Author Topic: im an ida n00b and i know nothing about coding. but i have a question.  (Read 12055 times)
k0mpresd
So I'm curious here. Let's say instead of 00'ing the DTC table or specific bytes in the DTC table to keep the ECU from setting a DTC, is it possible to delete the code that calls the DTC to be thrown to start with?

I could be way off here, which is why I'm asking.

For example:

DTC call function start and finish in IDA: (image attachment, not shown)

And in WinOLS: (image attachment, not shown)

All I did, obviously, was 00 the setDTC function code. Is this right, or will this work, or am I dumb?
« Last Edit: August 30, 2010, 08:52:13 AM by k0mpresd »
thom337
« Reply #1 on: August 30, 2010, 02:59:43 PM »

Have you tried this on a vehicle yet? I'm not 100% sure what would happen here, although it seems that as long as nowhere else in the code is instructing the processor to execute this memory range or reference it, it should just never use it. I do wonder if the processor is executing the "firmware", so to speak, and it finishes the function before it without having a command to continue/jump to a fixed memory location... and then it runs into a segment of all 0's... what will it do? I don't know enough about asm to answer that question with any confidence... Do you know where the function before it "points" to when it is done, and do any other functions point to the beginning of the DTC subroutine?

Not sure how valuable it is to disable this though, as most of the diagnostics that cause problems can be disabled and the useful ones which are helpful can be retained.
k0mpresd
« Reply #2 on: August 30, 2010, 07:26:01 PM »

I haven't tried it on an ECU yet. I was just messing around in between classes. I want to look through IDA some more.
Tony@NefMoto (Administrator)
« Reply #3 on: September 02, 2010, 03:06:40 PM »

Anything is possible.

Do you want to prevent the ECU from recognizing the DTC at all, or just prevent it from storing it?

Basically find the "set DTC function", then select the memory address for the start of the function, and then open the cross references window. This way you can find everywhere that calls this function. Then you need to dig through the code and find the place that calls your "set DTC" function with the DTC number you want to prevent. Then edit that place in the code to use the NOP instruction instead of calling the function.
Remember you have to log in if you want to see the file attachments!
Info or questions, please add to the wiki: http://www.nefariousmotorsports.com/wiki
Follow NefMoto developments on Twitter: http://twitter.com/nefmoto
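Worked example of the procedure Tony describes above, added here and not code from the thread, from NefMoto or from Bosch: take the call site that IDA's cross-reference window reports, confirm it really is a call to the "set DTC" function, and overwrite exactly that instruction with NOPs. The target is the 8051 family (the 80C535 used in M2.x Motronic, discussed further down, is an 8051 derivative with the same instruction set). The sample ROM, the addresses 0x0022/0x0032/0x0100, the idea that the DTC number is passed as `MOV A,#imm` immediately before the call, and every helper name are assumptions made for the example.

```python
# Added example for this thread: NOP out one "call setDTC" site in an
# 8051-family ROM image. This is illustration code, not NefMoto's or
# Bosch's tooling; the sample ROM, the addresses and every helper name
# are assumptions made for the example.
from dataclasses import dataclass
from typing import List, Optional

NOP = 0x00          # 8051 NOP opcode: a zeroed region is executed as a NOP sled
LCALL = 0x12        # LCALL addr16  -> 3 bytes: 12 hi lo
ACALL_MASK = 0x1F   # ACALL addr11  -> 2 bytes: opcode = (a10..a8 << 5) | 0x11, then a7..a0
ACALL_TAG = 0x11
MOV_A_IMM = 0x74    # MOV A,#imm8   -> 2 bytes: 74 imm


@dataclass(frozen=True)
class Call:
    site: int        # address of the call instruction
    target: int      # callee address
    length: int      # 2 for ACALL, 3 for LCALL
    mnemonic: str


def decode_call(rom: bytes, addr: int) -> Optional[Call]:
    """Decode an LCALL/ACALL starting at `addr`; None if no call starts there.
    Assumes file offset == code address, i.e. a flat 64 KiB 8051 code space."""
    op = rom[addr]
    if op == LCALL and addr + 2 < len(rom):
        return Call(addr, (rom[addr + 1] << 8) | rom[addr + 2], 3, "LCALL")
    if (op & ACALL_MASK) == ACALL_TAG and addr + 1 < len(rom):
        # ACALL only reaches the 2 KiB page that the *next* instruction is in.
        page = (addr + 2) & 0xF800
        return Call(addr, page | ((op >> 5) << 8) | rom[addr + 1], 2, "ACALL")
    return None


def find_call_sites(rom: bytes, target: int) -> List[Call]:
    """Byte-by-byte scan for calls to `target`. This is only a cross-check
    for IDA's xref window: it is not a disassembly, so calibration data or
    the tail of another instruction can alias a call opcode."""
    hits = []
    for addr in range(len(rom)):
        call = decode_call(rom, addr)
        if call is not None and call.target == target:
            hits.append(call)
    return hits


def dtc_argument(rom: bytes, site: int) -> Optional[int]:
    """Assumed calling convention for the example: the DTC number is loaded
    with MOV A,#imm8 right before the call. Returns the number, or None if
    the call site does not look like that (then read the code by hand)."""
    if site >= 2 and rom[site - 2] == MOV_A_IMM:
        return rom[site - 1]
    return None


def nop_call(rom: bytes, site: int, expected_target: int) -> bytearray:
    """Return a patched copy with the call at `site` replaced by NOPs.
    Refuses to touch bytes that are not a call to the expected target, so a
    stale or mistyped address from the xref list cannot corrupt other code.
    Instruction length is preserved, so nothing after the call shifts."""
    call = decode_call(rom, site)
    if call is None:
        raise ValueError(f"no LCALL/ACALL at {site:#06x}")
    if call.target != expected_target:
        raise ValueError(f"{call.mnemonic} at {site:#06x} targets "
                         f"{call.target:#06x}, expected {expected_target:#06x}")
    patched = bytearray(rom)
    patched[site:site + call.length] = bytes([NOP]) * call.length
    return patched


def build_sample_rom() -> bytes:
    """Constructed 512-byte sample, not a dump of any ECU: two callers of a
    setDTC stub at 0100h, plus data bytes that happen to look like an LCALL."""
    rom = bytearray(0x200)
    rom[0x0020:0x0026] = bytes([MOV_A_IMM, 0x4A,        # MOV A,#4Ah  (DTC 4Ah)
                                LCALL, 0x01, 0x00,      # LCALL 0100h
                                0x22])                  # RET
    rom[0x0030:0x0035] = bytes([MOV_A_IMM, 0x17,        # MOV A,#17h  (DTC 17h)
                                0x31, 0x00,             # ACALL 0100h (page 0, a10..a8 = 1)
                                0x22])                  # RET
    rom[0x0100] = 0x22                                  # setDTC stub: RET
    rom[0x0180:0x0183] = bytes([LCALL, 0x01, 0x00])     # data that aliases LCALL 0100h
    return bytes(rom)


if __name__ == "__main__":
    rom = build_sample_rom()
    for c in find_call_sites(rom, 0x0100):
        print(f"{c.mnemonic} at {c.site:#06x}, DTC arg: {dtc_argument(rom, c.site)}")
    patched = nop_call(rom, 0x0022, 0x0100)   # remove only the DTC 4Ah call
    print("remaining callers:", [f"{c.site:#06x}" for c in find_call_sites(patched, 0x0100)])
```

Three things worth checking before flashing such a patch. First, the scan deliberately reports the data bytes at 0x0180 as well: a linear opcode scan is not a disassembly, so treat its output as a cross-check against IDA's xref list, not a replacement for it. Second, NOPing the call leaves the accumulator holding the DTC number where the caller might have expected whatever "set DTC" returns; read the instructions after the call to make sure no return value or flag is consumed. Third, on the 8051 the byte 0x00 is NOP, so zeroing the whole function body (the WinOLS approach in the opening post) does not make the code "unreachable": a caller that still reaches it executes a run of NOPs and falls through into whatever code follows, which is why removing the individual call sites is the safer edit. A raw binary edit is also not the last step on an ECU that verifies a ROM checksum; the checksum has to be corrected afterwards.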
elRey
« Reply #4 on: September 11, 2010, 11:49:08 PM »

I'm curious why you would do this. It would also prevent useful DTCs from being set, right?

And when you say DTC table, are you referring to the fault classes or the code words?
Tony@NefMoto (Administrator)
« Reply #5 on: September 12, 2010, 01:55:19 PM »

You would do this to disable DTCs for some systems you don't want. Such as: catalytic converter efficiency, secondary air injection, requiring rear oxygen sensors, etc.
elRey
« Reply #6 on: September 13, 2010, 10:18:29 AM »

But deleting the DTC call FUNCTION will prevent ANY DTC from being set, right?
(i.e. like O2 bank 1/2 too lean/rich or misfires per cylinder, etc.)

Useful DTCs.
Tony@NefMoto (Administrator)
« Reply #7 on: September 13, 2010, 10:20:19 AM »

Yes, if you remove or disable the "store DTC" function, then you would not get any DTCs. It would be better to edit the DTC table to disable individual DTCs, or change the DTC class to one that does not set the check engine light.
spen
« Reply #8 on: September 22, 2010, 08:20:50 AM »

Guys, IMHO you shouldn't do this. You should deactivate the DTC using the proper codewords given by Bosch. That's what they're for!

Remember that even though the DTC will be avoided, other parts of the code will check for the internal error state bits. The functions don't read the DTC before they fall back on their failover routines. I.e. you have a broken MAF sensor but won't generate a DTC, but the code knows it's broken and will use other means of ascertaining airflow.

You'll never know about it though :O
« Last Edit: September 23, 2010, 04:16:19 PM by spen »
Acki
« Reply #9 on: January 14, 2013, 05:05:10 AM »

Sorry for bringing up this old thread.

I'm working on the disassembly of an M2.4.1 dataset (Audi 100 S4 4.2 V8).
However, there are a lot of code functions etc., but nothing named like "setDTC".

Why is this set here? Any explanation? A special "add-on" for IDA?
prj
« Reply #10 on: January 14, 2013, 07:58:40 AM »

Quote from: Acki
Sorry for bringing up this old thread.

I'm working on the disassembly of an M2.4.1 dataset (Audi 100 S4 4.2 V8).
However, there are a lot of code functions etc., but nothing named like "setDTC".

Why is this set here? Any explanation? A special "add-on" for IDA?

It was added by Andy Whittaker's plugin.
There is also a setDTC function in it, but you will have to find it yourself.

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
Acki
« Reply #11 on: January 14, 2013, 09:10:30 AM »

Hrhr... OK.

It is difficult because there aren't so many examples available for the "shitty old Motronic" ;-)

There is no RAM on the M2.4.1 that I have to "check", or is there?
I only have the ROM bin file which I can analyse.
Are the addresses in this bin file (line 1234h etc.) the same as the "memory addresses"?
I only have to take care of registers etc.?

Is it a good idea to use an 8051 ASM to C converter?
The flowcharts in IDA look very impressive; I found some code where it's pretty big.
But I found nothing helpful there: I know the map addresses but I don't find them in any function.
Everything "happens" in the area up to 8000h, for example, but at A...h and B...h I have my tables and nothing points to them.
Is it possible that I have used "wrong" settings for the IDA Pro disassembly work?
8051 CPU, and for the analysis I left everything at the defaults (a lot of "functions")...

Hmm, surely not easy work, but there seems to be no other way to get the information.
prj
« Reply #12 on: January 14, 2013, 09:15:21 AM »

There is nothing to do wrong, you select 80C535, and open the bin.
Table access is done differently. Have a look at the BoschDME group, it has the routine posted up and explained.
It's done through two tables... But at least there are only two lookup routines, with interpolation and without.
Unlike ME7 where there is a million of them.
Acki
« Reply #13 on: January 14, 2013, 09:20:35 AM »

80C535??
I selected 8051. Does this make any difference? Isn't this the same (same "family")?
Maybe a stupid question, but I only know 80x86 CPUs, and only since a few days ago.

BoschDME I know; any "keyword" to find this thread?