|
masterj
|
 |
« Reply #75 on: December 11, 2012, 08:18:24 PM »
|
|
|
Hi, fellow nefmotoers! Is there on nefmoto definition file for ME7.5 binary that has defined ESKONF bytes ? I mean full definition like: 0. ZUE4 ZUE3 ZUE2 ZUE1
1. NC NC NC NC
2. EV4 EV3 EV2 EV1
3. LSHHK EFLA SU/LDR TEV
4. BKV NC AAV MIL
5. NC NC EKP SLP
6. ULT EAGR SLV NWS I have found ESKONF on my file (4B...DC) @ 10D34, but without example file I can't compare bytes to know their order (IIRC Phila_dot said that it is different on each binary). I suspect that first 4 bytes are actually these: 0. ZUE4 ZUE3 ZUE2 ZUE1
1. NC NC NC NC
2. EV4 EV3 EV2 EV1
3. LSHHK EFLA SU/LDR TEV but the other bytes doesn't look like they're same as in FR |
|
|
|
|
Logged
|
|
|
|
|
phila_dot
|
|
« Reply #76 on: December 12, 2012, 04:16:47 PM »
|
|
|
The bit pairs are laid out the same in all of the 2.7t S4 binaries that I have looked at.
The other files that I have looked at are definitely not.
I have concluded that ESKONF in the S4 files is actually 13 bytes starting at 10C75.
|
|
|
|
« Last Edit: December 12, 2012, 08:34:59 PM by phila_dot »
|
Logged
|
|
|
|
|
masterj
|
|
« Reply #77 on: December 14, 2012, 02:19:03 AM »
|
|
|
The bit pairs are laid out the same in all of the 2.7t S4 binaries that I have looked at.
The other files that I have looked at are definitely not.
I have concluded that ESKONF in the S4 files is actually 13 bytes starting at 10C75.
Are you sure about 10C75? :O I have S4 file (8D0907551G 360855) and it is fully defined. @ 10C75 it is GAFGRO map... Anyway, in my file where I think ESKONF is: 10D34: AA FF 00 30 FF F8 30 but just after this there's: 10D3B: AA FF 00 30 3F F8 30 . Both portions of hex looks like ESKONF, no?  And If it is normally bigger that FR 7 bytes, then in my file it should be 14bytes... OR maybe there are two ESKONF versions? like ESKONF_0_A & ESKONF_1_A both in 7byte sizes? |
|
|
|
|
Logged
|
|
|
|
|
phila_dot
|
|
« Reply #78 on: December 14, 2012, 06:15:47 AM »
|
|
|
Are you sure about 10C75? :O I have S4 file (8D0907551G 360855) and it is fully defined. @ 10C75 it is GAFGRO map... Anyway, in my file where I think ESKONF is: 10D34: AA FF 00 30 FF F8 30 but just after this there's: 10D3B: AA FF 00 30 3F F8 30 . Both portions of hex looks like ESKONF, no? And If it is normally bigger that FR 7 bytes, then in my file it should be 14bytes... OR maybe there are two ESKONF versions? like ESKONF_0_A & ESKONF_1_A both in 7byte sizes? Ok...I wrote that post like an idiot. They are laid out the same, not all at the same location. M box is 10C75. What do you see in IDA? The AA FF's in yours are likely ZUE and EV. |
|
|
|
|
Logged
|
|
|
|
|
masterj
|
|
« Reply #79 on: December 18, 2012, 06:13:30 PM »
|
|
|
Ok...I wrote that post like an idiot. They are laid out the same, not all at the same location. M box is 10C75.
What do you see in IDA?
The AA FF's in yours are likely ZUE and EV.
Hi, philla! Yes I think that AA FF are first two bytes as in FR, but what about the other ones? Here's all I see in IDA: seg003:10D34 db 0AAh ; ¬
seg003:10D35 db 0FFh
seg003:10D36 db 0
seg003:10D37 db 30h ; 0
seg003:10D38 db 0FFh
seg003:10D39 db 0F8h ; °
seg003:10D3A db 30h ; 0
seg003:10D3B db 0AAh ; ¬
seg003:10D3C db 0FFh
seg003:10D3D db 0
seg003:10D3E db 30h ; 0
seg003:10D3F db 3Fh ; ?
