Title: How are maps referenced in code?
Post by: zibbo on June 30, 2011, 02:57:08 AM

Hi everybody,
For example I have ECU (http://nefariousmotorsports.com/forum/index.php/topic,744.msg6306.html#msg6306) and XDF (http://nefariousmotorsports.com/forum/index.php/topic,430.msg2912.html#msg2912) files that look like they match each other, but when I load the binary into IDA it doesn't show me any references to the maps defined in the XDF file. Can anybody give at least a hint of where to start looking to track a reference from a known map to the code that uses it? Thanks in advance.

Title: Re: How are maps referenced in code?
Post by: ArgDub on June 30, 2011, 08:27:17 AM

I'm not immersed in this stuff, but I think you should read about the DPP addressing mechanism.
While I'm here, with dpp1 set at 0x205 the highest addressed position would be 0x817FFF, am I right? If so, what addressing mode is used for the maps beyond position 0x817FFF?

Title: Re: How are maps referenced in code?
Post by: zibbo on July 01, 2011, 03:48:13 AM

The DPP addressing mechanism is only a programmatic way to refer to some data; there are other ways of doing so as well, e.g. using EXTP, EXTS etc. In fact you can just change a DPP register as needed, access data, then restore DPP.
I have found some info here http://motronic.ws/maptable3.htm, but I'm not sure it is applicable to modern ECUs; I just couldn't replicate it. If at least someone could say if this is true for modern ECUs or not, that would be a huge help. Thanks.

Title: Re: How are maps referenced in code?
Post by: gremlin on July 01, 2011, 04:50:11 AM

ME7 ECUs use various methods for referencing maps.
Direct, index tables etc. Below is a direct (page number + offset) reference example:

seg002:0087CB8A mov word_A3E2, r4
seg002:0087CB8E jnb word_FDA8.8, loc_87CBA6 ; knock flag
seg002:0087CB92 mov r12, #33EEh ; LDRXNZK 16x1 81F3EE
seg002:0087CB96 mov r13, #207h ; addr of map descriptor
seg002:0087CB9A mov r14, RPM_16bit ; rpm
seg002:0087CB9E calls 82h, Map2D_16bit
seg002:0087CBA2 mov r9, r4
seg002:0087CBA4 jmpr cc_UC, loc_87CBB8
seg002:0087CBA6 ; ---------------------------------------------------------------------------
seg002:0087CBA6
seg002:0087CBA6 loc_87CBA6: ; CODE XREF: sub_87CB6A+24j
seg002:0087CBA6 mov r12, #33ACh ; LDRXN 16x1 81F3AC
seg002:0087CBAA mov r13, #207h ; addr of map descriptor
seg002:0087CBAE mov r14, RPM_16bit ; rpm
seg002:0087CBB2 calls 82h, Map2D_16bit
seg002:0087CBB6 mov r9, r4
seg002:0087CBB8
seg002:0087CBB8 loc_87CBB8: ; CODE XREF: sub_87CB6A+3Aj
seg002:0087CBB8 movbz r4, byte_8ACE

Title: Re: How are maps referenced in code?
Post by: ArgDub on July 01, 2011, 06:16:19 PM

So, you calculate map_page as (MAP_ADDRESS / PAGE_SIZE) and map_offset as (MAP_ADDRESS % PAGE_SIZE), right? If map_page equals 204h or 205h then dpp0 or dpp1 is used respectively. When the page isn't dpp0 or dpp1, indirect addressing is used?
You named a function Map2D_16bit; is there a function for every type of map? Like single_8, single_16, ... , Map2D_8bit, Map2D_16bit.

Title: Re: How are maps referenced in code?
Post by: zibbo on July 03, 2011, 08:27:09 AM

Thanks, Gremlin! It made me think that in order to find all maps I just need to disassemble everything and understand every line of code! If I start right now, I hope I will be done by next year ;)
Title: Re: How are maps referenced in code?
Post by: gremlin on July 03, 2011, 09:43:45 AM

Thanks, Gremlin! It made me think that in order to find all maps I just need to disassemble everything and understand every line of code! If I start right now, I hope I will be done by next year ;)

Who says that knowing all is as easy as 1,2,3.... ?? :)
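
The direct (page number + offset) reference in gremlin's listing and the page/offset arithmetic ArgDub asks about, as an added example that is not part of any post in this thread: it scans an image for `mov r12, #offset` / `mov r13, #page` pairs and resolves them against map addresses taken from an XDF. It assumes the C166 `MOV reg, #data16` encoding (E6 RR lo hi), the r12/r13 register pair seen in the listing, and a linear file-offset-to-address mapping; the function names and the sample bytes are constructed for illustration.

```python
import struct

PAGE_SIZE = 0x4000        # C166 data pages are 16 KiB (14-bit offset)
MOV_REG_IMM16 = 0xE6      # MOV reg, #data16 -> E6 RR lo hi (assumed encoding)
R12, R13 = 0xFC, 0xFD     # GPR n is encoded as F0h + n

def page_offset_to_addr(page, offset):
    """Linear address = page number * 16 KiB + 14-bit offset."""
    return page * PAGE_SIZE + (offset & (PAGE_SIZE - 1))

def addr_to_page_offset(addr):
    """Inverse: (MAP_ADDRESS / PAGE_SIZE, MAP_ADDRESS % PAGE_SIZE)."""
    return divmod(addr, PAGE_SIZE)

def find_direct_map_refs(image, base, known_maps):
    """Return [(code_addr, map_addr, name)] for r12=offset / r13=page pairs."""
    hits = []
    for i in range(0, len(image) - 7, 2):          # instructions are word aligned
        if image[i] != MOV_REG_IMM16 or image[i + 1] != R12:
            continue
        if image[i + 4] != MOV_REG_IMM16 or image[i + 5] != R13:
            continue
        offset, = struct.unpack_from("<H", image, i + 2)
        page, = struct.unpack_from("<H", image, i + 6)
        if offset >= PAGE_SIZE or page > 0x3FF:    # not a plausible page/offset pair
            continue
        map_addr = page_offset_to_addr(page, offset)
        hits.append((base + i, map_addr, known_maps.get(map_addr, "?")))
    return hits

# Constructed sample: NOP filler (CC 00) around the two register loads from the
# listing, placed so they land at 0x87CB92 and 0x87CBA6.
SAMPLE_BASE = 0x87CB8A
SAMPLE = bytes.fromhex(
    "cc00" * 4 +
    "e6fcee33" "e6fd0702" +   # mov r12, #33EEh ; mov r13, #207h
    "cc00" * 6 +
    "e6fcac33" "e6fd0702"     # mov r12, #33ACh ; mov r13, #207h
)
# Map names and addresses as given in the listing's comments.
KNOWN_MAPS = {0x81F3EE: "LDRXNZK", 0x81F3AC: "LDRXN"}

if __name__ == "__main__":
    for code, target, name in find_direct_map_refs(SAMPLE, SAMPLE_BASE, KNOWN_MAPS):
        print(f"{code:06X}: page/offset pair -> {target:06X} ({name})")
```

Maps reached through index tables or through a temporarily changed DPP register will not show up in this scan; it only covers the direct form shown in the listing.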