Pages: [1]
Author Topic: ME7.5 and C167  (Read 14252 times)
Ionut
Full Member
***

Karma: +4/-3
Offline Offline

Posts: 89


« on: December 19, 2013, 03:55:14 AM »

Hello.
I`m new in dissasembly ecu (yesterday first day Tongue ).
I Work with IDA Pro and 032AF file.
I know C167 has internal ROM and flash and is connected to 29F400BB / 29F800BB.

Firstly, i`m curious the IMMO check routine is stored in external flash or in internal processor`s flash?
Secondly, On C167 datasheet i`ve didn`t found the way processor boots-up. Wich routine is called. If Reset is performed first, wich routine is next?
And how maps are called from software?
For example i have the KFMIRL map starting at 0x123DC but didn`t found that part in dissasembled flash image.

Could you please help me understand where map selection routine begins and how is made?

Thank you in advance.
Logged
Aurélien
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 60


« Reply #1 on: December 22, 2013, 07:10:02 AM »

Where is your CPU read ?
Logged
Ionut
Full Member
***

Karma: +4/-3
Offline Offline

Posts: 89


« Reply #2 on: December 22, 2013, 10:02:35 AM »

as i know, there are 2 types of dump.

For example, how to find map address and entry point from attached dump?
Logged
Aurélien
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 60


« Reply #3 on: December 22, 2013, 12:29:25 PM »

I don't think you can use C167 from RS4/S4 to disassemble 1.8T file.

I'm not sure about the memory mapping for 29F400 file but I would do the following :

A_ Load your IROM C167 binary first to defaut value
B_ Create your IRAM segment 0xE000 length 0x10000
C_ Load your ROM 06A906032AF file at 0x800000 length defaut value ( file size )
D_ Create your RAM segment at 0x380000 length 0x20000

The code and data follow that structure :

CODE1 0x800000 - 0x80FFFF , length 0x0000FFFF
DATA1 0x810000 - 0x81FFFF , length 0x0000FFFF
CODE2 0x820000 - 0x87FFFF , length 0x0005FFFF

At first, select whole code1 and press C, ignore error. Same for code 2.

Then go to map adress ( don't forget there is a 0x800000 offset compared to winols ), give the right shape ( create array ) and follow xref.
Good luck.
Logged
Ionut
Full Member
***

Karma: +4/-3
Offline Offline

Posts: 89


« Reply #4 on: December 22, 2013, 01:55:19 PM »

ok, so let me understand. I need to load default IROM (32K) inside Ida Pro. After this i need to load the 512K (my dump from ECU)?
But how ca i find the boot sequenc and where maps are loaded?
I want this mainly because i want to know how is selected KLBTS and where is located TABGBTS in my file.
Logged
Aurélien
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 60


« Reply #5 on: December 23, 2013, 03:14:05 AM »

Yes.

You maps will be in the data area :

DATA1 0x810000 - 0x81FFFF , length 0x0000FFFF

Go in winols and look for KFLBTS, go to that adress ( + offset 0x800000 ) in IDA and follow XREF, there should only have 1 subroutine.

This subroutine will tell you how it works after you analyse it. You will also find map axis and other LBTS related maps.
Logged
Ionut
Full Member
***

Karma: +4/-3
Offline Offline

Posts: 89


« Reply #6 on: December 23, 2013, 03:50:28 AM »

do my kfmirl address that i should search for is 0x800000 + 0x123dc ?
that means 0x8123dc ?
Logged
Aurélien
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 60


« Reply #7 on: December 23, 2013, 11:30:09 AM »

Yes, KFMIRL Z data will be at 0x8123DC in that case.  Wink
Logged
Ionut
Full Member
***

Karma: +4/-3
Offline Offline

Posts: 89


« Reply #8 on: December 23, 2013, 02:43:17 PM »

searched all refs to 0x123dc, 0x123dc and nothing found. Did i miss something?
Logged
Aurélien
Full Member
***

Karma: +4/-0
Offline Offline

Posts: 60


« Reply #9 on: December 23, 2013, 04:29:49 PM »

Yes. How map is referenced.

Look for KFLDRL, it's easier. If you find a reference to that map, you are doing it right.
Logged
Ionut
Full Member
***

Karma: +4/-3
Offline Offline

Posts: 89


« Reply #10 on: December 24, 2013, 02:14:49 AM »

i can`t find anything related to 812C94h wich is address of KFLDRL.
Logged
dream3R
Hero Member
*****

Karma: +18/-8
Offline Offline

Posts: 1194


« Reply #11 on: December 24, 2013, 04:56:24 AM »

It will be offset my DPP so try masking more off
Logged



How to work out values from an A2L Smiley

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting Rev's http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

noobs read this before asking http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORGORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORGINAL finder of the 'extra' torque' limits
I don't have ME7.01 A2L I just use ID
Ionut
Full Member
***

Karma: +4/-3
Offline Offline

Posts: 89


« Reply #12 on: January 04, 2014, 04:27:18 PM »

How can i read my C167 dump? i have a Galleto and VCDS and bench setup for it.
I`ve made the 10x16 array of KFLDR and looks like on WinOLS, but how do i find xrefs? http://screencast.com/t/ZAwDhocKgsR
« Last Edit: January 04, 2014, 05:49:31 PM by Ionut » Logged
geo22
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 5


« Reply #13 on: August 06, 2019, 11:17:47 PM »

Bump!

Not to create new topic can I ask here?
Now Im trying to dig into c167 disassembly. How can I find where is addressing to a particular map? Found a map address in the a2l but there is no direct link from code section to this map. So I guess its some kind of indirect addressing. Could someone give me a tip where to search?

 
Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.021 seconds with 17 queries. (Pretty URLs adds 0.001s, 0q)