03 AM
Yes, I did... and another 2 40 pages threads... It's just that this ASM and hex is a bit over my head. To be honest, I program c#, asp, asp.net, c#.net, .net core, php... Took me years to master them, it feels weird now to start assembly not that I couldn't do it, but mostly it's the time that lately seems not to be enogh to catch a breath even.... As I was quite passionate about electronics, years ago, I started playing around with atmega controllers and that wa sthe first time I got into ASM. However, I don't know exactly why I stopped, probably family, job, I don't even remember.... However, getting back to my current issue - I figured out that the launch php script doesn't properly do the movb to calls conversion - that part of the code remains intact as you can see in the attached difference.jpg. So I've modified it from the original F3 F8 E8 18 to DA 87 C0 4F considering that DA changes to calls and the address where I asked the script to put the function is 0x74fc0 The script places the function at the proper address and also places the variables starting 0x7a000 as you can see attached. I've tried with FTOMN 00, 01 and 02 with same result - LC not working. I had the impression during first tries that it starts to cut injection but that was just a false positive generated by my pops and bangs settings. Now, there can be only 2 issues - either the variables are not correctly addressed in the function, which I kind of doubt, either reading through some of the posts there might be a problem in the function with the engine temp readings - which I could only test by using a function without the temperature factor, which I don't have and which for the moment is beyond my capabilities to create. Or maybe there's more that I can't even figure out now....
Title: LC/NLS ASM help
Post by: mutzicu on August 10, 2019, 11:31:41 AM
LE: I've tried a manual implementation using Masterj LCmodder which doesn't seem to implement the temperature check... still no success with both FTOMN 00 01 or 02... Am I doing something wrong with addressing?
Title: Re: LC/NLS ASM help
Post by: nyet on August 10, 2019, 01:45:05 PM
Split and moved to tuning since it looks like you are serious about doing actual ASM coding :)
It looks right to me at first glance, but unfortunately I don't have the time to really dig into it since I don't have an IDA project for that ECU. I do know there are a lot of assumptions in the launch.php that make it inappropriate as a general tool.
Hopefully others can chime in.
In general, though, you really want to be doing this work with IDA, and not soley rely on automated tools.
Title: Re: LC/NLS ASM help
Post by: _nameless on August 10, 2019, 02:32:41 PM
What file are you having issues with?
Title: Re: LC/NLS ASM help
Post by: vwaudiguy on August 10, 2019, 03:48:31 PM
Remember hearing/reading about people having issues with the 512 binaries, and implementing LC. This was using the patcher that works fine on the 1028 bins.
Title: Re: LC/NLS ASM help
Post by: mutzicu on August 11, 2019, 02:03:46 AM
Here is the clean bin and the modded bin
Thanks,
Title: Re: LC/NLS ASM help
Post by: SQT on August 12, 2019, 04:56:41 AM
LE: I've tried a manual implementation using Masterj LCmodder which doesn't seem to implement the temperature check... still no success with both FTOMN 00 01 or 02... Am I doing something wrong with addressing?
Hi, if you understand how to change the code, try making a light (check engine) indication of conditions
Title: Re: LC/NLS ASM help
Post by: fknbrkn on August 12, 2019, 06:42:38 AM
this code has many probs
1. why youre called it 2 times? 0x6EA0A looking weird for me..
what is the byte_C881 here in begining of the func? if its tmot, it should be 0x380AB9 or 0x8AB9 in your code or B98A in hex C2 F4 81 C8 -> C2 F4 B9 8A
3. exts of all your params are 81 but you placed them in seg 87 so you should change exts to 87 ( D7 81 00 00 -> D7 87 00 00 everywhere) or place your params to somewhere in 0x1xxxx section
4. word param was placed in A009 wtf.. you should change it to A00A C2 F9 09 A0 -> C2 F9 0A A0
Title: Re: LC/NLS ASM help
Post by: mutzicu on August 12, 2019, 09:07:02 AM
Hi,
Thank you very much for your time looking into this. I guess the problem lays with the scripts generating the function.... I've tried to implement the changes you suggested, but it didn't seem to work. Can I ask you about point: 1. Now that you mentioned, it seems the function is called twice... I think the script places the call wrongly at 0x073f6e while it should be at 0x6ea0a... Isnt's this the correct location? I know it should be the 4 bytes before last D7 40 06 02 03 F8 which in my file is position 0x6ea0a. 2. I think the script was set to use tmotlin (0x384881) instead of tmot - I guess both should work.... 3. variables are set starting 0x7A000 - LaunchSpeedT 2 bytes; 0x7A002 - LaunchRPM - 2 bytes; 0x7A004 - IginitionCutDuration - 2 bytes; 0x7A006 - RPM Threshold - 2 bytes; 0x7A008 - AccPedalThreshold - 1 byte and 0x7A009 - Water Temp Thershold - 1 byte. I am not sure what D7 00 81 00 stands for as it occurs several times in both scripts, but both seem to be static in the scripts, thus not depending on the variable addresses or whichever custom addresses used by the script. 4. sorry, this one I do not understand.
