NefMoto

Hi all,

I’ve seen a few people curious about this, so I wanted to put down some notes. It’s got a lot of pictures so hopefully it helps anyone who’s trying to get started :) I’m sure that there are many ways to go about this, probably some better but if it gets you interested then it’s done the job.

Start IDA (idaq.exe)

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10838;image)

Select New

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10840;image)

Select the bin you want to disassemble. Select Files of type ‘All Files (*)’ to see all possible files

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10842;image)

From the Processor type drop down, select ‘PowerPC: ppc’ and click the Set button

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10844;image)

Next click Processor options and enter the TOC and SDA (r13) addresses

TOC address: 0x5C9FF0
SDA (r13): 0x7FFFF0

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10846;image)

Click OK and OK to bring up the next dialogue where you’ll create the RAM and ROM segments

RAM @ 0x600000 size 0x300000
ROM @ 0x400000 size 0x200000
Loading address 0x400000 size 0x200000

Note – this is not completely accurate, but it’s quite sufficient for disassembly. I wish I had a proper memory map  ???

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10848;image)

Click OK and the next dialogue opens. This is where IDA begins the analysis.

Note - prj has written an AutoIT script (http://nefariousmotorsports.com/forum/index.php?topic=2431.0title=). AutoIT is a tool that lets you automate actions like mouse clicks, menu selections and button presses. Highlighting one entry and clicking a few buttons is fine. Imagine doing it a few thousand times… prj’s script is for ME7.1 so you’d have to amend it somewhat for MED9.1.
Instead of the AutoIT script, I took a bit of a shortcut here. I just needed a basic disassembly so all I did was highlight all the code between 0x400000 and 0x600000 and press ‘C’. More about that in the next step.

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10850;image)

Move the cursor to 0x400000 (by clicking there) and press ‘Alt L’ to mark the beginning of your selection.

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10852;image)

Then move down to 0x600000 (by using the slider on the right hand pane or the page up/page down keyboard keys).  Click a second time to mark the end of your selection. Everything between 0x400000 and 0x600000 should now be blocked in grey, indicating it’s been selected.

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10854;image)

Press ‘C’ and select Analyse. IDA will now work through your file.

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10856;image)

You will get a warning – ‘mtfsfi, bad optype’.

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10858;image)

Click OK, tick ‘don’t display message again’ and click OK again. IDA will continue with the analysis.

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10860;image)

After a minute or so, the disassembly is finished and you’re ready to go  ;D

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10862;image)


Again, amazing work you are doing! Thanks for sharing!

OK, so what can you do with this?

Here’s how I go about locating a ram variable. In this example I’m going to look for the ram address of nmot_w (engine speed, 16 bit)

Start with a map you know the location of that makes reference to the variable of interest. Looking at the FR, I can see that the entry to KLPROV is nmot_w.

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10866;image)

I also know the address of KLPROV (by comparing against a defined bin). The starting point of the whole map (including the axis) is 0x1D20C0.

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10872;image)

The addresses in IDA have an offset of 0x40000. That means if your map is 0x1D20C0 in WinOLS, it’s 0x5D20C0 in IDA (0x1D20C0 + 0x400000).

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10868;image)

Looking at address 0x5D20C0, you can see some blue text next to it. That’s called a cross-reference and clicking on it will take you to the segment of code that’s referring to that map address.

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=10870;image)

Basically the lookup of the map is a function. You pass it some variables, it does its thing and passes back the result.

So we pass r3 and r4 to the function 0x590434. It passes the result back in r3 again.

r4 is loaded with the map location, therefore by elimination r3 must be nmot_w – 0x7FD830

:)

I was jus thinking about how to do this last nite!
Thanks basano!

Qn: where did u get e ida.exe?

Basano!!
Really thanks!!
Wonderful work!!!

How are yall running IDA, in a non-networked VM? All the "donation optional" versions I've found probably have malware so don't want it on my main box. I'd get a legit version but it's way too expensive!

Correct,

I use Oracle VM VirtualBox.

I also got this advice from another member – legitimate versions of IDA won’t open idb files created by the knock-off versions of IDA. If you are using a knock-off, it’s fine while you are using it yourself or sharing projects with others using the same knock-off. But the real IDA has a blacklist to detect idb files created by the clones and doesn’t like them (understandably).

