NefMoto

Technical => Reverse Engineering => Topic started by: zibbo on June 28, 2011, 07:55:26 AM



Title: The correct way of loading a ECU stock file to IDA
Post by: zibbo on June 28, 2011, 07:55:26 AM
Hi everybody,

I was reading the 'Bosch Me7 IDA plugin' topic very thoroughly starting from here http://nefariousmotorsports.com/forum/index.php/topic,35.msg976.html#msg976 and got confused about who is right.

So, Andy's suggestion is (http://www.andywhittaker.com/en-us/ecu/disassemblingaboschme755.aspx):
1. Load lower 64K of ECU stock file to 0x0000
2. Create 64K of RAM at 0x380000
3. Load the rest of ECU stock file to 0x810000
4. Set DPP0 = 204h, DPP1 = 205h, DPP2 = E0h, DPP3 = 3

From other side, Tony's and Spen's suggestions coincide:
1. Load all ECU stock file to 0x800000
2. Set DPP0 = 204h, DPP1 = 205h, DPP2 = E0h, DPP3 = 3

Now, let's take into account the following facts:
1. ECU ROM is 512K, so it's impossible to fit a 1Mb ECU stock file in ECU ROM starting at 0x800000.
2. Interrupt vectors start at 0, so it looks like at least the 1st 64K really should be loaded to 0, not 0x800000.
3. RESET_handler sets DPP0 = 0, so where is 204h taken from at all?
So, who is right here and what is the exact correct way of loading an ECU stock file into the disassembler?

Thanks in advance.


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: zibbo on June 28, 2011, 09:50:14 AM
During my subsequent investigation I found out that Me7.1 has 1Mb ROM, so question #1 is solved now.

Also I found out that interrupts often set DPP0 = 204h and then call routines in the 0x820000-* area, so maybe DPP0 should be 0 for segment #0 and 204h for segments starting at #82 and further?

It also looked correct to me when I loaded the first 64K of the ECU stock file to segments #0 and #80, i.e. duplicated it, and then I found references from segment #82 to both segments #0 and #80.

Please, correct me if I'm wrong. Thanks


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: gremlin on June 28, 2011, 02:39:46 PM
...
1. Load lower 64K of ECU stock file to 0x0000
...

No.
First you must load the C167 CPU 32K dump to the address area 0000...7FFF.
Then create and add the other RAM/ROM segments as additional files.


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: zibbo on June 29, 2011, 03:06:57 AM
Thanks, Gremlin!

Could you please clarify what to do with the remaining 32K of segment #0? I mean, the stock file does contain something in the range 0x8000-0x10000 and this data doesn't look like it should be ignored.


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: gremlin on June 29, 2011, 04:23:05 AM
Could you please clarify what to do with the remaining 32K of segment #0? I mean, the stock file does contain something in the range 0x8000-0x10000 and this data doesn't look like it should be ignored.

Clarification about the 32-kb dump of the CPU program.
It isn't the first 32K of the main stock dump contained in the flash chip. It's the internal content of the CPU and it differs from the content of the start part of the flash.
The rest of the segment (8000...FFFF) is internal registers and internal CPU RAM. See the datasheets for the C167 processor for details.
External RAM and ROM are mapped at 380000 and 800000 respectively.
 


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: zibbo on June 29, 2011, 05:50:57 AM
Ok, I guess I know the point where I got confused. I used Andy Whittaker's video tutorials to get familiar with the essentials. In part 1 Andy loads a binary to address 0x00000000 and IDA correctly shows interrupt vectors, in particular RESET_handler with correct code for setting up CPU parameters. I guess that was internal CPU ROM, correct? I saw several stock files where, when 64K of them is loaded to 0, the code looks correct.

But there is a stock file example on Andy's site http://andywhittaker.com/LinkClick.aspx?link=software%2fS4TT-108.bin&tabid=68, and if I load the lower 32K or 64K of this file to 0, then I get a mess, so it doesn't really look like it should be loaded this way. And I saw many other similar stocks, including samples on Nyet's site - http://nyet.org/cars/files/stock/.

So, I guess the problem is in different stock file format, correct?

Thanks.


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: gremlin on June 29, 2011, 12:37:40 PM
So, I guess the problem is in different stock file format, correct?

The problem is that both people don't take into account the CPU internal program code.
When you disassemble the main flash code you will see some "jumps" and "calls" addressing 0000...7FFF.
But if you see these addresses remapped from 800000 to 0000, these calls and jumps will be targeted at the wrong subroutine entry points.
What software dump do you plan to disassemble?
Give me the SW number and I will post the CPU internal dump for this ECU.
Then you try to disassemble using the method described above.

 


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: gremlin on June 29, 2011, 04:02:58 PM
PS: In some cases the low 32K of the flash dump is equal to the internal CPU ROM dump.
But only "sometimes", not "always".
From this point of view, always use the real CPU dump to avoid possible errors in disassembly.
See example.


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: zibbo on June 30, 2011, 02:11:48 AM
Gremlin, thank you very much for the clarification and example! To summarize, the 0x800000-0x808000 range can either duplicate CPU ROM or contain some code used during boot, correct?

If so, then the meaning of the next 32K can vary as well depending on what the first 32K means, correct? And what is the purpose of this area at all?

Thanks


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: zibbo on July 03, 2011, 08:29:42 AM
Btw, is it known how CPU ROM depends on SW? Is it possible that CPU ROM from one ECU will be good for another one, or every SW actually indicates changes in CPU ROM?

Thanks.


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: gremlin on July 03, 2011, 09:40:59 AM
Btw, is it known how CPU ROM depends on SW? Is it possible that CPU ROM from one ECU will be good for another one, or every SW actually indicates changes in CPU ROM?

Thanks.

AFAIK there are 4 versions of CPU dumps for the VAG ME7.x ECU family for turbo engines.
Unfortunately CPU chip markings can be different for chips having equal dumps inside.
But it's no problem to read the CPU content using boot mode and C167 software tools like minimon, for example.
 


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: phila_dot on July 05, 2011, 10:46:42 PM
How do we determine all of these settings accurately?

Are you getting it all from the datasheet? Or is there a method to ascertain it from the binary?


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: Tony@NefMoto on September 18, 2011, 07:37:26 PM
This is the memory layout of the ME7.1:
0x0-0x7FFF: Internal ROM on the C167 processor
0xE000-0xFFFF: Internal RAM on the C167 processor
0x380000-0x38FFFF: External RAM
0x800000-0x8FFFFF: External Flash

The bin files that everyone reads off of their ECU are the external flash memory starting at 0x800000.

The only way to read the internal ROM from 0x0 to 0x7FFF is in boot mode. All of the OBD communication protocols prevent reading the internal ROM memory region.

The code in the internal ROM forwards some interrupts to the code in the external Flash. That is why it looks like there are interrupt vectors at 0x800000, because the internal ROM code forwards to there.

I can 100% guarantee the DPP registers are set as such:
DPP0: 0x0204
DPP1: 0x0205
DPP2: 0x00E0
DPP3: 0x0003


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: broken_down on February 27, 2012, 11:31:45 AM
Hi,

I have a Renault Clio Sport with a Sirius 32N ECU.
It uses the C167 processor and an AM29F200BB flash.
If I have a full readout of the flash using boot mode it is 256KB.
Since the file is so much smaller than the file you are giving an example about, what would be the correct addressing
for the:
Internal ROM on the C167 processor: always the same size?
Internal RAM on the C167 processor: always the same size?
External RAM
External Flash

and the DPP registers?

I would be ever so happy if you can help me out.

Best regards
Daniel Ohde


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: masterj on March 05, 2012, 03:05:07 PM
Hi everybody,

I was reading the 'Bosch Me7 IDA plugin' topic very thoroughly starting from here http://nefariousmotorsports.com/forum/index.php/topic,35.msg976.html#msg976 and got confused about who is right.

So, Andy's suggestion is (http://www.andywhittaker.com/en-us/ecu/disassemblingaboschme755.aspx):
1. Load lower 64K of ECU stock file to 0x0000
2. Create 64K of RAM at 0x380000
3. Load the rest of ECU stock file to 0x810000
4. Set DPP0 = 204h, DPP1 = 205h, DPP2 = E0h, DPP3 = 3

From other side, Tony's and Spen's suggestions coincide:
1. Load all ECU stock file to 0x800000
2. Set DPP0 = 204h, DPP1 = 205h, DPP2 = E0h, DPP3 = 3

Now, let's take into account the following facts:
1. ECU ROM is 512K, so it's impossible to fit a 1Mb ECU stock file in ECU ROM starting at 0x800000.
2. Interrupt vectors start at 0, so it looks like at least the 1st 64K really should be loaded to 0, not 0x800000.
3. RESET_handler sets DPP0 = 0, so where is 204h taken from at all?
So, who is right here and what is the exact correct way of loading an ECU stock file into the disassembler?

Thanks in advance.

I'm a newbie with IDA Pro and assembler, but after watching Andy's videos and reading this, I can't understand how to load the whole bin file to the 0x800000 address without splitting.
Could someone tell me what values to write into the window (attached image)? I've checked my DPP0...3 and they're the same as in Andy's video. But after identifying DPP... he splits the file into two parts and then sets the RAM start address @ 0x380000 and uses the default for ROM...


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: automan001 on September 26, 2013, 11:55:11 PM
This is the memory layout of the ME7.1:
0x0-0x7FFF: Internal ROM on the C167 processor
0xE000-0xFFFF: Internal RAM on the C167 processor
I found some good pictures with a detailed description of the content of these blocks in the C167CR User's Manual:

The C167CR provides a total addressable memory space of 16 MBytes. This address space is arranged as 256 segments of 64 KBytes each, and each segment is again subdivided into four data pages of 16 KBytes each. Most internal memory areas are mapped into segment 0, the system segment. The upper 4 KByte of segment 0 (00’F000H … 00’FFFFH) hold the Internal RAM and Special Function Register Areas (SFR and ESFR). The lower 32 KByte of segment 0 (00’0000H … 00’7FFFH) may be occupied by a part of the on-chip ROM/Flash/OTP memory and is called the Internal ROM area. This ROM area can be remapped to segment 1 (01’0000H … 01’7FFFH), to enable external memory access in the lower half of segment 0, or the internal ROM may be disabled at all. Code and data may be stored in any part of the internal memory areas, except for the SFR blocks, which may be used for control/data, but not for instructions.

The C167CR may reserve an address area of variable size (depending on the version) for on-chip mask-programmable ROM/Flash/OTP memory (organized as X × 32). The lower 32 KByte of this on-chip memory block are referred to as “Internal ROM Area”. Internal ROM accesses are globally enabled or disabled via bit ROMEN in register SYSCON. This bit is set during reset according to the level on pin EA, or may be altered via software. If enabled, the internal ROM area occupies the lower 32 KByte of either segment 0 or segment 1 (alternate ROM area). This mapping is controlled by bit ROMS1 in register SYSCON.
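
A worked example, added here and not part of the thread, of how the 16 KByte page scheme quoted above combines with the DPP values Tony posted (DPP0 = 0x0204, DPP1 = 0x0205, DPP2 = 0x00E0, DPP3 = 0x0003) to turn 16-bit data addresses into the 24-bit ME7.1 layout, and of why a call into segment 0 lands in internal ROM rather than in the flash dump. The translation rule (the top two bits of a data address select a DPP register, the DPP value is the page number, the low 14 bits are the page offset) is the standard C16x scheme the manual excerpt describes; the region names, `code_address` and the file-offset helper are my own additions.

```python
# Added example (not from the thread): DPP address translation on the C16x,
# using the ME7.1 memory layout and DPP values posted earlier in this thread.
PAGE_BITS = 14                          # 16 KByte data pages, 4 per 64 KByte segment
PAGE_MASK = (1 << PAGE_BITS) - 1
FLASH_BASE, FLASH_END = 0x800000, 0x8FFFFF

ME7_DPP = (0x0204, 0x0205, 0x00E0, 0x0003)   # DPP0..DPP3 as posted by Tony

ME7_LAYOUT = (                          # (name, first, last) as posted by Tony
    ("INT_ROM",   0x000000, 0x007FFF),  # C167 internal ROM, boot-mode read only
    ("INT_RAM",   0x00E000, 0x00FFFF),  # C167 internal RAM / SFRs
    ("EXT_RAM",   0x380000, 0x38FFFF),  # external RAM
    ("EXT_FLASH", FLASH_BASE, FLASH_END),  # external flash = the stock .bin
)

def translate_data(addr16, dpp=ME7_DPP):
    """16-bit data address -> 24-bit physical address: the top two bits pick
    DPP0..3, the DPP value is the page number, the low 14 bits the offset."""
    if not 0 <= addr16 <= 0xFFFF:
        raise ValueError("data addresses are 16 bit")
    page = dpp[addr16 >> PAGE_BITS]
    return (page << PAGE_BITS) | (addr16 & PAGE_MASK)

def code_address(segment, offset16):
    """Far code address: 8-bit segment number plus 16-bit offset."""
    return ((segment & 0xFF) << 16) | (offset16 & 0xFFFF)

def region_of(phys, layout=ME7_LAYOUT):
    """Name of the layout region a physical address falls in, or None."""
    for name, first, last in layout:
        if first <= phys <= last:
            return name
    return None

def stock_file_offset(phys):
    """Offset inside a stock file loaded at 0x800000, or None if not flash."""
    return phys - FLASH_BASE if region_of(phys) == "EXT_FLASH" else None

def fits_in_flash(file_size):
    """Does a stock file of this many bytes fit the 0x800000-0x8FFFFF window?"""
    return 0 < file_size <= FLASH_END - FLASH_BASE + 1

if __name__ == "__main__":
    for a in (0x0000, 0x4000, 0x8000, 0xE000):
        p = translate_data(a)
        print(f"data {a:04X} -> {p:06X} ({region_of(p)})")
    # a call into segment 0 hits internal ROM; the same offset in segment 0x82
    # is flash, so remapping flash to 0 would point such calls at the wrong code
    for seg in (0x00, 0x82):
        p = code_address(seg, 0x1234)
        print(f"call {seg:02X}:1234 -> {region_of(p)}, file offset {stock_file_offset(p)}")
    print("1 MB stock file fits in flash:", fits_in_flash(0x100000))
```

Note that DPP0 = 0x0204 puts data page 0 at 0x810000, which is exactly where Andy's split method loads the upper part of the file, while DPP2 = 0x00E0 lands on the external RAM at 0x380000.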


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: ktm733 on November 26, 2015, 08:18:52 PM
I'm a newbie with IDA Pro and assembler, but after watching Andy's videos and reading this, I can't understand how to load the whole bin file to the 0x800000 address without splitting.
Could someone tell me what values to write into the window (attached image)? I've checked my DPP0...3 and they're the same as in Andy's video. But after identifying DPP... he splits the file into two parts and then sets the RAM start address @ 0x380000 and uses the default for ROM...

anybody?


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: adam- on November 27, 2015, 01:53:58 AM
Subscribed.  I played with this the other day and the AutoIT script works pretty well.  Still need to get my head around it.

I just split the file, wasn't too hard to do. 


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: ktm733 on November 27, 2015, 10:36:02 AM
I did the auto script but it doesn't seem correct is why I'm questioning it.


Title: Re: The correct way of loading a ECU stock file to IDA
Post by: chacarita on July 29, 2020, 11:04:58 PM
This is the memory layout of the ME7.1:
0x0-0x7FFF: Internal ROM on the C167 processor
0xE000-0xFFFF: Internal RAM on the C167 processor
0x380000-0x38FFFF: External RAM
0x800000-0x8FFFFF: External Flash

The bin files that everyone reads off of their ECU are the external flash memory starting at 0x800000.

The only way to read the internal ROM from 0x0 to 0x7FFF is in boot mode. All of the OBD communication protocols prevent reading the internal ROM memory region.

The code in the internal ROM forwards some interrupts to the code in the external Flash. That is why it looks like there are interrupt vectors at 0x800000, because the internal ROM code forwards to there.

I can 100% guarantee the DPP registers are set as such:
DPP0: 0x0204
DPP1: 0x0205
DPP2: 0x00E0
DPP3: 0x0003

Sorry for the noob question, but I want to learn and I get mixed up with so many posts going on about the same thing, so I thought I'd keep it under the same thread. Having no background in IT, I have basically no idea what I am doing when trying to load the file. From what you posted I do understand that files not read via boot mode are the external flash. I tried downloading automan001's disassembled project but can't even start to open it. I understand that I have to use loading at 0x800000 because that is the ExtFlash location. How do I tell IDA not to bother? I get this error. It is expecting me to fill out the layout of the whole ECU but I am loading a smaller file on it (bin)? Thanks in advance ;)