Pages: 1 2 3 [4] 5
Author Topic: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)  (Read 75495 times)
DT
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 184


« Reply #45 on: June 12, 2019, 03:15:54 PM »

I will be releasing a big update soon..

I have re-designed the way my search works now to be more like the way my custom disassembler works. This allows me to automatically mask out physical addresses for given instructions, etc. and therefore compare dumped functions between ecu dumps. This in turn allows rapid discovery of variables for the purposes of logging, etc.
Really nice!
I think I've suggested it before but have you thought about incorporating a points system to be able to get even higher hit count in different files. Like SpamAssassins system. Positive points for a opcode match, negative points if not matching. Sometimes the routine match execept for an additional command or different source/destination register within a very similar routine.
Logged

360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #46 on: June 14, 2019, 07:35:06 AM »

Really nice!
I think I've suggested it before but have you thought about incorporating a points system to be able to get even higher hit count in different files. Like SpamAssassins system. Positive points for a opcode match, negative points if not matching. Sometimes the routine match execept for an additional command or different source/destination register within a very similar routine.

Well yes I actually already mask out the registers anyway from all matches as this is compiler generation specific and not related to pure logic of the original functional C code.

I am sure a points systems could work well and I will invest some time on it, the only concern really is having enough data points in the original signatures for it to make sense. In other words the signatures need to be of given size to make it work well. The idea of looking at number of functional calls and the variables used already gives quite some decent level match, adding a weighting system could help refine it further and make it even better, agreed.

I'd like to re-visit this and re-write it with an opcode API (a bit like the one used in IDA) so I could make it instruction set agnostic. That would be useful then for attacking other later architectures like PowerPC and Infineon TriCore's too.



Logged
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #47 on: June 20, 2019, 06:35:24 AM »

And here is the reverse lookup from the DTC table that I explained was possible earlier...

  0) MATCHED @ 0x0002B572 : DTC idx= 62 (0x3E)     DFPM_DUMMY_D() : (Unsupported) Lambda Probe Aging TP
  1) MATCHED @ 0x0002B572 : DTC idx= 63 (0x3F)     DFPM_DUMMY_D() : (Unsupported) Lambda Probe Aging TV
  2) MATCHED @ 0x0002B572 : DTC idx= 98 (0x62)     DFPM_DUMMY_D() : (Unsupported) OBDII Empty Tank Failure
  3) MATCHED @ 0x0002B572 : DTC idx=100 (0x64)     DFPM_DUMMY_D() : (Unsupported) Tank Low Flow Switch Valve (Power Amplifier)
  5) MATCHED @ 0x0002B572 : DTC idx=106 (0x6A)     DFPM_DUMMY_D() : (Unsupported) Engine Oil Temperature
  6) MATCHED @ 0x0002B572 : DTC idx=107 (0x6B)     DFPM_DUMMY_D() : (Unsupported) Ambient (Air) Temperature TUM
  7) MATCHED @ 0x0002C554 : DTC idx= 91 (0x5B)     DFPM_DSLSLRS() : Secondary Air System
  9) MATCHED @ 0x00035A72 : DTC idx=117 (0x75)       DFPM_DVKUP() : Engine Off Request from F1 TCU Failure
 12) MATCHED @ 0x0003809C : DTC idx= 69 (0x45)      DFPM_DMDMIL() : Misfire, Sum Error (Multiple)
 14) MATCHED @ 0x0003CB14 : DTC idx= 79 (0x4F)         DFPM_DDG() : Speed Sensor
 16) MATCHED @ 0x0003D314 : DTC idx= 80 (0x50)       DFPM_DNWKW() : Assignment Camshaft to Crankshaft
 17) MATCHED @ 0x0003D5D8 : DTC idx= 84 (0x54)         DFPM_DPH() : Phase Sensor
 18) MATCHED @ 0x00040000 : DTC idx= 61 (0x3D)      DFPM_DLSAHK() : Lambda Probe aging behind cat.
 19) MATCHED @ 0x000408FA : DTC idx= 48 (0x30)       DFPM_DHLSU() : Lambda Probe Heating 2 before Catalyst
 20) MATCHED @ 0x000408FA : DTC idx= 46 (0x2E)       DFPM_DHLSU() : Lambda probe heater in front of catalyst; (Bank2)
 21) MATCHED @ 0x00042C64 : DTC idx= 67 (0x43)        DFPM_DLSU() : Lambda Probe before Cat
 22) MATCHED @ 0x000431A4 : DTC idx=116 (0x74)        DFPM_DVFZ() : Vehicle Speed
 24) MATCHED @ 0x00044642 : DTC idx= 36 (0x24)       DFPM_GGPED() : Throttle Pedal Poti 1
 25) MATCHED @ 0x000472D2 : DTC idx= 24 (0x18)        DFPM_DDVE_ERR() : DV-E Error Undefined
 26) MATCHED @ 0x00047628 : DTC idx= 19 (0x13)        DFPM_DDVE_FAULT() : DV-E Feather Check Error
 27) MATCHED @ 0x00047628 : DTC idx= 28 (0x1C)        DFPM_DDVE_FAULT() : DV-E Amplifier Matching Error
 28) MATCHED @ 0x00047628 : DTC idx= 20 (0x14)        DFPM_DDVE_FAULT() : DV-E Return Spring Failure
 29) MATCHED @ 0x00047628 : DTC idx= 26 (0x1A)        DFPM_DDVE_FAULT() : DV-E Errors in Motor Driven Throttle
 30) MATCHED @ 0x00047628 : DTC idx= 23 (0x17)        DFPM_DDVE_FAULT() : DV-E Control Range
 33) MATCHED @ 0x0004BE5C : DTC idx= 32 (0x20)       DFPM_DEKON_EV() : EV by Cylinder 1
 34) MATCHED @ 0x0004BE5C : DTC idx= 33 (0x21)       DFPM_DEKON_EV() : EV by Cylinder 2
 35) MATCHED @ 0x0004BE5C : DTC idx= 34 (0x22)       DFPM_DEKON_EV() : EV by Cylinder 3
 39) MATCHED @ 0x0004C2C8 : DTC idx= 44 (0x2C)       DFPM_DEKON_PWR() : Power amplifier heating probe behind cat.
 40) MATCHED @ 0x0004C2C8 : DTC idx= 44 (0x2C)       DFPM_DEKON_PWR() : Power amplifier heating probe behind cat.
 41) MATCHED @ 0x0004C556 : DTC idx= 83 (0x53)       DFPM_DEKON_CAM() : Camshaft Control Valve Power Amplifier
 42) MATCHED @ 0x0004C71C : DTC idx= 94 (0x5E)       DFPM_DEKON_CHG1() : End Stage Suction Tube Changeover
 43) MATCHED @ 0x0004C7A8 : DTC idx= 95 (0x5F)       DFPM_DEKON_CHG2() : Circuit intake manifold Bank 2
 44) MATCHED @ 0x0004CA60 : DTC idx= 88 (0x58)         DFPM_SGA() : Switch Control Selector
 45) MATCHED @ 0x0005117E : DTC idx= 81 (0x51)        DFPM_DNWS() : Camshaft Control
 46) MATCHED @ 0x00051206 : DTC idx= 82 (0x52)        DFPM_DNWS() : Camshaft Control Bank2
 47) MATCHED @ 0x00055E50 : DTC idx= 39 (0x27)        DFPM_DKVS_UPR() : LR-Adaption Upper Multiplicative
 48) MATCHED @ 0x00055E50 : DTC idx= 86 (0x56)        DFPM_DKVS_UPR() : LR adaptation QL additive
 49) MATCHED @ 0x00055F34 : DTC idx= 40 (0x28)        DFPM_DKVS_LWR() : LR Adaption Lower Multiplicative
 50) MATCHED @ 0x00055F34 : DTC idx= 87 (0x57)        DFPM_DKVS_LWR() : LR adaptation ti-additive
 51) MATCHED @ 0x000576B2 : DTC idx= 97 (0x61)       DFPM_GGTFA() : (IAT) Intake Air Temperature Sensor (Airflow Meters)
 52) MATCHED @ 0x00057AA4 : DTC idx=105 (0x69)       DFPM_GGTFM() : Engine Temperature TMOT
 53) MATCHED @ 0x000597BC : DTC idx= 51 (0x33)       DFPM_DTKAT() : Catalyst Temperature
 54) MATCHED @ 0x000597BC : DTC idx= 51 (0x33)       DFPM_DTKAT() : Catalyst Temperature
 55) MATCHED @ 0x000597BC : DTC idx= 51 (0x33)       DFPM_DTKAT() : Catalyst Temperature
 56) MATCHED @ 0x00059AC4 : DTC idx= 49 (0x31)         DFPM_SAK() : Catalyst Protection Active
 57) MATCHED @ 0x0005B414 : DTC idx= 54 (0x36)       DFPM_DKRNT() : Knock Control Null Test
 58) MATCHED @ 0x0005B414 : DTC idx= 55 (0x37)       DFPM_DKRNT() : Knock Control Offset
 59) MATCHED @ 0x0005BD90 : DTC idx= 56 (0x38)       DFPM_DKRTP() : Knock Control Test Pulses
 60) MATCHED @ 0x00064F7C : DTC idx=111 (0x6F)         DFPM_DUF() : Function Monitoring : Safety Fuel Cutoff
 61) MATCHED @ 0x00064F7C : DTC idx=110 (0x6E)         DFPM_DUF() : Function Monitoring : Moment Comparison
 62) MATCHED @ 0x00064F7C : DTC idx=109 (0x6D)         DFPM_DUF() : Function Monitoring : Other ME Data
 63) MATCHED @ 0x00064FEA : DTC idx=111 (0x6F)         DFPM_DUF_CUT() : Function Monitoring : Safety Fuel Cutoff
 64) MATCHED @ 0x0006520A : DTC idx=113 (0x71)         DFPM_DUR() : Computer Monitoring : ROM
 65) MATCHED @ 0x0006A696 : DTC idx= 96 (0x60)       DFPM_BGRBS() : Bad Path Detection Acceleration Sensor
 66) MATCHED @ 0x0006BDAE : DTC idx= 17 (0x11)        DFPM_DDST() : Pressure Sensor Tank
 67) MATCHED @ 0x0006C134 : DTC idx=102 (0x66)       DFPM_DTESK() : Tank Bleeding System Grobleck
 68) MATCHED @ 0x0006C134 : DTC idx=103 (0x67)       DFPM_DTESK() : Tank detoxification system Kleinstleck