I've followed your advice and generated this code:
I've called it at 0x6EA0A as that seems OK to me (please correct me if I'm wrong) .... and still no luck Attached the test bin
Title: Re: LC/NLS ASM help
Post by: nyet on August 12, 2019, 09:30:34 AM
Please post the appropriate IDA code disassembly...
Title: Re: LC/NLS ASM help
Post by: fknbrkn on August 12, 2019, 09:56:24 AM
1 should be called @73f6e only 3 as i said water temp should be @7A00A check it in your xdf 4 long story short - word param takes 16bit and byte is 8bit, this script uses words and you should place them with 16bit step. A006 A008 A00A etc
change FD 40 to CC 00 @74FCE to avoid this tmotlin check for test
Title: Re: LC/NLS ASM help
Post by: mutzicu on August 12, 2019, 10:43:49 AM
Success :) Thank you for this one! I've grabbed IDA and will try again to learn to properly dissasemble it. Maybe I'll get back with a few questions about this if any of you won't mind.
Title: Re: LC/NLS ASM help
Post by: BlackT on November 02, 2019, 09:42:59 AM
I had used Keil compiler in the past for small sections
Can you tell me small notes how to start using it?
Title: Re: LC/NLS ASM help
Post by: armageddon on November 03, 2019, 07:15:38 AM
Long time ago and I did not used it much...
You can not open the hole file so what I have done was cut the hex code needed to a new hex file and export it as 16 bit.
Then you open keil, you have to creat a new project first, select procesor, then open that project and import the hex... Sorry not being more helpfull but I do not have it installed anymore and dont remenber all steps, but if you search a litle bit you will find all you need.
Title: Re: LC/NLS ASM help
Post by: fknbrkn on November 03, 2019, 08:01:58 AM
You can not open the hole file so what I have done was cut the hex code needed to a new hex file and export it as 16 bit.
Then you open keil, you have to creat a new project first, select procesor, then open that project and import the hex... Sorry not being more helpfull but I do not have it installed anymore and dont remenber all steps, but if you search a litle bit you will find all you need.
sorry but can't find any information about importing HEX. Only export, but i will try futher thank you for your help
I published the ASM source code for my LC / NLS patch for ME7.9.10. This published one is a first working version of what I developed later to include all bells and whistles (that beefed up version is for sale only). This published code is loosely based on the disassembly of the Wiki code for VAGs.
Title: Re: LC/NLS ASM help
Post by: armageddon on November 03, 2019, 11:21:44 AM
sorry but can't find any information about importing HEX. Only export, but i will try futher thank you for your help Yes i know, but i want to dissamble it. To see how that thing work ( I have that writen in C, and know how work, but want to see that in ASM)
Iike I said, its been a while since I do not mess with it. Here, read this http://nefariousmotorsports.com/forum/index.php?topic=359.0
Also, theres already a topic or two with the disassembled code, if you just need comparation...
Title: Re: LC/NLS ASM help
Post by: BlackT on November 06, 2019, 04:00:06 AM
I published the ASM source code for my LC / NLS patch for ME7.9.10. This published one is a first working version of what I developed later to include all bells and whistles (that beefed up version is for sale only). This published code is loosely based on the disassembly of the Wiki code for VAGs.
Iike I said, its been a while since I do not mess with it. Here, read this http://nefariousmotorsports.com/forum/index.php?topic=359.0
Also, theres already a topic or two with the disassembled code, if you just need comparation...
