Author Topic: M3.8.x Memory Map for IDA / GHIDRA  (Read 2816 times)
ecuprog7
« on: June 26, 2023, 05:21:22 AM »

Hi, I am trying to reverse parts of the K-line comm on these old ECUs but I can't figure out the memory mapping. As I understand it, the external memory needs to be paged with additional port pins to access more than 64kB. As far as I see, there are write commands to 0xcxxx and 0xexxx. Can someone please help with this paging? A schematic would also be cool!
Thanks in advance, ecuprog
elias
« Reply #1 on: June 26, 2023, 01:54:23 PM »

I have no idea about the M3.8.x but I can tell you how MED9.1 deals with KWP2000 and what to look for.

You would expect something like "if SID==1 then <process service1>, elseif SID == 2 then <process service2>". However, in MED9 the whole process is done via a "map". So basically there is an array of structs which looks like this:
Code:
struct {
    uint8_t sid;                  /* <SID>: the service identifier byte */
    /* <some data> */
    void (*handler)(void);        /* <memory address of corresponding function> */
    /* <some data> */
};                                /* field names chosen here for illustration only */

There is a for loop which loops over these structs and then executes the code. I think it has been done to allow new services to be added later without much "rewriting" of the code.

Have a look in your binary to see if you can find such maps. Look for common SIDs like startDiagnosticSession, ecuReset etc. The list of SIDs is well defined and you can try out which ones your ECU supports.

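One way to put the advice above into practice, as an added example that is not code from the thread or from any Bosch firmware: build a constructed flash image containing a small table of {SID, data, handler address, data} records, then scan it for runs of records whose SID is a well-known KWP2000 request SID and whose handler field points into a plausible code region. The record layout (8 bytes, big-endian handler pointer), the code-region bounds and the sample image are all assumptions chosen for the demonstration; the SID list is the standard ISO 14230 one. The `dispatch` function mirrors the for-loop lookup the post describes.

```python
"""Locate a table-driven KWP2000 service dispatch map in a firmware image.

Added example (not code from the thread). Record layout, code region and
the sample image are constructed assumptions for illustration.
"""
import struct

# Well-known KWP2000 (ISO 14230-3) request service identifiers.
KNOWN_SIDS = {
    0x10: "startDiagnosticSession",
    0x11: "ecuReset",
    0x14: "clearDiagnosticInformation",
    0x18: "readDiagnosticTroubleCodesByStatus",
    0x1A: "readEcuIdentification",
    0x21: "readDataByLocalIdentifier",
    0x22: "readDataByCommonIdentifier",
    0x23: "readMemoryByAddress",
    0x27: "securityAccess",
    0x31: "startRoutineByLocalIdentifier",
    0x3D: "writeMemoryByAddress",
    0x3E: "testerPresent",
}

# Assumed record layout: sid (1), flags (1), handler address (4, big-endian), reserved (2).
RECORD = struct.Struct(">BBIH")
# Assumed address range that holds executable code in the image.
CODE_BASE, CODE_END = 0x00010000, 0x00200000


def record_is_plausible(sid, handler):
    """A record looks real if its SID is known and its handler lies in code."""
    return sid in KNOWN_SIDS and CODE_BASE <= handler < CODE_END


def find_dispatch_maps(image, min_run=4):
    """Return [(offset, [(sid, handler), ...])] for every run of plausible records.

    The scan slides one byte at a time so it does not depend on table alignment;
    after a hit it skips past the run so sub-runs are not reported again.
    """
    hits = []
    off = 0
    while off + RECORD.size <= len(image):
        run = []
        pos = off
        while pos + RECORD.size <= len(image):
            sid, _flags, handler, _reserved = RECORD.unpack_from(image, pos)
            if not record_is_plausible(sid, handler):
                break
            run.append((sid, handler))
            pos += RECORD.size
        if len(run) >= min_run:
            hits.append((off, run))
            off = pos
        else:
            off += 1
    return hits


def dispatch(run, sid):
    """Mirror the firmware's loop: walk the table and return the handler for sid."""
    for entry_sid, handler in run:
        if entry_sid == sid:
            return handler
    return None          # unsupported service: the real code would send a negative response


def build_sample_image():
    """Constructed image: zero filler, a byte ramp as noise, then a 5-entry map."""
    image = bytearray(b"\x00" * 0x100)
    image += bytes(range(256))
    for i, sid in enumerate([0x10, 0x11, 0x1A, 0x27, 0x3E]):
        image += RECORD.pack(sid, 0, 0x00018000 + i * 0x40, 0)
    image += b"\xff" * 0x80
    return bytes(image)


if __name__ == "__main__":
    for offset, run in find_dispatch_maps(build_sample_image()):
        print("possible dispatch map at 0x%04x:" % offset)
        for sid, handler in run:
            print("  SID 0x%02x %-36s -> 0x%08x" % (sid, KNOWN_SIDS[sid], handler))
```

On a real dump you would replace `build_sample_image()` with the file contents and adjust `RECORD` and the code bounds to the target; the byte-ramp noise in the sample shows why the handler-address check matters, since the ramp contains every known SID value but no pointer into the code region.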
prj
« Reply #2 on: June 26, 2023, 02:36:21 PM »

> I have no idea about the M3.8.x but i can tell you how MED9.1 deals with KWP2000 and what to look for.

KWP2000 in a 1995 ecu? Dude... nope.
The ECU is KW1281.

KWP2000 wasn't even invented yet.

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
ecuprog7
« Reply #3 on: June 27, 2023, 04:31:15 AM »

Yeah, it's KW1281. I'm trying to find out if (and how) it's possible to write to RAM over OBD.
I added the wiring diagram reversed so far.
ecuprog7
« Reply #4 on: July 05, 2023, 04:34:04 AM »

I think I got it.
The paging is done with the PLCC-68 S9652AD SCL4402-V4. This chip is a parallel memory-mapped I/O expander.
Code:
                             *************************************************************
                             *                           FUNCTION                         
                             *************************************************************
                             undefined  __stdcall  FUN_RAM_226c (void )
             undefined         R1C:1          <RETURN>
                             FUN_RAM_226c
        RAM:226c b3  01  41       LDB        RF0 ,DAT_RAM_e041 , LOOKUP[ZR]                    = ??
                 e0  f0
        RAM:2271 71  f0  f0       ANDB       RF0 ,#0xF0
        RAM:2274 91  04  f0       ORB        RF0 ,#0x4
        RAM:2277 c7  01  40       STB        RF0 ,DAT_RAM_e040 , LOOKUP[ZR]                    = ??
                 e0  f0
        RAM:227c e7  81  9d       LJMP       FUN_Code_10000-14000__c000                       undefined FUN_Code_10000-14000__
                             -- Flow Override: CALL_RETURN (CALL_TERMINATOR)

The current page seems to be read from address 0xe041; the new page is written to 0xe040. On init, 0x33 is written to 0xe040. The page size is 0x4000 and paging only applies to the memory region 0xc000 to 0xffff.
For now I guess page 3 is ROM 0xc000-0xffff, 4 is the next (0x10000-0x14000) and so on. I need to prove this with some tests.
The instructions are always fetched from ROM; reads/writes to 0xc000-0xffff go to RAM and the expander ASIC. I guess this is done with the INST pin; that also needs testing.
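The paging scheme in the post above, turned into a small address-translation helper as an added example (not code from the thread). It encodes the poster's working hypothesis, which is still an assumption until tested: a 0x4000-byte window at 0xc000-0xffff, the page number carried in the low nibble of the register at 0xe040 (read back at 0xe041, with the high nibble preserved exactly as the LDB/ANDB/ORB/STB sequence in the listing does), page 3 being the ROM at linear 0xc000-0xffff and page 4 the next 0x4000 bytes at 0x10000. The linear-address formula and the segment description format are my choices for the example.

```python
"""Page-window address helper for the M3.8 bank-switching hypothesis.

Added example, not code from the thread. The mapping below is the poster's
untested assumption: linear = page * 0x4000 + (addr - 0xc000) for addresses
inside the 0xc000-0xffff window; everything below 0xc000 is unpaged.
"""

WINDOW_START = 0xC000
WINDOW_SIZE = 0x4000
PAGE_REG_WRITE = 0xE040      # from the listing: STB to DAT_RAM_e040
PAGE_REG_READ = 0xE041       # from the listing: LDB from DAT_RAM_e041
PAGE_MASK = 0x0F             # ANDB #0xF0 keeps the high nibble, ORB sets the page


def page_from_register(value):
    """Page number encoded in the expander register (low nibble, assumed)."""
    return value & PAGE_MASK


def select_page(register_value, page):
    """Mirror FUN_RAM_226c: keep the high nibble of the register, set the page."""
    if not 0 <= page <= PAGE_MASK:
        raise ValueError("page %d does not fit in the low nibble" % page)
    return (register_value & 0xF0) | page


def to_linear(page, addr):
    """Translate a 16-bit CPU address to a linear address for the given page.

    Addresses below the window are not paged and are returned unchanged.
    """
    if not 0 <= addr <= 0xFFFF:
        raise ValueError("not a 16-bit address: 0x%x" % addr)
    if addr < WINDOW_START:
        return addr
    return page * WINDOW_SIZE + (addr - WINDOW_START)


def from_linear(linear):
    """Inverse of to_linear for the paged region: returns (page, window address)."""
    if linear < WINDOW_START:
        raise ValueError("0x%x lies below the paged region" % linear)
    page, offset = divmod(linear, WINDOW_SIZE)
    return page, WINDOW_START + offset


def page_segments(image, image_base):
    """Describe a flat dump as (page, linear_start, window_start, size) tuples.

    image_base is the linear address of image[0] and is assumed page aligned;
    a dump of the ROM that starts at 0xc000 would pass image_base=0xC000.
    These tuples are what you would turn into overlay blocks in Ghidra or
    segments in IDA, one per page, all sharing the 0xc000 window.
    """
    if image_base % WINDOW_SIZE:
        raise ValueError("image_base must be a multiple of 0x%x" % WINDOW_SIZE)
    first_page = image_base // WINDOW_SIZE
    segments = []
    for i in range(0, len(image), WINDOW_SIZE):
        page = first_page + i // WINDOW_SIZE
        size = min(WINDOW_SIZE, len(image) - i)
        segments.append((page, image_base + i, WINDOW_START, size))
    return segments


if __name__ == "__main__":
    reg = 0x33                          # value written to 0xe040 at init
    print("page after init: %d" % page_from_register(reg))
    reg = select_page(reg, 4)           # the sequence in FUN_RAM_226c
    target = to_linear(page_from_register(reg), 0xC000)
    print("LJMP 0xc000 with page %d -> linear 0x%05x" % (page_from_register(reg), target))
    for seg in page_segments(bytes(0xC000), 0xC000):
        print("page %d: linear 0x%05x, window 0x%04x, size 0x%04x" % seg)
```

Run against the listing: the init value 0x33 selects page 3, so a jump to 0xc000 lands on the ROM at linear 0xc000; after `select_page` sets the low nibble to 4, the same `LJMP 0xc000` resolves to linear 0x10000, which is exactly the `FUN_Code_10000-14000__c000` label Ghidra shows. If the test the poster plans disproves the page-3/page-4 assignment, only `to_linear` and `from_linear` need changing.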
biela
« Reply #5 on: December 26, 2023, 09:33:19 AM »

Hello

Did you manage to load the M3.8 file in IDA?
I have tried with values in the ds and wsr segment registers.

Thanks

Racing is life. Anything that happens before or after is just waiting
ecuprog7
« Reply #6 on: December 27, 2023, 04:41:14 AM »

I never tried IDA; I started with Ghidra but have not yet been successful in getting the jumps to paged memory resolved by the analysis functions.
I do not understand the concept of context variables in SLEIGH. I tried to integrate the external port expander into the processor model to get a 24-bit address range, but so far SLEIGH is too much black magic for me.
prj
« Reply #7 on: December 27, 2023, 06:44:07 AM »

80C196 is an abomination, I do not understand why anyone would want to waste their time on it in 2023.
ecuprog7
« Reply #8 on: February 19, 2024, 02:30:53 AM »

Got the XOR key for the seed-key algo of the M38/M59 bootloader. The key is 0x18932250; the algo is described here: http://nefariousmotorsports.com/forum/index.php?topic=4983.0.
Has someone managed to read out the boot ROM?