|
prj
|
 |
« Reply #45 on: January 02, 2013, 10:10:08 AM »
|
|
|
I looked at a few binaries. I think the CRC ranges are the same for almost all (if not all) 29F800BB ECU's. And also the same for 29F400BB ECU's. I looked at ME7.5, ME7.1.1, ME7.1 and so on. So I don't think a pattern is needed here  |
|
|
|
|
Logged
|
|
|
|
360trev
Full Member
Karma: +68/-2
 Offline
Posts: 235
|
|
« Reply #46 on: January 02, 2013, 10:17:34 AM »
|
|
|
Not familiar at all with other variants of ME7 other than VAG.
I could not find any similar routines in 10 minutes.
The routines for the CRC checksumming in the VAG ECU's are in the flash, not in the processor ROM.
I don't know how this is solved on the Ferrari ECU. It is possible it has the CRC check, but implementation can be completely different.
Or maybe I am just blind.
Prj, Is there a possibility it doesn't actually have this checksum? If someone could patch a few bytes in the 360 dump and then run it through a working tool we should be able to binary diff the differences... At least we'd know then for sure if it actually has any extra checks! |
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #47 on: January 02, 2013, 10:47:35 AM »
|
|
|
Sorry, I don't know much about the ECU in Ferraris, other than that it is a ME7.
I think the CRC checksum could be indeed vendor specific.
From the VAG side, the checksum plugin should assume the ranges, and then verify these ranges using pattern search before trying to compute a checksum.
Just to make sure. And if the range can not be found via pattern offset, then error out, rather than modify a wrong portion of the file.
|
|
|
|
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #48 on: January 02, 2013, 10:54:58 AM »
|
|
|
360: i changed a few things so it can compile with nmake/cl.exe as well.
|
|
|
|
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #49 on: January 02, 2013, 10:59:13 AM »
|
|
|
Also, we should maybe reorder the args so it can be
me7sum ini in.bin out.bin
so we can optionally do
me7sum ini in.bin
for "readonly" mode (see Config.readonly)...
ETA: i've changed my version to do that..
|
|
|
|
« Last Edit: January 02, 2013, 12:39:56 PM by nyet »
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #50 on: January 02, 2013, 01:34:06 PM »
|
|
|
Prj,
Is there a possibility it doesn't actually have this checksum?
If someone could patch a few bytes in the 360 dump and then run it through a working tool we should be able to binary diff the differences... At least we'd know then for sure if it actually has any extra checks!
Well, fortunately, the 360 bin you gave me has all 0xffffffff in the stored CRCs, so we can easily skip the CRC check if it sees 0xffffffff.. should i make that change? |
|
|
|
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #51 on: January 02, 2013, 01:39:57 PM »
|
|
|
I looked at a few binaries. I think the CRC ranges are the same for almost all (if not all) 29F800BB ECU's. And also the same for 29F400BB ECU's. I looked at ME7.5, ME7.1.1, ME7.1 and so on. So I don't think a pattern is needed here My c-box is reporting Step #1: Reading main ROM CRC... Adr: 0x010002-0x013FFE @0x7a866 CRC: 0x4088F86A CalcCRC: 0x52FFEEB7 ** NOT OK ** Adr: 0x014252-0x017F4E @0x7a86c CRC: 0x4088362E CalcCRC: 0x7BBE718F ** NOT OK ** Adr: 0x018192-0x01FBB0 @0x7a872 CRC: 0xFDE63610 CalcCRC: 0x6DD1EF27 ** NOT OK ** |
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #52 on: January 02, 2013, 01:49:47 PM »
|
|
|
29F400BB should be... (might be wrong, just having a quick look at a ME75 file)
0x810000 - 0x814000
0x814300 - 0x817F68
0x818191 - 0x81FC00
|
|
|
|
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #53 on: January 02, 2013, 01:53:02 PM »
|
|
|
F:
Step #1: Reading main ROM CRC...
Adr: 0x010002-0x013FFE @0x7a866 CRC: 0xF5E6700E CalcCRC: 0x77D806F1 ** NOT OK **
Adr: 0x014252-0x017F4E @0x7a86c CRC: 0xA696F564 CalcCRC: 0x72F852F7 ** NOT OK **
Adr: 0x018192-0x01FBB0 @0x7a872 CRC: 0x8EF7A691 CalcCRC: 0xDA302687 ** NOT OK **
G:
Step #1: Reading main ROM CRC...
