Really slowly it starts to make sense..
At this moment I still wonder how ME7Logger gets RAM addresses from the file.
You can take the start address of an axis of a map and reverse it to the RAM address, but you also need the DPP offset.
And then you have 2 X's in this equation..
So probably ME7 uses the same DPP offset for most ECUs.
So always 0206h for Nmot and 0207h for RL_w for example.
So that you can quite easily find the RAM address..
Is there an easier way?
This probably works for ME7, but I want to start on ME7 ST10 and MED9 later, and these have different DPP offsets, I think.
If I can find RAM addresses easily, I can make monolamba etc. without completely reversing a file in IDA.
I love learning IDA Pro, but sometimes it is nice to get something done without hours of IDA :-)
Read a C166 ECU manual. It's a very complex document, but it explains all the stuff.
206h, 207h are pages used for 16-bit addressing in a flash file.
206h * 4000h = 818000h (800000 = flash memory, so it's basically 0x18000 in your file)
If you see something like
mov r12 #1234h
mov r13 #206h
then it's page 206h, offset 1234h. Do some math and find the start of a calling map. (206h * 4000h + 1234h = 819234h = 0x19234) Typically ME7 uses pages 204..20A.
There are no RAM addresses here until you dig a little deeper and learn about map calling. It's pretty clear when you know the vars used by the map (FR).
OK, here are r12, r13 in 3D map calling. Now if you know which map is called and you know which vars are used, you can trace their RAM locations.
Take a look at r4, r5, r14 in typical map calling. (BTW, there are a few methods used to define the axes of a map.)
Sometimes you see the native variable here, sometimes it's a calculated axis value and you should trace to the place where it's written.
I can't help you with the ST10 ECU because I never had any experience with it :/
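
The page-and-offset arithmetic from the reply above, as an added example that is not part of the original posts: it scans a disassembly listing for an offset load into r12 followed by a page load into r13 and resolves each pair to a flash address and file offset. The function names, the sample listing and the requirement that the two loads sit on adjacent lines are assumptions made for this example.

```python
import re

FLASH_BASE = 0x800000                # flash mapping base, from the reply
PAGE_SIZE = 0x4000                   # one page is 16 KB (4000h)
TYPICAL_PAGES = range(0x204, 0x20B)  # "typically 204..20A" per the reply

# Immediate loads written as "mov r12 #1234h" or "mov r13, #206h"
MOV_IMM = re.compile(r"mov\s+r(\d+)\s*,?\s*#([0-9a-f]+)h", re.I)

def page_offset_to_file(page, offset):
    """Return (linear address, file offset) for a page:offset pair."""
    if not 0 <= offset < PAGE_SIZE:
        raise ValueError(f"offset {offset:#x} does not fit in one page")
    linear = page * PAGE_SIZE + offset
    if linear < FLASH_BASE:
        raise ValueError(f"page {page:#x} lies below the flash base")
    return linear, linear - FLASH_BASE

def find_map_pointers(listing, off_reg=12, page_reg=13):
    """Pair an offset load with the page load on the next line."""
    found, pending = [], None
    for line in listing.splitlines():
        m = MOV_IMM.search(line)
        if not m:
            pending = None           # pair must be adjacent (assumption)
            continue
        reg, value = int(m.group(1)), int(m.group(2), 16)
        if reg == off_reg:
            pending = value
        elif reg == page_reg and pending is not None:
            linear, file_off = page_offset_to_file(value, pending)
            found.append((linear, file_off, value in TYPICAL_PAGES))
            pending = None
        else:
            pending = None
    return found

# Constructed listing; lookup_3d is a hypothetical label.
SAMPLE = """\
mov r12 #1234h
mov r13 #206h
calls 0, lookup_3d
mov r12, #0A10h
mov r13, #207h
mov r4 #206h
"""

if __name__ == "__main__":
    for linear, file_off, typical in find_map_pointers(SAMPLE):
        print(f"{linear:06X}h -> file {file_off:#07x} typical={typical}")
```

The third field flags pages outside 204..20A, which is a hint that the pair is probably not a map pointer on ME7.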