totti
Full Member
Karma: +15/-29
Offline
Posts: 227
« on: August 04, 2021, 01:40:00 AM »
Hi,
I started to disassemble binary files. I'm using an .ecu file to identify the RAM variables. But I found some which are not listed in the ecu file. Is there any way to identify these?
thank you
timus
Jr. Member
Karma: +6/-0
Offline
Posts: 35
Polo 86c2f 1.8T AUM
« Reply #1 on: August 04, 2021, 02:21:24 AM »
You can use a damos file for your bin; it contains all important RAM variables and maps.
If you don't have a damos you can analyze the code and read the Funktionsrahmen and try to find out which variable you are looking at.
totti
« Reply #2 on: August 04, 2021, 03:15:44 AM »
> You can use a damos file for your bin; it contains all important RAM variables and maps.
> If you don't have a damos you can analyze the code and read the Funktionsrahmen and try to find out which variable you are looking at.
I don't have a damos for 8N0906018BH 0001. The variable I'm searching for is 0x380AC4. It is somehow related to pops and bangs unique code. The code sets it to 0xFF.
fknbrkn
Hero Member
Karma: +185/-23
Offline
Posts: 1454
mk4 1.8T AUM
« Reply #3 on: August 04, 2021, 04:11:41 AM »
Search for crosslinks (x key). Trace it to known ones.
timus
« Reply #4 on: August 04, 2021, 04:44:58 AM »
> The variable I'm searching for is 0x380AC4. It is somehow related to pops and bangs unique code.
If it's some unique code, all you can do is analyze what it does and where it comes from, and come up with a name for it yourself.
gremlin
« Reply #5 on: August 04, 2021, 12:20:04 PM »
> The variable I'm searching for is 0x380AC4.
380AC4 - nwe [Wiedereinsetzdrehzahl]
Full RAM and BITs list in attachment.
totti
« Reply #6 on: August 04, 2021, 12:39:55 PM »
> 380AC4 - nwe [Wiedereinsetzdrehzahl]
> Full RAM and BITs list in attachment.
Thank you very much. I have not found this kind of document. Do you have it for 06A906032HN 0001?
totti
« Reply #7 on: August 04, 2021, 02:15:08 PM »
Now I totally don't understand what happened in the bin file. The original bin contains:
movb byte_8AC4, rl6
The modified bin contains a function that I would like to understand (cruise control switched pops and bangs). The original line is replaced with:
calls 8Ah, 19D0h ; 8A19D0h
At 8A19D0 this is the code:
ROM:000A19D0 jb word_FD10.2, loc_A19E2
ROM:000A19D4 movb rl6, #0FFh
ROM:000A19D8 exts #38h, #1 ; '8'
ROM:000A19DC movb 0AC4h, rl6 ; 380AC4h
ROM:000A19E0 jmpr cc_UC, locret_A19EA
ROM:000A19E2 ; ---------------------------------------------------------------------------
ROM:000A19E2
ROM:000A19E2 loc_A19E2: ; CODE XREF: ROM:000A19D0↑j
ROM:000A19E2 exts #38h, #1 ; '8'
ROM:000A19E6 movb 0AC4h, rl6 ; 380AC4h
ROM:000A19EA
ROM:000A19EA locret_A19EA: ; CODE XREF: ROM:000A19E0↑j
ROM:000A19EA rets
So for me it seems that the original 8AC4 address changed to 0AC4.
Blazius
« Reply #8 on: August 04, 2021, 03:06:37 PM »
Post the file.
gremlin
« Reply #9 on: August 04, 2021, 03:37:39 PM »
> Now I totally don't understand what happened in the bin file.
It's simple. If the CCS key is pressed (flag FFD0.2 = 1), we set the fuel supply resumption engine speed to an unrealistically high 256 * 40 = 10240 rpm. It actually means that fuel is switched off. Not pressed - leave the value as it was in the original code.
totti
« Reply #10 on: August 04, 2021, 11:30:14 PM »
> It's simple. If the CCS key is pressed (flag FFD0.2 = 1), we set the fuel supply resumption engine speed to an unrealistically high 256 * 40 = 10240 rpm. It actually means that fuel is switched off. Not pressed - leave the value as it was in the original code.
The first part is ok. My problem is that in the original file the 8AC4 value gets the rl6 register value, in the custom code the 0AC4.
fknbrkn
« Reply #11 on: August 05, 2021, 12:04:25 AM »
8AC4 is the short addressing for 380AC4.
Program flow looks sooo nooby.
« Last Edit: August 05, 2021, 12:10:17 AM by fukenbroken »
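An added example (not part of the thread and not any poster's code) of the address arithmetic behind this answer: it resolves the `movb` stores from the original line and from the patched listing to physical addresses, handling both DPP short addressing and the `exts` segment override. The DPP register values are assumptions; DPP2 = 0xE0 is inferred from the stated 8AC4 to 380AC4 mapping, the others are placeholders.

```python
import re

# Assumption: DPP values are not shown in the thread. DPP2 = 0xE0 is inferred
# from "8AC4 is short addressing for 380AC4" (0x380000 >> 14 == 0xE0);
# DPP0, DPP1 and DPP3 are placeholders.
DPP = {0: 0x00, 1: 0x01, 2: 0xE0, 3: 0x03}

def resolve_dpp(addr16, dpp=DPP):
    """C166 DPP addressing: bits 15-14 pick DPP0-3, bits 13-0 are the page offset."""
    page = dpp[addr16 >> 14] & 0x3FF
    return (page << 14) | (addr16 & 0x3FFF)

def resolve_exts(seg, addr16):
    """Inside an EXTS window the segment supplies A23-A16 and the DPPs are bypassed."""
    return ((seg & 0xFF) << 16) | (addr16 & 0xFFFF)

def hexnum(tok):
    """Parse IDA-style hex operands such as 0AC4h, 38h or byte_8AC4."""
    return int(tok.rstrip("h").split("_")[-1], 16)

EXTS = re.compile(r"exts\s+#(\w+),\s*#(\d)")
STORE = re.compile(r"movb\s+(byte_[0-9A-Fa-f]+|[0-9A-Fa-f]+h),\s*rl\d")

def resolve_stores(lines):
    """Return the physical target of every 'movb mem, rlN' in a listing."""
    out, seg, left = [], None, 0
    for line in lines:
        m = EXTS.search(line)
        if m:  # open an override window covering the next <count> instructions
            seg, left = hexnum(m.group(1)), int(m.group(2))
            continue
        s = STORE.search(line)
        if s:
            addr = hexnum(s.group(1))
            out.append(resolve_exts(seg, addr) if left else resolve_dpp(addr))
        left = max(0, left - 1)  # each instruction consumes one window slot
    return out

# Lines taken from the thread: the original store and the patched routine's first path.
ORIGINAL = ["movb byte_8AC4, rl6"]
PATCHED = ["ROM:000A19D4 movb rl6, #0FFh",
           "ROM:000A19D8 exts #38h, #1 ; '8'",
           "ROM:000A19DC movb 0AC4h, rl6 ; 380AC4h"]

if __name__ == "__main__":
    for name, listing in (("original", ORIGINAL), ("patched", PATCHED)):
        print(name, [hex(a) for a in resolve_stores(listing)])
```

Both listings resolve to the same RAM cell, so the operand changing from 8AC4 to 0AC4 is only a change of addressing mode, not of target.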
totti
« Reply #12 on: August 05, 2021, 12:52:48 AM »
> 8AC4 is the short addressing for 380AC4.
> Program flow looks sooo nooby.
Ahh ok. Thanks for the info. I just received the bin with the function and am trying to understand what is implemented inside.
totti
« Reply #13 on: August 06, 2021, 05:34:30 AM »
> Post the file.
Here is the cut part of the bin
Blazius
« Reply #14 on: August 06, 2021, 12:50:03 PM »
> Here is the cut part of the bin
It's basically:
if (FD10.2 == 1 (S_fgrhs - Main switch on the FGR control lever)) {
    movb RAM:380AC4 (nwe - Wiedereinsetzdrehzahl), whatever is in rl6
} else
    FF rl6
    FF'd RAM:380AC4 with rl6
    unconditional jump to A19EA -> return