Definitely curious.
The signal table refer to the %TKMWL Testerkommunikation; Meßwerte lesen
To create your initial signature / pattern to find the table, I look where TKMWLMW is being used. Then I can see the function that push the measurement value to the table
I named it for PUSH_TO_TABLE. By looking at the first reference to this function, you can find the function that compute this table.
That function looks very similar for all ME7 and even the MED9 (of course different instruction set). You can now identify NA_nr, NORMWERT and the variable that hold the value of the measurement
Under the Jump indirect, you can find your signal table
I added some comments, but it is self-explanatory. When a Nr get skipped, it is being processed in the same location (dual-bank system, etc)
If you work on one engine or very similar controller, you could make a script that identify the location of your signal table, then parse it and use signatures to identify your RAM locations. I think this would be the shortest path to achieve what you want
There are surely other ideas out there. Personally, I was looking into making an interpreter for C166 instructions that would go through the function to properly find variables and their RAM location. This way it would support all ME7
This code is also stored into the AM29F800 on the ST10 ECUs which make it convenient as no readout of the processor is required
Those are rough explanations, I am not that great to explain stuff. I hope this helps
Unrelated, but it might also interest you. For reading ECU that are "locked", you can use the checksum routine to map the whole file. There are clever ways to optimize it and have quick readouts as well
