NefMoto

I'm wondering how ME7Logger gets RAM variables out of a ME7 file.

Since i found this forum and everyone can do IDA and writing ASM script i of course want learn this.
So bit by bit i start to understand this all a little.
But not blessed with a Einstein brain it goes quite slowly  ;D
When i understand the C167 ME7 i want to start on my ME7.1.1 ST10 ecu.
But ME7Logger doesn't work with these ST10 ecu's so finding stuff in IDA is a lot harder.

So i try to understand how ME7L knows what label belongs to what RAM adres.
I think it searches for known maps and the axis should be linked to a RAM adres to use for example Nmot for the map.
But can't really find out how this is linked..

Hope someone can help me or give me a small hint how this works..

It looks for asm patterns, like prj's map locator

https://github.com/prj/me7-tools

Thanks!

Really slowly it start to make sense..
At this moment i still wonder how ME7Logger gets RAM adresses from file.
You can take an startadres of an axis of a map and reverse it to the RAM adress, but you have also need DPP offset.
And then you have 2 X's in this equation..
So probably ME7 uses same DPPoffset for most ecu's.
So always 0206h for Nmot and 0207h for RL_w for example.
That you can quite easy find RAM adress..

Is there an easier way?
This probably works for ME7 but i want to start on ME7 ST10 and MED9 later, and these have different DPPoffsets i think.
If i can find RAM adresses easy i can make monolamba etc. without completly reversing a file in IDA.
I love learning IDA pro but sometimes it is nice to get something done without hours of IDA :-)

I think that's a bingo in the right direction

ok, so if i want to do other newer ecu's i need to disassemble 1 and write down DPPoffsets it uses for specified functions and hope it will be the same in other ecu's?

I would disassemble multiple ecu's and compare. Could save you more time in the end...

Thanks, i will do some more digging than..  ;D

Personally this is a really interesting topic. From my point of view I think that should be somekind of index,  index calculation or offset index that ECU uses to point to that addresses and maps. I do not believe that Bosch makes a new estructure for every software version, well I think. If this is right finding that index will solve a lot of problems doing a really big "BINGO".

read a c166 ecu manual. its very complex document but explains all stuff.
206h 207h its a pages used for a 16 bit adressing in a flash file.
206h * 4000h = 818000h (800000 = flash memory, so its basically 0x18000 in your file)
if you see something like a
mov r12 #1234h
mov r13 #206h
then its page 206h, offset 1234h. do some math and find start of a calling map. (206h * 4000h + 1234h = 819234h = 0x19234 ) typically me7 uses 204..20A pages
there is no ram adresses here until you dig a little deeper and learnt about map calling. its pretty clear when you know vars used by map (FR)
ok here is r12, r13 in 3d map calling. now if you know what map are called and you know which vars used, you can trace they ram locations
 take a look ar to r4, r5, r14 in typical map calling. (btw there is a few methods used for define axes of a map)
sometime you see the native variable here, sometime its a calculated axis value and you should trace to place where its written.
i cant help you with st10 ecu because never had an experience with it :/

Yes this part i understood  ;D
I can find RAM adresses now.
But the more i learn about this stuff the more i realize that i need to learn so much more....  ::) ::)

I don't think there is an index for it, i can't see why the ecu would need that, but i still need to learn a lot..

ST10 is very similar.
Take some public A2L for the ST10 ECU, parse it into IDA. Then it all will make sense.
Also, seriously, take a look at maplocator listed above. You can make it search for RAM values as well.

EDIT: scratch the ST10 idea for now. Start by getting yourself a fully "defined" ME7 IDA project. Same way - parsing a public A2L + bin. I might write a detailed post about it at some point, but it's not exactly that hard.

Sorry, but you need to do more reading and less typing.
All you typed is totally useless BS. RAM is always at 0xE000 and up and 0x38000 and up.

ME7Info parses the TKMWL structure in the ECU. Maps are irrelevant.
For every ID it has some custom logic that specifies the factor/offset and also how to parse the address out of the block.

The reason it doesn't work on ST10 is because on ST10 the structure is slightly different.
I wrote a Python script for IDA Pro that parses this structure. Meaning you just tell the script the start of the structure and the ID you want to see, and it jumps you there.
It is easily possible to extend that to dump all the variables, but it is quite a lot of work which I have no interest in.

