NefMoto

Hi guys,

I started to work on injection my code into ECU. Beginings were quite hard, but i successfully tested few functions/instructions C167 (ME7.5 518AL) on the bench. I used some variables located at 0x387006 and 0x387004, succesfully changed it. But when i loaded ECU to the car on original software i noticed that data on those addressess are changing in some special conditions during drive, so i decided to log ram space using me7logger on driving and when ignition is on. I figured out 20 possible locations always nulled. So i exchanged my 387006/4 to new one, but with those my program (working properly on previous vars) is not changing values on those adressess.

Is it possible that new found vars are somehow protected by ori bosch software??

Zero that seldom changes is not a good marker for unused bytes. You always have to check a full flash disassembly before using ram.

I know that full dissasembly is great way to determine which parts of memory can be used without any doubts.
But for example Antliag php script (shared here) uses easy search algoritm by pattern 0xFF


{
      echo "Finding a good space for launch control configuration variables..\r\n";
      // OLD Function $launchvars = strpos($bin,"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF",97700)+17;
      $launchvars=findHole($bin, 32, hexdec("17000"), hexdec("18000"));
      
      // Wurde kein Platz gefunden?
      if(!$launchvars)
         {
            echo "cannot find space for configuration variables, please input offset by argument!\n";
            die();
         }
   }

Yes, and it often uses already occupied RAM.

Examples:

One RS6 file it uses some of the cruise control whatnot.
Later files it uses the bits that are tasked with RSA calculations.

Successfully i've found some space and used it.

btw. Is there anybody who knows why ECU on bench does not notify (me7logg) changes on pines for clutch and cruise?

I checked by shortcutting to ground those pins:

T39 cluch
T38 cruise
T57 cruise
T75  cruise
T76  cruise

You need shortcut to   "Positive connection 2 (15), in dash panel wiring harness (A104)"

thanks.
Working perfectly.

(http://s9.postimg.org/o6pc1at8b/IMG_20151129_154923.jpg) (http://postimg.org/image/o6pc1at8b/)

Has anyone ecu definition with B_epcl flag? me7logger didn't find it on many ECUs
i've only read on forum that should be the same address as B_mil flag but bit 1 instead of bit 0.

;B_mil           , {}                                , 0x00FD2A,  2,  0x0001,
;B_epcl          , {}                                , 0x00FD2A,  2,  0x0002,

I checked in the car, and when b_mil is ON also b_epcl is ON on dashboard but 1 bit is zero.

Guys, i am looking for any information about me7.5 startup / init procedure especially conditions which have to be meet to start engine.

I've already tried view those:
- evz_austot
- b_bevab
- b_evabu
..but not sufficient.

i want to find some variable responsible for blocking startup engine.

In which sw version you need this? post some more info and i might find one for you...

8E0909518AQ

go for word_FD44.10  (fd44.10)

0x0625aa

at this addres i have setting of 9bit =>> bset    word_FD44.9


; =============== S U B R O U T I N E ====================================
Seg0x218@860000:25AA
Seg0x218@860000:25AA
Seg0x218@860000:25AA             sub_8625AA:                             ; CODE XREF: sub_8623B6+144P
Seg0x218@860000:25AA                                                     ; sub_8623B6+1D2P ...
Seg0x218@860000:25AA 9F 22                       bset    word_FD44.9
Seg0x218@860000:25AC DB 00                       rets
Seg0x218@860000:25AC             ; End of function sub_8625AA
Seg0x218@860000:25AC
Seg0x218@860000:25AE
Seg0x218@860000:25AE           
  ; =============== S U B R O U T I N E =======================================

both are zero on bench (9 & 10):

gt-innovation        , {}                                       , 0x00FD44,  2,  0x0400, {}
gt-innovation2        , {}                                       , 0x00FD44,  2,  0x0200, {}

bset    word_FD44.10   did not work for you?

On my car this solution doesn't work. I am wondering if i setting this bit not to late on startup procedure.
Anyway me7logger always show "1" so any other soubroutines don't overwrite it with zero.
@gt-innovation Could you share peace of your dissasembled code with this FD44.10 i will compare it, maybe on my software version different bits are used.

the fd44.10 was from your sw... in mine it is different. Check on the me7 pdf for b_st and b_stend in order to see which function you need

Thanks gt-innovation, but your solution doesn't work on my ecu.
I am investigating me7 functionsrahmen and noticed that evz_austot must working. Looks like i am jumping to my code from wrong place in bosch code. I think i need to do that from the begining of KOEVAB function.


Reference:
(http://s29.postimg.org/a2i2nloub/fuell_cut_off.jpg) (http://postimg.org/image/a2i2nloub/)(http://s29.postimg.org/fpefl2rcz/fuell_cut_off2.jpg) (http://postimg.org/image/fpefl2rcz/)(http://s29.postimg.org/xhzzsy8lf/fuell_cut_off3.jpg) (http://postimg.org/image/xhzzsy8lf/)

Doesn't necessarily mean the RAM location isn't in use.... It may only be sampled by me7logger in a way that doesn't show if it changes

yep you are right, i jumped from 8be70, maybe ori bosch code used this variable before my jump (0->1->0) or me7logger is not able to show changes because of sample rate. But we are still talking about fd44.10 bit which nobody doesn't know what is this but someone use it:)

...anyway i am still trying to proper inject into evz_austot but unsuccessfully:

Seg0x21d@874000:5948
Seg0x21d@874000:5948             loc_875948:                             ; CODE XREF: sub_8758E8+58j
Seg0x21d@874000:5948             F3 F8 7C 8A                 movb    rl4, byte_380A7C
Seg0x21d@874000:594C             F7 F8 9F 8A                 movb    evz_austot, rl4

changed F7 F8 9F 8A => to DA 8C 00 03
code placed at C0300 returning:

  mov rl4, #0x01
or
   mov r4, [r0+]

..have to analyze with IDA deeply...

Guys sorry for bothering you, i succesfully managed to turn off injection in my car forever.
Of course evz_austot working properly. Now i need to change design because i would to turn off inj only in some specific condition, right now looks like code with evz is executed only once on ignition and my code with condition is being executed every 200ms. So when i jump to evz my conditions are not fullfilled...