Now we speak same language :D thank you this make all much easier
Yes but somethimes search this forum is really hard, it hides so many diamants,every day I acidently come across some thread witch contain a gold worhtwhile information
Title: Re: LC/NLS ASM help
Post by: BlackT on December 13, 2019, 01:32:08 PM
Could somebody help me little with this, I want to make LC without NLS
Code:
9A 80 13 90 F2 F4 00 9E D7 00 81 00 F2 F9 D0 7E 40 49 9D 0B F2 F4 9E F8 D7 00 81 00 F2 F9 D2 7E 40 49 FD 03 F7 8E EC 8B 0D 2F DB 00
It could be done with the rpm settings And no its a raw hextoasm translation without any analysis https://github.com/AndyWhittaker/IDAProBoschMe7x
What you mean it could be done with RPM setings? Unfortunately i don't have IDA pro full version, so I cant load that helper :'( . I am using Keil uVision
9A 26 13 60 F2 F4 00 9E D7 00 81 00 F2 F9 D0 7E 40 49 9D 0B F2 F4 9E F8 D7 00 81 00 F2 F9 D2 7E 40 49 FD 03 F7 8E EC 8B
In coments I will translate how i figure out this
Code:
9A261360 JNB 0xFD4C.6,0x00002A // if 0x00FD4C 0x0040(clutch condition adress) is different from zero, go to next instruction F2F4009E MOV R4,DPP2:0x1E00 // some sorf of move 0x381E00 (V-fill or kmh value) to R4 D7008100 EXTS #0x0081,#1 //didn't figure out what this stands for, some sort of disable interupts in MCU F2F9D07E MOV R9,DPP1:0x3ED0 // move 0x17ED0 (my threshold km/h) to R9 4049 CMP R4,R9 //compare 9D0B JMPR CC_NC,0x00002A //didn't figure out what this stands for F2F49EF8 MOV R4,DPP3:0x389E //again same process for RPM threshold D7008100 EXTS #0x0081,#1 F2F9D27E MOV R9,DPP1:0x3ED2 4049 CMP R4,R9 FD03 JMPR CC_ULE,0x00002A F78EEC8B MOVB DPP2:0x0BEC,ZEROS //if all conditions are meth, set 0 in 0x380BEC( what is tsrldyn) DB00 RETS // end of function
Title: Re: LC/NLS ASM help
Post by: fknbrkn on December 14, 2019, 05:41:11 AM
The floating here routine has few settings Set min rpm for nls higher than redline and this path will be disabled As for ida, I can not recommend you russian bt tracker rutracker.org It's illegal you know so dont do it
Title: Re: LC/NLS ASM help
Post by: BlackT on December 14, 2019, 05:57:36 AM
The floating here routine has few settings Set min rpm for nls higher than redline and this path will be disabled As for ida, I can not recommend you russian bt tracker rutracker.org It's illegal you know so dont do it
Yes that will be easy path, but I really want to learn more about ASM in this MCU
How hard will be to add to this function to move ignition after TDC when LC is active?
Title: Re: LC/NLS ASM help
Post by: prj on December 14, 2019, 10:06:32 AM
Real men write straight hex on c167 ;D
Title: Re: LC/NLS ASM help
Post by: woj on December 14, 2019, 10:54:17 AM
Yes that will be easy path, but I really want to learn more about ASM in this MCU
How hard will be to add to this function to move ignition after TDC when LC is active?
You cannot learn about asm wo dissasembled flash code As for the ignition personally im using another hook for my brakeboost routine. Just right above ZWGRU calculation c167 super friendly for begginers, just replace some code with calls to your routine, do your thing, keep in mind about registers if they has been write above your code and read after, do the code that you replaced with calls and then rets get ida, load original file and the same with implemented als/nls and youve see what im talkin bout
ive done once some routine with customer (it guy) on the back and i just write some hook like an DA 8B 00 10 etc in hex editor (rare file, one-time job) and hes like wtf
Title: Re: LC/NLS ASM help
Post by: BlackT on December 16, 2019, 02:23:57 PM
You cannot learn about asm wo dissasembled flash code As for the ignition personally im using another hook for my brakeboost routine. Just right above ZWGRU calculation c167 super friendly for begginers, just replace some code with calls to your routine, do your thing, keep in mind about registers if they has been write above your code and read after, do the code that you replaced with calls and then rets get ida, load original file and the same with implemented als/nls and youve see what im talkin bout oh common, get the masterj me7 tuning wizard excel sheet from 2007
Thank you for your help, I will try to get some progress now
Title: Re: LC/NLS ASM help
Post by: armaan on February 02, 2020, 03:29:40 PM
Hi all, hope you all are well. :)
Followed the instructions for 2Step LC in the attached document (Except for NLS, only for 2Step). Didn't move code (the addresses Setzi originally used are different from the ones I used, but I think I applied the principle correctly, especially the part for DA (calls) & used Setzi's standard example which is:
"A6 01 50 46 0A 00 F0 55 E6 FF FF FF FF FF FF FF" atleast, according to the Document. Definitely DID NOT use Eduu's 2StepScript. Checksummed one file with MTX's ME7-2002 plugin for TunerPro RT V5 & the other with ME7Sum.
So far, ME7Sum has been working for all my Map files, but I'm not so certain it would work on this one since I had to toy around with Hex addresses which brings me to my question:
Have I implemented 2Step correctly and which checksummed file should I test flash onto my Polo GTI 9n3?