I've got it working and looking at my unnamed vendor's 4 program flash. Thanks for the tutorial. To anyone wondering, some versions ask byte order when selecting the processor type. Mine did, and the correct answer is PPC big-endian.

Have you written / modified any code, Basano, or are you still learning?

Hello
I think that memory map look like this:
ROM @ 0x000000 size 0x200000
Loading address 0x000000 size 0x200000

And i cut data from original file from 0x1C0000 to 0x1FFFFF,
then i load this data as additional binary file at 0x5C0000 size 0x40000

Now we have the correct addressing from beginning file, with correct subroutines address.
And correct addressing in data block.

Tell me please how did you find RAM address?

Actually, that does match up.

I poked around with this a bit more. Take a look at this extract from a random 2.0 TFSI MED9.1 .a2l file. There’s a section near the beginning that actually lists the memory segment layouts. It describes both ROM and RAM. I'm not sure what the section at 0x900000 is ??? , but the rest seems to align. You'll notice the bit in blue  has a mapping from 0x1C -> 0x5C.

.a2l file attached

  /begin MOD_PAR "D915A_41W200"
    VERSION "MED91"
    ADDR_EPK 0x1C21F0
    EPK "55/1/MED91/5/4420.01//D915A_41W200/D915A_41W200/150904/"
    CUSTOMER_NO "5"
    USER "GS-ES/EAD1-Richard"
    PHONE_NO ""
    CPU_TYPE "GoldenOak"
    ECU "MED91"
    /begin MEMORY_SEGMENT Pst20000 "" CODE EPROM EXTERN 0x20000 0x1A0000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x20000 /*mapping_adr:*/0x20000 /*length:*/0x1A0000 /end IF_DATA
    /begin IF_DATA ASAP1B_CCP ADDRESS_MAPPING /*orig_adr:*/0x20000 /*mapping_adr:*/0x20000 /*length:*/0x1A0000 /end IF_DATA
    /begin IF_DATA ASAP1B_KWP2000 ADDRESS_MAPPING /*orig_adr:*/0x20000 /*mapping_adr:*/0x20000 /*length:*/0x1A0000  /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst1F0000 "" CODE EPROM EXTERN 0x1F0000 0x10000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x1F0000 /*mapping_adr:*/0x1F0000 /*length:*/0x10000 /end IF_DATA
    /begin IF_DATA ASAP1B_CCP ADDRESS_MAPPING /*orig_adr:*/0x1F0000 /*mapping_adr:*/0x1F0000 /*length:*/0x10000 /end IF_DATA
    /begin IF_DATA ASAP1B_KWP2000 ADDRESS_MAPPING /*orig_adr:*/0x1F0000 /*mapping_adr:*/0x1F0000 /*length:*/0x10000  /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst0 "" CODE EPROM EXTERN 0x0 0x20000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x0 /*mapping_adr:*/0x0 /*length:*/0x20000 /end IF_DATA
    /begin IF_DATA ASAP1B_CCP ADDRESS_MAPPING /*orig_adr:*/0x0 /*mapping_adr:*/0x0 /*length:*/0x20000 /end IF_DATA
    /begin IF_DATA ASAP1B_KWP2000 ADDRESS_MAPPING /*orig_adr:*/0x0 /*mapping_adr:*/0x0 /*length:*/0x20000  /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Dst1C2000 "" DATA EPROM EXTERN 0x1C2000 0x2E000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x1C2000 /*mapping_adr:*/0x902000 /*length:*/0x2E000 /end IF_DATA
    /begin IF_DATA ASAP1B_CCP ADDRESS_MAPPING /*orig_adr:*/0x1C2000 /*mapping_adr:*/0x5C2000 /*length:*/0x2E000 /end IF_DATA
    /begin IF_DATA ASAP1B_KWP2000 ADDRESS_MAPPING /*orig_adr:*/0x1C2000 /*mapping_adr:*/0x5C2000 /*length:*/0x2E000  /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT ExtRam900000 "" VARIABLES RAM EXTERN 0x900000 0x2000 -1 -1 -1 -1 -1
        /* AsapMLXFm - CCP_V2_1 */
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x900000 /*mapping_adr:*/0x900000 /*length:*/0x2000  /end IF_DATA
        /* AsapMLXFm - KWP2000 */
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Ram7F8000 "" VARIABLES RAM INTERN 0x7F8000 0x8000  -1 -1 -1 -1 -1
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Ram800000 "" VARIABLES RAM INTERN 0x800000 0x8000  -1 -1 -1 -1 -1
    /end MEMORY_SEGMENT

