NefMoto

Technical => Tuning => Topic started by: julex on May 05, 2011, 04:50:06 PM



Title: WINOLS gurus: where is TDMLSDS located in M-box S4 file?
Post by: julex on May 05, 2011, 04:50:06 PM
I have the .OLS for the European G-box but can't find a similar region in the M-box that would host this 1-byte variable.

I have a suspicion that this little variable is the ticket for no lift shift.

And if you have .OLS for M-box.... please please please share :)


Title: Re: WINOLS gurus: where is TDMLSDS located in M-box S4 file?
Post by: nyet on May 05, 2011, 05:34:10 PM
I have the .OLS for the European G-box but can't find a similar region in the M-box that would host this 1-byte variable.

I have a suspicion that this little variable is the ticket for no lift shift.

And if you have .OLS for M-box.... please please please share :)

my guess is 113AC


Title: Re: WINOLS gurus: where is TDMLSDS located in M-box S4 file?
Post by: gremlin on May 05, 2011, 05:35:19 PM
I have the .OLS for the European G-box but can't find a similar region in the M-box that would host this 1-byte variable.

I have a suspicion that this little variable is the ticket for no lift shift.

And if you have .OLS for M-box.... please please please share :)

Try addr 113ACh


Title: Re: WINOLS gurus: where is TDMLSDS located in M-box S4 file?
Post by: julex on May 05, 2011, 07:35:35 PM
That's not the spot. I really compared the values etc.; the region is a bit different around that area, with some stuff appearing to be missing in comparison to the "G" OLS. Apparently this variable, as well as some other stuff, got compiled into a different region (edit: *idea here: search for the missing stuff in the M-box and I might find the stuff I need*).

I don't know if that's the spot, but I am wondering how you arrived at this conclusion? I assume you just guessed based on the fact that the following region is the same as in the "G" bin.

Does anybody have the "M" and "G" box in IDA and could check the address references to see what address the same code in the "M" box accesses?

Thanks.

Otherwise I will have to advance to Yoda level and start IDA disassembly, haha.


Title: Re: WINOLS gurus: where is TDMLSDS located in M-box S4 file?
Post by: nyet on May 05, 2011, 08:30:43 PM
I assume you just guessed based on the fact that the following region is the same as in the "G" bin.

Yup. Blind ass guess :)

I was hoping spen would pipe up here and show us how it's done!


Title: Re: WINOLS gurus: where is TDMLSDS located in M-box S4 file?
Post by: setzi62 on May 06, 2011, 02:17:49 AM
I use a tool called bgrep (binary grep) to search for occurrences of hex patterns;
find attached the executable and source of bgrep.
This tool is quite handy when searching for matching code fragments in different images.

Here is how you can find the location of TDMLSDS if you have the disassembled code
and some basic knowledge about the C167 opcodes available:

1. Search for references to TDMLSDS in the assembler code of an image
with known symbol addresses (here F-Box is shown):
  ...
  87'FDA6: 8A2D06B0       JB      [B_kuppl], L_87FDB6 (87'FDB6)
  87'FDAA: 9A540460       JNB     [00FDA8h].6, L_87FDB6 (87'FDB6)
  87'FDAE: F3F81513       MOVB    RL4, [TDMLSDS]
  87'FDB2: F7F80DA8       MOVB    [38280Dh], RL4
  ...

2. Select a hex search pattern matching this code sequence,
verify that this search pattern is found only once:
  bash-3.2$ bgrep "8A2DxxB09AxxxxxxF3F8xxxxF7F8xxxxF3F8xxxx" fbox.bin
  fbox.bin: 0007FDA6 -> 8A2D06B09A540460F3F81513F7F80DA8F3F80DA8
-> found only once, see that address (0007FDA6) matches with assembler code (87'FDA6).

3. You have to know that the bit "B_kuppl" is at FD56.8 for M-Box (FD5A.11 for F-Box),
so the instruction "JB [B_kuppl], address"
has the pattern "8A2Bxx80" in M-Box compared to "8A2DxxB0" in F-Box
(you need to read the C167 documentation to know how the opcodes are encoded :P).

4. Search the corresponding pattern in the M-Box image:
  bash-3.2$ bgrep "8A2Bxx809AxxxxxxF3F8xxxxF7F8xxxx" mbox.bin
  mbox.bin: 0007544A -> 8A2B06809A510400F3F8AC13F7F83BA9
-> also found only once, at address 87'544A

5. Check this address in the assembler code of M-box:
  ...
  87'544A: 8A2B0680       JB      [B_kuppl], L_87545A (87'545A)
  87'544E: 9A510400       JNB     [00FDA2h].0, L_87545A (87'545A)
  87'5452: F3F8AC13       MOVB    RL4, [8113ACh]
  87'5456: F7F83BA9       MOVB    [38293Bh], RL4
  ...

-> TDMLSDS is at offset 0x113AC in M-Box as stated by nyet and gremlin (has value 0x33).
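As an added illustration of steps 2 to 5 (not part of setzi62's post or of the bgrep tool itself): a minimal Python re-implementation of the wildcard hex search, followed by the decode step that turns the MOVB operand in the match into a file offset. The two images are constructed from the byte runs quoted above, and the data-page base 0x810000 is taken from the listing's 8113ACh and assumed fixed.

```python
import re

def compile_pattern(hexpat: str):
    """Turn 'F3F8xxxx'-style hex (xx = any byte) into a compiled bytes regex."""
    hexpat = hexpat.replace(" ", "")
    if len(hexpat) % 2:
        raise ValueError("odd number of hex digits")
    parts = []
    for i in range(0, len(hexpat), 2):
        pair = hexpat[i:i + 2]
        parts.append(b"." if pair.lower() == "xx" else b"\\x%02x" % int(pair, 16))
    return re.compile(b"".join(parts), re.DOTALL)

def bgrep(hexpat: str, image: bytes):
    """Every non-overlapping match as (file_offset, matched_hex), as bgrep prints it."""
    return [(m.start(), m.group(0).hex().upper())
            for m in compile_pattern(hexpat).finditer(image)]

def movb_mem_operand(matched: bytes) -> int:
    """16-bit operand of the first MOVB Rbn,[mem] (opcode F3, register byte F8 = RL4).
    All instructions in the quoted sequences are 4 bytes long, so step by 4."""
    for i in range(0, len(matched) - 3, 4):
        if matched[i] == 0xF3 and matched[i + 1] == 0xF8:
            return int.from_bytes(matched[i + 2:i + 4], "little")
    raise ValueError("no MOVB RL4,[mem] in match")

def operand_to_file_offset(operand: int, page_base: int = 0x810000) -> int:
    """C167: the low 14 bits of a 16-bit mem operand index a 16 KiB data page (the top
    two bits pick the DPP). The listing resolves AC13h to 8113ACh, so page base 0x810000
    is assumed fixed; the post maps 87'FDA6 to file offset 0007FDA6 (minus 0x800000)."""
    return page_base + (operand & 0x3FFF) - 0x800000

def locate_variable(image: bytes, pattern: str):
    """File offset of the byte the MOVB reads, or None if the pattern is not unique."""
    hits = bgrep(pattern, image)
    if len(hits) != 1:
        return None
    return operand_to_file_offset(movb_mem_operand(bytes.fromhex(hits[0][1])))

# Constructed stand-ins for fbox.bin / mbox.bin: zero filler with the quoted byte runs
# placed at the offsets the post reports.
FBOX = b"\x00" * 0x7FDA6 + bytes.fromhex("8A2D06B09A540460F3F81513F7F80DA8F3F80DA8") + b"\x00" * 64
MBOX = b"\x00" * 0x7544A + bytes.fromhex("8A2B06809A510400F3F8AC13F7F83BA9") + b"\x00" * 64
FBOX_PATTERN = "8A2DxxB09AxxxxxxF3F8xxxxF7F8xxxxF3F8xxxx"
MBOX_PATTERN = "8A2Bxx809AxxxxxxF3F8xxxxF7F8xxxx"

if __name__ == "__main__":
    for name, img, pat in (("fbox.bin", FBOX, FBOX_PATTERN), ("mbox.bin", MBOX, MBOX_PATTERN)):
        for off, hx in bgrep(pat, img):
            print(f"{name}: {off:08X} -> {hx}")
    print(hex(locate_variable(MBOX, MBOX_PATTERN)))  # 0x113ac
```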


Title: Re: WINOLS gurus: where is TDMLSDS located in M-box S4 file?
Post by: julex on May 07, 2011, 08:31:42 PM
Thanks for all your help, I am starting IDA disassembly though, so wish me luck and not many headaches :)


Title: Re: WINOLS gurus: where is TDMLSDS located in M-box S4 file?
Post by: julex on May 09, 2011, 05:13:12 PM
Thanks for all your help, I am starting IDA disassembly though, so wish me luck and not many headaches :)

Does anybody have info as to what the entry point for IDA should be for the M-box.... thanks!


Title: Re: WINOLS gurus: where is TDMLSDS located in M-box S4 file?
Post by: phila_dot on May 09, 2011, 06:13:47 PM
Thanks for all your help, I am starting IDA disassembly though, so wish me luck and not many headaches :)

Does anybody have info as to what the entry point for IDA should be for the M-box.... thanks!

I use the info posted in the thread below and Andy Whittaker's site. I am pretty lost when it comes to IDA though. It would be great if someone skilled did a DIY thread or posted a properly disassembled file, maybe even commented.

http://www.nefariousmotorsports.com/forum/index.php/topic,35.0title,.html


Title: Re: WINOLS gurus: where is TDMLSDS located in M-box S4 file?
Post by: nyet on May 11, 2011, 11:10:33 PM
I have a suspicion that this little variable is the ticket for no lift shift.

Make any progress on this?


Title: Re: WINOLS gurus: where is TDMLSDS located in M-box S4 file?
Post by: julex on May 12, 2011, 07:07:39 AM
I have a suspicion that this little variable is the ticket for no lift shift.

Make any progress on this?

Well, yes and no. This one was a blind valley.

However :):):)

Eurodyne has this working in their Maestro software, so I figured it is just a matter of finding out how. Eurodyne's stuff is encrypted though, so it would be hard to look at the actual tune file, and my attempts to Galletto it out in BOOT also didn't work for some strange reason.... They naturally disabled normal flash access to the ROM.

I found a loophole though. It turns out that hooking up windbg and dumping the contents of Maestro's memory space yields a cool tune file, since they don't encrypt memory (duh), that is nothing else than the M-box binary with the usual maps changed plus a very interesting piece of assembly code that provides anti-lag facilities. Basically they altered one of the standard code's jumps to their custom piece of code located just before the end of the binary. I am not sure what the standard code does, but it looks like it must be controlling the actual spark event. In the custom code they compare a couple of EEPROM space values (where the tune keeps mph for launch control, RPMs and how long to interrupt the spark event for no-lift-shift) to the current car running values and the amount of time elapsed for no-lift-shift.

I will need some help with altering this code to go to an alternate memory space location somewhere in the standard maps range, where I will set up the three new scalars (DWORDs) to control the thing.


I will post the code I see later on.

Thanks.