Pages: 1 [2] 3 4 5
Author Topic: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)  (Read 87240 times)
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #15 on: September 24, 2018, 03:38:42 AM »

Thanks Nyet,

I havent done enough research on it yet but why are people referring to Absolute addresses in the external RAM range (which is a hardware configuration and NOT the same across all ME7 hardwares) ?
Some of the different ME7 ecu (Volvo, Fiat, Lancia etc.) variants for example don't use the same base addressing for their external ram layout.

Take for instance .. 2001.5 Audi S4 8D0907551M 0261207143(1).bin

Code:
Opening [b]'2001.5 Audi S4 8D0907551M 0261207143(1).bin'[/b] file
Succeded loading file.

Loaded ROM: Tool in 1Mb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
main rom dppX byte sequence #1 found at offset=0xdc08.

dpp0: (seg: 0x0204 phy:0x00810000)
dpp1: (seg: 0x0205 phy:0x00814000)
[b]dpp2: (seg: 0x00e0 phy:0x00380000) ram start address[/b]
dpp3: (seg: 0x0003 phy:0x0000c000) cpu registers

It has the 0x380000 base address for ram

vs VOLVO S60R_AUT 2.5L B5254T4 300HP NoCarPartNo 0261208289 30684626A.bin

Code:
Opening 'VOLVO S60R_AUT 2.5L B5254T4 300HP NoCarPartNo 0261208289 30684626A.bin' file
Succeded loading file.

Loaded ROM: Tool in 1Mb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
main rom dppX byte sequence #1 found at offset=0x246.

dpp0: (seg: 0x0004 phy:0x00010000)
dpp1: (seg: 0x0005 phy:0x00014000)
[b]dpp2: (seg: 0x00c0 phy:0x00300000) ram start address[/b]
dpp3: (seg: 0x0003 phy:0x0000c000) cpu registers

In this case it actually starts at 0x300000 instead...

Why therefore do we hardcode the BASE ADDRESS to $380000 ?

... when actually the value is determined by the project setup and the configuration of the DPP2 segment registers contents in the initial boot strap.

If we search the ROM bootstraip itself (Which is how my ME7RomTool does it) its quite easy to work out the external ram address by then taking the segment value and multiplying it by a page size of 16Kbytes (0x4000), which funny enough is exactly how all of the 16-bit opcodes in the machine code refer to the locations, indirectly from the DPP2 register. This affords a higher compatibility than hardcoding as we do it today and would yield compatibility with 1mb roms and many other vehicle manufacturers like Fiat's, etc, then we could just save Relative offsets from the DPP2 base address rather than directly referencing the direct base address.

Like I said I haven't yet checked if doing this would mean all the ram defines would align up on different memory maps. However really its far better to search for the needles to known functions and pull out all of the ram variables automatically thus having certainty that the correct addresses are used.

Thoughts?
Logged
nyet
Administrator
Hero Member
*****

Karma: +607/-168
Offline Offline

Posts: 12268


WWW
« Reply #16 on: September 24, 2018, 08:04:30 AM »

No reason other that historic. But we don't have the source to ME7L to change it to accept a base and and offset for each location, so at minimum, the absolute addresses will have to be added before generating ME7L ecu files.

Alternaltely, we do have enough info to build an entire logger from scratch, but it is unlikely enough people are around to do the work.

IMO that is the only thing you're up against right now...
Logged

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
pc1010
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 13


« Reply #17 on: October 17, 2018, 01:04:48 PM »

Are there any plans to add support for 832KB file size for ST10 based ME7 variants? That would be the first software to offer that Wink
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #18 on: October 22, 2018, 01:48:09 AM »

Send me some links to a few ROMs (and Ideally a definitions file of some locations to get me started) I can take a look. For what vehicles are you talking about btw?