I look at checksumm table in dump. That's part from several table with the addresses of the data blocks:

(StartAddress EndAddress)

0x005CA3DC 0x005CA87F
0x005C2000 0x005C223F
0x005C2E00 0x005C7FFF
0x005C8000 0x005CFFFF
0x005D0000 0x005D7FFF
0x005D8000 0x005DFFFF
This mapped data 0x1C to 0x5C. Range 0x5C2000-0x5DFFFF


0x00180000 0x00187FFF
0x00188000 0x0018FFFF
0x00190000 0x00197FFF
0x00198000 0x0019FFFF
0x001A0000 0x001A7FFF
0x001A8000 0x001AFFFF
0x001B0000 0x001BFFFF
0x001B8000 0x001BFFFF
0x001E0000 0x001EFFFF
0x001F0000 0x001FFFFF
There is no data on mapped block in range 0x1C0000-0x1E0000, but present data on block 0x1E0000-0x1FFFFF.
Maybe necessary to load data in this range (0x1E0000-0x1FFFFF) to original address.

Maybe  data in section 0x900000 - external RAM in separate chip? Need to see photo of disassembled ECU :)

Looking at the checksum tables - clever!  :D

Again from the .a2l, perhaps 0x1C0000 is related to the e2p... Only a guess though. I know the e2p shows up in a ram mirror as well but that's slightly different.

        SERAM
            /* SERAM_A */ 0x1C0000
            /* SERAM_O */ 0x1C0000
            /* SERAM_U */ 0x1DFFFE
            /* SERAM_E */ 0x1DFFFE
           /* Flash address */ 0x000000
           /* RAM address   */ 0x000000
              /* Data Read   */ 1
              /* Code Verify */ 0
              /* Code Read   */ 0
              /* Load mode   */ 1

How do you do this?. I cannot generate a new file in IDA after I copy the lines.
epy

I tried to copy the lines, then create a new segment from 0x5C0000 to 0x600000, but IDA would not let me. It spit out an error that the segment is bad with negative entries.

epy

1. Load in IDA original file
2. In IDA File->Load file->Additional binary file... Select cuted file (0x1C0000-0x1FFFFF)
Loading segment: 0x5C000

How do I make a cut file? If I highlight the 0x1C0000-0x1FFFFF sections, I can copy it onto the clipboard, but what next? If I go to File->Load File->Additional Binary File, I just get a box to open another file, but I have not actually created another separate file yet.

I have tried to create a new file with the copy of 0x1C0000-0x1FFFFF, but that did not work. I am probably missing something very simple on how to create the additional binary file.

Please forgive me if I am asking a super newbe question.
epy

ok, i think i have it. I highlighted the segment, then dumped the file, then loaded additional binary. The dumped file became the cut. Right?
epy

Right :)

When you load the file, do you not specify the RAM address (leave RAM box unchecked), or do you use the address and size indicated by Basano, i.e.,
RAM @ 0x600000 size 0x300000
ROM @ 0x000000 size 0x200000
Loading address 0x000000 size 0x200000

I'm sorry, but at the moment I'm searching for some axis for some maps for my Octavia.
All the steps in IDA are very clear and everything is working,
but I was wondering how do you find you're axis for your map.

