NefMoto

Hello.
I`m new in dissasembly ecu (yesterday first day :P ).
I Work with IDA Pro and 032AF file.
I know C167 has internal ROM and flash and is connected to 29F400BB / 29F800BB.

Firstly, i`m curious the IMMO check routine is stored in external flash or in internal processor`s flash?
Secondly, On C167 datasheet i`ve didn`t found the way processor boots-up. Wich routine is called. If Reset is performed first, wich routine is next?
And how maps are called from software?
For example i have the KFMIRL map starting at 0x123DC but didn`t found that part in dissasembled flash image.

Could you please help me understand where map selection routine begins and how is made?

Thank you in advance.

Where is your CPU read ?

as i know, there are 2 types of dump.

For example, how to find map address and entry point from attached dump?

I don't think you can use C167 from RS4/S4 to disassemble 1.8T file.

I'm not sure about the memory mapping for 29F400 file but I would do the following :

A_ Load your IROM C167 binary first to defaut value
B_ Create your IRAM segment 0xE000 length 0x10000
C_ Load your ROM 06A906032AF file at 0x800000 length defaut value ( file size )
D_ Create your RAM segment at 0x380000 length 0x20000

The code and data follow that structure :

CODE1 0x800000 - 0x80FFFF , length 0x0000FFFF
DATA1 0x810000 - 0x81FFFF , length 0x0000FFFF
CODE2 0x820000 - 0x87FFFF , length 0x0005FFFF

At first, select whole code1 and press C, ignore error. Same for code 2.

Then go to map adress ( don't forget there is a 0x800000 offset compared to winols ), give the right shape ( create array ) and follow xref.
Good luck.

ok, so let me understand. I need to load default IROM (32K) inside Ida Pro. After this i need to load the 512K (my dump from ECU)?
But how ca i find the boot sequenc and where maps are loaded?
I want this mainly because i want to know how is selected KLBTS and where is located TABGBTS in my file.

Yes.

You maps will be in the data area :

DATA1 0x810000 - 0x81FFFF , length 0x0000FFFF

Go in winols and look for KFLBTS, go to that adress ( + offset 0x800000 ) in IDA and follow XREF, there should only have 1 subroutine.

This subroutine will tell you how it works after you analyse it. You will also find map axis and other LBTS related maps.

do my kfmirl address that i should search for is 0x800000 + 0x123dc ?
that means 0x8123dc ?

Yes, KFMIRL Z data will be at 0x8123DC in that case.  ;)

searched all refs to 0x123dc, 0x123dc and nothing found. Did i miss something?

Yes. How map is referenced.

Look for KFLDRL, it's easier. If you find a reference to that map, you are doing it right.

i can`t find anything related to 812C94h wich is address of KFLDRL.

It will be offset my DPP so try masking more off

How can i read my C167 dump? i have a Galleto and VCDS and bench setup for it.
I`ve made the 10x16 array of KFLDR and looks like on WinOLS, but how do i find xrefs? http://screencast.com/t/ZAwDhocKgsR

Bump!

Not to create new topic can I ask here?
Now Im trying to dig into c167 disassembly. How can I find where is addressing to a particular map? Found a map address in the a2l but there is no direct link from code section to this map. So I guess its some kind of indirect addressing. Could someone give me a tip where to search?