Its discovered all of these diagnostic function entry points from the original DTC's. It does this by deriving the ID from the table and then searching for the opcode where the ID calls the DTC function. Once it finds a hit it walks backwards until it finds the start of the function. This makes it very easy (even for DTC's you haven't yet reversed) to lookup their function from workshop manuals or the web and then find the function entry point directly. From this I could now generate a IDC script to use MakeName() on the entries. You could for example use this to automatically label very rapidly all of the DTC functions AND for functions you know their variables in a new rom you've just dumped. That's why this approach is very powerful and rapidly accelerates the reversing of a rom...

 
Logged
Blazius
Hero Member
*****

Karma: +89/-40
Offline Offline

Posts: 1277



« Reply #48 on: June 23, 2019, 03:07:57 PM »

snip
 

You should probably also update the github readme lol, I bet people dont even know you can instafind KRKTE , MLHFM, KFPED , LAMFA in any bin and others , instantly because the github readme is not updated  Tongue
Logged
vwaudiguy
Hero Member
*****

Karma: +53/-37
Offline Offline

Posts: 2024



« Reply #49 on: September 10, 2019, 09:05:25 PM »

test.bin is in the same directory as the .exe

├╛ Opening 'test.bin' file

Can't open file "test.bin".
Failed to load, result = -1
Nothing to free

Halp? Smiley

Logged

"If you have a chinese turbo, that you are worried is going to blow up when you floor it, then LOL."
mdccode5150
Full Member
***

Karma: +11/-4
Offline Offline

Posts: 122


« Reply #50 on: September 08, 2020, 11:18:27 PM »

I have been banging my head on figuring out object oriented programming without a formal education, and have concluded that I'm not that smart LOL. I have to say I admire the fact that you have stayed on it for so long.

I do have a question : Are you doing all of this because you don't have an A2L, or DAMOS file?

I have one for The Ferrari 360, The Maserati, SAAB, and Porsche GT3 Hybrid ECU's and some ME7 (I think) C, H etc code. Would this be helpful?
Logged
Blazius
Hero Member
*****

Karma: +89/-40
Offline Offline

Posts: 1277



« Reply #51 on: April 10, 2021, 05:08:27 PM »

I will be releasing a big update soon..

I have re-designed the way my search works now to be more like the way my custom disassembler works. This allows me to automatically mask out physical addresses for given instructions, etc. and therefore compare dumped functions between ecu dumps. This in turn allows rapid discovery of variables for the purposes of logging, etc.

Another big advantage is I was able to ignore the differences between a 512Kbyte compiled function and a 1Mb compiled function in that the extX (e.g. extp etc.) instructions used to get access to larger address space can be ignored in both the needles and the rom code being searched through as part of a 'fuzzy logic' based search. The net result is that even functions compiled for a 512Kbyte rom file can be discovered on a larger address space rom like a 1Mb one without having to have unique signatures for each different variation just because a few differences existed due to the way the compiler addresses memory (short vs long memory model). Also going to do the same for a few other instructions too meaning that its technically possible in the future to define signatures based on higher level requirements such as finding that a function used variables like 'nmot' and looked up some known table references. Based on this inference you can pretty much auto discover a huge number of functions without requiring tonnes of signatures...

So yes, you could say this works really well!

Watch this space!



Any update on this Trev Smiley?
Logged
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #52 on: April 18, 2021, 04:11:11 PM »

I didn't think people cared about ME7 anymore.. Every time I seemed to post anything related to ME7 it felt like I was getting flamed!

I've done a huge amount actually just never checked anything in to the public repo's (for my ME7 C167 variant) and now i am upgrading it to work on ME9.x (PowerPC) and subsequently MED17.x (Tricore) too. So it will span across all 3 different generations.

The last thing I implement was a reverse KWP2000 protocol analysis and detection feature. It works by looking for the emit code function (return codes) and just from that alone it can work out exactly all the addresses of the individual functions in any ME7 roms.

E.g. Trying it on '8E0910560G  0030 - Stock.bin' rom file from nyet's server...

Code:
Opening 'Release\other_roms\8E0910560G  0030 - Stock.bin' file
Succeeded loading romfile #1 (0x100000 bytes).

