Topic: ME7.5.10 Disassembly tips / help
markus2900
« on: April 13, 2026, 12:35:19 PM »

Hello people, as an owner of a successful VW 1.4 16v stage 2 I wanted to dig deeper into my ECU and retrieve RAM addresses so I can fully log all the values I need with ME7logger. Unfortunately for me, this whole trend ended with the 1.8t ME7.5 and nothing is to be found online past that. My ECU is 036906032G 0261207190 1037363461 SW: 4411.

My first question is whether ME7.5.10 (C167CR_SR) follows the same disassembly procedure as other ME7.
I followed these steps:
  • I loaded the 32kb IROM file first as the base with the range 0x0 - 0x7FFF, chose C167CR_SR in IDA and unticked all the auto segments.
  • I created an IRAM segment of 0xE000-0xFFFF with the "Create Segment" option.
  • Created an EXT_RAM segment of 0x380000 - 0x38FFFFF the same way.
  • Additional binary load of my flash file, which is 512kb (AM29F400BB) ... not like the 1MB files most posts mention here, set segment to 0x800000 - 0x8FFFFF.
  • Set DPP blocks: dpp0:0x0204, dpp1:0x0205, dpp2:0x00E0, dpp3:0x003

After I did this I ran Andy's script and it seems like it worked .. kind of. I was able to search for bytes/words and cross-reference some addresses which Me7Info provides in the ECU files, but a lot of them I wasn't able to find.

The CPU 32K file which I'm using is for the same ECU OE number, but it's from the internet and it's a different SW version, 4433. But when I created an ECU file with it, the addresses were the same, just one was different.

I have a strong feeling I'm doing a wrong step somewhere, because a lot of the functions end with empty paths that don't link up properly. I also have a slight suspicion I'm doing segments wrong, because creating for example the IRAM segment just creates a full block of ?? ?? ?? ?? HEX... so basically empty.
I also found out about the AutoIT script but I wasn't able to run any of it as my IDA version is 9.2.

I'm currently looking for fr_w, fra_w, gangi (idk if my ECU has it), lamsbg_w, lamsoni_w, ti_b1.
If anyone would be nice enough to tell me if I'm on the right track or if I'm doing something wrong / provide some tips, I would really appreciate it, as I've been stuck for 14 days already trying to find methods for how to do it properly and I'm just stuck browsing empty forums for hours...

I will provide my original bin file and the MPC 32K file. (I also have a 512b SFR file... idk what to do with it..)
« Last Edit: April 13, 2026, 01:05:10 PM by markus2900 » Logged
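
An added example, not part of the original post or of any script it mentions: the C167 DPP translation applied to the DPP values and segment bases listed in the post, mapping 16-bit operands to physical addresses and back. The EXT_RAM end address and the sample addresses are assumptions constructed for illustration.

```python
PAGE_BITS = 14                          # C167 data pages are 16 KB
DPP = [0x0204, 0x0205, 0x00E0, 0x0003]  # dpp0..dpp3 as listed in the post

# Segment layout from the post, (start, end) inclusive.
SEGMENTS = {
    "IROM":    (0x000000, 0x007FFF),
    "IRAM":    (0x00E000, 0x00FFFF),
    "EXT_RAM": (0x380000, 0x38FFFF),                # end address is an assumption
    "FLASH":   (0x800000, 0x800000 + 512 * 1024 - 1),  # 512 KB image
}

def to_physical(addr16, dpp=DPP):
    """Translate a 16-bit DPP-relative data address to a physical address."""
    if not 0 <= addr16 <= 0xFFFF:
        raise ValueError("expected a 16-bit address")
    page = dpp[addr16 >> PAGE_BITS] & 0x3FF      # bits 15..14 pick the DPP
    return (page << PAGE_BITS) | (addr16 & 0x3FFF)

def to_operands(phys, dpp=DPP):
    """16-bit operand values that reach `phys` through the given DPPs."""
    page, offset = phys >> PAGE_BITS, phys & 0x3FFF
    return [(i << PAGE_BITS) | offset
            for i, p in enumerate(dpp) if (p & 0x3FF) == page]

def locate(phys):
    """Return (segment name, offset inside it), or (None, None) if unmapped."""
    for name, (start, end) in SEGMENTS.items():
        if start <= phys <= end:
            return name, phys - start
    return None, None

if __name__ == "__main__":
    # Constructed sample operands, one per DPP window.
    for op in (0x0000, 0x4000, 0x8A2C, 0xF600):
        phys = to_physical(op)
        print(f"operand 0x{op:04X} -> 0x{phys:06X} {locate(phys)}")
    # Constructed logger-style RAM addresses: which 16-bit word to search for.
    for ram in (0x380A2C, 0x384000):
        print(f"0x{ram:06X} <- {[hex(o) for o in to_operands(ram)]}")
```

An empty list from `to_operands` means the address is not reachable through these four DPP values, so a search for a plain 16-bit operand will not find it.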
fknbrkn
« Reply #1 on: Today at 06:10:51 AM »

in general yes you're on the right track

there are 1.4 a2l available so you have to disassemble this public file, get a cross-reference of fr_w address for example and search for the similar code flow in your file.

the easiest way here is when this variable is used by some map so you can find this map in your file and then find this map in ida and in most cases the code looks the same and you'll find the

or

FR page 1555 about diagnostic variables
it's possible to find some rare variable like mdverl_w and get a place where it's listed one by one with formulas so it's possible to track it up to yours (you'll see r6 r7 registers with formula values here)



not a 5 min job for a novice for sure