Author Topic: RAM variables  (Read 24549 times)
turbojohan (Full Member, Karma: +5/-0, Posts: 185)
« on: November 26, 2016, 12:26:23 PM »

I'm wondering how ME7Logger gets RAM variables out of a ME7 file.

Since I found this forum, and everyone here can do IDA and write ASM scripts, I of course want to learn this.
So bit by bit I start to understand all this a little.
But not being blessed with an Einstein brain, it goes quite slowly  Grin
When I understand the C167 ME7 I want to start on my ME7.1.1 ST10 ECU.
But ME7Logger doesn't work with these ST10 ECUs, so finding stuff in IDA is a lot harder.

So I try to understand how ME7L knows what label belongs to what RAM address.
I think it searches for known maps, and the axis should be linked to a RAM address, to use for example Nmot for the map.
But I can't really find out how this is linked..

Hope someone can help me or give me a small hint how this works..
nyet (Administrator, Hero Member, Karma: +608/-168, Posts: 12271)
« Reply #1 on: November 26, 2016, 12:57:56 PM »

It looks for asm patterns, like prj's map locator

https://github.com/prj/me7-tools

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
turbojohan (Full Member, Karma: +5/-0, Posts: 185)
« Reply #2 on: November 26, 2016, 03:03:44 PM »

Thanks!
turbojohan (Full Member, Karma: +5/-0, Posts: 185)
« Reply #3 on: December 08, 2016, 11:47:38 PM »

Really slowly it starts to make sense..
At this moment I still wonder how ME7Logger gets RAM addresses from the file.
You can take a start address of an axis of a map and reverse it to the RAM address, but you also need the DPP offset.
And then you have 2 X's in this equation..
So probably ME7 uses the same DPP offset for most ECUs.
So always 0206h for Nmot and 0207h for RL_w, for example.
That way you can quite easily find the RAM address..

Is there an easier way?
This probably works for ME7, but I want to start on ME7 ST10 and MED9 later, and these have different DPP offsets I think.
If I can find RAM addresses easily I can make monolambda etc. without completely reversing a file in IDA.
I love learning IDA Pro but sometimes it is nice to get something done without hours of IDA :-)
IamwhoIam (Hero Member, Karma: +52/-115, Posts: 1070)
« Reply #4 on: December 09, 2016, 01:29:28 AM »

I think that's a bingo in the right direction

I have no logs because I have a boost gauge (makes things easier)
turbojohan (Full Member, Karma: +5/-0, Posts: 185)
« Reply #5 on: December 09, 2016, 02:09:02 AM »

OK, so if I want to do other, newer ECUs I need to disassemble one, write down the DPP offsets it uses for specific functions, and hope it will be the same in other ECUs?
TijnCU (Hero Member, Karma: +60/-4, Posts: 690), "flying brick"
« Reply #6 on: December 09, 2016, 02:16:02 AM »

I would disassemble multiple ECUs and compare. Could save you more time in the end...

turbojohan (Full Member, Karma: +5/-0, Posts: 185)
« Reply #7 on: December 09, 2016, 03:49:15 AM »

Thanks, I will do some more digging then..  Grin
eliotroyano (Hero Member, Karma: +48/-9, Posts: 826)
« Reply #8 on: December 09, 2016, 04:30:03 AM »

Personally I find this a really interesting topic. From my point of view I think there should be some kind of index, index calculation or offset index that the ECU uses to point to those addresses and maps. I do not believe that Bosch makes a new structure for every software version, well I think. If this is right, finding that index will solve a lot of problems, doing a really big "BINGO".
fknbrkn (Hero Member, Karma: +186/-24, Posts: 1456), "mk4 1.8T AUM"
« Reply #9 on: December 09, 2016, 05:48:02 AM »

> Really slowly it starts to make sense..
> At this moment I still wonder how ME7Logger gets RAM addresses from the file.
> You can take a start address of an axis of a map and reverse it to the RAM address, but you also need the DPP offset.
> And then you have 2 X's in this equation..
> So probably ME7 uses the same DPP offset for most ECUs.
> So always 0206h for Nmot and 0207h for RL_w, for example.
> That way you can quite easily find the RAM address..
>
> Is there an easier way?
> This probably works for ME7, but I want to start on ME7 ST10 and MED9 later, and these have different DPP offsets I think.
> If I can find RAM addresses easily I can make monolambda etc. without completely reversing a file in IDA.
> I love learning IDA Pro but sometimes it is nice to get something done without hours of IDA :-)

Read a C166 ECU manual. It's a very complex document, but it explains all this stuff.
206h, 207h are pages used for 16-bit addressing in a flash file.
206h * 4000h = 818000h (800000h = flash memory, so it's basically 0x18000 in your file)
If you see something like
mov r12, #1234h
mov r13, #206h
then it's page 206h, offset 1234h. Do some math and find the start of the called map. (206h * 4000h + 1234h = 819234h = 0x19234) Typically ME7 uses pages 204..20A.
There are no RAM addresses here until you dig a little deeper and learn about map calling. It's pretty clear when you know the vars used by a map (FR).
OK, here are r12, r13 in a 3D map call. Now if you know which maps are called and you know which vars are used, you can trace their RAM locations.
Take a look at r4, r5, r14 in a typical map call. (BTW, there are a few methods used to define the axes of a map.)
Sometimes you see the native variable here, sometimes it's a calculated axis value and you should trace it to the place where it's written.
I can't help you with ST10 ECUs because I never had any experience with them :/
turbojohan (Full Member, Karma: +5/-0, Posts: 185)
« Reply #10 on: December 09, 2016, 01:14:10 PM »

Yes, this part I understood  Grin
I can find RAM addresses now.
But the more I learn about this stuff, the more I realize that I need to learn so much more....  Roll Eyes
turbojohan (Full Member, Karma: +5/-0, Posts: 185)
« Reply #11 on: December 09, 2016, 01:15:44 PM »

> Personally I find this a really interesting topic. From my point of view I think there should be some kind of index, index calculation or offset index that the ECU uses to point to those addresses and maps. I do not believe that Bosch makes a new structure for every software version, well I think. If this is right, finding that index will solve a lot of problems, doing a really big "BINGO".

I don't think there is an index for it, I can't see why the ECU would need that, but I still need to learn a lot..
nubcake (Sr. Member, Karma: +53/-4, Posts: 400)
« Reply #12 on: December 09, 2016, 01:16:35 PM »

ST10 is very similar.
Take some public A2L for the ST10 ECU and parse it into IDA. Then it will all make sense.
Also, seriously, take a look at the maplocator listed above. You can make it search for RAM values as well.

EDIT: scratch the ST10 idea for now. Start by getting yourself a fully "defined" ME7 IDA project. Same way: parsing a public A2L + bin. I might write a detailed post about it at some point, but it's not exactly that hard.
« Last Edit: December 09, 2016, 01:18:11 PM by nubcake »
prj (Hero Member, Karma: +1072/-483, Posts: 6039)
« Reply #13 on: December 09, 2016, 01:59:48 PM »

> Really slowly it starts to make sense..
> At this moment I still wonder how ME7Logger gets RAM addresses from the file.
> You can take a start address of an axis of a map and reverse it to the RAM address, but you also need the DPP offset.
> And then you have 2 X's in this equation..
> So probably ME7 uses the same DPP offset for most ECUs.
> So always 0206h for Nmot and 0207h for RL_w, for example.
> That way you can quite easily find the RAM address..

Sorry, but you need to do more reading and less typing.
All you typed is totally useless BS. RAM is always at 0xE000 and up and 0x38000 and up.

ME7Info parses the TKMWL structure in the ECU. Maps are irrelevant.
For every ID it has some custom logic that specifies the factor/offset and also how to parse the address out of the block.

The reason it doesn't work on ST10 is because on ST10 the structure is slightly different.
I wrote a Python script for IDA Pro that parses this structure, meaning you just tell the script the start of the structure and the ID you want to see, and it jumps you there.
It is easily possible to extend that to dump all the variables, but it is quite a lot of work which I have no interest in.

The ST10 stuff has decent log speed with KWP2000, so just make your own measuring blocks with your own IDs and use VCDS to log a bunch of variables at the same time.
The same approach works on MED9.

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
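Added example (not code from this thread, from ME7Logger/ME7Info, or from prj's me7-tools): it turns the DPP page/offset arithmetic in fknbrkn's reply (206h * 4000h + 1234h = 819234h, file offset 0x19234) into functions, scans a constructed byte string for the "mov r12, #offset / mov r13, #page" pairs he describes, and labels addresses with the RAM ranges prj quotes (0xE000 and up, 0x38000 and up). Everything beyond those figures is an assumption of this example: the flash window starting at linear 0x800000 and mapping to file offset 0, the MOV Rwn,#data16 encoding being E6 Fn ii ii with a little-endian immediate, external RAM ending at 0x40000, and pages 0x204..0x20A being the ones worth treating as map pages. Check the encoding against the C166 instruction set manual before pointing the scanner at a real dump.

```python
"""
Added example, not code from this thread, ME7Logger, ME7Info or me7-tools.
It implements the DPP page arithmetic from fknbrkn's reply, a heuristic
scanner for "mov rA, #offset / mov rB, #page" pairs, and a coarse address
classifier using the RAM ranges prj quotes.

Assumptions (not stated in the thread): flash base 0x800000 maps to file
offset 0; MOV Rwn,#data16 is encoded E6 Fn ii ii (little-endian immediate);
external RAM ends at 0x40000; pages 0x204..0x20A are "map pages".
"""
from typing import Iterator, List, NamedTuple

PAGE_SIZE = 0x4000               # one DPP page covers 16 KiB (206h * 4000h = 818000h)
FLASH_BASE = 0x800000            # assumed linear start of the flash dump
MAP_PAGES = range(0x204, 0x20B)  # "typically me7 uses 204..20A pages"
MOV_RW_IMM16 = 0xE6              # assumed opcode byte of MOV Rwn,#data16


def page_offset_to_linear(page: int, offset: int) -> int:
    """page 0x206, offset 0x1234 -> linear 0x819234 (the thread's example)."""
    if not 0 <= offset < PAGE_SIZE:
        raise ValueError("offset must fit within one 16 KiB DPP page")
    return page * PAGE_SIZE + offset


def linear_to_file_offset(linear: int) -> int:
    """linear 0x819234 -> file offset 0x19234 once the flash base is removed."""
    if linear < FLASH_BASE:
        raise ValueError(f"{linear:#x} lies below the flash window, not in the dump")
    return linear - FLASH_BASE


def classify_address(addr: int) -> str:
    """Coarse region label using the ranges prj gives for RAM."""
    if 0xE000 <= addr <= 0xFFFF:
        return "internal RAM"
    if 0x38000 <= addr < 0x40000:     # upper bound is an assumption
        return "external RAM"
    if addr >= FLASH_BASE:
        return "flash"
    return "other"


class MovImm(NamedTuple):
    pos: int   # byte position of the instruction in the scanned buffer
    reg: int   # GPR number rN
    imm: int   # 16-bit immediate


class MapRef(NamedTuple):
    pos: int
    page: int
    offset: int
    linear: int
    file_offset: int


def scan_mov_imm16(code: bytes) -> Iterator[MovImm]:
    """Yield every assumed E6 Fn ii ii (mov rN, #imm16) in the buffer.

    C166 instructions are 2 or 4 bytes long, so on a miss we step by 2 to
    stay word-aligned; this is a heuristic, not a full decoder.
    """
    i = 0
    while i + 4 <= len(code):
        if code[i] == MOV_RW_IMM16 and code[i + 1] & 0xF0 == 0xF0:
            yield MovImm(i, code[i + 1] & 0x0F, code[i + 2] | (code[i + 3] << 8))
            i += 4
        else:
            i += 2


def find_map_references(code: bytes) -> List[MapRef]:
    """Pair a 'mov rA, #offset' immediately followed by 'mov rB, #page'."""
    movs = list(scan_mov_imm16(code))
    refs: List[MapRef] = []
    k = 0
    while k < len(movs):
        cur = movs[k]
        nxt = movs[k + 1] if k + 1 < len(movs) else None
        if (nxt is not None and nxt.pos == cur.pos + 4
                and nxt.imm in MAP_PAGES and cur.imm < PAGE_SIZE):
            linear = page_offset_to_linear(nxt.imm, cur.imm)
            refs.append(MapRef(cur.pos, nxt.imm, cur.imm, linear,
                               linear_to_file_offset(linear)))
            k += 2
        else:
            k += 1
    return refs


# Constructed sample, not bytes from any real ECU dump:
#   mov r12,#1234h / mov r13,#206h / nop / mov r8,#0010h / mov r9,#208h / mov r4,#0E000h
SAMPLE_CODE = bytes.fromhex("E6FC3412" "E6FD0602" "CC00" "E6F81000" "E6F90802" "E6F400E0")

if __name__ == "__main__":
    for ref in find_map_references(SAMPLE_CODE):
        print(f"code+{ref.pos:#06x}: page {ref.page:#x} offset {ref.offset:#06x}"
              f" -> linear {ref.linear:#x} = file {ref.file_offset:#x}"
              f" ({classify_address(ref.linear)})")
    print("0xE000 is", classify_address(0xE000), "/ 0x38000 is", classify_address(0x38000))
```

The scanner only pairs an offset load with a page load that immediately follows it, which is the shape fknbrkn shows; a lone load such as the trailing mov r4, #0E000h in the sample is reported by scan_mov_imm16 but not turned into a map reference, and classify_address labels that value as internal RAM rather than a flash location.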
turbojohan (Full Member, Karma: +5/-0, Posts: 185)
« Reply #14 on: December 09, 2016, 02:20:28 PM »

Thanks guys, I will stop typing and learn some more first.