NefMoto

Hi Guys. i'm new to reverse ECU frimware and i trying to  find a seed/key algorithm.
in a part of the file i saw a variable that located in XRAM mov to accumulator registers and finally xor with other registers. as below:

mov     r1, word_E1C4
mov     r2, word_E1C6
cpl     r1
cpl     r2
xor     r12, r1
xor     r13, r2


i guess this value (word_E1C4 and word_E1C6) create the required constant value(public Key) for Seed/Key algorithm.
so i search this values in dump(file) and i found this instructions :

mov     r4, #0
mov     r5, #0Fh
calls   0Fh, 428Ch ; 0F428Ch
mov     word_E1C4, r10
mov     word_E1C6, r11


so it seems r10 and r11 have the constant value inside them and these values are created in calls   0Fh, 428Ch ; 0F428Ch !!!!
But what is Call's instruction? this instruction refer to incorrect address 
How can I find these values?
any body can help me about this ?

On my ME7.9.10 Fxxxx is the external RAM area. If there are procedure calls to RAM (not uncommon, especially for boot code) then you have to find the piece of code that copies the procedure(s) from Flash to RAM. Not exactly 100% trivial... ;)

Hi woj.
how i can find this area? it would be very hard. do you help me?

maybe this will help you, post #9 by 360trev?
http://nefariousmotorsports.com/forum/index.php?topic=13572.0title=

Awesome. But my question was about memory reference issue,
As you see two variable call from RAM. I found them but there are not related to these addresses.