Oh and latest update now includes a first cut (80% done) C16x dissassembler built-in (as always full sources included on the github)..
Logged
pectel
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 3


« Reply #19 on: October 22, 2018, 03:23:07 PM »

Hiya.new here:)
trying to get this tool to work but just flashes fast and vanishes Smiley
trying to find a function in a bmw x5 ecu
Logged
nyet
Administrator
Hero Member
*****

Karma: +607/-168
Offline Offline

Posts: 12268


WWW
« Reply #20 on: October 22, 2018, 06:38:06 PM »

Hiya.new here:)
trying to get this tool to work but just flashes fast and vanishes Smiley
trying to find a function in a bmw x5 ecu

It's a command line program.
Logged

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #21 on: October 23, 2018, 08:09:27 AM »

Hiya.new here:)
trying to get this tool to work but just flashes fast and vanishes Smiley
trying to find a function in a bmw x5 ecu

As Nyet stated the core functions run from command line today during initial development. I will build it with a full featured gui at a later date. For now you need to use it from command line. I'm currently in the process of making the dissassembler fully featured so that it can also help identify variables in the dissassembly listings... (i.e. support for segments) and some completion of the last few unsupported commands. This is significant as I will parse the entire rom during initial loading in preparation for function discovery followed by variables discovery. I can then generate xdf's, damos, etc. basically whatever format I wish... 



Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #22 on: October 23, 2018, 08:13:58 AM »

For instance...

me7romtool.exe -romfile LEFT_Eddie_2004_360Spider_EU.bin -seedkey -diss

Code:
Ferrari 360 ME7.3H4 Rom Tool. *BETA TEST* Last Built: Oct 17 2018 12:51:49 v1.6
by 360trev.  Needle lookup function borrowed from nyet (Thanks man!) from
the ME7sum tool development (see github).

..Now fixed and working on 64-bit hosts, Linux, Apple and Android devices ;)

Ý Opening 'LEFT_Eddie_2004_360Spider_EU.bin' file
Succeded loading file.

Loaded ROM: Tool in 512Kb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
0x000064A6: (+0  )  E6 00 00 00                  mov      DPP0, #0
0x000064AA: (+4  )  E6 01 05 02                  mov      DPP1, #0205h
0x000064AE: (+8  )  E6 02 E0 00                  mov      DPP2, #00E0h
0x000064B2: (+12 )  E6 03 03 00                  mov      DPP3, #3
***

main rom dppX byte sequence #1 found at offset=0x64a6.

dpp0: (seg: 0x0000 phy:0x00000000)
dpp1: (seg: 0x0205 phy:0x00814000)
dpp2: (seg: 0x00e0 phy:0x00380000) ram start address
dpp3: (seg: 0x0003 phy:0x0000c000) cpu registers

Note: dpp3 is always 3, otherwise accessing CPU register area not possible

-[ Basic Firmware information ]-----------------------------------------------------------------

>>> Scanning for ROM String Table Byte Sequence #1 [info]

found needle at offset=0x2e75e
found table at offset=00019B90.

0x0002E75E: (+0  )  F6 F4 42 E2                  mov      word_E242, r4
0x0002E762: (+4  )  F6 F5 44 E2                  mov      word_E244, r5
0x0002E766: (+8  )  9A 23 05 E0                  jnb      word_FD46.14, loc_2E774

0x0002E76A: (+12 )  E7 F8 11 00                  movb     rl4, #0011h
0x0002E76E: (+16 )  F7 F8 0A E2                  movb     byte_E20A, rl4
0x0002E772: (+20 )  0D 04                        jmpr     cc_UC, loc_2E77C

0x0002E774: (+22 )  E7 F8 14 00                  movb     rl4, #0014h
0x0002E778: (+26 )  F7 F8 0A E2                  movb     byte_E20A, rl4
0x0002E77C: (+30 )  E6 F4 22 E9                  mov      r4, #E922h
0x0002E780: (+34 )  E6 F5 82 00                  mov      r5, #0082h
0x0002E784: (+38 )  F6 F4 32 E2                  mov      word_E232, r4
0x0002E788: (+42 )  F6 F5 34 E2                  mov      word_E234, r5
0x0002E78C: (+46 )  DB 00                        rets

