dream3R
« Reply #330 on: January 28, 2016, 10:19:01 PM »
> It can be read from more than one address. I used another but I see now that 0xC0000 also works. I had to make a correct read before sleep. btw there is also a statement earlier in thread that does not seem correct about addressing and memory.
Statement by me? Surely you must rely on the datasheet, but remember PBL will be OE. I've noticed some 0xC2000 in some VAG code recently, not Haldex though, but it caught me out.
« Last Edit: January 28, 2016, 10:20:36 PM by dream3R »
DT
Full Member
Karma: +20/-1
Offline
Posts: 184
« Reply #331 on: January 29, 2016, 01:37:04 AM »
> Statement by me? Surely you must rely on the datasheet, but remember PBL will be OE. I've noticed some 0xC2000 in some VAG code recently, not Haldex though, but it caught me out.
Not by you (I think)
dream3R
« Reply #332 on: January 29, 2016, 11:51:35 AM »
> Not by you (I think)
Cool, best quote it and correct it for the integrity of the thread then?
nyet
« Reply #333 on: January 29, 2016, 03:35:12 PM »
> Cool, best quote it and correct it for the integrity of the thread then?
Let me know what post it is and I will edit it.
DT
« Reply #334 on: January 29, 2016, 06:54:42 PM »
Well, I said: Does not seem correct.
It's John's statement that it is a c167cr-lm without boot rom. Either I don't yet get the addressing of FLASH or there is a 128kb rom in cpu. Because I can get a second 128kb rom at 0x0 that also has the usual trap/int jump table at start.
dream3R
« Reply #335 on: January 29, 2016, 07:04:40 PM »
> Well, I said: Does not seem correct.
> It's John's statement that it is a c167cr-lm without boot rom. Either I don't yet get the addressing of FLASH or there is a 128kb rom in cpu. Because I can get a second 128kb rom at 0x0 that also has the usual trap/int jump table at start.
I had a peek and it does say romless, weird... http://www.infineon.com/cms/en/product/microcontroller/legacy-products-c500-c166-xc166-audo1-family/c166-registered-family/c167cr%E2%81%84sr/channel.html?channel=ff80808112ab681d0112ab6b32eb0767
• C167CR-LM Version with PLL, 2 KByte XRAM, CAN module
• C167CR-4RM Version with PLL, 2 KByte XRAM, 32 KByte ROM, CAN module
• C167CR-16RM Version with PLL, 2 KByte XRAM, 128 KByte ROM, CAN module
• C167SR-LM Version with PLL, 2 KByte XRAM
Note: Accesses to the internal ROM area on ROMless devices will produce unpredictable results.
http://www.infineon.com/dgdl/c167cr_um_v3.2_2003_05.pdf?fileId=db3a304412b407950112b41d8c0f3058
« Last Edit: January 29, 2016, 07:10:28 PM by dream3R »
DT
« Reply #336 on: January 29, 2016, 07:07:26 PM »
More important is that the 0006 flash from ccyberwing does not seem correct. But that file has been invaluable anyway for my work. Thank you Tom! I can see that a correctly read flash is perfect in IDA without jmp/calls to ASCII tables.
dream3R
« Reply #337 on: January 29, 2016, 07:13:52 PM »
Interesting:
Figure 14-1 Bootstrap Loader Sequence
The Bootstrap Loader may be used to load the complete application software into ROMless systems, it may load temporary software into complete systems for testing or calibration, it may also be used to load a programming routine for Flash devices. The BSL mechanism may be used for standard system startup as well as only for special occasions like system maintenance (firmware update) or end-of-line programming or testing.
DT
« Reply #338 on: January 29, 2016, 07:15:21 PM »
It could be that the second 128kb might be the second half of a 256kb flash in a later version of the ecu. But strange that it is addressed like it is and that it even exists.
attached first 32kb of mentioned from a late version of ecu which holds a 29f200b and that is probably where this binary is from
edit: I see now that this is not to be found in the earlier versions of ECU. There is a picture or two in the thread of that early version with only a 29f100.
« Last Edit: January 29, 2016, 07:20:50 PM by DT »
DT
« Reply #339 on: January 29, 2016, 07:38:11 PM »
old ecu with 29f100 flash and C167SR-LC
« Last Edit: January 29, 2016, 08:23:13 PM by DT »
ccyberwing
Newbie
Karma: +7/-0
Offline
Posts: 19
« Reply #340 on: January 30, 2016, 02:53:45 AM »
Right - this is the ECU where I read my first 29f100 file.
DT
« Reply #341 on: January 30, 2016, 08:02:31 PM »
Probably the checksum check. Who is quick to explain this?

ROM:46DA ; =============== S U B R O U T I N E =======================================
ROM:46DA sub_46DA:                    ; CODE XREF: sub_4738+34p
ROM:46DA mov [-r0], r9
ROM:46DC mov [-r0], r8
ROM:46DE mov [-r0], r7
ROM:46E0 mov [-r0], r6
ROM:46E2 mov r8, #0
ROM:46E4 mov r9, #0
ROM:46E6 mov r6, #418Ch
ROM:46EA mov r1, r12
ROM:46EC shl r1, #2
ROM:46EE sub r1, r12
ROM:46F0 shl r1, #2
ROM:46F2 add r6, r1
ROM:46F4 mov r14, [r6]
ROM:46F6 mov r15, [r6+2]
ROM:46FA mov r4, [r1+4194h]
ROM:46FE mov r5, [r1+4196h]
ROM:4702 mov r7, r4
ROM:4704 mov r4, [r6]
ROM:4706 mov r5, [r6+2]
ROM:470A sub r7, r4
ROM:470C mov r13, #0
ROM:470E jmpr cc_UC, loc_4726
ROM:4710 ; ---------------------------------------------------------------------------
ROM:4710 loc_4710:                    ; CODE XREF: sub_46DA+4Ej
ROM:4710 mov r4, r14
ROM:4712 mov r5, r15
ROM:4714 calls 0, sub_48F4
ROM:4718 mov DPP0, #0
ROM:471C add r8, r10
ROM:471E addc r9, r11
ROM:4720 add r13, #4
ROM:4722 add r14, #4
ROM:4724 addc r15, #0
ROM:4726 loc_4726:                    ; CODE XREF: sub_46DA+34j
ROM:4726 cmp r13, r7
ROM:4728 jmpr cc_C, loc_4710
ROM:472A mov r4, r8
ROM:472C mov r5, r9
ROM:472E mov r6, [r0+]
ROM:4730 mov r7, [r0+]
ROM:4732 mov r8, [r0+]
ROM:4734 mov r9, [r0+]
ROM:4736 ret
ROM:4736 ; End of function sub_46DA

ROM:4738 ; =============== S U B R O U T I N E =======================================
ROM:4738 sub_4738:                    ; CODE XREF: ROM:43A2p
ROM:4738 mov [-r0], r9
ROM:473A mov [-r0], r8
ROM:473C mov [-r0], r7
ROM:473E mov r9, #0
ROM:4740 loc_4740:                    ; CODE XREF: sub_4738+48j
ROM:4740 movb rl4, [r9+0F768h]
ROM:4744 movbs r4, rl4
ROM:4746 cmp r4, #0FFFFh
ROM:474A jmpr cc_NZ, loc_477C
ROM:474C mov r4, r9
ROM:474E shl r4, #2
ROM:4750 sub r4, r9
ROM:4752 shl r4, #2
ROM:4754 mov r10, r4
ROM:4756 mov r4, [r10+4194h]
ROM:475A mov r5, [r10+4196h]
ROM:475E calls 0, sub_48F4
ROM:4762 mov DPP0, #0
ROM:4766 mov r7, r10
ROM:4768 mov r8, r11
ROM:476A mov r12, r9
ROM:476C callr sub_46DA
ROM:476E sub r4, r7
ROM:4770 subc r5, r8
ROM:4772 jmpr cc_Z, loc_477C
ROM:4774 mov r4, #0FFFFh
ROM:4778 sub r4, r9
ROM:477A jmpr cc_UC, loc_4784
ROM:477C ; ---------------------------------------------------------------------------
ROM:477C loc_477C:                    ; CODE XREF: sub_4738+12j
ROM:477C                              ; sub_4738+3Aj
ROM:477C add r9, #1
ROM:477E cmp r9, #5
ROM:4780 jmpr cc_C, loc_4740
ROM:4782 mov r4, #0
ROM:4784 loc_4784:                    ; CODE XREF: sub_4738+42j
ROM:4784 mov r7, [r0+]
ROM:4786 mov r8, [r0+]
ROM:4788 mov r9, [r0+]
ROM:478A ret
ROM:478A ; End of function sub_4738

ROM:478C ; =============== S U B R O U T I N E =======================================
ROM:478C sub_478C:                    ; CODE XREF: sub_47E6+52p
ROM:478C                              ; sub_47E6+A2p
ROM:478C mov [-r0], r9
ROM:478E mov [-r0], r6
ROM:4790 mov r9, r12
ROM:4792 mov r6, #0F768h
ROM:4796 add r6, r9
ROM:4798 movb rl4, [r6]
ROM:479A movbs r4, rl4
ROM:479C cmp r4, #0FFFFh
ROM:47A0 jmpr cc_NZ, loc_47A6
ROM:47A2 mov r4, #0
ROM:47A4 jmpr cc_UC, loc_47E0
ROM:47A6 ; ---------------------------------------------------------------------------
ROM:47A6 loc_47A6:                    ; CODE XREF: sub_478C+14j
ROM:47A6 movb rl4, [r6]
ROM:47A8 cmpb rl4, #1
ROM:47AA jmpr cc_NZ, loc_47B2
ROM:47AC mov r4, #0FFFAh
ROM:47B0 jmpr cc_UC, loc_47E0
ROM:47B2 ; ---------------------------------------------------------------------------
ROM:47B2 loc_47B2:                    ; CODE XREF: sub_478C+1Ej
ROM:47B2 mov r4, r9
ROM:47B4 shl r4, #2
ROM:47B6 sub r4, r9
ROM:47B8 shl r4, #2
ROM:47BA mov r12, [r4+418Ch]
ROM:47BE mov r13, [r4+418Eh]
ROM:47C2 mov r4, word_F76E
ROM:47C6 mov r5, word_F770
ROM:47CA calls 0, sub_48EE
ROM:47CE cmp r4, #0
ROM:47D0 jmpr cc_Z, loc_47D8
ROM:47D2 mov r4, #0FFFBh
ROM:47D6 jmpr cc_UC, loc_47E0
ROM:47D8 ; ---------------------------------------------------------------------------
ROM:47D8 loc_47D8:                    ; CODE XREF: sub_478C+44j
ROM:47D8 movb rl4, #0FFh
ROM:47DC movb [r6], rl4
ROM:47DE mov r4, #0
ROM:47E0 loc_47E0:                    ; CODE XREF: sub_478C+18j
ROM:47E0                              ; sub_478C+24j ...
ROM:47E0 mov r6, [r0+]
ROM:47E2 mov r9, [r0+]
ROM:47E4 ret
ROM:47E4 ; End of function sub_478C
Continued in next post
DT
« Reply #342 on: January 30, 2016, 08:03:43 PM »
ROM:47E6 ; =============== S U B R O U T I N E =======================================
ROM:47E6 sub_47E6:                    ; CODE XREF: ROM:42FAp
ROM:47E6 mov [-r0], r13
ROM:47E8 mov [-r0], r12
ROM:47EA mov [-r0], r9
ROM:47EC mov [-r0], r8
ROM:47EE mov [-r0], r7
ROM:47F0 mov [-r0], r6
ROM:47F2 mov r6, r14
ROM:47F4 mov r7, r15
ROM:47F6 mov r9, #0
ROM:47F8 loc_47F8:                    ; CODE XREF: sub_47E6+B2j
ROM:47F8 mov r4, r9
ROM:47FA shl r4, #2
ROM:47FC sub r4, r9
ROM:47FE shl r4, #2
ROM:4800 mov r10, [r4+418Ch]
ROM:4804 mov r11, [r4+418Eh]
ROM:4808 mov r4, [r0+8]
ROM:480C mov r5, [r0+0Ah]
ROM:4810 sub r4, r10
ROM:4812 subc r5, r11
ROM:4814 jmpr cc_C, loc_4894
ROM:4816 mov r4, #4190h
ROM:481A mov r5, r9
ROM:481C shl r5, #2
ROM:481E sub r5, r9
ROM:4820 shl r5, #2
ROM:4822 add r4, r5
ROM:4824 mov r10, [r4+]
ROM:4826 mov r11, [r4]
ROM:4828 mov r4, [r0+8]
ROM:482C mov r5, [r0+0Ah]
ROM:4830 sub r4, r10
ROM:4832 subc r5, r11
ROM:4834 jmpr cc_NC, loc_4894
ROM:4836 mov r12, r9
ROM:4838 callr sub_478C
ROM:483A mov r8, r4
ROM:483C cmp r4, #0
ROM:483E jmpr cc_Z, loc_4844
ROM:4840 mov r4, r8
ROM:4842 jmpr cc_UC, loc_489E
ROM:4844 ; ---------------------------------------------------------------------------
ROM:4844 loc_4844:                    ; CODE XREF: sub_47E6+58j
ROM:4844 mov r4, r9
ROM:4846 shl r4, #2
ROM:4848 sub r4, r9
ROM:484A shl r4, #2
ROM:484C mov r10, [r4+4190h]
ROM:4850 mov r11, [r4+4192h]
ROM:4854 sub r10, r6
ROM:4856 subc r11, r7
ROM:4858 jmpr cc_ULE, loc_485E
ROM:485A mov r4, #0
ROM:485C jmpr cc_UC, loc_489E
ROM:485E ; ---------------------------------------------------------------------------
ROM:485E loc_485E:                    ; CODE XREF: sub_47E6+72j
ROM:485E add r9, #1
ROM:4860 jmpr cc_UC, loc_4890
ROM:4862 ; ---------------------------------------------------------------------------
ROM:4862 loc_4862:                    ; CODE XREF: sub_47E6+ACj
ROM:4862 mov r1, r9
ROM:4864 shl r1, #2
ROM:4866 sub r1, r9
ROM:4868 shl r1, #2
ROM:486A mov r4, [r1+418Ch]
ROM:486E mov r5, [r1+418Eh]
ROM:4872 sub r4, r6
ROM:4874 subc r5, r7
ROM:4876 jmpr cc_UGT, loc_488E
ROM:4878 mov r4, [r1+4190h]
ROM:487C mov r5, [r1+4192h]
ROM:4880 sub r4, r6
ROM:4882 subc r5, r7
ROM:4884 jmpr cc_ULE, loc_488E
ROM:4886 mov r12, r9
ROM:4888 calla cc_UC, sub_478C
ROM:488C jmpr cc_UC, loc_489E
ROM:488E ; ---------------------------------------------------------------------------
ROM:488E loc_488E:                    ; CODE XREF: sub_47E6+90j
ROM:488E                              ; sub_47E6+9Ej
ROM:488E add r9, #1
ROM:4890 loc_4890:                    ; CODE XREF: sub_47E6+7Aj
ROM:4890 cmp r9, #5
ROM:4892 jmpr cc_C, loc_4862
ROM:4894 loc_4894:                    ; CODE XREF: sub_47E6+2Ej
ROM:4894                              ; sub_47E6+4Ej
ROM:4894 add r9, #1
ROM:4896 cmp r9, #5
ROM:4898 jmpr cc_C, loc_47F8
ROM:489A mov r4, #0FFFCh
ROM:489E loc_489E:                    ; CODE XREF: sub_47E6+5Cj
ROM:489E                              ; sub_47E6+76j ...
ROM:489E mov r6, [r0+]
ROM:48A0 mov r7, [r0+]
ROM:48A2 mov r8, [r0+]
ROM:48A4 mov r9, [r0+]
ROM:48A6 add r0, #4
ROM:48A8 ret
ROM:48A8 ; End of function sub_47E6

ROM:48AA ; =============== S U B R O U T I N E =======================================
ROM:48AA sub_48AA:                    ; CODE XREF: ROM:4248p
ROM:48AA mov r12, #0
ROM:48AC loc_48AC:                    ; CODE XREF: sub_48AA+40j
ROM:48AC mov r13, r12
ROM:48AE shl r13, #2
ROM:48B0 sub r13, r12
ROM:48B2 shl r13, #2
ROM:48B4 mov r4, [r13+418Ch]
ROM:48B8 mov r5, [r13+418Eh]
ROM:48BC sub r4, word_41C8
ROM:48C0 subc r5, word_41CA
ROM:48C4 jmpr cc_UGT, loc_48E0
ROM:48C6 mov r4, [r13+4190h]
ROM:48CA mov r5, [r13+4192h]
ROM:48CE sub r4, word_41C8
ROM:48D2 subc r5, word_41CA
ROM:48D6 jmpr cc_ULE, loc_48E0
ROM:48D8 movb rl4, #1
ROM:48DA movb [r12+0F768h], rl4
ROM:48DE jmpr cc_UC, loc_48E6
ROM:48E0 ; ---------------------------------------------------------------------------
ROM:48E0 loc_48E0:                    ; CODE XREF: sub_48AA+1Aj
ROM:48E0                              ; sub_48AA+2Cj
ROM:48E0 movb rl4, #0
ROM:48E2 movb [r12+0F768h], rl4
ROM:48E6 loc_48E6:                    ; CODE XREF: sub_48AA+34j
ROM:48E6 add r12, #1
ROM:48E8 cmp r12, #5
ROM:48EA jmpr cc_C, loc_48AC
ROM:48EC ret
ROM:48EC ; End of function sub_48AA

ROM:48EE ; =============== S U B R O U T I N E =======================================
ROM:48EE sub_48EE:                    ; CODE XREF: ROM:434EP
ROM:48EE                              ; ROM:43DCP ...
ROM:48EE push r5
ROM:48F0 push r4
ROM:48F2 rets
ROM:48F2 ; End of function sub_48EE

ROM:48F4 ; =============== S U B R O U T I N E =======================================
ROM:48F4 sub_48F4:                    ; CODE XREF: sub_46DA+3AP
ROM:48F4                              ; sub_4738+26P
ROM:48F4 exts r5, #1
ROM:48F6 mov r10, [r4]
ROM:48F8 add r4, #2
ROM:48FA addc r5, #0
ROM:48FC exts r5, #1
ROM:48FE mov r11, [r4]
ROM:4900 rets
ROM:4900 ; End of function sub_48F4
DT
« Reply #343 on: January 30, 2016, 08:04:43 PM »
0x418A
ROM:418A db 5
ROM:418B db 0
ROM:418C db 0
ROM:418D db 0
ROM:418E db 0
ROM:418F db 0
ROM:4190 db 0
ROM:4191 db 40h ; @
ROM:4192 db 0
ROM:4193 db 0
ROM:4194 dw 3FFCh
ROM:4196 db 0
ROM:4197 db 0
ROM:4198 db 0
ROM:4199 db 40h ; @
ROM:419A db 0
ROM:419B db 0
ROM:419C db 0
ROM:419D db 60h ; `
ROM:419E db 0
ROM:419F db 0
ROM:41A0 dw 5FFCh
ROM:41A2 db 0
ROM:41A3 db 0
ROM:41A4 db 0
ROM:41A5 db 60h ; `
ROM:41A6 db 0
ROM:41A7 db 0
ROM:41A8 db 0
ROM:41A9 db 80h ; Ç
ROM:41AA db 0
ROM:41AB db 0
ROM:41AC dw 7FFCh
ROM:41AE db 0
ROM:41AF db 0
ROM:41B0 db 0
ROM:41B1 db 80h ; Ç
ROM:41B2 db 0
ROM:41B3 db 0
ROM:41B4 db 0
ROM:41B5 db 0
ROM:41B6 db 1
ROM:41B7 db 0
ROM:41B8 dw 0DDFCh
ROM:41BA db 0
ROM:41BB db 0
ROM:41BC db 0
ROM:41BD db 0
ROM:41BE db 1
ROM:41BF db 0
ROM:41C0 db 0
ROM:41C1 db 0
ROM:41C2 db 2
ROM:41C3 db 0
ROM:41C4 dw 0FFFCh
ROM:41C6 db 1
ROM:41C7 db 0

0x3FFC
ROM:3FFC dw 1A3h
ROM:3FFE dw 88C5h

0x5FFC
ROM:5FFC dw 9987h
ROM:5FFE dw 709Ah

0x7FFC
ROM:7FFC dw 94DBh
ROM:7FFE dw 2623h

0xDFFC
MEM_EXT:DDFC dw E881h

0x1FFFC
seg009:FFFC dw 0D8F6h
seg009:FFFE dw 9EF4h
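My reading of sub_46DA / sub_4738 together with the table dumped at 0x418A, written out as a Python model so the routine can be checked against a real dump. This is an added example, not code from the ECU, from IDA or from anyone in the thread. The assumptions are mine: each 12-byte table entry is taken as three little-endian u32 values (region start, region end, address of the checksum slot), sub_46DA is modelled as a 32-bit wrap-around sum of little-endian dwords from the start up to (not including) the slot, and sub_4738 as the per-region compare gated by the flag bytes at 0xF768. The sample image and the flag values are constructed; the region values are the ones decoded from the dump above.

```python
"""Model of the region-checksum check in sub_46DA / sub_4738 and the table at
0x418A, as read from the listing posted in this thread.  Added example, not code
from the ECU, from IDA or from anyone in the thread; the table layout and the
sample image below are my own assumptions and constructions."""
import struct

TABLE_ADDR = 0x418A   # count byte, pad byte, then the entries (dump at 0x418A)
ENTRY_SIZE = 12       # (r*4 - r)*4 in the listing: entries are indexed by 12 * idx

# Assumed entry layout (u32 start, u32 end, u32 checksum slot); the values are
# what the db/dw dump in the thread decodes to under that assumption.
REGIONS_FROM_THREAD = [
    (0x00000, 0x04000, 0x03FFC),
    (0x04000, 0x06000, 0x05FFC),
    (0x06000, 0x08000, 0x07FFC),
    (0x08000, 0x10000, 0x0DDFC),
    (0x10000, 0x20000, 0x1FFFC),
]


def parse_region_table(image, table_addr=TABLE_ADDR):
    """Return [(start, end, slot), ...] from the count byte and the 12-byte entries."""
    count = image[table_addr]
    entries = []
    for i in range(count):
        off = table_addr + 2 + i * ENTRY_SIZE
        entries.append(struct.unpack_from("<III", image, off))
    return entries


def region_sum(image, start, slot):
    """sub_46DA: r7 = low word of (slot - start); add the little-endian dword at
    start + r13 for r13 = 0, 4, 8, ... while r13 < r7; 32-bit wrap (add/addc)."""
    length = (slot - start) & 0xFFFF
    total = 0
    for off in range(0, length, 4):
        (dword,) = struct.unpack_from("<I", image, start + off)
        total = (total + dword) & 0xFFFFFFFF
    return total


def stored_sum(image, slot):
    """sub_48F4 reads the stored value as low word, then high word (little-endian u32)."""
    (value,) = struct.unpack_from("<I", image, slot)
    return value


def verify_regions(image, flags):
    """sub_4738: only regions whose flag byte (0xF768 + idx) is 0xFF are checked.
    Returns 0 when every checked region matches, otherwise 0xFFFF - idx of the
    first mismatch (mov r4, #0FFFFh; sub r4, r9)."""
    for idx, (start, _end, slot) in enumerate(parse_region_table(image)):
        if flags[idx] != 0xFF:
            continue
        if region_sum(image, start, slot) != stored_sum(image, slot):
            return (0xFFFF - idx) & 0xFFFF
    return 0


def fix_checksum(image, start, slot):
    """Write the sum the check expects into the slot.  The slot sits just past
    the summed range, so writing it does not change the sum it stores."""
    struct.pack_into("<I", image, slot, region_sum(image, start, slot))


def build_sample_image():
    """Constructed 128 KB image: deterministic filler bytes, the thread's table
    written at 0x418A, and every slot fixed so the image verifies clean."""
    image = bytearray((i * 7 + 3) & 0xFF for i in range(0x20000))
    image[TABLE_ADDR] = len(REGIONS_FROM_THREAD)
    image[TABLE_ADDR + 1] = 0
    for i, entry in enumerate(REGIONS_FROM_THREAD):
        struct.pack_into("<III", image, TABLE_ADDR + 2 + i * ENTRY_SIZE, *entry)
    for start, _end, slot in REGIONS_FROM_THREAD:
        fix_checksum(image, start, slot)
    return image


if __name__ == "__main__":
    img = build_sample_image()
    all_checked = [0xFF] * 5
    print(hex(verify_regions(img, all_checked)))   # 0x0: every region matches
    img[0x7000] ^= 0x01                            # one flipped bit in region 2 (0x6000-0x8000)
    print(hex(verify_regions(img, all_checked)))   # 0xfffd: 0xFFFF - 2
```

Against a real dump, replace build_sample_image() with the file contents and compare what verify_regions() returns with the ECU's behaviour; if the real table uses a different entry layout or the flag bytes are managed differently, the assumptions in the comments are the places to adjust.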
ccyberwing
« Reply #344 on: January 31, 2016, 05:35:47 AM »
Here is the bootloader checksum check from my 29f100 file. Just replace the Z jmpr with an NC jmpr.

seg009:41C2 sub_141C2:                  ; CODE XREF: sub_12766P
seg009:41C2 mov [-r0], r9
seg009:41C4 mov [-r0], r8
seg009:41C6 sub r0, #2
seg009:41C8 mov r4, #4000h
seg009:41CC mov r8, r4
seg009:41CE mov r9, r8
seg009:41D0 shr r9, #14
seg009:41D2 shl r9, #1
seg009:41D4 mov r9, [r9+0FE00h]
seg009:41D8 bmov r8.14, r9.0
seg009:41DC bmov r8.15, r9.1
seg009:41E0 shr r9, #2
seg009:41E2 movb byte_E7C2, ZEROS
seg009:41E6 calls 1, sub_14A30
seg009:41EA mov r4, word_E7C4
seg009:41EE mov r5, word_E7C6
seg009:41F2 sub r4, #5678h
seg009:41F6 subc r5, #1234h
seg009:41FA jmpr cc_Z, CHECKSUM_OK
seg009:41FC calls 1, sub_16BB6
seg009:4200 mov [r0], r4
seg009:4202 cmp r4, #0
seg009:4204 jmpr cc_Z, loc_1420A
seg009:4206 calls 1, sub_142B4