360trev
Full Member
Karma: +68/-2
Posts: 235
« Reply #15 on: September 24, 2018, 03:38:42 AM »
Thanks Nyet, I haven't done enough research on it yet, but why are people referring to absolute addresses in the external RAM range (which is a hardware configuration and NOT the same across all ME7 hardware)? Some of the different ME7 ECU variants (Volvo, Fiat, Lancia etc.) for example don't use the same base addressing for their external RAM layout. Take for instance... 2001.5 Audi S4 8D0907551M 0261207143(1).bin

Opening [b]'2001.5 Audi S4 8D0907551M 0261207143(1).bin'[/b] file Succeded loading file.
Loaded ROM: Tool in 1Mb Mode
-[ DPPx Setup Analysis ]-----------------------------------------------------------------
>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
main rom dppX byte sequence #1 found at offset=0xdc08.
dpp0: (seg: 0x0204 phy:0x00810000)
dpp1: (seg: 0x0205 phy:0x00814000)
[b]dpp2: (seg: 0x00e0 phy:0x00380000) ram start address[/b]
dpp3: (seg: 0x0003 phy:0x0000c000) cpu registers

It has the 0x380000 base address for RAM, vs VOLVO S60R_AUT 2.5L B5254T4 300HP NoCarPartNo 0261208289 30684626A.bin

Opening 'VOLVO S60R_AUT 2.5L B5254T4 300HP NoCarPartNo 0261208289 30684626A.bin' file Succeded loading file.
Loaded ROM: Tool in 1Mb Mode
-[ DPPx Setup Analysis ]-----------------------------------------------------------------
>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
main rom dppX byte sequence #1 found at offset=0x246.
dpp0: (seg: 0x0004 phy:0x00010000)
dpp1: (seg: 0x0005 phy:0x00014000)
[b]dpp2: (seg: 0x00c0 phy:0x00300000) ram start address[/b]
dpp3: (seg: 0x0003 phy:0x0000c000) cpu registers

In this case it actually starts at 0x300000 instead... Why therefore do we hardcode the BASE ADDRESS to $380000? ... when actually the value is determined by the project setup and the configuration of the DPP2 segment register contents in the initial bootstrap. If we search the ROM bootstrap itself (which is how my ME7RomTool does it) it's quite easy to work out the external RAM address by then taking the segment value and multiplying it by a page size of 16Kbytes (0x4000), which funnily enough is exactly how all of the 16-bit opcodes in the machine code refer to the locations, indirectly via the DPP2 register. This affords higher compatibility than hardcoding as we do it today and would yield compatibility with 1Mb ROMs and many other vehicle manufacturers like Fiat etc.; then we could just save relative offsets from the DPP2 base address rather than directly referencing the base address. Like I said, I haven't yet checked if doing this would mean all the RAM defines would line up on different memory maps. However, really it's far better to search for the needles to known functions and pull out all of the RAM variables automatically, thus having certainty that the correct addresses are used. Thoughts?
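The segment-to-physical rule in the post above (DPP segment times the 0x4000 page size, with a 16-bit operand selecting a DPP by its top two bits), as an added Python example that is not part of the original post or of ME7RomTool's own code. The byte pattern for the four `mov DPPn, #imm16` loads follows the `E6 0n lo hi` encoding visible in the disassembly listings later in this thread; the two sample ROM images are constructed here from the segment values quoted above and are not real dumps. The example goes one step beyond the post by showing how the same 16-bit operand resolves to different absolute addresses on the Audi and Volvo layouts, and how a hard-coded absolute converts to a DPP2-relative offset.

```python
import re

PAGE_SIZE = 0x4000  # each DPP selects one 16 KB page of the C16x 16 MB address space

# Encoding assumed here (C166/ST10 'mov reg, #data16'): E6 rr lo hi, where the
# 8-bit short address rr of DPP0..DPP3 is 00..03. The bootstrap loads all four
# back to back, exactly as in the listings quoted in this thread.
_DPP_INIT = re.compile(
    rb"\xE6\x00(..)\xE6\x01(..)\xE6\x02(..)\xE6\x03(..)", re.DOTALL)


def find_dpp_setup(rom: bytes) -> dict:
    """Locate the bootstrap's four 'mov DPPn, #imm16' and return the file
    offset, the four segment values and the physical page base of each."""
    m = _DPP_INIT.search(rom)
    if m is None:
        raise ValueError("DPPx setup sequence not found in ROM")
    segs = [int.from_bytes(g, "little") for g in m.groups()]
    if segs[3] != 3:  # the CPU register area (0xC000..0xFFFF) must stay reachable
        raise ValueError("DPP3 != 3, not a sane ME7 bootstrap")
    return {"offset": m.start(), "seg": segs,
            "phys": [s * PAGE_SIZE for s in segs]}


def dpp_to_phys(addr16: int, segs: list) -> int:
    """Translate a 16-bit data operand the way the CPU does: bits 15..14 pick
    DPPn, the low 14 bits are the offset inside that 16 KB page."""
    return segs[addr16 >> 14] * PAGE_SIZE + (addr16 & 0x3FFF)


def phys_to_dpp2_rel(phys: int, segs: list) -> int:
    """Offset of an external-RAM variable from the DPP2 base, i.e. the
    portable number a definitions file could store instead of an absolute."""
    rel = phys - segs[2] * PAGE_SIZE
    if not 0 <= rel < PAGE_SIZE:
        raise ValueError(f"0x{phys:06X} is not inside the DPP2 page")
    return rel


def _make_rom(segs, pad: int) -> bytes:
    """Constructed stand-in for a ROM image: filler, then the four DPP loads."""
    init = b"".join(b"\xE6" + bytes([n]) + s.to_bytes(2, "little")
                    for n, s in enumerate(segs))
    return bytes(pad) + init + bytes(0x20)


# Constructed sample ROMs using the segment values quoted in the post
# (Audi S4: dpp2 = 0xE0 -> 0x380000, Volvo S60R: dpp2 = 0xC0 -> 0x300000).
AUDI_ROM = _make_rom([0x0204, 0x0205, 0x00E0, 0x0003], pad=0x40)
VOLVO_ROM = _make_rom([0x0004, 0x0005, 0x00C0, 0x0003], pad=0x80)


def demo() -> dict:
    audi, volvo = find_dpp_setup(AUDI_ROM), find_dpp_setup(VOLVO_ROM)
    # A 16-bit operand with bits 15..14 == 2 goes through DPP2: same opcode
    # bytes in both ROMs, different absolute address on the two ECUs.
    operand = 0x8010
    return {
        "audi_dpp2": audi["phys"][2],
        "volvo_dpp2": volvo["phys"][2],
        "audi_abs": dpp_to_phys(operand, audi["seg"]),
        "volvo_abs": dpp_to_phys(operand, volvo["seg"]),
        # a hard-coded Audi absolute (hypothetical variable), made DPP2-relative
        "rel": phys_to_dpp2_rel(0x3800C0, audi["seg"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>10}: 0x{v:06X}")
```

The DPP3 check mirrors the tool's own note that DPP3 must be 3; a bootstrap that fails it is either not an ME7 image or the pattern matched something that is not the DPP setup, and in both cases every RAM address derived from it would be wrong.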
nyet
« Reply #16 on: September 24, 2018, 08:04:30 AM »
No reason other than historic. But we don't have the source to ME7L to change it to accept a base and an offset for each location, so at minimum, the absolute addresses will have to be added before generating ME7L ecu files.
Alternately, we do have enough info to build an entire logger from scratch, but it is unlikely enough people are around to do the work.
IMO that is the only thing you're up against right now...
ME7.1 tuning guide | ECUx Plot | ME7Sum checksum | Trim heatmap tool
Please do not ask me for tunes. I'm here to help people make their own. Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
pc1010
Newbie
Karma: +0/-0
Posts: 13
« Reply #17 on: October 17, 2018, 01:04:48 PM »
Are there any plans to add support for the 832KB file size of ST10-based ME7 variants? That would be the first software to offer that.
360trev
Full Member
Karma: +68/-2
Posts: 235
« Reply #18 on: October 22, 2018, 01:48:09 AM »
Send me some links to a few ROMs (and ideally a definitions file of some locations to get me started) and I can take a look. For what vehicles are you talking about, btw?
Oh, and the latest update now includes a first cut (80% done) C16x disassembler built in (as always, full sources included on the github)..
pectel
Newbie
Karma: +0/-0
Posts: 3
« Reply #19 on: October 22, 2018, 03:23:07 PM »
Hiya, new here :) Trying to get this tool to work but it just flashes fast and vanishes, trying to find a function in a BMW X5 ECU.
nyet
« Reply #20 on: October 22, 2018, 06:38:06 PM »
Quote from: pectel
Hiya, new here :) Trying to get this tool to work but it just flashes fast and vanishes, trying to find a function in a BMW X5 ECU.

It's a command line program.
360trev
Full Member
Karma: +68/-2
Posts: 235
« Reply #21 on: October 23, 2018, 08:09:27 AM »
Quote from: pectel
Hiya, new here :) Trying to get this tool to work but it just flashes fast and vanishes, trying to find a function in a BMW X5 ECU.

As Nyet stated, the core functions run from the command line today during initial development. I will build it with a full featured GUI at a later date. For now you need to use it from the command line. I'm currently in the process of making the disassembler fully featured so that it can also help identify variables in the disassembly listings (i.e. support for segments), plus completion of the last few unsupported commands. This is significant as I will parse the entire ROM during initial loading in preparation for function discovery followed by variable discovery. I can then generate XDFs, DAMOS, etc., basically whatever format I wish...
360trev
Full Member
Karma: +68/-2
Posts: 235
« Reply #22 on: October 23, 2018, 08:13:58 AM »
For instance...

me7romtool.exe -romfile LEFT_Eddie_2004_360Spider_EU.bin -seedkey -diss

Ferrari 360 ME7.3H4 Rom Tool. *BETA TEST* Last Built: Oct 17 2018 12:51:49 v1.6 by 360trev.
Needle lookup function borrowed from nyet (Thanks man!) from the ME7sum tool development (see github).
..Now fixed and working on 64-bit hosts, Linux, Apple and Android devices ;)

Opening 'LEFT_Eddie_2004_360Spider_EU.bin' file Succeded loading file.
Loaded ROM: Tool in 512Kb Mode
-[ DPPx Setup Analysis ]-----------------------------------------------------------------
>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
0x000064A6: (+0  ) E6 00 00 00   mov DPP0, #0
0x000064AA: (+4  ) E6 01 05 02   mov DPP1, #0205h
0x000064AE: (+8  ) E6 02 E0 00   mov DPP2, #00E0h
0x000064B2: (+12 ) E6 03 03 00   mov DPP3, #3
***
main rom dppX byte sequence #1 found at offset=0x64a6.
dpp0: (seg: 0x0000 phy:0x00000000)
dpp1: (seg: 0x0205 phy:0x00814000)
dpp2: (seg: 0x00e0 phy:0x00380000) ram start address
dpp3: (seg: 0x0003 phy:0x0000c000) cpu registers
Note: dpp3 is always 3, otherwise accessing CPU register area not possible
-[ Basic Firmware information ]-----------------------------------------------------------------
>>> Scanning for ROM String Table Byte Sequence #1 [info]
found needle at offset=0x2e75e found table at offset=00019B90.
0x0002E75E: (+0  ) F6 F4 42 E2   mov word_E242, r4
0x0002E762: (+4  ) F6 F5 44 E2   mov word_E244, r5
0x0002E766: (+8  ) 9A 23 05 E0   jnb word_FD46.14, loc_2E774
0x0002E76A: (+12 ) E7 F8 11 00   movb rl4, #0011h
0x0002E76E: (+16 ) F7 F8 0A E2   movb byte_E20A, rl4
0x0002E772: (+20 ) 0D 04         jmpr cc_UC, loc_2E77C
0x0002E774: (+22 ) E7 F8 14 00   movb rl4, #0014h
0x0002E778: (+26 ) F7 F8 0A E2   movb byte_E20A, rl4
0x0002E77C: (+30 ) E6 F4 22 E9   mov r4, #E922h
0x0002E780: (+34 ) E6 F5 82 00   mov r5, #0082h
0x0002E784: (+38 ) F6 F4 32 E2   mov word_E232, r4
0x0002E788: (+42 ) F6 F5 34 E2   mov word_E234, r5
0x0002E78C: (+46 ) DB 00         rets
0x0002E78E: (+48 ) 88 60         mov [-r0], r6
0x0002E790: (+50 ) E6 F4 86 2B   mov r4, #2B86h
0x0002E794: (+54 ) E6 F5 00 00   mov r5, #0
0x0002E798: (+58 ) F6 F4 B2 E1   mov word_E1B2, r4
***
Idx=1  { 185392.001 }      0x101ae : VMECUHN [Vehicle Manufacturer ECU Hardware Number SKU]
Idx=2  { 0261204841 }      0x10198 : SSECUHN [Bosch Hardware Number]
Idx=4  { 0000000000 }      0x101a3 : SSECUSN [Bosch Serial Number]
Idx=6  { F131 EU 3 c.m. }  0x10184 : EROTAN  [Model Description]
Idx=8  { R.BOSCH001 }      0x19b84 : TESTID
Idx=10 { 069117/15L501M2 } 0x10174 : DIF
Idx=11 { 0691175H }        0x1016b : BRIF
>>> Scanning for EPK information [info]
found needle at offset=0x27902.
EPK: @ 0x10029 { /1/ME7.3/69/117/F131_US//15l50sm2/080501/ }
-[ SeedKey Security Access ]-------------------------------------------------------------
>>> Scanning for SecurityAccessBypass() Variant #1 Checking sub-routine [allow any login seed to pass]
Found at offset=0x4746. Patch at +(0x5d) +93, 0x04 (ret=0, login failed) goes to 0x14 (ret=1, login success)
0x00004746: (+0  ) 88 C0         mov [-r0], r12
0x00004748: (+2  ) 88 90         mov [-r0], r9
0x0000474A: (+4  ) 88 80         mov [-r0], r8
0x0000474C: (+6  ) 88 70         mov [-r0], r7
0x0000474E: (+8  ) 88 60         mov [-r0], r6
0x00004750: (+10 ) F0 7D         mov r7, r13
0x00004752: (+12 ) F0 8E         mov r8, r14
0x00004754: (+14 ) F0 9F         mov r9, r15
0x00004756: (+16 ) 07 FE 23 00   addb rl7, #0023h
0x0000475A: (+20 ) 47 FE 23 00   cmpb rl7, #0023h
0x0000475E: (+24 ) 9D 02         jmpr cc_NC, loc_4764
0x00004760: (+26 ) E7 FE FF 00   movb rl7, #00FFh
0x00004764: (+30 ) E1 0C         movb rl6, #0
0x00004766: (+32 ) 0D 12         jmpr cc_UC, loc_478C
0x00004768: (+34 ) 46 F9 00 80   cmp r9, #8000h
0x0000476C: (+38 ) 3D 01         jmpr cc_NZ, loc_4770
0x0000476E: (+40 ) 48 80         cmp r8, #0
0x00004770: (+42 ) 8D 0A         jmpr cc_C, loc_4786
0x00004772: (+44 ) F4 80 08 00   movb rl4, [r0+8]
0x00004776: (+48 ) C0 8C         movbz r12, rl4
0x00004778: (+50 ) F0 D8         mov r13, r8
0x0000477A: (+52 ) F0 E9         mov r14, r9
0x0000477C: (+54 ) DA 00 90 60   calls 0h, loc_6090
0x00004780: (+58 ) F0 84         mov r8, r4
0x00004782: (+60 ) F0 95         mov r9, r5
0x00004784: (+62 ) 0D 02         jmpr cc_UC, loc_478A
0x00004786: (+64 ) 00 88         add r8, r8
0x00004788: (+66 ) 10 99         addc r9, r9
0x0000478A: (+68 ) 09 C1         addb rl6, #1
0x0000478C: (+70 ) 41 CE         cmpb rl6, rl7
0x0000478E: (+72 ) 8D EC         jmpr cc_C, loc_4968
0x00004790: (+74 ) D4 40 0A 00   mov r4, [r0+0Ah]
0x00004794: (+78 ) D4 50 0C 00   mov r5, [r0+0Ch]
0x00004798: (+82 ) 20 48         sub r4, r8
0x0000479A: (+84 ) 30 59         subc r5, r9
0x0000479C: (+86 ) 3D 02         jmpr cc_NZ, loc_47A2
0x0000479E: (+88 ) E0 14         mov r4, #1
0x000047A0: (+90 ) 0D 01         jmpr cc_UC, loc_47A4
0x000047A2: (+92 ) E0 04         mov r4, #0
0x000047A4: (+94 ) 98 60         mov r6, [r0+]
0x000047A6: (+96 ) 98 70         mov r7, [r0+]
0x000047A8: (+98 ) 98 80         mov r8, [r0+]
0x000047AA: (+100) 98 90         mov r9, [r0+]
0x000047AC: (+102) 08 02         add r0, #2
0x000047AE: (+104) DB 00         rets
... cut ... cut ...
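The needle-and-mask lookup and the one-byte patch that the `-seedkey` output above describes, as an added Python example that is not ME7RomTool's or ME7sum's own code. The sample image is constructed here from the bytes of the listed routine placed at offset 0x4746 in an otherwise empty buffer; the needle, the mask and the decode of `mov Rn, #data4` (opcode E0 followed by data4 in the high nibble and the register number in the low nibble, which is why changing 0x04 to 0x14 turns `mov r4, #0` into `mov r4, #1`) are assumptions based on that listing, not the tool's own tables. The point of the example is the check a practitioner would want before writing anything: confirm that both return sites at +88 and +92 decode as the expected instructions, and refuse to patch an image that is already patched.

```python
# Bytes of the routine exactly as listed above (0x4746..0x47AF), placed at the
# same offset inside a constructed, otherwise zero-filled 0x4800-byte image.
_ROUTINE_HEX = (
    "88C0 8890 8880 8870 8860 F07D F08E F09F 07FE2300 47FE2300 9D02 E7FEFF00"
    " E10C 0D12 46F90080 3D01 4880 8D0A F4800800 C08C F0D8 F0E9 DA009060"
    " F084 F095 0D02 0088 1099 09C1 41CE 8DEC D4400A00 D4500C00 2048 3059"
    " 3D02 E014 0D01 E004 9860 9870 9880 9890 0802 DB00"
)
ROUTINE = bytes.fromhex(_ROUTINE_HEX)
ROUTINE_OFFSET = 0x4746
SAMPLE_ROM = (bytes(ROUTINE_OFFSET) + ROUTINE
              + bytes(0x4800 - ROUTINE_OFFSET - len(ROUTINE)))

# Needle/mask in the ME7sum style: mask 0xFF = byte must match, 0x00 = wildcard.
# Assumed needle: the prologue's five pushes and three register moves with the
# register operand bytes wildcarded, then 'addb/cmpb rl7, #imm' with the
# immediates wildcarded.
NEEDLE = bytes.fromhex("88C0 8890 8880 8870 8860 F07D F08E F09F 07FE2300 47FE2300")
MASK = bytes.fromhex("FF00 FF00 FF00 FF00 FF00 FF00 FF00 FF00 FFFF0000 FFFF0000")

RET_OK_OFF = 0x58    # +88: mov r4, #1  (login success)
RET_FAIL_OFF = 0x5C  # +92: mov r4, #0  (login failed); its immediate is at +0x5D


def find_needle(rom: bytes, needle: bytes, mask: bytes) -> list:
    """Return every offset where rom matches needle under mask."""
    if len(needle) != len(mask):
        raise ValueError("needle and mask must have the same length")
    n = len(needle)
    return [i for i in range(len(rom) - n + 1)
            if all(((rom[i + j] ^ needle[j]) & mask[j]) == 0 for j in range(n))]


def decode_mov_rn_data4(ins) -> tuple:
    """'mov Rn, #data4' is E0 followed by (data4 << 4 | n); returns (data4, n),
    or None if the two bytes are not that instruction."""
    if len(ins) < 2 or ins[0] != 0xE0:
        return None
    return ins[1] >> 4, ins[1] & 0x0F


def patch_security_access(rom: bytearray, fn: int) -> int:
    """Verify both return sites of the routine at fn, then turn the 'login
    failed' return into 'login success'. Returns the offset of the patched byte."""
    ok = decode_mov_rn_data4(rom[fn + RET_OK_OFF:fn + RET_OK_OFF + 2])
    fail = decode_mov_rn_data4(rom[fn + RET_FAIL_OFF:fn + RET_FAIL_OFF + 2])
    if ok != (1, 4) or fail != (0, 4):
        raise ValueError(f"routine at 0x{fn:X}: unexpected return sites "
                         f"(ok={ok}, fail={fail}); refusing to patch")
    rom[fn + RET_FAIL_OFF + 1] = (1 << 4) | 4  # E0 04 -> E0 14, i.e. mov r4, #1
    return fn + RET_FAIL_OFF + 1


def demo() -> dict:
    fn = find_needle(SAMPLE_ROM, NEEDLE, MASK)[0]
    work = bytearray(SAMPLE_ROM)
    patched_at = patch_security_access(work, fn)
    try:  # a second run must not touch an already patched image
        patch_security_access(work, fn)
        rejected = False
    except ValueError:
        rejected = True
    return {"fn": fn, "patched_at": patched_at,
            "before": SAMPLE_ROM[fn + RET_FAIL_OFF:fn + RET_FAIL_OFF + 2],
            "after": bytes(work[fn + RET_FAIL_OFF:fn + RET_FAIL_OFF + 2]),
            "second_attempt_rejected": rejected}


if __name__ == "__main__":
    d = demo()
    print(f"routine at 0x{d['fn']:X}, patched byte at 0x{d['patched_at']:X}: "
          f"{d['before'].hex()} -> {d['after'].hex()}")
```

An image modified this way no longer passes its checksums, so on a real ROM the tool's checksum correction (mentioned later in this thread) has to run after the patch and before anything is flashed.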
pectel
Newbie
Karma: +0/-0
Posts: 3
« Reply #23 on: October 24, 2018, 03:52:51 PM »
Looks like I need to nerd up a bit, a lot easier just mapping these ECUs. Need to learn fast about reverse engineering. Good work guys.
nyet
« Reply #24 on: October 24, 2018, 05:40:34 PM »
Forget about learning anything about reverse engineering. Start with learning how command line programs work.
pectel
Newbie
Karma: +0/-0
Posts: 3
« Reply #25 on: October 25, 2018, 03:27:20 AM »
I'm trying.
360trev
Full Member
Karma: +68/-2
Posts: 235
« Reply #26 on: November 20, 2018, 10:09:36 AM »
Just to inform people.
I'm still actively working on this and I can confirm it correctly performs checksum correction on F430 rom dumps as well as Maserati 4200 (which uses ME7.3.2) and a 1Mb rom file...
Another big update coming soon in which I will include a full diagnostics computer in a similar vein to the Ferrari SD2 but for free...
niijohnnie
Newbie
Karma: +0/-0
Posts: 19
« Reply #27 on: January 14, 2019, 12:58:39 PM »
Thank you 360trev for this great program. I am looking forward to being able to use it. Currently I get a 'libgcc_s_dw2-1.dll not found' error on Windows 10 64-bit (attached error snip). Am I doing something wrong?
niijohnnie
Newbie
Karma: +0/-0
Posts: 19
« Reply #29 on: January 15, 2019, 04:37:54 AM »
Hahahahaa.... simple, huh. Thanks, I will try it. @Blazius... Thanks man, it worked.
« Last Edit: January 15, 2019, 05:43:08 AM by niijohnnie »