NefMoto

Technical => Reverse Engineering => Topic started by: nubcake on November 19, 2017, 02:24:30 PM



Title: MED9info tool (very basic version)
Post by: nubcake on November 19, 2017, 02:24:30 PM
Here's a small (and very basic) tool I made for my MED9 logger a while ago. It's far from being complete, but I didn't get to work on it for quite a while, so I guess I'll just post it "as is" and maybe it will be useful for someone playing with IDA.

It's a console (cmd) application that takes a 2Mb MED9 flash readout, parses it for ECUID and TKMWL and prints out the info it found.

EDIT:
Uploaded a new version!
Had to zip it up due to some weird upload bug (was telling me that upload folder is full).


Title: Re: MED9info tool (very basic version)
Post by: Khendal on November 19, 2017, 04:18:38 PM
Just tried... really thanks ;)


Title: Re: MED9info tool (very basic version)
Post by: vwaudiguy on November 19, 2017, 04:50:02 PM
Thanks for sharing!


Title: Re: MED9info tool (very basic version)
Post by: nubcake on December 10, 2017, 03:04:47 PM
Rolled out a new version. Now 20% more vars! Included some important ones that were missing (like ps_w, etc).
Will eventually get to writing a bit more complicated analysis logic, but for now this will do. Let me know if you find some weirdness.

Did a couple of tests on the available A2L bins - and everything seems to be working as expected. The only known bug is with dual-ECU systems: in those upwg_cw can be picked up as upwg_w, but that essentially doesn't matter, so I didn't bother to fix it. :D


Title: Re: MED9info tool (very basic version)
Post by: IamwhoIam on December 11, 2017, 04:32:22 AM
Awesome job!!! nmot_w would be helpful, as well as zwout and zwoutakt... thanks for making this tool, I'm loving it already!


Title: Re: MED9info tool (very basic version)
Post by: nubcake on December 11, 2017, 05:23:00 PM
> Awesome job!!! nmot_w would be helpful, as well as zwout and zwoutakt... thanks for making this tool, I'm loving it already!

nmot_w is not included in TKMWL for whatever reason, hence it would require additional code to look specifically for it. However, shouldn't be too hard and will add a lot of convenience, so I'll probably get it done soon'ish. In the meantime you can look for writes to "nmot" in IDA - and nmot_w will be just before one of them. I'd show a picture, but forum won't let me upload. :)


Title: Re: MED9info tool (very basic version)
Post by: HelperD on December 11, 2017, 05:32:01 PM
Great share!

If I can help find common markers for you to id more variables please don't hesitate to reach out to me :)

Christian


Title: Re: MED9info tool (very basic version)
Post by: gt-innovation on December 12, 2017, 04:25:38 AM
> nmot_w is not included in TKMWL for whatever reason, hence it would require additional code to look specifically for it. However, shouldn't be too hard and will add a lot of convenience, so I'll probably get it done soon'ish. In the meantime you can look for writes to "nmot" in IDA - and nmot_w will be just before one of them. I'd show a picture, but forum won't let me upload. :)

In my tool I found and used this string from the beginning of the file:

39 61 00 00 94 21 FF E8 7C 08 02 A6 4B FF 8F 39

The next 4 bytes after this string are 100% nmot_w in all 2.0l TFSI files.


Title: Re: MED9info tool (very basic version)
Post by: Praga on December 12, 2017, 06:38:43 AM
Great share !!

Thank you


Title: Re: MED9info tool (very basic version)
Post by: focalpoint519 on December 13, 2017, 07:38:18 AM
Thank you good sir !  :)


Title: Re: MED9info tool (very basic version)
Post by: superglitch on December 13, 2017, 11:51:42 AM
This is pretty awesome.  Care to share source code on how you were able to do this?


Title: Re: MED9info tool (very basic version)
Post by: bram380 on January 02, 2018, 10:58:04 AM
Thank you.

Happy new year !!!


Title: Re: MED9info tool (very basic version)
Post by: nubcake on January 18, 2018, 05:46:15 PM
> This is pretty awesome. Care to share source code on how you were able to do this?

Sorry, no source.
But it's rather primitive. Check FR for documented TKMWL structure. Find out how it's handled in the binary. Code some "hex pattern search". BAM! :)
Same goes for ECUID structure parsing.

I was too lazy to implement proper analysis logic for all the "sub-functions" to cover more vars (or some "conditional" vars), but like mentioned, at some point will probably get to it.

Note that it's only supposed to work for VAG ECUs, since other ME(D)9s will use their own tester communication routines.
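
The byte-signature lookup gt-innovation describes, and the "hex pattern search" mentioned in the post above, as an added example that is not code from any poster or from MED9info. The function names and the sample image are made up for illustration, the `??` wildcard goes beyond the fixed string in the thread, and reading the four bytes as one big-endian value is an assumption.

```python
import re

# Byte string quoted in the thread. "??" marks a wildcard byte (IDA-style).
NMOT_W_SIG = "39 61 00 00 94 21 FF E8 7C 08 02 A6 4B FF 8F 39"


def compile_sig(sig):
    """Turn 'AA BB ?? CC' into a bytes regex; the lookahead keeps overlapping hits."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in sig.split()]
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def value_after(image, sig, size=4):
    """Return (offset, raw bytes, big-endian int) of the bytes after a unique hit."""
    hits = [m.start() for m in compile_sig(sig).finditer(image)]
    if len(hits) != 1:
        # Zero hits: signature absent from this image. Several: ambiguous, so refuse.
        raise LookupError(f"expected exactly 1 match, found {len(hits)}")
    start = hits[0] + len(sig.split())
    raw = image[start:start + size]
    if len(raw) != size:
        raise LookupError("signature sits too close to the end of the image")
    # Assumption: the value is read big-endian (PowerPC byte order).
    return start, raw, int.from_bytes(raw, "big")


def build_sample_image(size=0x2000, at=0x1234, tail=bytes.fromhex("00801234")):
    """Constructed image: 0xFF fill, one signature hit, four made-up bytes after it."""
    img = bytearray(b"\xFF" * size)
    blob = bytes.fromhex(NMOT_W_SIG) + tail
    img[at:at + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    off, raw, val = value_after(build_sample_image(), NMOT_W_SIG)
    print(f"bytes at 0x{off:06X}: {raw.hex()} (0x{val:08X})")
```

Requiring exactly one hit matters on a real readout: a signature that matches twice would otherwise silently return whichever address came first.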


Title: Re: MED9info tool (very basic version)
Post by: MyTunes on October 07, 2019, 03:45:28 PM
Thank you for this!

Did I miss the med9 logger somewhere?
That would be very helpful


Title: Re: MED9info tool (very basic version)
Post by: 360trev on November 11, 2019, 04:38:38 AM
> Sorry, no source.
> But it's rather primitive. Check FR for documented TKMWL structure. Find out how it's handled in the binary. Code some "hex pattern search". BAM! :)
> Same goes for ECUID structure parsing.
>
> I was too lazy to implement proper analysis logic for all the "sub-functions" to cover more vars (or some "conditional" vars), but like mentioned, at some point will probably get to it.
>
> Note that it's only supposed to work for VAG ECUs, since other ME(D)9s will use their own tester communication routines.

Seriously, why not publish the source? I don't really understand this position. After all I am sure you've learned a lot from here and this place is all about learning, sharing with like-minded people so they in turn can learn from you. If you're only willing to donate binaries it diminishes value considerably.

I strongly urge you to re-consider as there are no major secrets in what you've done, it's neat but it's such a small piece of code (must be less than a couple of thousand lines); it's got to be at the stage of being a great learning tool for some...


Title: Re: MED9info tool (very basic version)
Post by: 360trev on November 11, 2019, 05:58:57 AM
> This is pretty awesome. Care to share source code on how you were able to do this?

Oh sod it.. just spent 15 mins and built an 'equivalent' of this tool. Cannot be bothered to 'beg' people...

I will develop an MED9 disassembler soon and add it to the project so you can also see exactly what's going on with better understanding...

Git repo is here..
https://github.com/360trev/MED9inf.git

I've NOT added the code to walk the table and extract the variables. I've left that as an exercise for the reader so they can tax their brain cells a little. I have extracted the signatures from cake's tool and added them into the project so it should be cakewalk for someone to finish it now...

Enjoy

Trev


Title: Re: MED9info tool (very basic version)
Post by: nyet on November 11, 2019, 08:26:46 AM
> Oh sod it.. just spent 15 mins and built an 'equivalent' of this tool. Cannot be bothered to 'beg' people...

grin


Title: Re: MED9info tool (very basic version)
Post by: 360trev on November 11, 2019, 01:41:52 PM
If anyone wants the version which generates all the variables PM me and I will upload it...

I just thought it might be useful to start simple and then work up to doing that, a sort of challenge for those interested.

It basically just walks the tables in the ROM and extracts the addresses and size of the variables then adds labels to the ones we are interested in. One could easily make the variables a text file that's loaded in so it could be edited to extend it for all the ones yet to be labelled up. Looks like only a couple of hundred are labelled from a couple of thousand possible entries.