I'm looking for the axis for the maps:
-KFPZU0_UC   1C3114   x-ax:V      y-ax:1/min            source x-ax:spsn_uc   source y-ax:nmot_uc
-KFPZU1_UC   1C3154   x-ax:V      y-ax:1/min            source x-ax:spsn_uc   source y-ax:nmot_uc

If I look in IDA and go to the sub routine of KFPZU1_UC you see the following code:

ROM:004263BC loc_4263BC:                             # CODE XREF: sub_426310+8Cj
ROM:004263BC                 lbz       r12, byte_7F8214
ROM:004263C0                 cmpwi     r12, 0
ROM:004263C4                 beq       loc_4263FC
ROM:004263C8                 addi      r3, r2, -0x6E9C # dword_5C3154
ROM:004263CC                 lbz       r4, byte_5C3354
ROM:004263D0                 lwz       r5, dword_7F8168
ROM:004263D4                 lwz       r6, dword_7F8208
ROM:004263D8                 bl        sub_423D90
ROM:004263DC                 stb       r3, word_7F8178+1
ROM:004263E0                 addi      r3, r2, -0x6F1C # aAaaaaaaaaaaaaa # "ÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇ"...
ROM:004263E4                 lbz       r4, byte_5C3354
ROM:004263E8                 lwz       r5, dword_7F8168
ROM:004263EC                 lwz       r6, dword_7F8208
ROM:004263F0                 bl        sub_423D90
ROM:004263F4                 stb       r3, word_7F817C+1
ROM:004263F8                 b         loc_42642C
ROM:004263FC # ---------------------------------------------------------------------------

I have an offset of 00400000.
I think the ax for nmot_uc is 5C3354 - 400000 = 1C3354,
but I can't find spsn_uc....

Maybe someone can point me in the right direction.
I tried the 7F location, but there is nothing.

In this particular case, the x and y axis are actually little maps in themselves.

You are very, very close :)

7F8168 and 7F8208 are the correct places to look at, but they will be blank since they are variables themselves.

Double-click 7F8208. Make sure the cursor is still on the line 7F8208. Then from the menu View -> Open subviews -> Cross references

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=11357;image)

Double click the entry that stores (stw) 7F8208. The other entries just read 7F8208 (lwz)

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=11359;image)

In the next screen that opens, you can see just a few lines above 7F8208 is your axis 5C3354 (which is 1C3354)

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=11361;image)

For the other axis, do the same thing and you should get 5C2F89 (which is 1C2F89)

RAM should still be in a range that includes 0x7Fxxxx upwards, so this will include that:

RAM @ 0x600000 size 0x300000


It also struck me that instead of cutting the data and pasting it into a new file, when you specify the additional file, choose the same original input file but use a different file offset:

(http://nefariousmotorsports.com/forum/index.php?action=dlattach;topic=6834.0;attach=11363;image)


In other words, you use the same file, but but just tell it to load up in different places

Wow great, thanks, now it's much clearer to find the axis,
I will give it a try this evening.

That actually makes a lot of sense, given that you are just taking the same info into different locations.
epy

So in this case, since the file is correct, would we now analyze the whole thing, or do we still restrict IDA to only analyze a segment?

epy

The two previous maps I found the 2 axis.
In the next map I know 1 ax, because it's the same, the nmot_uc, from the previous maps,
but now I'm strugling with the other ax.

The map is KFMOF_UM and I thought it was starting on 1C32D8, but when looking in IDA I think it starts at 1C32DA
I see the y-ax, nmot_uc, is 1C3354 (following 7F8208), but it's a little unclear what the x-ax is, mz_um,
because there is a bl sub_423D90 next to the y-ax. Do I have to follow the sub_423D90 or should I skip it and go to the next lbz (byte_7F81F9)?

Or am I totally in the wrong map?

KFMOF_UM   1C32D8   x-as:1/min   y-as:%      source x:mz_um      source y:nmot_uc

ROM:00426C94 loc_426C94:                             # CODE XREF: sub_4268D0+3B8j
ROM:00426C94                 lbz       r5, word_7F8188+1
ROM:00426C98                 stb       r5, byte_7F81FA
ROM:00426C9C                 lbz       r11, word_7F8188+1
ROM:00426CA0                 not       r11, r11
ROM:00426CA4                 stb       r11, byte_7F836E
ROM:00426CA8                 addi      r3, r2, -0x6CB6
ROM:00426CAC                 mr        r4, r5
ROM:00426CB0                 bl        sub_423B24
ROM:00426CB4                 stw       r3, dword_7F81FC
ROM:00426CB8                 lwz       r5, dword_7F81FC
ROM:00426CBC                 not       r9, r5
ROM:00426CC0                 stw       r9, dword_7F8370
ROM:00426CC4                 addi      r3, r2, -0x6D16 # word_5C32DA
ROM:00426CC8                 lbz       r4, byte_5C3354
ROM:00426CCC                 lwz       r6, dword_7F8208
ROM:00426CD0                 bl        sub_423D90
ROM:00426CD4                 stb       r3, byte_7F81F9
ROM:00426CD8                 lbz       r9, byte_7F81F9
ROM:00426CDC                 not       r9, r9
ROM:00426CE0                 stb       r9, byte_7F836D
ROM:00426CE4                 lwz       r3, dword_800EB4
ROM:00426CE8                 bl        sub_58C23C
ROM:00426CEC