Here's the full log of ME7Sum:
Code:
Attempting to open firmware file 'image.bin'
Step #1: Reading ROM info .. Searching for EPK signature...OK Searching for ECUID table...OK EPK : '39/1/ME7.5/3/X505R//24C/SP24C91/270705/' Part Number : '06A906032TL ' Engine ID : '1.8l R4/5VT ' SW Version : '0040' HW Number : '0261208950' SW Number : '1037378104'
Step #2: Reading ROMSYS .. Startup section: word[0x008000]+word[0x00FFFE] @08038 Add=0x000106FF CalcAdd=0x000106FF ADD OK All param page: word[0x010000]+word[0x01FFFE] @01bf98 Add=0x00971D CalcAdd=0x00971D ADD OK
Step #4: Finding CRC table(s) .. Searching for CRC table(s)...OK CRC table(s) OK
Step #5: Reading Main Data Checksums .. Searching for main data CRC pre block...missing Searching for main data CRC/csum blocks...OK Searching for main data CRC offsets...missing Searching for main data checksum offsets...OK Main Checksums: 1) 0x010002-0x013FFE CalcCSM: 001398C5 2) 0x014252-0x017F4E CalcCSM: 0026055E 3) 0x018192-0x01FBDC CalcCSM: 00441514 4) 0x026A00-0x02FFFC CalcCSM: 00BFEF41 @8ffb6 CSM: 00BFE857 CalcCSM: 00BFEF41 ** FIXED **
Step #6: ROMSYS Program Pages Program pages: 8k page first+last in 0x0000-0xFFFF and 0x20000-0xFFFFF @00803c Add=0xA19B73 CalcAdd=0xA19B73 ADD OK
Step #7: Reading Main Program Checksums .. Searching for main program checksum..OK ROM Checksum Block Offset Table @1fb72 [16 bytes]: 1) 0x000000-0x00FBFF CalcChk: 48D09FE4 0x00FC00-0x01FFFF CalcChk: 20D987EB CalcCRC: CB1C2009 SKIPPED 2) 0x020000-0x0FFFFF CalcChk: 2B10DB2A @fffe0 Chk: 2B08E592 CalcChk: 2B10DB2A ** FIXED **
Step #8: Reading Multipoint Checksum Blocks .. Searching for multipoint block descriptor #1...missing Searching for multipoint block descriptor #2...OK 1) <1fbde> 0x000000-0x003FFF Chk: 0FA0F5CF Boot: (whitelisted) OK 2) <1fbee> 0x004000-0x007FFF Chk: 0F4716B3 Boot: (whitelisted) OK 3) <1fbfe> 0x000000-0x003FFF Chk: 0FA0F5CF CalcChk: 0FA0F5CF OK .......... 64) <1ffce> 0x0F4000-0x0F7FFF Chk: 1FFFE000 CalcChk: 1FFFE000 OK 65) <1ffde> 0x0F8000-0x0FBFFF Chk: 1FFFE000 CalcChk: 1FFFE000 OK 66) <1ffee> 0x0FC000-0x0FFFFF Chk: 1FFDE002 CalcChk: 1FFDE002 OK Multipoint #2: [66 blocks x <16> = 1056 bytes]
Step #9: Looking for rechecks .. <1fc6e> 0x01C000-0x01FFFF Chk: 062978B8 CalcChk: 062978B8 OK (recheck)
*** Found 70 checksums in image.bin
Attempting to output corrected firmware file 'out.bin' þ Opening 'out.bin' file for writing þ Writing to file þ Validating size correct 1048576=1048576 þ All OK, closing file
*** DONE! 5/5 error(s) in image.bin corrected in out.bin! ***
The document I used is this one: ME7.x_LC_NLS_rev003.pdf (Shows Setzis method) Doesnt seem to want to upload, but I got it off this forum.
Title: Re: LC/NLS ASM help
Post by: BlackT on August 10, 2020, 08:03:57 AM
Yes is working ;D, next step is to retard ignition...
You should really add in some flags there that you can use to say "when" to retard ignition. then you wont have to do all that magic in one piece of code.
Title: Re: LC/NLS ASM help
Post by: BlackT on September 25, 2020, 12:05:32 AM
You should really add in some flags there that you can use to say "when" to retard ignition. then you wont have to do all that magic in one piece of code.
Yes, that will be a easy part Hard part for me, would be to find in flash ZWGRU calculation
Title: Re: LC/NLS ASM help
Post by: BlackT on June 16, 2021, 02:12:32 AM
Can someone please explain me (With example) what EXTS function does
Code:
The extension instructions EXTP, EXTPR, EXTS, and EXTSR override the standard DPP addressing scheme, using immediate addresses instead.
what is difference between EXTS #0x0081,#1 and EXTS #0x0038,#1 ?
Everything is described in the instruction set manual, EXT functions do exactly what they say, they override the standart c167 dpp adressing scheme for a certain amount of commands, thats what the number after represents.
Take a look at prjs recent boost controller release:
EXTS tells that you gonna override the standart adressing for 4 commands. In this case exts 38 hex means RAM access basically. ps_w is moved into R4 and then it is used to set/store ps_w_prev values for the controller.
CC flags are used to create conditional jumps and such,each command sets the cc flags differently:
MOV R4, fixdcflag JMP CC_z, standard
This is used to determine if the controller is gonna run on fix DC or PID mode.
Title: Re: LC/NLS ASM help
Post by: BlackT on June 18, 2021, 12:59:00 AM
Thank You :) :) ;)
DDP1 ROM DDP2 RAM DPP3 Fast RAM
Code:
9A261360 JNB 0xFD4C.6,0x00002A // if 0x00FD4C 0x0040(clutch condition adress) is different from zero, go to next instruction F2F4009E MOV R4,DPP2:0x1E00 // move 0x381E00 (V-fill or kmh value) to R4 D7008100 EXTS #0x0081,#1 // F2F9D07E MOV R9,DPP1:0x3ED0 // move 0x17ED0 (my threshold km/h) to R9
This part I don't understand, why before coping 0x1E00 to R4 there is no EXTS function before? Why it is when copying 0x3ED0 to R9 there is?
