NefMoto

Technical => Reverse Engineering => Topic started by: totti on August 04, 2021, 01:40:00 AM



Title: Identify RAM variable
Post by: totti on August 04, 2021, 01:40:00 AM
Hi,

I started to disassemble binary files. I'm using an .ecu file to identify the RAM variables. But I found some which are not listed in the .ecu file. Is there any way to identify these?


thank you


Title: Re: Identify RAM variable
Post by: timus on August 04, 2021, 02:21:24 AM
You can use the DAMOS file for your bin, it contains all important RAM variables and maps.

If you don't have a DAMOS you can analyze the code and read the Funktionsrahmen and try to find out which variable you are looking at.


Title: Re: Identify RAM variable
Post by: totti on August 04, 2021, 03:15:44 AM
You can use the DAMOS file for your bin, it contains all important RAM variables and maps.

If you don't have a DAMOS you can analyze the code and read the Funktionsrahmen and try to find out which variable you are looking at.

I don't have a DAMOS for 8N0906018BH 0001. The variable I'm searching for is 0x380AC4. It is somehow related to the unique pops and bangs code. The code sets it to 0xFF.


Title: Re: Identify RAM variable
Post by: fknbrkn on August 04, 2021, 04:11:41 AM
Search for crosslinks (x key)
Trace it to known ones



Title: Re: Identify RAM variable
Post by: timus on August 04, 2021, 04:44:58 AM
The variable I'm searching for is 0x380AC4. It is somehow related to the unique pops and bangs code.
If it's some unique code, all you can do is analyze what it does and where it comes from, and come up with a name for it yourself.


Title: Re: Identify RAM variable
Post by: gremlin on August 04, 2021, 12:20:04 PM
The variable I'm searching for is 0x380AC4.

380AC4 - nwe [Wiedereinsetzdrehzahl]
Full RAM and BITs list in attachment.



Title: Re: Identify RAM variable
Post by: totti on August 04, 2021, 12:39:55 PM
380AC4 - nwe [Wiedereinsetzdrehzahl]
Full RAM and BITs list in attachment.



Thank you very much. I have not found this kind of document before. Do you have it for 06A906032HN 0001?


Title: Re: Identify RAM variable
Post by: totti on August 04, 2021, 02:15:08 PM
Now I totally don't understand what happened in the bin file.
The original bin contains:
movb    byte_8AC4, rl6

The modified bin, which contains a function I would like to understand (cruise control switched pops and bangs):
the original line is replaced with calls   8Ah, 19D0h ; 8A19D0h
At 8A19D0 this is the code:
ROM:000A19D0                 jb      word_FD10.2, loc_A19E2
ROM:000A19D4                 movb    rl6, #0FFh
ROM:000A19D8                 exts    #38h, #1 ; '8'
ROM:000A19DC                 movb    0AC4h, rl6 ; 380AC4h
ROM:000A19E0                 jmpr    cc_UC, locret_A19EA
ROM:000A19E2 ; ---------------------------------------------------------------------------
ROM:000A19E2
ROM:000A19E2 loc_A19E2:                              ; CODE XREF: ROM:000A19D0↑j
ROM:000A19E2                 exts    #38h, #1 ; '8'
ROM:000A19E6                 movb    0AC4h, rl6 ; 380AC4h
ROM:000A19EA
ROM:000A19EA locret_A19EA:                           ; CODE XREF: ROM:000A19E0↑j
ROM:000A19EA                 rets


So for me it seems that the original 8AC4 address changed to 0AC4.


Title: Re: Identify RAM variable
Post by: Blazius on August 04, 2021, 03:06:37 PM
Post the file.


Title: Re: Identify RAM variable
Post by: gremlin on August 04, 2021, 03:37:39 PM
Now I totally don't understand what happened in the bin file.


It's simple.
If the CCS key is pressed (flag FFD0.2 = 1), we set the fuel supply resumption engine speed to an unrealistically high 256 * 40 = 10240 rpm.
It effectively means that fuel is switched off.
Not pressed - leave the value as it was in the original code.


Title: Re: Identify RAM variable
Post by: totti on August 04, 2021, 11:30:14 PM
It's simple.
If the CCS key is pressed (flag FFD0.2 = 1), we set the fuel supply resumption engine speed to an unrealistically high 256 * 40 = 10240 rpm.
It effectively means that fuel is switched off.
Not pressed - leave the value as it was in the original code.


The first part is ok. My problem is that in the original file the 8AC4 address gets the rl6 register value, in the custom code the 0AC4.


Title: Re: Identify RAM variable
Post by: fknbrkn on August 05, 2021, 12:04:25 AM
8AC4 is the short addressing for 380AC4
program flow looks sooo nooby


Title: Re: Identify RAM variable
Post by: totti on August 05, 2021, 12:52:48 AM
8AC4 is the short addressing for 380AC4
program flow looks sooo nooby

Ahh ok. Thanks for the info. I just received the bin with the function and am trying to understand what is implemented inside.


Title: Re: Identify RAM variable
Post by: totti on August 06, 2021, 05:34:30 AM
Post the file.

Here is the cut-out part of the bin


Title: Re: Identify RAM variable
Post by: Blazius on August 06, 2021, 12:50:03 PM
Here is the cut-out part of the bin

It's basically:

if(FD10.2 == 1(S_fgrhs - Main switch on the FGR control lever))
{
  movb RAM:380AC4 ( nwe - Wiedereinsetzdrehzahl) , whatever is in rl6)
}
else
FF rl6
FF'd RAM:380AC4 with rl6
unconditional jump to A19EA -> return


Title: Re: Identify RAM variable
Post by: totti on August 06, 2021, 02:20:25 PM
It's basically:

if(FD10.2 == 1(S_fgrhs - Main switch on the FGR control lever))
{
  movb RAM:380AC4 ( nwe - Wiedereinsetzdrehzahl) , whatever is in rl6)
}
else
FF rl6
FF'd RAM:380AC4 with rl6
unconditional jump to A19EA -> return

I understand the code, the problem was with the variables. But thank you for describing it.


Title: Re: Identify RAM variable
Post by: totti on August 13, 2021, 02:07:28 PM
8AC4 is the short addressing for 380AC4
program flow looks sooo nooby

I've modified it
Code:
ROM:000A592A                 jb      word_FD10.4, loc_A5932
ROM:000A592E                 movb    rl6, #0FFh
ROM:000A5932
ROM:000A5932 loc_A5932:                              ; CODE XREF: ROM:000A592A↑j
ROM:000A5932                 exts    #38h, #1 ; '8'
ROM:000A5936                 movb    0ADAh, rl6 ; 380ADAh
ROM:000A593A                 rets
ROM:000A593A ; ---------------------------------------------------------------------------
ROM:000A593C                 db 0FFh
ROM:000A593D                 db 0FFh
ROM:000A593E                 db 0FFh
ROM:000A593F                 db 0FFh
ROM:000A5940 ; ---------------------------------------------------------------------------
ROM:000A5940                 jb      word_FD10.4, loc_A5960
ROM:000A5944                 movb    rl4, nmot
ROM:000A5948                 cmpb    rl4, #3Eh ; '>'
ROM:000A594C                 jmpr    cc_ULE, loc_A5960
ROM:000A594E                 exts    #38h, #1 ; '8'
ROM:000A5952                 movb    rl4, 9B1h ; 3809B1h
ROM:000A5956                 cmpb    rl4, #0
ROM:000A5958                 jmpr    cc_NZ, loc_A5960
ROM:000A595A                 movb    rl4, #0E8h
ROM:000A595E                 movb    [r12], rl4
ROM:000A5960
ROM:000A5960 loc_A5960:                              ; CODE XREF: ROM:000A5940↑j
ROM:000A5960                                         ; ROM:000A594C↑j ...
ROM:000A5960                 movb    zwout, [r12]
ROM:000A5964                 rets


Title: Re: Identify RAM variable
Post by: totti on September 14, 2021, 01:46:16 PM
I would like to modify lamfa when different conditions are true.
I have an HN 0001 ECU. These are the lines from my ecu file:
lamfa_w         , {TargetAFRDriverRequest}          , 0x384ACE,  2,  0x0000, {-}       , 0, 0,  0.000244141,      0, {Lambdasoll Fahrerwunsch (word)}
lamfaw_w        , {}                                , 0x384ACC,  2,  0x0000, {-}       , 0, 0,  0.000244141,      0, {Lambdasoll Fahrerwunsch Anteil aus Kennfeld LAMFA}

I searched for lamfa and lamfaw but I could not find any movb instructions to them. How can I find where these variables are written in the code?

Thank you


Title: Re: Identify RAM variable
Post by: fknbrkn on September 14, 2021, 11:46:58 PM
After the lamfa map, as usual.
Screenshot from another file but it's the same as yours.

any movb?

it's a word so..


Title: Re: Identify RAM variable
Post by: DT on September 15, 2021, 01:39:13 PM
I searched for lamfa and lamfaw but I could not find any movb functions to them. How can I find where these variables are written in the code?
As fukenbroken said, they are words.

With me7idatool the following pictures show what you can produce in IDA in less than 10 min without an a2l/DAMOS for your specific revision.  :o  ;D
There are 5+2 positions for lamfa_w and lamfaw_w respectively.


Title: Re: Identify RAM variable
Post by: totti on September 16, 2021, 12:36:00 AM
Thank you all. I just started with IDA and I don't know which plugin or tool is needed. Currently I just loaded the bin and am trying to manually find the code and variables. Can you tell me where I can find the me7idatool?

Thank you


Title: Re: Identify RAM variable
Post by: totti on September 16, 2021, 06:55:07 AM
As fukenbroken said, they are words.

With me7idatool the following pictures show what you can produce in IDA in less than 10 min without an a2l/DAMOS for your specific revision.  :o  ;D
There are 5+2 positions for lamfa_w and lamfaw_w respectively.


I found where I can modify lamfaw_w. What I don't know is what to do with the extp command. Change it to calls and the mov command to NOP, or can the extp stay and I change the mov to calls?


Title: Re: Identify RAM variable
Post by: fknbrkn on September 16, 2021, 07:12:00 AM
Nop the extp and replace the mov with calls


Title: Re: Identify RAM variable
Post by: totti on September 16, 2021, 09:41:46 AM
8AC4 is the short addressing for 380AC4
program flow looks sooo nooby

Is there any benefit to using short or long addresses?


Title: Re: Identify RAM variable
Post by: fknbrkn on September 16, 2021, 10:37:50 AM
Fewer operations = less CPU load
Pretty sure it's unnecessary in that case, but optimization skill always counts


Title: Re: Identify RAM variable
Post by: totti on September 16, 2021, 12:51:35 PM
Fewer operations = less CPU load
Pretty sure it's unnecessary in that case, but optimization skill always counts


Thank you.  I will read about the C166 to understand why RAM is mapped into 2 spaces.
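The "8AC4 is the short addressing for 380AC4" answer, the extp/exts question, and the .ecu lines posted above all come down to the same thing: the C166 reaches a 24-bit RAM address either through a 16-bit DPP-relative short operand, through an EXTS segment override (`exts #38h` + `0AC4h`), or through an EXTP page override. The script below is an added example, not code from this thread or from me7idatool: it resolves each of those operand forms to a linear address and looks the result up in a table parsed from .ecu lines. The ME7 DPP values (DPP2 = 0xE0) are assumed from common IDA setups, the `nwe` .ecu entry is constructed (8-bit, 40 rpm per LSB as stated in the thread), and `identify()` is a helper invented for the example.

```python
"""Resolve C166 operand addresses and look them up in an .ecu variable table.

Added example, not code from the NefMoto thread or from me7idatool. Assumes the
Bosch ME7 DPP register values used by common IDA setups (DPP2 = 0xE0 maps the
0x38xxxx RAM window) and the .ecu line layout shown in the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed ME7 data page pointers (DPP0..DPP3). DPP2 = 0xE0 -> 0xE0 << 14 == 0x380000.
ME7_DPP: Dict[int, int] = {0: 0x204, 1: 0x205, 2: 0x0E0, 3: 0x003}


def resolve_short(addr16: int, dpp: Dict[int, int] = ME7_DPP) -> int:
    """Short (DPP-relative) 16-bit operand -> 24-bit linear address.
    Bits 15..14 pick the DPP register, bits 13..0 are the offset in that 16 KB page.
    Example: 0x8AC4 -> DPP2 (0xE0) -> 0x380AC4."""
    return (dpp[addr16 >> 14] << 14) | (addr16 & 0x3FFF)


def resolve_exts(seg: int, off16: int) -> int:
    """EXTS #seg, #n followed by a 16-bit operand: address = seg:off16 (64 KB segment)."""
    return (seg << 16) | off16


def resolve_extp(page: int, off16: int) -> int:
    """EXTP #page, #n followed by a 16-bit operand: 16 KB page, low 14 bits of operand."""
    return (page << 14) | (off16 & 0x3FFF)


def page_and_offset(linear: int) -> Tuple[int, int]:
    """Inverse of resolve_extp: the EXTP page/offset pair that reaches a linear address."""
    return linear >> 14, linear & 0x3FFF


@dataclass
class EcuVar:
    name: str
    address: int
    size: int
    factor: float
    offset: float
    description: str

    def decode(self, raw: int) -> float:
        """Raw ECU value -> physical value using the .ecu factor and offset."""
        return raw * self.factor + self.offset


def split_ecu_line(line: str) -> List[str]:
    """Split an .ecu line on commas, leaving commas inside {...} fields alone."""
    fields, cur, depth = [], [], 0
    for ch in line:
        depth += (ch == "{") - (ch == "}")
        if ch == "," and depth == 0:
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur).strip())
    return fields


def parse_ecu(text: str) -> List[EcuVar]:
    """Parse .ecu lines: name, {alias}, address, size, ?, {unit}, ?, ?, factor, offset, {desc}."""
    out = []
    for line in text.splitlines():
        f = split_ecu_line(line)
        if not line.strip() or len(f) < 11:
            continue  # skip blank or malformed lines rather than guess at them
        out.append(EcuVar(f[0], int(f[2], 16), int(f[3]), float(f[8]),
                          float(f[9]), f[10].strip("{}")))
    return out


def lookup(table: List[EcuVar], linear: int) -> Optional[EcuVar]:
    """Return the variable whose [address, address + size) range covers `linear`."""
    return next((v for v in table if v.address <= linear < v.address + v.size), None)


# Two lines copied from the thread plus one constructed nwe entry (8-bit, 40 rpm/LSB).
SAMPLE_ECU = """
lamfa_w         , {TargetAFRDriverRequest}          , 0x384ACE,  2,  0x0000, {-}       , 0, 0,  0.000244141,      0, {Lambdasoll Fahrerwunsch (word)}
lamfaw_w        , {}                                , 0x384ACC,  2,  0x0000, {-}       , 0, 0,  0.000244141,      0, {Lambdasoll Fahrerwunsch Anteil aus Kennfeld LAMFA}
nwe             , {}                                , 0x380AC4,  1,  0x0000, {rpm}     , 0, 0,  40,               0, {Wiedereinsetzdrehzahl (constructed entry)}
"""
TABLE = parse_ecu(SAMPLE_ECU)


def _hexv(tok: str) -> int:
    """Parse an IDA-style hex token such as '0AC4h' or '38h'."""
    return int(tok.rstrip("hH"), 16)


def identify(operand: str) -> str:
    """Name the variable behind one operand spelling from the listing (hypothetical helper).
    Accepts 'movb 8AC4h' (short), 'exts 38h, 0AC4h' and 'extp 0E1h, 0ACEh' forms."""
    parts = operand.replace(",", " ").split()
    if parts[0] == "exts":
        linear = resolve_exts(_hexv(parts[1]), _hexv(parts[2]))
    elif parts[0] == "extp":
        linear = resolve_extp(_hexv(parts[1]), _hexv(parts[2]))
    else:
        linear = resolve_short(_hexv(parts[-1]))
    var = lookup(TABLE, linear)
    return f"{linear:06X} -> {var.name if var else '<unknown>'}"


if __name__ == "__main__":
    print(identify("movb 8AC4h"))        # 380AC4 -> nwe
    print(identify("exts 38h, 0AC4h"))   # 380AC4 -> nwe (same byte, other spelling)
    print(identify("extp 0E1h, 0ACEh"))  # 384ACE -> lamfa_w
    print(TABLE[2].decode(0xFF))         # 10200.0 rpm: resume speed never reached
```

Run against a real .ecu file by replacing `SAMPLE_ECU` with the file contents; `lookup()` matches the whole byte range of each word variable, so a `movb` into the high byte of a `_w` entry is still attributed to it, which is what you want when the listing writes a word variable one byte at a time.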