SHA-256 of romfile #1: 39427bd5dcd454d197e01deb79e8d0ff4bebcb651ad7283f3faf037ae4e6795d

Loaded Primary ROM in 1Mb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]

Searching for DPPx ..
1) found reference to sig @ byte_offset=0xdb28
2) found reference to sig @ byte_offset=0xd93dc

dpp0: (seg: 0x0204 phy:0x00810000) calibration data segment 0, constants
dpp1: (seg: 0x0205 phy:0x00814000) calibration data segment 1, constants
dpp2: (seg: 0x00e0 phy:0x00380000) external RAM
dpp3: (seg: 0x0003 phy:0x0000c000) Int. RAM, XRAM, SFR

Note: dpp3 is always 3, otherwise accessing Int. RAM, XRAM, SFR is not possible

-[ EEPROM Analysis ]-----------------------------------------------------------------

>>> Scanning for basic EEPROM extraction parameters
EEPROM Number of Pages: 64 (1024 Bytes)
EEPROM Chip Select Pin: P6.3

-[ Basic Firmware information (Primary ROM) ]-----------------------------------

>>> Scanning for ROM String Table Byte Sequence #1 [info]

found kwp2000 needle @ offset:0x00001DF4  (val=0005,seg=0204).
EPK: @ 0x10005 -> 0x10055 (41 bytes) { /1/ME7.1.1/5/C1105B//25F9/L5f9bh3/080807/ }
{
    "rominfo": {
        "SSECUHN": "0261207997",
        "SSECUSN ": "1037392093",
        "DIF": "8E0910560G  ",
        "BRIF": "0030",
        "OTHERID": "4.2L V8\/5V     ",
        "EPK": "\/1\/ME7.1.1\/5\/C1105B\/\/25F9\/L5f9bh3\/080807\/"
    }
}

KWP2000 Service Identifier (SID)
--------------------------------
    The following chart indicates the different ranges of service identifier values, which are defined in
    SAE J1979, Keyword Protocol 2000 or by the vehicle manufacturer.

    SID    Service type                     Described in
    --------------------------------------- ---------------------------------
    00-0F  Request                          SAE J1979
    10-1F  Request (bit 6 = 0)              KWP 2000 Part 3
    20-2F  Request (bit 6 = 0)              KWP 2000 Part 3
    30-3E  Request (bit 6 = 0)              KWP 2000 Part 3
    3F     Not Applicable                   Reserved
    40-4F  Response                         SAE J1979
    50-5F  Positive Response                KWP 2000 Part 3
    60-6F  to Services ($10 - $3E)          KWP 2000 Part 3
    70-7E  (bit 6 = 1)                      KWP 2000 Part 3
    7F     Negative Response                KWP 2000 Part 3
    80     Request 'ESC' - Code             KWP 2000 Part 3
    81-8F  Request (bit 6 = 0)              KWP 2000 Part 2
    90-9F  Request (bit 6 = 0)              Reserved for future exp. as needed
    A0-BF  Request (bit 6 = 0)              Defined by vehicle manufacturer
    C0     Positive Resp. 'ESC' - Code      KWP 2000 Part 3
    C1-CF  Positive Response (bit 6 = 1)    KWP 2000 Part 2
    D0-DF  Positive Response (bit 6 = 1)    Reserved for future exp. as needed
    E0-FF  Positive Response (bit 6 = 1)    Defined by vehicle manufacturer
    --------------------------------------- ---------------------------------

        entrypoint BOOT:00008C8E SID: 0x81 : kwp2000_service_startCommunication_rom()
        entrypoint ROM :00035A76 SID: 0x81 : kwp2000_service_startCommunication_fw()

        entrypoint ROM :00008F14 SID: 0x10 : kwp2000_service_startDiagnosticSession_fw()
        entrypoint ROM :0000B8D2 SID: 0x36 : kwp2000_service_transferData_fw()
        entrypoint ROM :00026878 SID: 0x38 : kwp2000_service_startRoutineByAddress_fw()
        entrypoint ROM :00026896 SID: 0x39 : kwp2000_service_stopRoutineByAddress_fw()
        entrypoint ROM :000268EC SID: 0x3A : kwp2000_service_requestRoutineResultsByAddress_fw()
        entrypoint ROM :00036AA2 SID: 0x27 : kwp2000_service_securityAccess_fw()
        entrypoint ROM :000383F0 SID: 0x2C : kwp2000_service_dynamicallyDefineLocalIdentifier_fw()
        entrypoint ROM :00038A58 SID: 0x23 : kwp2000_service_readMemoryByAddress_fw()
        entrypoint ROM :00038D88 SID: 0x3D : kwp2000_service_writeMemoryByAddress_fw()
        entrypoint ROM :0003923E SID: 0x21 : kwp2000_service_readDataByLocalIdentifier_fw()
        entrypoint ROM :000396EA SID: 0x3B : kwp2000_service_writeDataByLocalIdentifier_fw()
        entrypoint ROM :0003AF80 SID: 0x31 : kwp2000_service_startRoutinebyLocalIdentifier_fw()
        entrypoint ROM :0003CFE0 SID: 0x14 : kwp2000_service_clearDiagnosticsInformation_fw()
        entrypoint ROM :0003D260 SID: 0x18 : kwp2000_service_readDiagnosticTroubleCodesByStatus_fw()
        entrypoint ROM :0003D5A6 SID: 0x12 : kwp2000_service_readFreezeFrameData_fw()
        entrypoint ROM :00008E0E SID: 0x10 : kwp2000_service_startDiagnosticSession_fw()
        entrypoint ROM :000092C2 SID: 0x82 : kwp2000_service_stopCommunication_fw()
        entrypoint ROM :0000957E SID: 0x1A : kwp2000_service_readECUIdentification_fw()
        entrypoint ROM :00009762 SID: 0x27 : kwp2000_service_securityAccess_fw()
        entrypoint ROM :0000A2D2 SID: 0x31 : kwp2000_service_startRoutinebyLocalIdentifier_fw()
        entrypoint ROM :0000A40A SID: 0x33 : kwp2000_service_requestRoutineResultByLocalIdentifier_fw()
        entrypoint ROM :0000A60A SID: 0x34 : kwp2000_service_requestDownload_fw()
        entrypoint ROM :0000A7F6 SID: 0x35 : kwp2000_service_requestUpload_fw()
        entrypoint ROM :0000A992 SID: 0x36 : kwp2000_service_transferData_fw()
        entrypoint ROM :0000AA72 SID: 0x37 : kwp2000_service_requestTransferExit_fw()
        entrypoint ROM :0000BD1E SID: 0x20 : kwp2000_service_stopDiagnosticSession_fw()
        entrypoint ROM :0000BDD0 SID: 0x83 : kwp2000_service_accessTimingParameter_fw()
        entrypoint ROM :00035C2E SID: 0xA0 : kwp2000_service_startCommunicationMcMess_fw()
        entrypoint ROM :00035CDA SID: 0x11 : kwp2000_service_resetECU_fw()
        entrypoint ROM :00038290 SID: 0x21 : kwp2000_service_readDataByLocalIdentifier_fw()
        entrypoint ROM :0003834C SID: 0x3B : kwp2000_service_writeDataByLocalIdentifier_fw()
        entrypoint ROM :00038966 SID: 0x22 : kwp2000_service_readDataByCommonIdentifier_fw()
        entrypoint ROM :0003CE62 SID: 0x32 : kwp2000_service_stopRoutineByLocalIdentifier_fw()
        entrypoint ROM :0003D526 SID: 0x17 : kwp2000_service_readStatusOfDiagnosticTroubleCodes_fw()
        entrypoint ROM :0003DFB8 SID: 0x14 : kwp2000_service_clearDiagnosticsInformation_fw()

ReadDataByLocalIdentifier() : 0x21 @ 038290
Address of subfunc() : 0x0083923E : seg=0x020C)

SEGC            @ ROM:0X83923E RAM:0X81E25E File-Offset:0X3923E (seg=0x020C [segadr=0x830000] val=0x923E)
1) found reference to sig @ byte_offset=0x39298
Note: This firmware doesn't contain a LIT table
Logged
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #53 on: April 18, 2021, 04:12:45 PM »

KWP2000 automatic detection of all the protocol functions in the rom (with full tracing enabled )