4049 CMP R4,R9 //compare 9D0B JMPR CC_NC,0x00002A //Jump to 0x2A if R4 and R9 are not same F2F49EF8 MOV R4,DPP3:0x389E //again same process for RPM threshold D7008100 EXTS #0x0081,#1 F2F9D27E MOV R9,DPP1:0x3ED2 4049 CMP R4,R9 FD03 JMPR CC_ULE,0x00002A //Jump to 0x2A if R4 Less Than or Equal to R9 F78EEC8B MOVB DPP2:0x0BEC,ZEROS //if all conditions are meth, set 0 in 0x380BEC( what is tsrldyn) DB00 RETS // end of function
Why this function use only R4 and R9, why not R4 and R5?
Title: Re: LC/NLS ASM help
Post by: fknbrkn on June 20, 2021, 01:10:29 PM
You could use any (with some restrictions on byte adressing see c167 docs) Be careful to avoid using registers which stores some data from main code flow i.e.
Mov r4, #22h // r4 22h for now Calls 8Bh, #your_subroutine // where you used r4 to store zeros ... Movb tsrldyn, rl4 // stock code expecting 22h here but youve replaced r4 with zeros and get a blown coils
Your_subroutine: Movb rl4, zeros Rets
Title: Re: LC/NLS ASM help
Post by: prj on June 20, 2021, 01:16:40 PM
To understand why which registers are used and especially their volatility, it is a good idea to read the EABI for the processor.
Title: Re: LC/NLS ASM help
Post by: gt-innovation on June 21, 2021, 06:02:23 AM
You could use any (with some restrictions on byte adressing see c167 docs) Be careful to avoid using registers which stores some data from main code flow i.e.
Mov r4, #22h // r4 22h for now Calls 8Bh, #your_subroutine // where you used r4 to store zeros ... Movb tsrldyn, rl4 // stock code expecting 22h here but youve replaced r4 with zeros and get a blown coils
Your_subroutine: Movb rl4, zeros Rets
Everything that forces 0 to tsrldyn is not optimal and for some older ecus not even safe. you can retard ignition with 2-3 different ways and manipulate ignition fade in/out stat bits.
Title: Re: LC/NLS ASM help
Post by: fknbrkn on June 21, 2021, 10:55:31 AM
Just a sample of typical newbie reverser trap
Title: Re: LC/NLS ASM help
Post by: BlackT on July 06, 2021, 03:24:52 AM
Thank you all I am going to dig more around, and try to figure out more. I didn't install any plug in to IDA, would that be any of help for this beginner level?
Title: Re: LC/NLS ASM help
Post by: Praga on July 21, 2021, 05:23:43 AM
Thank you all I am going to dig more around, and try to figure out more. I didn't install any plug in to IDA, would that be any of help for this beginner level?
The Boschme7 plugin is helpful
Title: Re: LC/NLS ASM help
Post by: BlackT on July 23, 2021, 12:44:58 AM
This one?
Also, how hard is to make function that turn on MIL? Can someone give me some push to do it on this file? From where to start?
From Me7logger I see B-mil is at B_mil , {} , 0x00FD22, 2, 0x0001, {}
Now first how to find it in flash where it set MIL on/off so I can make there jump to my function?
Title: Re: LC/NLS ASM help
Post by: BlackT on July 26, 2021, 03:23:50 AM
I think i found something -Could be this function to set MIL on/off? -If it is, how to find in flash when ECU call this routine? -Next step will be to bypass it, and make my own function for MIL?
Title: Re: LC/NLS ASM help
Post by: _nameless on July 26, 2021, 06:25:18 AM
example of your file patched with ignition retard, knock and lambda disabled during routine and hard cut rev lim all in one patched file ;)
Title: Re: LC/NLS ASM help
Post by: BlackT on July 26, 2021, 10:02:17 AM
Thank you very much. You gave me a lot of homework.
I am just curios, Is this file generated by some script, beacuse I have one tune from US tuner and functions are similar.
Title: Re: LC/NLS ASM help
Post by: Blazius on July 26, 2021, 12:15:29 PM
I think i found something -Could be this function to set MIL on/off? -If it is, how to find in flash when ECU call this routine? -Next step will be to bypass it, and make my own function for MIL?
Why is your file all messed up, seg015? and such, that is not a proper defined and disassembled file. Use a combination of prj's scripts, .ecu file load script / a2l and andy's plugin to produce decent idb.
Title: Re: LC/NLS ASM help
Post by: BlackT on July 27, 2021, 03:31:06 AM
Why is your file all messed up, seg015? and such, that is not a proper defined and disassembled file. Use a combination of prj's scripts, .ecu file load script / a2l and andy's plugin to produce decent idb.
