Topic: Reversing an ME7.1.1 St10F27X Audi TT 3.2
gt-innovation
« Reply #60 on: June 27, 2019, 12:23:49 PM »

Nothing is impossible but not in my schedule to work on that at the moment... Use the info I posted here to do it yourself or use an Arduino to convert the signal.

elRey
« Reply #61 on: October 02, 2021, 01:23:12 AM »

I know this is old, but wanted to bump it so I can refer back to this. ME7.5 1.8T TIPTronic with DSG swap hoping to do this.

Thanks for all the great info!

rysiektr
« Reply #62 on: October 03, 2021, 02:51:40 AM »

You need to compare the software from the DSG and manual gearbox R32, e.g. CA and CB, and check differences like gearbox coding, clutch pedal coding and other limiters.

James1
« Reply #63 on: January 24, 2023, 05:15:02 PM »

When importing the flash,

is the offset 80000 or 800000?

Also, should create segments and/or code segments be selected?

Thank you.

Quote:
So it is time to give a little bit back to the community.

Since I own an Audi TT 3.2 I decided some months ago to completely define the mpc and flash and not only just some parts.
As you all know there is no FR for this ecu/sw out in public so I used parts of the me7.X and parts of the med9.1 FR to slowly define my project.

Attached you will find a complete map pack (genuine ols only), the mpc and flash of this ecu which fits the map pack directly, and my progress till now, but not the actual IDA project (for various "development" reasons).

I will write down however what you will need to import this to IDA and make your own project. The files enums.txt and names.txt have my progress until today and you can use them to define lots of variables. In case anyone finds a mistake post it here so I can replace or correct it, as cross referencing to both FRs could cause conflicts and misinterpretation.

The following IDA import data are correct but I am sure I am missing something vital as some memory address calls are not displayed as they should.

IDA info :

import mpc file
Proc type : SGS-Thomson ST10 [st10]
Ram : 0x380000 with size 0x20000
do not split into 64kb segments
Select ST10F276
load additional binary file
-----------------------------
Enter Load segment : 0x80000
 Loading offset : 0x80000
 File offset in bytes : 0x0
 Number of bytes : 0x0
-----------------------------
Click Edit -> Segments -> Create segment
 Enter Segment name: RAM2
 Start Address: 0xF0000
 End Address: 0x10FFFF
 Base: 0x0
 Choose 16-bit segment
Click Edit -> Segments -> Set default segment register value

Dpps:

dpp0 0x23F
dpp1 and enter 0x3C
dpp2 and enter 0xE0



Future posts will include more enumerated bytes and more address names for this particular ecu.

R32Dude
« Reply #64 on: January 24, 2023, 11:58:27 PM »

80 00 00, but if asked paragraphs it is 80 00 0.
I don't create segments automatically. When loaded I manually create them by looking at the a2l file and knowing the code segment and the data segment. You might find small sections in the code that decompile wrong because some places are small chunks of data. Might be crc, not sure myself.

R32Dude
« Reply #65 on: January 25, 2023, 07:15:22 AM »

Forgot to mention that there are no clear instructions on how the MPC checksums are to be corrected should you ever modify that code.

James1
« Reply #66 on: January 25, 2023, 08:06:55 AM »

WinOLS corrects the checksum in the MPC when loaded with the Flash.

My A2L looks like this

 /begin MEMORY_SEGMENT Pst0 "" RESERVED FLASH INTERN 0x0 0x8000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x0 /*mapping_adr:*/0x0 /*length:*/0x8000 /end IF_DATA
       
        /* AsapMLCFm - KWP2000 */
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst18000 "" RESERVED FLASH INTERN 0x18000 0xB8000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x18000 /*mapping_adr:*/0x18000 /*length:*/0xB8000 /end IF_DATA
       
        /* AsapMLCFm - KWP2000 */
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst800000 "" CODE EPROM EXTERN 0x800000 0xE0000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x800000 /*mapping_adr:*/0x800000 /*length:*/0xE0000 /end IF_DATA
       
        /* AsapMLCFm - KWP2000 */
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Dst8E0000 "" DATA EPROM EXTERN 0x8E0000 0x20000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x8E0000 /*mapping_adr:*/0x8E0000 /*length:*/0x20000 /end IF_DATA
       
        /* AsapMLCFm - KWP2000 */
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT ExtRam380000 "" VARIABLES RAM EXTERN 0x380000 0x8000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x380000 /*mapping_adr:*/0x380000 /*length:*/0x8000 /end IF_DATA
       
        /* AsapMLXFm - KWP2000 */
    /end MEMORY_SEGMENT



So I'm trying to work out what to use for loading segment and loading offset for the 1 MB flash.

The a2l is not an exact match but close enough to find maps in my image, and now I would like to find some RAM variables too.

Blazius
« Reply #67 on: January 25, 2023, 10:13:36 AM »


Quote from: R32Dude
"I don't create segments automatically. When loaded I manually create them by looking at the a2l file and knowing the code segment and the data segment. You might find small sections in the code that decompile wrong because some places are small chunks of data. Might be crc, not sure myself."

If you got a damos/A2L for the project which tells you the segments exactly, then do not disassemble the data (maps) segments as it will give you a bunch of bullshit if you go to xref certain things etc. and it will just confuse you.

R32Dude
« Reply #68 on: January 26, 2023, 06:35:14 AM »

Quote from: James1
"WinOLS corrects the checksum in the MPC when loaded with the Flash."

The version I have, 1.5, looks like it does something but still shows that there are 77 checksums when in reality the ST10 has over 100. Tried all sorts of ways of importing the elements but I don't trust it, something is sus.
It's great just for the flash.

prj
« Reply #69 on: January 26, 2023, 08:51:34 AM »

Quote from: R32Dude
"The version I have, 1.5, looks like it does something but still shows that there are 77 checksums when in reality the ST10 has over 100. Tried all sorts of ways of importing the elements but I don't trust it, something is sus.
It's great just for the flash."

There is no issue with the genuine version...

bamofo
« Reply #70 on: January 26, 2023, 12:08:01 PM »

Quote from: R32Dude
"The version I have, 1.5, looks like it does something but still shows that there are 77 checksums when in reality the ST10 has over 100. Tried all sorts of ways of importing the elements but I don't trust it, something is sus.
It's great just for the flash."

In addition to what PRJ said... if you try using the free version you're gonna have a bad time with that ECU. Already did that....

R32Dude
« Reply #71 on: January 27, 2023, 02:25:09 AM »

Quote from: James1
"[...] So I'm trying to work out what to use for loading segment and loading offset for the 1 MB flash."

Load flash at 80 00 00. If you load as additional file drop a zero when asked paragraphs, zero offset

James1
« Reply #72 on: January 27, 2023, 03:09:43 PM »

It looks like the 1 MB flash has code and data. So does it make sense to load the 1 MB flash in two parts?

The first part as a code segment at 0x800000 with length 0xE000, and then the second part as a non-code segment, i.e. map data at 0x8E0000 with length 0x20000?

R32Dude
« Reply #73 on: January 27, 2023, 03:17:58 PM »

You load it once, make segments manually.

James1
« Reply #74 on: January 31, 2023, 07:18:29 AM »

OK, segments defined.

Do the DPPs need defining for the code in the flash?

https://ibb.co/0JFYYgH
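
Added example (not part of any post in this thread, and not the posters' or any tool's own code): the Python below parses the MEMORY_SEGMENT lines from the A2L excerpt in Reply #66 and relates them to the points discussed above, namely the paragraph value for a 0x800000 load address, where the code and data segments sit inside the 1 MB flash dump, and which region each DPP value from the quoted import notes points at. It assumes the flash is loaded at 0x800000 and the standard ST10/C166 data-page scheme (10-bit page number, 16 KB pages); all function names are illustrative.

```python
import re

# MEMORY_SEGMENT header lines copied from the A2L excerpt in Reply #66.
A2L = '''
/begin MEMORY_SEGMENT Pst0 "" RESERVED FLASH INTERN 0x0 0x8000 -1 -1 -1 -1 -1
/begin MEMORY_SEGMENT Pst18000 "" RESERVED FLASH INTERN 0x18000 0xB8000 -1 -1 -1 -1 -1
/begin MEMORY_SEGMENT Pst800000 "" CODE EPROM EXTERN 0x800000 0xE0000 -1 -1 -1 -1 -1
/begin MEMORY_SEGMENT Dst8E0000 "" DATA EPROM EXTERN 0x8E0000 0x20000 -1 -1 -1 -1 -1
/begin MEMORY_SEGMENT ExtRam380000 "" VARIABLES RAM EXTERN 0x380000 0x8000 -1 -1 -1 -1 -1
'''
SEG_RE = re.compile(
    r'/begin\s+MEMORY_SEGMENT\s+(\S+)\s+"[^"]*"\s+(\S+)\s+(\S+)\s+(\S+)'
    r'\s+(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)')
FLASH_BASE = 0x800000  # assumption: linear load address of the flash, per the thread
FLASH_SIZE = 0x100000  # 1 MB flash dump

def parse_segments(text):
    """Return one dict per MEMORY_SEGMENT: name, kind, start, end (inclusive)."""
    segs = []
    for name, kind, _mem, _attr, start, size in SEG_RE.findall(text):
        start, size = int(start, 16), int(size, 16)
        segs.append({"name": name, "kind": kind, "start": start,
                     "end": start + size - 1})
    return segs

def paragraphs(linear):
    """Linear address expressed in 16-byte paragraphs (drops one hex zero)."""
    return linear >> 4

def flash_offset(seg):
    """Byte offset of a segment inside the flash dump, or None if outside it."""
    off = seg["start"] - FLASH_BASE
    return off if 0 <= off < FLASH_SIZE else None

def dpp_to_linear(dpp):
    """ST10/C166 data page pointer: 10-bit page number, 16 KB pages."""
    return (dpp & 0x3FF) << 14

def segment_of(addr, segs):
    """Name of the A2L segment containing addr, or None."""
    return next((s["name"] for s in segs if s["start"] <= addr <= s["end"]), None)

if __name__ == "__main__":
    segs = parse_segments(A2L)
    for s in segs:
        print(f'{s["name"]:13} {s["kind"]:9} {s["start"]:#x}-{s["end"]:#x} off={flash_offset(s)}')
    for n, dpp in enumerate((0x23F, 0x3C, 0xE0)):  # DPP values from the quoted notes
        a = dpp_to_linear(dpp)
        print(f"dpp{n}={dpp:#x} -> {a:#x} ({segment_of(a, segs)})")
```

Running it shows dpp0 (0x23F) resolving to 0x8FC000 inside Dst8E0000 and dpp2 (0xE0) to 0x380000 at the start of ExtRam380000. dpp1 (0x3C) resolves to 0xF0000, which no A2L segment covers and which matches the start address of the manually created RAM2 segment in the quoted notes.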