I tried loading the original file twice, using the approach above, and I do not have any 004 addresses at all. At the end of 001FFFFC it skips directly to 005C0000.
epy

I found this a little confusing, so for those who need to know how to dump the user selected lines into a separate file.

Step 1. Open Jump->Jump To Address
2. Type 0x1C0000 and hit Enter
3. Alt+L (to mark start of selection)
4. Jump->Jump To Address
5. 0x1FFFFF and hit Enter
6. Place the cursor directly before RAM:00600000, and click (this should highlight all the lines you want)
7. Open File->Produce File->Create LST File
8. Enter the name of the file you want, and the location you want it, and hit Enter

You have just dumped the user selected area to a second file that you can then import as additional binary.

epy

I think your axis is 0x1C333A.

There's a pattern to this. The registers that hold the maps and axis are normally very close together.

R3 - map location
R5 - y axis
R6 - x axis

So you found the map (which is loaded into R3). You've got one axis (which is loaded in R6). It's a pretty solid guess the other axis will be in R5. Have a look just before the map is loaded into R3 and you'll see R5. Follow R5 back a bit and you can see that R5 is 7F81FC. Just above where this is done is another line addi      r3, r2, -0x6CB6

5C9FF0 - 0x6CB6 = 5C333A aka 1C333A

If anyone has too much time on their hands, attached is a doc explaining the conventions and usage of r3 and so on.

 :)

I'll have a go at this tomorrow and see if I can nail it down for once and for all ;D

Roger that. Thank you, this is starting to (barely) make sense! Darn, and I thought it would be as easy as 3 steps:
Step 1. Open IDA and reverse engineer the ME9.1
Step 2. Use this knowledge to define all the maps in WinOLS and understand how to tune the files
Step 3. Make awesome Stage III+ tune for my car

I guess I was a bit off :)
epy

This is some great stuff here.

Basano is the best thing that happened to Nefmoto community atleast in MED9 wise ;D

With some scripting containing advanced filtering (map size and known ROM sub-region) you can find the critical maps in five minutes or so  :o

Thanks, I will try it.

Is it also possible to see how long the maps are is assembly? If a map is 8x8 or 16x1?

I’m not sure if this answers your question, or perhaps you know it already, but have a search on ‘map descriptors’. The byte(s) at the beginning of an axis contain some information about the map itself.

Using your axis as an example:

0x1C333A - 08
0x1C3354 - 08

The first byte of each is 0x08. From this I surmise the map in question is an 8x8.

Here’s another example using KFLDIMX
0x1CF46E - 00 08
0x1CA306 - 00 10

(0x10 hex = 16 dec)

So this is a 8x16 map

Sometime it could be combined, e.g. LAMFA
0x1D6868 – 0F 06

(0x0F hex = 15 dec)

So this is a 15x6 map

There was a post on the forum very recently about map descriptors, with some links and reading, but I cannot find it at the moment!

Thanks! I will take a look at it!

Has anybody made progress here? I am starting back into IDA on ME9 with the goal of getting a 5120 hack onto ME9.

Guys, could you recommend any compiler enviromnent for PowerPc MPC582 MED9.1 ?

That should be fairly easy with the a2l.  GGPVD will give you a headache :)  it's 5120 already lol

This isn't always true but it's nice when it is.

Using your guide I have gained access to the sub routines of my file. Thank you very much. I am having a hard time getting others IDB files to open unfortunately.  I have tried different versions of ida and I've hit a brick wall. Any suggestions?

Nevermind, I found a version of 6.1 and it works. Thanks again.

Hello, i'm newest to coding with Ida, i'm interested to see how to add map switching in Med9 and also of course to know how the map structure and reference is.
Any one who want to help me?