I don't know I just loaded bin in IDa, set procesor to C167 and that it is.
About script and plugins, I still didn't find way how to load them, install, use or whatsoever. I have IDA 5.5 maybe that is a problem?
Title: Re: LC/NLS ASM help
Post by: fknbrkn on July 27, 2021, 06:09:25 AM
Iirc there is a reverse logic ie bclr b_mil turns on mil and bset turns off
Title: Re: LC/NLS ASM help
Post by: Blazius on July 27, 2021, 06:18:06 AM
I don't know I just loaded bin in IDa, set procesor to C167 and that it is.
About script and plugins, I still didn't find way how to load them, install, use or whatsoever. I have IDA 5.5 maybe that is a problem?
Aight. Here is how I do it.
1. Download the pack of scripts and stuff I included, since you already have Andy's plugin install I didnt include that. 2. Check what CPU you have if you dont know, just use the included CPU rom which is the most generic one. 3. Open loadbin_idaq autoit script , ofcourse you need autoit installed. Then start IDA, this script is for the idaq with the new qt stuff, instead of idag.exe which is an older version I am not sure which one is 5.5.
Click on Go, "work on your own", click load rom in the script -> select the cpu bin. It will automatically set the processor, set the segments such as IRAM and RAM. After click load flash , which will be your binary file that you wanna disassemble.
4.Go to file-> Run script -> select import.ecu file script. Ofcourse you should generate an ECU file for your binary if you dont have an a2l , if you do you can load the a2l instead using a different script from prj's helper scripts. Find your .ecu file, it should load, then click on OK to load them. I like to save and restart at this point.
5. Open IDA, start up the project which you just created, then go to Edit-Plugins-BoschME7 plugin , Andy's plugin which you should have installed properly. Select all boxes except the 2 at the top, so it does not mess up your project. Let it do its thing ofcourse. Save again.
6.Open loadbin autoit script again, then start IDA, open your project. Go to File->Run script, select processrom.py, then at the bottom in the console type processrom(0x80000, 0x8FFFFF) this process the flash again.
7.Navigate to 0x80000 and click Start cleanup in the autoit script which will remove any unreferenced code which might have been created accidentaly etc.
This should produce a pretty decent and cohesive dissassembly project. I dont know if anyone got a better method feel free to share ;) Hope I didnt make any mistakes in writing this as I gotta go work right now, so will recheck in a few hours. Good luck.
Title: Re: LC/NLS ASM help
Post by: BlackT on July 27, 2021, 01:41:21 PM
Thank you very much :) what IDA version do you use? Script doesn't work with 5.5, I instaled 6.8 but I can only load ROM, nothing hapen when I click load flash
Title: Re: LC/NLS ASM help
Post by: Blazius on July 27, 2021, 01:59:09 PM
Thank you very much :) what IDA version do you use? Script doesn't work with 5.5, I instaled 6.8 but I can only load ROM, nothing hapen when I click load flash
6.1 32 bit ofcourse.
Title: Re: LC/NLS ASM help
Post by: BlackT on June 08, 2022, 03:05:32 PM
You could use any (with some restrictions on byte adressing see c167 docs) Be careful to avoid using registers which stores some data from main code flow i.e.
Mov r4, #22h // r4 22h for now Calls 8Bh, #your_subroutine // where you used r4 to store zeros ... Movb tsrldyn, rl4 // stock code expecting 22h here but youve replaced r4 with zeros and get a blown coils
Your_subroutine: Movb rl4, zeros Rets
Soo the most secure metod is to copy this registers to some unused memory, and after my function to reverse tham back
Let say 1. My custom function start 2. Copy r4 to 81400, copy r5 to 8140A... 3. I use that r4 and r5 in my function so I can play with them 4. Before end of my function 5. Copy 81400 to r4, copy 8140A to r5 6. Return to main code
This will take a little more work but will make sure It safe
Title: Re: LC/NLS ASM help
Post by: fknbrkn on June 10, 2022, 09:30:45 AM
What is the 81400 ? Just use any others which written next to your CALLS
I.e
Mov r4, mem Calls <your routine> Mov mem, r4 // r4 consist some data which was written before your routine and inspected after so you cannot use it here Mov r6, mem // r6 written here so it wont consist any useful data, use it
Another way is to use system stack
Title: Re: LC/NLS ASM help
Post by: BlackT on June 10, 2022, 10:30:09 AM
What is the 81400 ? Just use any others which written next to your CALLS
I.e
Mov r4, mem Calls <your routine> Mov mem, r4 // r4 consist some data which was written before your routine and inspected after so you cannot use it here Mov r6, mem // r6 written here so it wont consist any useful data, use it
Another way is to use system stack
81400 forget it, I yust put that number I mean some free RAM space
How can I be sure that r6 is not used somewere else. Let say 60 program code lines before my call. Or I need to watch only that subroutine?
