Topic: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)
360trev
« on: September 06, 2018, 05:04:36 AM »

Ok guys...

I present to you the first (beta) of useful code showing how to do all kinds of things with ME7 roms. The aim is that you will eventually need NO OTHER tools to analyse an ME7 rom (commercial or otherwise).
It's starting to be possible to do so much that it's easier to call it a Swiss army knife tool for ME7 roms. :)

I've just done a first cut of the map finder. It's very rough (but simple code!) at the moment but I will expand this to pretty much be able to identify ALL maps automatically AND label them. I can do this (unlike some commercial software!) because of the unique way this tool approaches it. It's very good at finding them in roms I have never even seen before but derived from the same code base.

Q. So how does it work?
The idea is we directly search for 'masked signatures' in the rom in the machine code sub-routines which ACCESS the maps.

Q. What are masked signatures?

They are snippets of rom code with all of the relocation and segment address information removed. We do this since this is essentially what changes with recompilation and across different roms. By removing what changes we get a powerful way to identify sub-routines independent of the actual rom file version.

So if the rom accesses the maps for example we can find that specific generic code and then work back from there. After matching it (ignoring all of the relocation and segments) we extract the actual segment information and then re-calculate the physical addresses from the segments, then mask those addresses to reveal the byte offset from the start of the rom! We can then use this offset to dump the maps... It's a very powerful method because of the way we mask the code. The approach of masking all segment and relocation information out of the signatures means it works on any ME7x rom file compiled for C167x cpu and works right across a huge number of rom variants.

Right now the first version of the Map finder is just showing X-Axis tables (entire set of rom tables will come shortly and then we can easily match them too!)... But of course it's quite simple to make this work for ALL the ROM resident tables and then we can start to identify the sub-routines with further signature bytes and automatically label all of those tables too.

...This is a far better way than 'guessing' the maps knowing they reside (as some even commercial tools do) within a certain range in the rom. This guarantees you're actually looking at real tables.

Development wise the next step is to push the table start addresses into a hash table to make it easy to de-duplicate them so you don't find calls to the lookups to the same tables (happens occasionally since we are walking through the rom code and literally picking up ALL of the accesses to the tables).

Hope this makes sense. It's called ME7RomTool_Ferrari (since that's my main focus) however be assured it does work with many many variants I've been continuing to download and test it with...

https://github.com/360trev/ME7RomTool_Ferrari
Logged
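The masked-signature search and the segment-to-file-offset step described in the post above, as an added example that is not part of the original post and is not code from ME7RomTool_Ferrari. The signature bytes, the operand positions and the use of `len - 1` as the address mask are assumptions made for illustration; the 16 KB page size and the numbers in `main` follow the KFAGK output in this thread (seg 0x206, val 0x541, file offset 0x18541).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 0x4000u  /* assumption: one segment (data page) = 16 KB */

/* Constructed pattern, not bytes from a real ROM: two 4-byte instructions
 * whose 16-bit operands (table offset, then segment) are masked out. */
static const uint8_t SIG[]  = {0xE6, 0xF4, 0, 0, 0xE6, 0xF5, 0, 0, 0xDA};
static const uint8_t MASK[] = {0xFF, 0xFF, 0, 0, 0xFF, 0xFF, 0, 0, 0xFF};

/* First offset at or after `from` where all unmasked bytes match, or -1. */
long masked_find(const uint8_t *rom, size_t len, size_t from)
{
    for (size_t i = from; i + sizeof SIG <= len; i++) {
        size_t j = 0;
        while (j < sizeof SIG && ((rom[i + j] ^ SIG[j]) & MASK[j]) == 0)
            j++;
        if (j == sizeof SIG)
            return (long)i;
    }
    return -1;
}

/* segment + offset -> physical address -> byte offset from start of file.
 * Assumes len is a power of two so (len - 1) works as the address mask. */
uint32_t file_offset(uint16_t seg, uint16_t val, size_t len)
{
    uint32_t phy = (uint32_t)seg * PAGE_SIZE + val;
    return phy & (uint32_t)(len - 1);
}

/* Pull the masked-out operands back out of the match and resolve them.
 * Returns -1 if nothing matched or the table would run past the image. */
long locate_table(const uint8_t *rom, size_t len, size_t table_bytes)
{
    long at = masked_find(rom, len, 0);
    if (at < 0) return -1;
    uint16_t val = (uint16_t)(rom[at + 2] | rom[at + 3] << 8);
    uint16_t seg = (uint16_t)(rom[at + 6] | rom[at + 7] << 8);
    uint32_t off = file_offset(seg, val, len);
    return table_bytes > len - off ? -1 : (long)off;
}

static uint8_t demo_rom[0x80000];  /* constructed 512 KB image */

/* Plant the pattern with the given operands at 0x4ab40 and resolve it. */
long demo(uint16_t seg, uint16_t val)
{
    uint8_t *p = demo_rom + 0x4ab40;
    memset(demo_rom, 0xFF, sizeof demo_rom);
    memcpy(p, SIG, sizeof SIG);
    p[2] = (uint8_t)val; p[3] = (uint8_t)(val >> 8);
    p[6] = (uint8_t)seg; p[7] = (uint8_t)(seg >> 8);
    return locate_table(demo_rom, sizeof demo_rom, 6 * 10);
}

int main(void)
{
    printf("table at file offset 0x%lx\n", (unsigned long)demo(0x206, 0x541));
    return 0;
}
```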
360trev
« Reply #1 on: September 06, 2018, 05:06:38 AM »

Here's an example of it identifying KFAGK (Exhaust Flap changeover table)...


-[ Exhaust Valve KFAGK Table ]---------------------------------------------------------------------

>>> Scanning for KFAGK Table #1 Checking sub-routine [manages exhaust valve/flap opening]
Found at offset=0x4ab40 (seg:0x206 phy:0x818000 val:0x541)

KFAGK table: Characteristic map for exhaust flap changeover
KFAGK table: 0x00018541 (file-offset)
KFAGK table: X-Axis:  6 Rows : % of Throttle Applied.
KFAGK table: Y-Axis: 10 Rows : RPM before Opening occurs.

        0.00%   20.25%  63.75%  69.00%  81.00%  99.75%
        [1]---- [2]---- [3]---- [4]---- [5]---- [6]----
         0       0       0       0       0       0      [ 1] : 800   rpm
         0       0       0       0       0       0      [ 2] : 1000  rpm
         0       0       0       0       0       0      [ 3] : 2520  rpm
         0       0       1       1       1       1      [ 4] : 2720  rpm
         0       0       1       2       2       2      [ 5] : 2920  rpm
         0       0       1       2       2       2      [ 6] : 3720  rpm
         0       0       1       2       2       2      [ 7] : 3920  rpm
         0       0       1       2       2       2      [ 8] : 5000  rpm
         0       0       1       2       2       2      [ 9] : 6000  rpm
         0       0       1       2       2       2      [10] : 9000  rpm


Logged
360trev
« Reply #2 on: September 06, 2018, 05:08:49 AM »

and here's the generic map (X-Axis only for now!) finder in action on the same Ferrari 360 rom file...


-[ Generic X-Axis MAP Table Scanner! ]---------------------------------------------------------------------

>>> Scanning for Map Tables #1 Checking sub-routine [map finder!]

[Map #1] X-Axis Map function found at: offset=0x33eb0 phy:0x1805f, file-offset=0x18060 x-axis=8
        14 19 26 32 3e 4b 58 64

[Map #2] X-Axis Map function found at: offset=0x3fc36 phy:0x18074, file-offset=0x18075 x-axis=5
        40 4d 5b 68 76

[Map #3] X-Axis Map function found at: offset=0x441da phy:0x1810c, file-offset=0x1810d x-axis=16
        14 1e 28 32 3c 46 50 5a 64 6e 78 82 8c 94 9b a3

[Map #4] X-Axis Map function found at: offset=0x441f2 phy:0x18137, file-offset=0x18138 x-axis=4
        34 5d 85 ad

[Map #5] X-Axis Map function found at: offset=0x44434 phy:0x181bc, file-offset=0x181bd x-axis=6
        00 02 14 1e 28 3c

[Map #6] X-Axis Map function found at: offset=0x44482 phy:0x180d5, file-offset=0x180d6 x-axis=8
        0d 19 26 32 4b 64 7d 96

[Map #7] X-Axis Map function found at: offset=0x444ca phy:0x180c0, file-offset=0x180c1 x-axis=5
        23 28 2d 32 37

[Map #8] X-Axis Map function found at: offset=0x444e2 phy:0x180a3, file-offset=0x180a4 x-axis=5
        08 0d 11 18 20

[Map #9] X-Axis Map function found at: offset=0x4452e phy:0x181c3, file-offset=0x181c4 x-axis=8
        1e 3c 5a 78 96 b4 d2 f0

[Map #10] X-Axis Map function found at: offset=0x44546 phy:0x180de, file-offset=0x180df x-axis=8
        26 32 4b 58 64 7d 8a 96

[Map #11] X-Axis Map function found at: offset=0x44576 phy:0x1811d, file-offset=0x1811e x-axis=16
        26 2c 32 38 3f 45 4b 51 58 64 6a 71 76 8a 96 a3

[Map #12] X-Axis Map function found at: offset=0x4458e phy:0x18161, file-offset=0x18162 x-axis=8
        33 40 54 61 90 9d b8 c5

[Map #13] X-Axis Map function found at: offset=0x445c6 phy:0x181e2, file-offset=0x181e3 x-axis=8
        00 03 06 09 0c 0f 12 15

[Map #14] X-Axis Map function found at: offset=0x445de phy:0x181eb, file-offset=0x181ec x-axis=8
        00 03 06 09 0c 0f 12 15

[Map #15] X-Axis Map function found at: offset=0x446aa phy:0x180fb, file-offset=0x180fc x-axis=16
        10 15 19 1f 26 2c 32 38 3f 45 4b 58 64 71 7d 96

[Map #16] X-Axis Map function found at: offset=0x446c2 phy:0x1813c, file-offset=0x1813d x-axis=8
        0a 14 1e 32 46 50 64 78

[Map #17] X-Axis Map function found at: offset=0x446f6 phy:0x180b7, file-offset=0x180b8 x-axis=8
        03 05 08 14 1e 32 50 64

[Map #18] X-Axis Map function found at: offset=0x4470e phy:0x180e7, file-offset=0x180e8 x-axis=8
        14 19 32 3c 4b 64 7d 96

[Map #19] X-Axis Map function found at: offset=0x44726 phy:0x180f0, file-offset=0x180f1 x-axis=10
        0f 16 1e 25 2d 37 41 50 64 82

[Map #20] X-Axis Map function found at: offset=0x4473e phy:0x18080, file-offset=0x18081 x-axis=10
        0a 17 29 40 54 6b 80 a4 cd ff

[Map #21] X-Axis Map function found at: offset=0x44756 phy:0x180a9, file-offset=0x180aa x-axis=6
        05 0d 19 32 64 c8

[Map #22] X-Axis Map function found at: offset=0x4476e phy:0x18092, file-offset=0x18093 x-axis=5
        59 73 80 8c a7

[Map #23] X-Axis Map function found at: offset=0x44786 phy:0x1816f, file-offset=0x18170 x-axis=4
        25 4d 68 ab

[Map #24] X-Axis Map function found at: offset=0x4479e phy:0x1810c, file-offset=0x1810d x-axis=16
        14 1e 28 32 3c 46 50 5a 64 6e 78 82 8c 94 9b a3

[Map #25] X-Axis Map function found at: offset=0x447b6 phy:0x18137, file-offset=0x18138 x-axis=4
        34 5d 85 ad

[Map #26] X-Axis Map function found at: offset=0x447ce phy:0x1e288, file-offset=0x1e289 x-axis=4
        00 1b 00 2f

[Map #27] X-Axis Map function found at: offset=0x447e6 phy:0x180cd, file-offset=0x180ce x-axis=7
        14 1e 2d 3c 50 64 7d

[Map #28] X-Axis Map function found at: offset=0x44816 phy:0x1819a, file-offset=0x1819b x-axis=9
        18 33 40 4d 61 75 90 ab c5

[Map #29] X-Axis Map function found at: offset=0x44868 phy:0x18181, file-offset=0x18182 x-axis=6
        0b 25 40 5b 90 b8

[Map #30] X-Axis Map function found at: offset=0x44880 phy:0x18191, file-offset=0x18192 x-axis=8
        0b 25 33 40 4d 5b 90 b8

[Map #31] X-Axis Map function found at: offset=0x448d8 phy:0x1817a, file-offset=0x1817b x-axis=6
        11 25 40 5b 75 ab

[Map #32] X-Axis Map function found at: offset=0x44978 phy:0x180b0, file-offset=0x180b1 x-axis=6
        02 19 32 4b 64 7d

[Map #33] X-Axis Map function found at: offset=0x44ec6 phy:0x1e382, file-offset=0x1e383 x-axis=4
        00 25 00 40

[Map #34] X-Axis Map function found at: offset=0x48aa2 phy:0x1eb26, file-offset=0x1eb27 x-axis=4
        00 2b 00 2c

... cut ... cut ...

[Map #80] X-Axis Map function found at: offset=0x7f510 phy:0x19d2e, file-offset=0x19d2f x-axis=10
        0a 14 1e 28 32 46 5a 78 96 f0

[Map #81] X-Axis Map function found at: offset=0x81ecc phy:0x23fd6, file-offset=0x23fd7 x-axis=4
        00 00 00 04
No match found

Logged
prj
« Reply #3 on: September 06, 2018, 05:11:37 AM »

That's pretty cool, but I did this like 6 years ago: http://nefariousmotorsports.com/forum/index.php?topic=2703.0

Just saying :p
Logged
360trev
« Reply #4 on: September 06, 2018, 05:17:24 AM »

That's pretty cool, but I did this like 6 years ago: http://nefariousmotorsports.com/forum/index.php?topic=2703.0

Just saying :p

Hello prj, I know sir, you're a guru on here ;) ...The aim here is a bit different...
I'm going to make it possible to extract and re-insert changed maps and automatically recalc sums. So it's trivial to swap maps from one rom to another or make changes and repatch them in with no extra tools... I will do a gui frontend to 'control' this...

Did I mention it does summing too and works with multiple variants of signatures including support for 1Mb files too?



-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
main rom dppX byte sequence #1 found at offset=0x246.

dpp0: (seg: 0x0004 phy:0x00010000)
dpp1: (seg: 0x0005 phy:0x00014000)
dpp2: (seg: 0x00c0 phy:0x00300000) ram start address
dpp2: (seg: 0x0003 phy:0x0000c000) cpu registers

Note: dpp3 is always 3, otherwise accessing CPU register area not possible



-[ Main-Rom Checksum Analysis ]----------------------------------------------------------

>>> Scanning for Main ROM Checksum sub-routine #1 [to extract number of entries in table]
main checksum byte sequence #1 found at offset=0xbfb82.
Found #3 Regional Block Entries in table

>>> Scanning for Main ROM Checksum sub-routine #2 [to extract Start/End regions]
main checksum byte sequence #2 found at offset=0xbfb46.

Main Region Block #1:
        lo:0x293b4.W hi:0x293b6.W (seg: 0xa phy:0x293b4) : 0xc000
        lo:0x293b8.W hi:0x293ba.W (seg: 0xa phy:0x293b8) : 0xdfff sum=43d88af ~sum=fbc27750 : acc_sum=0
Main Region Block #2:
        lo:0x293bc.W hi:0x293be.W (seg: 0xa phy:0x293bc) : 0x10900
        lo:0x293c0.W hi:0x293c2.W (seg: 0xa phy:0x293c0) : 0x1f7ff sum=1b08c4eb ~sum=e4f73b14 : acc_sum=43d88af
Main Region Block #3:
        lo:0x293c4.W hi:0x293c6.W (seg: 0xa phy:0x293c4) : 0x1fc00
        lo:0x293c8.W hi:0x293ca.W (seg: 0xa phy:0x293c8) : 0xcffff sum=5279cec5 ~sum=ad86313a : acc_sum=1f464d9a

Final Main ROM Checksum calculation:  0x71c01c5f (after 3 rounds)
Final Main ROM Checksum calculation: ~0x8e3fe3a0


>>> Scanning for Main ROM Checksum sub-routine #3 variant #A [to extract stored checksums and locations in ROM]
main checksum byte sequence #3 block found at offset=0xbfbee.

Stored Main ROM Block Checksum:
        lo:0xffff0.W hi:0xffff2.W (seg: 0x3f phy:0xffff0) : 0x71c01c5f
Stored Main ROM Block ~Checksum:
        lo:0xffff4.W hi:0xffff6.W (seg: 0x3f phy:0xffff4) : 0x8e3fe3a0

MAIN STORED ROM  CHECKSUM: 0x71c01c5f ? 0x71c01c5f : OK!         ~CHECKSUM: 0x8e3fe3a0 ? 0x8e3fe3a0 : OK!


-[ Multipoint Checksum Analysis ]--------------------------------------------------------

>>> Scanning for Multipoint Checksum sub-routine #1 Variant A [to extract number entries in stored checksum list in ROM]
Found at offset=0xbe32a.
Found #48 Multipoint Entries in table

>>> Scanning for Multipoint Checksum sub-routine #2 Variant A [to extract address of stored checksum list location in ROM]
Found at offset=0xbe5ac.

Multipoint Block #01 of #48:
        lo:0x1f800.L (seg: 0x7 phy:0x1f800) : Start:   seg:0x0 phy:0x00000000 (offset: 0x00000000)
        lo:0x1f804.L (seg: 0x7 phy:0x1f804) :  End:    seg:0x0 phy:0x000001ff (offset: 0x000001ff)
        lo:0x1f808.L (seg: 0x7 phy:0x1f808) :  Block Checksum: 0x00407600 :  Calculated: 0x00407600 OK
        lo:0x1f80c.L (seg: 0x7 phy:0x1f80c) : ~Block Checksum: 0xffbf89ff : ~Calculated: 0xffbf89ff OK
Multipoint Block #02 of #48:
        lo:0x1f810.L (seg: 0x7 phy:0x1f810) : Start:   seg:0x0 phy:0x00000000 (offset: 0x00000000)
        lo:0x1f814.L (seg: 0x7 phy:0x1f814) :  End:    seg:0x0 phy:0x000001ff (offset: 0x000001ff)
        lo:0x1f818.L (seg: 0x7 phy:0x1f818) :  Block Checksum: 0x00407600 :  Calculated: 0x00407600 OK
        lo:0x1f81c.L (seg: 0x7 phy:0x1f81c) : ~Block Checksum: 0xffbf89ff : ~Calculated: 0xffbf89ff OK
Multipoint Block #03 of #48:
        lo:0x1f820.L (seg: 0x7 phy:0x1f820) : Start:   seg:0x2 phy:0x00008000 (offset: 0x00008000)
        lo:0x1f824.L (seg: 0x7 phy:0x1f824) :  End:    seg:0x2 phy:0x0000bfff (offset: 0x0000bfff)
        lo:0x1f828.L (seg: 0x7 phy:0x1f828) :  Block Checksum: 0x0da78c5f :  Calculated: 0x0da78c5f OK
        lo:0x1f82c.L (seg: 0x7 phy:0x1f82c) : ~Block Checksum: 0xf25873a0 : ~Calculated: 0xf25873a0 OK
Multipoint Block #04 of #48:
        lo:0x1f830.L (seg: 0x7 phy:0x1f830) : Start:   seg:0x3 phy:0x0000c000 (offset: 0x0000c000)
        lo:0x1f834.L (seg: 0x7 phy:0x1f834) :  End:    seg:0x3 phy:0x0000dfff (offset: 0x0000dfff)
        lo:0x1f838.L (seg: 0x7 phy:0x1f838) :  Block Checksum: 0x043d88af :  Calculated: 0x043d88af OK
        lo:0x1f83c.L (seg: 0x7 phy:0x1f83c) : ~Block Checksum: 0xfbc27750 : ~Calculated: 0xfbc27750 OK
Multipoint Block #05 of #48:
        lo:0x1f840.L (seg: 0x7 phy:0x1f840) : Start:   seg:0x4 phy:0x00010900 (offset: 0x00010900)
        lo:0x1f844.L (seg: 0x7 phy:0x1f844) :  End:    seg:0x4 phy:0x00013fff (offset: 0x00013fff)
        lo:0x1f848.L (seg: 0x7 phy:0x1f848) :  Block Checksum: 0x07e64140 :  Calculated: 0x07e64140 OK
        lo:0x1f84c.L (seg: 0x7 phy:0x1f84c) : ~Block Checksum: 0xf819bebf : ~Calculated: 0xf819bebf OK
Multipoint Block #06 of #48:
        lo:0x1f850.L (seg: 0x7 phy:0x1f850) : Start:   seg:0x5 phy:0x00014000 (offset: 0x00014000)
        lo:0x1f854.L (seg: 0x7 phy:0x1f854) :  End:    seg:0x5 phy:0x00017f67 (offset: 0x00017f67)
        lo:0x1f858.L (seg: 0x7 phy:0x1f858) :  Block Checksum: 0x082369b2 :  Calculated: 0x082369b2 OK
        lo:0x1f85c.L (seg: 0x7 phy:0x1f85c) : ~Block Checksum: 0xf7dc964d : ~Calculated: 0xf7dc964d OK
... cut...

Logged
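A verifier for the multipoint table layout visible in the output above (16-byte entries holding start, end, checksum and inverted checksum), as an added example that is not part of the original post and is not the tool's own code. It assumes a block checksum is the 32-bit sum of little-endian 16-bit words and that start and end can be used directly as file offsets; the 64-byte image is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static uint32_t rd32le(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32le(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Assumption: a block sum is the 32-bit sum of little-endian 16-bit words
 * over the inclusive range [start, end]. Returns -1 on a malformed range. */
int block_sum(const uint8_t *rom, size_t len, uint32_t start, uint32_t end, uint32_t *out)
{
    uint32_t s = 0;
    if (end < start || end >= len || ((end - start) & 1) == 0) return -1;
    for (uint32_t a = start; a < end; a += 2)
        s += rom[a] | (uint32_t)rom[a + 1] << 8;
    *out = s;
    return 0;
}

/* Walk n 16-byte entries {start, end, sum, ~sum}. Returns how many blocks
 * fail, or -1 if the table itself does not fit inside the image. */
int verify_multipoint(const uint8_t *rom, size_t len, uint32_t table, unsigned n)
{
    int bad = 0;
    if (table > len || (size_t)n * 16 > len - table) return -1;
    for (unsigned i = 0; i < n; i++) {
        const uint8_t *e = rom + table + 16u * i;
        uint32_t sum = rd32le(e + 8), inv = rd32le(e + 12), calc = 0;
        if (inv != (uint32_t)~sum   /* stored pair disagrees with itself */
            || block_sum(rom, len, rd32le(e), rd32le(e + 4), &calc) != 0
            || calc != sum)
            bad++;
    }
    return bad;
}

/* Constructed 64-byte image: two 16-byte blocks, two-entry table at 0x20. */
int demo(int tamper)
{
    static uint8_t rom[64];
    for (unsigned i = 0; i < 32; i++) rom[i] = (uint8_t)(i * 7 + 1);
    for (unsigned b = 0; b < 2; b++) {
        uint8_t *e = rom + 0x20 + 16 * b;
        uint32_t s = 0;
        block_sum(rom, sizeof rom, 16 * b, 16 * b + 15, &s);
        wr32le(e, 16 * b);  wr32le(e + 4, 16 * b + 15);
        wr32le(e + 8, s);   wr32le(e + 12, ~s);
    }
    if (tamper) rom[0x12] ^= 0x01;  /* one flipped bit inside block 2 */
    return verify_multipoint(rom, sizeof rom, 0x20, 2);
}

int main(void)
{
    printf("clean: %d bad, tampered: %d bad\n", demo(0), demo(1));
    return 0;
}
```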
360trev
« Reply #5 on: September 06, 2018, 05:23:20 AM »

That's pretty cool, but I did this like 6 years ago: http://nefariousmotorsports.com/forum/index.php?topic=2703.0

Just saying :p

I think I'll update my signatures to support your signature format sometime soon so both programs gain benefit from all the signatures I'm finding.... some are specific to Ferrari for example...

Logged
IamwhoIam
« Reply #6 on: September 07, 2018, 05:57:58 AM »

wow, this looks good to me! a GUI would make it even more attractive!
Logged

360trev
« Reply #7 on: September 07, 2018, 12:28:38 PM »

Well it's not really just a map finder... slightly misleading description. It's a

1. Checksum Corrector
2. Dppx Setting Locator
3. Map Locator
4. Map Changer
5. Seed Login Patcher

etc. with more and more features being added daily...

Yes, absolutely a GUI will be added soon (with full cell editing and graphs) as I get swapping of the most basic maps like KPED, etc. done.
Logged
360trev
« Reply #8 on: September 07, 2018, 05:01:24 PM »

For anyone tracking this project, I've just made some updates today to automated map detection routines.
On 1mb roms now it's detecting a large number of maps without individual signatures. With some more work it should be able to detect 100% of all maps automatically ;)

For example on the rom file "06A906032DS 0261207080 360930" it detects 115 maps...

e.g.;

--- cut --- cut

------------------------------------------------------------------
[Map #113] Multi Axis Map function found at: offset=0x95928

Table  : Identification not yet implemented (coming soon!)
X-Axis : 4 rows
Y-Axis : 4 rows


        [ 1 ]-- [ 2 ]-- [ 3 ]-- [ 4 ]--
         2626    2626    2626    2626   [ 1 ]
         2626    2626    2626    2626   [ 2 ]
         2626    2626    2626    2626   [ 3 ]
         2626    2626    404     755a   [ 4 ]


------------------------------------------------------------------
[Map #114] Multi Axis Map function found at: offset=0x99762

Table  : Identification not yet implemented (coming soon!)
X-Axis : 8 rows
Y-Axis : 5 rows


        [ 1 ]-- [ 2 ]-- [ 3 ]-- [ 4 ]-- [ 5 ]-- [ 6 ]-- [ 7 ]-- [ 8 ]--
         201     303     400     404     3       606     305     500    [ 1 ]
         404     304     600     506     3       505     305     500    [ 2 ]
         606     305     500     505     3       505     305     100    [ 3 ]
         505     305     500     505     3       201     303     100    [ 4 ]
         505     305     100     302     3       201     303     100    [ 5 ]


------------------------------------------------------------------
[Map #115] Multi Axis Map function found at: offset=0x99bf0

Table  : Identification not yet implemented (coming soon!)
X-Axis : 3 rows
Y-Axis : 8 rows


        [ 1 ]-- [ 2 ]-- [ 3 ]--
         2000    2000    2000   [ 1 ]
         2000    2000    2000   [ 2 ]
         2900    2600    2300   [ 3 ]
         2100    2000    2000   [ 4 ]
         2580    2380    2280   [ 5 ]
         2000    2000    2000   [ 6 ]
         10c     3219    644b   [ 7 ]
         c8af    fae1    ff     [ 8 ]


--- cut --- cut

Logged
JTY
« Reply #9 on: September 08, 2018, 04:57:55 AM »

Very good work, compiled nicely in my Linux car computer.
Tried all the functions with Porsche ME7.1 bin and seems to work.
Only seedkey did not find anything.
Logged
360trev
« Reply #10 on: September 13, 2018, 01:58:47 PM »

If you ever wanted to know how to extract the ECU Identification information out of an ME7 rom be sure to take a git clone of the latest source-code...

Latest version now supports this feature.

There is a lookup table in the rom which defines a list containing the strings, so many people never even know they exist..


06       vmecuhn_type:  db 6           ; entry type, 6 = asciiz
0A       vmecuhn_len:   db 0Ah
AE 01    vmecuhn_val:   dw VMECUHN     ; "185392.001"
04 02    vmecuhn_seg:   dw 204h        ; segment

06       ssecusn_type:  db 6           ; entry type, 6 = asciiz
0A       ssecuhn_len:   db 0Ah
98 01    ssecuhn_val:   dw SSECUHN     ; "0261204841"
04 02    ssecuhn_seg:   dw 204h


So if you're looking to resolve these strings back to the map area take a look at the code as they don't seem to be referenced anywhere else except for indirectly via this table.

Have fun ;)
Logged
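A decoder for the 6-byte identification entries in the listing above (type, length, 16-bit value, 16-bit segment), as an added example that is not part of the original post and is not the tool's own code. The two table entries are the bytes from the listing; the surrounding 512 KB image, the table location `DEMO_TABLE`, the 16 KB page size and the `len - 1` address mask are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENTRY_SIZE  6        /* type, len, val (word), seg (word) */
#define TYPE_ASCIIZ 6        /* "entry type, 6 = asciiz" in the listing */
#define PAGE_SIZE   0x4000u  /* assumption: seg counts 16 KB pages */

/* Decode the entry at rom[entry] into out as a NUL-terminated string.
 * Returns the string length, or -1 if the entry is out of bounds, is not
 * type 6, points past the image, holds non-printable bytes, or does not fit. */
int read_ident(const uint8_t *rom, size_t len, size_t entry, char *out, size_t out_len)
{
    if (entry > len || len - entry < ENTRY_SIZE) return -1;
    const uint8_t *e = rom + entry;
    uint8_t n = e[1];
    uint16_t val = (uint16_t)(e[2] | e[3] << 8);
    uint16_t seg = (uint16_t)(e[4] | e[5] << 8);
    if (e[0] != TYPE_ASCIIZ || (size_t)n + 1 > out_len) return -1;
    /* Assumes len is a power of two so (len - 1) masks phy to a file offset. */
    uint32_t off = ((uint32_t)seg * PAGE_SIZE + val) & (uint32_t)(len - 1);
    if (n > len - off) return -1;
    unsigned i = 0;
    for (; i < n && rom[off + i] != 0; i++) {
        if (rom[off + i] < 0x20 || rom[off + i] > 0x7e) return -1;
        out[i] = (char)rom[off + i];
    }
    out[i] = '\0';
    return (int)i;
}

static uint8_t demo_rom[0x80000];  /* constructed 512 KB image */
#define DEMO_TABLE 0x10100u        /* hypothetical table location */

/* Table bytes are the two entries from the listing; the image around them
 * is constructed so that seg 0x204 + val lands on the quoted strings. */
int demo(unsigned index, char *out, size_t out_len)
{
    static const uint8_t table[] = {0x06, 0x0A, 0xAE, 0x01, 0x04, 0x02,
                                    0x06, 0x0A, 0x98, 0x01, 0x04, 0x02};
    memset(demo_rom, 0xFF, sizeof demo_rom);
    memcpy(demo_rom + DEMO_TABLE, table, sizeof table);
    memcpy(demo_rom + 0x101AE, "185392.001", 10);
    memcpy(demo_rom + 0x10198, "0261204841", 10);
    return read_ident(demo_rom, sizeof demo_rom, DEMO_TABLE + ENTRY_SIZE * index,
                      out, out_len);
}

int main(void)
{
    char s[32];
    for (unsigned i = 0; i < 2; i++)
        if (demo(i, s, sizeof s) > 0) printf("entry %u: %s\n", i, s);
    return 0;
}
```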
player
« Reply #11 on: Yesterday at 06:01:50 AM »

wow. really nice work
Logged
nyet
« Reply #12 on: Yesterday at 09:44:04 AM »

Request: drop in replacement for ME7Info that can be used directly with ME7Logger
Logged
