Title: Identify RAM variable
Post by: totti on August 04, 2021, 01:40:00 AM

Hi,
I started to disassemble binary files. I'm using an .ecu file to identify the RAM variables, but I found some which are not listed in the .ecu file. Is there any way to identify these?
Thank you

Title: Re: Identify RAM variable
Post by: timus on August 04, 2021, 02:21:24 AM

You can use a damos file for your bin; it contains all important RAM variables and maps.
If you don't have a damos, you can analyze the code, read the Funktionsrahmen and try to find out which variable you are looking at.

Title: Re: Identify RAM variable
Post by: totti on August 04, 2021, 03:15:44 AM

> You can use a damos file for your bin; it contains all important RAM variables and maps.
> If you don't have a damos, you can analyze the code, read the Funktionsrahmen and try to find out which variable you are looking at.

I don't have a damos for 8N0906018BH 0001. The variable I'm searching for is 0x380AC4. It is somehow related to pops and bangs unique code. The code sets it to 0xFF.

Title: Re: Identify RAM variable
Post by: fknbrkn on August 04, 2021, 04:11:41 AM

Search for crosslinks (x key)
Trace it to known ones

Title: Re: Identify RAM variable
Post by: timus on August 04, 2021, 04:44:58 AM

> The variable I'm searching for is 0x380AC4. It is somehow related to pops and bangs unique code.

If it's some unique code, all you can do is analyze what it does and where it comes from, and come up with a name for it yourself.

Title: Re: Identify RAM variable
Post by: gremlin on August 04, 2021, 12:20:04 PM

> The variable I'm searching for is 0x380AC4.

380AC4 - nwe [Wiedereinsetzdrehzahl]
Full RAM and BITs list in attachment.

Title: Re: Identify RAM variable
Post by: totti on August 04, 2021, 12:39:55 PM

> 380AC4 - nwe [Wiedereinsetzdrehzahl]
> Full RAM and BITs list in attachment.

Thank you very much. I have not found these kinds of documents. Do you have it for 06A906032HN 0001?

Title: Re: Identify RAM variable
Post by: totti on August 04, 2021, 02:15:08 PM

Now I totally don't understand what happened in the bin file.
Original bin contains:
movb byte_8AC4, rl6

The modified bin contains a function which I would like to understand (cruise control switched pops and bangs). The original line is replaced with:
calls 8Ah, 19D0h ; 8A19D0h

At 8A19D0 this is the code:
ROM:000A19D0 jb word_FD10.2, loc_A19E2
ROM:000A19D4 movb rl6, #0FFh
ROM:000A19D8 exts #38h, #1 ; '8'
ROM:000A19DC movb 0AC4h, rl6 ; 380AC4h
ROM:000A19E0 jmpr cc_UC, locret_A19EA
ROM:000A19E2 ; ---------------------------------------------------------------------------
ROM:000A19E2
ROM:000A19E2 loc_A19E2: ; CODE XREF: ROM:000A19D0↑j
ROM:000A19E2 exts #38h, #1 ; '8'
ROM:000A19E6 movb 0AC4h, rl6 ; 380AC4h
ROM:000A19EA
ROM:000A19EA locret_A19EA: ; CODE XREF: ROM:000A19E0↑j
ROM:000A19EA rets

So for me it seems that the original 8AC4 address changed to 0AC4.

Title: Re: Identify RAM variable
Post by: Blazius on August 04, 2021, 03:06:37 PM

Post the file.

Title: Re: Identify RAM variable
Post by: gremlin on August 04, 2021, 03:37:39 PM

> Now I totally don't understand what happened in the bin file.

It's simple. If the CCS key is pressed (flag FFD0.2 = 1), we set the fuel supply resumption engine speed to an unrealistically high 256 * 40 = 10240 rpm. It actually means that fuel is switched off. Not pressed - leave the value as it was in the original code.

Title: Re: Identify RAM variable
Post by: totti on August 04, 2021, 11:30:14 PM

> It's simple. If the CCS key is pressed (flag FFD0.2 = 1), we set the fuel supply resumption engine speed to an unrealistically high 256 * 40 = 10240 rpm. It actually means that fuel is switched off. Not pressed - leave the value as it was in the original code.

The first part is OK. My problem is that in the original file the 8AC4 value gets the rl6 register value, in the custom code the 0AC4.

Title: Re: Identify RAM variable
Post by: fknbrkn on August 05, 2021, 12:04:25 AM

8AC4 is the short addressing for 380AC4
program flow looks sooo nooby

Title: Re: Identify RAM variable
Post by: totti on August 05, 2021, 12:52:48 AM

> 8AC4 is the short addressing for 380AC4
> program flow looks sooo nooby

Ahh OK. Thanks for the info. I just received the bin with the function and am trying to understand what is implemented inside.

Title: Re: Identify RAM variable
Post by: totti on August 06, 2021, 05:34:30 AM

Title: Re: Identify RAM variable
Post by: Blazius on August 06, 2021, 12:50:03 PM

> Here is the cut part of the bin

It's basically:

if(FD10.2 == 1(S_fgrhs - Main switch on the FGR control lever))
{
movb RAM:380AC4 ( nwe - Wiedereinsetzdrehzahl) , whatever is in rl6)
}
else
FF rl6
FF'd RAM:380AC4 with rl6
unconditional jump to A19EA -> return

Title: Re: Identify RAM variable
Post by: totti on August 06, 2021, 02:20:25 PM

> It's basically:
> if(FD10.2 == 1(S_fgrhs - Main switch on the FGR control lever))
> {
> movb RAM:380AC4 ( nwe - Wiedereinsetzdrehzahl) , whatever is in rl6)
> }
> else
> FF rl6
> FF'd RAM:380AC4 with rl6
> unconditional jump to A19EA -> return

I understand the code, the problem was with the variables. But thank you for describing it.

Title: Re: Identify RAM variable
Post by: totti on August 13, 2021, 02:07:28 PM

> 8AC4 is the short addressing for 380AC4
> program flow looks sooo nooby

I've modified it

Code:
ROM:000A592A jb word_FD10.4, loc_A5932

Title: Re: Identify RAM variable
Post by: totti on September 14, 2021, 01:46:16 PM

I would like to modify lamfa when the different conditions are true.
I have an HN 0001 ECU. This is my .ecu file:

lamfa_w , {TargetAFRDriverRequest} , 0x384ACE, 2, 0x0000, {-} , 0, 0, 0.000244141, 0, {Lambdasoll Fahrerwunsch (word)}
lamfaw_w , {} , 0x384ACC, 2, 0x0000, {-} , 0, 0, 0.000244141, 0, {Lambdasoll Fahrerwunsch Anteil aus Kennfeld LAMFA}

I searched for lamfa and lamfaw but I could not find any movb functions to them. How can I find where these variables are written in the code?
Thank you

Title: Re: Identify RAM variable
Post by: fknbrkn on September 14, 2021, 11:46:58 PM

After the lamfa map as usual
Screenshot from another file but it's the same as yours
any movb, it's a word so..

Title: Re: Identify RAM variable
Post by: DT on September 15, 2021, 01:39:13 PM

> I searched for lamfa and lamfaw but I could not find any movb functions to them. How can I find where these variables are written in the code?

As fukenbroken said, they are words.
With me7idatool the following pictures show what you can produce in IDA in less than 10 min without an a2l/dam for your specific revision. :o ;D
There are 5+2 positions for lamfa_w and lamfaw_w respectively.

Title: Re: Identify RAM variable
Post by: totti on September 16, 2021, 12:36:00 AM

Thank you to all of you. I just started with IDA and I don't know which plugin or tool is needed. Currently I just loaded the bin and am trying to manually find the code and variables. Can you tell me where I can find the me7idatool?
Thank you

Title: Re: Identify RAM variable
Post by: totti on September 16, 2021, 06:55:07 AM

> As fukenbroken said, they are words.
> With me7idatool the following pictures show what you can produce in IDA in less than 10 min without an a2l/dam for your specific revision. :o ;D
> There are 5+2 positions for lamfa_w and lamfaw_w respectively.

I found where I can modify lamfaw_w. What I don't know is what to do with the extp command. Change it to calls and the mov command to NOP, or can the extp stay and change mov to calls?

Title: Re: Identify RAM variable
Post by: fknbrkn on September 16, 2021, 07:12:00 AM

Nop extp and change mov with calls

Title: Re: Identify RAM variable
Post by: totti on September 16, 2021, 09:41:46 AM

> 8AC4 is the short addressing for 380AC4
> program flow looks sooo nooby

Is there any benefit to using a short or long address?

Title: Re: Identify RAM variable
Post by: fknbrkn on September 16, 2021, 10:37:50 AM

Less operations = less CPU load
Pretty sure unnecessary in that case but optimization skill always counts

Title: Re: Identify RAM variable
Post by: totti on September 16, 2021, 12:51:35 PM

> Less operations = less CPU load
> Pretty sure unnecessary in that case but optimization skill always counts

Thank you. I will read about the C166 to understand why RAM is mapped into 2 spaces.
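
The two spellings of one variable in this thread (8AC4 with short addressing, 0AC4 after exts #38h) follow from how the C166 builds a 24-bit data address from a 16-bit operand. The Python sketch below is an added example, not code from any poster. DPP2 = 0xE0 is an assumption inferred from the 8AC4 / 380AC4 pair, and all function names are hypothetical.

```python
# Added example: C166 data-address resolution for the addresses in this thread.
# ASSUMPTION: DPP2 = 0xE0, inferred from "8AC4 is the short addressing for
# 380AC4"; the other DPP values are not given in the thread and are left out.
PAGE_BITS = 14                       # one data page = 16 KiB
OFFSET_MASK = (1 << PAGE_BITS) - 1   # low 14 bits of a 16-bit operand
ASSUMED_DPP = {2: 0xE0}              # DPP index -> page number


def via_dpp(addr16, dpp=ASSUMED_DPP):
    """Short addressing: bits 15..14 select DPP0..3, bits 13..0 are the offset."""
    index = addr16 >> PAGE_BITS
    if index not in dpp:
        raise ValueError(f"DPP{index} value unknown")
    return (dpp[index] << PAGE_BITS) | (addr16 & OFFSET_MASK)


def via_exts(segment, addr16):
    """EXTS #seg: DPPs are bypassed, the segment supplies address bits 23..16."""
    return (segment << 16) | addr16


def via_extp(page, addr16):
    """EXTP #pag: page comes from the instruction, bits 15..14 of addr16 are ignored."""
    return (page << PAGE_BITS) | (addr16 & OFFSET_MASK)


def encodings(linear, dpp=ASSUMED_DPP):
    """Operand forms under which one linear address can appear in a listing."""
    page, offset = linear >> PAGE_BITS, linear & OFFSET_MASK
    short = next(((i << PAGE_BITS) | offset for i, p in dpp.items() if p == page), None)
    return {
        "short": short,                           # None: no known DPP maps this page
        "exts": (linear >> 16, linear & 0xFFFF),  # (segment, 16-bit address)
        "extp": (page, offset),                   # (page, 14-bit offset)
    }


if __name__ == "__main__":
    for name, addr in [("nwe", 0x380AC4), ("lamfa_w", 0x384ACE), ("lamfaw_w", 0x384ACC)]:
        e = encodings(addr)
        short = f"{e['short']:04X}h" if e["short"] is not None else "-"
        print(f"{name:9} {addr:06X}h short={short} "
              f"exts #{e['exts'][0]:02X}h/{e['exts'][1]:04X}h "
              f"extp #{e['extp'][0]:03X}h/{e['extp'][1]:04X}h")
```

Under the assumed DPP2 value, nwe has a short form, while lamfa_w and lamfaw_w sit on page 0xE1 and have none, which matches the extp prefix reported in front of the mov to lamfaw_w.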