Read the Tricore documentation and understand the memory map.

Once you know the entry point you can disassemble code and from that xrefs to data will fall out.

There are no imports in a full firmware file since it is all of the code running on the ECU (besides the boot ROM) - there is no dynamic linker and nothing to import!

Find an A2L and you have a map of all RAM variables for application software. For the bootloaders you pretty much just have to disassemble and look around and start naming things.

Generally calibration is a fixed area within Flash on newer ECUs. EEPROM is volatile data like adaptations, immo, fault information, etc. The A2L will sometimes also tell you which Flash block area is called what which can be helpful.

A lot of Bosch RE people here also play on easy mode with leaked ELFs with symbols which can be cross correlated.

IDK if it helps you, but my logger will ram log and live tune this thing.
But not sure what you want to do.

yeah, to be quite honest im not sure if that would help me either; but i'd be interested to look into that more and see if it would! When you say that it will live tune my ECU, is that over CAN? I'm basically interested in reverse engineering the firmware update over CAN. At this point I have the Seed2Key algorithm to unlock the ECU for firmware update over CAN, and I'm just trying to learn about a few more of the details, i.e. encoding/encrypting the firmware, CRC formatting/algorithm and so on. Thanks to d3irb & k0mpressed I have a solid and trustworthy disassembly of the firmware now, and I'm trying to get through it while learning the TriCore assembly haha! I am not sure how to fit in the eeprom dump that k0mpressed posted but I know that's part of the picture.

Dynamic analysis of the firmware would help tons, but I'm conflicted to go at it from a hardware/JTAG perspective which I've already kinda started trying to figure out, or try to use qemu like d3irb has done with the Simos18, I've gotten as far as compiling qemu with d3irb's additions but i don't have any Simos18 firmware to test that out, and I may just go ahead and try to make a similar but different addition for ME17.8.5. Not sure if I know enough, since I'm not entirely certain where the eeprom would get mapped into memory.

Thanks again for all your replies d3irb & prj!

EDIT: i've tried to read TriCore docs to figure out where the EEPROM dump from k0mpressed would be mapped but I'm coming up short. Using Qemu would be useless if I can't figure out where this data would be mapped and provide it to Qemu somehow, even if I can get it to work with the firmware somehow, so at this point it seems like my best plan would be to keep hammering away at getting JTAG to work and then use that to at least just cross reference that with what I'm seeing in the EEPROM and find the correct mapping for that data. My best guess is that the EEPROM dump is some concatination of several data segments. I'll repost the files that I got from k0mpressed's dump here just for reference in case anyone wants to look.

Oh cool thats great to know thank you, yeah, I'm interested in checking out your logger - do you have it up somewhere or would you be down to send it to me? How does it log RAM? Also what is CBOOT? I'm assuming ASW is just application software, so you're talking about the main firmware logic that I've disassembled and is what I'm looking at.

When you talk about abusing the SID table, that would basically require me to patch the firmware and insert my own code that would write to RAM like you said, so I would flash some patched firmware and then inspect it with your logger? All this would require for me to find the SID table too.. Thats been one of the main targets I've been trying to find with the firmware RE I've been doing, I've spent some time reading through the KWP2000 documents and cross referencing with the SIDs I've seen BitBox use to flash firmware over CAN and there are several manufacturer specific SIDs, and I think they probably have to do with encryption and/or CRC. Maybe the SID table lives in the EEPROM though.

Thanks again prj, this is super helpful and I really appreciate it!

Can I ask what is a CBOOT? At first I thought you meant Cold Boot and someone is telling me it means Customer Boot? What is this?