Author Topic: Identify RAM variable  (Read 10480 times)
totti
Full Member
***

Karma: +15/-29

Posts: 227


« on: August 04, 2021, 01:40:00 AM »

Hi,

I started to disassemble binary files. I'm using the .ecu file to identify the RAM variables, but I found some which are not listed in the .ecu file. Is there any way to identify these?


thank you
Logged
timus
Jr. Member
**

Karma: +6/-0

Posts: 35

Polo 86c2f 1.8T AUM


« Reply #1 on: August 04, 2021, 02:21:24 AM »

You can use the damos file for your bin; it contains all important RAM variables and maps.

If you don't have a damos file you can analyze the code, read the Funktionsrahmen, and try to find out which variable you are looking at.
Logged
totti
Full Member
***

Karma: +15/-29

Posts: 227


« Reply #2 on: August 04, 2021, 03:15:44 AM »

You can use the damos file for your bin; it contains all important RAM variables and maps.

If you don't have a damos file you can analyze the code, read the Funktionsrahmen, and try to find out which variable you are looking at.

I don't have a damos file for 8N0906018BH 0001. The variable I'm searching for is 0x380AC4. It is somehow related to some unique pops-and-bangs code. The code sets it to 0xFF.
Logged
fknbrkn
Hero Member
*****

Karma: +186/-24

Posts: 1454


mk4 1.8T AUM


« Reply #3 on: August 04, 2021, 04:11:41 AM »

Search for crosslinks (x key)
Trace it to known ones

Logged
timus
Jr. Member
**

Karma: +6/-0

Posts: 35

Polo 86c2f 1.8T AUM


« Reply #4 on: August 04, 2021, 04:44:58 AM »

The variable I'm searching for is 0x380AC4. It is somehow related to some unique pops-and-bangs code.
If it's some unique code, all you can do is analyze what it does and where it comes from, and come up with a name for it yourself.
Logged
gremlin
Hero Member
*****

Karma: +196/-9

Posts: 654


« Reply #5 on: August 04, 2021, 12:20:04 PM »

The variable I'm searching for is 0x380AC4.

380AC4 - nwe [Wiedereinsetzdrehzahl]
Full RAM and BITs list in attachment.

Logged
totti
Full Member
***

Karma: +15/-29

Posts: 227


« Reply #6 on: August 04, 2021, 12:39:55 PM »

380AC4 - nwe [Wiedereinsetzdrehzahl]
Full RAM and BITs list in attachment.



Thank you very much. I have not found this kind of document before. Do you have it for 06A906032HN 0001?
Logged
totti
Full Member
***

Karma: +15/-29

Posts: 227


« Reply #7 on: August 04, 2021, 02:15:08 PM »

Now I totally don't understand what happened in the bin file.
The original bin contains:
movb    byte_8AC4, rl6

The modified bin, which contains a function I would like to understand (cruise-control-switched pops and bangs):
The original line was replaced with calls   8Ah, 19D0h ; 8A19D0h
At 8A19D0 this is the code:
ROM:000A19D0                 jb      word_FD10.2, loc_A19E2
ROM:000A19D4                 movb    rl6, #0FFh
ROM:000A19D8                 exts    #38h, #1 ; '8'
ROM:000A19DC                 movb    0AC4h, rl6 ; 380AC4h
ROM:000A19E0                 jmpr    cc_UC, locret_A19EA
ROM:000A19E2 ; ---------------------------------------------------------------------------
ROM:000A19E2
ROM:000A19E2 loc_A19E2:                              ; CODE XREF: ROM:000A19D0↑j
ROM:000A19E2                 exts    #38h, #1 ; '8'
ROM:000A19E6                 movb    0AC4h, rl6 ; 380AC4h
ROM:000A19EA
ROM:000A19EA locret_A19EA:                           ; CODE XREF: ROM:000A19E0↑j
ROM:000A19EA                 rets


So for me it seems that the original 8AC4 address changed to 0AC4.
Logged
Blazius
Hero Member
*****

Karma: +89/-40

Posts: 1282



« Reply #8 on: August 04, 2021, 03:06:37 PM »

Post the file.
Logged
gremlin
Hero Member
*****

Karma: +196/-9

Posts: 654


« Reply #9 on: August 04, 2021, 03:37:39 PM »

Now I totally don't understand what happened in the bin file.


It's simple.
If the CCS key is pressed (flag FFD0.2 = 1), we set the fuel supply resumption engine speed to an unrealistically high 256 * 40 = 10240 rpm.
It actually means that the fuel is switched off.
Not pressed: leave the value as it was in the original code.
Logged
totti
Full Member
***

Karma: +15/-29

Posts: 227


« Reply #10 on: August 04, 2021, 11:30:14 PM »

It's simple.
If the CCS key is pressed (flag FFD0.2 = 1), we set the fuel supply resumption engine speed to an unrealistically high 256 * 40 = 10240 rpm.
It actually means that the fuel is switched off.
Not pressed: leave the value as it was in the original code.


The first part is OK. My problem is that in the original file 8AC4 gets the rl6 register value, while in the custom code 0AC4 does.
Logged
fknbrkn
Hero Member
*****

Karma: +186/-24

Posts: 1454


mk4 1.8T AUM


« Reply #11 on: August 05, 2021, 12:04:25 AM »

8AC4 is the short addressing for 380AC4
program flow looks sooo nooby
« Last Edit: August 05, 2021, 12:10:17 AM by fukenbroken » Logged
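To make the short-addressing point concrete, here is an added example that is not code from the thread or from the ECU firmware. It shows how a C166/C167 core turns the two operand forms in the posted listing into the same physical byte: a 16-bit address such as 8AC4h selects a data page pointer with its top two bits (here DPP2) and supplies the 14-bit offset, while `exts #38h, #1` overrides the DPPs for one instruction and uses segment 0x38 directly. The DPP2 value 0xE0 is an assumption derived from the thread's own 8AC4 -> 380AC4 pairing, not read from this ECU; the instruction address of the original `movb byte_8AC4, rl6` line is hypothetical, and the 40 rpm/LSB scaling for nwe is the one quoted in the thread.

```python
# Added example (not from the thread or the ECU): resolve C166/C167 data
# addresses and scan an IDA-style listing for the RAM byte each store hits.
# Assumptions: DPP2 = 0xE0 (derived from 8AC4 -> 380AC4 in the thread), the
# address of the ORIGINAL line, and nwe scaling of 40 rpm per LSB.
import re

PAGE_BITS = 14                       # a C166 data page is 16 KiB
PAGE_MASK = (1 << PAGE_BITS) - 1
DPP_ASSUMED = {0: 0x000, 1: 0x001, 2: 0x0E0, 3: 0x003}   # DPP0..DPP3 (assumed)

def resolve_short(addr16, dpp=DPP_ASSUMED):
    """16-bit data address -> 24-bit physical address through the DPPs.
    Bits 15:14 pick DPP0..DPP3; that register holds the 10-bit page number."""
    if not 0 <= addr16 <= 0xFFFF:
        raise ValueError("16-bit address expected")
    return (dpp[addr16 >> PAGE_BITS] << PAGE_BITS) | (addr16 & PAGE_MASK)

def resolve_exts(segment, offset16):
    """EXTS #seg, #n: for the next n instructions a 16-bit operand is an
    offset inside the 64 KiB segment `segment`; the DPPs are bypassed."""
    if not 0 <= segment <= 0xFF or not 0 <= offset16 <= 0xFFFF:
        raise ValueError("segment must fit 8 bits, offset 16 bits")
    return (segment << 16) | offset16

def nwe_rpm(raw):
    """Scale a raw nwe byte with the 40 rpm/LSB factor quoted in the thread."""
    return raw * 40

RE_LINE = re.compile(r"^ROM:([0-9A-Fa-f]{6,8})\s+(\S+)\s*(.*)$")

def parse_direct(operand):
    """Value of a direct memory operand (byte_8AC4, word_FD10, 0AC4h),
    or None for registers, immediates and other addressing modes."""
    m = re.fullmatch(r"(?:byte_|word_)([0-9A-Fa-f]{4})", operand)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"([0-9A-Fa-f]+)[hH]", operand)
    return int(m.group(1), 16) if m else None

def memory_writes(listing, dpp=DPP_ASSUMED):
    """Return [(instruction address, physical destination)] for every
    mov/movb with a direct memory destination, honouring a pending EXTS."""
    writes, override = [], None          # override = [segment, insns_left]
    for line in listing.splitlines():
        m = RE_LINE.match(line)
        if not m or m.group(2).endswith(":") or m.group(2).startswith(";"):
            continue                      # labels, comment rows, separators
        insn_addr, mnem = int(m.group(1), 16), m.group(2).lower()
        ops = [o.strip() for o in m.group(3).split(";")[0].split(",")]
        if mnem == "exts":
            seg = int(ops[0].lstrip("#").rstrip("hH"), 16)
            override = [seg, int(ops[1].lstrip("#"))]
            continue                      # the count applies to what follows
        if mnem in ("mov", "movb"):
            target = parse_direct(ops[0])
            if target is not None:
                phys = (resolve_exts(override[0], target) if override
                        else resolve_short(target, dpp))
                writes.append((insn_addr, phys))
        if override:                      # one overridden instruction consumed
            override[1] -= 1
            if override[1] == 0:
                override = None
    return writes

# Constructed listing: the patched routine as posted (XREF arrows omitted) and
# the original single instruction at a hypothetical address for comparison.
ORIGINAL = "ROM:0008A1C0                 movb    byte_8AC4, rl6\n"
PATCHED = """\
ROM:000A19D0                 jb      word_FD10.2, loc_A19E2
ROM:000A19D4                 movb    rl6, #0FFh
ROM:000A19D8                 exts    #38h, #1 ; '8'
ROM:000A19DC                 movb    0AC4h, rl6 ; 380AC4h
ROM:000A19E0                 jmpr    cc_UC, locret_A19EA
ROM:000A19E2 ; ---------------------------------------------------------------------------
ROM:000A19E2 loc_A19E2:                              ; CODE XREF: ROM:000A19D0
ROM:000A19E2                 exts    #38h, #1 ; '8'
ROM:000A19E6                 movb    0AC4h, rl6 ; 380AC4h
ROM:000A19EA locret_A19EA:                           ; CODE XREF: ROM:000A19E0
ROM:000A19EA                 rets
"""

if __name__ == "__main__":
    print(hex(resolve_short(0x8AC4)), hex(resolve_exts(0x38, 0x0AC4)))
    for addr, phys in memory_writes(ORIGINAL) + memory_writes(PATCHED):
        print(f"{addr:06X}: writes {phys:06X}")
    print(nwe_rpm(0xFF), "rpm")
```

Running it shows that the original store and both stores in the patched routine land on 0x380AC4; the two paths of the patch differ only in whether rl6 was loaded with 0xFF first. The scanner is the check to run when a hand patch mixes DPP-relative and EXTS-relative operands: if the resolved targets differ, the patch is writing somewhere other than the variable it claims to.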
totti
Full Member
***

Karma: +15/-29

Posts: 227


« Reply #12 on: August 05, 2021, 12:52:48 AM »

8AC4 is the short addressing for 380AC4
program flow looks sooo nooby

Ahh, OK. Thanks for the info. I just received the bin with the function and am trying to understand what is implemented inside.
Logged
totti
Full Member
***

Karma: +15/-29

Posts: 227


« Reply #13 on: August 06, 2021, 05:34:30 AM »

Post the file.

Here is the cut-out part of the bin
Logged
Blazius
Hero Member
*****

Karma: +89/-40

Posts: 1282



« Reply #14 on: August 06, 2021, 12:50:03 PM »

Here is the cut-out part of the bin

It's basically:

if (FD10.2 == 1)   // S_fgrhs - main switch on the FGR control lever
{
    movb RAM:380AC4 (nwe - Wiedereinsetzdrehzahl), whatever is in rl6
}
else
{
    FF rl6
    FF'd RAM:380AC4 with rl6
}
unconditional jump to A19EA -> return
Logged