Maybe best that I put example what I mean
Title: Re: LC/NLS ASM help
Post by: fknbrkn on June 10, 2022, 01:43:19 PM
Again Registers are global ! That means if r6 was written in main thread, it stores same data when cpu jumps to your subroutine, do rhings in it and rets back. So just avoid using registers which first instruction after your custom call are reading from register and feel free if its write to register Its just a simple logic idk how to say
Title: Re: LC/NLS ASM help
Post by: BlackT on June 10, 2022, 03:15:42 PM
Again Registers are global ! That means if r6 was written in main thread, it stores same data when cpu jumps to your subroutine, do rhings in it and rets back. So just avoid using registers which first instruction after your custom call are reading from register and feel free if its write to register Its just a simple logic idk how to say
I understand they are global
And this is all I need to hear, I was assume that but only need confirmation Thank you
Title: Re: LC/NLS ASM help
Post by: BlackT on July 09, 2022, 11:28:21 AM
After that I put this thing two things like was original (still don't know what this [r0+] mean )
After some rest I will check if I forget something in code or if something is wrong .
Only question I want to know did I made jump and return from and to original function?
Don't have car here to test it
Title: Re: LC/NLS ASM help
Post by: fknbrkn on July 09, 2022, 01:56:26 PM
Its ok But why are you not hooking at the loc_8B89B2 ? All others are obviously min/max caps so just replacing movb zwgru, rl4 would be a bit easier imo, just remember that r4 consists original zwgru value and dont touch it in your routine, just use r5 instead
cmpb rl4, #0 are unecessary. Z flag triggered even at movb operation
Title: Re: LC/NLS ASM help
Post by: BlackT on July 09, 2022, 02:33:46 PM
Its ok But why are you not hooking at the loc_8B89B2 ? All others are obviously min/max caps so just replacing movb zwgru, rl4 would be a bit easier imo, just remember that r4 consists original zwgru value and dont touch it in your routine, just use r5 instead
cmpb rl4, #0 are unecessary. Z flag triggered even at movb operation
I am still exploring how all this works. I know I can do that way, but I want to find more ways so I can understand it better.
RL4 or R4? I know that RL4 is low byte of R4, so touching RL4 will change value of R4. But general speaking zwgru is uint_8 value? If after: movb zwgru, rl4 ... XXXX ... I have DB 00 (like in this case) does that mean, that in most case rl4 value is no longer needed(it will be most likely overwriten in some next function) so I am free to use it XXXX area
Tnx for shortcout about Z flag and all other help
Title: Re: LC/NLS ASM help
Post by: BlackT on July 12, 2022, 04:51:24 PM
This look nicer (https://i.postimg.cc/FzydN53J/idazwgrucheck.png) (https://postimages.org/)
I take a look and didn't find that FDDA is used anywhere in code. So I will use it to set my flags
Title: Re: LC/NLS ASM help
Post by: fknbrkn on July 15, 2022, 06:03:49 AM
RL4 or R4? I know that RL4 is low byte of R4, so touching RL4 will change value of R4.
This is code of my LC, called from loc_8B89B2 (in your case). new fucntion called in place where rl4 moved to zwgru. so rl4 contain zwgru value and you want to touch it in your routine, rl5 used for conditional checks
Quote
But general speaking zwgru is uint_8 value?
8bytes signed int8_t
Quote
If after: movb zwgru, rl4 ... XXXX ... I have DB 00 (like in this case) does that mean, that in most case rl4 value is no longer needed(it will be most likely overwriten in some next function) so I am free to use it XXXX area
absolutely no. check how map calculations are done. in most cases they writes calculated value into r4 and rets to main code general rule here - look at the main code flow after your routine (even after rets) if you see some register reading first, then you cannot use it. just imagine this situation
mov r5, rl_w mov r4, plsol_w shr r4, #8 calls #8Ah, myRoutine ; < r4 contain plsol value! mov rlkh_w, r5 ; r5 goes through your routine, do not use it! mov r7, rkat_w ; r7 only written here, so in your routine its not contain any useful data, could be used
<myRoutine:>
mov r4, nmot_w ; < and now you changed it to nmot_w cmp r4, myNmotLimit jmpr cc_ule, loc_end .... loc_end: movb plsol, rl4 ;< feeding plsol with part of nmot (bad idea) rets
as of the last screen - this wont work you overwrite zwgru with stock value anyway
Title: Re: LC/NLS ASM help
Post by: BlackT on July 17, 2022, 02:08:27 AM
Yes you are right, ah that speed and tired head... In attachment is correction( I made this cpr twice beacuse I still don't know how to put NOP I play safe before I get everything sorted in head)
So store registers in some unused space to save them, like a safe copy. Than before exit of function pull values from safe copy to that registers
Title: Re: LC/NLS ASM help
Post by: BlackT on February 28, 2023, 03:44:51 PM
I assume this is not possible but can I make call function after I already make call
Working example: at 8A000 I make Call 8E540 At 8E540 my function .... ... Rets (this will return to 8A004)
But If I make something like this
at 8A000 I make Call 8E540 At 8E540 my function .... Call 8E640 Rets
At 8E640 my function#2 .... Rets
this will return to next array where I called 8E640, but after that I will again have rets. Will after that rets send to 8A004?
