Author Topic: Identify RAM variable
totti
« Reply #15 on: August 06, 2021, 02:20:25 PM »

It's basically:

if (FD10.2 == 1)   (S_fgrhs - main switch on the FGR control lever)
{
  movb RAM:380AC4 (nwe - Wiedereinsetzdrehzahl, resume speed), whatever is in rl6
}
else
  FF rl6
  FF'd RAM:380AC4 with rl6
unconditional jump to A19EA -> return

I understand the code; the problem was with the variables. But thank you for describing it.
totti
« Reply #16 on: August 13, 2021, 02:07:28 PM »

8AC4 is the short addressing for 380AC4
program flow looks sooo nooby

I've modified it
Code:
ROM:000A592A                 jb      word_FD10.4, loc_A5932   ; bit set: skip the 0FFh load
ROM:000A592E                 movb    rl6, #0FFh               ; bit clear: rl6 = 0FFh
ROM:000A5932
ROM:000A5932 loc_A5932:                              ; CODE XREF: ROM:000A592A↑j
ROM:000A5932                 exts    #38h, #1 ; '8'           ; next instruction: 16-bit operand is an offset in segment 38h
ROM:000A5936                 movb    0ADAh, rl6 ; 380ADAh     ; store rl6 to 380ADAh (long form)
ROM:000A593A                 rets                             ; far return (entered with calls)
ROM:000A593A ; ---------------------------------------------------------------------------
ROM:000A593C                 db 0FFh                          ; FFh padding (free space)
ROM:000A593D                 db 0FFh
ROM:000A593E                 db 0FFh
ROM:000A593F                 db 0FFh
ROM:000A5940 ; ---------------------------------------------------------------------------
ROM:000A5940                 jb      word_FD10.4, loc_A5960   ; bit set: straight to the zwout copy
ROM:000A5944                 movb    rl4, nmot
ROM:000A5948                 cmpb    rl4, #3Eh ; '>'
ROM:000A594C                 jmpr    cc_ULE, loc_A5960        ; nmot <= 3Eh (unsigned): skip
ROM:000A594E                 exts    #38h, #1 ; '8'
ROM:000A5952                 movb    rl4, 9B1h ; 3809B1h      ; load the byte at 3809B1h
ROM:000A5956                 cmpb    rl4, #0
ROM:000A5958                 jmpr    cc_NZ, loc_A5960         ; byte != 0: skip
ROM:000A595A                 movb    rl4, #0E8h
ROM:000A595E                 movb    [r12], rl4               ; only if nmot > 3Eh and 3809B1h == 0: [r12] = 0E8h
ROM:000A5960
ROM:000A5960 loc_A5960:                              ; CODE XREF: ROM:000A5940↑j
ROM:000A5960                                         ; ROM:000A594C↑j ...
ROM:000A5960                 movb    zwout, [r12]             ; zwout = byte at [r12]
ROM:000A5964                 rets
totti
« Reply #17 on: September 14, 2021, 01:46:16 PM »

I would like to modify lamfa when the different conditions are true.
I have an HN 0001 ECU. This is my ecu file:
lamfa_w         , {TargetAFRDriverRequest}          , 0x384ACE,  2,  0x0000, {-}       , 0, 0,  0.000244141,      0, {Lambdasoll Fahrerwunsch (word)}
lamfaw_w        , {}                                , 0x384ACC,  2,  0x0000, {-}       , 0, 0,  0.000244141,      0, {Lambdasoll Fahrerwunsch Anteil aus Kennfeld LAMFA}

I searched for lamfa and lamfaw but I could not find any movb functions to them. How can I find where these variables are written in the code?

Thank you
fukenbroken
« Reply #18 on: September 14, 2021, 11:46:58 PM »

After the lamfa map as usual
Screenshot from another file, but it's the same as yours

any movb

it's a word, so..
DT
« Reply #19 on: September 15, 2021, 01:39:13 PM »

I searched for lamfa and lamfaw but I could not find any movb functions to them. How can I find where these variables are written in the code?
As fukenbroken said, they are words.

With me7idatool the following pictures show what you can produce in IDA in less than 10 min without an a2l/dam for your specific revision.
There are 5+2 positions for lamfa_w and lamfaw_w respectively.
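As an added example (not from the thread and not me7idatool), here is a small Python 3 scanner that does for a word variable what DT's screenshots show: it walks a C166/ST10 code region and reports every MOV/MOVB whose 16-bit mem operand resolves to a given 24-bit address, whether through an EXTS #seg / EXTP #pag prefix (the long form in Reply #16) or through the DPP-relative short form (8AC4 -> 380AC4). Assumptions: DPP2 = 0E0h, as implied by totti's "8AC4 is the short addressing for 380AC4", with DPP0/1/3 left at their reset values; the sample bytes are constructed here to mirror the listing above and the lamfa_w/lamfaw_w addresses from totti's .ecu file, not taken from a real dump; and the sweep uses the standard C166 length rule (opcode low nibble 2..7 or A -> 4 bytes, otherwise 2), so it has to be started on an instruction boundary.

```python
"""C166/ST10 data-reference finder for a raw ECU code region (Python 3, stdlib only).

Added example for this thread; not me7idatool and not the ECU's own code.
It reports MOV/MOVB instructions whose 16-bit mem operand hits a 24-bit target:
  long form : EXTS #seg,#n / EXTP #pag,#n prefix + reg<->mem move (Reply #16)
  short form: DPP-relative 16-bit operand, bits 15..14 select DPP0..3
"""
import struct

# reg<->mem moves: "reg, mem" reads the variable, "mem, reg" writes it.
# F2/F6 are word moves (lamfa_w is a word), F3/F7 are byte moves.
MOVES = {
    0xF2: ("mov", "read"), 0xF6: ("mov", "write"),
    0xF3: ("movb", "read"), 0xF7: ("movb", "write"),
}

# Assumption: DPP2 = 0E0h (8AC4h -> 380AC4h as stated in the thread); DPP0/1/3
# left at their reset values. Read the real values from the ECU's init code.
DPP = (0x000, 0x001, 0x0E0, 0x003)


def insn_len(opcode: int) -> int:
    """C166 length rule: opcode low nibble 2..7 or A -> 4 bytes, else 2."""
    return 4 if (opcode & 0xF) in (2, 3, 4, 5, 6, 7, 0xA) else 2


def resolve_short(mem16: int, dpp=DPP) -> int:
    """Short addressing: DPPx selected by bits 15..14, low 14 bits are the offset."""
    return (dpp[mem16 >> 14] << 14) | (mem16 & 0x3FFF)


def short_form(addr24: int, dpp=DPP):
    """16-bit DPP-relative operand that reaches addr24, or None if no DPP covers its
    page (then the code needs an EXTS/EXTP prefix: one extra 4-byte instruction)."""
    page, offset = addr24 >> 14, addr24 & 0x3FFF
    for n, p in enumerate(dpp):
        if p == page:
            return (n << 14) | offset
    return None


def find_refs(code: bytes, target: int, dpp=DPP) -> list:
    """Linear sweep from offset 0 (must be an instruction boundary).
    Returns (offset, mnemonic, 'read'|'write', 'exts'|'extp'|'short') per hit."""
    hits, i, prefix = [], 0, None          # prefix = [form, base24, instrs_left]
    while i + 1 < len(code):
        op = code[i]
        n = insn_len(op)
        if i + n > len(code):
            break
        if op == 0xD7:                       # EXTS/EXTP with immediate #seg / #pag
            b1 = code[i + 1]
            count = ((b1 >> 4) & 3) + 1      # prefix covers the next 1..4 instructions
            if ((b1 >> 6) & 1) == 0:         # EXTS #seg: operand is a full 16-bit offset
                prefix = ["exts", code[i + 2] << 16, count]
            else:                            # EXTP #pag: low 14 bits of the operand
                prefix = ["extp", (((code[i + 3] & 3) << 8) | code[i + 2]) << 14, count]
        else:
            if op in MOVES:
                mem16 = struct.unpack_from("<H", code, i + 2)[0]
                if prefix:
                    form, base, _ = prefix
                    ea = base | (mem16 if form == "exts" else mem16 & 0x3FFF)
                else:
                    form, ea = "short", resolve_short(mem16, dpp)
                if ea == target:
                    hits.append((i, MOVES[op][0], MOVES[op][1], form))
            if prefix:                       # every instruction consumes one prefix slot
                prefix[2] -= 1
                if prefix[2] == 0:
                    prefix = None
        i += n
    return hits


# --- constructed sample, modelled on the Reply #16 listing and the .ecu lines ---
def exts(seg: int, n: int = 1) -> bytes:
    """EXTS #seg, #n : D7 :00##-0 ss 00 (## = n-1)."""
    return bytes([0xD7, (n - 1) << 4, seg & 0xFF, 0x00])


def mov(op: int, gpr: int, mem16: int) -> bytes:
    """MOV/MOVB between GPR/byte-register n (reg byte F0h|n) and a 16-bit mem operand."""
    return bytes([op, 0xF0 | gpr]) + struct.pack("<H", mem16)


SAMPLE = (
    bytes.fromhex("8A080240")              # jb   word_FD10.4, +2 words
    + bytes.fromhex("E7FCFF00")            # movb rl6, #0FFh
    + exts(0x38) + mov(0xF7, 12, 0x0ADA)   # exts #38h,#1 ; movb 0ADAh, rl6 -> 380ADAh
    + b"\xDB\x00"                          # rets
    + mov(0xF2, 4, 0x8AC4)                 # mov  r4, 8AC4h  (short form of 380AC4h)
    + exts(0x38, 2)                        # exts #38h,#2 covers the next two moves
    + mov(0xF2, 5, 0x4ACE)                 # mov  r5, 4ACEh  -> read  384ACEh (lamfa_w)
    + mov(0xF6, 5, 0x4ACC)                 # mov  4ACCh, r5  -> write 384ACCh (lamfaw_w)
    + b"\xDB\x00"                          # rets
)

if __name__ == "__main__":
    for name, addr in (("lamfaw_w", 0x384ACC), ("lamfa_w", 0x384ACE), ("nwe", 0x380AC4)):
        for off, mnem, rw, form in find_refs(SAMPLE, addr):
            print(f"{name:9s} {addr:06X} {rw:5s} at +{off:02X} {mnem:4s} ({form})")
```

For a real bin, run find_refs over each code range IDA shows as a function (or feed it the whole ROM segment starting at a known function entry); a hit tagged "short" that IDA did not cross-reference usually means IDA's DPP assumption for that range is wrong, not that the code has no reference. short_form() also answers the short/long question directly: 380AC4h has a DPP2 form (8AC4h), 384ACEh lies in page 0E1h and has none, so its accesses must carry the extra exts.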
totti
« Reply #20 on: September 16, 2021, 12:36:00 AM »

Thank you to all of you. I have just started with IDA and I don't know which plugin or tool is needed. Currently I have just loaded the bin and am trying to manually find the code and variables. Can you tell me where I can find the me7idatool?

Thank you
totti
« Reply #21 on: September 16, 2021, 06:55:07 AM »

As fukenbroken said, they are words.

With me7idatool the following pictures show what you can produce in IDA in less than 10 min without an a2l/dam for your specific revision.
There are 5+2 positions for lamfa_w and lamfaw_w respectively.


I found where I can modify lamfaw_w. What I don't know is what to do with the extp command. Change it to calls and the mov command to NOP, or can the extp stay and I change the mov to calls?
fukenbroken
« Reply #22 on: September 16, 2021, 07:12:00 AM »

NOP the extp and replace the mov with calls
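What fukenbroken describes, as an added Python 3 helper that is not the thread's own tooling: the EXTS/EXTP prefix plus the MOV is 8 bytes and NOP;NOP;CALLS is also 8 bytes, so nothing after the site shifts; the hook routine, placed in free FFh space, re-issues the exact 8 bytes it displaced, runs whatever new logic goes between, and comes back with RETS. Two checks a practitioner wants before flashing are built in: the prefix must be #1 (an EXTS #seg,#2 also covers the instruction after the MOV, and NOPping it silently changes that instruction's addressing), and the chosen free space must really be all FFh. Assumptions: addresses equal file offsets (ROM:000A5932 in the listing is file offset 0xA5932 when the bin is loaded at 0; set IMAGE_BASE otherwise), the image bytes are constructed here, and the hook body is left empty, which yields a behaviour-preserving patch to verify first.

```python
"""Build the NOP/NOP/CALLS hook patch for a C166/ST10 ECU image (Python 3, stdlib only).

Added example for this thread; constructed sample bytes, not a real dump.
Encodings from the C166 instruction set manual:
  NOP                 CC 00
  CALLS seg, off      DA ss oo oo   far call, 4 bytes, paired with RETS
  RETS                DB 00
  EXTS/EXTP ...       D7 xx .. ..   4 bytes, prefixes the next 1..4 instructions
  MOV/MOVB reg<->mem  F2/F3/F6/F7 RR oo oo
"""
import struct

NOP, RETS = b"\xCC\x00", b"\xDB\x00"
MOVE_OPCODES = {0xF2, 0xF3, 0xF6, 0xF7}
IMAGE_BASE = 0x000000   # assumption: file offset == C166 address (bin loaded at 0)


def calls(addr24: int) -> bytes:
    """CALLS seg, offset: DA ss oo oo (offset little-endian)."""
    return bytes([0xDA, (addr24 >> 16) & 0xFF]) + struct.pack("<H", addr24 & 0xFFFF)


def calls_target(image: bytes, off: int) -> int:
    """Decode the CALLS at `off` back to its 24-bit target (to verify a patch)."""
    if image[off] != 0xDA:
        raise ValueError(f"no CALLS at {off:#08x}")
    return (image[off + 1] << 16) | struct.unpack_from("<H", image, off + 2)[0]


def check_site(image: bytes, site: int):
    """None if `site` holds an 'EXT* #1 + MOV' pair that can be hooked safely,
    otherwise a string saying why not."""
    pair = bytes(image[site:site + 8])
    if len(pair) != 8 or pair[0] != 0xD7 or pair[4] not in MOVE_OPCODES:
        return "expected D7 (EXTS/EXTP) followed by F2/F3/F6/F7 (MOV/MOVB)"
    if ((pair[1] >> 4) & 3) + 1 != 1:
        return "prefix covers more than the MOV; NOPping it changes the next instruction too"
    if site & 1:
        return "site is not word aligned"
    return None


def hook_site(image: bytearray, site: int, hook_addr: int) -> bytes:
    """Replace the 8-byte EXT*+MOV at file offset `site` with NOP;NOP;CALLS hook_addr
    (same length, so nothing after it moves). Returns the displaced 8 bytes."""
    problem = check_site(image, site)
    if problem:
        raise ValueError(f"{site:#08x}: {problem}")
    if hook_addr & 1:
        raise ValueError("hook address must be word aligned")
    displaced = bytes(image[site:site + 8])
    image[site:site + 8] = NOP + NOP + calls(hook_addr)
    return displaced


def build_hook(displaced: bytes, body: bytes = b"") -> bytes:
    """Hook routine: re-issue the displaced EXT*+MOV (absolute addressing, so it works
    from any code segment), run `body`, return to the caller with RETS."""
    return displaced + body + RETS


def place_hook(image: bytearray, hook_addr: int, hook: bytes) -> None:
    """Write the hook into free space, refusing to overwrite anything but FFh padding."""
    off = hook_addr - IMAGE_BASE
    if any(b != 0xFF for b in image[off:off + len(hook)]):
        raise ValueError(f"{hook_addr:#08x}: free space is not all FFh")
    image[off:off + len(hook)] = hook


def demo():
    """Constructed 64-byte image: at 0x10 'exts #38h,#1 ; mov 4ACCh, r5 ; rets'
    (a store to lamfaw_w from the .ecu file), FFh everywhere else."""
    image = bytearray(b"\xFF" * 0x40)
    image[0x10:0x1A] = bytes.fromhex("D7003800" "F6F5CC4A" "DB00")
    displaced = hook_site(image, 0x10, 0x20)
    hook = build_hook(displaced)            # empty body: behaves exactly like before
    place_hook(image, 0x20, hook)
    return image, displaced, hook


if __name__ == "__main__":
    image, displaced, hook = demo()
    print("site :", image[0x10:0x1A].hex(" ", 1))
    print("hook :", image[0x20:0x20 + len(hook)].hex(" ", 1))
    print("CALLS ->", hex(calls_target(image, 0x14)))
```

Once the empty-body hook is confirmed to behave exactly like the stock code, the new lamfaw_w logic goes into `body`; anything it does to R-registers other than the one the displaced MOV stores must be saved and restored, because the caller does not expect a far call at that point.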
totti
« Reply #23 on: September 16, 2021, 09:41:46 AM »

8AC4 is the short addressing for 380AC4
program flow looks sooo nooby

Is there any benefit to using the short or the long address?
fukenbroken
« Reply #24 on: September 16, 2021, 10:37:50 AM »

Fewer operations = less CPU load.
Pretty sure it's unnecessary in that case, but optimization skill always counts.
totti
« Reply #25 on: September 16, 2021, 12:51:35 PM »

Fewer operations = less CPU load.
Pretty sure it's unnecessary in that case, but optimization skill always counts.


Thank you. I will read about the C166 to understand why RAM is mapped into two spaces.