Adr: 0x010002-0x013FFE @0x7a866 CRC: 0x25804ED4 CalcCRC: 0xFB8B3F8F ** NOT OK **
Adr: 0x014252-0x017F4E @0x7a86c CRC: 0x25A4FCE6 CalcCRC: 0x1575B32F ** NOT OK **
Adr: 0x018192-0x01FBB0 @0x7a872 CRC: 0xCE000207 CalcCRC: 0xD65C0509 ** NOT OK **
K:
Step #1: Reading main ROM CRC...
Adr: 0x010002-0x013FFE @0x7a866 CRC: 0x5088F800 CalcCRC: 0xA13F9F2B ** NOT OK **
Adr: 0x014252-0x017F4E @0x7a86c CRC: 0x50888A40 CalcCRC: 0xC52D9DB4 ** NOT OK **
Adr: 0x018192-0x01FBB0 @0x7a872 CRC: 0xF5E622C0 CalcCRC: 0xABABDCAD ** NOT OK **
T:
Step #1: Reading main ROM CRC...
Adr: 0x010002-0x013FFE @0x7a866 CRC: 0x8056F3F6 CalcCRC: 0x0B927F86 ** NOT OK **
Adr: 0x014252-0x017F4E @0x7a86c CRC: 0xF1F20207 CalcCRC: 0x9070CCBA ** NOT OK **
Adr: 0x018192-0x01FBB0 @0x7a872 CRC: 0x020750D7 CalcCRC: 0x14D9A89C ** NOT OK **
|
|
|
|
|
Logged
|
|
|
|
360trev
Full Member
Karma: +68/-2
Offline
Posts: 235
|
|
« Reply #54 on: January 02, 2013, 02:08:27 PM »
|
|
|
This is getting confusing  |
|
|
|
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #55 on: January 02, 2013, 02:14:57 PM »
|
|
|
prj/phila: one of you mentioned that the CRC check isn't actually done most of the time? Can you elaborate? Maybe I can ditch it altogether for now, and concentrate on auto-finding the multipoint and main checksum areas.
|
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #56 on: January 02, 2013, 06:17:17 PM »
|
|
|
Nye, the CRC locations are wrong too, you can't use the ones from 29F800.
On 29F400 they are 0x86693C, 0x866942 and 0x866948.
Checksum algorithms are not exactly my strong suite, so if there is anything else you need to calculate those CRC's let me know ...
|
|
|
|
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #57 on: January 02, 2013, 06:47:50 PM »
|
|
|
Well i am hoping they aren't important... BUT alternately, if they are, i need some sort of pseudo code that describes how I might automatically find them.. Same goes for multipoint and main, if you have an opinion on either My basic idea is to look for 1) block start/stop patterns (they seem to be 0x4000 aligned most of the time) 2) csum/inv-csum pairs the CRC blocks start/stop seem to be somewhat arbitrary, and the CRC value locations don't seem to be paired with inverse CRC values  |
|
|
|
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #58 on: January 02, 2013, 06:52:57 PM »
|
|
|
Nye, the CRC locations are wrong too, you can't use the ones from 29F800.
On 29F400 they are 0x86693C, 0x866942 and 0x866948.
Checksum algorithms are not exactly my strong suite, so if there is anything else you need to calculate those CRC's let me know ...
no joy on C-box Step #1: Reading main ROM CRC... Adr: 0x010000-0x014000 @0x6693c CRC: 0xF4F209DD CalcCRC: 0xEB231C60 ** NOT OK ** Adr: 0x014300-0x017F68 @0x66942 CRC: 0xA5A2F442 CalcCRC: 0xDDE14F6C ** NOT OK ** Adr: 0x018191-0x01FC00 @0x66948 CRC: 0xF57425E0 CalcCRC: 0xA2562CE0 ** NOT OK ** Step #1: Reading main ROM CRC... Adr: 0x010000-0x013FFF @0x6693c CRC: 0xF4F209DD CalcCRC: 0x22402F9B ** NOT OK ** Adr: 0x014300-0x017F67 @0x66942 CRC: 0xA5A2F442 CalcCRC: 0xE359D549 ** NOT OK ** Adr: 0x018191-0x01FBFF @0x66948 CRC: 0xF57425E0 CalcCRC: 0x3E37E205 ** NOT OK ** which 400 are you looking at? |
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #59 on: January 02, 2013, 07:37:00 PM »
|
|
|
ME7.5 8N...somethingAC.
I guess that pattern searcher might come in handy after all.
I will disassemble the 551C later.
|
|
|
|
|
Logged
|
|
|
|
|