Code:
       entrypoint BOOT:00008C8E SID: 0x81 : kwp2000_service_startCommunication_rom()
        entrypoint ROM :00035A76 SID: 0x81 : kwp2000_service_startCommunication_fw()
                (1) found reference to kwp2000_emit() @ byte_offset=0x90d2 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
        entrypoint ROM :00008F14 SID: 0x10 : kwp2000_service_startDiagnosticSession_fw()
                (2) found reference to kwp2000_emit() @ byte_offset=0x912a : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (3) found reference to kwp2000_emit() @ byte_offset=0xba92 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
        entrypoint ROM :0000B8D2 SID: 0x36 : kwp2000_service_transferData_fw()
                (4) found reference to kwp2000_emit() @ byte_offset=0xbaba : fault_id=0x10 <generalReject>
                (5) found reference to kwp2000_emit() @ byte_offset=0x2687c : fault_id=0x11 <serviceNotSupported>
        entrypoint ROM :00026878 SID: 0x38 : kwp2000_service_startRoutineByAddress_fw()
                (6) found reference to kwp2000_emit() @ byte_offset=0x2689a : fault_id=0x11 <serviceNotSupported>
        entrypoint ROM :00026896 SID: 0x39 : kwp2000_service_stopRoutineByAddress_fw()
                (7) found reference to kwp2000_emit() @ byte_offset=0x268f0 : fault_id=0x11 <serviceNotSupported>
        entrypoint ROM :000268EC SID: 0x3A : kwp2000_service_requestRoutineResultsByAddress_fw()
                (8) found reference to kwp2000_emit() @ byte_offset=0x35ed4 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (9) found reference to kwp2000_emit() @ byte_offset=0x36078 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (10) found reference to kwp2000_emit() @ byte_offset=0x36230 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (11) found reference to kwp2000_emit() @ byte_offset=0x36b38 : fault_id=0x37 <requiredTimeDelayNotExpired>
        entrypoint ROM :00036AA2 SID: 0x27 : kwp2000_service_securityAccess_fw()
                (12) found reference to kwp2000_emit() @ byte_offset=0x36c4e : fault_id=0x37 <requiredTimeDelayNotExpired>
                (13) found reference to kwp2000_emit() @ byte_offset=0x36d26 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (14) found reference to kwp2000_emit() @ byte_offset=0x36dfe : fault_id=0x37 <requiredTimeDelayNotExpired>
                (15) found reference to kwp2000_emit() @ byte_offset=0x36ede : fault_id=0x35 <invalidKey>
                (16) found reference to kwp2000_emit() @ byte_offset=0x36fca : fault_id=0x35 <invalidKey>
                (17) found reference to kwp2000_emit() @ byte_offset=0x36fe6 : fault_id=0x37 <requiredTimeDelayNotExpired>
                (18) found reference to kwp2000_emit() @ byte_offset=0x36ffa : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (19) found reference to kwp2000_emit() @ byte_offset=0x3700e : fault_id=0x10 <generalReject>
                (20) found reference to kwp2000_emit() @ byte_offset=0x371f8 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (21) found reference to kwp2000_emit() @ byte_offset=0x3720c : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (22) found reference to kwp2000_emit() @ byte_offset=0x3723e : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (23) found reference to kwp2000_emit() @ byte_offset=0x38910 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
        entrypoint ROM :000383F0 SID: 0x2C : kwp2000_service_dynamicallyDefineLocalIdentifier_fw()
                (24) found reference to kwp2000_emit() @ byte_offset=0x38c5e : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
        entrypoint ROM :00038A58 SID: 0x23 : kwp2000_service_readMemoryByAddress_fw()
                (25) found reference to kwp2000_emit() @ byte_offset=0x38c80 : fault_id=0x21 <busyRepeatRequest>
                (26) found reference to kwp2000_emit() @ byte_offset=0x38d42 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (27) found reference to kwp2000_emit() @ byte_offset=0x38d64 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (28) found reference to kwp2000_emit() @ byte_offset=0x39118 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
        entrypoint ROM :00038D88 SID: 0x3D : kwp2000_service_writeMemoryByAddress_fw()
                (29) found reference to kwp2000_emit() @ byte_offset=0x3913a : fault_id=0x21 <busyRepeatRequest>
                (30) found reference to kwp2000_emit() @ byte_offset=0x391f6 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (31) found reference to kwp2000_emit() @ byte_offset=0x3921a : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (32) found reference to kwp2000_emit() @ byte_offset=0x3927c : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
        entrypoint ROM :0003923E SID: 0x21 : kwp2000_service_readDataByLocalIdentifier_fw()
                (33) found reference to kwp2000_emit() @ byte_offset=0x393ba : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (34) found reference to kwp2000_emit() @ byte_offset=0x39512 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (35) found reference to kwp2000_emit() @ byte_offset=0x396b4 : fault_id=0x10 <generalReject>
                (36) found reference to kwp2000_emit() @ byte_offset=0x396c8 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (37) found reference to kwp2000_emit() @ byte_offset=0x39820 : fault_id=0x10 <generalReject>
        entrypoint ROM :000396EA SID: 0x3B : kwp2000_service_writeDataByLocalIdentifier_fw()
                (38) found reference to kwp2000_emit() @ byte_offset=0x39834 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (39) found reference to kwp2000_emit() @ byte_offset=0x3a60c : fault_id=0x10 <generalReject>
                (40) found reference to kwp2000_emit() @ byte_offset=0x3aa30 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (41) found reference to kwp2000_emit() @ byte_offset=0x3aa5a : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (42) found reference to kwp2000_emit() @ byte_offset=0x3aa96 : fault_id=0x78 <requestCorrectlyReceivedResponsePending>
                (43) found reference to kwp2000_emit() @ byte_offset=0x3aafe : fault_id=0x10 <generalReject>
                (44) found reference to kwp2000_emit() @ byte_offset=0x3abae : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (45) found reference to kwp2000_emit() @ byte_offset=0x3abc2 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (46) found reference to kwp2000_emit() @ byte_offset=0x3abd6 : fault_id=0x10 <generalReject>
                (47) found reference to kwp2000_emit() @ byte_offset=0x3b040 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
        entrypoint ROM :0003AF80 SID: 0x31 : kwp2000_service_startRoutinebyLocalIdentifier_fw()
                (48) found reference to kwp2000_emit() @ byte_offset=0x3b18e : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (49) found reference to kwp2000_emit() @ byte_offset=0x3b1a2 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (50) found reference to kwp2000_emit() @ byte_offset=0x3b2a0 : fault_id=0x31 <requestOutOfRange>
                (51) found reference to kwp2000_emit() @ byte_offset=0x3b2b4 : fault_id=0x31 <requestOutOfRange>
                (52) found reference to kwp2000_emit() @ byte_offset=0x3b2c8 : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
                (53) found reference to kwp2000_emit() @ byte_offset=0x3b33e : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (54) found reference to kwp2000_emit() @ byte_offset=0x3b474 : fault_id=0x12 <subFunctionNotSupported-invalidFormat>
                (55) found reference to kwp2000_emit() @ byte_offset=0x3b5da : fault_id=0x22 <conditionsNotCorrectOrRequestSequenceError>
... cut ...

I've had to cut the output as the generated file far exceeds the size limitations of a post, but you get the idea Smiley

If anyone's interested to kick the tires on this let me know and I'll clean it up and github it..
Logged
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #54 on: April 18, 2021, 04:38:55 PM »

Also worked out a completely rom independent 'generic'  way to detect all the exact locations of the CDxxx booleans used.

For example the CDLSH configuration of secondary o2's for example...
The way it works is a little complicated but its all automated in my tool.

Here's a breakdown summary of how it works...

We search for reference to generic lookup's in the PROKON_ini function, the machine code signature mask with all the rom/compiler specific data removed looks something like "E6FxXXXX,64FxXXXX,C2FxXXXX,68XX".
The PROKON, is "Project Configuration" and its used to extract the boolean bytes out of the calibration area of rom and place them into bit positions in the 'cd_bits1_w' 16-bits variable.


Here we only care to discover address of 'cd_bits1_w' variable itself to ensure we get perfect signature matches on exactly what we want. so ..
e.g.