seg003:10D40 db 0F8h ; °
seg003:10D41 db 30h ; 0 No direct references and also no indirect references with the method I know (810D35h - 204h * 4000h). Searched for D35h in text mode and no results either.... Please advise... Thanks |
|
|
|
|
Logged
|
|
|
|
|
Bische
|
|
« Reply #80 on: February 07, 2013, 04:28:30 AM »
|
|
|
Just wanted to take 10min to make a reply here and thank everyone for the info, I have begun to invest time in IDA pro now and I have now aquired enough understanding to find desired RAM variables for logging.  The more I stare at the code the better "feel" I get, also gaining alot of speed at the same time. I found the graph view really good also for getting a better/faster understanding of code flow. I have also bought the IDA pro unofficial guide book by Chris Eagle. Here is a screenshot of my disassembly virgin taken, rkukg_w |
|
|
|
|
Logged
|
|
|
|
|
masterj
|
|
« Reply #81 on: February 11, 2013, 11:31:43 AM »
|
|
|
Peeps, I started getting B1S1 malfunction dtc... Can someone tell me which functions is responsible for this? Also readiness is not passed for oxygen sensors and evap. Any ideas? Oxygen sensor is brand new
|
|
|
|
|
Logged
|
|
|
|
|
ddillenger
|
|
« Reply #82 on: February 11, 2013, 11:34:57 AM »
|
|
|
(kind of unrelated)
How are you checking readiness? It's been my experience that vcds reports PASSED for unsupported monitors. I've verified this with several scanners.
(end of OT)
|
|
|
|
|
Logged
|
Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience!
Email/Google chat:
DDillenger84(at)gmail(dot)com
Email>PM
|
|
|
|
phila_dot
|
|
« Reply #83 on: February 11, 2013, 12:17:40 PM »
|
|
|
(kind of unrelated)
How are you checking readiness? It's been my experience that vcds reports PASSED for unsupported monitors. I've verified this with several scanners.
(end of OT)
Ready bit is automatically set for unsupported functions. You have to check evsup1 for supported/unsupported. |
|
|
|
|
Logged
|
|
|
|
|
catbed
|
|
« Reply #84 on: February 11, 2013, 03:13:37 PM »
|
|
|
Hi, fellow nefmotoers! Is there on nefmoto definition file for ME7.5 binary that has defined ESKONF bytes ? I mean full definition like: 0. ZUE4 ZUE3 ZUE2 ZUE1
1. NC NC NC NC
2. EV4 EV3 EV2 EV1
3. LSHHK EFLA SU/LDR TEV
4. BKV NC AAV MIL
5. NC NC EKP SLP
6. ULT EAGR SLV NWS I have found ESKONF on my file (4B...DC) @ 10D34, but without example file I can't compare bytes to know their order (IIRC Phila_dot said that it is different on each binary). I suspect that first 4 bytes are actually these: 0. ZUE4 ZUE3 ZUE2 ZUE1
1. NC NC NC NC
2. EV4 EV3 EV2 EV1
3. LSHHK EFLA SU/LDR TEV but the other bytes doesn't look like they're same as in FR My 018CH file follows the FR for bit pair locations, just not the same factory values. I know this because I have an OTS 630 bin with SLS and SLV changed in ESKONF. The bit pairs changed match the FR diagrams. |
|
|
|
|
Logged
|
|
|
|
|
catbed
|
|
« Reply #85 on: February 11, 2013, 03:15:46 PM »
|
|
|
Peeps, I started getting B1S1 malfunction dtc... Can someone tell me which functions is responsible for this? Also readiness is not passed for oxygen sensors and evap. Any ideas? Oxygen sensor is brand new
I also have this B1S1 Malfunction. I reverted ESKONF to before I removed post-cat o2 but the B1S1 malfunction DTC is still there. Sorry I am not much help with disassembly, baby steps lol. |
|
|
|
|
Logged
|
|
|
|
fever
Newbie
Karma: +2/-0
 Offline
Posts: 23
|
|
« Reply #86 on: March 15, 2013, 06:19:01 AM »
|
|
|
Hi ! maybe someone could explain this a little please.
I am looking at AL/NLS posted on this forum and can't figure out something.
There is for example.
seg018:E808 exts #81h, #1 ; 'ь'
seg018:E80C mov r9, 7E00h ; 817E00h
(817E00h-7E00h)/4000h=204h
Why we set exts to #81h ? (so calculation will be 81h*10000h instead of 4000h)
How to calculate address right in this situation.
Many thanks!
|
|
|
|
|
Logged
|
|
|
|
fever
Newbie
Karma: +2/-0
Offline
Posts: 23
|
|
« Reply #87 on: March 18, 2013, 04:51:13 AM »
|
|
|
Think i got it. Page and segment.
But why used exts vs extp?
|
|
|
|
|
Logged
|
|
|
|
|
phila_dot
|
|
« Reply #88 on: March 18, 2013, 05:11:06 AM »
|
|
|
Just a different way to do it.
Doesn't make a difference, one way or the other.
|
|
|
|
|
Logged
|
|
|
|
fever
Newbie
Karma: +2/-0
Offline
Posts: 23
|
|
« Reply #89 on: March 18, 2013, 06:17:27 AM »
|
|
|
Just a different way to do it.
Doesn't make a difference, one way or the other.
As i thought, thank you for clarify. =) |
|
|
|
|
Logged
|
|
|
|
|
