totti
« Reply #15 on: August 06, 2021, 02:20:25 PM »
Quote:
It's basically:
if(FD10.2 == 1(S_fgrhs - Main switch on the FGR control lever)) { movb RAM:380AC4 ( nwe - Wiedereinsetzdrehzahl) , whatever is in rl6) }
else FF rl6
FF'd RAM:380AC4 with rl6
unconditional jump to A19EA -> return

I understand the code, the problem was with the variables. But thank you for describing it.

totti
« Reply #16 on: August 13, 2021, 02:07:28 PM »
Quote:
8AC4 is the short addressing for 380AC4
program flow looks sooo nooby

I've modified it:

ROM:000A592A                 jb      word_FD10.4, loc_A5932
ROM:000A592E                 movb    rl6, #0FFh
ROM:000A5932
ROM:000A5932 loc_A5932:                              ; CODE XREF: ROM:000A592A↑j
ROM:000A5932                 exts    #38h, #1 ; '8'
ROM:000A5936                 movb    0ADAh, rl6      ; 380ADAh
ROM:000A593A                 rets
ROM:000A593A ; ---------------------------------------------------------------------------
ROM:000A593C                 db 0FFh
ROM:000A593D                 db 0FFh
ROM:000A593E                 db 0FFh
ROM:000A593F                 db 0FFh
ROM:000A5940 ; ---------------------------------------------------------------------------
ROM:000A5940                 jb      word_FD10.4, loc_A5960
ROM:000A5944                 movb    rl4, nmot
ROM:000A5948                 cmpb    rl4, #3Eh ; '>'
ROM:000A594C                 jmpr    cc_ULE, loc_A5960
ROM:000A594E                 exts    #38h, #1 ; '8'
ROM:000A5952                 movb    rl4, 9B1h       ; 3809B1h
ROM:000A5956                 cmpb    rl4, #0
ROM:000A5958                 jmpr    cc_NZ, loc_A5960
ROM:000A595A                 movb    rl4, #0E8h
ROM:000A595E                 movb    [r12], rl4
ROM:000A5960
ROM:000A5960 loc_A5960:                              ; CODE XREF: ROM:000A5940↑j
ROM:000A5960                                         ; ROM:000A594C↑j ...
ROM:000A5960                 movb    zwout, [r12]
ROM:000A5964                 rets

totti
« Reply #17 on: September 14, 2021, 01:46:16 PM »
I would like to modify lamfa when the different conditions are true. I have HN 0001 ECU. This is my ecu file:

lamfa_w , {TargetAFRDriverRequest} , 0x384ACE, 2, 0x0000, {-} , 0, 0, 0.000244141, 0, {Lambdasoll Fahrerwunsch (word)}
lamfaw_w , {} , 0x384ACC, 2, 0x0000, {-} , 0, 0, 0.000244141, 0, {Lambdasoll Fahrerwunsch Anteil aus Kennfeld LAMFA}

I searched for lamfa and lamfaw but I could not find any movb functions to them. How can I find where these variables are written in the code?
Thank you

fknbrkn
« Reply #18 on: September 14, 2021, 11:46:58 PM »
After the lamfa map as usual.
Screenshot from another file but it's the same as yours.

Quote:
any movb

It's a word so..

DT
« Reply #19 on: September 15, 2021, 01:39:13 PM »
Quote:
I searched for lamfa and lamfaw but I could not find any movb functions to them. How can I find where these variables are written in the code?

As fukenbroken said, they are words. With me7idatool the following pictures show what you can produce in IDA in less than 10 min without an a2l/dam for your specific revision. There are 5+2 positions for lamfa_w and lamfaw_w respectively.

totti
« Reply #20 on: September 16, 2021, 12:36:00 AM »
Thank you to all of you. I just started with IDA and I don't know which plugin or tool is needed. Currently I have just loaded the bin and am trying to manually find the code and variables. Can you tell me where I can find me7idatool?
Thank you

totti
« Reply #21 on: September 16, 2021, 06:55:07 AM »
Quote:
As fukenbroken said, they are words. With me7idatool the following pictures show what you can produce in IDA in less than 10 min without an a2l/dam for your specific revision. There are 5+2 positions for lamfa_w and lamfaw_w respectively.

I found where I can modify lamfaw_w. What I don't know is what to do with the extp command. Should I change it to calls and the mov command to NOP, or can the extp stay and the mov be changed to calls?

fknbrkn
« Reply #22 on: September 16, 2021, 07:12:00 AM »
Nop extp and change mov with calls

totti
« Reply #23 on: September 16, 2021, 09:41:46 AM »
Quote:
8AC4 is the short addressing for 380AC4
program flow looks sooo nooby

Is there any benefit to using a short or a long address?

fknbrkn
« Reply #24 on: September 16, 2021, 10:37:50 AM »
Less operations = less CPU load. Pretty sure it's unnecessary in that case, but optimization skill always counts.

totti
« Reply #25 on: September 16, 2021, 12:51:35 PM »
Quote:
Less operations = less CPU load. Pretty sure it's unnecessary in that case, but optimization skill always counts.

Thank you. I will read about the C166 to understand why RAM is mapped into 2 spaces.
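
The short and long address forms discussed in replies #16 to #25, and the search for writes to a word variable from replies #17 to #19, as an added example (not written by any poster and not me7idatool's code): Python that resolves C166 16-bit data operands to linear addresses and lists the operand values to look for when searching for direct stores to a variable. Assumptions: DPP2 = 0xE0 is inferred from the thread's 8AC4 / 380AC4 pairing, the other DPP values are the C166 reset defaults, the function names are hypothetical, and SAMPLE is constructed.

```python
# Added example: C166 data-address arithmetic for the addresses quoted in the thread.
# DPP2 = 0xE0 follows from the thread (8AC4 <-> 380AC4); DPP0, DPP1 and DPP3 are
# assumed to hold the C166 reset defaults and may differ in a real image.
DPP = [0x00, 0x01, 0xE0, 0x03]
PAGE_BITS, OFFSET_MASK = 14, 0x3FFF          # data pages are 16 KiB
MOV_MEM_RW, MOVB_MEM_RB = 0xF6, 0xF7         # direct stores: word / byte

def resolve_dpp(addr16, dpp=DPP):
    """Bits 15-14 of a 16-bit operand select DPP0..3, bits 13-0 are the page offset."""
    return (dpp[addr16 >> PAGE_BITS] << PAGE_BITS) | (addr16 & OFFSET_MASK)

def resolve_exts(seg, addr16):
    """Under EXTS #seg the operand is a plain offset into a 64 KiB segment."""
    return (seg << 16) | addr16

def resolve_extp(page, addr16):
    """Under EXTP #page only bits 13-0 of the operand are used."""
    return (page << PAGE_BITS) | (addr16 & OFFSET_MASK)

def operand_forms(linear, dpp=DPP):
    """Every 16-bit operand that can reach `linear`, keyed by how it is addressed."""
    page, off = linear >> PAGE_BITS, linear & OFFSET_MASK
    forms = {"dpp%d" % n: (n << PAGE_BITS) | off
             for n, p in enumerate(dpp) if p == page}
    forms["exts #%02Xh" % (linear >> 16)] = linear & 0xFFFF
    forms["extp #%02Xh" % page] = off        # top two operand bits are ignored here
    return forms

def find_direct_stores(image, linear, word=True, dpp=DPP):
    """Offsets of 'MOV/MOVB mem, reg' whose operand matches any form of `linear`.
    The caller still has to check for a preceding EXTS/EXTP (or the lack of one);
    stores through indirect addressing are not covered."""
    opcode = MOV_MEM_RW if word else MOVB_MEM_RB
    wanted = set(operand_forms(linear, dpp).values())
    return [i for i in range(0, len(image) - 3, 2)   # instructions are word-aligned
            if image[i] == opcode
            and int.from_bytes(image[i + 2:i + 4], "little") in wanted]

# Constructed sample bytes (not from any ECU image): a byte store with operand
# 0x8AC4, then a word store with operand 0x0ACE, the page offset of 0x384ACE.
SAMPLE = bytes([0xF7, 0xFC, 0xC4, 0x8A, 0xF6, 0xF4, 0xCE, 0x0A])

if __name__ == "__main__":
    print(hex(resolve_dpp(0x8AC4)), hex(resolve_exts(0x38, 0x0ADA)))
    print(operand_forms(0x384ACE))
    print(find_direct_stores(SAMPLE, 0x384ACE))
```

With these assumptions 0x384ACE lies in page 0xE1, which no DPP selects, so it can only be reached through an EXTS or EXTP prefix, whereas 0x380AC4 is reachable directly as 8AC4.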