NefMoto

Technical => Reverse Engineering => Topic started by: 360trev on September 06, 2018, 05:04:36 AM



Title: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on September 06, 2018, 05:04:36 AM
Ok guys...

I present to you the first (beta) of useful code showing how to do all kinds of things with ME7 ROMs. The aim is that you will eventually need NO OTHER tools to analyse an ME7 ROM (commercial or otherwise).
It's starting to be possible to do so much that it's easier to call it a swiss army knife tool for ME7 ROMs. :)

I've just done a first cut of the map finder. It's very rough (but simple code!) at the moment, but I will expand this to pretty much be able to identify ALL MAPs automatically AND label them. I can do this (unlike some commercial software!) because of the unique way this tool approaches it. It's very good at finding them in ROMs I have never even seen before but derived from the same code base.

Q. So how does it work?
The idea is we directly search for 'masked signatures' in the ROM, in the machine code sub-routines which ACCESS the maps.

Q. What are masked signatures?

They are snippets of ROM code with all of the relocation and segment address information removed. We do this since this is essentially what changes with recompilation and across different ROMs. By removing what changes we get a powerful way to identify sub-routines independent of the actual ROM file version.

So if the ROM accesses the maps, for example, we can find that specific generic code and then work back from there. After matching it (ignoring all of the relocation and segments) we extract the actual segment information and then recalculate the physical addresses from the segments, then mask those addresses to reveal the byte offset from the start of the ROM! We can then use this offset to dump the maps... It's a very powerful method because of the way we mask the code. The approach of masking all segment and relocation information out of the signatures means it works on any ME7x ROM file compiled for the C167x CPU and works right across a huge number of ROM variants.

Right now the first version of the map finder is just showing X-axis tables (the entire set of ROM tables will come shortly and then we can easily match them too!)... But of course it's quite simple to make this work for ALL the ROM resident tables, and then we can start to identify the sub-routines with further signature bytes and automatically label all of those tables too.

...This is a far better way than 'guessing' the maps knowing they reside within a certain range in the ROM (as some even commercial tools do). This guarantees you're actually looking at real tables.

Development wise, the next step is to push the table start addresses into a hash table to make it easy to de-duplicate them, so you don't find calls to the lookups to the same tables (happens occasionally since we are walking through the ROM code and literally picking up ALL of the accesses to the tables).

Hope this makes sense. It's called ME7RomTool_Ferrari (since that's my main focus), however be assured it does work with many, many variants I've been continuing to download and test it with...

https://github.com/360trev/ME7RomTool_Ferrari (https://github.com/360trev/ME7RomTool_Ferrari)
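As an added illustration (written for this page; it is not code from ME7RomTool or from the poster), here is the masked-signature approach in Python: a needle with wildcard bytes is matched against a constructed 512 KiB image, the DPP page numbers are pulled out of the bootstrap block, and a map reference found at a call site is turned into a file offset by page * 0x4000 + offset, masked to the ROM size. The DPP bootstrap encoding (E6 0n imm16) and the mov Rn,#imm16 / calls encodings come from the disassembly posted later in this thread; the call-site signature, the image contents and the axis-table layout (count byte followed by 8-bit points) are assumptions made for the example.

```python
"""Masked-signature scan of a C16x ROM image plus DPP page address resolution.

Added example for this thread, not code from ME7RomTool. The ROM image below is
constructed: only the instruction encodings used in the signatures (E6 0n imm16 =
mov DPPn,#imm16; E6 Fn imm16 = mov Rn,#imm16; DA = calls) are taken from the
disassembly posted later in the thread. The map-access call-site signature is an
illustration, not the tool's real needle.
"""
import struct

PAGE_SIZE = 0x4000          # one DPP page is 16 KiB on the C16x
PAGE_MASK = PAGE_SIZE - 1


def parse_signature(text):
    """'E6 00 ?? ?? E6 01' -> (needle, mask); '??' is a wildcard byte."""
    needle, mask = bytearray(), bytearray()
    for tok in text.split():
        wildcard = tok == "??"
        needle.append(0 if wildcard else int(tok, 16))
        mask.append(0x00 if wildcard else 0xFF)
    if mask[0] != 0xFF:
        raise ValueError("first signature byte must be fixed (used to skip ahead)")
    return bytes(needle), bytes(mask)


def scan(rom, needle, mask):
    """Yield every file offset at which rom matches needle under mask."""
    n = len(needle)
    off = rom.find(needle[:1])
    while off != -1 and off + n <= len(rom):
        if all((rom[off + i] & mask[i]) == needle[i] for i in range(n)):
            yield off
        off = rom.find(needle[:1], off + 1)


def page_to_phys(page, off16):
    """Physical address from a DPP page number and a 14-bit in-page offset."""
    return page * PAGE_SIZE + (off16 & PAGE_MASK)


def direct_to_phys(addr16, dpp):
    """A 16-bit direct address selects DPP0..3 with its top two bits."""
    return page_to_phys(dpp[addr16 >> 14], addr16)


def phys_to_file_offset(phys, rom_size):
    """Assumes the ROM is mapped at an address aligned to its own size (e.g. 0x800000)."""
    return phys & (rom_size - 1)


# bootstrap block "mov DPP0..DPP3, #imm16" with the page numbers masked out
DPP_SIG = parse_signature("E6 00 ?? ?? E6 01 ?? ?? E6 02 ?? ?? E6 03 ?? ??")
# constructed call-site shape: offset into r4, page into r5, then calls the lookup
MAP_SIG = parse_signature("E6 F4 ?? ?? E6 F5 ?? ?? DA ?? ?? ??")


def find_dpp(rom):
    """Return [dpp0, dpp1, dpp2, dpp3] from the first bootstrap match, or None."""
    for off in scan(rom, *DPP_SIG):
        return [struct.unpack_from("<H", rom, off + 2 + 4 * i)[0] for i in range(4)]
    return None


def find_map_refs(rom):
    """Map file offset -> (page, off16, first call site); duplicate accesses collapse."""
    refs = {}
    for site in scan(rom, *MAP_SIG):
        off16 = struct.unpack_from("<H", rom, site + 2)[0]
        page = struct.unpack_from("<H", rom, site + 6)[0]
        foff = phys_to_file_offset(page_to_phys(page, off16), len(rom))
        refs.setdefault(foff, (page, off16, site))
    return refs


def read_axis(rom, foff):
    """Assumed axis layout for the constructed image: count byte, then 8-bit points."""
    n = rom[foff]
    return list(rom[foff + 1:foff + 1 + n])


def build_rom():
    """Constructed 512 KiB image: bootstrap at 0x64a6, two call sites, one axis table."""
    rom = bytearray(0x80000)
    rom[0x64A6:0x64B6] = bytes.fromhex("E6 00 00 00 E6 01 05 02 E6 02 E0 00 E6 03 03 00")
    site = bytes.fromhex("E6 F4 41 05 E6 F5 06 02 DA 00 90 60")   # r4=0x0541, r5=0x0206
    rom[0x4AB40:0x4AB40 + len(site)] = site
    rom[0x4AB60:0x4AB60 + len(site)] = site                      # second access, same table
    rom[0x18541:0x18548] = bytes([6, 0x00, 0x14, 0x40, 0x45, 0x51, 0x64])
    return rom


if __name__ == "__main__":
    rom = build_rom()
    dpp = find_dpp(rom)
    print("dpp:", [f"{p:#06x} -> {page_to_phys(p, 0):#08x}" for p in dpp])
    for foff, (page, off16, site) in sorted(find_map_refs(rom).items()):
        print(f"call site {site:#x}: page {page:#x} off {off16:#x} -> file offset {foff:#x}",
              read_axis(rom, foff))
```

With the constructed image the page/offset pair 0x206/0x541 resolves to 0x818541 and, masked to the 512 KiB size, to file offset 0x18541, which is the same arithmetic as the KFAGK line in the next post; the dictionary keyed on file offset is the de-duplication step mentioned above.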


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on September 06, 2018, 05:06:38 AM
Here's an example of it identifying KFAGK (Exhaust Flap changeover table)...


-[ Exhaust Valve KFAGK Table ]---------------------------------------------------------------------

>>> Scanning for KFAGK Table #1 Checking sub-routine [manages exhaust valve/flap opening]
Found at offset=0x4ab40 (seg:0x206 phy:0x818000 val:0x541)

KFAGK table: Characteristic map for exhaust flap changeover
KFAGK table: 0x00018541 (file-offset)
KFAGK table: X-Axis:  6 Rows : % of Throttle Applied.
KFAGK table: Y-Axis: 10 Rows : RPM before Opening occurs.

        0.00%   20.25%  63.75%  69.00%  81.00%  99.75%
        [1]---- [2]---- [3]---- [4]---- [5]---- [6]----
         0       0       0       0       0       0      [ 1] : 800   rpm
         0       0       0       0       0       0      [ 2] : 1000  rpm
         0       0       0       0       0       0      [ 3] : 2520  rpm
         0       0       1       1       1       1      [ 4] : 2720  rpm
         0       0       1       2       2       2      [ 5] : 2920  rpm
         0       0       1       2       2       2      [ 6] : 3720  rpm
         0       0       1       2       2       2      [ 7] : 3920  rpm
         0       0       1       2       2       2      [ 8] : 5000  rpm
         0       0       1       2       2       2      [ 9] : 6000  rpm
         0       0       1       2       2       2      [10] : 9000  rpm




Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on September 06, 2018, 05:08:49 AM
and here's the generic map (X-Axis only for now!) finder in action on the same Ferrari 360 rom file...


-[ Generic X-Axis MAP Table Scanner! ]---------------------------------------------------------------------

>>> Scanning for Map Tables #1 Checking sub-routine [map finder!]

[Map #1] X-Axis Map function found at: offset=0x33eb0 phy:0x1805f, file-offset=0x18060 x-axis=8
        14 19 26 32 3e 4b 58 64

[Map #2] X-Axis Map function found at: offset=0x3fc36 phy:0x18074, file-offset=0x18075 x-axis=5
        40 4d 5b 68 76

[Map #3] X-Axis Map function found at: offset=0x441da phy:0x1810c, file-offset=0x1810d x-axis=16
        14 1e 28 32 3c 46 50 5a 64 6e 78 82 8c 94 9b a3

[Map #4] X-Axis Map function found at: offset=0x441f2 phy:0x18137, file-offset=0x18138 x-axis=4
        34 5d 85 ad

[Map #5] X-Axis Map function found at: offset=0x44434 phy:0x181bc, file-offset=0x181bd x-axis=6
        00 02 14 1e 28 3c

[Map #6] X-Axis Map function found at: offset=0x44482 phy:0x180d5, file-offset=0x180d6 x-axis=8
        0d 19 26 32 4b 64 7d 96

[Map #7] X-Axis Map function found at: offset=0x444ca phy:0x180c0, file-offset=0x180c1 x-axis=5
        23 28 2d 32 37

[Map #8] X-Axis Map function found at: offset=0x444e2 phy:0x180a3, file-offset=0x180a4 x-axis=5
        08 0d 11 18 20

[Map #9] X-Axis Map function found at: offset=0x4452e phy:0x181c3, file-offset=0x181c4 x-axis=8
        1e 3c 5a 78 96 b4 d2 f0

[Map #10] X-Axis Map function found at: offset=0x44546 phy:0x180de, file-offset=0x180df x-axis=8
        26 32 4b 58 64 7d 8a 96

[Map #11] X-Axis Map function found at: offset=0x44576 phy:0x1811d, file-offset=0x1811e x-axis=16
        26 2c 32 38 3f 45 4b 51 58 64 6a 71 76 8a 96 a3

[Map #12] X-Axis Map function found at: offset=0x4458e phy:0x18161, file-offset=0x18162 x-axis=8
        33 40 54 61 90 9d b8 c5

[Map #13] X-Axis Map function found at: offset=0x445c6 phy:0x181e2, file-offset=0x181e3 x-axis=8
        00 03 06 09 0c 0f 12 15

[Map #14] X-Axis Map function found at: offset=0x445de phy:0x181eb, file-offset=0x181ec x-axis=8
        00 03 06 09 0c 0f 12 15

[Map #15] X-Axis Map function found at: offset=0x446aa phy:0x180fb, file-offset=0x180fc x-axis=16
        10 15 19 1f 26 2c 32 38 3f 45 4b 58 64 71 7d 96

[Map #16] X-Axis Map function found at: offset=0x446c2 phy:0x1813c, file-offset=0x1813d x-axis=8
        0a 14 1e 32 46 50 64 78

[Map #17] X-Axis Map function found at: offset=0x446f6 phy:0x180b7, file-offset=0x180b8 x-axis=8
        03 05 08 14 1e 32 50 64

[Map #18] X-Axis Map function found at: offset=0x4470e phy:0x180e7, file-offset=0x180e8 x-axis=8
        14 19 32 3c 4b 64 7d 96

[Map #19] X-Axis Map function found at: offset=0x44726 phy:0x180f0, file-offset=0x180f1 x-axis=10
        0f 16 1e 25 2d 37 41 50 64 82

[Map #20] X-Axis Map function found at: offset=0x4473e phy:0x18080, file-offset=0x18081 x-axis=10
        0a 17 29 40 54 6b 80 a4 cd ff

[Map #21] X-Axis Map function found at: offset=0x44756 phy:0x180a9, file-offset=0x180aa x-axis=6
        05 0d 19 32 64 c8

[Map #22] X-Axis Map function found at: offset=0x4476e phy:0x18092, file-offset=0x18093 x-axis=5
        59 73 80 8c a7

[Map #23] X-Axis Map function found at: offset=0x44786 phy:0x1816f, file-offset=0x18170 x-axis=4
        25 4d 68 ab

[Map #24] X-Axis Map function found at: offset=0x4479e phy:0x1810c, file-offset=0x1810d x-axis=16
        14 1e 28 32 3c 46 50 5a 64 6e 78 82 8c 94 9b a3

[Map #25] X-Axis Map function found at: offset=0x447b6 phy:0x18137, file-offset=0x18138 x-axis=4
        34 5d 85 ad

[Map #26] X-Axis Map function found at: offset=0x447ce phy:0x1e288, file-offset=0x1e289 x-axis=4
        00 1b 00 2f

[Map #27] X-Axis Map function found at: offset=0x447e6 phy:0x180cd, file-offset=0x180ce x-axis=7
        14 1e 2d 3c 50 64 7d

[Map #28] X-Axis Map function found at: offset=0x44816 phy:0x1819a, file-offset=0x1819b x-axis=9
        18 33 40 4d 61 75 90 ab c5

[Map #29] X-Axis Map function found at: offset=0x44868 phy:0x18181, file-offset=0x18182 x-axis=6
        0b 25 40 5b 90 b8

[Map #30] X-Axis Map function found at: offset=0x44880 phy:0x18191, file-offset=0x18192 x-axis=8
        0b 25 33 40 4d 5b 90 b8

[Map #31] X-Axis Map function found at: offset=0x448d8 phy:0x1817a, file-offset=0x1817b x-axis=6
        11 25 40 5b 75 ab

[Map #32] X-Axis Map function found at: offset=0x44978 phy:0x180b0, file-offset=0x180b1 x-axis=6
        02 19 32 4b 64 7d

[Map #33] X-Axis Map function found at: offset=0x44ec6 phy:0x1e382, file-offset=0x1e383 x-axis=4
        00 25 00 40

[Map #34] X-Axis Map function found at: offset=0x48aa2 phy:0x1eb26, file-offset=0x1eb27 x-axis=4
        00 2b 00 2c

... cut ... cut ...

[Map #80] X-Axis Map function found at: offset=0x7f510 phy:0x19d2e, file-offset=0x19d2f x-axis=10
        0a 14 1e 28 32 46 5a 78 96 f0

[Map #81] X-Axis Map function found at: offset=0x81ecc phy:0x23fd6, file-offset=0x23fd7 x-axis=4
        00 00 00 04
No match found



Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: prj on September 06, 2018, 05:11:37 AM
That's pretty cool, but I did this like 6 years ago: http://nefariousmotorsports.com/forum/index.php?topic=2703.0 (http://nefariousmotorsports.com/forum/index.php?topic=2703.0)

Just saying :p


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on September 06, 2018, 05:17:24 AM
That's pretty cool, but I did this like 6 years ago: http://nefariousmotorsports.com/forum/index.php?topic=2703.0 (http://nefariousmotorsports.com/forum/index.php?topic=2703.0)

Just saying :p

Hello prj, I know sir, you're a guru on here ;) ...The aim here is a bit different...
I'm going to make it possible to extract and re-insert changed maps and automatically recalc sums. So it's trivial to swap maps from one ROM to another or make changes and repatch them in with no extra tools... I will do a GUI frontend to 'control' this...

Did I mention it does summing too and works with multiple variants of signatures including support for 1Mb files too?



-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
main rom dppX byte sequence #1 found at offset=0x246.

dpp0: (seg: 0x0004 phy:0x00010000)
dpp1: (seg: 0x0005 phy:0x00014000)
dpp2: (seg: 0x00c0 phy:0x00300000) ram start address
dpp2: (seg: 0x0003 phy:0x0000c000) cpu registers

Note: dpp3 is always 3, otherwise accessing CPU register area not possible



-[ Main-Rom Checksum Analysis ]----------------------------------------------------------

>>> Scanning for Main ROM Checksum sub-routine #1 [to extract number of entries in table]
main checksum byte sequence #1 found at offset=0xbfb82.
Found #3 Regional Block Entries in table

>>> Scanning for Main ROM Checksum sub-routine #2 [to extract Start/End regions]
main checksum byte sequence #2 found at offset=0xbfb46.

Main Region Block #1:
        lo:0x293b4.W hi:0x293b6.W (seg: 0xa phy:0x293b4) : 0xc000
        lo:0x293b8.W hi:0x293ba.W (seg: 0xa phy:0x293b8) : 0xdfff sum=43d88af ~sum=fbc27750 : acc_sum=0
Main Region Block #2:
        lo:0x293bc.W hi:0x293be.W (seg: 0xa phy:0x293bc) : 0x10900
        lo:0x293c0.W hi:0x293c2.W (seg: 0xa phy:0x293c0) : 0x1f7ff sum=1b08c4eb ~sum=e4f73b14 : acc_sum=43d88af
Main Region Block #3:
        lo:0x293c4.W hi:0x293c6.W (seg: 0xa phy:0x293c4) : 0x1fc00
        lo:0x293c8.W hi:0x293ca.W (seg: 0xa phy:0x293c8) : 0xcffff sum=5279cec5 ~sum=ad86313a : acc_sum=1f464d9a

Final Main ROM Checksum calculation:  0x71c01c5f (after 3 rounds)
Final Main ROM Checksum calculation: ~0x8e3fe3a0


>>> Scanning for Main ROM Checksum sub-routine #3 variant #A [to extract stored checksums and locations in ROM]
main checksum byte sequence #3 block found at offset=0xbfbee.

Stored Main ROM Block Checksum:
        lo:0xffff0.W hi:0xffff2.W (seg: 0x3f phy:0xffff0) : 0x71c01c5f
Stored Main ROM Block ~Checksum:
        lo:0xffff4.W hi:0xffff6.W (seg: 0x3f phy:0xffff4) : 0x8e3fe3a0

MAIN STORED ROM  CHECKSUM: 0x71c01c5f ? 0x71c01c5f : OK!         ~CHECKSUM: 0x8e3fe3a0 ? 0x8e3fe3a0 : OK!


-[ Multipoint Checksum Analysis ]--------------------------------------------------------

>>> Scanning for Multipoint Checksum sub-routine #1 Variant A [to extract number entries in stored checksum list in ROM]
Found at offset=0xbe32a.
Found #48 Multipoint Entries in table

>>> Scanning for Multipoint Checksum sub-routine #2 Variant A [to extract address of stored checksum list location in ROM]
Found at offset=0xbe5ac.

Multipoint Block #01 of #48:
        lo:0x1f800.L (seg: 0x7 phy:0x1f800) : Start:   seg:0x0 phy:0x00000000 (offset: 0x00000000)
        lo:0x1f804.L (seg: 0x7 phy:0x1f804) :  End:    seg:0x0 phy:0x000001ff (offset: 0x000001ff)
        lo:0x1f808.L (seg: 0x7 phy:0x1f808) :  Block Checksum: 0x00407600 :  Calculated: 0x00407600 OK
        lo:0x1f80c.L (seg: 0x7 phy:0x1f80c) : ~Block Checksum: 0xffbf89ff : ~Calculated: 0xffbf89ff OK
Multipoint Block #02 of #48:
        lo:0x1f810.L (seg: 0x7 phy:0x1f810) : Start:   seg:0x0 phy:0x00000000 (offset: 0x00000000)
        lo:0x1f814.L (seg: 0x7 phy:0x1f814) :  End:    seg:0x0 phy:0x000001ff (offset: 0x000001ff)
        lo:0x1f818.L (seg: 0x7 phy:0x1f818) :  Block Checksum: 0x00407600 :  Calculated: 0x00407600 OK
        lo:0x1f81c.L (seg: 0x7 phy:0x1f81c) : ~Block Checksum: 0xffbf89ff : ~Calculated: 0xffbf89ff OK
Multipoint Block #03 of #48:
        lo:0x1f820.L (seg: 0x7 phy:0x1f820) : Start:   seg:0x2 phy:0x00008000 (offset: 0x00008000)
        lo:0x1f824.L (seg: 0x7 phy:0x1f824) :  End:    seg:0x2 phy:0x0000bfff (offset: 0x0000bfff)
        lo:0x1f828.L (seg: 0x7 phy:0x1f828) :  Block Checksum: 0x0da78c5f :  Calculated: 0x0da78c5f OK
        lo:0x1f82c.L (seg: 0x7 phy:0x1f82c) : ~Block Checksum: 0xf25873a0 : ~Calculated: 0xf25873a0 OK
Multipoint Block #04 of #48:
        lo:0x1f830.L (seg: 0x7 phy:0x1f830) : Start:   seg:0x3 phy:0x0000c000 (offset: 0x0000c000)
        lo:0x1f834.L (seg: 0x7 phy:0x1f834) :  End:    seg:0x3 phy:0x0000dfff (offset: 0x0000dfff)
        lo:0x1f838.L (seg: 0x7 phy:0x1f838) :  Block Checksum: 0x043d88af :  Calculated: 0x043d88af OK
        lo:0x1f83c.L (seg: 0x7 phy:0x1f83c) : ~Block Checksum: 0xfbc27750 : ~Calculated: 0xfbc27750 OK
Multipoint Block #05 of #48:
        lo:0x1f840.L (seg: 0x7 phy:0x1f840) : Start:   seg:0x4 phy:0x00010900 (offset: 0x00010900)
        lo:0x1f844.L (seg: 0x7 phy:0x1f844) :  End:    seg:0x4 phy:0x00013fff (offset: 0x00013fff)
        lo:0x1f848.L (seg: 0x7 phy:0x1f848) :  Block Checksum: 0x07e64140 :  Calculated: 0x07e64140 OK
        lo:0x1f84c.L (seg: 0x7 phy:0x1f84c) : ~Block Checksum: 0xf819bebf : ~Calculated: 0xf819bebf OK
Multipoint Block #06 of #48:
        lo:0x1f850.L (seg: 0x7 phy:0x1f850) : Start:   seg:0x5 phy:0x00014000 (offset: 0x00014000)
        lo:0x1f854.L (seg: 0x7 phy:0x1f854) :  End:    seg:0x5 phy:0x00017f67 (offset: 0x00017f67)
        lo:0x1f858.L (seg: 0x7 phy:0x1f858) :  Block Checksum: 0x082369b2 :  Calculated: 0x082369b2 OK
        lo:0x1f85c.L (seg: 0x7 phy:0x1f85c) : ~Block Checksum: 0xf7dc964d : ~Calculated: 0xf7dc964d OK
... cut...
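An added example (written for this page, not ME7RomTool or ME7Sum code) that reproduces the structure of the dump above: per-region sums accumulated into the main ROM checksum with its complement, multipoint entries of start.L, end.L, sum.L, ~sum.L verified and, as the checksum-correction feature mentioned above would need, rewritten after an edit. The summation itself (32-bit wrap-around sum of little-endian 16-bit words over an inclusive range) and the use of the table's start/end values directly as file offsets are assumptions; the ROM image is constructed.

```python
"""Main-ROM and multipoint checksum verification/correction modelled on the dump above.

Added example for this thread, not ME7RomTool or ME7Sum code. Assumptions: the
checksum is the 32-bit wrap-around sum of little-endian 16-bit words over an
inclusive [lo, hi] range, the stored ~sum is the bitwise complement, region bounds
in the multipoint table are used directly as file offsets (as in the dump, where
offset == phy), and each multipoint entry is start.L, end.L, sum.L, ~sum.L.
The ROM image built below is constructed.
"""
import struct

MASK32 = 0xFFFFFFFF


def complement(x):
    return ~x & MASK32


def sum_region(rom, lo, hi):
    """32-bit sum of 16-bit LE words from file offset lo to hi inclusive."""
    if hi < lo or (hi - lo + 1) % 2 or hi >= len(rom):
        raise ValueError(f"bad region {lo:#x}-{hi:#x}")
    total = 0
    for (w,) in struct.iter_unpack("<H", rom[lo:hi + 1]):
        total = (total + w) & MASK32
    return total


def main_rom_checksum(rom, regions):
    """Accumulate per-region sums as the ECU does; returns (final, ~final, rows)."""
    acc, rows = 0, []
    for lo, hi in regions:
        s = sum_region(rom, lo, hi)
        rows.append({"lo": lo, "hi": hi, "sum": s, "inv": complement(s), "acc_before": acc})
        acc = (acc + s) & MASK32
    return acc, complement(acc), rows


def read_multipoint(rom, table_off, count):
    return [struct.unpack_from("<IIII", rom, table_off + 16 * i) for i in range(count)]


def verify_multipoint(rom, table_off, count):
    """One result per block: (start, end, stored, calculated, ok)."""
    out = []
    for start, end, stored, stored_inv in read_multipoint(rom, table_off, count):
        calc = sum_region(rom, start, end)
        ok = calc == stored and stored_inv == complement(stored)
        out.append((start, end, stored, calc, ok))
    return out


def correct_multipoint(rom, table_off, count):
    """Rewrite every stale stored sum/~sum in place; returns the number of entries changed."""
    changed = 0
    for i, (start, end, stored, stored_inv) in enumerate(read_multipoint(rom, table_off, count)):
        calc = sum_region(rom, start, end)
        if (stored, stored_inv) != (calc, complement(calc)):
            struct.pack_into("<II", rom, table_off + 16 * i + 8, calc, complement(calc))
            changed += 1
    return changed


MP_TABLE = 0x1800                                  # table lies outside both summed regions
MP_REGIONS = [(0x0000, 0x01FF), (0x0800, 0x0FFF)]


def build_rom():
    """Constructed 8 KiB image with deterministic filler and a self-consistent table."""
    rom = bytearray(0x2000)
    x = 12345
    for i in range(0x1000):                        # LCG filler so the sums are non-trivial
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        rom[i] = (x >> 16) & 0xFF
    for i, (lo, hi) in enumerate(MP_REGIONS):
        s = sum_region(rom, lo, hi)
        struct.pack_into("<IIII", rom, MP_TABLE + 16 * i, lo, hi, s, complement(s))
    return rom


if __name__ == "__main__":
    rom = build_rom()
    final, inv, rows = main_rom_checksum(rom, MP_REGIONS)
    for r in rows:
        print(f"{r['lo']:#07x}-{r['hi']:#07x} sum={r['sum']:08x} ~sum={r['inv']:08x} acc={r['acc_before']:08x}")
    print(f"final {final:08x} ~{inv:08x}")
    rom[0x100] ^= 0x01                             # simulate a map edit inside block 1
    print("after edit:", [ok for *_, ok in verify_multipoint(rom, MP_TABLE, 2)])
    print("corrected", correct_multipoint(rom, MP_TABLE, 2), "entries")
```

Note that a verification pass reporting OK only proves the table is self-consistent, which is all the ECU checks; it says nothing about whether the map data is what the manufacturer shipped. The figures in the dump above follow the same convention: 0x043d88af + 0x1b08c4eb + 0x5279cec5 wraps to 0x71c01c5f, and each ~sum is the bitwise complement of its sum.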



Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on September 06, 2018, 05:23:20 AM
That's pretty cool, but I did this like 6 years ago: http://nefariousmotorsports.com/forum/index.php?topic=2703.0 (http://nefariousmotorsports.com/forum/index.php?topic=2703.0)

Just saying :p

I think I'll update my signatures to support your signature format sometime soon, so both programs gain benefit from all the signatures I'm finding.... some are specific to Ferrari, for example...



Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: IamwhoIam on September 07, 2018, 05:57:58 AM
Wow, this looks good to me! A GUI would make it even more attractive!


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on September 07, 2018, 12:28:38 PM
Well, it's not really just a map finder... slightly misleading description. It's a

1. Checksum Corrector
2. Dppx Setting Locator
3. Map Locator
4. Map Changer
5. Seed Login Patcher

etc. with more and more features being added daily...

Yes, absolutely a GUI will be added soon (with full cell editing and graphs) as I get swapping of the most basic maps like KPED, etc. done.


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on September 07, 2018, 05:01:24 PM
For anyone tracking this project, I've just made some updates today to the automated map detection routines.
On 1 MB ROMs it's now detecting a large number of maps without individual signatures. With some more work it should be able to detect 100% of all maps automatically ;)

For example on the rom file "06A906032DS 0261207080 360930" it detects 115 maps...

e.g.;

--- cut --- cut

------------------------------------------------------------------
[Map #113] Multi Axis Map function found at: offset=0x95928

Table  : Identification not yet implemented (coming soon!)
X-Axis : 4 rows
Y-Axis : 4 rows


        [ 1 ]-- [ 2 ]-- [ 3 ]-- [ 4 ]--
         2626    2626    2626    2626   [ 1 ]
         2626    2626    2626    2626   [ 2 ]
         2626    2626    2626    2626   [ 3 ]
         2626    2626    404     755a   [ 4 ]


------------------------------------------------------------------
[Map #114] Multi Axis Map function found at: offset=0x99762

Table  : Identification not yet implemented (coming soon!)
X-Axis : 8 rows
Y-Axis : 5 rows


        [ 1 ]-- [ 2 ]-- [ 3 ]-- [ 4 ]-- [ 5 ]-- [ 6 ]-- [ 7 ]-- [ 8 ]--
         201     303     400     404     3       606     305     500    [ 1 ]
         404     304     600     506     3       505     305     500    [ 2 ]
         606     305     500     505     3       505     305     100    [ 3 ]
         505     305     500     505     3       201     303     100    [ 4 ]
         505     305     100     302     3       201     303     100    [ 5 ]


------------------------------------------------------------------
[Map #115] Multi Axis Map function found at: offset=0x99bf0

Table  : Identification not yet implemented (coming soon!)
X-Axis : 3 rows
Y-Axis : 8 rows


        [ 1 ]-- [ 2 ]-- [ 3 ]--
         2000    2000    2000   [ 1 ]
         2000    2000    2000   [ 2 ]
         2900    2600    2300   [ 3 ]
         2100    2000    2000   [ 4 ]
         2580    2380    2280   [ 5 ]
         2000    2000    2000   [ 6 ]
         10c     3219    644b   [ 7 ]
         c8af    fae1    ff     [ 8 ]


--- cut --- cut



Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: JTY on September 08, 2018, 04:57:55 AM
Very good work, compiled nicely on my Linux car computer.
Tried all the functions with a Porsche ME7.1 bin and it seems to work.
Only seedkey did not find anything.


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on September 13, 2018, 01:58:47 PM
If you ever wanted to know how to extract the ECU identification information out of an ME7 ROM, be sure to take a git clone of the latest source code...

The latest version now supports this feature.

There is a lookup table in the ROM which defines a list containing the strings, so many people never even know they exist...


06                      vmecuhn_type:   db    6                 ; entry type, 6 = asciiz
0A                      vmecuhn_len:    db    0Ah
AE 01                   vmecuhn_val:    dw    VMECUHN           ; "185392.001"
04 02                   vmecuhn_seg:    dw    204h              ; segment

06                      ssecuhn_type:   db    6                 ; entry type, 6 = asciiz
0A                      ssecuhn_len:    db    0Ah
98 01                   ssecuhn_val:    dw    SSECUHN           ; "0261204841"
04 02                   ssecuhn_seg:    dw    204h


So if you're looking to resolve these strings back to the map area, take a look at the code, as they don't seem to be referenced anywhere else except indirectly via this table.

Have fun ;)
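An added example for this page (not ME7RomTool code) that walks the table sketched above: each entry is type, length, 16-bit offset and 16-bit page; the pointer is resolved with page * 0x4000 + offset masked to the ROM size, and the string length is checked against the table's length byte, which is the quickest way to notice that a signature has matched the wrong table. The entry count is passed in rather than guessed, the image is constructed (1 MiB, so that page 0x204 lands at file offset 0x10000 as in the 1 Mb example earlier in the thread), and the two strings and their offsets are the ones shown in the listing.

```python
"""Walk the ME7 ECU-identification string table sketched above and resolve its
page:offset pointers to file offsets.

Added example for this thread, not ME7RomTool code. Entry layout follows the listing
(type byte, length byte, 16-bit offset, 16-bit page; type 6 = NUL-terminated string).
The number of entries is passed in rather than guessed, and the 1 MiB image is
constructed with the ROM assumed mapped 0x800000-aligned, so page 0x204 lands at
file offset 0x10000.
"""
import struct

PAGE_SIZE = 0x4000
TYPE_ASCIIZ = 6
ENTRY = struct.Struct("<BBHH")   # type, len, offset16, page


def page_to_file_offset(page, off16, rom_size):
    """page * 16 KiB + offset, masked to the ROM size (ROM assumed size-aligned)."""
    return (page * PAGE_SIZE + (off16 & (PAGE_SIZE - 1))) & (rom_size - 1)


def read_asciiz(rom, foff, max_len=64):
    end = rom.find(b"\0", foff, foff + max_len + 1)
    if end == -1:
        raise ValueError(f"no terminator within {max_len} bytes of {foff:#x}")
    return rom[foff:end].decode("ascii")


def parse_id_table(rom, table_off, count):
    """Return [(index, type, file_offset, value)]; raise on a length mismatch,
    which is the usual sign that the wrong table was matched."""
    rows = []
    for i in range(count):
        etype, elen, off16, page = ENTRY.unpack_from(rom, table_off + ENTRY.size * i)
        foff = page_to_file_offset(page, off16, len(rom))
        if etype == TYPE_ASCIIZ:
            text = read_asciiz(rom, foff)
            if len(text) != elen:
                raise ValueError(f"entry {i + 1}: table says {elen} bytes, string is {len(text)}")
            rows.append((i + 1, etype, foff, text))
        else:
            rows.append((i + 1, etype, foff, None))   # other entry types not decoded here
    return rows


TABLE_OFF = 0x19B90     # table offset printed by the tool later in the thread


def build_rom():
    """Constructed 1 MiB image carrying the two entries shown in the listing."""
    rom = bytearray(0x100000)
    strings = {0x101AE: b"185392.001", 0x10198: b"0261204841"}
    for foff, s in strings.items():
        rom[foff:foff + len(s) + 1] = s + b"\0"
    ENTRY.pack_into(rom, TABLE_OFF, TYPE_ASCIIZ, 10, 0x01AE, 0x204)
    ENTRY.pack_into(rom, TABLE_OFF + ENTRY.size, TYPE_ASCIIZ, 10, 0x0198, 0x204)
    return rom


if __name__ == "__main__":
    for idx, etype, foff, text in parse_id_table(build_rom(), TABLE_OFF, 2):
        print(f"Idx={idx} type={etype} {foff:#07x} {text!r}")
```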


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: player on September 22, 2018, 06:01:50 AM
wow. really nice work


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: nyet on September 22, 2018, 09:44:04 AM
Request: drop in replacement for ME7Info that can be used directly with ME7Logger


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on September 23, 2018, 12:16:14 PM
Request: drop in replacement for ME7Info that can be used directly with ME7Logger

Actually I've just been exploring this a bit and I can definitely do it.

I was also thinking of extending the ME7Bosch IDA plugin now that Andrew's released the source-code on Github (did you know?)

Here it is if you didn't....
https://github.com/AndyWhittaker/IDAProBoschMe7x

I could literally update it to take a special output file from my ME7RomTool to automatically name all of the functions and variables... thoughts?


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: nyet on September 23, 2018, 05:21:54 PM
Actually I've just been exploring this a bit and I can definately do it.

If you do, can you make sure these extras and torque vars are detected, along with the others already in ME7Info?

https://github.com/nyetwurk/ME7L/tree/master/ecus


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on September 24, 2018, 03:38:42 AM
Thanks Nyet,

I haven't done enough research on it yet, but why are people referring to absolute addresses in the external RAM range (which is a hardware configuration and NOT the same across all ME7 hardware)?
Some of the different ME7 ECU variants (Volvo, Fiat, Lancia etc.) for example don't use the same base addressing for their external RAM layout.

Take for instance .. 2001.5 Audi S4 8D0907551M 0261207143(1).bin

Code:
Opening '2001.5 Audi S4 8D0907551M 0261207143(1).bin' file
Succeded loading file.

Loaded ROM: Tool in 1Mb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
main rom dppX byte sequence #1 found at offset=0xdc08.

dpp0: (seg: 0x0204 phy:0x00810000)
dpp1: (seg: 0x0205 phy:0x00814000)
dpp2: (seg: 0x00e0 phy:0x00380000) ram start address
dpp3: (seg: 0x0003 phy:0x0000c000) cpu registers

It has the 0x380000 base address for RAM

vs VOLVO S60R_AUT 2.5L B5254T4 300HP NoCarPartNo 0261208289 30684626A.bin

Code:
Opening 'VOLVO S60R_AUT 2.5L B5254T4 300HP NoCarPartNo 0261208289 30684626A.bin' file
Succeded loading file.

Loaded ROM: Tool in 1Mb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
main rom dppX byte sequence #1 found at offset=0x246.

dpp0: (seg: 0x0004 phy:0x00010000)
dpp1: (seg: 0x0005 phy:0x00014000)
dpp2: (seg: 0x00c0 phy:0x00300000) ram start address
dpp3: (seg: 0x0003 phy:0x0000c000) cpu registers

In this case it actually starts at 0x300000 instead...

Why therefore do we hardcode the BASE ADDRESS to $380000?

... when actually the value is determined by the project setup and the configuration of the DPP2 segment register's contents in the initial bootstrap.

If we search the ROM bootstrap itself (which is how my ME7RomTool does it), it's quite easy to work out the external RAM address by then taking the segment value and multiplying it by a page size of 16 Kbytes (0x4000), which funnily enough is exactly how all of the 16-bit opcodes in the machine code refer to the locations, indirectly from the DPP2 register. This affords higher compatibility than hardcoding as we do it today and would yield compatibility with 1 MB ROMs and many other vehicle manufacturers like Fiat, etc.; then we could just save relative offsets from the DPP2 base address rather than directly referencing the direct base address.

Like I said, I haven't yet checked if doing this would mean all the RAM defines would line up on different memory maps. However, really it's far better to search for the needles to known functions and pull out all of the RAM variables automatically, thus having certainty that the correct addresses are used.

Thoughts?
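An added example (written for this page; not ME7Logger, ME7Info or ME7L code) of the DPP2-relative scheme proposed above: absolute external-RAM addresses recorded under the Audi 0x380000 base are reduced to offsets within the DPP2 page and re-expanded under the Volvo 0x300000 base, with an address outside that page rejected rather than silently rebased. The 'name = 0xADDR' definition lines are a constructed format, not the ME7L ecu-file syntax; the variable names and addresses are hypothetical; and it is assumed that the RAM reached through DPP2 is the single 16 KiB page at dpp2 * 0x4000 (on the C16x, 16-bit direct addresses 0x8000-0xBFFF select DPP2 through bits 15:14).

```python
"""Express logger variable addresses relative to DPP2 and rebase them between ECUs.

Added example for this thread; not ME7Logger, ME7Info or ME7L code. The
'name = 0x...' definition lines are a constructed format, not the real ME7L ecu-file
syntax. Assumes, as in the DPPx dumps above, that the external RAM the code reaches
through DPP2 is the 16 KiB page at dpp2 * 0x4000 and that 16-bit direct addresses
0x8000-0xBFFF route through DPP2 (the C16x selects DPP0-3 with address bits 15:14).
"""
PAGE_SIZE = 0x4000
DPP2_SELECT = 0x8000            # bits 15:14 == 10b -> DPP2

AUDI_DPP2 = 0x00E0              # 0x380000, from the 8D0907551M dump above
VOLVO_DPP2 = 0x00C0             # 0x300000, from the S60R dump above


def abs_to_relative(addr, dpp2):
    """Offset inside the DPP2 page; raises if addr is not reachable through DPP2."""
    base = dpp2 * PAGE_SIZE
    if not base <= addr < base + PAGE_SIZE:
        raise ValueError(f"{addr:#08x} outside DPP2 page {base:#08x}-{base + PAGE_SIZE - 1:#08x}")
    return addr - base


def relative_to_abs(rel, dpp2):
    return dpp2 * PAGE_SIZE + rel


def relative_to_direct16(rel):
    """The 16-bit address a C16x instruction encodes for this variable."""
    return DPP2_SELECT | (rel & (PAGE_SIZE - 1))


def parse_definitions(text):
    """Constructed format: one 'name = 0xADDR' per line, '#' comments allowed."""
    defs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, value = line.partition("=")
        defs[name.strip()] = int(value.strip(), 16)
    return defs


def rebase(defs, src_dpp2, dst_dpp2):
    """Return (rebased {name: addr}, [names that could not be rebased])."""
    rebased, skipped = {}, []
    for name, addr in defs.items():
        try:
            rebased[name] = relative_to_abs(abs_to_relative(addr, src_dpp2), dst_dpp2)
        except ValueError:
            skipped.append(name)
    return rebased, skipped


# constructed sample: hypothetical variables, addresses under the 0x380000 base
SAMPLE_DEFS = """
var_rpm   = 0x380C42   # hypothetical name and address
var_load  = 0x3811A0   # hypothetical
var_other = 0x3C0010   # hypothetical, deliberately outside the DPP2 page
"""

if __name__ == "__main__":
    defs = parse_definitions(SAMPLE_DEFS)
    moved, skipped = rebase(defs, AUDI_DPP2, VOLVO_DPP2)
    for name, addr in moved.items():
        rel = abs_to_relative(addr, VOLVO_DPP2)
        print(f"{name:10s} {defs[name]:#08x} -> {addr:#08x} "
              f"(rel {rel:#06x}, opcode addr {relative_to_direct16(rel):#06x})")
    print("not rebased:", skipped)
```

The rejected entry is the point of the check: a definition that is not inside the DPP2 page of the source ECU was not reached through DPP2 by the code, so rebasing it by the DPP2 delta would produce a plausible-looking but wrong address.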


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: nyet on September 24, 2018, 08:04:30 AM
No reason other than historic. But we don't have the source to ME7L to change it to accept a base and an offset for each location, so at minimum the absolute addresses will have to be added before generating ME7L ecu files.

Alternately, we do have enough info to build an entire logger from scratch, but it is unlikely enough people are around to do the work.

IMO that is the only thing you're up against right now...


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: pc1010 on October 17, 2018, 01:04:48 PM
Are there any plans to add support for the 832KB file size of ST10-based ME7 variants? That would be the first software to offer that ;)


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on October 22, 2018, 01:48:09 AM
Send me some links to a few ROMs (and ideally a definitions file of some locations to get me started) and I can take a look. What vehicles are you talking about, btw?

Oh, and the latest update now includes a first cut (80% done) C16x disassembler built in (as always, full sources included on the GitHub)...


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: pectel on October 22, 2018, 03:23:07 PM
Hiya, new here :)
Trying to get this tool to work, but it just flashes fast and vanishes :)
Trying to find a function in a BMW X5 ECU.


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: nyet on October 22, 2018, 06:38:06 PM
Hiya, new here :)
Trying to get this tool to work, but it just flashes fast and vanishes :)
Trying to find a function in a BMW X5 ECU.

It's a command line program.


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on October 23, 2018, 08:09:27 AM
Hiya, new here :)
Trying to get this tool to work, but it just flashes fast and vanishes :)
Trying to find a function in a BMW X5 ECU.

As Nyet stated, the core functions run from the command line today during initial development. I will build it with a full-featured GUI at a later date. For now you need to use it from the command line. I'm currently in the process of making the disassembler fully featured so that it can also help identify variables in the disassembly listings (i.e. support for segments), plus completion of the last few unsupported commands. This is significant as I will parse the entire ROM during initial loading in preparation for function discovery followed by variable discovery. I can then generate XDFs, DAMOS, etc., basically whatever format I wish...





Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on October 23, 2018, 08:13:58 AM
For instance...

me7romtool.exe -romfile LEFT_Eddie_2004_360Spider_EU.bin -seedkey -diss

Code:
Ferrari 360 ME7.3H4 Rom Tool. *BETA TEST* Last Built: Oct 17 2018 12:51:49 v1.6
by 360trev.  Needle lookup function borrowed from nyet (Thanks man!) from
the ME7sum tool development (see github).

..Now fixed and working on 64-bit hosts, Linux, Apple and Android devices ;)

Opening 'LEFT_Eddie_2004_360Spider_EU.bin' file
Succeded loading file.

Loaded ROM: Tool in 512Kb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
0x000064A6: (+0  )  E6 00 00 00                  mov      DPP0, #0
0x000064AA: (+4  )  E6 01 05 02                  mov      DPP1, #0205h
0x000064AE: (+8  )  E6 02 E0 00                  mov      DPP2, #00E0h
0x000064B2: (+12 )  E6 03 03 00                  mov      DPP3, #3
***

main rom dppX byte sequence #1 found at offset=0x64a6.

dpp0: (seg: 0x0000 phy:0x00000000)
dpp1: (seg: 0x0205 phy:0x00814000)
dpp2: (seg: 0x00e0 phy:0x00380000) ram start address
dpp3: (seg: 0x0003 phy:0x0000c000) cpu registers

Note: dpp3 is always 3, otherwise accessing CPU register area not possible

-[ Basic Firmware information ]-----------------------------------------------------------------

>>> Scanning for ROM String Table Byte Sequence #1 [info]

found needle at offset=0x2e75e
found table at offset=00019B90.

0x0002E75E: (+0  )  F6 F4 42 E2                  mov      word_E242, r4
0x0002E762: (+4  )  F6 F5 44 E2                  mov      word_E244, r5
0x0002E766: (+8  )  9A 23 05 E0                  jnb      word_FD46.14, loc_2E774

0x0002E76A: (+12 )  E7 F8 11 00                  movb     rl4, #0011h
0x0002E76E: (+16 )  F7 F8 0A E2                  movb     byte_E20A, rl4
0x0002E772: (+20 )  0D 04                        jmpr     cc_UC, loc_2E77C

0x0002E774: (+22 )  E7 F8 14 00                  movb     rl4, #0014h
0x0002E778: (+26 )  F7 F8 0A E2                  movb     byte_E20A, rl4
0x0002E77C: (+30 )  E6 F4 22 E9                  mov      r4, #E922h
0x0002E780: (+34 )  E6 F5 82 00                  mov      r5, #0082h
0x0002E784: (+38 )  F6 F4 32 E2                  mov      word_E232, r4
0x0002E788: (+42 )  F6 F5 34 E2                  mov      word_E234, r5
0x0002E78C: (+46 )  DB 00                        rets

0x0002E78E: (+48 )  88 60                        mov      [-r0], r6
0x0002E790: (+50 )  E6 F4 86 2B                  mov      r4, #2B86h
0x0002E794: (+54 )  E6 F5 00 00                  mov      r5, #0
0x0002E798: (+58 )  F6 F4 B2 E1                  mov      word_E1B2, r4
***
Idx=1   { 185392.001              } 0x101ae : VMECUHN [Vehicle Manufacturer ECU Hardware Number SKU]
Idx=2   { 0261204841              } 0x10198 : SSECUHN [Bosch Hardware Number]
Idx=4   { 0000000000              } 0x101a3 : SSECUSN [Bosch Serial Number]
Idx=6   { F131 EU 3 c.m.          } 0x10184 : EROTAN  [Model Description]
Idx=8   { R.BOSCH001              } 0x19b84 : TESTID
Idx=10  { 069117/15L501M2         } 0x10174 : DIF
Idx=11  { 0691175H                } 0x1016b : BRIF

>>> Scanning for EPK information [info]

found needle at offset=0x27902.
EPK: @ 0x10029 { /1/ME7.3/69/117/F131_US//15l50sm2/080501/ }

-[ SeedKey Security Access ]-------------------------------------------------------------

>>> Scanning for SecurityAccessBypass() Variant #1 Checking sub-routine [allow any login seed to pass]
Found at offset=0x4746. Patch at +(0x5d) +93, 0x04 (ret=0, login failed) goes to 0x14 (ret=1, login success)
0x00004746: (+0  )  88 C0                        mov      [-r0], r12
0x00004748: (+2  )  88 90                        mov      [-r0], r9
0x0000474A: (+4  )  88 80                        mov      [-r0], r8
0x0000474C: (+6  )  88 70                        mov      [-r0], r7
0x0000474E: (+8  )  88 60                        mov      [-r0], r6
0x00004750: (+10 )  F0 7D                        mov      r7, r13
0x00004752: (+12 )  F0 8E                        mov      r8, r14
0x00004754: (+14 )  F0 9F                        mov      r9, r15
0x00004756: (+16 )  07 FE 23 00                  addb     rl7, #0023h
0x0000475A: (+20 )  47 FE 23 00                  cmpb     rl7, #0023h
0x0000475E: (+24 )  9D 02                        jmpr     cc_NC, loc_4764

0x00004760: (+26 )  E7 FE FF 00                  movb     rl7, #00FFh
0x00004764: (+30 )  E1 0C                        movb     rl6, #0
0x00004766: (+32 )  0D 12                        jmpr     cc_UC, loc_478C

0x00004768: (+34 )  46 F9 00 80                  cmp      r9, #8000h
0x0000476C: (+38 )  3D 01                        jmpr     cc_NZ, loc_4770

0x0000476E: (+40 )  48 80                        cmp      r8, #0
0x00004770: (+42 )  8D 0A                        jmpr     cc_C, loc_4786

0x00004772: (+44 )  F4 80 08 00                  movb     rl4, [r0+8]
0x00004776: (+48 )  C0 8C                        movbz    r12, rl4
0x00004778: (+50 )  F0 D8                        mov      r13, r8
0x0000477A: (+52 )  F0 E9                        mov      r14, r9
0x0000477C: (+54 )  DA 00 90 60                  calls    0h, loc_6090

0x00004780: (+58 )  F0 84                        mov      r8, r4
0x00004782: (+60 )  F0 95                        mov      r9, r5
0x00004784: (+62 )  0D 02                        jmpr     cc_UC, loc_478A

0x00004786: (+64 )  00 88                        add      r8, r8
0x00004788: (+66 )  10 99                        addc     r9, r9
0x0000478A: (+68 )  09 C1                        addb     rl6, #1
0x0000478C: (+70 )  41 CE                        cmpb     rl6, rl7
0x0000478E: (+72 )  8D EC                        jmpr     cc_C, loc_4968

0x00004790: (+74 )  D4 40 0A 00                  mov      r4, [r0+0Ah]
0x00004794: (+78 )  D4 50 0C 00                  mov      r5, [r0+0Ch]
0x00004798: (+82 )  20 48                        sub      r4, r8
0x0000479A: (+84 )  30 59                        subc     r5, r9
0x0000479C: (+86 )  3D 02                        jmpr     cc_NZ, loc_47A2
0x0000479E: (+88 )  E0 14                        mov      r4, #1
0x000047A0: (+90 )  0D 01                        jmpr     cc_UC, loc_47A4

0x000047A2: (+92 )  E0 04                        mov      r4, #0
0x000047A4: (+94 )  98 60                        mov      r6, [r0+]
0x000047A6: (+96 )  98 70                        mov      r7, [r0+]
0x000047A8: (+98 )  98 80                        mov      r8, [r0+]
0x000047AA: (+100)  98 90                        mov      r9, [r0+]
0x000047AC: (+102)  08 02                        add      r0, #2
0x000047AE: (+104)  DB 00                        rets
... cut ... cut ...


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: pectel on October 24, 2018, 03:52:51 PM
Looks like I need to nerd up a bit  ;D
A lot easier just mapping these ECUs.

Need to learn fast about reverse engineering.
Good work guys  :)


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: nyet on October 24, 2018, 05:40:34 PM
Forget about learning anything about reverse engineering. Start with learning how command line programs work.


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: pectel on October 25, 2018, 03:27:20 AM
I'm trying :)


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on November 20, 2018, 10:09:36 AM
Just to inform people.

I'm still actively working on this and I can confirm it correctly performs checksum correction on F430 rom dumps as well as Maserati 4200 (which uses ME7.3.2) and a 1Mb rom file...

Another big update coming soon in which I will include a full diagnostics computer in a similar vein to the Ferrari SD2 but for free...


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: niijohnnie on January 14, 2019, 12:58:39 PM
Thank you 360trev for this great program. I am looking forward to being able to use it.
Currently I get a 'libgcc_s_dw2-1.dll not found'. Windows 10 64-bit. Attached error snip. Am I doing something wrong?


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: Blazius on January 14, 2019, 02:03:29 PM
Thank you 360trev for this great program. I am looking forward to being able to use it.
Currently I get a 'libgcc_s_dw2-1.dll not found'. Windows 10 64-bit. Attached error snip. Am I doing something wrong?

That DLL is a compiler DLL for MinGW. You don't have it, same as me. Solution is to download it separately: https://www.dll-files.com/download/e2ac23418781f632311513944edd0a4c/libgcc_s_dw2-1.dll.html?c=OXpGQkVkRVA0a1R5dUNTYzNDR0RWUT09

And put the dll file next to the exe :)


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: niijohnnie on January 15, 2019, 04:37:54 AM
That DLL is a compiler DLL for MinGW. You don't have it, same as me. Solution is to download it separately: https://www.dll-files.com/download/e2ac23418781f632311513944edd0a4c/libgcc_s_dw2-1.dll.html?c=OXpGQkVkRVA0a1R5dUNTYzNDR0RWUT09

And put the dll file next to the exe :)
Hahahahaa.... simple huh. Thanks. I will try it.

@Blazius... Thanks man. It worked.


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: Blazius on January 15, 2019, 06:41:43 AM
Hahahahaa.... simple huh. Thanks. I will try it.

@Blazius... Thanks man. It worked.

You are welcome :)


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: moodz on May 14, 2019, 03:00:07 PM
This is awesome work! You are a genius!
I'm more than happy to assist with the GUI (external of course).

Amazingly I just wrote a program to find maps in the 180HP VAG ME7.5 today, only to find this, which is just on another level.

Respect!



Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on June 12, 2019, 07:02:30 AM
I will be releasing a big update soon..

I have re-designed the way my search works now to be more like the way my custom disassembler works. This allows me to automatically mask out physical addresses for given instructions, etc. and therefore compare dumped functions between ECU dumps. This in turn allows rapid discovery of variables for the purposes of logging, etc.

Another big advantage is that I was able to ignore the differences between a 512Kbyte compiled function and a 1Mb compiled function, in that the extX (e.g. extp etc.) instructions used to get access to the larger address space can be ignored in both the needles and the rom code being searched through, as part of a 'fuzzy logic' based search. The net result is that even functions compiled for a 512Kbyte rom file can be discovered on a larger address space rom like a 1Mb one, without having to have unique signatures for each different variation just because a few differences existed due to the way the compiler addresses memory (short vs long memory model). I'm also going to do the same for a few other instructions too, meaning that it's technically possible in the future to define signatures based on higher level requirements, such as finding that a function used variables like 'nmot' and looked up some known table references. Based on this inference you can pretty much auto-discover a huge number of functions without requiring tonnes of signatures...

So yes, you could say this works really well!

Watch this space!
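The masked-signature search with extp skipping described in this post, written as an added Python example (not the tool's own code). Assumed here: the C16x opcode-length rule and the 0xD7/0xDC ext* opcodes, the DPP page arithmetic (page * 0x4000 + offset, then masked to the rom size), and the sample buffers, which are built from the two KFAGK listings posted below with constructed padding and a constructed trailing `F1 E8` for the F430 case.

```python
"""Fuzzy masked-signature search for C16x (ME7) code, as added example code."""
from dataclasses import dataclass
from typing import List, Optional

# Address-extension opcodes (extp/exts family) whose presence differs between
# the 512 KiB and 1 MiB memory models. Assumption: immediate form 0xD7,
# register form 0xDC.
EXT_OPCODES = {0xD7, 0xDC}


def insn_len(opcode: int) -> int:
    """Length in bytes of a C16x instruction from its opcode byte.

    Assumed rule: bit 1 of the opcode set (low nibble 2,3,6,7,A,B,E,F) means a
    4-byte instruction, otherwise 2 bytes; ret/rets/reti/retp are 2-byte
    exceptions."""
    if opcode in (0xCB, 0xDB, 0xFB, 0xEB):
        return 2
    return 4 if opcode & 0x02 else 2


@dataclass(frozen=True)
class Insn:
    """One needle instruction: pattern bytes plus a mask (0xFF = must match)."""
    pattern: bytes
    mask: bytes
    mnemonic: str

    @property
    def opcode(self) -> int:
        return self.pattern[0]


def sig(text: str, mnemonic: str) -> Insn:
    """Parse 'E6 XX XX XX' style text: XX is a masked (relocatable) byte."""
    toks = text.split()
    pattern = bytes(0 if t == "XX" else int(t, 16) for t in toks)
    mask = bytes(0x00 if t == "XX" else 0xFF for t in toks)
    return Insn(pattern, mask, mnemonic)


def match_at(buf: bytes, off: int, needle: List[Insn]) -> Optional[List[Optional[int]]]:
    """Match needle at buf[off:], skipping ext* opcodes present on one side only.

    Returns the buffer position of each needle instruction (None where the
    needle's ext* was skipped), or None on mismatch."""
    positions: List[Optional[int]] = []
    pos = off
    for n in needle:
        n_ext = n.opcode in EXT_OPCODES
        if n_ext and (pos >= len(buf) or buf[pos] not in EXT_OPCODES):
            positions.append(None)            # SKIP OPCODE IN NEEDLE
            continue
        while not n_ext and pos < len(buf) and buf[pos] in EXT_OPCODES:
            pos += insn_len(buf[pos])         # SKIP OPCODE IN BUFFER
        chunk = buf[pos:pos + len(n.pattern)]
        if len(chunk) < len(n.pattern):
            return None
        if any((c ^ p) & m for c, p, m in zip(chunk, n.pattern, n.mask)):
            return None
        positions.append(pos)
        pos += len(n.pattern)
    return positions


def find_all(buf: bytes, needle: List[Insn]) -> List[List[Optional[int]]]:
    """Scan every word-aligned offset (assumption: C16x code is 16-bit aligned)."""
    hits = []
    for off in range(0, len(buf), 2):
        positions = match_at(buf, off, needle)
        if positions is not None:
            hits.append(positions)
    return hits


def page_to_phys(page: int, offset: int) -> int:
    """C16x DPP paging: 16 KiB pages, so phys = page * 0x4000 + 14-bit offset."""
    return (page << 14) | (offset & 0x3FFF)


def file_offset(phys: int, rom_size: int) -> int:
    """Mask the physical address down to a byte offset inside the rom image."""
    return phys & (rom_size - 1)


def recover_map(buf: bytes, positions, rom_size: int) -> dict:
    """Read the #val (mov r12) and #seg (mov r13) immediates from a hit."""
    p_val, p_seg = positions[0], positions[1]
    val = int.from_bytes(buf[p_val + 2:p_val + 4], "little")
    seg = int.from_bytes(buf[p_seg + 2:p_seg + 4], "little")
    phys = page_to_phys(seg, val)
    return {"seg": seg, "val": val, "rom": phys,
            "file_offset": file_offset(phys, rom_size)}


# Needle taken from the 1 MiB (long memory model) listing, extp included.
NEEDLE = [sig("E6 XX XX XX", "mov"), sig("E6 XX XX XX", "mov"),
          sig("C2 XX XX XX", "movbz"), sig("D7 XX XX XX", "extp"),
          sig("C2 XX XX XX", "movbz"), sig("DA XX XX XX", "calls"),
          sig("F1 XX", "movb")]

# Constructed buffers: 4 bytes of padding, then the bytes of the two listings.
PAD = bytes.fromhex("8860DB00")
F430_CODE = PAD + bytes.fromhex("E6FC970B E6FD0602 C2FE74F2 D740E100 C2FF710A DA83DC46 F1E8")
F360_CODE = PAD + bytes.fromhex("E6FCEE08 E6FD0602 C2FE6CF8 C2FF658B DA82F49F F1E8")

if __name__ == "__main__":
    for name, code, size in (("F430", F430_CODE, 1 << 20), ("360", F360_CODE, 1 << 19)):
        for hit in find_all(code, NEEDLE):
            print(name, {k: hex(v) for k, v in recover_map(code, hit, size).items()})
```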



Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on June 12, 2019, 07:07:56 AM
E.g...

0x00067DD0:
  • E6 FC 970B ==  E6 XX 0000 ; mov       : ** MATCH [4] **
0x00067DD4:
  • E6 FD 0602 ==  E6 XX 0000 ; mov       : ** MATCH [4] **
0x00067DD8:
  • C2 FE 74F2 ==  C2 XX 0000 ; movbz     : ** MATCH [4] **
0x00067DDC:
  • D7 40 E100 ~~  C2 00 0000 ; extx  ... SKIP OPCODE IN NEEDLE
0x00067DE0:
  • C2 FF 710A ~~  C2 00 0000 ; extx  ... SKIP OPCODE IN BUFFER
0x00067DE0:
  • C2 FF 710A ==  C2 XX 0000 ; extx  ... : ** MATCH [4] **
0x00067DE4:
  • DA 83 DC46 ==  DA XX 0000 ; calls     : ** MATCH [4] **
0x00067DE8:
  • F1 XX       ==  F1 XX       ; movb      : ** MATCH [2] **
match #2 at offset 0x00067DD0 (0x2602df0)


0x00067DD0: (+0  )  E6 FC 97 0B                  mov      r12, #0B97h
0x00067DD4: (+4  )  E6 FD 06 02                  mov      r13, #0206h
0x00067DD8: (+8  )  C2 FE 74 F2                  movbz    r14, byte_F274
0x00067DDC: (+12 )  D7 40 E1 00                  extp     #00E1h, #1
0x00067DE0: (+16 )  C2 FF 71 0A                  movbz    r15, byte_A71
0x00067DE4: (+20 )  DA 83 DC 46                  calls    83h, loc_646DC
; ------------------------------------------------------------------------------

***
KFAGK      @ ROM:0x818b97 RAM:0x25b3bb7 File-Offset:0x18b97 (seg=0x0206 val=0x0B97)

KFAGK
    Long identifier:           Characteristic map for exhaust flap changeover.
    Display identifier:
    Address:                   0x818b97
    Value:

 No.           |        0        1        2        3        4        5        6        7        8        9
            PHY|   880.00   920.00  1000.00  3320.00  3400.00  4520.00  5840.00  5920.00  6000.00  9000.00
 --------------+------------------------------------------------------------------------------------------
  0         PHY|      0.0      0.0      0.0      0.0      0.0      0.0      0.0      1.0      2.0      2.0
  10        PHY|      0.0      0.0      0.0      0.0      0.0      0.0      0.0      1.0      2.0      2.0
  26        PHY|      0.0      0.0      0.0      0.0      1.0      1.0      1.0      1.0      2.0      2.0
  50        PHY|      0.0      0.0      0.0      0.0      1.0      2.0      2.0      2.0      2.0      2.0
  81        PHY|      0.0      0.0      0.0      0.0      1.0      2.0      2.0      2.0      2.0      2.0
  100       PHY|      0.0      0.0      0.0      0.0      1.0      2.0      2.0      2.0      2.0      2.0


    Cells:
      Unit:
      Conversion name:         rel_uw_b200
      Conversion formula:      f(phys) = 0.0 + 1.000000 * phys
      Data type:               UBYTE
    X-axis:
      Unit:                    Upm
      Conversion name:         nmot_ub_q40
      Conversion formula:      f(phys) = 0.0 + 0.025000 * phys
      Data type:               UBYTE
    Y-axis:
      Unit:                    %
      Conversion name:         rel_uw_q0p75
      Conversion formula:      f(phys) = 0.0 + 1.333333 * phys
      Data type:               UBYTE


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on June 12, 2019, 07:12:25 AM
vs ...

0x0004F0AE:
  • E6 FC EE08 ==  E6 XX 0000 ; mov       : ** MATCH [4] **
0x0004F0B2:
  • E6 FD 0602 ==  E6 XX 0000 ; mov       : ** MATCH [4] **
0x0004F0B6:
  • C2 FE 6CF8 ==  C2 XX 0000 ; movbz     : ** MATCH [4] **
0x0004F0BA:
  • C2 FF 658B ~~  C2 00 0000 ; movbz     SKIP OPCODE IN NEEDLE
0x0004F0BA:
  • C2 FF 658B ==  C2 XX 0000 ; movbz     : ** MATCH [4] **
0x0004F0BE:
  • DA 82 F49F ==  DA XX 0000 ; calls     : ** MATCH [4] **
0x0004F0C2:
  • F1 XX       ==  F1 XX       ; movb      : ** MATCH [2] **
match #4 at offset 0x0004F0AE (0x8d90ce)


0x0004F0AE: (+0  )  E6 FC EE 08                  mov      r12, #08EEh
0x0004F0B2: (+4  )  E6 FD 06 02                  mov      r13, #0206h
0x0004F0B6: (+8  )  C2 FE 6C F8                  movbz    r14, byte_F86C
0x0004F0BA: (+12 )  C2 FF 65 8B                  movbz    r15, byte_8B65
0x0004F0BE: (+16 )  DA 82 F4 9F                  calls    82h, loc_49FF4
; ------------------------------------------------------------------------------

0x0004F0C2: (+20 )  F1 E8                        movb     rl7, r14
***
KFAGK      @ ROM:0x8188ee RAM:0x8a290e File-Offset:0x188ee (seg=0x0206 val=0x08EE)

KFAGK
    Long identifier:           Characteristic map for exhaust flap changeover.
    Display identifier:
    Address:                   0x8188ee
    Value:

 No.           |        0        1        2        3        4        5        6        7        8        9       10       11       12       13
            PHY|   520.00  1000.00  1520.00  2000.00  3000.00  5120.00  5320.00  5520.00  6520.00  7520.00  8000.00  9000.00 10000.00 10200.00
 --------------+------------------------------------------------------------------------------------------------------------------------------
  0         PHY|      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0
  35        PHY|      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0
  40        PHY|      0.0      0.0      0.0      0.0      0.0      0.0      1.0      1.0      0.0      0.0      0.0      0.0      0.0      0.0
  47        PHY|      0.0      0.0      0.0      0.0      0.0      0.0      1.0      2.0      1.0      1.0      1.0      1.0      1.0      1.0
  50        PHY|      0.0      0.0      0.0      0.0      0.0      0.0      1.0      2.0      2.0      2.0      2.0      2.0      2.0      2.0
  100       PHY|      0.0      0.0      0.0      0.0      0.0      0.0      1.0      2.0      2.0      2.0      2.0      2.0      2.0      2.0


    Cells:
      Unit:
      Conversion name:         rel_uw_b200
      Conversion formula:      f(phys) = 0.0 + 1.000000 * phys
      Data type:               UBYTE
    X-axis:
      Unit:                    Upm
      Conversion name:         nmot_ub_q40
      Conversion formula:      f(phys) = 0.0 + 0.025000 * phys
      Data type:               UBYTE
    Y-axis:
      Unit:                    %
      Conversion name:         rel_uw_q0p75
      Conversion formula:      f(phys) = 0.0 + 1.333333 * phys
      Data type:               UBYTE

Fuzzy Matches <4>


Both are matched, yet the code is different: the first (from a Ferrari F430) was discovered as well as the one above (from a Ferrari 360), yet the 360 used a different version of the ECU on a 1Mb rom and the 360 a 512Kbyte rom.


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on June 12, 2019, 07:23:26 AM
And tonnes of new features too, like the ability to auto-analyze, discover and decode the P-codes, error classes, etc. and then, from the table IDs, do a REVERSE LOOKUP and identify the functions (from the direct lookup calls to the DTC functions!)... This is neat, as you find all of the functions in one go rather than having to manually do a lot of work... :)


-[ Find Errorclass (Ferrari Diagnostic P-Codes) ]-----------------

>>> Scanning for Errorclass Lookup code sequence - Variant #1...

found needle at offset=0x38892
CDTAAA     @ ROM:0x8135dc RAM:0x8745fc File-Offset:0x135dc (seg=0x0204 val=0x35DC)
CDKAAA     @ ROM:0x8133ec RAM:0x87440c File-Offset:0x133ec (seg=0x0204 val=0x33EC)

Skip Offset 1984
Number of CARB Table Entries: 124
ErrorClass Table Start: ROM:0x812C2C

Num Entries = 124
                     -----[ LH Bank 1 ]-----    -----[ RH Bank 2 ]-----
                     min   max   sig   npl      min   max   sig   npl
0x00 [000]      AAA: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : Dummy Table Start [DFPM_DFPM]
0x01 [001]      AAV: P1462,P1462,P1462,P1462    P0449,P0449,P0449,P0449 : Activated Carbon Filter Shut-Off Valve (Function) [DFPM_DTESK]
0x02 [002]     AAVE: P0000,P0000,P0000,P0000    P0446,P0448,P0447,P0000 : Activated Carbon Filter Shut-Off Valve (Power Amplifier) [DFPM_DEKON]
0x03 [003]     AGKE: P1461,P1461,P1461,P1461    P1448,P1448,P1448,P1448 : Exhaust Bypass Valves [DFPM_DEKON]
0x04 [004]     AGRE: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : (Unsupported) Monitoring EGR Power Amplifier [DFPM_DUMMY_D]
0x05 [005]     AGRF: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : (Unsupported) Monitoring AGR-FLOW [DFPM_DUMMY_D]
0x06 [006]       BM: P0000,P0000,P0000,P0386    P0000,P0000,P0000,P0336 : Engine Revolution Sensing [DFPM_DDG]
0x07 [007]    BREMS: P1569,P1569,P1569,P1569    P0571,P0571,P0571,P0571 : Brake Pedal Encoder [DFPM_GGEGAS]
0x08 [008]      BWF: P0000,P0000,P0000,P0000    P1639,P1639,P1639,P1639 : PWG Movement [DFPM_GGPED]
0x09 [009]      CAS: P1631,P1631,P1631,P1631    P1626,P1626,P1626,P1626 : CAN Interface: Timeout Anti-Slip Control (ABS/ASR ECU) [DFPM_DCAS]
0x0A [010]     CINS: P1675,P1675,P1675,P1675    P1674,P1674,P1674,P1674 : CAN Interface: Timeout Instrument (Dashboard ECU) [DFPM_DCINS]
0x0B [011]     CKUP: P1632,P1632,P1632,P1632    P1627,P1627,P1627,P1627 : CAN Interface: Timeout Electronic Clutch (TCU ECU) [DFPM_DCKUP]
0x0C [012]       DK: P0223,P0222,P0220,P0221    P0123,P0122,P0120,P0121 : DK - Throttle Body Potentiometer [DFPM_DDVE]
0x0D [013]     DK1P: P1190,P1191,P1192,P1192    P1173,P1172,P1170,P1170 : DK - Throttle Body 1. Poti [DFPM_DDVE]
0x0E [014]     DK2P: P1193,P1194,P1195,P1195    P1177,P1176,P1174,P1174 : DK - Throttle Body 2. Poti [DFPM_DDVE]
0x0F [015]      DPL: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : (Unsupported) Continuous plus [DFPM_DUMMY_D]
0x10 [016]      DSS: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : (Unsupported) Suction Pipe Pressure Sensor [DFPM_DUMMY_D]
0x11 [017]      DST: P0000,P0000,P0000,P0000    P0453,P0452,P0451,P0450 : Pressure Sensor Tank [DFPM_DDST]
0x12 [018]     DVEE: P1167,P1167,P1167,P1167    P1184,P1184,P1184,P1184 : DV-E Power Amplifier [DFPM_DDVE]
0x13 [019]     DVEF: P1163,P1163,P1163,P1163    P1180,P1180,P1180,P1180 : DV-E Feather Check Error [DFPM_DDVE]
0x14 [020]    DVEFO: P1162,P1162,P1162,P1162    P1179,P1179,P1179,P1179 : DV-E Return Spring Failure [DFPM_DDVE]
0x15 [021]     DVEL: P1171,P1171,P1171,P1171    P1185,P1185,P1185,P1185 : DV-E Position Deviation [DFPM_DDVE]
0x16 [022]     DVEN: P1164,P1164,P1164,P1164    P1181,P1181,P1181,P1181 : DV-E Error Checking Emergency Air Position [DFPM_DDVE]
0x17 [023]     DVER: P1175,P1175,P1175,P1175    P1186,P1186,P1186,P1186 : DV-E Control Range [DFPM_DDVE]
0x18 [024]     DVET: P1161,P1161,P1161,P1161    P1178,P1178,P1178,P1178 : DV-E Error Undefined [DFPM_DDVE]
0x19 [025]     DVEU: P1165,P1165,P1165,P1165    P1182,P1182,P1182,P1182 : DV-E Errors in UMA Learning [DFPM_DDVE]
0x1A [026]    DVEUB: P1196,P1196,P1196,P1196    P1187,P1187,P1187,P1187 : DV-E Errors in Motor Driven Throttle [DFPM_DDVE]
0x1B [027]    DVEUW: P1197,P1197,P1197,P1197    P1188,P1188,P1188,P1188 : DV-E Errors Undefined [DFPM_DDVE]
0x1C [028]     DVEV: P1166,P1166,P1166,P1166    P1183,P1183,P1183,P1183 : DV-E Amplifier Matching Error [DFPM_DDVE]
0x1D [029]     EGFE: P1148,P1148,P1148,P1148    P1145,P1145,P1145,P1145 : Load Detection [DFPM_EGFE]
0x1E [030]    EPCLE: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : Driving Behavior Error Lamp (Power Amplifier) [DFPM_DEKON]
0x1F [031]     ETSE: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : Electric Thermostat Power Amplifier [DFPM_DEKON]
0x20 [032]      EV1: P1217,P1229,P1241,P1205    P1213,P1225,P1237,P1201 : EV by Cylinder 1 [DFPM_DEKON]
0x21 [033]      EV2: P1218,P1230,P1242,P1206    P1214,P1226,P1238,P1202 : EV by Cylinder 2 [DFPM_DEKON]
0x22 [034]      EV3: P1219,P1231,P1243,P1207    P1215,P1227,P1239,P1203 : EV by Cylinder 3 [DFPM_DEKON]
0x23 [035]      EV4: P1220,P1232,P1244,P1208    P1216,P1228,P1240,P1204 : EV by Cylinder 4 [DFPM_DEKON]
0x24 [036]     FP1P: P0000,P0000,P0000,P0000    P1146,P1147,P1147,P1149 : Throttle Pedal Poti 1 [DFPM_GGPED]
0x25 [037]     FP2P: P0000,P0000,P0000,P0000    P1150,P1151,P1151,P1153 : Throttle Pedal Poti 2 [DFPM_GGPED]
0x26 [038]      FPP: P0000,P0000,P0000,P0000    P1189,P1189,P1189,P1189 : Gas Pedal [DFPM_GGPED]
0x27 [039]     FRAO: P1158,P1157,P1157,P1157    P1156,P1155,P1155,P1155 : LR-Adaption Upper Multiplicative [DFPM_DKVS]
0x28 [040]     FRAU: P1154,P1152,P1152,P1152    P1160,P1159,P1159,P1159 : LR Adaption Lower Multiplicative [DFPM_DKVS]
0x29 [041]     FRST: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : LR Deviation [DFPM_DKVS]
0x2A [042]     GRBH: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : GRA Control Lever Error [DFPM_GGFGRH]
0x2B [043]      HSH: P0000,P0000,P0000,P1113    P0000,P0000,P0000,P1144 : Lambda Probe Heater Behind Catalyst [DFPM_DHLSHK]
0x2C [044]     HSHE: P1110,P1121,P1122,P0000    P1105,P1117,P1118,P0000 : Power amplifier heating probe behind cat. [DFPM_DEKON]
0x2D [045]      HSV: P1107,P1119,P1120,P1114    P1102,P1115,P1116,P1103 : Lambda Probe Heating Before Catalyst [DFPM_DHLSU]
0x2E [046]     HSV2: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : Lambda probe heater in front of catalyst; (Bank2) [DFPM_DHLSU]
0x2F [047]    HSVSA: P1198,P1198,P1198,P1198    P1135,P1135,P1135,P1135 : Lambda Probe Heating Before Catalyst [DFPM_DHLSU]
0x30 [048]   HSVSA2: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : Lambda Probe Heating 2 before Catalyst [DFPM_DHLSU]
0x31 [049]      KAS: P1454,P1454,P1454,P1454    P1446,P1446,P1446,P1446 : Catalyst Protection Active [DFPM_SAK]
0x32 [050]      KAT: P0432,P0432,P0432,P0432    P0422,P0422,P0422,P0422 : Catalyst Efficiency [DFPM_DKAT]
0x33 [051]     KATT: P1449,P1449,P1449,P1449    P1445,P1445,P1445,P1445 : Catalyst Temperature [DFPM_DTKAT]
0x34 [052]     KOSE: P0000,P0000,P0000,P0000    P1456,P1457,P1455,P1455 : Air Conditioning Compressor Control Power Amplifier [DFPM_DEKON]
0x35 [053]      KPE: P1505,P1504,P1506,P1503    P1502,P1501,P1541,P1500 : EKP relay power amplifier [DFPM_DEKON]
0x36 [054]     KRNT: P1387,P1387,P1387,P1387    P1386,P1386,P1386,P1386 : Knock Control Null Test [DFPM_DKRNT]
0x37 [055]     KROF: P1390,P1390,P1390,P1390    P1388,P1388,P1388,P1388 : Knock Control Offset [DFPM_DKRNT]
0x38 [056]     KRTP: P1394,P1394,P1394,P1394    P1393,P1393,P1393,P1393 : Knock Control Test Pulses [DFPM_DKRTP]
0x39 [057]      KS1: P1384,P1383,P1384,P1384    P0328,P0327,P0325,P0326 : Knock Sensor 1 [DFPM_DKRS]
0x3A [058]      KS2: P1385,P1382,P1385,P1385    P0333,P0332,P0330,P0331 : Knock Sensor 2 [DFPM_DKRS]
0x3B [059]      KS3: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : Knock Sensor 3 [DFPM_DKRS]
0x3C [060]      KS4: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : Knock Sensor 4 [DFPM_DKRS]
0x3D [061]     LASH: P0159,P0159,P0159,P0159    P0139,P0139,P0139,P0139 : Lambda Probe aging behind cat. [DFPM_DLSAHK]
0x3E [062]     LATP: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : (Unsupported) Lambda Probe Aging TP [DFPM_DUMMY_D]
0x3F [063]     LATV: P0000,P0000,P0000,P0000    P0000,P0000,P0000,P0000 : (Unsupported) Lambda Probe Aging TV [DFPM_DUMMY_D]
.. cut .. cut ... cut

 


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: nyet on June 12, 2019, 08:38:57 AM
AWESOME! good work! Any idea if autodetecting ESKONF is possible? (i.e. correlate it with the various inputs/output on the ECU?)


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: Blazius on June 12, 2019, 09:02:11 AM
AWESOME! good work! Any idea if autodetecting ESKONF is possible? (i.e. correlate it with the various inputs/output on the ECU?)

That's amazing. BTW, n156 is not in ESKONF via FR, is it? I need to code it out but I don't know which pair it is :D


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on June 12, 2019, 01:35:17 PM
AWESOME! good work! Any idea if autodetecting ESKONF is possible? (i.e. correlate it with the various inputs/output on the ECU?)

Yes ESKONF is entirely possible to detect and I already support it!

... however the meanings to decode it are specific to a vehicle model, so quite how you'd interpret and visualize that is challenging to understand; config files perhaps?

Here's the way it works on the Ferrari 360 version of ME7 Swiss Army Knife..

Code:
-[ ESKONF Configuration of power stage (actuators) ]-----------------------------
                                                                                
>>> Scanning for ESKONF Lookup code sequence...                                  
                                                                                
found needle at offset=0x55da2                                                  
                                                                                
 1. Configuration of output stages                                              
 =================================                                              
 The configuration is made with the Label ESKONF_R (right bank) & ESKONF_L (left
                                                                                
 Every byte is standing for 4 output stages. Therefore every output stage has got
 configuration Bits.                                                            
                                                                                
 Enable of the output stages diagnosis                                          
 -------------------------------------                                          
 With the configurations-Bytes in ESKONF the functions have to be set active / in
 on the available components in the car. At the same time with the 2 Bits the fun
 diagnosis is set.                                                              
                                                                                
 Assignment of the Bit pattern:                                                  
 ------------------------------                                                  
 00  Diagnosis active with OBDII-malfunction storage with test of healing        
 01  Diagnosis active without OBDII-malfunction storage with test of healing    
 10  Diagnosis active without OBDII-fault memory without test of healing (EKP)  
 11  Diagnosis not active                                                        
                                                                                
                                                                                
ESKONF_L @ ADR:0x810acd (offset 0x10acd) - Left Bank Configuration              
----------+----------------------------------------------------------------------
[i] Hex   |           Bit                                                        
          | 76     54     32     10                                              
----------+----------------------------------------------------------------------
          | EV4    EV3    EV2    EV1                                            
[0] 0x00  | 00     00     00     00                                              
          | M52    M03    M35    M19                                            
          +----------------------------------------------------------------------
          | M52   Cylinder 6 injector control power output                      
          | M03   Cylinder 8 injector control power output                      
          | M35   Cylinder 7 injector control power output                      
          | M19   Cylinder 5 injector control power output                      
----------+----------------------------------------------------------------------
          | LSHVK1 xxxx   TEV    MIL                                            
[1] 0x33  | 00     11     00     11                                              
          | M34    M21    M05    F46                                            
          +----------------------------------------------------------------------
          | M34   LH rear Lambda sensor heater (duty cycle) Power output        
          | M21   Not Used                                                      
          | M05   Control for LH canister purge valve (duty cycle) Power output  
          | F46   Not Used                                                      
----------+----------------------------------------------------------------------
          | EKP    LUE1   LSHVK2 MIL                                            
[2] 0xbf  | 10     11     11     11                                              
          | F30    F50    M02    F02                                            
          +----------------------------------------------------------------------
          | F30   Fuel pump control Digital output                              
          | F50   Not Used                                                      
          | M02   Not Used                                                      
          | F02   Not Used                                                      
----------+----------------------------------------------------------------------
          | --     --     KOS    LUE2                                            
[3] 0xff  | 11     11     11     11                                              
          | Fxx    Fxx    F13    F62                                            
          +----------------------------------------------------------------------
          | Fxx   Not Used                                                      
          | Fxx   Not Used                                                      
          | F13   Not Used                                                      
          | F62   Not Used                                                      
----------+----------------------------------------------------------------------
          | xxxx   SU1    NWS    xxxx                                            
[4] 0xfc  | 11     11     11     00                                              
          | M53    M04    M36    M20                                            
          +----------------------------------------------------------------------
          | M53   Not Used                                                      
          | M04   Not Used                                                      
          | M36   Not Used                                                      
          | M20   Control for LH exhaust by-pass power output                    
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx                                            
[5] 0xff  | 11     11     11     11                                              
          | F18    F33    F34    F01                                            
          +----------------------------------------------------------------------
          | F18   Not Used                                                      
          | F33   Not Used                                                      
          | F34   Not Used                                                      
          | F01   Not Used                                                      
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx                                            
[6] 0xff  | 11     11     11     11                                              
          | M13    M13    M45    M45                                            
          +----------------------------------------------------------------------
          | M13   Not Used                                                      
          | M13   Not Used                                                      
          | M45   Not Used                                                      
          | M45   Not Used                                                      
----------+----------------------------------------------------------------------


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on June 12, 2019, 01:36:43 PM
.. and also does the same decoding for RHS bank too...

Code:
ESKONF_R @ ADR:0x810ad4 (offset 0x10ad4) - Right Bank Configuration
----------+----------------------------------------------------------------------
[i] Hex   |           Bit
          | 76     54     32     10
----------+----------------------------------------------------------------------
          | EV4    EV3    EV2    EV1
[0] 0x00  | 00     00     00     00
          | M52    M03    M35    M19
          +----------------------------------------------------------------------
          | M52   Cylinder 2 injector control power output
          | M03   Cylinder 4 injector control power output
          | M35   Cylinder 3 injector control power output
          | M19   Cylinder 1 injector control power output
----------+----------------------------------------------------------------------
          | LSHVK1 xxxx   TEV    MIL
[1] 0x33  | 00     11     00     11
          | M34    M21    M05    F46
          +----------------------------------------------------------------------
          | M34   RH rear Lambda sensor heater (duty cycle) power output
          | M21   Not Used
          | M05   Control for RH canister purge valve (duty cycle) power output
          | F46   Not Used
----------+----------------------------------------------------------------------
          | EKP    LUE1   LSHVK2 MIL
[2] 0xbf  | 10     11     11     11
          | F30    F50    M02    F02
          +----------------------------------------------------------------------
          | F30   Fuel pump control digital output
          | F50   Not Used
          | M02   Not Used
          | F02   Not Used
----------+----------------------------------------------------------------------
          | --     --     KOS    LUE2
[3] 0xf3  | 11     11     00     11
          | Fxx    Fxx    F13    F62
          +----------------------------------------------------------------------
          | Fxx   Not Used
          | Fxx   Not Used
          | F13   A/C compressor control digital output
          | F62   Secondary air pump control digital output
----------+----------------------------------------------------------------------
          | xxxx   SU1    NWS    xxxx
[4] 0x00  | 00     00     00     00
          | M53    M04    M36    M20
          +----------------------------------------------------------------------
          | M53   Modular manifolds control power output
          | M04   Compensation throttle control power output
          | M36   Timing variator control  Digital output
          | M20   Control for RH exhaust by-pass power output
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx
[5] 0xff  | 11     11     11     11
          | F18    F33    F34    F01
          +----------------------------------------------------------------------
          | F18   Canister closing control power output
          | F33   Not Used
          | F34   Secondary air valve control digital output
          | F01   Not Used
----------+----------------------------------------------------------------------
          | xxxx   xxxx   xxxx   xxxx
[6] 0xff  | 11     11     11     11
          | M13    M13    M45    M45
          +----------------------------------------------------------------------
          | M13   Not Used
          | M13   Not Used
          | M45   Not Used
          | M45   Not Used
----------+----------------------------------------------------------------------
Secondary Air Valve Diagnostics are off: This is probably a European spec car
Air Injection Diagnostics are off: This is probably a European spec car
LH Rear O2 Heater is on : Secondary O2 sensor heating is enabled
RH Rear O2 Heater is on : Secondary O2 sensor heating is enabled
LH Canister Purge Valve is: on
RH Canister Purge Valve is: on


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on June 12, 2019, 01:53:44 PM
On the Ferrari 360 it's really easy to detect functions (and even the GPIO bsets) from discovery of the ESKONF...

For example. Here's the segment of code regarding selection of either LHS or RHS banks...

                       DEKON_Get_ESKONF:
9A 23 09 E0                             jnb     word_FD46.14, Get_ESKONF_L ; Are we running on LHS or RHS ?
                        Get_ESKONF_R:
E6 F4 E6 4F                             mov     r4, #prokon_tbl_RHS
F6 F4 F8 A0                             mov     dekon_v, r4
E6 F5 EB 0A                             mov     r5, #ESKONF_R   ; ESKONF_R : Undefined [DEKON]
F6 F5 FA A0                             mov     ram_ESKONF_p, r5
DB 00                                   rets
                        Get_ESKONF_L:                           ; ...
E6 F4 64 50                             mov     r4, #prokon_tbl_LHS
F6 F4 F8 A0                             mov     dekon_v, r4
E6 F5 E4 0A                             mov     r5, #ESKONF_L   ; ESKONF_L : Undefined [DEKON]
F6 F5 FA A0                             mov     ram_ESKONF_p, r5
DB 00                                   rets



If you decode the lookup tables you see something like this (after you correctly define the offsets);


                        ESKONF_R - Right Bank Configuration
                        ----------+----------------------------------------------------------------------
                        [i] Hex   |           Bit
                                  | 76     54     32     10
                        ----------+----------------------------------------------------------------------
                                  | EV4    EV3    EV2    EV1
                        [0] 0x00  | 00     00     00     00
                                  | M52    M03    M35    M19
                                  +----------------------------------------------------------------------
                                  | M52   Cylinder 2 injector control power output
                                  | M03   Cylinder 4 injector control power output
                                  | M35   Cylinder 3 injector control power output
                                  | M19   Cylinder 1 injector control power output
                        ----------+----------------------------------------------------------------------

02 00                   prokon_tbl_RHS: dw 2                    ; ...
8A C3                                   dw Process_State_Cylinder2_InjectorControl ; M19
84 00                                   dw 84h
DA C3                                   dw Process_State_Cylinder4_InjectorControl ; M35
84 00                                   dw 84h
2A C4                                   dw Process_State_Cylinder3_InjectorControl ; M03
84 00                                   dw 84h
7A C4                                   dw Process_State_Cylinder1_InjectorControl ; M52
84 00                                   dw 84h

                        ----------+----------------------------------------------------------------------
                                  | LSHVK1 xxxx   TEV    MIL
                        [1] 0x33  | 00     11     00     11
                                  | M34    M21    M05    F46
                                  +----------------------------------------------------------------------
                                  | M34   RH rear Lambda sensor heater (duty cycle) power output
                                  | M21   Not Used
                                  | M05   Control for RH canister purge valve (duty cycle) power output
                                  | F46   Not Used
                        ----------+----------------------------------------------------------------------
02 00                                   dw 2
90 B2                                   dw Process_State_Unused ; F46
84 00                                   dw 84h
78 85                                   dw Process_State_CanisterPurgeValveDutyCycleOutput_Control ; M05
85 00                                   dw 85h
90 B2                                   dw Process_State_Unused ; M21
84 00                                   dw 84h
6C 87                                   dw Process_State_O2Sensor_Heater_Output ; M34
85 00                                   dw 85h

                        ----------+----------------------------------------------------------------------
                                  | EKP    LUE1   LSHVK2 MIL
                        [2] 0xbf  | 10     11     11     11
                                  | F30    F50    M02    F02
                                  +----------------------------------------------------------------------
                                  | F30   Fuel pump control digital output
                                  | F50   Not Used
                                  | M02   Not Used
                                  | F02   Not Used
                        ----------+----------------------------------------------------------------------
02 00                                   dw 2
90 B2                                   dw Process_State_Unused ; F02
84 00                                   dw 84h
90 B2                                   dw Process_State_Unused ; M02
84 00                                   dw 84h
90 B2                                   dw Process_State_Unused ; F50
84 00                                   dw 84h
D0 87                                   dw Process_State_FuelPumpControl ; F30
85 00                                   dw 85h

                        ----------+----------------------------------------------------------------------
                                  | --     --     KOS    LUE2
                        [3] 0xf3  | 11     11     00     11
                                  | Fxx    Fxx    F13    F62
                                  +----------------------------------------------------------------------
                                  | Fxx   Not Used
                                  | Fxx   Not Used
                                  | F13   A/C compressor control digital output
                                  | F62   Secondary air pump control digital output
                        ----------+----------------------------------------------------------------------
02 00                                   dw 2
F2 85                                   dw Process_State_SecondaryAirPumpControl ; F62
85 00                                   dw 85h
9E 87                                   dw Process_State_AC_CompressorOutput ; F13
85 00                                   dw 85h
90 B2                                   dw Process_State_Unused ; Fxx - Not Used
84 00                                   dw 84h
90 B2                                   dw Process_State_Unused ; Fxx - Not Used
84 00                                   dw 84h

                        ----------+----------------------------------------------------------------------
                                  | xxxx   SU1    NWS    xxxx
                        [4] 0x00  | 00     00     00    

... cut ... cut ... cut ...
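The decoding shown in the tables above, written out as a small decoder. This is an added example, not code from 360trev's tool: the field names, output codes and the seven sample bytes are copied from the ESKONF_R table in this post, and the bank selection mirrors `jnb word_FD46.14` (bit clear selects the LHS block). What the four 2-bit values mean is not defined anywhere on the page; treating `0b11` as "diagnostics off / output not configured" is an assumption taken from the summary lines in the previous post and is flagged as such in the code.

```python
"""ESKONF 2-bit field decoder (added example, not 360trev's tool code)."""
from typing import Dict, List, Tuple

# Per-byte layout, ordered bits 76, 54, 32, 10: (signal names, output codes).
# Constructed from the ESKONF_R table in the post above.
ESKONF_R_LAYOUT: List[Tuple[Tuple[str, ...], Tuple[str, ...]]] = [
    (("EV4", "EV3", "EV2", "EV1"),     ("M52", "M03", "M35", "M19")),
    (("LSHVK1", "xxxx", "TEV", "MIL"), ("M34", "M21", "M05", "F46")),
    (("EKP", "LUE1", "LSHVK2", "MIL"), ("F30", "F50", "M02", "F02")),
    (("--", "--", "KOS", "LUE2"),      ("Fxx", "Fxx", "F13", "F62")),
    (("xxxx", "SU1", "NWS", "xxxx"),   ("M53", "M04", "M36", "M20")),
    (("xxxx", "xxxx", "xxxx", "xxxx"), ("F18", "F33", "F34", "F01")),
    (("xxxx", "xxxx", "xxxx", "xxxx"), ("M13", "M13", "M45", "M45")),
]

# Sample block: the Hex column of the ESKONF_R table above (constructed input).
ESKONF_R_SAMPLE = bytes([0x00, 0x33, 0xBF, 0xF3, 0x00, 0xFF, 0xFF])

DIAG_OFF = 0b11   # ASSUMPTION: 0b11 == diagnostics off / output not configured
BIT_PAIRS = ("76", "54", "32", "10")


def split_fields(value: int) -> Tuple[int, int, int, int]:
    """Split one byte into its four 2-bit fields, most significant pair first."""
    if not 0 <= value <= 0xFF:
        raise ValueError("ESKONF entries are single bytes")
    return ((value >> 6) & 3, (value >> 4) & 3, (value >> 2) & 3, value & 3)


def select_bank(status_word: int, bit: int = 14) -> str:
    """Mirror DEKON_Get_ESKONF: 'jnb word.14' jumps to the LHS table when bit 14 is clear."""
    return "L" if not (status_word >> bit) & 1 else "R"


def decode_eskonf(block: bytes, layout) -> List[Dict[str, object]]:
    """One record per 2-bit field: byte index, bit pair, signal, output code, raw value."""
    if len(block) != len(layout):
        raise ValueError(f"expected {len(layout)} bytes, got {len(block)}")
    records = []
    for idx, (raw, (signals, codes)) in enumerate(zip(block, layout)):
        for field_no, (bits, signal, code) in enumerate(zip(split_fields(raw), signals, codes)):
            records.append({
                "byte": idx,
                "raw": raw,
                "bit_pair": BIT_PAIRS[field_no],
                "signal": signal,
                "code": code,
                "value": bits,
                "diagnostics_off": bits == DIAG_OFF,   # assumption, see DIAG_OFF
            })
    return records


def diagnosed_outputs(block: bytes, layout) -> List[str]:
    """Output codes whose field is not 0b11 (under the DIAG_OFF assumption)."""
    return [r["code"] for r in decode_eskonf(block, layout) if not r["diagnostics_off"]]


def render(block: bytes, layout) -> str:
    """Text dump in the same spirit as the tables above."""
    lines = ["idx  hex   76 54 32 10  fields"]
    for idx, raw in enumerate(block):
        f = split_fields(raw)
        names = "  ".join(f"{s}={v:02b}({c})" for s, c, v in zip(*layout[idx], f))
        lines.append(f"[{idx}]  0x{raw:02x}  {f[0]:02b} {f[1]:02b} {f[2]:02b} {f[3]:02b}  {names}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("bank", select_bank(0x4000))          # bit 14 set -> RHS block
    print(render(ESKONF_R_SAMPLE, ESKONF_R_LAYOUT))
    print("diagnosed:", diagnosed_outputs(ESKONF_R_SAMPLE, ESKONF_R_LAYOUT))
```

Per-vehicle meaning still has to come from a layout table like `ESKONF_R_LAYOUT`; for an unknown ECU only the raw 2-bit values and the byte/bit position are recoverable from the ROM itself.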




Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: IamwhoIam on June 12, 2019, 02:53:31 PM
Nice job man! When is this big update coming?


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: nyet on June 12, 2019, 02:55:14 PM
Yes ESKONF is entirely possible to detect and I already support it!

... however the meanings to decode it are specific to a vehicle model, so quite how you'd interpret and visualize that is challenging to understand; config files perhaps?



For unknown vehicles just outputting GPIO information would be sufficient, since all that's needed for the rest is the schematic. Beats trial and error.


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: Blazius on June 12, 2019, 03:00:20 PM
btw, if you don't mind me asking, how the hell did you get your hands on a Ferrari 360 :D


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: nyet on June 12, 2019, 03:04:19 PM
also, offtopic but it bears mention: if not for this fine fellow me7sum would not exist :)


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: DT on June 12, 2019, 03:15:54 PM
I will be releasing a big update soon..

I have re-designed the way my search works now to be more like the way my custom disassembler works. This allows me to automatically mask out physical addresses for given instructions, etc. and therefore compare dumped functions between ecu dumps. This in turn allows rapid discovery of variables for the purposes of logging, etc.
Really nice!
I think I've suggested it before, but have you thought about incorporating a points system to be able to get an even higher hit count in different files, like SpamAssassin's system? Positive points for an opcode match, negative points if not matching. Sometimes the routine matches except for an additional command or a different source/destination register within a very similar routine.


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on June 14, 2019, 07:35:06 AM
Really nice!
I think I've suggested it before, but have you thought about incorporating a points system to be able to get an even higher hit count in different files, like SpamAssassin's system? Positive points for an opcode match, negative points if not matching. Sometimes the routine matches except for an additional command or a different source/destination register within a very similar routine.

Well yes, I actually already mask out the registers anyway from all matches, as this is compiler-generation specific and not related to the pure logic of the original functional C code.

I am sure a points system could work well and I will invest some time on it; the only concern really is having enough data points in the original signatures for it to make sense. In other words the signatures need to be of a given size to make it work well. The idea of looking at the number of function calls and the variables used already gives quite a decent level of match; adding a weighting system could help refine it further and make it even better, agreed.

I'd like to re-visit this and re-write it with an opcode API (a bit like the one used in IDA) so I could make it instruction-set agnostic. That would be useful for attacking other, later architectures like PowerPC and Infineon TriCore too.
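A worked version of the masked-signature idea discussed in this exchange, added here as an example and not taken from 360trev's tool. The needle is the body of `DEKON_Get_ESKONF` from the listing in the earlier post with the register nibble of every `E6 Fn` / `F6 Fn` and all 16-bit operands masked out, so one signature hits the LHS branch, the RHS branch and a re-registered recompilation alike; the optional mismatch tolerance is a crude form of the points system DT suggests. After a hit the operands are read back and the ESKONF pointer is turned into a physical ROM address through the C167 DPP scheme (bits 15..14 of a 16-bit address select DPP0..3, the low 14 bits are the page offset). The haystack is constructed from the listing's bytes plus filler and a near miss; the DPP values (`0x204, 0x205, 0xE0, 0x3`) and the `0x800000` rom base for a 1Mb file are assumptions made for this example.

```python
"""Masked-signature search over C167 code (added example, not 360trev's tool)."""
from typing import Dict, List, Tuple

ANY = (0x00, 0x00)    # wildcard byte (16-bit operands)
REG = (0xF0, 0xF0)    # 'Fn' byte of E6 Fn / F6 Fn: require the F nibble, ignore register n

# (value, mask) pairs: haystack byte b fits when (b & mask) == value.
GET_ESKONF_SIG: List[Tuple[int, int]] = [
    (0xE6, 0xFF), REG, ANY, ANY,    # mov rN, #table_ptr
    (0xF6, 0xFF), REG, ANY, ANY,    # mov table_var, rN
    (0xE6, 0xFF), REG, ANY, ANY,    # mov rM, #eskonf_ptr
    (0xF6, 0xFF), REG, ANY, ANY,    # mov eskonf_var, rM
    (0xDB, 0xFF), (0x00, 0xFF),     # rets
]

DPP_ASSUMED = (0x0204, 0x0205, 0x00E0, 0x0003)   # ASSUMPTION for this example
ROM_BASE_1MB = 0x800000                          # ASSUMPTION: 1Mb rom mapped at 0x800000


def find_matches(hay: bytes, sig, max_mismatch: int = 0) -> List[Tuple[int, int]]:
    """(offset, mismatches) for every place the signature fits with at most
    max_mismatch masked-byte misses. Tolerance > 0 is the simple points system:
    a fitting byte counts for, a non-fitting byte counts against the hit."""
    hits = []
    for off in range(len(hay) - len(sig) + 1):
        bad = 0
        for i, (val, mask) in enumerate(sig):
            if (hay[off + i] & mask) != val:
                bad += 1
                if bad > max_mismatch:
                    break
        else:
            hits.append((off, bad))
    return hits


def u16le(b: bytes, i: int) -> int:
    return b[i] | (b[i + 1] << 8)


def extract_operands(hay: bytes, off: int) -> Dict[str, int]:
    """Read back what the mask discarded: register numbers and 16-bit operands."""
    return {
        "reg_table":  hay[off + 1] & 0x0F,
        "table_ptr":  u16le(hay, off + 2),
        "table_var":  u16le(hay, off + 6),
        "reg_eskonf": hay[off + 9] & 0x0F,
        "eskonf_ptr": u16le(hay, off + 10),
        "eskonf_var": u16le(hay, off + 14),
    }


def dpp_to_phys(addr16: int, dpp=DPP_ASSUMED) -> int:
    """C167 data addressing: bits 15..14 pick DPP0..3, which supplies the 10-bit page."""
    return (dpp[(addr16 >> 14) & 3] << 14) | (addr16 & 0x3FFF)


def phys_to_file_offset(phys: int, rom_base: int = ROM_BASE_1MB) -> int:
    """Byte offset into the rom file; RAM/XRAM addresses are rejected, not silently mapped."""
    if not rom_base <= phys < rom_base + 0x100000:
        raise ValueError(f"0x{phys:06x} is outside the rom window")
    return phys - rom_base


def resolve(hay: bytes, sig=GET_ESKONF_SIG, dpp=DPP_ASSUMED) -> List[Dict[str, int]]:
    """Match, then report the ESKONF block and the prokon table as rom file offsets."""
    out = []
    for off, _bad in find_matches(hay, sig):
        ops = extract_operands(hay, off)
        eskonf = dpp_to_phys(ops["eskonf_ptr"], dpp)
        table = dpp_to_phys(ops["table_ptr"], dpp)
        out.append({"match_offset": off,
                    "eskonf_phys": eskonf, "eskonf_file_offset": phys_to_file_offset(eskonf),
                    "table_phys": table, "table_file_offset": phys_to_file_offset(table)})
    return out


def build_haystack() -> bytes:
    """Constructed haystack: both branches from the listing above, a variant using
    r8/r9, filler, and a near miss whose last opcode differs by one byte."""
    jnb = bytes.fromhex("9A2309E0")                                     # jnb word_FD46.14
    rhs = bytes.fromhex("E6F4E64F F6F4F8A0 E6F5EB0A F6F5FAA0 DB00")    # Get_ESKONF_R
    lhs = bytes.fromhex("E6F46450 F6F4F8A0 E6F5E40A F6F5FAA0 DB00")    # Get_ESKONF_L
    variant = bytes.fromhex("E6F81234 F6F8F8A0 E6F9EB0A F6F9FAA0 DB00")  # constructed
    near_miss = rhs[:-2] + bytes.fromhex("CB00")                         # constructed
    filler = bytes([0xCC]) * 8
    return jnb + rhs + lhs + filler + variant + filler + near_miss + filler


if __name__ == "__main__":
    hay = build_haystack()
    for hit in resolve(hay):
        print({k: hex(v) for k, v in hit.items()})
    print("with 1 mismatch allowed:", find_matches(hay, GET_ESKONF_SIG, max_mismatch=1))
```

Two things worth noticing when running it: the r8/r9 variant is found with a zero-mismatch score, which is exactly the register masking 360trev describes, and the pointer `0xA0F8` stored by `mov table_var, rN` lands in DPP2 (external RAM), so `phys_to_file_offset` refuses it rather than producing a bogus file offset.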





Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on June 20, 2019, 06:35:24 AM
And here is the reverse lookup from the DTC table that I explained was possible earlier...

  0) MATCHED @ 0x0002B572 : DTC idx= 62 (0x3E)     DFPM_DUMMY_D() : (Unsupported) Lambda Probe Aging TP
  1) MATCHED @ 0x0002B572 : DTC idx= 63 (0x3F)     DFPM_DUMMY_D() : (Unsupported) Lambda Probe Aging TV
  2) MATCHED @ 0x0002B572 : DTC idx= 98 (0x62)     DFPM_DUMMY_D() : (Unsupported) OBDII Empty Tank Failure
  3) MATCHED @ 0x0002B572 : DTC idx=100 (0x64)     DFPM_DUMMY_D() : (Unsupported) Tank Low Flow Switch Valve (Power Amplifier)
  5) MATCHED @ 0x0002B572 : DTC idx=106 (0x6A)     DFPM_DUMMY_D() : (Unsupported) Engine Oil Temperature
  6) MATCHED @ 0x0002B572 : DTC idx=107 (0x6B)     DFPM_DUMMY_D() : (Unsupported) Ambient (Air) Temperature TUM
  7) MATCHED @ 0x0002C554 : DTC idx= 91 (0x5B)     DFPM_DSLSLRS() : Secondary Air System
  9) MATCHED @ 0x00035A72 : DTC idx=117 (0x75)       DFPM_DVKUP() : Engine Off Request from F1 TCU Failure
 12) MATCHED @ 0x0003809C : DTC idx= 69 (0x45)      DFPM_DMDMIL() : Misfire, Sum Error (Multiple)
 14) MATCHED @ 0x0003CB14 : DTC idx= 79 (0x4F)         DFPM_DDG() : Speed Sensor
 16) MATCHED @ 0x0003D314 : DTC idx= 80 (0x50)       DFPM_DNWKW() : Assignment Camshaft to Crankshaft
 17) MATCHED @ 0x0003D5D8 : DTC idx= 84 (0x54)         DFPM_DPH() : Phase Sensor
 18) MATCHED @ 0x00040000 : DTC idx= 61 (0x3D)      DFPM_DLSAHK() : Lambda Probe aging behind cat.
 19) MATCHED @ 0x000408FA : DTC idx= 48 (0x30)       DFPM_DHLSU() : Lambda Probe Heating 2 before Catalyst
 20) MATCHED @ 0x000408FA : DTC idx= 46 (0x2E)       DFPM_DHLSU() : Lambda probe heater in front of catalyst; (Bank2)
 21) MATCHED @ 0x00042C64 : DTC idx= 67 (0x43)        DFPM_DLSU() : Lambda Probe before Cat
 22) MATCHED @ 0x000431A4 : DTC idx=116 (0x74)        DFPM_DVFZ() : Vehicle Speed
 24) MATCHED @ 0x00044642 : DTC idx= 36 (0x24)       DFPM_GGPED() : Throttle Pedal Poti 1
 25) MATCHED @ 0x000472D2 : DTC idx= 24 (0x18)        DFPM_DDVE_ERR() : DV-E Error Undefined
 26) MATCHED @ 0x00047628 : DTC idx= 19 (0x13)        DFPM_DDVE_FAULT() : DV-E Feather Check Error
 27) MATCHED @ 0x00047628 : DTC idx= 28 (0x1C)        DFPM_DDVE_FAULT() : DV-E Amplifier Matching Error
 28) MATCHED @ 0x00047628 : DTC idx= 20 (0x14)        DFPM_DDVE_FAULT() : DV-E Return Spring Failure
 29) MATCHED @ 0x00047628 : DTC idx= 26 (0x1A)        DFPM_DDVE_FAULT() : DV-E Errors in Motor Driven Throttle
 30) MATCHED @ 0x00047628 : DTC idx= 23 (0x17)        DFPM_DDVE_FAULT() : DV-E Control Range
 33) MATCHED @ 0x0004BE5C : DTC idx= 32 (0x20)       DFPM_DEKON_EV() : EV by Cylinder 1
 34) MATCHED @ 0x0004BE5C : DTC idx= 33 (0x21)       DFPM_DEKON_EV() : EV by Cylinder 2
 35) MATCHED @ 0x0004BE5C : DTC idx= 34 (0x22)       DFPM_DEKON_EV() : EV by Cylinder 3
 39) MATCHED @ 0x0004C2C8 : DTC idx= 44 (0x2C)       DFPM_DEKON_PWR() : Power amplifier heating probe behind cat.
 40) MATCHED @ 0x0004C2C8 : DTC idx= 44 (0x2C)       DFPM_DEKON_PWR() : Power amplifier heating probe behind cat.
 41) MATCHED @ 0x0004C556 : DTC idx= 83 (0x53)       DFPM_DEKON_CAM() : Camshaft Control Valve Power Amplifier
 42) MATCHED @ 0x0004C71C : DTC idx= 94 (0x5E)       DFPM_DEKON_CHG1() : End Stage Suction Tube Changeover
 43) MATCHED @ 0x0004C7A8 : DTC idx= 95 (0x5F)       DFPM_DEKON_CHG2() : Circuit intake manifold Bank 2
 44) MATCHED @ 0x0004CA60 : DTC idx= 88 (0x58)         DFPM_SGA() : Switch Control Selector
 45) MATCHED @ 0x0005117E : DTC idx= 81 (0x51)        DFPM_DNWS() : Camshaft Control
 46) MATCHED @ 0x00051206 : DTC idx= 82 (0x52)        DFPM_DNWS() : Camshaft Control Bank2
 47) MATCHED @ 0x00055E50 : DTC idx= 39 (0x27)        DFPM_DKVS_UPR() : LR-Adaption Upper Multiplicative
 48) MATCHED @ 0x00055E50 : DTC idx= 86 (0x56)        DFPM_DKVS_UPR() : LR adaptation QL additive
 49) MATCHED @ 0x00055F34 : DTC idx= 40 (0x28)        DFPM_DKVS_LWR() : LR Adaption Lower Multiplicative
 50) MATCHED @ 0x00055F34 : DTC idx= 87 (0x57)        DFPM_DKVS_LWR() : LR adaptation ti-additive
 51) MATCHED @ 0x000576B2 : DTC idx= 97 (0x61)       DFPM_GGTFA() : (IAT) Intake Air Temperature Sensor (Airflow Meters)
 52) MATCHED @ 0x00057AA4 : DTC idx=105 (0x69)       DFPM_GGTFM() : Engine Temperature TMOT
 53) MATCHED @ 0x000597BC : DTC idx= 51 (0x33)       DFPM_DTKAT() : Catalyst Temperature
 54) MATCHED @ 0x000597BC : DTC idx= 51 (0x33)       DFPM_DTKAT() : Catalyst Temperature
 55) MATCHED @ 0x000597BC : DTC idx= 51 (0x33)       DFPM_DTKAT() : Catalyst Temperature
 56) MATCHED @ 0x00059AC4 : DTC idx= 49 (0x31)         DFPM_SAK() : Catalyst Protection Active
 57) MATCHED @ 0x0005B414 : DTC idx= 54 (0x36)       DFPM_DKRNT() : Knock Control Null Test
 58) MATCHED @ 0x0005B414 : DTC idx= 55 (0x37)       DFPM_DKRNT() : Knock Control Offset
 59) MATCHED @ 0x0005BD90 : DTC idx= 56 (0x38)       DFPM_DKRTP() : Knock Control Test Pulses
 60) MATCHED @ 0x00064F7C : DTC idx=111 (0x6F)         DFPM_DUF() : Function Monitoring : Safety Fuel Cutoff
 61) MATCHED @ 0x00064F7C : DTC idx=110 (0x6E)         DFPM_DUF() : Function Monitoring : Moment Comparison
 62) MATCHED @ 0x00064F7C : DTC idx=109 (0x6D)         DFPM_DUF() : Function Monitoring : Other ME Data
 63) MATCHED @ 0x00064FEA : DTC idx=111 (0x6F)         DFPM_DUF_CUT() : Function Monitoring : Safety Fuel Cutoff
 64) MATCHED @ 0x0006520A : DTC idx=113 (0x71)         DFPM_DUR() : Computer Monitoring : ROM
 65) MATCHED @ 0x0006A696 : DTC idx= 96 (0x60)       DFPM_BGRBS() : Bad Path Detection Acceleration Sensor
 66) MATCHED @ 0x0006BDAE : DTC idx= 17 (0x11)        DFPM_DDST() : Pressure Sensor Tank
 67) MATCHED @ 0x0006C134 : DTC idx=102 (0x66)       DFPM_DTESK() : Tank Bleeding System Grobleck
 68) MATCHED @ 0x0006C134 : DTC idx=103 (0x67)       DFPM_DTESK() : Tank detoxification system Kleinstleck


It's discovered all of these diagnostic function entry points from the original DTCs. It does this by deriving the ID from the table and then searching for the opcode where the ID calls the DTC function. Once it finds a hit it walks backwards until it finds the start of the function. This makes it very easy (even for DTCs you haven't yet reversed) to look up their function from workshop manuals or the web and then find the function entry point directly. From this I could now generate an IDC script to use MakeName() on the entries. You could for example use this to automatically and very rapidly label all of the DTC functions AND, for functions whose variables you know, in a new rom you've just dumped. That's why this approach is very powerful and rapidly accelerates the reversing of a rom...
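The IDC generation step mentioned at the end of this post, as an added example rather than code from the tool. It parses the `n) MATCHED @ ...` lines (the sample is a constructed subset of the output above), collapses the many-DTCs-to-one-handler cases into a single label with a comment listing every DTC, flags any address that two different names claim, and emits legacy IDC `MakeName()`/`MakeComm()` calls. Converting a file offset to a rom address by adding `0x800000` is an assumption for a 1Mb rom.

```python
"""DTC match list -> IDC labelling script (added example, not 360trev's tool)."""
import re
from typing import Dict, List

ROM_BASE = 0x800000   # ASSUMPTION: 1Mb rom, file offset 0 == 0x800000

LINE_RE = re.compile(
    r"^\s*\d+\)\s+MATCHED @ 0x(?P<off>[0-9A-Fa-f]+)\s*:\s*DTC idx=\s*(?P<idx>\d+)"
    r"\s*\(0x[0-9A-Fa-f]+\)\s+(?P<func>\w+)\(\)\s*:\s*(?P<desc>.*?)\s*$"
)

# Constructed subset of the output above (same formatting, fewer rows).
SAMPLE_OUTPUT = """\
  0) MATCHED @ 0x0002B572 : DTC idx= 62 (0x3E)     DFPM_DUMMY_D() : (Unsupported) Lambda Probe Aging TP
  1) MATCHED @ 0x0002B572 : DTC idx= 63 (0x3F)     DFPM_DUMMY_D() : (Unsupported) Lambda Probe Aging TV
 19) MATCHED @ 0x000408FA : DTC idx= 48 (0x30)       DFPM_DHLSU() : Lambda Probe Heating 2 before Catalyst
 20) MATCHED @ 0x000408FA : DTC idx= 46 (0x2E)       DFPM_DHLSU() : Lambda probe heater in front of catalyst; (Bank2)
 26) MATCHED @ 0x00047628 : DTC idx= 19 (0x13)        DFPM_DDVE_FAULT() : DV-E Feather Check Error
 27) MATCHED @ 0x00047628 : DTC idx= 28 (0x1C)        DFPM_DDVE_FAULT() : DV-E Amplifier Matching Error
 53) MATCHED @ 0x000597BC : DTC idx= 51 (0x33)       DFPM_DTKAT() : Catalyst Temperature
 54) MATCHED @ 0x000597BC : DTC idx= 51 (0x33)       DFPM_DTKAT() : Catalyst Temperature
 60) MATCHED @ 0x00064F7C : DTC idx=111 (0x6F)         DFPM_DUF() : Function Monitoring : Safety Fuel Cutoff
 63) MATCHED @ 0x00064FEA : DTC idx=111 (0x6F)         DFPM_DUF_CUT() : Function Monitoring : Safety Fuel Cutoff
"""


def parse_matches(text: str) -> Dict[int, Dict]:
    """Group rows by file offset, keep the first name, collect distinct DTC indices.
    Exact repeats (rows 53-55 above) collapse; a second name for the same address
    is recorded as a conflict instead of being silently overwritten."""
    groups: Dict[int, Dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # not a MATCHED row
        off = int(m["off"], 16)
        g = groups.setdefault(off, {"func": m["func"], "dtcs": {}, "conflicts": []})
        if m["func"] != g["func"] and m["func"] not in g["conflicts"]:
            g["conflicts"].append(m["func"])
        g["dtcs"].setdefault(int(m["idx"]), m["desc"])
    return groups


def to_idc(groups: Dict[int, Dict], rom_base: int = ROM_BASE) -> str:
    """Emit a legacy IDC script: one MakeName() plus a MakeComm() per entry point."""
    lines: List[str] = ["#include <idc.idc>", "", "static main()", "{"]
    for off in sorted(groups):
        g = groups[off]
        ea = rom_base + off
        comment = "; ".join(f"DTC {i} (0x{i:02X}): {d}" for i, d in g["dtcs"].items())
        if g["conflicts"]:
            comment += " | ALSO NAMED: " + ", ".join(g["conflicts"])
        comment = comment.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'    MakeName(0x{ea:06X}, "{g["func"]}");')
        lines.append(f'    MakeComm(0x{ea:06X}, "{comment}");')
    lines += ["}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_idc(parse_matches(SAMPLE_OUTPUT)))
```

Because every row for one handler becomes a single `MakeName()`, the script is safe to re-run; the per-DTC detail survives in the comment, which is where it is useful when a DTC you have not reversed yet turns up in a workshop manual.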

 


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: Blazius on June 23, 2019, 03:07:57 PM
snip
 

You should probably also update the github readme lol, I bet people don't even know you can instafind KRKTE, MLHFM, KFPED, LAMFA and others in any bin instantly, because the github readme is not updated :P


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: vwaudiguy on September 10, 2019, 09:05:25 PM
test.bin is in the same directory as the .exe

Opening 'test.bin' file

Can't open file "test.bin".
Failed to load, result = -1
Nothing to free

Halp? :)



Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: mdccode5150 on September 08, 2020, 11:18:27 PM
I have been banging my head on figuring out object oriented programming without a formal education, and have concluded that I'm not that smart LOL. I have to say I admire the fact that you have stayed on it for so long.

I do have a question : Are you doing all of this because you don't have an A2L, or DAMOS file?

I have one for the Ferrari 360, the Maserati, SAAB, and Porsche GT3 Hybrid ECUs and some ME7 (I think) C, H, etc. code. Would this be helpful?


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: Blazius on April 10, 2021, 05:08:27 PM
I will be releasing a big update soon..

I have re-designed the way my search works now to be more like the way my custom disassembler works. This allows me to automatically mask out physical addresses for given instructions, etc. and therefore compare dumped functions between ecu dumps. This in turn allows rapid discovery of variables for the purposes of logging, etc.

Another big advantage is I was able to ignore the differences between a 512Kbyte compiled function and a 1Mb compiled function in that the extX (e.g. extp etc.) instructions used to get access to larger address space can be ignored in both the needles and the rom code being searched through as part of a 'fuzzy logic' based search. The net result is that even functions compiled for a 512Kbyte rom file can be discovered on a larger address space rom like a 1Mb one without having to have unique signatures for each different variation just because a few differences existed due to the way the compiler addresses memory (short vs long memory model). Also going to do the same for a few other instructions too meaning that its technically possible in the future to define signatures based on higher level requirements such as finding that a function used variables like 'nmot' and looked up some known table references. Based on this inference you can pretty much auto discover a huge number of functions without requiring tonnes of signatures...

So yes, you could say this works really well!

Watch this space!



Any update on this Trev :)?


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on April 18, 2021, 04:11:11 PM
I didn't think people cared about ME7 anymore.. Every time I seemed to post anything related to ME7 it felt like I was getting flamed!

I've done a huge amount actually, just never checked anything in to the public repos (for my ME7 C167 variant), and now I am upgrading it to work on ME9.x (PowerPC) and subsequently MED17.x (TriCore) too. So it will span across all 3 different generations.

The last thing I implemented was a reverse KWP2000 protocol analysis and detection feature. It works by looking for the emit code function (return codes) and, just from that alone, it can work out exactly all the addresses of the individual functions in any ME7 rom.

E.g. Trying it on '8E0910560G  0030 - Stock.bin' rom file from nyet's server...

Code:
Opening 'Release\other_roms\8E0910560G  0030 - Stock.bin' file
Succeeded loading romfile #1 (0x100000 bytes).

SHA-256 of romfile #1: 39427bd5dcd454d197e01deb79e8d0ff4bebcb651ad7283f3faf037ae4e6795d

Loaded Primary ROM in 1Mb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]

Searching for DPPx ..
1) found reference to sig @ byte_offset=0xdb28
2) found reference to sig @ byte_offset=0xd93dc

dpp0: (seg: 0x0204 phy:0x00810000) calibration data segment 0, constants
dpp1: (seg: 0x0205 phy:0x00814000) calibration data segment 1, constants
dpp2: (seg: 0x00e0 phy:0x00380000) external RAM
dpp3: (seg: 0x0003 phy:0x0000c000) Int. RAM, XRAM, SFR

Note: dpp3 is always 3, otherwise accessing Int. RAM, XRAM, SFR is not possible

-[ EEPROM Analysis ]-----------------------------------------------------------------

>>> Scanning for basic EEPROM extraction parameters
EEPROM Number of Pages: 64 (1024 Bytes)
EEPROM Chip Select Pin: P6.3

-[ Basic Firmware information (Primary ROM) ]-----------------------------------

>>> Scanning for ROM String Table Byte Sequence #1 [info]

found kwp2000 needle @ offset:0x00001DF4  (val=0005,seg=0204).
EPK: @ 0x10005 -> 0x10055 (41 bytes) { /1/ME7.1.1/5/C1105B//25F9/L5f9bh3/080807/ }
{
    "rominfo": {
        "SSECUHN": "0261207997",
        "SSECUSN ": "1037392093",
        "DIF": "8E0910560G  ",
        "BRIF": "0030",
        "OTHERID": "4.2L V8\/5V     ",
        "EPK": "\/1\/ME7.1.1\/5\/C1105B\/\/25F9\/L5f9bh3\/080807\/"
    }
}

KWP2000 Service Identifier (SID)
--------------------------------
    The following chart indicates the different ranges of service identifier values, which are defined in
    SAE J1979, Keyword Protocol 2000 or by the vehicle manufacturer.

    SID    Service type                     Described in
    --------------------------------------- ---------------------------------
    00-0F  Request                          SAE J1979
    10-1F  Request (bit 6 = 0)              KWP 2000 Part 3
    20-2F  Request (bit 6 = 0)              KWP 2000 Part 3
    30-3E  Request (bit 6 = 0)              KWP 2000 Part 3
    3F     Not Applicable                   Reserved
    40-4F  Response                         SAE J1979
    50-5F  Positive Response                KWP 2000 Part 3
    60-6F  to Services ($10 - $3E)          KWP 2000 Part 3
    70-7E  (bit 6 = 1)                      KWP 2000 Part 3
    7F     Negative Response                KWP 2000 Part 3
    80     Request 'ESC' - Code             KWP 2000 Part 3
    81-8F  Request (bit 6 = 0)              KWP 2000 Part 2
    90-9F  Request (bit 6 = 0)              Reserved for future exp. as needed
    A0-BF  Request (bit 6 = 0)              Defined by vehicle manufacturer
    C0     Positive Resp. 'ESC' - Code      KWP 2000 Part 3
    C1-CF  Positive Response (bit 6 = 1)    KWP 2000 Part 2
    D0-DF  Positive Response (bit 6 = 1)    Reserved for future exp. as needed
    E0-FF  Positive Response (bit 6 = 1)    Defined by vehicle manufacturer
    --------------------------------------- ---------------------------------

        entrypoint BOOT:00008C8E SID: 0x81 : kwp2000_service_startCommunication_rom()
        entrypoint ROM :00035A76 SID: 0x81 : kwp2000_service_startCommunication_fw()

        entrypoint ROM :00008F14 SID: 0x10 : kwp2000_service_startDiagnosticSession_fw()
        entrypoint ROM :0000B8D2 SID: 0x36 : kwp2000_service_transferData_fw()
        entrypoint ROM :00026878 SID: 0x38 : kwp2000_service_startRoutineByAddress_fw()
        entrypoint ROM :00026896 SID: 0x39 : kwp2000_service_stopRoutineByAddress_fw()
        entrypoint ROM :000268EC SID: 0x3A : kwp2000_service_requestRoutineResultsByAddress_fw()
        entrypoint ROM :00036AA2 SID: 0x27 : kwp2000_service_securityAccess_fw()
        entrypoint ROM :000383F0 SID: 0x2C : kwp2000_service_dynamicallyDefineLocalIdentifier_fw()
        entrypoint ROM :00038A58 SID: 0x23 : kwp2000_service_readMemoryByAddress_fw()
        entrypoint ROM :00038D88 SID: 0x3D : kwp2000_service_writeMemoryByAddress_fw()
        entrypoint ROM :0003923E SID: 0x21 : kwp2000_service_readDataByLocalIdentifier_fw()
        entrypoint ROM :000396EA SID: 0x3B : kwp2000_service_writeDataByLocalIdentifier_fw()
        entrypoint ROM :0003AF80 SID: 0x31 : kwp2000_service_startRoutinebyLocalIdentifier_fw()
        entrypoint ROM :0003CFE0 SID: 0x14 : kwp2000_service_clearDiagnosticsInformation_fw()
        entrypoint ROM :0003D260 SID: 0x18 : kwp2000_service_readDiagnosticTroubleCodesByStatus_fw()
        entrypoint ROM :0003D5A6 SID: 0x12 : kwp2000_service_readFreezeFrameData_fw()
        entrypoint ROM :00008E0E SID: 0x10 : kwp2000_service_startDiagnosticSession_fw()
        entrypoint ROM :000092C2 SID: 0x82 : kwp2000_service_stopCommunication_fw()
        entrypoint ROM :0000957E SID: 0x1A : kwp2000_service_readECUIdentification_fw()
        entrypoint ROM :00009762 SID: 0x27 : kwp2000_service_securityAccess_fw()
        entrypoint ROM :0000A2D2 SID: 0x31 : kwp2000_service_startRoutinebyLocalIdentifier_fw()
        entrypoint ROM :0000A40A SID: 0x33 : kwp2000_service_requestRoutineResultByLocalIdentifier_fw()
        entrypoint ROM :0000A60A SID: 0x34 : kwp2000_service_requestDownload_fw()
        entrypoint ROM :0000A7F6 SID: 0x35 : kwp2000_service_requestUpload_fw()
        entrypoint ROM :0000A992 SID: 0x36 : kwp2000_service_transferData_fw()
        entrypoint ROM :0000AA72 SID: 0x37 : kwp2000_service_requestTransferExit_fw()
        entrypoint ROM :0000BD1E SID: 0x20 : kwp2000_service_stopDiagnosticSession_fw()
        entrypoint ROM :0000BDD0 SID: 0x83 : kwp2000_service_accessTimingParameter_fw()
        entrypoint ROM :00035C2E SID: 0xA0 : kwp2000_service_startCommunicationMcMess_fw()
        entrypoint ROM :00035CDA SID: 0x11 : kwp2000_service_resetECU_fw()
        entrypoint ROM :00038290 SID: 0x21 : kwp2000_service_readDataByLocalIdentifier_fw()
        entrypoint ROM :0003834C SID: 0x3B : kwp2000_service_writeDataByLocalIdentifier_fw()
        entrypoint ROM :00038966 SID: 0x22 : kwp2000_service_readDataByCommonIdentifier_fw()
        entrypoint ROM :0003CE62 SID: 0x32 : kwp2000_service_stopRoutineByLocalIdentifier_fw()
        entrypoint ROM :0003D526 SID: 0x17 : kwp2000_service_readStatusOfDiagnosticTroubleCodes_fw()
        entrypoint ROM :0003DFB8 SID: 0x14 : kwp2000_service_clearDiagnosticsInformation_fw()

ReadDataByLocalIdentifier() : 0x21 @ 038290
Address of subfunc() : 0x0083923E : seg=0x020C)

SEGC            @ ROM:0X83923E RAM:0X81E25E File-Offset:0X3923E (seg=0x020C [segadr=0x830000] val=0x923E)
1) found reference to sig @ byte_offset=0x39298
Note: This firmware doesn't contain a LIT table


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on April 18, 2021, 04:12:45 PM
KWP2000 automatic detection of all the protocol functions in the rom (with full tracing enabled )

Code:
       entrypoint BOOT:00008C8E SID: 0x81 : kwp2000_service_startCommunication_rom()
        entrypoint ROM :00035A76 SID: 0x81 : kwp2000_service_startCommunication_fw()
                (1) found reference to kwp2000_emit() @ byte_offset=0x90d2 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
        entrypoint ROM :00008F14 SID: 0x10 : kwp2000_service_startDiagnosticSession_fw()
                (2) found reference to kwp2000_emit() @ byte_offset=0x912a : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (3) found reference to kwp2000_emit() @ byte_offset=0xba92 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
        entrypoint ROM :0000B8D2 SID: 0x36 : kwp2000_service_transferData_fw()
                (4) found reference to kwp2000_emit() @ byte_offset=0xbaba : fault_id=0x10 <generalReject>
                (5) found reference to kwp2000_emit() @ byte_offset=0x2687c : fault_id=0x11 <serviceNotSupported>
        entrypoint ROM :00026878 SID: 0x38 : kwp2000_service_startRoutineByAddress_fw()
                (6) found reference to kwp2000_emit() @ byte_offset=0x2689a : fault_id=0x11 <serviceNotSupported>
        entrypoint ROM :00026896 SID: 0x39 : kwp2000_service_stopRoutineByAddress_fw()
                (7) found reference to kwp2000_emit() @ byte_offset=0x268f0 : fault_id=0x11 <serviceNotSupported>
        entrypoint ROM :000268EC SID: 0x3A : kwp2000_service_requestRoutineResultsByAddress_fw()
                (8) found reference to kwp2000_emit() @ byte_offset=0x35ed4 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (9) found reference to kwp2000_emit() @ byte_offset=0x36078 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (10) found reference to kwp2000_emit() @ byte_offset=0x36230 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (11) found reference to kwp2000_emit() @ byte_offset=0x36b38 : fault_id=0x37 <requiredTimeDelayNotExpired>
        entrypoint ROM :00036AA2 SID: 0x27 : kwp2000_service_securityAccess_fw()
                (12) found reference to kwp2000_emit() @ byte_offset=0x36c4e : fault_id=0x37 <requiredTimeDelayNotExpired>
                (13) found reference to kwp2000_emit() @ byte_offset=0x36d26 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (14) found reference to kwp2000_emit() @ byte_offset=0x36dfe : fault_id=0x37 <requiredTimeDelayNotExpired>
                (15) found reference to kwp2000_emit() @ byte_offset=0x36ede : fault_id=0x35 <invalidKey>
                (16) found reference to kwp2000_emit() @ byte_offset=0x36fca : fault_id=0x35 <invalidKey>
                (17) found reference to kwp2000_emit() @ byte_offset=0x36fe6 : fault_id=0x37 <requiredTimeDelayNotExpired>
                (18) found reference to kwp2000_emit() @ byte_offset=0x36ffa : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (19) found reference to kwp2000_emit() @ byte_offset=0x3700e : fault_id=0x10 <generalReject>
                (20) found reference to kwp2000_emit() @ byte_offset=0x371f8 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (21) found reference to kwp2000_emit() @ byte_offset=0x3720c : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (22) found reference to kwp2000_emit() @ byte_offset=0x3723e : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (23) found reference to kwp2000_emit() @ byte_offset=0x38910 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
        entrypoint ROM :000383F0 SID: 0x2C : kwp2000_service_dynamicallyDefineLocalIdentifier_fw()
                (24) found reference to kwp2000_emit() @ byte_offset=0x38c5e : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
        entrypoint ROM :00038A58 SID: 0x23 : kwp2000_service_readMemoryByAddress_fw()
                (25) found reference to kwp2000_emit() @ byte_offset=0x38c80 : fault_id=0x21 <busyRepeatRequest>
                (26) found reference to kwp2000_emit() @ byte_offset=0x38d42 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (27) found reference to kwp2000_emit() @ byte_offset=0x38d64 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (28) found reference to kwp2000_emit() @ byte_offset=0x39118 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
        entrypoint ROM :00038D88 SID: 0x3D : kwp2000_service_writeMemoryByAddress_fw()
                (29) found reference to kwp2000_emit() @ byte_offset=0x3913a : fault_id=0x21 <busyRepeatRequest>
                (30) found reference to kwp2000_emit() @ byte_offset=0x391f6 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (31) found reference to kwp2000_emit() @ byte_offset=0x3921a : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (32) found reference to kwp2000_emit() @ byte_offset=0x3927c : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
        entrypoint ROM :0003923E SID: 0x21 : kwp2000_service_readDataByLocalIdentifier_fw()
                (33) found reference to kwp2000_emit() @ byte_offset=0x393ba : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (34) found reference to kwp2000_emit() @ byte_offset=0x39512 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (35) found reference to kwp2000_emit() @ byte_offset=0x396b4 : fault_id=0x10 <generalReject>
                (36) found reference to kwp2000_emit() @ byte_offset=0x396c8 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (37) found reference to kwp2000_emit() @ byte_offset=0x39820 : fault_id=0x10 <generalReject>
        entrypoint ROM :000396EA SID: 0x3B : kwp2000_service_writeDataByLocalIdentifier_fw()
                (38) found reference to kwp2000_emit() @ byte_offset=0x39834 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (39) found reference to kwp2000_emit() @ byte_offset=0x3a60c : fault_id=0x10 <generalReject>
                (40) found reference to kwp2000_emit() @ byte_offset=0x3aa30 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (41) found reference to kwp2000_emit() @ byte_offset=0x3aa5a : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (42) found reference to kwp2000_emit() @ byte_offset=0x3aa96 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (43) found reference to kwp2000_emit() @ byte_offset=0x3aafe : fault_id=0x10 <generalReject>
                (44) found reference to kwp2000_emit() @ byte_offset=0x3abae : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (45) found reference to kwp2000_emit() @ byte_offset=0x3abc2 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (46) found reference to kwp2000_emit() @ byte_offset=0x3abd6 : fault_id=0x10 <generalReject>
                (47) found reference to kwp2000_emit() @ byte_offset=0x3b040 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
        entrypoint ROM :0003AF80 SID: 0x31 : kwp2000_service_startRoutinebyLocalIdentifier_fw()
                (48) found reference to kwp2000_emit() @ byte_offset=0x3b18e : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (49) found reference to kwp2000_emit() @ byte_offset=0x3b1a2 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (50) found reference to kwp2000_emit() @ byte_offset=0x3b2a0 : fault_id=0x31 <requestOutOfRange>
                (51) found reference to kwp2000_emit() @ byte_offset=0x3b2b4 : fault_id=0x31 <requestOutOfRange>
                (52) found reference to kwp2000_emit() @ byte_offset=0x3b2c8 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (53) found reference to kwp2000_emit() @ byte_offset=0x3b33e : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (54) found reference to kwp2000_emit() @ byte_offset=0x3b474 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (55) found reference to kwp2000_emit() @ byte_offset=0x3b5da : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
... cut ...

I've had to cut the output as the generated file far exceeds the size limitations of a post, but you get the idea :)

If anyone's interested in kicking the tires on this, let me know and I'll clean it up and github it..


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on April 18, 2021, 04:38:55 PM
Also worked out a completely rom-independent 'generic' way to detect all the exact locations of the CDxxx booleans used.

For example, the CDLSH configuration of secondary O2's...
The way it works is a little complicated, but it's all automated in my tool.

Here's a breakdown summary of how it works...

We search for references to generic lookups in the PROKON_ini function; the machine code signature mask, with all the rom/compiler-specific data removed, looks something like "E6FxXXXX,64FxXXXX,C2FxXXXX,68XX".
PROKON is "Project Configuration", and it's used to extract the boolean bytes out of the calibration area of the rom and place them into bit positions in the 'cd_bits1_w' 16-bit variable.


Here we only care to discover the address of the 'cd_bits1_w' variable itself, to ensure we get perfect signature matches on exactly what we want. So...
e.g.

Code:
0x00022ED2:seg002: (+0   )  E6 F4 FD FF                  mov      rY, #XXXXh
0x00022ED6:seg002: (+4   )  64 F4 32 8D                  and      word_XXXX, rY <--------------- 328D   this finds us "cd_bits1_w"
0x00022EDA:seg002: (+8   )  C2 F4 19 00                  movbz    rY, byte_XXXX
0x00022EDE:seg002: (+12  )  68 41                        and      rY, #XX
0x00022EE0:seg002: (+14  )  2D 04                        jmpr     cc_Y, loc_XXXX

+6 = 328D  ( cd_bits1_w )

After discovering cd_bits1_w, now find the start by looking for a reference to the CDLSH bit setting. A good generic case is the Secondary Lambda function DLSH_20ms() with cd_bits1_w.
So we mask (substitute **** with 328D, which is different in every rom). Hence why we looked it up in the first step...

--                   
Code:
DLSH_20ms+0    F2 F4 ** **                              mov     r4, cd_bits1_w  ; cd_bits1_w :  [PROKON DDST DHLSHK DIMC DKATLRS DKVS DLSH DLSU DMDLU DSWEC]
DLSH_20ms+4    66 F4 XX XX                              and     r4, #XXXXh      ; bit 4 : B_CDLSH
DLSH_20ms+8    EA .. .. ..                              jmpa    cc_X, locret_XXXX
DLSH_20ms+C    9A .. .. ..                              jnb     XXXX.Y, loc_ZZZZ
DLSH_20ms+10   E0 ..                                    mov     rX, #YY
DLSH_20ms+12   74 .. .. ..                              or      .., rY ; DLSHintbits :  [DLSH]
Here we are searching for "f2fx****,66fxXXXX,ea20XXXX,9aXXXXXX,e0XX,74FxXXXX"

But first substitute **** for 328D, then search for:

So we actually search for "f2fx328d,66fxXXXX,ea20XXXX,9aXXXXXX,e0XX,74FxXXXX"

This will match something like:

Code:
0x0003F0A8:seg003: (+0   )  F2 F4 32 8D                  mov      r4, word_8D32
0x0003F0AC:seg003: (+4   )  66 F4 10 00                  and      r4, #0010h    <-------------- 1000  +6
0x0003F0B0:seg003: (+8   )  EA 20 88 F2                  jmpa     cc_UC, .loc_3F288
0x0003F0B4:seg003: (+12  )  9A 18 03 20                  jnb      word_FD30.2, loc_3F0BE
0x0003F0B8:seg003: (+16  )  E0 14                        mov      r4, #1
0x0003F0BA:seg003: (+18  )  74 F4 18 9B                  or       word_9B18, r4
   
where +6 = 0010h  <-----------
ZZZZ = 0010 (hex value). This is the bit value assigned by PROKON for the CDLSH variable. Again, it varies across roms, hence why we have to do this dance..

This is the bit hex value we now need to discover the address of...

---
So knowing that cd_bits1_w is 328D... call it YYYY

Search for the PROKON again, this time to find the actual address, but with the hex value we are interested in, in this case 1000, which was discovered in the DLSH function...

Code:
PROKON_IniVariablesFromControlWords+198  C2 FX XX XX                             movbz   r4, CDLSH       ; CDLSH : Codewort Sondendiagnose hinter Kat im OBDII-Mode (invers: Europa-Mode) [PROKON]
PROKON_IniVariablesFromControlWords+19C  68 XX                                   and     r4, #1
PROKON_IniVariablesFromControlWords+19E  2D XX                                   jmpr    cc_Z, _not_set
PROKON_IniVariablesFromControlWords+1A0  E6 FX YY YY                             mov     r4, #10h
PROKON_IniVariablesFromControlWords+1A4  74 FX ZZ ZZ                             or      cd_bits1_w, r4  ; cd_bits1_w :  [PROKON DDST DHLSHK DIMC DKATLRS DKVS DLSH DLSU DMDLU DSWEC]
PROKON_IniVariablesFromControlWords+1A8  0D XX                                   jmpr    cc_UC, _prk6
-------------------------------------------------
Search for "C2FxXXXX,68XX,2Dxx,E6FxZZZZ,74FxYYYY"

becomes.. "C2FxXXXX,68XX,2Dxx,E6Fx1000,74Fx328D"

Finally we find the correct entry in PROKON reference...

Code:
PROKON_IniVariablesFromControlWords+198  C2 F4 12 00                             movbz   r4, CDLSH       ; <------------- CDLSH 1200h
PROKON_IniVariablesFromControlWords+19C  68 41                                   and     r4, #1
PROKON_IniVariablesFromControlWords+19E  2D 05                                   jmpr    cc_Z, _prk5
PROKON_IniVariablesFromControlWords+1A0  E6 F4 10 00                             mov     r4, #10h
PROKON_IniVariablesFromControlWords+1A4  74 F4 32 8D                             or      cd_bits1_w, r4  ; cd_bits1_w :  [PROKON DDST DHLSHK DIMC DKATLRS DKVS DLSH DLSU DMDLU DSWEC]
PROKON_IniVariablesFromControlWords+1A8  0D 04                                   jmpr    cc_UC, _prk6
so... at offset +4, i.e. 1200 is CDLSH

0x204 (calibration start segment) * 0x4000 (segment size)
== 0x810000 + CDLSH
== 0x810000 + 0012
== 0x810012

so rom file offset is 0x10012  <=========== final offset to CDLSH in rom file in this specific case.

Offset 0x10012 in the file is the boolean for CDLSH; this determines if the Codeword for LSH (Secondary O2) is active or not.

It may seem long, but it can always automatically discover any of the CDxxx variables if you approach it like this, and you never need an original DAMOS / A2L.
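
As an added example (not part of the post and not 360trev's own code), here is a small Python implementation of the three-step walk just described: a masked-signature matcher that understands the x-nibble wildcards and the ****/YYYY/ZZZZ placeholders, applied to a constructed ROM image in which the three snippets quoted above are planted at arbitrary offsets. The function names, the sample image and the planted offsets are assumptions for the demonstration; the 0x800000 base of the 1 MB image is inferred from the ROM/File-Offset pairs the tool prints (e.g. ROM:0X813282 -> File-Offset:0X13282). One caveat the post glosses over: it writes cd_bits1_w as "328D", i.e. in ROM byte order, while the disassembler shows word_8D32 because the C167 stores words little-endian. The substitution into the next signature needs the byte-order form; the address arithmetic needs the numeric one, so the code keeps both.

```python
# Added example: masked-signature search over a C167 ROM image, following the
# three-step CDLSH walk from the post. The ROM image, the offsets the snippets
# are planted at and the helper names are all constructed for this demo.
import re

ROM_BASE = 0x800000   # assumption: the 1 MB ME7 image is mapped at 0x800000..0x8FFFFF
SEG_SIZE = 0x4000     # C167 segment size used in the post (0x204 * 0x4000 = 0x810000)


def parse_signature(sig):
    """Turn the post's notation ('E6FxXXXX,64FxXXXX,...') into (value, mask)
    byte pairs. 'x'/'X' is a masked nibble; commas only separate instructions.
    Any other non-hex letter (an unsubstituted 'YYYY', 'ZZZZ' or '****') is an
    error: placeholders must be replaced before searching."""
    digits = re.sub(r"[,\s]", "", sig)
    if len(digits) % 2:
        raise ValueError("signature must consist of whole bytes")
    pattern = []
    for i in range(0, len(digits), 2):
        val = mask = 0
        for nib in digits[i:i + 2]:
            val <<= 4
            mask <<= 4
            if nib in "xX":
                continue                      # wildcard nibble: mask stays 0
            if nib not in "0123456789abcdefABCDEF":
                raise ValueError(f"unsubstituted placeholder {nib!r} in {sig}")
            val |= int(nib, 16)
            mask |= 0xF
        pattern.append((val, mask))
    return pattern


def find_signature(rom, sig):
    """Return every byte offset in rom where the masked signature matches."""
    pat = parse_signature(sig)
    n = len(pat)
    return [off for off in range(len(rom) - n + 1)
            if all((rom[off + i] & m) == v for i, (v, m) in enumerate(pat))]


def find_unique(rom, sig):
    """A generic signature is only useful if it matches exactly once."""
    hits = find_signature(rom, sig)
    if len(hits) != 1:
        raise LookupError(f"expected one match for {sig}, got {hits}")
    return hits[0]


def word_bytes(rom, off):
    """Two bytes at off in ROM byte order, as the post writes them ('328D')."""
    return rom[off:off + 2].hex().upper()


def word_le(rom, off):
    """The same two bytes as a little-endian C167 word (word_8D32 in the listing)."""
    return int.from_bytes(rom[off:off + 2], "little")


def file_offset(seg, val):
    """Physical address = seg * 0x4000 + val; subtract the image base (assumption)."""
    phys = seg * SEG_SIZE + val
    if not ROM_BASE <= phys < ROM_BASE + 0x100000:
        raise ValueError(f"physical address 0x{phys:X} outside the 1 MB image")
    return phys - ROM_BASE


def locate_cdlsh(rom, cal_seg=0x204):
    """The post's three steps: cd_bits1_w -> CDLSH bit mask -> CDLSH address."""
    # Step 1: PROKON_ini lookup sequence; the word at +6 is cd_bits1_w.
    step1 = find_unique(rom, "E6FxXXXX,64FxXXXX,C2FxXXXX,68XX")
    cd_bits1_w = word_bytes(rom, step1 + 6)                 # '328D' in byte order
    # Step 2: DLSH_20ms reads cd_bits1_w; substitute it for '****'; +6 is the bit mask.
    sig2 = "f2fx****,66fxXXXX,ea20XXXX,9aXXXXXX,e0XX,74FxXXXX".replace("****", cd_bits1_w)
    step2 = find_unique(rom, sig2)
    bit_mask = word_bytes(rom, step2 + 6)                   # '1000' == word 0x0010
    # Step 3: the PROKON entry that ORs exactly that mask into cd_bits1_w; +2 is CDLSH.
    sig3 = ("C2FxXXXX,68XX,2Dxx,E6FxZZZZ,74FxYYYY"
            .replace("ZZZZ", bit_mask).replace("YYYY", cd_bits1_w))
    step3 = find_unique(rom, sig3)
    cdlsh = word_le(rom, step3 + 2)                         # 0x0012, offset in the cal segment
    return {"cd_bits1_w": cd_bits1_w, "bit_mask": word_le(rom, step2 + 6),
            "cdlsh": cdlsh, "file_offset": file_offset(cal_seg, cdlsh)}


def build_sample_rom():
    """Constructed 4 KB image: 0xFF filler with the post's three snippets planted."""
    rom = bytearray(b"\xFF" * 0x1000)
    prokon_ini = bytes.fromhex("E6F4FDFF 64F4328D C2F41900 6841 2D04")
    dlsh_20ms = bytes.fromhex("F2F4328D 66F41000 EA2088F2 9A180320 E014 74F4189B")
    prokon_bit = bytes.fromhex("C2F41200 6841 2D05 E6F41000 74F4328D 0D04")
    for off, snippet in ((0x100, prokon_ini), (0x300, dlsh_20ms), (0x500, prokon_bit)):
        rom[off:off + len(snippet)] = snippet
    return bytes(rom)


if __name__ == "__main__":
    result = locate_cdlsh(build_sample_rom())
    print({k: hex(v) if isinstance(v, int) else v for k, v in result.items()})
```

find_unique is the check worth keeping in a real tool: a signature that hits more than once, or not at all, means the mask is either too loose or too tight for this code base, and silently taking the first hit is how a wrong calibration byte gets patched.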


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on April 18, 2021, 04:41:31 PM
And here it is running 'in action'...

Code:
-[ PROKON Codewords for Diagnostics (CEL) ]-------------------------------------

>>> Scanning for 'PO2' Post O2 Cat Sensor disable
CDHSH   : From 1 to 0 @ offset=0x10007 : 'O2 Sensor Heating Diagnosis' Downstream of cat (after CAT) (OBDII Mode)
CDHSHE  : From 1 to 0 @ offset=0x10008 : 'O2 Sensor Heating Diagnosis' Downstream of cat (after CAT) (EU-coding)
CDKAT   : From 1 to 0 @ offset=0x1000B : 'Catalyst Diagnosis' (OBDII Mode)
CDLASH  : From 1 to 0 @ offset=0x1000D : 'O2 Sensor Aging Diagnosis' (SHK) (OBDII Mode)
CDLSH   : From 1 to 0 @ offset=0x10012 : 'Readiness' of O2 Sensor downstream of cat (after CAT) (OBDII Mode)

>>> Scanning for CWKONLS [Codeword for configuration of Lambda sensors]

found at offset=0x22d72 CWKONLS @ ADR:0x810020

[Forced PO2 Disable]
                   7 6 5 4 3 2 1 0  bits
                   ---------------
CWKONLS:     0X03  0 0 0 0 0 0 1 1
                   | | | | | | | |
                   | | | | | | | +--- b_lsv       Bit 0 : (Bank 1) Condition [1]. Lambda sensor installed upstream of cat downstream of outlet
                   | | | | | | +----- b_lsh       Bit 1 : (Bank 1) Condition [2]. Lambda sensor installed downstream of cat downstream of outlet
                   | | | | | +------- b_ls3       Bit 2 : (Bank 1) Condition [3]. Lambda sensor installed downstream of outlet
                   | | | | +--------- b_ls4       Bit 3 : (Bank 1) Condition [4]. Lambda sensor installed downstream of outlet
                   | | | +----------- b_lsv2      Bit 4 : (Bank 2) Condition [1]. Lambda sensor installed upstream of cat downstream of outlet
                   | | +------------- b_lsh2      Bit 5 : (Bank 2) Condition [2]. Lambda sensor installed downstream of cat downstream of outlet
                   | +--------------- b_ls32      Bit 6 : (Bank 2) Condition [3]. Lambda sensor installed downstream of outlet
                   +----------------- b_ls42      Bit 7 : (Bank 2) Condition [4]. Lambda sensor installed downstream of outlet

                   7 6 5 4 3 2 1 0  bits
                   ---------------
CWKONLS:     0X01  0 0 0 0 0 0 0 1
                   | | | | | | | |
                   | | | | | | | +--- b_lsv       Bit 0 : (Bank 1) Condition [1]. Lambda sensor installed upstream of cat downstream of outlet
                   | | | | | | +----- b_lsh       Bit 1 : (Bank 1) Condition [2]. Lambda sensor installed downstream of cat downstream of outlet
                   | | | | | +------- b_ls3       Bit 2 : (Bank 1) Condition [3]. Lambda sensor installed downstream of outlet
                   | | | | +--------- b_ls4       Bit 3 : (Bank 1) Condition [4]. Lambda sensor installed downstream of outlet
                   | | | +----------- b_lsv2      Bit 4 : (Bank 2) Condition [1]. Lambda sensor installed upstream of cat downstream of outlet
                   | | +------------- b_lsh2      Bit 5 : (Bank 2) Condition [2]. Lambda sensor installed downstream of cat downstream of outlet
                   | +--------------- b_ls32      Bit 6 : (Bank 2) Condition [3]. Lambda sensor installed downstream of outlet
                   +----------------- b_ls42      Bit 7 : (Bank 2) Condition [4]. Lambda sensor installed downstream of outlet



*before* : val=0x01
*after* .0: state=TRUE  & 01    PROKON_FD02.4  b_lsv  : Condition 1. Lambda sensor installed upstream   of cat (Bank1)
*after* .1: state=false & 02    PROKON_FD02.2  b_lsh  : Condition 2. Lambda sensor installed downstream of cat (Bank1)
*after* .2: state=false & 04    PROKON_FD00.14 b_ls3  : Condition 3. Lambda sensor installed downstream of cat (Bank1)
*after* .3: state=false & 08    PROKON_FD02.0  b_ls4  : Condition 4. Lambda sensor installed downstream of cat (Bank1)
*after* .4: state=false & 10    PROKON_FD02.5  b_lsv2 : Condition 1. Lambda sensor installed upstream   of cat (Bank2)
*after* .5: state=false & 20    PROKON_FD02.3  b_lsh2 : Condition 2. Lambda sensor installed downstream of cat (Bank2)
*after* .6: state=false & 40    PROKON_FD00.15 b_ls32 : Condition 3. Lambda sensor installed downstream of cat (Bank2)
*after* .7: state=false & 80    PROKON_FD02.1  b_ls42 : Condition 4. Lambda sensor installed downstream of cat (Bank2)

---------[ ROM #1 ]----------------------

-[ ESKONF Configuration of power stage (actuators) ]-------------------------------------------

>>> Scanning for ESKONF Lookup code sequence...

found needle at offset=0x58336
*** Deactivating ESKONF_L : LH Rear O2 heater output        ***, orig = 0x33
*** Deactivating ESKONF_L : LH Rear O2 heater output        ***, new  = 0xf3

*** Deactivating ESKONF_R : RH Rear O2 heater output        ***, orig = 0x33
*** Deactivating ESKONF_R : RH Rear O2 heater output        ***, new  = 0xf3


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on April 18, 2021, 04:58:06 PM
And here's the ME9 version (still WIP!) dumping the Errorclass and p-codes table from a Ferrari 458 (PowerPC) rom. I guess people will be more interested when I release my Tricore version :)

0) [search=1] All Buffer                Start:00000000 Length:00200000 2048.0 KBytes
        (1) found reference to sig @ byte_offset=0x47CC0

00047CC0: 88 8D AD 66   lbz         r4, -0x529A (r13)             ; +   0 (0x0000)
00047CC4: 3D 80 00 5E   lis         r12, 0x005E                   ; +   4 (0x0004)
00047CC8: 39 8C 90 F3   subi        r12, r12, 0x6F0D              ; +   8 (0x0008)
00047CCC: 3D 60 00 5E   lis         r11, 0x005E                   ; +  12 (0x000C)
00047CD0: 7D 8C 22 14   add         r12, r12, r4                  ; +  16 (0x0010)
00047CD4: 3C 60 00 5E   lis         r3, 0x005E                    ; +  20 (0x0014)
00047CD8: 39 6B A4 38   subi        r11, r11, 0x5BC8              ; +  24 (0x0018)
00047CDC: 7D 44 22 14   add         r10, r4, r4                   ; +  28 (0x001C)
00047CE0: 38 63 93 18   subi        r3, r3, 0x6CE8                ; +  32 (0x0020)
00047CE4: 54 84 18 38   rlwinm      r4, r4, 3, 0, 28              ; +  36 (0x0024)

        CLAAAA: seg=0x1D valu=0x90F3  file-offset=0x1D90F3  phy=0x5D90F3


--(Dumped Error Class Table [548 bytes] )
(001) 0x1D90F3:00 0x1D90F4:00
(002) 0x1D90F5:06 0x1D90F6:06
(003) 0x1D90F7:00 0x1D90F8:00
(004) 0x1D90F9:00 0x1D90FA:06
(005) 0x1D90FB:03 0x1D90FC:03
(006) 0x1D90FD:03 0x1D90FE:03
(007) 0x1D90FF:03 0x1D9100:03
(008) 0x1D9101:03 0x1D9102:03
(009) 0x1D9103:06 0x1D9104:06

.. cut ..

(273) 0x1D9313:03 0x1D9314:03
(274) 0x1D9315:00 0x1D9316:00
--
        CDCAAA: seg=0x1D valu=0x9318  file-offset=0x1D9318  phy=0x5D9318



--(Dumped Fault Code PID Table [4384 bytes] )
1D9318: (001) P0000 P0000 P0000 P0000   P0000 P0000 P0000 P0000   # +   0 (0x0000)
1D9320: (002) P0478 P0477 P0475 P0000   P1460 P1462 P1461 P0000   # +   8 (0x0008)
1D9328: (003) P0000 P0000 P0000 P0000   P0000 P0000 P0000 P0000   # +  16 (0x0010)
1D9330: (004) P0000 P0000 P0000 P0000   P145D P145E P145F P0000   # +  24 (0x0018)
1D9338: (005) P0000 P0000 P0000 P102E   P0000 P0000 P0000 P102F   # +  32 (0x0020)
1D9340: (006) P0000 P0000 P0014 P000B   P0000 P0000 P0024 P000D   # +  40 (0x0028)
1D9348: (007) P1526 P1527 P1528 P0000   P1534 P1535 P1536 P0000   # +  48 (0x0030)
1D9350: (008) P0338 P0000 P0339 P0336   P0388 P0000 P0389 P0386   # +  56 (0x0038)
1D9358: (009) P0000 P0000 P0000 P0571   P0000 P0000 P0000 P1569   # +  64 (0x0040)

.. cut ..

1D9B90: (272) P0000 P0000 P0000 P0000   P0000 P0000 P0000 P0000   # +2168 (0x0878)
1D9B98: (273) P1607 P160C P060A P0000   P1608 P160D P160A P0000   # +2176 (0x0880)
1D9BA0: (274) P0000 P0000 P0000 P0000   P0000 P0000 P0000 P0000   # +2184 (0x0888)
--
        (2) found reference to sig @ byte_offset=0x177A8C

00177A8C: 88 8D AD 66   lbz         r4, -0x529A (r13)             ; +   0 (0x0000)
00177A90: 3D 80 00 5E   lis         r12, 0x005E                   ; +   4 (0x0004)
00177A94: 39 8C 90 F3   subi        r12, r12, 0x6F0D              ; +   8 (0x0008)
00177A98: 3D 60 00 5E   lis         r11, 0x005E                   ; +  12 (0x000C)
00177A9C: 7D 8C 22 14   add         r12, r12, r4                  ; +  16 (0x0010)
00177AA0: 3C 60 00 5E   lis         r3, 0x005E                    ; +  20 (0x0014)
00177AA4: 39 6B A4 38   subi        r11, r11, 0x5BC8              ; +  24 (0x0018)
00177AA8: 7D 44 22 14   add         r10, r4, r4                   ; +  28 (0x001C)
00177AAC: 38 63 93 18   subi        r3, r3, 0x6CE8                ; +  32 (0x0020)
00177AB0: 54 84 18 38   rlwinm      r4, r4, 3, 0, 28              ; +  36 (0x0024)



Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: IamwhoIam on April 19, 2021, 03:34:52 AM
Very nice work, Trev!


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on April 21, 2021, 05:01:47 AM
Very nice work, Trev!

I'd forgotten just how much I'd done, actually. For instance, I just downloaded a random ME7 file for test purposes, in this case '06A906032HN.bin'.
Ran the tool on it and found 'free' space for code injection purposes (fully automatically)..

SSECUHN      : 0261207440               : systemSupplierECUHardwareNumber
SSECUSN      : 1037360646               : systemSupplierECUSoftwareNumber
DIF          : 06A906032HN              : ..
BRIF         : 0001                     : ..
OTHERID      : 1.8L R4/5VT              : ..

>>> Scanning for McMess EPK String information [info]
found KWP2000 needle @ offset:0x0002374A  (val=0005,seg=0204).
EPK: @ 0x10005 -> 0x10057 (39 bytes) { /1/ME7.5/5/4019.02//24b/Dst01o/210201// }
{
    "readECUIdentification": {
        "SSECUHN": "0261207440",
        "SSECUSN ": "1037360646",
        "DIF": "06A906032HN ",
        "BRIF": "0001",
        "OTHERID": "1.8L R4\/5VT     ",
        "EPK": "\/1\/ME7.5\/5\/4019.02\/\/24b\/Dst01o\/210201\/\/"
    }
}
Serialize readECUIdentification to file 'readECUIdentification.json' ..



-[ Free Space Analysis ]-----------------------------------

Searching for free space in firmware...

 1 ) Unused bytes @ 0x008040 - 0x008318 : length      728 (0x2D8   ) bytes
 2 ) Unused bytes @ 0x009A92 - 0x009DE6 : length      852 (0x354   ) bytes
 3 ) Unused bytes @ 0x00CB34 - 0x00DB00 : length    4,044 (0xFCC   ) bytes
 4 ) Unused bytes @ 0x00DF50 - 0x00F002 : length    4,274 (0x10B2  ) bytes
 5 ) Unused bytes @ 0x00F380 - 0x00FC00 : length    2,176 (0x880   ) bytes
 6 ) Unused bytes @ 0x00FC2E - 0x00FFFE : length      976 (0x3D0   ) bytes
 7 ) Unused bytes @ 0x0202E2 - 0x021B00 : length    6,174 (0x181E  ) bytes
 8 ) Unused bytes @ 0x028ABA - 0x030000 : length   30,022 (0x7546  ) bytes
 9 ) Unused bytes @ 0x032EA0 - 0x033A00 : length    2,912 (0xB60   ) bytes
10 ) Unused bytes @ 0x0A5848 - 0x0FFFE0 : length  370,584 (0x5A798 ) bytes

Discovered 422,742 bytes (412.0 KBytes) unused in firmware [40.3%].

Largest free chunk region : 0xA5848, length  370,584 bytes.

--
Yes easy stuff but useful..

Or how about detecting VSV?

>>> Scanning for ROM VerstellSystem Variables table...

Num of entries: 17
VSV             @ ROM:0X813282 RAM:0X6E32A2 File-Offset:0X13282 (seg=0x0204 [segadr=0x810000] val=0x3282)

 1 ) vszw             | 0x3808A5 | Ignition timing           | 0 KW  | Byte |-96..95.25 KW       | 0.75 KW   | ZUE
 2 ) vsfrk            | 0x38089E | Mixture factor            | 1,0   | Byte | 0.75..1.25         | 0.001953  | ESGRU
 3 ) vsvw             | 0x3808A3 | Advancement angle         | 0 KW  | Byte | -768...762         | 6 KW      | ESVW
 4 ) vsns             | 0x3808A1 | Nominal speed             | 0 RPM | Byte | 0..2550/min        | 10 RPM    | LLRNS
 5 ) vszwkr_0_A       | 0x3808A6 | Ignition timing firing 1  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
 6 ) vszwkr_1_A       | 0x3808A7 | Ignition timing firing 2  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
 7 ) vszwkr_2_A       | 0x3808A8 | Ignition timing firing 3  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
 8 ) vszwkr_3_A       | 0x3808A9 | Ignition timing firing 4  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
 9 ) vszwkr_4_A       | 0x3808AA | Ignition timing firing 5  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
10 ) vszwkr_5_A       | 0x3808AB | Ignition timing firing 6  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
11 ) vszwkr_6_A       | 0x3808AC | Ignition timing firing 7  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
12 ) vszwkr_7_A       | 0x3808AD | Ignition timing firing 8  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
13 ) vske             | 0x38089F | Knock detection threshold | 0     | Byte | -8..8              | 0,0627    | KRKE
14 ) vsdmr            | 0x38089C | Torque reserve            | 0 %   | Byte | 0..99.6%           | 0.3906%   | MDKOL
15 ) vsfpses          | 0x38089D | Manifold air pressure     | 1     | Byte | 0..2               | 0,0078    | AES
16 ) vsrlmx           | 0x3808A2 | max.rl for LDR            | 0%    | Byte | rel sb q0p75                   | LDRLMX  ** Note: This is a SY_Turbo=true Application**
17 ) vsldtv           | 0x3808A0 | TV LDR for appl. control  | 0%    | Byte | tv ub q0p64                    | LDTVMA  ** Note: This is a SY_Turbo=true Application**


The list of things it can do is quite extensive these days...



Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on April 21, 2021, 05:18:23 AM
Or if that's a bit 'meh'... what about this feature? Automated CAN analysis.

Code:
Discovered 1 CAN node transmission function:
        CAN_A @ 0x34280

CAN Signature matches: 24
CAN Receive Ids
------------------------------------------------------------------------------------

can_msgobj[00]: type RX, RxCount= 1 { 0x0316 (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] miist_b  : Indexed engine torque high-pressure phase value
        [ 1    ] mifa_b   : Indexed engine torque driver request
        [ 2    ] mrfa_b   : Relative driver's wish torque from FGR and Pedal
        [ 3    ] mdverl_b : Engine loss moment
        [ 4    ] mimax_b  : Maximum reachable indexed moment
        [ 5    ] mdnorm_b : Maximum indexed engine torque for moment normalization
        [ 6    ] .0 : word_FD4A.11  **FIXME**
                 .1 : word_FD76.12  **FIXME**
                 .2 : word_FD76.8   **FIXME**
                 .3 : word_FD52.14  **FIXME**
                 .4 : word_FD52.11  **FIXME**
                 .5 : word_FD5C.11  **FIXME**
                 .6 : sfpbrems     : Sfpbrems: Status Error Path Brake: Brake Switch
                 .7 : word_FD5C.5   **FIXME**
        [ 7    ] unused
 };
can_msgobj[01]: type RX, RxCount= 1 { 0x0329 (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0- 1 ] mdverl_w: Motor torque loss
        [ 2- 3 ] dmllri_w: Required change in torque from the LLR (I component)
        [ 4    ] unused
        [ 5    ] unused
        [ 6    ] unused
        [ 7    ] unused
 };
can_msgobj[02]: type RX, RxCount= 1 { 0x051F (8) @ CAN_A };
can_msgobj[03]: type RX, RxCount= 1 { 0x034A (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] mist_w    : Indexed engine torque high pressure phase
        [ 1    ] mifa_w    : Indexed engine torque driver request
        [ 2    ] mrfa_w    : Relative driver's wish torque from FGG and pedal
        [ 3    ] mdlover_w : Engine loss moment
        [ 4    ] mimax_w   : Maximum reachable indexed moment
        [ 5    ] mdnorm    : Maximum indexed engine torque for moment normalization
        [ 6    ] _bits_    : Various bits **FIXME**
        [ 7    ] unused
 };
can_msgobj[04]: type RX, RxCount= 1 { 0x037C (8) @ CAN_A };
can_msgobj[05]: type RX, RxCount= 1 { 0x058F (8) @ CAN_A };
can_msgobj[06]: type RX, RxCount= 1 { 0x0153 (8) @ CAN_A        ASR Anti-Slip };
can_msgobj[07]: type RX, RxCount= 1 { 0x0613 (8) @ CAN_A
        *** Dashboard/Body ECU ***
        [ 0    ] unused
        [ 1    ] unused
        [ 2    ] unused
        [ 3    ] tankfst   : Fuel Tank Level
        [ 4    ] unused
        [ 5    ] unused
        [ 6    ] unused
        [ 7    ] unused
 };
can_msgobj[08]: type RX, RxCount= 1 { 0x045F (8) @ CAN_A
        *** Transmission Control Unit (NCR) ***
        [ 0    ] mdnorm
        [ 1    ] mdnorm
        [ 2    ] .0 \
                 .1  + gang_kup       : From F1 gearbox NCR Received current gear (3 bits)
                 .2 /
                 .3 CAN_bits1_FD10.2  : **FIXME**
                 .4 word_FD14.13      : **FIXME**
                 .5 CAN_FLAGS_ERR.5   : **FIXME**
                 .6 word_FD14.15      : **FIXME**
                 .7 CAN_FLAGS_ERR.1   : **FIXME**
        [ 3    ] mdindkuc_w : Indexed engine torque Request from F1 gearbox
        [ 4    ] nsoll_kup  : Setpoint speed from F1 gearbox
        [ 5    ] unused
        [ 6    ] unused
        [ 7    ] .0 CAN_bits2_FD18.6  : **FIXME**
 };
can_msgobj[09]: type RX, RxCount= 1 { 0x05AF (8) @ CAN_A };
can_msgobj[10]: type RX, RxCount= 1 { 0x05CF (8) @ CAN_A        Secondary Air Mass };
can_msgobj[11]: type RX, RxCount= 1 { 0x01F0 (8) @ CAN_A
        *** ABS Wheel Speeds: Message Populated/Generated/Sent by ABS ECU *** ;
        [ 0 -1 ] vrad_vl_w  : Wheel speed Front left
        [ 2 -3 ] vrad_vr_w  : Wheel speed Front right
        [ 4 -5 ] vrad_hl_w  : Wheel speed Rear left
        [ 6 -7 ] vrad_hr_w  : Wheel speed Rear right
 };
can_msgobj[12]: type RX, RxCount= 1 { 0x05BF (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] unused
        [ 1    ] unused
        [ 2    ] unused
        [ 3    ] unused
        [ 4    ] unused
        [ 5    ] _bits_    : Various bits **FIXME**
        [ 6 -7 ] wpedc_w   : Pedal value shared between ME7 ECU's
 };
can_msgobj[13]: type RX, RxCount= 1 { 0x05D5 (8) @ CAN_A };
can_msgobj[14]: Unused
can_msgobj[15]: Unused

CAN Transmit Ids
------------------------------------------------------------------------------------

can_msgobj[00]: type TX, RxCount= 1 { 0x0316 (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] miist_b  : Indexed engine torque high-pressure phase value
        [ 1    ] mifa_b   : Indexed engine torque driver request
        [ 2    ] mrfa_b   : Relative driver's wish torque from FGR and Pedal
        [ 3    ] mdverl_b : Engine loss moment
        [ 4    ] mimax_b  : Maximum reachable indexed moment
        [ 5    ] mdnorm_b : Maximum indexed engine torque for moment normalization
        [ 6    ] .0 : word_FD4A.11  **FIXME**
                 .1 : word_FD76.12  **FIXME**
                 .2 : word_FD76.8   **FIXME**
                 .3 : word_FD52.14  **FIXME**
                 .4 : word_FD52.11  **FIXME**
                 .5 : word_FD5C.11  **FIXME**
                 .6 : sfpbrems     : Sfpbrems: Status Error Path Brake: Brake Switch
                 .7 : word_FD5C.5   **FIXME**
        [ 7    ] unused
 };
can_msgobj[01]: type TX, RxCount= 1 { 0x0329 (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0- 1 ] mdverl_w: Motor torque loss
        [ 2- 3 ] dmllri_w: Required change in torque from the LLR (I component)
        [ 4    ] unused
        [ 5    ] unused
        [ 6    ] unused
        [ 7    ] unused
 };
can_msgobj[02]: type TX, RxCount= 1 { 0x051F (8) @ CAN_A };
can_msgobj[03]: type TX, RxCount= 1 { 0x034A (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] mist_w    : Indexed engine torque high pressure phase
        [ 1    ] mifa_w    : Indexed engine torque driver request
        [ 2    ] mrfa_w    : Relative driver's wish torque from FGG and pedal
        [ 3    ] mdlover_w : Engine loss moment
        [ 4    ] mimax_w   : Maximum reachable indexed moment
        [ 5    ] mdnorm    : Maximum indexed engine torque for moment normalization
        [ 6    ] _bits_    : Various bits **FIXME**
        [ 7    ] unused
 };
can_msgobj[04]: type TX, RxCount= 1 { 0x037C (8) @ CAN_A };
can_msgobj[05]: type TX, RxCount= 1 { 0x058F (8) @ CAN_A };
can_msgobj[06]: Unused
can_msgobj[07]: Unused
can_msgobj[08]: Unused
can_msgobj[09]: type TX, RxCount= 1 { 0x05AF (8) @ CAN_A };
can_msgobj[10]: type TX, RxCount= 1 { 0x05CF (8) @ CAN_A        Secondary Air Mass };
can_msgobj[11]: Unused
can_msgobj[12]: type TX, RxCount= 1 { 0x05BF (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] unused
        [ 1    ] unused
        [ 2    ] unused
        [ 3    ] unused
        [ 4    ] unused
        [ 5    ] _bits_    : Various bits **FIXME**
        [ 6 -7 ] wpedc_w   : Pedal value shared between ME7 ECU's
 };
can_msgobj[13]: type TX, RxCount= 1 { 0x05D5 (8) @ CAN_A };
can_msgobj[14]: Unused
can_msgobj[15]: Unused

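Added example (not part of me7romtool or the post above): a small parser for the `can_msgobj` listing format printed above, plus a helper that splits a raw frame into the named fields. The listing does not state byte order within multi-byte fields; little-endian is an assumption here.

```python
import re

# Constructed excerpt of the me7romtool CAN message-object listing (copied from the post above).
SAMPLE_LISTING = """\
can_msgobj[11]: type RX, RxCount= 1 { 0x01F0 (8) @ CAN_A
        *** ABS Wheel Speeds: Message Populated/Generated/Sent by ABS ECU *** ;
        [ 0 -1 ] vrad_vl_w  : Wheel speed Front left
        [ 2 -3 ] vrad_vr_w  : Wheel speed Front right
        [ 4 -5 ] vrad_hl_w  : Wheel speed Rear left
        [ 6 -7 ] vrad_hr_w  : Wheel speed Rear right
 };
can_msgobj[13]: type RX, RxCount= 1 { 0x05D5 (8) @ CAN_A };
"""

# Header line: object index, direction, CAN id, DLC and bus name.
HDR = re.compile(r"can_msgobj\[(\d+)\]: type (RX|TX), RxCount=\s*(\d+) "
                 r"\{ 0x([0-9A-Fa-f]+) \((\d+)\) @ (\w+)")
# Field line: "[ lo -hi ] name : description" (hi is absent for single-byte fields).
FIELD = re.compile(r"\[\s*(\d+)\s*-?\s*(\d*)\s*\]\s+(\w+)\s*:\s*(.*)")

def parse_listing(text):
    """Map CAN id -> {obj, dir, dlc, bus, fields: [(lo, hi, name, desc)]}."""
    objs, cur = {}, None
    for line in text.splitlines():
        m = HDR.search(line)
        if m:
            cur = {"obj": int(m.group(1)), "dir": m.group(2), "dlc": int(m.group(5)),
                   "bus": m.group(6), "fields": []}
            objs[int(m.group(4), 16)] = cur
            continue
        m = FIELD.search(line)
        if m and cur is not None:
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            cur["fields"].append((lo, hi, m.group(3), m.group(4).strip()))
    return objs

def split_frame(layout, data, byteorder="little"):
    """Slice a raw frame into the named fields of one message object.
    Byte order is an assumption: the listing does not state it (C167 words are little-endian)."""
    if len(data) != layout["dlc"]:
        raise ValueError(f"expected {layout['dlc']} data bytes, got {len(data)}")
    return {name: int.from_bytes(data[lo:hi + 1], byteorder)
            for lo, hi, name, _desc in layout["fields"]}

if __name__ == "__main__":
    objs = parse_listing(SAMPLE_LISTING)
    frame = bytes([0x10, 0x27, 0x11, 0x27, 0x0F, 0x27, 0x12, 0x27])  # constructed 0x01F0 frame
    print(split_frame(objs[0x01F0], frame))
```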

Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: 360trev on April 21, 2021, 05:38:49 AM
Very nice work, Trev!

Thanks!


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: Blazius on April 24, 2021, 09:32:49 AM
Good job Trev, I'd say ME7 is far from dead (hell, it was still manufactured in 2010), given that many B5's etc. are still running around the roads, however it probably doesn't hold monetary value to professional tuners so yeah :)


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: Tomas on April 29, 2021, 03:53:09 AM
Trev, it looks very interesting! Great job! How close are you to releasing the update? I am interested to learn


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: darklet on August 30, 2022, 03:56:06 AM
How far have you got adding ST10F275 flash support to this, the 832k file type found on ME7.4.5 in PSA cars and others?


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: Xylynx on October 25, 2022, 02:19:07 AM
Nice work Trev. Gave this a go on a VW VR5 binary and it got 1 or 2 maps, I guess the low hit rate is due to the strict pattern matching you mentioned. Is there going to be another update coming for this or is it "for Trev's eyes only" now? :)


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: geo22 on November 09, 2022, 07:58:27 AM
How can I get it working?
Clicking me7romtool.exe makes its cmd window just blink once, and that's it. Nothing happens.
What could I do wrong?


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: nyet on November 09, 2022, 08:47:07 AM
How can I get it working?
Clicking me7romtool.exe makes its cmd window just blink once, and that's it. Nothing happens.
What could I do wrong?

You don't click on it.

It's a command line program.

You run it from the command line.


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: geo22 on November 16, 2022, 01:26:42 PM
Yes, sir! I've tried and it showed me the list of options, which I can't manage to use.


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: adam- on November 17, 2022, 01:13:13 AM
Printscreen of the options and what you're stuck on.


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: Geomeo on November 17, 2022, 12:27:21 PM
Yes, sir! I've tried and it showed me the list of options, which I can't manage to use.

Try typing help at the command prompt followed by the return key... This thing here: C:\Users\NOOOOOB>. This will list all the commands currently supported by Microsoft. There are more commands not listed, but let's just not go there at the moment. The two commands that will help you the most are CD and Dir. If you type any command listed in the help menu followed by /? you will see the arguments to pass to that specific command. For example CD /? This is used for changing directory or folder and will give you options on what to do with it. Or Dir /? Dir is used to find out what is in that directory or folder. You can use Google for more information on the commands too.

Typically speaking you want your command prompt to be showing the directory your program is in, and any associated files that came with the program should be in the same directory. Programs and files can be done using different directories, but it's a bit more typing. And a lot more explaining. So for example C:\Users\NOOOOOB\Desktop\myfolder\Myprogram.exe associatedfile.bin

Some 3rd party programs allow for /? at the end depending on who built the program. And for some, if you just type in Myprogram without passing an argument, the window will list all the arguments that can be passed into the program. Some programs have readme files that come with them. ALWAYS read those first. If you're still getting nowhere, Google examples of running commands in the command window.


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: nyet on November 17, 2022, 12:56:25 PM
Printscreen of the options and what you're stuck on.

Please don't print screen,

copy/paste text.


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: zCruuz on October 16, 2023, 01:02:13 PM
Will the up-to-date version ever be released on git?


Title: Re: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
Post by: jibberjive on October 23, 2023, 11:55:52 AM
Also curious if there is a plan to get the updated version on github?