NefMoto

ME7idatool is a bit more than a fancy way to name variables. Some of you have asked about it after I posted some mysterious IDA screen dumps of files for which there are no public a2l/dam files available.

@nyet, since it is not compiled code anyone can see it in it's full glory(?) and anyone with a lot of patience can modify it as they wish. Github? I've never worked with it.

@prj, some lines might still be a carbon copy of your short IDA code snippets which can be found here on the forum. Thank you, those got me interested in IDApython.

@fluke9, a line or two of your python code might also be found, I don't remember, but thank you.

I dedicate this script or rather what it can achieve to my father who passed away earlier this year. Please have mercy, the script is really ugly but it is quite capable. I had zero knowledge of Python or similar coding when I started on this project. Therefore some (most?) things are really ugly and not written in a Pythonic way while other parts are quite smart and heavily optimized to keep all often used functions responding quick enough. I never thought it finally would become this automated, therefore it is based on routines meant for manual CLI work. To begin with my plan was to import dam/a2l and nothing else. At some places code are added to fix something instead of fixing the original faulty code.

Some things could have been done much more easily if I would have used more external libraries (eg. pandas) but until I needed to use the pywin32 for clipboard I tried to work with plain Python and IDA idc. It is developed on a borrowed laptop with genuine IDA pro 7.2 32-bit. (thank you Mr Z)

============================

What can it help you with?

* Primarily it can help you save tens or even hundreds of hours of work depending of what your goal is.

* Can import .ecu, .dam and .a2l files although with .ecu you are very limited. Always start with a fresh .idb.  Handles german umlauten correctly (at least on the system I used). .dam and .a2l needs to be directly from VAG without any change of file format for this to work.
These imported files help you achieve a nice IDA file.

* Show a list of what was not automatically named from a2l/dam. Can be easily clicked on and then if address look like a match it can manually be set by pressing p on keyboard. It can label the routines according to a threshold. Those who do not reach threshold can be handled manually and it gives the most probable names as suggestions depending on what it find.

* Can create patches that can easily be pasted directly into TunerPro. Very nice when working with code patches and an emulator like Roadrunner. For example while hacking hex code directly in ida without Keil. Unfortunately it does not handle faulty variables that can be found in certain .ecu files. Eg. some dual bank wideband lambda files. Avoid using .ecu if not absolutely needed.

Now on to the more fancy stuff...

* Makes most of the nice idb portable(!?). It does this by up/down search and ability to copy/paste naming from one idb to another. Almost zero knowledge needed to find similar code in another bin. Select what you need to find in another plain idb.

* It can export .dam and .a2l after you have ported from one idb to another. If you use a correctly matching file from similar year/version/family of ECU it will probably output what you need.
 
Avoid adding your own comments if you care for the portability to other similar binaries. Keep a copy of your original ME7idatool prepared .idb when you start working manually in the file. Some parts of this tool rely heavily on clipboard, be sure not to mess with it while working with the tool.


PS. If you feel an urge to help me buy my own copy of IDApro you can make a paypal donation. Email can be found in profile. ME7idatool can easily save you countless hours of work.

Requirements:
pywin32 v228 for Python 2
If I recall correctly it could be installed with this command: pip install pywin32
but it was some time ago since I did it.

TODO
* fix a long list of annoying bugs (from what I know those does not affect the quality/integrity of the naming)
* some other features I've thought of like using info available in a2l/dam to correctly import bin in IDA
* find all jumplists(correct name?) to fix them automatically. UPDATE! (will probably be fixed within a few days, the logic is simple)
* Create a list of suitable matching a2l/dam/binary for common files which do not have a2l/dam. Though I've not planned to do this myself but rather hope the community will do this.
* Remove too eager auto naming scheme and alter too eager tresholds. Though I'm yet to find any problem myself but will happen when more users work with the tool.
* Automatically name functions that are called, like filters and similar. Hopefully the knowledge of the community can help.
* Some commands cannot identify if you are working in source or destination IDA.
* make sure that there is nothing transferred back to source via clipboard, 95% usage of clipboard data is only to be used in destination ida.
* Let me7identfunc() set function name to same as previous and next if they both are the same. (regardless of name hits matching FKT)
* possibly name 10ms, 100ms synchro usw...
* me7help() is not showing what it is supposed to?