Code:
0x00022ED2:seg002: (+0   )  E6 F4 FD FF                  mov      rY, #XXXXh
0x00022ED6:seg002: (+4   )  64 F4 32 8D                  and      word_XXXX, rY <--------------- 328D   this finds us "cd_bits1_w"
0x00022EDA:seg002: (+8   )  C2 F4 19 00                  movbz    rY, byte_XXXX
0x00022EDE:seg002: (+12  )  68 41                        and      rY, #XX
0x00022EE0:seg002: (+14  )  2D 04                        jmpr     cc_Y, loc_XXXX

+6 = 328D  ( cw_bits1_w )

After discovering cd_bits1_w, now find start by looking for a reference the CDLSH bit setting. A good generic case is the Secondary Lambda function DLSH_20ms() with cd_bits1_w.
So we mask (substitute **** with 328D which is different in every rom ). Hence why we looked it up in the first step...

--                   
Code:
DLSH_20ms+0    F2 F4 ** **                              mov     r4, cd_bits1_w  ; cd_bits1_w :  [PROKON DDST DHLSHK DIMC DKATLRS DKVS DLSH DLSU DMDLU DSWEC]
DLSH_20ms+4    66 F4 XX XX                              and     r4, #XXXXh      ; bit 4 : B_CDLSH
DLSH_20ms+8    EA .. .. ..                              jmpa    cc_X, locret_XXXX
DLSH_20ms+C    9A .. .. ..                              jnb     XXXX.Y, loc_ZZZZ
DLSH_20ms+10   E0 ..                                    mov     rX, #YY
DLSH_20ms+12   74 .. .. ..                              or      .., rY ; DLSHintbits :  [DLSH]
Here's we are searching for "f2fx****,66fxXXXX,ea20XXXX,9aXXXXXX,e0XX,74FxXXXX"

But first substitute **** for 328D then search for;

So we actually search for "f2fx328d,66fxXXXX,ea20XXXX,9aXXXXXX,e0XX,74FxXXXX"
   
This will match something like ;

Code:
0x0003F0A8:seg003: (+0   )  F2 F4 32 8D                  mov      r4, word_8D32
0x0003F0AC:seg003: (+4   )  66 F4 10 00                  and      r4, #0010h    <-------------- 1000  +6
0x0003F0B0:seg003: (+8   )  EA 20 88 F2                  jmpa     cc_UC, .loc_3F288
0x0003F0B4:seg003: (+12  )  9A 18 03 20                  jnb      word_FD30.2, loc_3F0BE
0x0003F0B8:seg003: (+16  )  E0 14                        mov      r4, #1
0x0003F0BA:seg003: (+18  )  74 F4 18 9B                  or       word_9B18, r4
   
where +6 = 0010h  <-----------
ZZZZ = 0010 (hex value). This is the bit value assigned by PROKON for the CDLSH variable. Again it varies across roms, hence why we are having to do this dance..

This is the bit hex value we now need to discover the address of...

---
So knowing that cd_bits1_w is 328D ,... call it YYYY

Search for the Prokon again but this time to match again to find actual address... but this time with hex value we are interested in, in this case 1000 () which was discovered in the DLSH function...

Code:
PROKON_IniVariablesFromControlWords+198  C2 FX XX XX                             movbz   r4, CDLSH       ; CDLSH : Codewort Sondendiagnose hinter Kat im OBDII-Mode (invers: Europa-Mode) [PROKON]
PROKON_IniVariablesFromControlWords+19C  68 XX                                   and     r4, #1
PROKON_IniVariablesFromControlWords+19E  2D XX                                   jmpr    cc_Z, _not_set
PROKON_IniVariablesFromControlWords+1A0  E6 FX YY YY                             mov     r4, #10h
PROKON_IniVariablesFromControlWords+1A4  74 FX ZZ ZZ                             or      cd_bits1_w, r4  ; cd_bits1_w :  [PROKON DDST DHLSHK DIMC DKATLRS DKVS DLSH DLSU DMDLU DSWEC]
PROKON_IniVariablesFromControlWords+1A8  0D XX                                   jmpr    cc_UC, _prk6
-------------------------------------------------
Search for "C2FxXXXX,68XX,2Dxx,E6FxZZZZ,74FxYYYY"

becomes.. "C2FxXXXX,68XX,2Dxx,E6Fx1000,74Fx328D"

Finally we find the correct entry in PROKON reference...

Code:
PROKON_IniVariablesFromControlWords+198  C2 F4 12 00                             movbz   r4, CDLSH       ; <------------- CDLSH 1200h
PROKON_IniVariablesFromControlWords+19C  68 41                                   and     r4, #1
PROKON_IniVariablesFromControlWords+19E  2D 05                                   jmpr    cc_Z, _prk5
PROKON_IniVariablesFromControlWords+1A0  E6 F4 10 00                             mov     r4, #10h
PROKON_IniVariablesFromControlWords+1A4  74 F4 32 8D                             or      cd_bits1_w, r4  ; cd_bits1_w :  [PROKON DDST DHLSHK DIMC DKATLRS DKVS DLSH DLSU DMDLU DSWEC]
PROKON_IniVariablesFromControlWords+1A8  0D 04                                   jmpr    cc_UC, _prk6
so... at offset +4, i.e. 1200 is CDLSH

0x204 (calibration start segment) * 0x4000 (segment size)
== 0x810000 + CDLSH
== 0x810000 + 0012
== 0x810012

so rom file offset is 0x10012  <=========== final offset to CDLSH in rom file in this specific case.

offset 0x10012 in the file is the boolean for CDLSH, this determines if Codeword for LSH (Secondary O2 is active or not)

It may seem long but it always automatically can discover any of the CDxxx variables if you approach it like this and you never need an original DAMOS / A2L .
Logged
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #55 on: April 18, 2021, 04:41:31 PM »

And here it is running 'in action'...

Code:
-[ PROKON Codewords for Diagnostics (CEL) ]-------------------------------------

>>> Scanning for 'PO2' Post O2 Cat Sensor disable
CDHSH   : From 1 to 0 @ offset=0x10007 : 'O2 Sensor Heating Diagnosis' Downstream of cat (after CAT) (OBDII Mode)
CDHSHE  : From 1 to 0 @ offset=0x10008 : 'O2 Sensor Heating Diagnosis' Downstream of cat (after CAT) (EU-coding)
CDKAT   : From 1 to 0 @ offset=0x1000B : 'Catalyst Diagnosis' (OBDII Mode)
CDLASH  : From 1 to 0 @ offset=0x1000D : 'O2 Sensor Aging Diagnosis' (SHK) (OBDII Mode)
CDLSH   : From 1 to 0 @ offset=0x10012 : 'Readiness' of O2 Sensor downstream of cat (after CAT) (OBDII Mode)

>>> Scanning for CWKONLS [Codeword for configuration of Lambda sensors]

found at offset=0x22d72 CWKONLS @ ADR:0x810020

[Forced PO2 Disable]
                   7 6 5 4 3 2 1 0  bits
                   ---------------
CWKONLS:     0X03  0 0 0 0 0 0 1 1
                   | | | | | | | |
                   | | | | | | | +--- b_lsv       Bit 0 : (Bank 1) Condition [1]. Lambda sensor installed upstream of cat downstream of outlet
                   | | | | | | +----- b_lsh       Bit 1 : (Bank 1) Condition [2]. Lambda sensor installed downstream of cat downstream of outlet
                   | | | | | +------- b_ls3       Bit 2 : (Bank 1) Condition [3]. Lambda sensor installed downstream of outlet
                   | | | | +--------- b_ls4       Bit 3 : (Bank 1) Condition [4]. Lambda sensor installed downstream of outlet
                   | | | +----------- b_lsv2      Bit 4 : (Bank 2) Condition [1]. Lambda sensor installed upstream of cat downstream of outlet
                   | | +------------- b_lsh2      Bit 5 : (Bank 2) Condition [2]. Lambda sensor installed downstream of cat downstream of outlet
                   | +--------------- b_ls32      Bit 6 : (Bank 2) Condition [3]. Lambda sensor installed downstream of outlet
                   +----------------- b_ls42      Bit 7 : (Bank 2) Condition [4]. Lambda sensor installed downstream of outlet

