Pages: 1 [2]
Author Topic: 8d0907551A defn file  (Read 33496 times)
spen
Full Member
***

Karma: +43/-0
Offline Offline

Posts: 112


« Reply #15 on: November 05, 2010, 09:47:09 AM »


Mine works along the same principal as a virus scanner.  I known sig for a location which reads the target map.  I then scan through a target rom and note any direct matches excluding absolute addresses.

If that fails I move to byte / word swaps, using ram at page 0xe1, and finally a distance value from the current sig to the current chunk of the target rom - a bit like a spell checker.

When I get a hit, I parse the code looking for the scanning routine call, then locate the register loaded with the offset and DPR of the table.  Then I drop the result along with the program counter in to a data grid view.

Sometimes it doesn't work out and I have to do it manually.

Doing it automagically and getting the correct axis based on the machine code is hard, but I am getting there.

Checking work - I create from D rom.  I scan F, M, H and G roms and compare the results if there are any which don't line up I investigate.

There's no way to be 100%.  I catch errors in my own work.  I catch errors in Nyes!  There is even an error in an ASAP file out there.  Only the machine code is 100% accurate.


Logged
iznogoud
Full Member
***

Karma: +13/-0
Offline Offline

Posts: 104

Learning junkie


« Reply #16 on: November 05, 2010, 01:02:48 PM »

I see. good work.

So your primary assumption is that the addresses are pointing to maps that are identical, more or less. The more-or-less part is where you do the distance checking (or inner-product test if you are a real geek) like a spell-checker.

I see. I can also see how there are multiple sources of errors possible.
Logged

Audi S4 B5 2000 6sp Cactus Green
Audi A4 B6 Avant 1.8T 2001.5 5sp Santorin Blue
spen
Full Member
***

Karma: +43/-0
Offline Offline

Posts: 112


« Reply #17 on: November 05, 2010, 01:27:02 PM »

I see. good work.

So your primary assumption is that the addresses are pointing to maps that are identical, more or less. The more-or-less part is where you do the distance checking (or inner-product test if you are a real geek) like a spell-checker.

I see. I can also see how there are multiple sources of errors possible.

NO.  You misunderstand I think, I don't expect that addresses are pointing to maps that are identical.

I am assuming the code which looks for the specific map does not change much between revs of code.  The code moves location - so the addresses change always, both program counter and target addresses, but the function structure remains almost static.  When the structure of the routine changes the Levenshtein distance is not great FOR THE STRUCTURE OF THE FUNCTION AS A WHOLE, not it's location.  I search for 0 distance in routine structure first as it is fast.

I'm not assuming the map is identical, they aren't even if the function is the same. 

If I just assumed that because G rom, read data at program counter 0x88a43b, that in every rom a map is read at 0x88a43b I'd be off by miles on every single target.

Logged
Tony@NefMoto
Administrator
Hero Member
*****

Karma: +132/-4
Offline Offline

Posts: 1389


2001.5 Audi S4 Stage 3


« Reply #18 on: November 05, 2010, 02:10:07 PM »

There's no way to be 100%.  I catch errors in my own work.  I catch errors in Nyes!  There is even an error in an ASAP file out there.  Only the machine code is 100% accurate.

I've found bugs in the assembly code too. Machine code is 100% accurate, but doesn't necessarily do what the Bosch engineering intended.  Grin

As for finding maps and data in binary files. I agree with how spen does it. Use a reference file as a template. For each piece of data you are interested in, find the assembly code that accesses that data. Then generate a pattern for that piece of assembly code. Then in your new binary file, search for the matching pattern of assembly code, ignoring absolute addresses. Once you have found the matching pattern of assembly code, grab the new memory address of the data you want from the memory reference in the piece of the code you matched.

This is also the same way that Andy Whittaker's ECU Fix tool finds checksums in binary files.
Logged

Remember you have to log in if you want to see the file attachments!
Info or questions, please add to the wiki: http://www.nefariousmotorsports.com/wiki
Follow NefMoto developments on Twitter: http://twitter.com/nefmoto
iznogoud
Full Member
***

Karma: +13/-0
Offline Offline

Posts: 104

Learning junkie


« Reply #19 on: November 05, 2010, 02:38:51 PM »

OK. good discussion here.

Tangent question: do we want to write our own checksum-maker for files or keep using Andy's? I am hazy on the details of how to do all this right now, but if it is possible we'll find a way to do it.
Logged

Audi S4 B5 2000 6sp Cactus Green
Audi A4 B6 Avant 1.8T 2001.5 5sp Santorin Blue
Tony@NefMoto
Administrator
Hero Member
*****

Karma: +132/-4
Offline Offline

Posts: 1389


2001.5 Audi S4 Stage 3


« Reply #20 on: November 05, 2010, 02:43:47 PM »

OK. good discussion here.

Tangent question: do we want to write our own checksum-maker for files or keep using Andy's? I am hazy on the details of how to do all this right now, but if it is possible we'll find a way to do it.

After a few more small releases, I plan on working on a checksum tool. I already have the code to correct the checksums, and I just need to write the code to locate the checksums. So I will need to write some assembly code pattern matching to do that. Should be fun. Grin
Logged

Remember you have to log in if you want to see the file attachments!
Info or questions, please add to the wiki: http://www.nefariousmotorsports.com/wiki
Follow NefMoto developments on Twitter: http://twitter.com/nefmoto
spen
Full Member
***

Karma: +43/-0
Offline Offline

Posts: 112


« Reply #21 on: November 06, 2010, 01:33:13 AM »

chksum shouldn't be hard.  I can post the routines which calc the checksum blocks.  Andy Whitaker posted most of the 'how'.

There is even a codeword to ignore the checksum routine.  However someone inserted two NOP instructions over the jmp in the checksum routine, effectively breaking the codeword function.

It shouldn't be too hard to work out where the jmp_nz should jump to, then we can forget about checksums - useful for those of us with an eprom emulator who want to map the car live.
Logged
spen
Full Member
***

Karma: +43/-0
Offline Offline

Posts: 112


« Reply #22 on: November 06, 2010, 01:53:16 AM »


link to ignore checksum codeword thread:

http://www.nefariousmotorsports.com/forum/index.php?topic=274.0title=
Logged
Pages: 1 [2]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.018 seconds with 17 queries. (Pretty URLs adds 0s, 0q)