me7getmnem()   (in source ida window after marking text)

me7findcode()   (possible to use startaddress. eg 0x810000, ommit to use cursor position)

me7findcodereverse()

me7nameit()

me7prereq() (needed if closing ida and starting over again later, loads dam or a2l)

me7makeit_stage1()

me7makeit_stage2()

me7makeit_stage3()

me7identfunc()  (me7prereq() needed if IDA has been closed since last working with the file)

me7identfunc(nosfp)

me7setfuncname() (use this after me7identfunc() )

me7setfuncname()

me7list_names_wo_ref()

me7jumptable()

me7addresscmt()

me7cleancmt()

me7export()

me7tppatch()

me7patchbytes()

me7makefunc()

Open .bin 0x800000 , size 0x100000 or 0x80000
Load additional file 0x0  ,  size 0x8000 no segments
alt-F7 to load script first time
alt-F9 Show recent scripts
me7makeit_stage1()
me7makeit_stage2()
in the list in output window double click on address you think might be something the script didn't handle
press p on keyboard and continue to next in list which seems to be of interest.

me7makeit_stage3()

manual work after stage 3, place the cursor within code that has no name. Why not start in 100ms, 10ms or a jumptable, go to code without name and try
me7identfunc() ,either it will autoname code or present some suggestions, then me7setfuncname(x) where x is the number of one of the suggested names.
(there might be some problem with this in some situations, but me7makeit_stage3() auto naming works quite well)

me7jumptable() fix the format of table including references if you know where tables are


mark some lines of code or even a few pages if you're feeling lucky, then
me7getmnem()
which place information in clipboard. move over to the destination .idb in another IDA pro session.(make sure it is a clean import of the .bin)
in the destination window use (where you have imported a bin and opened script followed by me7makeit_stage1()  )
me7findcode() which start at cursor or eg. me7findcode(0x810000) to define start address
there is also me7findcodereverse()

If code is found, use
me7nameit()
followed by me7setfuncname() if source had functionname.

if you want address on each comment
me7addresscmt()
to clean these, use
me7cleancmt()

me7export() export to a2l/dam using a template file. Those in template which were not exported get a SKIPA1_ or SKIPD1_ prepended to their name and also 0x100000 added to their address. Which allows for easy filtering in Winols.

mark edited code and try
me7tppatch()
it puts the patch on clipboard, you can paste this directly in TunerProRT which create a patch FromIDApro. Very quick when working with custom code in emulator.


me7patchbytes() (either let cursor sit or mark a few lines)
I don't remember if this was useful or redundant to functions in IDApro.

me7makefunc()
search for next code out of function with rets/reti before

v0.9.8

Awesome work! I will definately test that with ME7 BMW :D

Good :)

Anything I've posted here is fair game, have at it.

Could You share IDA SDK here or via pm?

This script makes code even more understandable after using ME7idatool on C25ea01g.bin . Though it might break some features of ME7idatool, i've not tested me7findcode() and me7nameit() afterwords yet.
Unfortunately I need to fix some things before it works well on an ST10 file like C25ea01g.bin.

btw. If someone source the IROM of 022906032CA this particular bin/a2l with addition would make a highly useful idb for working with any ME7.

edit 221013:
I posted a bit too early. I forgot that I had not fixed a few names in the attached file. Will post a better version later.

New version. Works better with some ST10 variants
Please edit me7makeit_stage1() and me7makeit_stage1()  for other variants of memory setup in ecu
those two commands now take option 1 or 2 (which relate to c16x or st10) eg. me7makeit_stage1(2)

me7jumptable() is improved

I know, crappy Versioning

Thanks for this tool, DT!!!