                   7 6 5 4 3 2 1 0  bits
                   ---------------
CWKONLS:     0X01  0 0 0 0 0 0 0 1
                   | | | | | | | |
                   | | | | | | | +--- b_lsv       Bit 0 : (Bank 1) Condition [1]. Lambda sensor installed upstream of cat downstream of outlet
                   | | | | | | +----- b_lsh       Bit 1 : (Bank 1) Condition [2]. Lambda sensor installed downstream of cat downstream of outlet
                   | | | | | +------- b_ls3       Bit 2 : (Bank 1) Condition [3]. Lambda sensor installed downstream of outlet
                   | | | | +--------- b_ls4       Bit 3 : (Bank 1) Condition [4]. Lambda sensor installed downstream of outlet
                   | | | +----------- b_lsv2      Bit 4 : (Bank 2) Condition [1]. Lambda sensor installed upstream of cat downstream of outlet
                   | | +------------- b_lsh2      Bit 5 : (Bank 2) Condition [2]. Lambda sensor installed downstream of cat downstream of outlet
                   | +--------------- b_ls32      Bit 6 : (Bank 2) Condition [3]. Lambda sensor installed downstream of outlet
                   +----------------- b_ls42      Bit 7 : (Bank 2) Condition [4]. Lambda sensor installed downstream of outlet



*before* : val=0x01
*after* .0: state=TRUE  & 01    PROKON_FD02.4  b_lsv  : Condition 1. Lambda sensor installed upstream   of cat (Bank1)
*after* .1: state=false & 02    PROKON_FD02.2  b_lsh  : Condition 2. Lambda sensor installed downstream of cat (Bank1)
*after* .2: state=false & 04    PROKON_FD00.14 b_ls3  : Condition 3. Lambda sensor installed downstream of cat (Bank1)
*after* .3: state=false & 08    PROKON_FD02.0  b_ls4  : Condition 4. Lambda sensor installed downstream of cat (Bank1)
*after* .4: state=false & 10    PROKON_FD02.5  b_lsv2 : Condition 1. Lambda sensor installed upstream   of cat (Bank2)
*after* .5: state=false & 20    PROKON_FD02.3  b_lsh2 : Condition 2. Lambda sensor installed downstream of cat (Bank2)
*after* .6: state=false & 40    PROKON_FD00.15 b_ls32 : Condition 3. Lambda sensor installed downstream of cat (Bank2)
*after* .7: state=false & 80    PROKON_FD02.1  b_ls42 : Condition 4. Lambda sensor installed downstream of cat (Bank2)

---------[ ROM #1 ]----------------------

-[ ESKONF Configuration of power stage (actuators) ]-------------------------------------------

>>> Scanning for ESKONF Lookup code sequence...

found needle at offset=0x58336
*** Deactivating ESKONF_L : LH Rear O2 heater output        ***, orig = 0x33
*** Deactivating ESKONF_L : LH Rear O2 heater output        ***, new  = 0xf3

*** Deactivating ESKONF_R : RH Rear O2 heater output        ***, orig = 0x33
*** Deactivating ESKONF_R : RH Rear O2 heater output        ***, new  = 0xf3
Logged
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #56 on: April 18, 2021, 04:58:06 PM »

And here's the ME9 version (still WIP!) dumping the Errorclass and p-codes table from a Ferrari 458 (PowerPC) rom. I guess people will be more interested when I release my Tricore version Smiley

0) [search=1] All Buffer                Start:00000000 Length:00200000 2048.0 KBytes
        (1) found reference to sig @ byte_offset=0x47CC0

00047CC0: 88 8D AD 66   lbz         r4, -0x529A (r13)             ; +   0 (0x0000)
00047CC4: 3D 80 00 5E   lis         r12, 0x005E                   ; +   4 (0x0004)
00047CC8: 39 8C 90 F3   subi        r12, r12, 0x6F0D              ; +   8 (0x0008)
00047CCC: 3D 60 00 5E   lis         r11, 0x005E                   ; +  12 (0x000C)
00047CD0: 7D 8C 22 14   add         r12, r12, r4                  ; +  16 (0x0010)
00047CD4: 3C 60 00 5E   lis         r3, 0x005E                    ; +  20 (0x0014)
00047CD8: 39 6B A4 38   subi        r11, r11, 0x5BC8              ; +  24 (0x0018)
00047CDC: 7D 44 22 14   add         r10, r4, r4                   ; +  28 (0x001C)
00047CE0: 38 63 93 18   subi        r3, r3, 0x6CE8                ; +  32 (0x0020)
00047CE4: 54 84 18 38   rlwinm      r4, r4, 3, 0, 28              ; +  36 (0x0024)

        CLAAAA: seg=0x1D valu=0x90F3  file-offset=0x1D90F3  phy=0x5D90F3


--(Dumped Error Class Table [548 bytes] )
(001) 0x1D90F3:00 0x1D90F4:00
(002) 0x1D90F5:06 0x1D90F6:06
(003) 0x1D90F7:00 0x1D90F8:00
(004) 0x1D90F9:00 0x1D90FA:06
(005) 0x1D90FB:03 0x1D90FC:03
(006) 0x1D90FD:03 0x1D90FE:03
(007) 0x1D90FF:03 0x1D9100:03
(008) 0x1D9101:03 0x1D9102:03
(009) 0x1D9103:06 0x1D9104:06

.. cut ..

(273) 0x1D9313:03 0x1D9314:03
(274) 0x1D9315:00 0x1D9316:00
--
        CDCAAA: seg=0x1D valu=0x9318  file-offset=0x1D9318  phy=0x5D9318



--(Dumped Fault Code PID Table [4384 bytes] )
1D9318: (001) P0000 P0000 P0000 P0000   P0000 P0000 P0000 P0000   # +   0 (0x0000)
1D9320: (002) P0478 P0477 P0475 P0000   P1460 P1462 P1461 P0000   # +   8 (0x0008)
1D9328: (003) P0000 P0000 P0000 P0000   P0000 P0000 P0000 P0000   # +  16 (0x0010)
1D9330: (004) P0000 P0000 P0000 P0000   P145D P145E P145F P0000   # +  24 (0x0018)
1D9338: (005) P0000 P0000 P0000 P102E   P0000 P0000 P0000 P102F   # +  32 (0x0020)
1D9340: (006) P0000 P0000 P0014 P000B   P0000 P0000 P0024 P000D   # +  40 (0x0028)
1D9348: (007) P1526 P1527 P1528 P0000   P1534 P1535 P1536 P0000   # +  48 (0x0030)
1D9350: (008) P0338 P0000 P0339 P0336   P0388 P0000 P0389 P0386   # +  56 (0x0038)
1D9358: (009) P0000 P0000 P0000 P0571   P0000 P0000 P0000 P1569   # +  64 (0x0040)

.. cut ..

