Hello people, as a owner of a succesful VW 1.4 16v stage 2 I wanted to dig deeper into my ECU and retrieve RAM addresses so I can fully log all the values I need with ME7logger. Unfortunately for me. This whole trend ended with the 1.8t ME7.5 and nothing is to be found online past that. My ECU is 036906032G 0261207190 1037363461 SW: 4411 .

My first question is if ME7.5.10 (C167CR_SR) follows the same procedure like other me7 with disassembly.
I followed these steps:

• I loaded 32kb IROM file first as base with the range 0x0 - 0x7FFF, choose C167CR_SR in IDA and untick all the auto segments.
• I created IRAM segment of 0xE000-0xFFFF with "Create Segment" option
• Created EXT_RAM segment of 0x380000 - 0x38FFFFF with same way.
• Additional Bin load my flash file which is 512kb (AM29F400BB) ... not like most 1MB files as most posts mention here, set segment to 0x800000 - 0x8FFFFF.
• Set DPP blocks: dpp0:0x0204, dpp1:0x0205, dpp2:0x00E0, dpp3:0x003

After I did this i ran Andys script and it seems like it worked .. kind of. I was able to search for bytes/words and cross reference some addresses which Me7Info provides in the ECU files but alot of them I wasn't able to find.

The CPU 32K file which I'm using is the same ECU OE number but it's from the internet and it's a different SW version 4433. But when i created an ECU file with it. The addresses were the same, just one was different.

I have a strong feeling i'm doing a wrong step somewhere, because alot of the functions end with empty paths that don't link up properly. I also have a slight suspicion i'm doing segments wrong. Because creating for example the IRAM segment just creates a full block of ?? ?? ?? ?? HEX... so basically empty.
I also found out about the AutoIT script but i wasn't able to run any of it as my IDA version is 9.2.

I'm currently looking for fr_w, fra_w, gangi(idk if my ecu has it), lamsbg_w, lamsoni_w, ti_b1
If anyone would be nice enough to tell me if i'm going the right track or if i'm doing something wrong / provide some tips. I would really appreciate it as ive been stuck for 14 days already trying to find methods how to do it properly and i'm just stuck browsing empty forums for hours...

I will provide my original bin file and the MPC 32K file. (I also have 512b SFR file... idk what to do with it..)

Thank you for the response and tips!...

Basically i've been stuck on this for the past 14 days... hours of my day just stuck on loading in binaries and hitting a dead end 
I don't know what i am doing wrong, but i've not been able to cross reference any values found in the a2l or the ECU file.

As i said i have a strong feeling i'm doing a wrong step somewhere because every single script or tutorial online is made for the 1MB files 29f800bb reads, and mine is a 29f400bb. Would you happen to know the right memory layout for this 512kb version?.

It's also a huuge pain in the butt with IDA and loading multiple files and segmenting them. Its such a hassle. I've made a connected CPU+FLASH file that i use so it's easier to segment but then again none of the scrips work if i use that bigger file. I had better splitting options in Ghirda... IDA just doesnt allow you to split segments easily.

Also i noticed IDA for some reason loads the memory segments of C167 right one every 3 loads or such. Once it puts the RAM at 0x38000 and once it doesnt even create that.
My brain has been filled with letters and numbers and load binary file 

And do you have any idea what could be a 284kb file made from the full BDM read? I have 512kb flash, 32kb CPU, 512byte EEPROM and some weird no extension 284kb file thats filled with bytes till 46Cxx. I wasn't able to find this whole segment in my FLASH so dont think it's a mirror. What component makes a 284kb file on the BDM.... weird.

Wow, Thank you so much for taking your time to explain it in steps for me and even send the files. This really helped me alot. I learn the best when it's given like this. If i get a better defined file I will be sure to test and post it here afterwards.