NefMoto

Hi everybody,

I did the same (http://www.andywhittaker.com/disassemble-a-bosch-me7-1-ecu/)
1. Load lower 64K of ECU stock file to 0x0000
2. Create 64K of RAM at DPP1
3. Load the rest of ECU stock file to DPP2
4. Set DPP0 = 1Сh, DPP1 = 10h, DPP2 = 24h.
How to properly install the load address ?

I would appreciate any help.
Do not judge strictly. I'm a beginner at this.
Thanks in advance.

Sorry! It is impossible to attach a draft (IDA).
(Your attachment couldn't be saved. This might happen because it took too long to upload or the file is bigger than the server will allow.)

Simtec is probably from Siemens and most probably very different from Bosch ecu. Even if the processor and flash is the very same, the structure, layout ect is going to be way different.

Upload the untouched 512kb file please.

(edit)

I build the 512kb file from your stuff and surprisingly it looks pretty equal to Siemens EMS2000 ecu ;) You may wanna take a look at what we found for it:

http://nefariousmotorsports.com/forum/index.php?topic=9441.0title=

Post the full file and I'll give you the DPP's

 ;)

It's late here laptop off but will tomorrow hopefully or well need a minimon read lol.

Btw the file labelled rom isn't.

That means crack minimon out btw read the cpu code or if u have an a2l I can calculate it

Hi everybody.
Thank you for your answers.
Apologies for the delay in replying.
processor C167CS-LM
flash AM29F400BB

It disassembles quite nice :) You probably don´t have access to a damos or a2l file for it?

Yes. Unfortunately I have no files(damos, a2l).
I do so:
 - load 512kb file (processor type c166)
 - create rom section default (start 0x0, size 80000)
 - choose yhe device name c167cs
 - (http://1.JPG)
 - (http://2.JPG)
 - (http://3.JPG)

How to properly install the load address ?
Thanks in advance.

DPPs are in the last pic.   Load location is done by a register check the sheet.

Thank you for your answer.
That's right ?

Yup well done.   Remember DPPs can be overridden in the code extp is the instruction iirc.   It's probably worth reading the instruction set manual as well.

Hi everybody.
Was a lot of work.
I used the plugin by Andy.
Poorly ;D (plugin converted into code MEM_EXT)
I'm looking for an algorithm seed-key.
It is not found  ;D
Maybe it does not exist in the firmware?

it will involve xor instructions, no doubt lol.

I found that in this version of the firmware, the seed and the key(910C _ B3CE) can be found at 0x3D02 (ROM). Algorithm until I found. Maybe it does not exist in the firmware? Thank you for your answers.

Kind of has to lol, it will be multiple functions in a segment most likely.