1D9B90: (272) P0000 P0000 P0000 P0000   P0000 P0000 P0000 P0000   # +2168 (0x0878)
1D9B98: (273) P1607 P160C P060A P0000   P1608 P160D P160A P0000   # +2176 (0x0880)
1D9BA0: (274) P0000 P0000 P0000 P0000   P0000 P0000 P0000 P0000   # +2184 (0x0888)
--
        (2) found reference to sig @ byte_offset=0x177A8C

00177A8C: 88 8D AD 66   lbz         r4, -0x529A (r13)             ; +   0 (0x0000)
00177A90: 3D 80 00 5E   lis         r12, 0x005E                   ; +   4 (0x0004)
00177A94: 39 8C 90 F3   subi        r12, r12, 0x6F0D              ; +   8 (0x0008)
00177A98: 3D 60 00 5E   lis         r11, 0x005E                   ; +  12 (0x000C)
00177A9C: 7D 8C 22 14   add         r12, r12, r4                  ; +  16 (0x0010)
00177AA0: 3C 60 00 5E   lis         r3, 0x005E                    ; +  20 (0x0014)
00177AA4: 39 6B A4 38   subi        r11, r11, 0x5BC8              ; +  24 (0x0018)
00177AA8: 7D 44 22 14   add         r10, r4, r4                   ; +  28 (0x001C)
00177AAC: 38 63 93 18   subi        r3, r3, 0x6CE8                ; +  32 (0x0020)
00177AB0: 54 84 18 38   rlwinm      r4, r4, 3, 0, 28              ; +  36 (0x0024)

« Last Edit: April 18, 2021, 05:19:23 PM by 360trev » Logged
IamwhoIam
Hero Member
*****

Karma: +43/-99
Offline Offline

Posts: 1030


« Reply #57 on: April 19, 2021, 03:34:52 AM »

Very nice work, Trev!
Logged

I have no logs because I have a boost gauge (makes things easier)
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #58 on: April 21, 2021, 05:01:47 AM »

Very nice work, Trev!

I'd forgotten just how much I'd done actually. For instance, I just downloaded a random ME7 file for test purposes, in this case '06A906032HN.bin'.
Ran it on it and found 'free' space for code injection purposes (fully automatically)..

SSECUHN      : 0261207440               : systemSupplierECUHardwareNumber
SSECUSN      : 1037360646               : systemSupplierECUSoftwareNumber
DIF          : 06A906032HN              : ..
BRIF         : 0001                     : ..
OTHERID      : 1.8L R4/5VT              : ..

>>> Scanning for McMess EPK String information [info]
found KWP2000 needle @ offset:0x0002374A  (val=0005,seg=0204).
EPK: @ 0x10005 -> 0x10057 (39 bytes) { /1/ME7.5/5/4019.02//24b/Dst01o/210201// }
{
    "readECUIdentification": {
        "SSECUHN": "0261207440",
        "SSECUSN ": "1037360646",
        "DIF": "06A906032HN ",
        "BRIF": "0001",
        "OTHERID": "1.8L R4\/5VT     ",
        "EPK": "\/1\/ME7.5\/5\/4019.02\/\/24b\/Dst01o\/210201\/\/"
    }
}
Serialize readECUIdentification to file 'readECUIdentification.json' ..



-[ Free Space Analysis ]-----------------------------------

Searching for free space in firmware...

 1 ) Unused bytes @ 0x008040 - 0x008318 : length      728 (0x2D8   ) bytes
 2 ) Unused bytes @ 0x009A92 - 0x009DE6 : length      852 (0x354   ) bytes
 3 ) Unused bytes @ 0x00CB34 - 0x00DB00 : length    4,044 (0xFCC   ) bytes
 4 ) Unused bytes @ 0x00DF50 - 0x00F002 : length    4,274 (0x10B2  ) bytes
 5 ) Unused bytes @ 0x00F380 - 0x00FC00 : length    2,176 (0x880   ) bytes
 6 ) Unused bytes @ 0x00FC2E - 0x00FFFE : length      976 (0x3D0   ) bytes
 7 ) Unused bytes @ 0x0202E2 - 0x021B00 : length    6,174 (0x181E  ) bytes
 8 ) Unused bytes @ 0x028ABA - 0x030000 : length   30,022 (0x7546  ) bytes
 9 ) Unused bytes @ 0x032EA0 - 0x033A00 : length    2,912 (0xB60   ) bytes
10 ) Unused bytes @ 0x0A5848 - 0x0FFFE0 : length  370,584 (0x5A798 ) bytes

Discovered 422,742 bytes (412.0 KBytes) unused in firmware [40.3%].

Largest free chunk region : 0xA5848, length  370,584 bytes.

--
Yes easy stuff but useful..

Or how about detecting VSV?

>>> Scanning for ROM VerstellSystem Variables table...

Num of entries: 17
VSV             @ ROM:0X813282 RAM:0X6E32A2 File-Offset:0X13282 (seg=0x0204 [segadr=0x810000] val=0x3282)

 1 ) vszw             | 0x3808A5 | Ignition timing           | 0 KW  | Byte |-96..95.25 KW       | 0.75 KW   | ZUE
 2 ) vsfrk            | 0x38089E | Mixture factor            | 1,0   | Byte | 0.75..1.25         | 0.001953  | ESGRU
 3 ) vsvw             | 0x3808A3 | Advancement angle         | 0 KW  | Byte | -768...762         | 6 KW      | ESVW
 4 ) vsns             | 0x3808A1 | Nominal speed             | 0 RPM | Byte | 0..2550/min        | 10 RPM    | LLRNS
 5 ) vszwkr_0_A       | 0x3808A6 | Ignition timing firing 1  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
 6 ) vszwkr_1_A       | 0x3808A7 | Ignition timing firing 2  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
 7 ) vszwkr_2_A       | 0x3808A8 | Ignition timing firing 3  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
 8 ) vszwkr_3_A       | 0x3808A9 | Ignition timing firing 4  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
 9 ) vszwkr_4_A       | 0x3808AA | Ignition timing firing 5  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
10 ) vszwkr_5_A       | 0x3808AB | Ignition timing firing 6  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
11 ) vszwkr_6_A       | 0x3808AC | Ignition timing firing 7  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
12 ) vszwkr_7_A       | 0x3808AD | Ignition timing firing 8  | 0     | Byte |-96..95.25 KW       | 0.75 KW   | KRRA
13 ) vske             | 0x38089F | Knock detection threshold | 0     | Byte | -8..8              | 0,0627    | KRKE
14 ) vsdmr            | 0x38089C | Torque reserve            | 0 %   | Byte | 0..99.6%           | 0.3906%   | MDKOL
15 ) vsfpses          | 0x38089D | Manifold air pressure     | 1     | Byte | 0..2               | 0,0078    | AES
16 ) vsrlmx           | 0x3808A2 | max.rl for LDR            | 0%    | Byte | rel sb q0p75                   | LDRLMX  ** Note: This is a SY_Turbo=true Application**
17 ) vsldtv           | 0x3808A0 | TV LDR for appl. control  | 0%    | Byte | tv ub q0p64                    | LDTVMA  ** Note: This is a SY_Turbo=true Application**


The list of things it can do is quite extensive these days...

Logged
360trev
Full Member
***

Karma: +66/-2
Offline Offline

Posts: 235


« Reply #59 on: April 21, 2021, 05:18:23 AM »

Or if thats a bit 'meh'... what about this feature? Automated CAN analysis.