Hello

Great topic. Thanks for sharing Basano & everyone else.

Was following it on my Seat Leon 2007 BWA file.

Does anyone know what this area is for in the file/disassembly ?

ROM:004067F4                 .long 0x792A9A95, 0xC37971, 0x12CF4BA, 0x3A1611C3, 0xBACC3AD9, 0xF420B80F, 0xA616F1C7, 0x6C526101, 0x23415A63, 0xFE0A7B0C, 0x6A33F219, 0xA31371F3, 0x13FCF15F, 0x6E242943, 0x8F58CD39, 0xF5F87D5, 0xAA2FB6B6, 0x53D2E94F, 0x11161A73, 0xA0F7ABA2
ROM:004067F4                 .long 0xC7CD2116, 0x7A36A28B, 0xB0C12FD2, 0x25FA214, 0x98A67E7, 0x7432FA12, 0xEB6C2420, 0xA7DAF5A7, 0xCED88055, 0x8F6B59C0, 0x2EACFEA, 0xBD6AEA95, 0x36EB234C, 0xDB44E62E, 0xF3CEC879, 0x32D388DA, 0x1FB5C777, 0x26DE87B8, 0x7C6B65D9, 0xB7979631
ROM:004067F4                 .long 0x29E9A33F, 0x1DE479, 0x1ED4BED5, 0xB9FB9C14, 0xB2FBAED1, 0xB6A5644D, 0x17DBA9F7, 0x68FFE0BE, 0xDA1D9F17, 0x59D82ECD, 0x6615BE8C, 0xB369692B, 0x8043EDBD, 0xB8D92856, 0xCAD4539D, 0x49BAFE16, 0x421FCF2C, 0x618BFA01, 0xC22A80F6, 0x983627F9
ROM:004067F4                 .long 0x80253C91, 0xA3920BAB, 0x8EEC1B22, 0xD1E02A10, 0x5987EBD7, 0x8D4F82ED, 0x2BABBB6B, 0xE17A0E55, 0xAB3853A7, 0xEFE74524, 0x5ABBB9DE, 0x78889A84, 0x16ECAB6E, 0x583CFC6A, 0x992F2944, 0x54D5617, 0xF815EA56, 0x15F10E99, 0x26DAE429, 0xB7CB884A
ROM:004067F4                 .long 0x71E7C74B, 0x3769A24E, 0x24F81D8, 0x7DC63717, 0x6054B9F7, 0x8DC89EE3, 0xEBE1565B, 0x6C12A3A, 0x6310F7C5, 0xA4EFAA73, 0x61A37A7F, 0xC0FEE82E, 0xDA8C78E0, 0xCD832DD9, 0xA168C5CD, 0xDC81B92D, 0xE3FEF334, 0x17E64DB0, 0xABC3CE91, 0x470CA333
ROM:004067F4                 .long 0x5E57DF6B, 0x503BF253, 0x3F06EBD5, 0xB1246DFA, 0xEA4A73F0, 0x765C3DD, 0xDA463366, 0x890A9FFE, 0xE54AA5EF, 0x8B082729, 0xBD547ECD, 0xFEC17E79, 0x6F8C2E51, 0xEC8544D2, 0xE6C56356, 0xFE0E1367, 0x670084C4, 0xF8010233, 0x14EA380C, 0x3A722482
ROM:004067F4                 .long 0x6B5BDEB0, 0x3F5E0868, 0xC6D714BA, 0x1F303946, 0xDA0F3342, 0xF3FBD4A, 0x3B5FCFEB, 0xDE4D97ED, 0xD5503964, 0x77084775, 0x7215FFE9, 0x648A4773, 0x391069C1, 0x47DA8E45, 0x2A4CFCC0, 0x616B0F93, 0xA503F9C5, 0xD9A39D3, 0xE317DC3B, 0x443277C7
ROM:004067F4                 .long 0x799BE09A, 0x18EAAFFC, 0xDA4977E5, 0x3BE3C44B, 0xD40BD42B, 0x782D1659, 0x10756408, 0x3741FF19, 0x94474E24, 0xFB865647, 0x43EEF8B1, 0xE5CEEEED, 0x590184EF, 0x31D816DF, 0xF2C64DA9, 0xB5CE1841, 0x82AD6CB7, 0x67C7BCFE, 0x5CD2377C, 0xD744C551
ROM:004067F4                 .long 0x2D7DBF67, 0xAFB4703E, 0x80A35074, 0x38F2FA17, 0x3A65F2AB, 0xD5C419FA, 0x1D8EEC9E, 0x875C804F, 0x47163EED, 0x6AD95E4C, 0xB2A425C3, 0x35C5DD73, 0xB4069958, 0xBC96A511, 0x7FB9CF6F, 0x702F59BF, 0xA066B9D8, 0xDB5F17E3, 0x816083ED, 0x265EFA2E
ROM:004067F4                 .long 0xE9291717, 0x9555001D, 0x79EC9848, 0x7D5867A, 0x2F03E880, 0x795DD2DA, 0xE570244A, 0x82D7871F, 0xD066253E, 0xD7192AF5, 0x4BFFF80, 0xC6664157, 0xED85833D, 0xBDECC909, 0xD56CBF33, 0xC246BC1E, 0x62547B27, 0xFAF99372, 0x17CABC6F, 0x25F9C02E
ROM:004067F4                 .long 0xD0854268, 0x1E243249, 0x49EB0CFE, 0x5EC3D303, 0x968CD12A, 0x770E0B6A, 0xAAA4866D, 0x9BA73DD7, 0xD39BDD58, 0x151C4670, 0x3A86C205, 0xCC6703A6, 0x65A6DF9D, 0xC670CAB7, 0xB6E617D2, 0xA187EE2B, 0xEC5F0C64, 0x19ED3E58, 0x9FD59B9F, 0x874A84E0
ROM:004067F4                 .long 0xC6395CD9, 0x5D36082F, 0x332725F7, 0xADB30C00, 0x136887E6, 0xA2AF50D8, 0x71704D24, 0xC3848E87, 0xB1DE0237, 0xB779FCAC, 0x18016A32, 0x3A41CF30
ROM:00406FF4                 .long 0x414F0536, 0x2979B5C8, 0xA7EE92EC, 0x5A5A5A5A, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF
ROM:00406FF4                 .long 0xFFFFFFFF,