Here how it worked for me on a x64 machine using Windows 11 and IDA Pro 7.2
1.) Install Python 2.7.18 (Get it here: https://www.python.org/ftp/python/2.7.18/python-2.7.18.amd64.msi)
2.) Add "C:\Python27" and "C:\Python27\Scripts" to environment variable PATH
3.) Execute "pip install pywin32" from commandline
4.) Run IDA Pro, open/start project and add script via Alt+F7
5.) Call functions listed above.

Previously, I tried to run it on a x86 machine using Windows 10 and IDA Pro 6.6, but that didn't work.
Python and pywin32 were installed correctly and running fine, but IDA Pro trew an error message while importing the modules "win32clipboard" and "win32api".

Please delete this post.

Well, yes. But they do look a bit funky and does not match what is addressed from flash.

Though the first 32kb from one of these line up perfectly.
022906032bg
022906032cn
022906032cs
022906032ge


btw. nice python explanation

As promised, a fixed version of C25ea01g_additional_names.py

steps
1. c25ea01g.bin  (022906032CA)
2. additional 32kb from one of above mentioned files @0x0
3. me7idatool + c25ea01g.a2l (though it is not perfect for this version of me7.1.1 yet)
4. apply C25ea01g_additional_names.py

I don't think a naturally aspirated me7.1.1 will ever be more easy to understand/patch/hack.

I have seen this in various threads where you posted, nice of you to finally release it, looks great.

Might give it a go sometime, see how is it vs the conventional scripts on this site.

Any idea why i get this?

Awesome work DT, when you think you are done with the c25ea01g can you please upload the finished ida file? Im working on the same , but manually, and it will be interesting to see how well they match up!

Why would you work manually when you can fix almost everything within a few minutes with me7idatool?  ???

Try going to line 1231 of DT’s script an change:

to:

to use spaces instead of tabs for identation.
Please give feedback afterwards whether it works, or not.

It helped at line 1231 and 1222 i have no programming skill whatsoever, but its interesting topic and i'm motivated to learn.
Another EDIT: line 1230 also solved.
Now i get this, i see you had it also, will try to solve it. Did your steps but still have message.

I think your problem is that you are running Python 3. When I started working on this. I looked at python examples in various threads and from what I recall those where python 2.x. Hence I continued on that path and now I think there is way to much work to port it to Python3. Random use of Global  variables is not in a pythonic way and are likely to break in Python3.
I can't understand what your problem were with line 1222 and 1230, there are no \t there.


btw. line 1231 is fixed for next release. There were three \t there that should have been spaces. Though fix is not needed for Python 2.x

I havent used the tool yet as I need to install python on another pc.
Does your tool add functions such as check_mirror, wnwra_5ms for example?

Well I gave this a go on Ida 6.1 and 7.0 with python 3 latest and python 2.7 too, but does not seem to work.

I hope these file can help you. MPC-file should be the IROM. A2L-file also attached.

How can i force IDA to use python 2.7? So far i uninstalled all python 3, run pip install pywin32 again, but now, i cant even import .py scripts

Uninstall Python completely an install this one:

Done all that, IDA still looking for idapython3_64.dll
In cfg file i have // IDAPYTHON_VERSION_MAJOR = 2 ,when uncomment it says "illegal keyword in the configuration file". Still fighting :P

v0.9.89

Serious DPP error which was introduced in 0.9.81 is now fixed.

check out what me7jumptable() can accomplish now, it outputs an address to to timTab1 which you can click on in Output window.

Also included a new smarter version of C25ea01g_additional_names.py. Now it includes all KWP2000 labels. (only for c25ea01g.bin like mentioned above in another post)

@nyet, perhaps you can move all python questions to a new "python questions" thread?

I have a 022906032CA_8087 bin. Still need it?