Topic: WINOLS gurus: where is TDMLSDS located in M-box S4 file? (Read 9275 times)
julex (Hero Member, Karma: +79/-4, Posts: 923)
« on: May 05, 2011, 04:50:06 PM »

I have an .OLS for the European G-box but can't find a similar region in the M-box that would host this 1-byte variable.

I have a suspicion that this little variable is the ticket for no-lift shift.

And if you have an .OLS for the M-box.... please please please share :)
nyet (Administrator, Hero Member, Karma: +607/-168, Posts: 12268)
« Reply #1 on: May 05, 2011, 05:34:10 PM »

> Quote from: julex
> I have an .OLS for the European G-box but can't find a similar region in the M-box that would host this 1-byte variable.
>
> I have a suspicion that this little variable is the ticket for no-lift shift.
>
> And if you have an .OLS for the M-box.... please please please share :)

my guess is 113AC

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
gremlin (Hero Member, Karma: +196/-9, Posts: 653)
« Reply #2 on: May 05, 2011, 05:35:19 PM »

> Quote from: julex
> I have an .OLS for the European G-box but can't find a similar region in the M-box that would host this 1-byte variable.
>
> I have a suspicion that this little variable is the ticket for no-lift shift.
>
> And if you have an .OLS for the M-box.... please please please share :)

Try addr 113ACh
julex (Hero Member, Karma: +79/-4, Posts: 923)
« Reply #3 on: May 05, 2011, 07:35:35 PM »

That's not the spot. I really compared the values etc.; the region is a bit different around that area, with some stuff appearing to be missing in comparison to the "G" OLS. Apparently this variable as well as some other stuff got compiled into a different region (edit: *idea here: search for the missing stuff in the M box and I might find the stuff I need*).

I don't know if that's the spot, but I am wondering how you arrived at this conclusion? I assume you just guessed based on the fact that the following region is the same as in the "G" bin.

Does anybody have the "M" and "G" box in IDA and could check the address references and see what address the same code in the "M" box accesses?

Thanks.

Otherwise I will have to advance to Yoda level and start IDA dis-assembly, ahha.
« Last Edit: May 05, 2011, 07:40:53 PM by julex »
nyet (Administrator, Hero Member, Karma: +607/-168, Posts: 12268)
« Reply #4 on: May 05, 2011, 08:30:43 PM »

> Quote from: julex
> I assume you just guessed based on the fact that the following region is the same as in the "G" bin.

Yup. Blind ass guess :)

I was hoping spen would pipe up here and show us how it's done!
setzi62 (Full Member, Karma: +142/-0, Posts: 249)
« Reply #5 on: May 06, 2011, 02:17:49 AM »

I use a tool called bgrep (binary grep) to search for occurrences of hex patterns;
find attached the executable and source of bgrep.
This tool is quite handy when searching for matching code fragments in different images.

Here is how you can find the location of TDMLSDS if you have the disassembled code
and some basic knowledge about the C167 opcodes available:

1. Search for references to TDMLSDS in the assembler code of an image
with known symbol addresses (here F-Box is shown):
  ...
  87'FDA6: 8A2D06B0       JB      [B_kuppl], L_87FDB6 (87'FDB6)
  87'FDAA: 9A540460       JNB     [00FDA8h].6, L_87FDB6 (87'FDB6)
  87'FDAE: F3F81513       MOVB    RL4, [TDMLSDS]
  87'FDB2: F7F80DA8       MOVB    [38280Dh], RL4
  ...

2. Select a hex search pattern matching this code sequence,
verify that this search pattern is found only once:
  bash-3.2$ bgrep "8A2DxxB09AxxxxxxF3F8xxxxF7F8xxxxF3F8xxxx" fbox.bin
  fbox.bin: 0007FDA6 -> 8A2D06B09A540460F3F81513F7F80DA8F3F80DA8
-> found only once; note that this address (0007FDA6) matches the assembler code (87'FDA6).

3. You have to know that the bit "B_kuppl" is at FD56.8 for M-Box (FD5A.11 for F-Box),
so the instruction "JB [B_kuppl], address"
has the pattern "8A2Bxx80" in M-Box compared to "8A2DxxB0" in F-Box
(you need to read the C167 documentation to know how the opcodes are encoded :P).

4. Search the corresponding pattern in the M-Box image:
  bash-3.2$ bgrep "8A2Bxx809AxxxxxxF3F8xxxxF7F8xxxx" mbox.bin
  mbox.bin: 0007544A -> 8A2B06809A510400F3F8AC13F7F83BA9
-> also found only once at address 87'544A

5. Check this address in the assembler code of M-box:
  ...
  87'544A: 8A2B0680       JB      [B_kuppl], L_87545A (87'545A)
  87'544E: 9A510400       JNB     [00FDA2h].0, L_87545A (87'545A)
  87'5452: F3F8AC13       MOVB    RL4, [8113ACh]
  87'5456: F7F83BA9       MOVB    [38293Bh], RL4
  ...

-> TDMLSDS is at offset 0x113AC in M-Box as stated by nyet and gremlin (has value 0x33).
julex (Hero Member, Karma: +79/-4, Posts: 923)
« Reply #6 on: May 07, 2011, 08:31:42 PM »
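Steps 2 to 5 of the procedure above, as an added Python example (not setzi62's bgrep and not part of the original thread): a wildcard hex search that insists on a unique hit, followed by decoding of the two instructions that identify the location. The C167 encoding rules it relies on (bits for `bitoff` below 0x80 live in the bit-addressable RAM word at 0xFD00 + 2*bitoff; a 16-bit data operand is a 2-bit DPP selector plus a 14-bit page offset) are standard C167 behaviour; the DPP0 value 0x204 and the flash base 0x800000 are assumptions chosen so that the constructed image reproduces the 13AC -> 81'13AC -> file offset 0x113AC resolution shown in the listing. The sample image is constructed from the two code sequences quoted in the post, not a real F-box or M-box binary.

```python
"""Wildcard hex search over a firmware image plus C167 operand decoding.

Added example modelled on the bgrep workflow in this thread; the sample image
below is constructed, not a real F-box or M-box binary.
"""
import re

# Assumptions (chosen to reproduce the listing's 13AC -> 81'13AC -> 0x113AC):
FLASH_BASE = 0x800000  # file offset 0 corresponds to segment 80'0000 (87'544A is file offset 0x7544A)
DPP_ASSUMED = {0: 0x204, 1: 0x205, 2: 0x206, 3: 0x207}  # DPP0 reproduces the listing; 1-3 are placeholders


def compile_hex_pattern(hex_pattern: str) -> re.Pattern:
    """Turn a bgrep-style pattern such as 'F3F8xxxx' into a bytes regex.

    'xx' is a one-byte wildcard. The body is wrapped in a lookahead so that
    overlapping occurrences are all reported, not just the first of a run.
    """
    digits = hex_pattern.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("hex pattern must contain whole bytes")
    body = b"".join(
        b"." if digits[i:i + 2].lower() == "xx" else re.escape(bytes([int(digits[i:i + 2], 16)]))
        for i in range(0, len(digits), 2)
    )
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def bgrep(image: bytes, hex_pattern: str) -> list:
    """Return every file offset at which the wildcard pattern matches."""
    return [m.start() for m in compile_hex_pattern(hex_pattern).finditer(image)]


def decode_jb_bit(insn: bytes):
    """Decode JB bitaddr,rel (8A <bitoff> <rel> <bit<<4>) into (word address, bit number).

    For bitoff < 0x80 the bit lives in the bit-addressable RAM word at
    0xFD00 + 2*bitoff; SFR and GPR bit offsets are deliberately not handled.
    """
    if len(insn) < 4 or insn[0] != 0x8A:
        raise ValueError("not a JB instruction")
    bitoff, bit = insn[1], insn[3] >> 4
    if bitoff >= 0x80:
        raise ValueError("SFR/GPR bit offsets not handled in this example")
    return 0xFD00 + 2 * bitoff, bit


def decode_movb_rl4_mem(insn: bytes, dpp=DPP_ASSUMED):
    """Decode MOVB RL4,[mem] (F3 F8 <lo> <hi>) into (physical address, file offset).

    The 16-bit operand is a 2-bit DPP selector (bits 15..14) plus a 14-bit
    page offset; the physical address is (DPPn << 14) | offset.
    """
    if len(insn) < 4 or insn[:2] != b"\xF3\xF8":
        raise ValueError("not MOVB RL4,[mem]")
    op = int.from_bytes(insn[2:4], "little")
    physical = (dpp[op >> 14] << 14) | (op & 0x3FFF)
    return physical, physical - FLASH_BASE


def locate_tdmlsds(image: bytes, hex_pattern: str) -> dict:
    """Steps 2-5 of the thread: require exactly one hit, then decode the operands."""
    hits = bgrep(image, hex_pattern)
    if len(hits) != 1:
        raise ValueError(f"pattern must match exactly once, got {len(hits)} hits at {[hex(h) for h in hits]}")
    start = hits[0]
    bit_addr, bit = decode_jb_bit(image[start:start + 4])          # JB [B_kuppl], ...
    physical, file_offset = decode_movb_rl4_mem(image[start + 8:start + 12])  # MOVB RL4, [TDMLSDS]
    return {"match_offset": start, "b_kuppl": (bit_addr, bit),
            "physical": physical, "file_offset": file_offset}


# Constructed sample image: erased flash (0xFF) with the F-box and M-box code
# sequences from the thread's listings placed at arbitrary offsets.
FBOX_SEQ = bytes.fromhex("8A2D06B0" "9A540460" "F3F81513" "F7F80DA8")
MBOX_SEQ = bytes.fromhex("8A2B0680" "9A510400" "F3F8AC13" "F7F83BA9")
SAMPLE_IMAGE = (b"\xFF" * 0x200 + FBOX_SEQ
                + b"\xFF" * (0x44A - 0x200 - len(FBOX_SEQ)) + MBOX_SEQ + b"\xFF" * 0x100)
MBOX_PATTERN = "8A2Bxx80 9Axxxxxx F3F8xxxx F7F8xxxx"  # the M-box pattern from step 4
FBOX_PATTERN = "8A2DxxB0 9Axxxxxx F3F8xxxx F7F8xxxx"

if __name__ == "__main__":
    result = locate_tdmlsds(SAMPLE_IMAGE, MBOX_PATTERN)
    print(f"match at file offset {result['match_offset']:#x}")
    print(f"B_kuppl at {result['b_kuppl'][0]:04X}.{result['b_kuppl'][1]}")
    print(f"TDMLSDS physical {result['physical']:06X}, file offset {result['file_offset']:#x}")
```

The unique-hit check is the part worth keeping when you reuse this on other images: a wildcard pattern that hits twice tells you nothing about which copy is the one you want, so widen the pattern (as step 2 does with a fifth instruction) until it hits once.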

Thanks for all your help, I am starting the IDA disassembly though, so wish me luck and not many headaches :)
julex (Hero Member, Karma: +79/-4, Posts: 923)
« Reply #7 on: May 09, 2011, 05:13:12 PM »

> Quote from: julex
> Thanks for all your help, I am starting the IDA disassembly though, so wish me luck and not many headaches :)

Does anybody have info as to what the entry point for IDA should be for the M-box.... thanks!
phila_dot (Hero Member, Karma: +173/-11, Posts: 1709)
« Reply #8 on: May 09, 2011, 06:13:47 PM »

> Quote from: julex
> Thanks for all your help, I am starting the IDA disassembly though, so wish me luck and not many headaches :)
>
> Does anybody have info as to what the entry point for IDA should be for the M-box.... thanks!

I use the info posted in the thread below and Andy Whittaker's site. I am pretty lost when it comes to IDA though. It would be great if someone skilled did a DIY thread or posted a properly disassembled file, maybe even commented.

http://www.nefariousmotorsports.com/forum/index.php/topic,35.0title,.html
nyet (Administrator, Hero Member, Karma: +607/-168, Posts: 12268)
« Reply #9 on: May 11, 2011, 11:10:33 PM »

> Quote from: julex
> I have a suspicion that this little variable is the ticket for no-lift shift.

make any progress on this?
julex (Hero Member, Karma: +79/-4, Posts: 923)
« Reply #10 on: May 12, 2011, 07:07:39 AM »

> Quote from: nyet
> > Quote from: julex
> > I have a suspicion that this little variable is the ticket for no-lift shift.
>
> make any progress on this?

Well, yes and no. This one was a blind valley.

However SmileySmileySmiley

Eurodyne has this working in their Maestro software, so I figured it is just a matter of finding out how. Eurodyne's stuff is encrypted though, so it would be hard to look at the actual tune file, and my attempts to Galletto it out in BOOT also didn't work for some strange reason.... They naturally disabled normal flash access to the ROM.

I found a loophole though. Turns out hooking up windbg and dumping the content of Maestro's memory space yields a cool tune file, since they don't encrypt memory (duh), that is nothing else than the M-box binary with the usual maps changed plus a very interesting piece of assembly code that provides anti-lag facilities. Basically they altered one of the standard code's jumps to go to their custom piece of code located just before the end of the binary. I am not sure what the standard code does, but it looks like it must be controlling the actual spark event. In the custom code they compare a couple of EEPROM space values (where the tune keeps mph for launch control, RPMs and how long to interrupt the spark event for no-lift-shift) to the current car running values and the amount of time elapsed for no-lift-shift.

I will need some help with altering this code to go to an alternate memory space location somewhere in the standard maps range, where I will set up the three new scalars (DWORDs) to control the thing.


I will post the code I see later on.

Thanks.