Hi Guys. i'm new to reverse ECU frimware and i trying to  find a seed/key algorithm.
in a part of the file i saw a variable that located in XRAM mov to accumulator registers and finally xor with other registers. as below:

mov     r1, word_E1C4
mov     r2, word_E1C6
cpl     r1
cpl     r2
xor     r12, r1
xor     r13, r2


i guess this value (word_E1C4 and word_E1C6) create the required constant value(public Key) for Seed/Key algorithm.
so i search this values in dump(file) and i found this instructions :

mov     r4, #0
mov     r5, #0Fh
calls   0Fh, 428Ch ; 0F428Ch
mov     word_E1C4, r10
mov     word_E1C6, r11


so it seems r10 and r11 have the constant value inside them and these values are created in calls   0Fh, 428Ch ; 0F428Ch !!!!
But what is Call's instruction? this instruction refer to incorrect address 
How can I find these values?
any body can help me about this ?

Hi woj.
how i can find this area? it would be very hard. do you help me?

Awesome. But my question was about memory reference issue,
As you see two variable call from RAM. I found them but there are not related to these addresses.