Title: Re: LC/NLS ASM help
Post by: BlackT on March 01, 2023, 04:28:03 AM
To make better visual what I want to achieve So I have good well known call before tsrldyn (https://i.postimg.cc/BQJkpd9Z/call1.png) (https://postimages.org/)
After that call again in my function I have call to another sub ( take close look at bottom left)
Title: Re: LC/NLS ASM help
Post by: prj on March 01, 2023, 04:42:01 AM
Reading the user manual helps. Every time a call is made the PC is pushed onto the stack and popped off with RET. In case of CALLS also the segment is pushed onto the stack and then both the segment and the address get popped off. As long as you don't exceed the stack size you can chain as many calls as you like, obviously the amount of calls and returns has to be balanced.
If you are patching an already existing call, you can also just jump to the original call location after you're done with your code. This is becomes a lot more important on TriCore where calls automagically save and restore a bunch of registers.
Title: Re: LC/NLS ASM help
Post by: BlackT on March 01, 2023, 05:04:48 AM
Thank you, I will work with JMPS from now on.
Title: Re: LC/NLS ASM help
Post by: fknbrkn on March 01, 2023, 09:08:15 AM
You can safely use few calls Personally ive never faced with stack overflow with 1-2 incapsulated calls and map calculation (vars pushed in stack)
Title: Re: LC/NLS ASM help
Post by: prj on March 01, 2023, 11:07:19 AM
On C16x no need, you can just spam calls. But hey, if you ever move to TriCore it's good to not make it a habit.
But then again, if you just want to execute some code and then go to the original routine, then you can also just use JMPS, it makes no practical difference.
Title: Re: LC/NLS ASM help
Post by: BlackT on March 02, 2023, 12:53:02 AM
Thank you that is really helpfull
Title: Re: LC/NLS ASM help
Post by: BlackT on September 14, 2023, 01:52:15 PM
EDIT: solved, I see I move R4 to byte. But let it stay for other users if someone make this silly mistake
I am trying to make rolling LC, and i have problem with this code section
FDDA and FDDB variables are free, as I am manage to see
maybe this is problem?
ROM:008C003C F2 F4 9E F8 mov r4, nmot_w ROM:008C0040 F6 F4 DB F8 mov byte_F8DB, r4
Is this okay to do?
Title: Re: LC/NLS ASM help
Post by: BlackT on September 24, 2023, 03:25:31 AM
Can someone explain me what is this whit this function with zwout? Is this mean that zwout is stored in stack in four places?
Title: Re: LC/NLS ASM help
Post by: fknbrkn on September 24, 2023, 06:46:13 AM
For each cylinder
Title: Re: LC/NLS ASM help
Post by: BlackT on November 23, 2023, 04:10:57 PM
In this file KFZW load axis should be at 0x132E6 And table look like it, but when I change that load values nothing happen? It always follow same load. Let say 40% is original load in 3th column. If I multiply whole load table with 2, ECU still get that value from 3th column when load is 40% ???
Title: Re: LC/NLS ASM help
Post by: BlackT on December 09, 2024, 07:45:09 AM
Let say at 06A906032HS SW: 1037363908
FPWDKAPP is at 0x14F72
How to find that in IDA?
Title: Re: LC/NLS ASM help
Post by: fknbrkn on December 09, 2024, 10:15:31 AM
check axis size before map axis, easiest way if its cross-referenced try to search '4F72' as map start or similar for axis size offset before map, should look like like 'mov r12, #4F72h' , or r4,r5 if both ways not give you any results, check FR for a program flow, if its generates some variable or 1x1 map nearby trace where it written in this case WKDSAPP / WDKSOFS easily gets you in the right place
Title: Re: LC/NLS ASM help
Post by: Blazius on December 09, 2024, 04:39:37 PM
First, you should check what kind of map it is 2D or 3D, as the function will differ. FPWDKAPP being a 2D map , it will use a 2D lookup, which generally uses a offset, page number, and the value for the axis. The offset is the start of the map where it actually sets the size, not the start of the values of the axis itself.
In this case of rather the C167 based hardware or code , the lookup only contains the offset, and the axis value in this the wped_w, because the page is default at 204.
For example in M box, FPWDKAPP is at 813EB6 or rather 813ED8 if going only by the values and winols representation. The offset is 3EB6 hex, the page is default 204 which means 4000*204 = 810000 , and the axis is wped_w. 810000 + 3EB6 = 813EB6
Title: Re: LC/NLS ASM help
Post by: BlackT on January 24, 2025, 02:47:40 AM
Thank you guys for explenation everything is clear now.