turbojohan
Full Member
Karma: +5/-0
 Offline
Posts: 185
|
 |
« Reply #15 on: December 28, 2016, 03:21:06 AM »
|
|
|
finally had some time to look into this again.
Starts to make a bit more sense.
Found TKMWL list in FR and found space in the file were in same order the ram adresses are put.
And found MWNTKB where measureblocks are labeled.
Now need to find the pattern to find RAM adresses in other files..
|
|
|
|
|
Logged
|
|
|
|
turbojohan
Full Member
Karma: +5/-0
Offline
Posts: 185
|
|
« Reply #16 on: December 30, 2016, 12:48:52 PM »
|
|
|
I put ME7info in IDA, lots of patterns and stuff in there.
Here is IDA file for who wants.
|
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #17 on: January 05, 2017, 04:45:23 AM »
|
|
|
Found TKMWL list in FR and found space in the file were in same order the ram adresses are put.
It's not ram addresses you found, it's block numbers. Useless pretty much. |
|
|
|
|
Logged
|
|
|
|
turbojohan
Full Member
Karma: +5/-0
Offline
Posts: 185
|
|
« Reply #18 on: January 16, 2017, 02:00:52 PM »
|
|
|
I meant this:
seg003:826BC and r4, #0Fh
seg003:826C0 cmp r4, #1
seg003:826C2 jmpa cc_Z, loc_888D36
seg003:826C6 cmp r4, #2
seg003:826C8 jmpr cc_Z, loc_882726
seg003:826CA cmp r4, #3
seg003:826CC jmpr cc_Z, loc_882736
seg003:826CE cmp r4, #5
seg003:826D0 jmpa cc_Z, loc_88277C
seg003:826D4 cmp r4, #7
seg003:826D6 jmpa cc_Z, loc_8827A8
seg003:826DA cmp r4, #8
seg003:826DE jmpa cc_Z, loc_8827B8
seg003:826E2 cmp r4, #9
seg003:826E6 jmpa cc_Z, loc_8827CC
seg003:826EA cmp r4, #0Ah
seg003:826EE jmpa cc_Z, loc_8827E4
seg003:826F2 cmp r4, #0Bh
seg003:826F6 jmpa cc_Z, loc_88280E
seg003:826FA cmp r4, #0Ch
seg003:826FE jmpa cc_Z, loc_882830
seg003:82702 cmp r4, #0Dh
seg003:82706 jmpa cc_Z, loc_882852
seg003:8270A cmp r4, #0Eh
seg003:8270E jmpa cc_Z, loc_8828D4
seg003:82712 cmp r4, #0Fh
seg003:82716 jmpa cc_Z, loc_8828E2
seg003:8271A cmp r4, #3F7h
seg003:8271E jmpa cc_Z, loc_8828F0
that refers to adres where RAM adres is in TKMWL order.
It is just annoying that it is not in 1 block all together.
|
|
|
|
« Last Edit: January 16, 2017, 02:36:14 PM by turbojohan »
|
Logged
|
|
|
|
|
prj
|
|
« Reply #19 on: January 20, 2017, 06:42:24 AM »
|
|
|
Yes that is correct, but you only have a tiny chunk. You also need to figure out how to go from block number to subroutine.
|
|
|
|
|
Logged
|
|
|
|
turbojohan
Full Member
Karma: +5/-0
Offline
Posts: 185
|
|
« Reply #20 on: January 21, 2017, 01:21:07 AM »
|
|
|
Thanks!
Getting there bit by bit, still lots to learn...
Can anyone help me where to put the eeprom data in IDA pro?
|
|
|
|
|
Logged
|
|
|
|
|
|
turbojohan
Full Member
Karma: +5/-0
Offline
Posts: 185
|
|
« Reply #22 on: January 21, 2017, 12:56:29 PM »
|
|
|
thanks!
|
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #23 on: January 29, 2017, 06:45:53 AM »
|
|
|
Writing to EEPROM there are subroutines in ME7. Reading can be done off of the mirror directly, same as MED9 as described in that thread. Here's something I did utilizing this a few years ago: https://www.youtube.com/watch?v=0Zp_iCeigEI |
|
|
|
|
Logged
|
|
|
|
TijnCU
Hero Member
Karma: +60/-4
Offline
Posts: 690
flying brick
|
|
« Reply #24 on: January 29, 2017, 07:55:21 AM »
|
|
|
Hehe, I have tried this rpm indication on a b5 A4 cluster. That ecu was super unhappy and bricked itself after ignition off  during the test it did still run however!...kind of... I tested the mirror and it is read-only as prj says. Havent found out how to write the eeprom from functions yet, I spent some time in the FR and IDA but decided I have other priorities before I invest more time in this... |
|
|
|
|
Logged
|
|
|
|
turbojohan
Full Member
Karma: +5/-0
Offline
Posts: 185
|
|
« Reply #25 on: January 29, 2017, 11:51:52 AM »
|
|
|
Interesting stuff!
Will look into it when i have some time...
|
|
|
|
|
Logged
|
|
|
|
|
vwaudiguy
|
|
« Reply #26 on: January 29, 2017, 01:37:40 PM »
|
|
|
but you need a wot box for this right?  |
|
|
|
|
Logged
|
"If you have a chinese turbo, that you are worried is going to blow up when you floor it, then LOL."
|
|
|
turbojohan
Full Member
Karma: +5/-0
Offline
Posts: 185
|
|
« Reply #27 on: January 29, 2017, 02:16:02 PM »
|
|
|
No this is ASM coded into ME7..
Verzonden vanaf mijn iPhone met Tapatalk
|
|
|
|
|
Logged
|
|
|
|
|
vwaudiguy
|
|
« Reply #28 on: January 29, 2017, 03:30:56 PM »
|
|
|
No this is ASM coded into ME7..
Sarcasm. I quoted the first comment in the video. |
|
|
|
|
Logged
|
"If you have a chinese turbo, that you are worried is going to blow up when you floor it, then LOL."
|
|
|
turbojohan
Full Member
Karma: +5/-0
Offline
Posts: 185
|
|
« Reply #29 on: January 29, 2017, 11:38:53 PM »
|
|
|
LOL. Sorry.
|
|
|
|
|
Logged
|
|
|
|
|