Thanks,

Praga

Totally wrong way to grab that data and post it...

Use a screen grab while you are on the actual code. If you don`t understand check what everyone has done in the previous post.
What you got is just hex strings displayed as .long

I would suggest to practice your ida skills a little bit more and check the forum on previous posts on what has been done.

Posting your original file and describing what you are searching for is also a good thing.

Sorry. Is this better ?

No.

Read first page of posts and you will understand.

thats a nice question, anybody worked here?

I have done 5120 MED9.1, but in a "brute" way, just rescaling everything, apart from fueling.
I believe it can be done in a much more elegant way, since there's a bunch of 5120 stuff already in there.

Not enough time to research it right now. Maybe some day. :)

You can easily compare a file from a golf 5 gti (bwa) with a file from an audi s3/cupra
and check what needs to be done ith a little bit more scaling if you are using a bigger map sensor.
By compare i mean disassemble and compare the code.

but that doesnt help me ? both would have max requested boost @ 2550mbar..  255 x 10...
it not like scaling gradient and offset of boostsensor..

as far as is see its not like ME7 on MED9

It's not like ME7, but you can do it brute force like ME7 if you want.
Or if you are more clever, you can do it a little easier.

But I can't help but get the feeling that you are looking to get a free handout.

iam not looing for a free handout, we are already studying the process, but its not that easy to rewrite the sourcecode if u havent learnd the scripting.
tuning files in ols and programming scource codes in different script languages are 2 pair of shoes.
iam also open for buying help or trading...

BR

Hello Lads,

I've got the MPCxxx Instruction Set and which should help people with the explanation of the Assembly Language seen in IDA Pro when looking at MED9.1 Binaries.

https://cache.freescale.com/files/product/doc/MPC82XINSET.pdf

How much progress have we made?
 

No ECU software in history was written in a scripting language, as far as I know.

change it to assembley language..

TOC and SDA addresses are always the same in MED9.1?

sorry to bring this up from the dead, but i have an honest question. did you by any change made a mistake when typing this and switched r4 with r3?