0x0002E78E: (+48 )  88 60                        mov      [-r0], r6
0x0002E790: (+50 )  E6 F4 86 2B                  mov      r4, #2B86h
0x0002E794: (+54 )  E6 F5 00 00                  mov      r5, #0
0x0002E798: (+58 )  F6 F4 B2 E1                  mov      word_E1B2, r4
***
Idx=1   { 185392.001              } 0x101ae : VMECUHN [Vehicle Manufacturer ECU Hardware Number SKU]
Idx=2   { 0261204841              } 0x10198 : SSECUHN [Bosch Hardware Number]
Idx=4   { 0000000000              } 0x101a3 : SSECUSN [Bosch Serial Number]
Idx=6   { F131 EU 3 c.m.          } 0x10184 : EROTAN  [Model Description]
Idx=8   { R.BOSCH001              } 0x19b84 : TESTID
Idx=10  { 069117/15L501M2         } 0x10174 : DIF
Idx=11  { 0691175H                } 0x1016b : BRIF

>>> Scanning for EPK information [info]

found needle at offset=0x27902.
EPK: @ 0x10029 { /1/ME7.3/69/117/F131_US//15l50sm2/080501/ }

-[ SeedKey Security Access ]-------------------------------------------------------------

>>> Scanning for SecurityAccessBypass() Variant #1 Checking sub-routine [allow any login seed to pass]
Found at offset=0x4746. Patch at +(0x5d) +93, 0x04 (ret=0, login failed) goes to 0x14 (ret=1, login success)
0x00004746: (+0  )  88 C0                        mov      [-r0], r12
0x00004748: (+2  )  88 90                        mov      [-r0], r9
0x0000474A: (+4  )  88 80                        mov      [-r0], r8
0x0000474C: (+6  )  88 70                        mov      [-r0], r7
0x0000474E: (+8  )  88 60                        mov      [-r0], r6
0x00004750: (+10 )  F0 7D                        mov      r7, r13
0x00004752: (+12 )  F0 8E                        mov      r8, r14
0x00004754: (+14 )  F0 9F                        mov      r9, r15
0x00004756: (+16 )  07 FE 23 00                  addb     rl7, #0023h
0x0000475A: (+20 )  47 FE 23 00                  cmpb     rl7, #0023h
0x0000475E: (+24 )  9D 02                        jmpr     cc_NC, loc_4764

0x00004760: (+26 )  E7 FE FF 00                  movb     rl7, #00FFh
0x00004764: (+30 )  E1 0C                        movb     rl6, #0
0x00004766: (+32 )  0D 12                        jmpr     cc_UC, loc_478C

0x00004768: (+34 )  46 F9 00 80                  cmp      r9, #8000h
0x0000476C: (+38 )  3D 01                        jmpr     cc_NZ, loc_4770

0x0000476E: (+40 )  48 80                        cmp      r8, #0
0x00004770: (+42 )  8D 0A                        jmpr     cc_C, loc_4786

0x00004772: (+44 )  F4 80 08 00                  movb     rl4, [r0+8]
0x00004776: (+48 )  C0 8C                        movbz    r12, rl4
0x00004778: (+50 )  F0 D8                        mov      r13, r8
0x0000477A: (+52 )  F0 E9                        mov      r14, r9
0x0000477C: (+54 )  DA 00 90 60                  calls    0h, loc_6090

0x00004780: (+58 )  F0 84                        mov      r8, r4
0x00004782: (+60 )  F0 95                        mov      r9, r5
0x00004784: (+62 )  0D 02                        jmpr     cc_UC, loc_478A

0x00004786: (+64 )  00 88                        add      r8, r8
0x00004788: (+66 )  10 99                        addc     r9, r9
0x0000478A: (+68 )  09 C1                        addb     rl6, #1
0x0000478C: (+70 )  41 CE                        cmpb     rl6, rl7
0x0000478E: (+72 )  8D EC                        jmpr     cc_C, loc_4968

