Author Topic: Disassembly question - does this ECU uses IROM  (Read 8486 times)
nighthunter
« on: April 15, 2017, 02:12:13 AM »

Hi, I want to start learning disassembly of my ECUs.
I have Bosch 0 261 205 005 and 0 261 205 006. The 005 has a B59233, which should be SAK-C167CR-4RM (32k IROM), and the 006 a SAK-C167CR-LM. Is the 006 really ROMless or is it only deliberately badly marked?
nubcake
« Reply #1 on: April 17, 2017, 05:19:08 AM »

Hi, I want to start learning disassembly of my ECUs.
I have Bosch 0 261 205 005 and 0 261 205 006. The 005 has a B59233, which should be SAK-C167CR-4RM (32k IROM), and the 006 a SAK-C167CR-LM. Is the 006 really ROMless or is it only deliberately badly marked?

Not sure about this specific ECU, but I have seen quite a few of them having a bootloader in the first 32k of the flash (could've been just a mirror, though?).
Would it maybe make sense to check whatever is in the flash for clues?
nighthunter
« Reply #2 on: May 03, 2017, 12:41:04 AM »

Hi, I've attached ORIs for the 005 and 006. Could you look at the files to see if there is a bootloader in flash on the 006?
nubcake
« Reply #3 on: May 06, 2017, 05:13:33 AM »

Hi, I've attached ORIs for the 005 and 006. Could you look at the files to see if there is a bootloader in flash on the 006?

Just a brief glance with a hex editor - yes, it seems to be there.
It should really be irrelevant for usual disassembly, as the bootloader itself is of little interest? Or are you trying to do something specifically with it?
nighthunter
« Reply #4 on: May 07, 2017, 01:22:37 AM »

Thanks for taking the time to look at the files. I am trying to understand the ECU and the disassembly of C167s. I am working with 8-bit MCUs, so the C167CR is new for me. Could you help me, please, with how to correctly set up IDA to disassemble the 006 ECU file?
nubcake
« Reply #5 on: May 07, 2017, 05:33:53 AM »

I did a brief explanation a while ago, it's mostly correct: http://nefariousmotorsports.com/forum/index.php?topic=8845.msg79214#msg79214
nighthunter
« Reply #6 on: May 07, 2017, 12:12:50 PM »

I've read your instructions and also downloaded the Funktionsrahmen document. It seems that this ECU (when I compare the labels in the DAMOS that I have) is an ME7 family member. It is a multi-map ECU that selects the coding depending on the EEPROM VIN/FIN data. But when I want to create the RAM and IRAM segments I am getting error messages. I am using IDA 6.8. I've attached the IDA file that I am using to test it. Could you take a look at that file?
EDIT: The unit has a 6264 RAM connected to the micro.
« Last Edit: May 07, 2017, 12:18:20 PM by nighthunter »
nubcake
« Reply #7 on: May 07, 2017, 03:53:04 PM »

You missed the load BIN to the 0x800000 offset step.
nighthunter
« Reply #8 on: May 09, 2017, 03:22:47 AM »

I have modified the load offset. As a template I used the AutoIt scripts that are here on the forum. But I think that in many places the resulting code does not look OK. Could you look at it? The file is in the attachment.
nubcake
« Reply #9 on: May 09, 2017, 08:57:26 AM »

I have modified the load offset. As a template I used the AutoIt scripts that are here on the forum. But I think that in many places the resulting code does not look OK. Could you look at it? The file is in the attachment.

Wrong offset still.
Forget the scripts, do it by hand step by step as described in my post. You want "0x800000" in both "ROM start" and "Input file loading address". Then create the RAM segment and set the DPPs. You will be 90% there.
nighthunter
« Reply #10 on: May 12, 2017, 01:05:59 AM »

Hi, today I changed the offsets and created RAM and IRAM; now I have only 2 functions after the automatic code analysis. Everything else is in data. Should I now mark the whole 0x800000-0x880000 region as code manually?
nubcake
« Reply #11 on: May 12, 2017, 05:33:30 AM »

Actually, you know what. I'm sorry for wasting your time. Somehow I had presumed that the binary itself was from the same VW/Audi cars we usually discuss here.
I took a better look at the binary in IDA. It appears that loading the binary at "0" is right. And the RAM actually starts at 0xB0000. This way everything seems to align quite well.

So:
Start IDA, open binary, set CPU type.
Check "create RAM region", set it to 0xB0000, length 0x10000.
Leave "create ROM" default at zero, length 0x80000.

And this should produce a nice "basic" database.

Again, sorry for the initial mislead.
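Added example (not code from this thread, from Bosch, or from either ECU's firmware): a small triage script that does offline what nubcake did by eye in replies #1, #3, #9 and #11 before committing to IDA settings. It checks a raw C167 dump for repeated 32k blocks (the "bootloader in the first 32k vs. just a mirror" question), decodes the interrupt vector table at the start of the image to see which load base (0 or 0x800000) keeps the JMPS targets inside the file, and then looks at the reset handler for the DPP initialisation values you have to set in IDA. It assumes the C166 encodings JMPS = FA ss oo oo (segment byte, 16-bit offset) and MOV reg,#data16 = E6 rr dd dd with DPP0..DPP3 at short addresses 00..03; the sample image at the bottom is constructed for the demonstration and is not a real dump.

```python
"""Offline triage of a raw C167 ECU dump before loading it into IDA (added example)."""
import hashlib
import struct

BLOCK = 0x8000               # 32 KiB: C167CR-4RM IROM size / suspected mirror size
VECTOR_TABLE_BYTES = 0x200   # 128 vectors x 4 bytes at the bottom of segment 0
JMPS = 0xFA                  # JMPS seg, caddr  ->  FA ss oo oo   (assumed encoding)
MOV_REG_IMM16 = 0xE6         # MOV reg, #data16 ->  E6 rr dd dd   (assumed encoding)
DPP_SHORT_ADDR = {0x00: "DPP0", 0x01: "DPP1", 0x02: "DPP2", 0x03: "DPP3"}  # SFR 0xFE00 + 2*rr


def find_mirrored_blocks(image, block=BLOCK):
    """Return (first_offset, later_offset) pairs of identical, non-erased 32k blocks."""
    seen, dups = {}, []
    for off in range(0, len(image) - block + 1, block):
        chunk = image[off:off + block]
        if chunk.count(0xFF) == block or chunk.count(0x00) == block:
            continue                      # erased/blank blocks are not evidence of a mirror
        digest = hashlib.sha256(chunk).digest()
        if digest in seen:
            dups.append((seen[digest], off))
        else:
            seen[digest] = off
    return dups


def parse_vector_table(image):
    """Decode JMPS entries in the vector table -> [(vector_index, linear_target), ...]."""
    targets = []
    for i in range(0, min(VECTOR_TABLE_BYTES, len(image)) - 3, 4):
        if image[i] == JMPS:
            seg, off = image[i + 1], struct.unpack_from("<H", image, i + 2)[0]
            targets.append((i // 4, (seg << 16) | off))
    return targets


def score_load_bases(image, candidates=(0x000000, 0x800000)):
    """Count, per candidate load base, how many vector targets land inside the image."""
    targets = parse_vector_table(image)
    return {base: sum(1 for _, t in targets if base <= t < base + len(image))
            for base in candidates}


def pick_load_base(image, candidates=(0x000000, 0x800000)):
    """Best-scoring base (lowest wins a tie); None when no vector fits any candidate."""
    scores = score_load_bases(image, candidates)
    best = max(candidates, key=lambda b: (scores[b], -b))
    return best if scores[best] else None


def find_dpp_init(image, base, window=0x100):
    """Follow the reset vector and collect MOV DPPn,#imm16 in the first `window` bytes.

    Scanning only the reset handler keeps E6 0n bytes that occur in data from
    being reported as DPP settings. Returns {"DPP0": page, ...}, first write wins.
    """
    vectors = dict(parse_vector_table(image))
    if 0 not in vectors:
        return {}
    entry = vectors[0] - base
    if not 0 <= entry < len(image):
        return {}
    found = {}
    region = image[entry:entry + window]
    for i in range(len(region) - 3):
        if region[i] == MOV_REG_IMM16 and region[i + 1] in DPP_SHORT_ADDR:
            page = struct.unpack_from("<H", region, i + 2)[0] & 0x3FF   # DPP holds a 10-bit page
            found.setdefault(DPP_SHORT_ADDR[region[i + 1]], page)
    return found


def build_sample_image():
    """Constructed 128 KiB dump: reset and NMI vectors, a reset stub setting the DPPs,
    and the first 32k mirrored at 0x10000. Not a real ECU image."""
    img = bytearray(b"\xff" * 0x20000)
    img[0:4] = bytes([JMPS, 0x00]) + struct.pack("<H", 0x0200)   # RESET -> 0x000200
    img[8:12] = bytes([JMPS, 0x00]) + struct.pack("<H", 0x0300)  # NMI   -> 0x000300
    stub = b"".join(bytes([MOV_REG_IMM16, rr]) + struct.pack("<H", page)
                    for rr, page in ((0x00, 0x204), (0x01, 0x205), (0x02, 0x0E0), (0x03, 0x003)))
    img[0x200:0x200 + len(stub)] = stub
    img[0x10000:0x18000] = img[0:0x8000]
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    base = pick_load_base(SAMPLE_IMAGE)
    print("mirrored 32k blocks:", [(hex(a), hex(b)) for a, b in find_mirrored_blocks(SAMPLE_IMAGE)])
    print("load base scores:", {hex(k): v for k, v in score_load_bases(SAMPLE_IMAGE).items()})
    print("suggested load base:", hex(base) if base is not None else None)
    print("DPP init in reset handler:", {k: hex(v) for k, v in find_dpp_init(SAMPLE_IMAGE, base).items()})
```

To use it on a real dump, replace SAMPLE_IMAGE with `open("006.bin", "rb").read()`. The load base it picks is what goes into "ROM start" / "Input file loading address", and the DPP pages are what you enter when IDA asks for the data page pointers; an erased vector table (all 0xFF) or vectors that fit neither base means the dump does not start at segment 0 and the scan tells you nothing.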