Code:
Discovered 1 CAN node transmission function:
        CAN_A @ 0x34280

CAN Signature matches: 24
CAN Receive Ids
------------------------------------------------------------------------------------

can_msgobj[00]: type RX, RxCount= 1 { 0x0316 (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] miist_b  : Indexed engine torque high-pressure phase value
        [ 1    ] mifa_b   : Indexed engine torque driver request
        [ 2    ] mrfa_b   : Relative driver's wish torque from FGR and Pedal
        [ 3    ] mdverl_b : Engine loss moment
        [ 4    ] mimax_b  : Maximum reachable indexed moment
        [ 5    ] mdnorm_b : Maximum indexed engine torque for moment normalization
        [ 6    ] .0 : word_FD4A.11  **FIXME**
                 .1 : word_FD76.12  **FIXME**
                 .2 : word_FD76.8   **FIXME**
                 .3 : word_FD52.14  **FIXME**
                 .4 : word_FD52.11  **FIXME**
                 .5 : word_FD5C.11  **FIXME**
                 .6 : sfpbrems     : Sfpbrems: Status Error Path Brake: Brake Switch
                 .7 : word_FD5C.5   **FIXME**
        [ 7    ] unused
 };
can_msgobj[01]: type RX, RxCount= 1 { 0x0329 (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0- 1 ] mdverl_w: Motor torque loss
        [ 2- 3 ] dmllri_w: Required change in torque from the LLR (I component)
        [ 4    ] unused
        [ 5    ] unused
        [ 6    ] unused
        [ 7    ] unused
 };
can_msgobj[02]: type RX, RxCount= 1 { 0x051F (8) @ CAN_A };
can_msgobj[03]: type RX, RxCount= 1 { 0x034A (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] mist_w    : Indexed engine torque high pressure phase
        [ 1    ] mifa_w    : Indexed engine torque driver request
        [ 2    ] mrfa_w    : Relative driver's wish torque from FGG and pedal
        [ 3    ] mdlover_w : Engine loss moment
        [ 4    ] mimax_w   : Maximum reachable indexed moment
        [ 5    ] mdnorm    : Maximum indexed engine torque for moment normalization
        [ 6    ] _bits_    : Various bits **FIXME**
        [ 7    ] unused
 };
can_msgobj[04]: type RX, RxCount= 1 { 0x037C (8) @ CAN_A };
can_msgobj[05]: type RX, RxCount= 1 { 0x058F (8) @ CAN_A };
can_msgobj[06]: type RX, RxCount= 1 { 0x0153 (8) @ CAN_A        ASR Anti-Slip };
can_msgobj[07]: type RX, RxCount= 1 { 0x0613 (8) @ CAN_A
        *** Dashboard/Body ECU ***
        [ 0    ] unused
        [ 1    ] unused
        [ 2    ] unused
        [ 3    ] tankfst   : Fuel Tank Level
        [ 4    ] unused
        [ 5    ] unused
        [ 6    ] unused
        [ 7    ] unused
 };
can_msgobj[08]: type RX, RxCount= 1 { 0x045F (8) @ CAN_A
        *** Transmission Control Unit (NCR) ***
        [ 0    ] mdnorm
        [ 1    ] mdnorm
        [ 2    ] .0 \
                 .1  + gang_kup       : From F1 gearbox NCR Received current gear (3 bits)
                 .2 /
                 .3 CAN_bits1_FD10.2  : **FIXME**
                 .4 word_FD14.13      : **FIXME**
                 .5 CAN_FLAGS_ERR.5   : **FIXME**
                 .6 word_FD14.15      : **FIXME**
                 .7 CAN_FLAGS_ERR.1   : **FIXME**
        [ 3    ] mdindkuc_w : Indexed engine torque Request from F1 gearbox
        [ 4    ] nsoll_kup  : Setpoint speed from F1 gearbox
        [ 5    ] unused
        [ 6    ] unused
        [ 7    ] .0 CAN_bits2_FD18.6  : **FIXME**
 };
can_msgobj[09]: type RX, RxCount= 1 { 0x05AF (8) @ CAN_A };
can_msgobj[10]: type RX, RxCount= 1 { 0x05CF (8) @ CAN_A        Secondary Air Mass };
can_msgobj[11]: type RX, RxCount= 1 { 0x01F0 (8) @ CAN_A
        *** ABS Wheel Speeds: Message Populated/Generated/Sent by ABS ECU *** ;
        [ 0 -1 ] vrad_vl_w  : Wheel speed Front left
        [ 2 -3 ] vrad_vr_w  : Wheel speed Front right
        [ 4 -5 ] vrad_hl_w  : Wheel speed Rear left
        [ 6 -7 ] vrad_hr_w  : Wheel speed Rear right
 };
can_msgobj[12]: type RX, RxCount= 1 { 0x05BF (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] unused
        [ 1    ] unused
        [ 2    ] unused
        [ 3    ] unused
        [ 4    ] unused
        [ 5    ] _bits_    : Various bits **FIXME**
        [ 6 -7 ] wpedc_w   : Pedal value shared between ME7 ECU's
 };
can_msgobj[13]: type RX, RxCount= 1 { 0x05D5 (8) @ CAN_A };
can_msgobj[14]: Unused
can_msgobj[15]: Unused

CAN Transmit Ids
------------------------------------------------------------------------------------

can_msgobj[00]: type TX, RxCount= 1 { 0x0316 (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] miist_b  : Indexed engine torque high-pressure phase value
        [ 1    ] mifa_b   : Indexed engine torque driver request
        [ 2    ] mrfa_b   : Relative driver's wish torque from FGR and Pedal
        [ 3    ] mdverl_b : Engine loss moment
        [ 4    ] mimax_b  : Maximum reachable indexed moment
        [ 5    ] mdnorm_b : Maximum indexed engine torque for moment normalization
        [ 6    ] .0 : word_FD4A.11  **FIXME**
                 .1 : word_FD76.12  **FIXME**
                 .2 : word_FD76.8   **FIXME**
                 .3 : word_FD52.14  **FIXME**
                 .4 : word_FD52.11  **FIXME**
                 .5 : word_FD5C.11  **FIXME**
                 .6 : sfpbrems     : Sfpbrems: Status Error Path Brake: Brake Switch
                 .7 : word_FD5C.5   **FIXME**
        [ 7    ] unused
 };
can_msgobj[01]: type TX, RxCount= 1 { 0x0329 (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0- 1 ] mdverl_w: Motor torque loss
        [ 2- 3 ] dmllri_w: Required change in torque from the LLR (I component)
        [ 4    ] unused
        [ 5    ] unused
        [ 6    ] unused
        [ 7    ] unused
 };
can_msgobj[02]: type TX, RxCount= 1 { 0x051F (8) @ CAN_A };
can_msgobj[03]: type TX, RxCount= 1 { 0x034A (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] mist_w    : Indexed engine torque high pressure phase
        [ 1    ] mifa_w    : Indexed engine torque driver request
        [ 2    ] mrfa_w    : Relative driver's wish torque from FGG and pedal
        [ 3    ] mdlover_w : Engine loss moment
        [ 4    ] mimax_w   : Maximum reachable indexed moment
        [ 5    ] mdnorm    : Maximum indexed engine torque for moment normalization
        [ 6    ] _bits_    : Various bits **FIXME**
        [ 7    ] unused
 };
can_msgobj[04]: type TX, RxCount= 1 { 0x037C (8) @ CAN_A };
can_msgobj[05]: type TX, RxCount= 1 { 0x058F (8) @ CAN_A };
can_msgobj[06]: Unused
can_msgobj[07]: Unused
can_msgobj[08]: Unused
can_msgobj[09]: type TX, RxCount= 1 { 0x05AF (8) @ CAN_A };
can_msgobj[10]: type TX, RxCount= 1 { 0x05CF (8) @ CAN_A        Secondary Air Mass };
can_msgobj[11]: Unused
can_msgobj[12]: type TX, RxCount= 1 { 0x05BF (8) @ CAN_A
        *** NCM: Message Populated/Generated/Sent between Engine ECUs *** ;
        [ 0    ] unused
        [ 1    ] unused
        [ 2    ] unused
        [ 3    ] unused
        [ 4    ] unused
        [ 5    ] _bits_    : Various bits **FIXME**
        [ 6 -7 ] wpedc_w   : Pedal value shared between ME7 ECU's
 };
can_msgobj[13]: type TX, RxCount= 1 { 0x05D5 (8) @ CAN_A };
can_msgobj[14]: Unused
can_msgobj[15]: Unused
Logged
Pages: 1 2 3 [4] 5
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.041 seconds with 17 queries. (Pretty URLs adds 0s, 0q)