The Boschme7 plugin is helpful

I think i found something
-Could be this function to set MIL on/off?
-If it is, how to find in flash when ECU call this routine?
-Next step will be to bypass it, and make my own function for MIL?

Thank you very much. You gave me a lot of homework.

I am just curios, Is this file generated by some script, beacuse I have one tune from US tuner and functions are similar.

I don't know I just loaded bin in IDa, set procesor to C167 and that it is.

About script and plugins, I still didn't find way how to load them, install, use or whatsoever.  I have IDA 5.5 maybe that is a problem?

Aight. Here is how I do it.

1. Download the pack of scripts and stuff I included, since you already have Andy's plugin install I didnt include that.
2. Check what CPU you have if you dont know, just use the included CPU rom which is the most generic one.
3. Open loadbin_idaq autoit script , ofcourse you need autoit installed. Then start IDA, this script is for the idaq with the new qt stuff, instead of idag.exe which is an older version I am not sure which one is 5.5.

Click on Go, "work on your own", click load rom in the script -> select the cpu bin. It will automatically set the processor, set the segments such as IRAM and RAM.  After click load flash , which will be your binary file that you wanna disassemble.

4.Go to file-> Run script -> select import.ecu file script. Ofcourse you should generate an ECU file for your binary if you dont have an a2l , if you do you can load the a2l instead using a different script from prj's helper scripts. Find your .ecu file, it should load, then click on OK to load them. I like to save and restart at this point.

5. Open IDA, start up the project which you just created, then go to Edit-Plugins-BoschME7 plugin , Andy's plugin which you should have installed properly. Select all boxes except the 2 at the top, so it does not mess up your project. Let it do its thing ofcourse. Save again.

6.Open loadbin autoit script again, then start IDA, open your project. Go to File->Run script, select processrom.py, then at the bottom in the console type processrom(0x80000, 0x8FFFFF) this process the flash again.

7.Navigate to 0x80000 and click Start cleanup in the autoit script which will remove any unreferenced code which might have been created accidentaly etc.

This should produce a pretty decent and cohesive dissassembly project. I dont know if anyone got a better method feel free to share   Hope I didnt make any mistakes in writing this as I gotta go work right now, so will recheck in a few hours. Good luck.

6.1 32 bit ofcourse.

Soo the most secure metod is to copy this registers to some unused memory, and after my function to reverse tham back

Let say
1. My custom function start
2. Copy r4 to 81400, copy r5 to 8140A...
3. I use that r4 and r5 in my function so I can play with them
4. Before end of my function
5. Copy 81400 to r4, copy 8140A to r5
6. Return to main code


This will take a little more work but will make sure It safe