Author Topic: ME7.1.x Reading and Writing to the Serial EEPROM and RAM Mirror  (Read 9211 times)
nubcake
« on: November 01, 2015, 08:46:20 AM »

Necro bump!

Don't you hate it when someone asks a question and then posts something like "fixed" or "solved" without describing the actual fix? I surely do!  Grin

Anyway, I wanted to play with EEPROM in my ME7.1.1 ECU. Since I already have the R-box disassembled and defined, I went to take a look at it (thanks, sweegie!). I then cheated and did a very "ghetto" thing (not proud): simply found the similar pattern in my BIN (well, looking in approx the same memory region). Then I went and read it with ME7L in my car and it indeed was spot on! With one minor exception: EEPROM is mapped not in a direct or raw way. What I mean by that is: RAM image starts from the second EEPROM page (first one is skipped), there are no "backup" pages either.

Here's the pic of the "reference" structure from IDA (for ME7.1.1 anyway):
« Last Edit: January 21, 2017, 03:58:59 PM by nubcake »
TijnCU
« Reply #1 on: January 20, 2017, 04:13:17 AM »

I can confirm what nubcake has written above, I found in my ecu (4B0906018CA) that the EEPROM is mirrored in RAM from 383B3C (eeprom 0x0010). I also just looked for the same pattern in IDA from 383000 up Grin

* I am playing with the eeprom now, I came up with this idea to write and correct the checksum in one routine. For example, the checksum in word 0xfe is something like FFFC; I write the byte I use in this page and then do a subtraction of all byte addresses 0xf0 up to 0xfd from FFFC and write that value back to word 0xfe. Can anyone confirm I can get away with this auto checksumming of the eeprom?
« Last Edit: January 21, 2017, 12:54:02 PM by TijnCU »
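The page-checksum rule TijnCU proposes above, carried out over a dump as an added Python example (not code from this thread, from ME7L or from any other tool mentioned here), together with the EEPROM-offset-to-RAM-mirror mapping taken from the addresses he reports (offset 0x0010 at 0x383B3C) and nubcake's note that the first page is not mirrored. The 16-byte page size, the checksum sitting in the last word of each page, little-endian storage of that word and 0xFFFC as a fixed base are all assumptions to confirm against your own dump and disassembly; the sample dump is constructed.

```python
#!/usr/bin/env python3
"""Added example, not code from the thread. Checks and repairs the per-page
checksum of an ME7 serial-EEPROM dump using the rule TijnCU describes
(checksum word = 0xFFFC minus the sum of the page's 14 data bytes) and maps
EEPROM offsets to the RAM mirror from the addresses he reports. Every
constant below is an assumption to verify against a real dump."""

PAGE_SIZE = 16          # assumed: 16-byte EEPROM pages (0x?0..0x?F)
SUM_OFFSET = 0x0E       # assumed: checksum word in the page's last two bytes
SUM_BASE = 0xFFFC       # TijnCU's example value; assumed to be a fixed base

# TijnCU: EEPROM offset 0x0010 is mirrored at RAM 0x383B3C (ECU 4B0906018CA),
# consistent with nubcake's note that the first page is skipped.
MIRROR_EEPROM_START = 0x0010
MIRROR_RAM_BASE = 0x383B3C


def page_checksum(page: bytes) -> int:
    """Checksum as described: base minus the sum of data bytes 0x?0..0x?D."""
    if len(page) != PAGE_SIZE:
        raise ValueError("page must be %d bytes" % PAGE_SIZE)
    return (SUM_BASE - sum(page[:SUM_OFFSET])) & 0xFFFF


def stored_checksum(page: bytes) -> int:
    # assumed little-endian word, the way the C166 core stores 16-bit values
    return int.from_bytes(page[SUM_OFFSET:SUM_OFFSET + 2], "little")


def fix_page(page: bytes) -> bytes:
    """Return a copy of the page with the checksum word recomputed."""
    fixed = bytearray(page)
    fixed[SUM_OFFSET:SUM_OFFSET + 2] = page_checksum(page).to_bytes(2, "little")
    return bytes(fixed)


def bad_pages(dump: bytes) -> list:
    """Indices of pages whose stored checksum does not match the rule."""
    if len(dump) % PAGE_SIZE:
        raise ValueError("dump is not a whole number of pages")
    pages = [dump[i:i + PAGE_SIZE] for i in range(0, len(dump), PAGE_SIZE)]
    return [i for i, p in enumerate(pages) if stored_checksum(p) != page_checksum(p)]


def eeprom_to_ram(eeprom_offset: int):
    """RAM-mirror address of an EEPROM byte, or None for the unmirrored page 0."""
    if eeprom_offset < MIRROR_EEPROM_START:
        return None
    return MIRROR_RAM_BASE + (eeprom_offset - MIRROR_EEPROM_START)


def ram_to_eeprom(ram_addr: int):
    """(EEPROM offset, page index, offset within page) for a RAM-mirror address.
    With 16-byte pages the in-page offset is simply the low nibble."""
    off = ram_addr - MIRROR_RAM_BASE + MIRROR_EEPROM_START
    return off, off // PAGE_SIZE, off & 0x0F


def _make_page(data14: bytes) -> bytes:
    """Build a page with a correct checksum from 14 data bytes."""
    return fix_page(data14 + b"\x00\x00")


# Constructed sample dump: page 0 (not mirrored), page 1 with a correct
# checksum, page 2 with data byte 0 changed and the checksum left stale.
SAMPLE_DUMP = (
    _make_page(bytes(range(0x00, 0x0E)))
    + _make_page(b"\x12\x34" + bytes(12))
    + b"\xAA" + _make_page(bytes(14))[1:]
)

if __name__ == "__main__":
    print("pages failing the checksum rule:", bad_pages(SAMPLE_DUMP))
    print("EEPROM 0x0010 -> RAM 0x%X" % eeprom_to_ram(0x0010))
    print("RAM 0x383B4D -> EEPROM offset, page, in-page:", ram_to_eeprom(0x383B4D))
```

Running it on a real dump means replacing SAMPLE_DUMP with the file contents; if bad_pages() flags every page, the base value, page size or checksum position differs from what is assumed here, which is exactly the kind of thing to settle in the disassembly before writing anything back.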

nubcake
« Reply #2 on: January 21, 2017, 02:46:45 PM »

I have since found out that it's quite easy to find the reference to the start of the ME7 EEPROM memory mirror by looking around the "VARCODE" functions. They are quite easy to backtrack by looking at where "vkASRantrieb" (picked up by me7info) is written to. Then you go a couple of function X-REFs back, scroll to the bottom and find:

Code:
mov     r2, #eeprom_start    ; r2 = start address of the EEPROM mirror in RAM
sub     r14, r2              ; r14 = pointer - mirror start, i.e. byte offset into the mirror
and     r14, #0Fh            ; keep the low nibble: offset within a 16-byte page

That reference is usually picked up by IDA as just a hex offset, you have to press "o" to get it to display like a memory var.

RE: the checksum - didn't really play with it, but there already should be a function to correct it. So it's much easier to find and call it, than write your own routine.

We're also a bit offtopic here, since the thread title says "MED9". Tongue
« Last Edit: January 21, 2017, 02:59:58 PM by nubcake »
gman86
« Reply #3 on: January 21, 2017, 07:51:20 PM »

Smashing. I get excited when I see MED9 threads get updated. This is the ultimate cock tease. Could we split it off?
TijnCU
« Reply #4 on: January 22, 2017, 03:47:14 AM »

I agree, but great info! Nyet, can you split this to a new me7 eeprom thread?

I have found out that it is not possible to write the eeprom by altering the RAM mirror. It seems to be a slave of the eeprom; after power off it copies those values again. I am currently trying to disassemble lemmiwinks to find out how they get their program to find the adaption blocks. I have never used that program before, but it works okay for quick placing of odd values in the eeprom Roll Eyes
« Last Edit: January 22, 2017, 11:50:12 PM by TijnCU »

eliotroyano
« Reply #5 on: January 22, 2017, 07:14:12 PM »

I am impressed that Bosch still uses old strategies in new ECUs. The M38x and M592 EEPROM is located in RAM memory when the ECU starts up too.
Teitek
« Reply #6 on: January 29, 2018, 04:53:00 PM »

I can confirm what nubcake has written above, I found in my ecu (4B0906018CA) that the EEPROM is mirrored in RAM from 383B3C (eeprom 0x0010). I also just looked for the same pattern in IDA from 383000 up Grin

* I am playing with the eeprom now, I came up with this idea to write and correct the checksum in one routine. For example, the checksum in word 0xfe is something like FFFC; I write the byte I use in this page and then do a subtraction of all byte addresses 0xf0 up to 0xfd from FFFC and write that value back to word 0xfe. Can anyone confirm I can get away with this auto checksumming of the eeprom?

Have you tried to fix the checksum after modifying a position of the mirror? Does it work in a similar way to MED9?
BWF
« Reply #7 on: April 11, 2020, 07:13:19 AM »

Good afternoon, I would also like to find the mirror of the eeprom in my ME7.5.
Following the information from "nubcake" I found the address of vkASRAntrieb and looked for the XRefs, but I don't find anything similar to what he says.
Is there any other way to find it?

In EDC15 the eeprom is from C800, but this is not the case.
« Last Edit: April 11, 2020, 07:42:39 AM by BWF »