The ST10 stuff has decent logspeed with KWP2000, so just make your own measuring blocks with your own ID's and use VCDS to log a bunch of variables at the same time.
Same approach works on MED9.

Thanks Guys i Will stop typing learn Some more first.

finally had some time to look into this again.
Starts to make a bit more sense.
Found TKMWL list in FR and found space in the file were in same order the ram adresses are put.
And found MWNTKB where measureblocks are labeled.
Now need to find the pattern to find RAM adresses in other files..

I put ME7info in IDA, lots of patterns and stuff in there.
Here is IDA file for who wants.

It's not ram addresses you found, it's block numbers. Useless pretty much.

I meant this:
seg003:826BC                 and     r4, #0Fh
seg003:826C0                 cmp     r4, #1
seg003:826C2                 jmpa    cc_Z, loc_888D36
seg003:826C6                 cmp     r4, #2
seg003:826C8                 jmpr    cc_Z, loc_882726
seg003:826CA                 cmp     r4, #3
seg003:826CC                 jmpr    cc_Z, loc_882736
seg003:826CE                 cmp     r4, #5
seg003:826D0                 jmpa    cc_Z, loc_88277C
seg003:826D4                 cmp     r4, #7
seg003:826D6                 jmpa    cc_Z, loc_8827A8
seg003:826DA                 cmp     r4, #8
seg003:826DE                 jmpa    cc_Z, loc_8827B8
seg003:826E2                 cmp     r4, #9
seg003:826E6                 jmpa    cc_Z, loc_8827CC
seg003:826EA                 cmp     r4, #0Ah
seg003:826EE                 jmpa    cc_Z, loc_8827E4
seg003:826F2                 cmp     r4, #0Bh
seg003:826F6                 jmpa    cc_Z, loc_88280E
seg003:826FA                 cmp     r4, #0Ch
seg003:826FE                 jmpa    cc_Z, loc_882830
seg003:82702                 cmp     r4, #0Dh
seg003:82706                 jmpa    cc_Z, loc_882852
seg003:8270A                 cmp     r4, #0Eh
seg003:8270E                 jmpa    cc_Z, loc_8828D4
seg003:82712                 cmp     r4, #0Fh
seg003:82716                 jmpa    cc_Z, loc_8828E2
seg003:8271A                 cmp     r4, #3F7h
seg003:8271E                 jmpa    cc_Z, loc_8828F0
that refers to adres where RAM adres is in TKMWL order.
It is just annoying that it is not in 1 block all together.

Yes that is correct, but you only have a tiny chunk. You also need to figure out how to go from block number to subroutine.

Thanks!
Getting there bit by bit, still lots to learn...

Can anyone help me where to put the eeprom data in IDA pro?

http://nefariousmotorsports.com/forum/index.php?topic=6159.15 look here

thanks!

Writing to EEPROM there are subroutines in ME7.
Reading can be done off of the mirror directly, same as MED9 as described in that thread.

Here's something I did utilizing this a few years ago:
https://www.youtube.com/watch?v=0Zp_iCeigEI (https://www.youtube.com/watch?v=0Zp_iCeigEI)

Hehe, I have tried this rpm indication on a b5 A4 cluster. That ecu was super unhappy and bricked itself after ignition off  ;D during the test it did still run however!...kind of...

I tested the mirror and it is read-only as prj says. Havent found out how to write the eeprom from functions yet, I spent some time in the FR and IDA but decided I have other priorities before I invest more time in this...

Interesting stuff!
Will look into it when i have some time...

but you need a wot box for this right?  ::)

No this is ASM coded into ME7..


Verzonden vanaf mijn iPhone met Tapatalk

Sarcasm. I quoted the first comment in the video.

LOL. Sorry.

The mirror is not strictly read-only, but you are much better off using the subroutines provided, than try to reverse engineer how you have to write it.
And if you do you will find the routines anyway :D

Hi, one question.

What software use for make a RAM dump and locate the eep mirror?

I tried with me7logger but is laborious.

Regards

Reverse engineer EEPROM R/W subroutines and you will have the location.
It's different in every binary. Scanning ram is a pretty stupid approach.