Title: ME7.5.10 Disassembly tips / help Post by: markus2900 on April 13, 2026, 12:35:19 PM

Hello people, as the owner of a successful VW 1.4 16v stage 2 I wanted to dig deeper into my ECU and retrieve RAM addresses so I can fully log all the values I need with ME7Logger. Unfortunately for me, this whole trend ended with the 1.8T ME7.5 and nothing is to be found online past that. My ECU is 036906032G 0261207190 1037363461 SW: 4411.
My first question is whether ME7.5.10 (C167CR_SR) follows the same disassembly procedure as the other ME7 ECUs. I followed these steps:
After I did this I ran Andy's script and it seems like it worked... kind of. I was able to search for bytes/words and cross-reference some of the addresses which ME7Info provides in the ECU files, but a lot of them I wasn't able to find. The CPU 32K file which I'm using is for the same ECU OE number, but it's from the internet and it's a different SW version, 4433. But when I created an ECU file with it, the addresses were the same; just one was different. I have a strong feeling I'm doing a wrong step somewhere, because a lot of the functions end with empty paths that don't link up properly. I also have a slight suspicion I'm doing segments wrong, because creating, for example, the IRAM segment just creates a full block of ?? ?? ?? ?? hex, so basically empty. I also found out about the AutoIt script, but I wasn't able to run any of it as my IDA version is 9.2. I'm currently looking for fr_w, fra_w, gangi (I don't know if my ECU has it), lamsbg_w, lamsoni_w, ti_b1. If anyone would be nice enough to tell me whether I'm on the right track or if I'm doing something wrong, or provide some tips, I would really appreciate it, as I've been stuck for 14 days already trying to find methods for how to do it properly and I'm just stuck browsing empty forums for hours... I will provide my original bin file and the MPC 32K file. (I also have a 512-byte SFR file... I don't know what to do with it.)

Title: Re: ME7.5.10 Disassembly tips / help Post by: fknbrkn on April 17, 2026, 06:10:51 AM

In general, yes, you're on the right track.
There are 1.4 A2L files available, so you have to disassemble that public file, get a cross-reference of the fr_w address, for example, and search for the similar code flow in your file. The easiest way here is when this variable is used by some map, so you can find this map in your file and then find this map in IDA; in most cases the code looks the same and you'll find the address. Or FR page 1555 about diagnostic variables: it's possible to find some rare variable like mdverl_w and get a place where they're listed one by one with formulas, so it's possible to track it up to yours (you'll see r6/r7 registers with formula values here). Not a 5 min job for a novice, for sure.

Title: Re: ME7.5.10 Disassembly tips / help Post by: markus2900 on April 18, 2026, 09:00:58 AM

Thank you for the response and tips!... Basically I've been stuck on this for the past 14 days... hours of my day just stuck on loading in binaries and hitting a dead end ;D I don't know what I am doing wrong, but I've not been able to cross-reference any values found in the A2L or the ECU file. As I said, I have a strong feeling I'm doing a wrong step somewhere, because every single script or tutorial online is made for the 1MB files (29F800BB reads), and mine is a 29F400BB. Would you happen to know the right memory layout for this 512kB version?
It's also a huge pain in the butt with IDA, loading multiple files and segmenting them. It's such a hassle. I've made a concatenated CPU+FLASH file that I use so it's easier to segment, but then again none of the scripts work if I use that bigger file. I had better splitting options in Ghidra; IDA just doesn't allow you to split segments easily. Also, I noticed IDA for some reason loads the memory segments of the C167 right only about one load in three. Once it puts the RAM at 0x38000 and once it doesn't even create that. My brain has been filled with letters and numbers and "load binary file" :D And do you have any idea what a 284kB file made from the full BDM read could be? I have a 512kB flash, 32kB CPU, 512-byte EEPROM and some weird no-extension 284kB file that's filled with bytes till 46Cxx. I wasn't able to find this whole segment in my FLASH, so I don't think it's a mirror. What component makes a 284kB file on the BDM... weird.

Title: Re: ME7.5.10 Disassembly tips / help Post by: fknbrkn on April 20, 2026, 12:51:11 PM

Use the CPU project:
save as - new project
load - addi.. binary (segment 0x80000; leave 0x0 for the other fields)
script file - Andy's 512kb
options - general - number of opcode bytes = 4

Search xrefs for fr_w with rare code patterns (you can use the bintools IDA plugin for sure, but personally I don't like it), or this one is good: 'shl shl shr'

seg087:81D4 5C C4        shl  r4, #12
seg087:81D6 5C C5        shl  r5, #12
seg087:81D8 7C 42        shr  r2, #4
seg087:81DA 70 52        or   r5, r2
seg087:81DC B8 40        mov  [r0], r4
seg087:81DE C4 50 02 00  mov  [r0+2], r5
seg087:81E2 F2 F2 54 9A  mov  r2, fr_w
seg087:81E6 F2 F3 FE 96  mov  r3, lamsbg_w

Get its hex instructions: 5C C4 5C C5 7C 42. Search for it in your project and you get your fr_w and lamsbg_w. You can also check the xref to the KWP1281 diagnostic routine, as I mentioned before, and check FR page 1555:

seg089:1DCC E6 F8 14 00  mov  r8, #14h
seg089:1DD0 E7 FE 64 00  movb rl7, #64h ; 'd'
seg089:1DD4 F2 F4 54 9A  mov  r4, fr_w
seg089:1DD8 7C 84        shr  r4, #8
seg089:1DDA F1 C8        movb rl6, rl4
seg089:1DDC EA 00 12 8E  jmpa cc_UC, loc_898E12

Or xref to the FRMAX map and easily trace frm_w, fr_w.

https://disk.yandex.ru/d/Toc5BV4zvCWFPg

Title: Re: ME7.5.10 Disassembly tips / help Post by: markus2900 on April 20, 2026, 08:16:30 PM

Wow, thank you so much for taking the time to explain it in steps for me and even send the files. This really helped me a lot. I learn best when it's given like this. If I get a better defined file I will be sure to test it and post it here afterwards.
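The "take the hex of a rare instruction sequence, search for it in your own dump, read the address out of the mov that follows" step from fknbrkn's April 20 post can be scripted instead of done by hand in IDA. The following is an added example written for this page; it is not fknbrkn's code, not part of Andy's script, and not anything posted in the thread. It assumes the C166/C167 encodings F2/F6 Fn lo hi for mov Rwn,mem / mov mem,Rwn and F3/F7 Fn lo hi for the byte forms, that DPP2 holds page 0xE0 (so mem operands 0x8000-0xBFFF resolve to 0x380000-0x383FFF, the range ME7Logger RAM addresses normally fall in) and DPP3 holds page 3; the DPP assumption is a general ME7 convention, not something this thread confirms, so check the DPP values your own dump sets. The sample bytes are constructed from the seg087:81D4 listing above and are not a real ECU dump.

```python
"""Byte-pattern search plus C166 'mov Rw, mem' operand decoding, to pull a RAM
variable address (fr_w, lamsbg_w, ...) out of an ME7 flash dump once a rare
instruction sequence that precedes the load is known.  Python 3.8+, no deps.
Added example for this thread; not code from the thread or from Andy's script.
"""

from typing import Dict, List, NamedTuple, Optional

# ASSUMPTION: page numbers held in DPP0..DPP3 while the logged code runs.  The
# 16-bit 'mem' operand selects a DPP with bits 15:14 and a 16 KiB page offset
# with bits 13:0.  ME7 keeps DPP2 = 0xE0 (linear 0x380000, where ME7Logger
# variables live) and DPP3 = 3 (SFR/IRAM).  DPP0/DPP1 change per routine and
# are left unresolved here.  Adjust to what your own dump sets.
DPP_PAGES: Dict[int, Optional[int]] = {0: None, 1: None, 2: 0xE0, 3: 0x03}

# ASSUMPTION (C166 instruction set): direct-memory register moves.  First byte is
# the opcode, second byte is 0xFn with n = register number, then a little-endian
# 16-bit mem operand.  True = register <- memory, False = memory <- register.
MEM_MOVE_OPCODES = {
    0xF2: ("mov", "r", True),     # mov  Rwn, mem
    0xF6: ("mov", "r", False),    # mov  mem, Rwn
    0xF3: ("movb", "rb", True),   # movb Rbn, mem   (rb0..rb15 = rl0, rh0, rl1, ...)
    0xF7: ("movb", "rb", False),  # movb mem, Rbn
}


class MemMove(NamedTuple):
    offset: int            # file offset of the instruction
    mnemonic: str
    reg: str
    mem: int               # 16-bit DPP-relative operand as encoded
    linear: Optional[int]  # resolved linear address, None if the DPP is unknown
    load: bool


def find_pattern(buf: bytes, pattern: bytes) -> List[int]:
    """Every offset at which `pattern` occurs in `buf` (overlaps allowed)."""
    hits, start = [], 0
    while (i := buf.find(pattern, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def mem_to_linear(mem: int, dpp_pages: Dict[int, Optional[int]] = DPP_PAGES) -> Optional[int]:
    """Translate a 16-bit mem operand through the DPP page table (C166 paging)."""
    page = dpp_pages[mem >> 14]
    return None if page is None else (page << 14) | (mem & 0x3FFF)


def decode_mem_moves(buf: bytes, start: int, window: int = 32) -> List[MemMove]:
    """Walk `window` bytes from `start` (must be an instruction boundary, e.g. a
    pattern hit) and decode direct-memory register moves.  C166 instructions are
    2 or 4 bytes, so the walk advances 2 bytes unless it consumed a recognised
    4-byte move; the operand bytes of an unrecognised 4-byte instruction could
    therefore false-match, so confirm every hit in the disassembler."""
    out: List[MemMove] = []
    i, end = start, min(len(buf), start + window)
    while i + 4 <= end:
        op, regbyte = buf[i], buf[i + 1]
        if op in MEM_MOVE_OPCODES and regbyte >> 4 == 0xF:
            mnem, prefix, load = MEM_MOVE_OPCODES[op]
            mem = buf[i + 2] | (buf[i + 3] << 8)
            out.append(MemMove(i, mnem, f"{prefix}{regbyte & 0xF}", mem, mem_to_linear(mem), load))
            i += 4
        else:
            i += 2
    return out


def locate_variables(buf: bytes, pattern: bytes, window: int = 32) -> Dict[int, List[MemMove]]:
    """Pattern hits mapped to the memory moves decoded right after each hit."""
    return {hit: decode_mem_moves(buf, hit, window) for hit in find_pattern(buf, pattern)}


# Constructed sample: the code bytes of the seg087:81D4 listing, wrapped in two
# filler bytes on each side so the script runs offline.  Not a real ECU dump.
SAMPLE = bytes.fromhex(
    "0000"
    "5CC4" "5CC5" "7C42" "7052" "B840" "C4500200"
    "F2F2549A"   # mov r2, fr_w      -> mem 0x9A54
    "F2F3FE96"   # mov r3, lamsbg_w  -> mem 0x96FE
    "CC00"
)
PATTERN_SHL_SHL_SHR = bytes.fromhex("5CC45CC57C42")  # shl r4,#12 / shl r5,#12 / shr r2,#4

if __name__ == "__main__":
    # Replace SAMPLE with open("your_flash.bin", "rb").read() for a real dump.
    for hit, moves in locate_variables(SAMPLE, PATTERN_SHL_SHL_SHR).items():
        print(f"pattern at file offset 0x{hit:X}")
        for m in moves:
            lin = f"0x{m.linear:06X}" if m.linear is not None else "DPP unresolved"
            print(f"  0x{m.offset:04X} {m.mnemonic} {m.reg} mem=0x{m.mem:04X} linear={lin}")
```

On the sample this reports r2 <- mem 0x9A54 (linear 0x381A54 under the DPP2 = 0xE0 assumption) and r3 <- mem 0x96FE (0x3816FE). On a real dump the file offset is flash-relative, so the linear address of the code itself still needs the segment base (0x80000 in the load step above) added; only the data operand goes through the DPP table. The same decoder works for the KWP1281 listing, where the `mov r4, fr_w` followed by `shr r4, #8` is the formula fknbrkn mentions for the FR page 1555 values, and a pattern hit with several candidate moves after it is exactly the case where you should open the location in IDA before trusting the address in an ME7Logger ECU file.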