0x00004790: (+74 )  D4 40 0A 00                  mov      r4, [r0+0Ah]
0x00004794: (+78 )  D4 50 0C 00                  mov      r5, [r0+0Ch]
0x00004798: (+82 )  20 48                        sub      r4, r8
0x0000479A: (+84 )  30 59                        subc     r5, r9
0x0000479C: (+86 )  3D 02                        jmpr     cc_NZ, loc_47A2
0x0000479E: (+88 )  E0 14                        mov      r4, #1
0x000047A0: (+90 )  0D 01                        jmpr     cc_UC, loc_47A4

0x000047A2: (+92 )  E0 04                        mov      r4, #0
0x000047A4: (+94 )  98 60                        mov      r6, [r0+]
0x000047A6: (+96 )  98 70                        mov      r7, [r0+]
0x000047A8: (+98 )  98 80                        mov      r8, [r0+]
0x000047AA: (+100)  98 90                        mov      r9, [r0+]
0x000047AC: (+102)  08 02                        add      r0, #2
0x000047AE: (+104)  DB 00                        rets
... cut ... cut ...
Logged
pectel
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 3


« Reply #23 on: October 24, 2018, 03:52:51 PM »

looks like i need to nerd up a bit  Grin
lot easier just mapping these ecus.

need to learn fast about reverse engineering.
good work guys  Smiley
Logged
nyet
Administrator
Hero Member
*****

Karma: +607/-168
Offline Offline

Posts: 12268


WWW
« Reply #24 on: October 24, 2018, 05:40:34 PM »

Forget about learning anything about reverse engineering. Start with learning how command line programs work.
Logged

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
pectel
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 3


« Reply #25 on: October 25, 2018, 03:27:20 AM »

I`m trying Smiley
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #26 on: November 20, 2018, 10:09:36 AM »

Just to inform people.

I'm still actively working on this and I can confirm it correctly performs checksum correction on F430 rom dumps as well as Maserati 4200 (which uses ME7.3.2) and a 1Mb rom file...

Another big update coming soon in which I will include a full diagnostics computer in a similar vein to the Ferrari SD2 but for free...
Logged
niijohnnie
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 19


« Reply #27 on: January 14, 2019, 12:58:39 PM »

Thank you 360trev for this great program. I am looking forward to being able to use it.
Currently i get  a 'libgcc_s_dw2-1.dll not found. Windows 10 64bit. attached error snip. Am I doing something wrong
Logged
Blazius
Hero Member
*****

Karma: +89/-40
Offline Offline

Posts: 1282



« Reply #28 on: January 14, 2019, 02:03:29 PM »

Thank you 360trev for this great program. I am looking forward to being able to use it.
Currently i get  a 'libgcc_s_dw2-1.dll not found. Windows 10 64bit. attached error snip. Am I doing something wrong

That DLL is a compiler dll for MinGW. You dont have it, same as me. Solution is to dl it separately https://www.dll-files.com/download/e2ac23418781f632311513944edd0a4c/libgcc_s_dw2-1.dll.html?c=OXpGQkVkRVA0a1R5dUNTYzNDR0RWUT09

And put the dll file next to the exe Smiley
Logged
niijohnnie
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 19


« Reply #29 on: January 15, 2019, 04:37:54 AM »

That DLL is a compiler dll for MinGW. You dont have it, same as me. Solution is to dl it separately https://www.dll-files.com/download/e2ac23418781f632311513944edd0a4c/libgcc_s_dw2-1.dll.html?c=OXpGQkVkRVA0a1R5dUNTYzNDR0RWUT09

And put the dll file next to the exe Smiley
Hahahahaa....simple huh.Thanks. I will try it.

@Blazius...Thanks man. it worked.
« Last Edit: January 15, 2019, 05:43:08 AM by niijohnnie » Logged
Pages: 1 [2] 3 4 5
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.026 seconds with 17 queries. (Pretty URLs adds 0.001s, 0q)