Topic: Open Source Checker for ME7...
360trev
« Reply #90 on: January 03, 2013, 05:00:51 PM »

360: it already detects the multipoint no problem; I just loosened the matching parameters some (see latest git checkin). What I can't find is the CRC blocks.

Yes, but this way should be guaranteed for ANY variant, it derives it from the actual code init function, without using signatures which may or may not always work and could hit false positives.

Here's the full checksum routine in case anyone is interested; it requires fully commenting, however...

Code:

Multipoint:
mov [-r0], r9                          ; save r6..r9 on the user stack
mov [-r0], r8
mov [-r0], r7
mov [-r0], r6
calls 86h, CHECK1                      ; far call into segment 86h
movb rl4, loop_counter
cmpb rl4, #1
jmpa cc_NZ, exit_chk                   ; only run while loop_counter == 1
movb rl5, initvar3
cmpb rl5, #4
jmpr cc_NC, chk2                       ; initvar3 >= 4: every region summed, go compare
mov r8, MainRom_Checksum_START_Low_cpy ; r9:r8 = current read pointer (segment:offset)
mov r9, MainRom_Checksum_START_High_cpy
mov r7, #0                             ; words summed in this pass
jmpr cc_UC, Check_Done_1024

chk7:
exts r9, #1                            ; next instruction addresses segment r9
mov r4, [r8]                           ; fetch one 16-bit word
mov r5, #0
add initvar1, r4                       ; 32-bit accumulate: initvar2:initvar1 += r4
addc initvar2, r5
add r8, #2                             ; advance pointer by one word
addc r9, #0
add r7, #1

Check_Done_1024:
cmp r7, #1024
jmpr cc_NC, chk5                       ; 1024 words done this pass: pause, resume on next call
mov r4, r8
mov r5, r9
sub r4, MainRom_Checksum_End_Low_Cpy   ; carry set when pointer < end
subc r5, MainRom_Checksum_End_High_Cpy
jmpr cc_C, chk7                        ; still inside the region: keep summing

chk5:
mov MainRom_Checksum_START_Low_cpy, r8 ; save pointer for the next pass
mov MainRom_Checksum_START_High_cpy, r9
mov r4, r8
mov r5, r9
sub r4, MainRom_Checksum_End_Low_Cpy
subc r5, MainRom_Checksum_End_High_Cpy
jmpa cc_C, exit_chk                    ; region not finished yet
jmpr cc_UC, chk4                       ; region finished: load the next one

chk2:
mov r4, initvar1                       ; r5:r4 = accumulated sum
mov r5, initvar2
extp #543, #2
sub r4, Checksum_Final_Hi              ; compare against the stored checksum
subc r5, Checksum_Final_Lo
jmpr cc_NZ, chk1                       ; mismatch
mov r4, #1B00h
mov r5, #0E0h
extp r5, #1
movb rl3, [r4]                         ; match: set bit 3 of the status byte at page E0h:1B00h
orb rl3, #8
mov r4, #1B00h
mov r5, #0E0h
extp r5, #1
movb [r4], rl3
jmpr cc_UC, chk3

chk1:
mov r4, #1B00h
mov r5, #0E0h
extp r5, #1
movb rl3, [r4]                         ; mismatch: clear bit 3 of the same status byte
andb rl3, #0F7h
mov r4, #1B00h
mov r5, #0E0h
extp r5, #1
movb [r4], rl3

chk3:
movb loop_counter, ZEROS               ; check complete, stop running
jmpr cc_UC, exit_chk

chk4:
movb rl4, #2
addb initvar3, rl4                     ; next region index (steps of 2)
movbz r6, initvar3
shl r6, #2                             ; index * 4: consecutive indices are 8 bytes apart
extp #206h, #3
mov r4, [r6+3FE6h]                     ; region start low/high from the region table
mov r5, [r6+3FE8h]
nop
mov MainRom_Checksum_START_Low_cpy, r4
mov MainRom_Checksum_START_High_cpy, r5
extp #206h, #3
mov r4, [r6+3FEAh]                     ; region end low/high
mov r5, [r6+3FECh]
nop
mov MainRom_Checksum_End_Low_Cpy, r4
mov MainRom_Checksum_End_High_Cpy, r5

exit_chk:
mov r6, [r0+]                          ; restore r6..r9 and return
mov r7, [r0+]
mov r8, [r0+]
mov r9, [r0+]
rets
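Added example (not code from the thread or from ME7Sum): a C model of what the Multipoint routine above does, namely a 32-bit running sum of 16-bit little-endian words walked from each region's start to its end, then compared with a stored value. The region table, the 16 ROM bytes and the base address 0x810000 are constructed test data; the real routine reads its regions from the table at 206h:3FE6h and the stored value via page 543, which this example does not reproduce. It also rejects regions outside the image, which the ECU code has no reason to check but a file-based checker must.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One summed region as linear addresses, [start, end). Constructed layout. */
struct region {
    uint32_t start;
    uint32_t end;
};

/* Constructed ROM image: 16 bytes mapped at a made-up base of 0x810000. */
#define ROM_BASE 0x810000u
static const uint8_t rom_image[16] = {
    0x01, 0x00, 0x02, 0x00, 0xFF, 0xFF, 0x10, 0x00,   /* words 0001 0002 FFFF 0010 */
    0x34, 0x12, 0x78, 0x56, 0xBC, 0x9A, 0xF0, 0xDE    /* words 1234 5678 9ABC DEF0 */
};

/* Constructed region table; the real one lives at 206h:3FE6h per the listing. */
static const struct region demo_regions[2] = {
    { ROM_BASE + 0, ROM_BASE + 8  },
    { ROM_BASE + 8, ROM_BASE + 16 }
};

/* Mirror of the chk7/Check_Done_1024 loop: walk the pointer from start while
 * it is below end and add each word into a 32-bit accumulator, which is what
 * "add initvar1, r4 / addc initvar2, #0" does. Clears *ok and returns 0 for a
 * region outside the image or of odd length. */
uint32_t multipoint_sum(const uint8_t *img, uint32_t base, size_t len,
                        const struct region *tab, size_t n, int *ok)
{
    uint32_t acc = 0;
    *ok = 1;
    for (size_t i = 0; i < n; i++) {
        uint32_t s = tab[i].start, e = tab[i].end;
        if (s < base || e > base + len || s > e || ((e - s) & 1u)) {
            *ok = 0;
            return 0;
        }
        for (uint32_t p = s; p < e; p += 2) {
            size_t off = p - base;
            uint16_t w = (uint16_t)(img[off] | ((uint16_t)img[off + 1] << 8));
            acc += w;                     /* carry flows into the high word */
        }
    }
    return acc;
}

/* Mirror of chk2: 1 when the sum equals the stored value (the ECU sets bit 3
 * of its status byte), 0 otherwise. */
int multipoint_check(const uint8_t *img, uint32_t base, size_t len,
                     const struct region *tab, size_t n, uint32_t stored)
{
    int ok;
    uint32_t sum = multipoint_sum(img, base, len, tab, n, &ok);
    return ok && sum == stored;
}

int main(void)
{
    int ok;
    uint32_t sum = multipoint_sum(rom_image, ROM_BASE, sizeof rom_image,
                                  demo_regions, 2, &ok);
    printf("sum over 2 regions: %08X (%s)\n", sum, ok ? "ok" : "bad region");
    printf("check against stored 0002E26A: %s\n",
           multipoint_check(rom_image, ROM_BASE, sizeof rom_image,
                            demo_regions, 2, 0x0002E26Au) ? "MATCH" : "MISMATCH");
    return 0;
}
```

The first region alone sums to 0x10012, which is the point of the addc: the 0xFFFF word carries out of 16 bits and the high word keeps it.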
nyet
« Reply #91 on: January 03, 2013, 05:09:01 PM »

Success!

For 4 block, I just let the CRC accumulate through all 5 regions

Code:
0: Adr: 0x8183E9-0x8183F2                         CalcCRC: F9A70C59 (seed 00000000)
1: Adr: 0x810002-0x813FFE @0x90000 CRC: 13BFD815  CalcCRC: 13BFD815 (seed F9A70C59)  CRC OK
2: Adr: 0x814252-0x817F4E @0x90006 CRC: 8C92421A  CalcCRC: 8C92421A (seed 13BFD815)  CRC OK
3: Adr: 0x818192-0x81FBDC                         CalcCRC: 07E6F36A (seed 8C92421A)
4: Adr: 0x826A00-0x82FFFC @0x9000c CRC: C95513B5  CalcCRC: C95513B5 (seed 07E6F36A)  CRC OK


phila: I need a way to detect the 0x8183e9 range...

360: OK, I will try to use what you gave me to do a better job looking for start.

Actually, if you can give me an exact needle/mask pair that would be ideal.
« Last Edit: January 03, 2013, 05:37:05 PM by nyet »

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
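Added example, not the thread's or ME7Sum's code: a CRC-32 whose register is seeded directly, run over a list of regions so that each region's result seeds the next, which is the accumulation described for the 4 block case above. It assumes the reflected polynomial 0xEDB88320 with no final XOR when chaining; the thread does not say which CRC variant the ECU uses, so the image contents and region offsets here are constructed and the values will not match the ones printed above. What it shows is why chaining works at all: seeding with the previous register value gives the same result as one CRC over the regions concatenated, so a checker can run the regions one at a time and still get the single-pass answer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

static uint32_t crc_table[256];
static int crc_table_ready;

/* Assumed variant: reflected CRC-32, polynomial 0xEDB88320 (the common one);
 * the thread does not state what the ECU actually uses. */
static void crc_build_table(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (c >> 1) ^ 0xEDB88320u : (c >> 1);
        crc_table[i] = c;
    }
    crc_table_ready = 1;
}

/* Feed n bytes through the register starting from seed and return the
 * register as-is (no init/final XOR), which is what makes one region's
 * result usable as the next region's seed. */
uint32_t crc32_update(uint32_t seed, const uint8_t *p, size_t n)
{
    if (!crc_table_ready)
        crc_build_table();
    uint32_t c = seed;
    for (size_t i = 0; i < n; i++)
        c = crc_table[(c ^ p[i]) & 0xFFu] ^ (c >> 8);
    return c;
}

/* Conventional CRC-32 (init 0xFFFFFFFF, final XOR) on the same update,
 * useful to confirm the table: "123456789" -> CBF43926. */
uint32_t crc32_standard(const uint8_t *p, size_t n)
{
    return crc32_update(0xFFFFFFFFu, p, n) ^ 0xFFFFFFFFu;
}

/* One checked region as file offset + length. */
struct crc_region {
    size_t off;
    size_t len;
};

/* Run the regions in order, seeding each with the previous result as in the
 * 4 block output (seed 00000000, then the first CalcCRC, and so on).
 * Per-region values go to out[] (may be NULL), the last one to *last.
 * Returns -1 if a region runs past the image, 0 otherwise. */
int crc_chain(const uint8_t *img, size_t img_len,
              const struct crc_region *r, size_t n,
              uint32_t *out, uint32_t *last)
{
    uint32_t seed = 0;
    for (size_t i = 0; i < n; i++) {
        if (r[i].off > img_len || r[i].len > img_len - r[i].off)
            return -1;
        seed = crc32_update(seed, img + r[i].off, r[i].len);
        if (out)
            out[i] = seed;
    }
    *last = seed;
    return 0;
}

/* Constructed image contents for the demo (not a real ROM). */
void demo_fill(uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint8_t)(i * 37u + 11u);
}

int main(void)
{
    uint8_t img[64];
    uint32_t per[3], chained, whole;
    const struct crc_region regs[3] = { { 0, 16 }, { 16, 16 }, { 32, 32 } };

    demo_fill(img, sizeof img);
    crc_chain(img, sizeof img, regs, 3, per, &chained);
    whole = crc32_update(0, img, sizeof img);
    for (size_t i = 0; i < 3; i++)
        printf("%zu: off %2zu len %2zu  CalcCRC: %08X (seed %08X)\n",
               i, regs[i].off, regs[i].len, per[i], i ? per[i - 1] : 0u);
    printf("chained %08X, single pass over all bytes %08X -> %s\n",
           chained, whole, chained == whole ? "same" : "different");
    return 0;
}
```

Because the register is carried over unchanged, the chained result is identical to a single pass over the concatenated bytes, and flipping any byte in any region changes the final value.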
phila_dot
« Reply #92 on: January 03, 2013, 05:34:42 PM »

This work?

E6 FC LL LL E6 FD HH HH E0 sE DA XX XX XX F6 F4

s == length in bytes
nyet
« Reply #93 on: January 03, 2013, 05:39:09 PM »

Phila, trying it now.

Are you sure the other two regions aren't checked anywhere?
phila_dot
« Reply #94 on: January 03, 2013, 05:49:50 PM »

Phila, trying it now.

Are you sure the other two regions aren't checked anywhere?

Other two as in 0 and 3 in your previous post? Not checked.
nyet
« Reply #95 on: January 03, 2013, 06:26:16 PM »

F, K and Q all work now, which leaves Ferrari's bin, and

4Z7907551S
8D0907551C
8D0907551T

T is curious; there seems to be a false match

8D0907551T:
Code:
Found CRC #1 at 0x81b494
Found CRC #2 at 0x87d94c
Found CRC #3 at 0x87d952
Found CRC #4 at 0x87d958
Found CRC #5 at 0x87e350

0: Adr: 0x81840A-0x818413                         CalcCRC: 7232DBBC (seed 00000000)
1: Adr: 0x810002-0x813FFE @0x1b494 CRC: 00800000  CalcCRC: F57794F2 (seed 7232DBBC)  ** NOT OK **
2: Adr: 0x814252-0x817F4E @0x7d94c CRC: F57794F2  CalcCRC: 0E24D8DF (seed F57794F2)  ** NOT OK **
3: Adr: 0x818192-0x81FBAC                         CalcCRC: 891D9138 (seed 0E24D8DF)
4: Adr: 0x81FBAE-0x81FBB0 @0x7d952 CRC: 0E24D8DF  CalcCRC: DEDB9C23 (seed 891D9138)  ** NOT OK **

4Z7907551S.bin can't find offsets at all

« Last Edit: January 03, 2013, 06:35:07 PM by nyet »

nyet
« Reply #96 on: January 03, 2013, 06:37:43 PM »

Err, after some code tweaking:

Code:
Found CRC #1 at 0x81b494
Found CRC #2 at 0x87d94c
Found CRC #3 at 0x87d952
Found CRC #4 at 0x87d958
Found CRC #5 at 0x87e350
0: Adr: 0x81840A-0x818413                         CalcCRC: 7232DBBC (seed 00000000)
1: Adr: 0x810002-0x813FFE @0x1b494 CRC: 00800000  CalcCRC: F57794F2 (seed 7232DBBC)  ** NOT OK **
2: Adr: 0x814252-0x817F4E @0x7d94c CRC: F57794F2  CalcCRC: 0E24D8DF (seed F57794F2)  ** NOT OK **
3: Adr: 0x818192-0x81FBAC @0x7d952 CRC: 0E24D8DF  CalcCRC: 891D9138 (seed 0E24D8DF)  ** NOT OK **
4: Adr: 0x81FBAE-0x81FBB0 @0x7d958 CRC: DEDB9C23  CalcCRC: DEDB9C23 (seed 891D9138)  CRC OK

ETA: works with this search pattern, but that pattern doesn't work with the other boxes.

Code:
uint8_t needle[] = {0xEA, 0xA5, 0xE6, 0xF4, 0x00, 0x00, 0xE6, 0xF5, 0x00, 0x00, 0xDA, 0x00, 0xD8, 0x7E};
uint8_t   mask[] = {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff};

Code:
Found CRC #1 at 0x87d94c
Found CRC #2 at 0x87d952
Found CRC #3 at 0x87d958
0: Adr: 0x81840A-0x818413                         CalcCRC: 7232DBBC (seed 00000000)
1: Adr: 0x810002-0x813FFE @0x7d94c CRC: F57794F2  CalcCRC: F57794F2 (seed 7232DBBC)  CRC OK
2: Adr: 0x814252-0x817F4E @0x7d952 CRC: 0E24D8DF  CalcCRC: 0E24D8DF (seed F57794F2)  CRC OK
3: Adr: 0x818192-0x81FBAC                         CalcCRC: 891D9138 (seed 0E24D8DF)
4: Adr: 0x81FBAE-0x81FBB0 @0x7d958 CRC: DEDB9C23  CalcCRC: DEDB9C23 (seed 891D9138)  CRC OK
« Last Edit: January 03, 2013, 07:24:53 PM by nyet »

jooo
« Reply #97 on: January 03, 2013, 07:44:36 PM »

The question now is how to convert the asm instruction relative offsets to byte offsets in the file?
...I believe a clue is to do with the segmented memory model of the C167 [C167 asm guys, help me out here!].
Somewhat described here
http://nefariousmotorsports.com/forum/index.php?topic=1735.0
and some other threads in the Reverse Engineering board.
nyet
« Reply #98 on: January 03, 2013, 07:49:37 PM »

For those of you looking for patterns, here are the hexdumps near the matched areas

M box:
Code:
Found possible CRC offset #1 at 0x87a866 (from 0x7ac96)
f6 f5 4a aa [ e6 f4 66 a8 e6 f5 87 00 da 00 d8 7e ] f4 66 a8 e6
Found possible CRC offset #2 at 0x87a86c (from 0x7ad28)
f6 f5 4e aa [ e6 f4 6c a8 e6 f5 87 00 da 00 d8 7e ] f4 6c a8 e6
Found possible CRC offset #3 at 0x87a872 (from 0x7adb8)
f6 f5 52 aa [ e6 f4 72 a8 e6 f5 87 00 da 00 d8 7e ] f4 72 a8 e6
Found CRC #1 at 0x87a866
Found CRC #2 at 0x87a86c
Found CRC #3 at 0x87a872
1: Adr: 0x810002-0x813FFE @0x7a866 CRC: 214CD272  CalcCRC: 214CD272 (seed 00000000)  CRC OK
2: Adr: 0x814252-0x817F4E @0x7a86c CRC: 17B90F53  CalcCRC: 17B90F53 (seed 00000000)  CRC OK
3: Adr: 0x818192-0x81FBB0 @0x7a872 CRC: 7DE91383  CalcCRC: 7DE91383 (seed 00000000)  CRC OK

K box:
Code:
Searching for main ROM CRC offsets...
Found possible CRC offset #1 at 0x890000 (from 0x904a2)
f6 f5 da a8 [ e6 f4 00 00 e6 f5 89 00 da 00 d8 7e ] f4 00 00 e6
Found possible CRC offset #2 at 0x890006 (from 0x90522)
f6 f5 da a8 [ e6 f4 06 00 e6 f5 89 00 da 00 d8 7e ] f4 06 00 e6
Found possible CRC offset #3 at 0x89000c (from 0x905aa)
f6 f5 da a8 [ e6 f4 0c 00 e6 f5 89 00 da 00 d8 7e ] f4 0c 00 e6
Found CRC #1 at 0x890000
Found CRC #2 at 0x890006
Found CRC #3 at 0x89000c
0: Adr: 0x8183E9-0x8183F2                         CalcCRC: F9A70C59 (seed 00000000)
1: Adr: 0x810002-0x813FFE @0x90000 CRC: 13BFD815  CalcCRC: 13BFD815 (seed F9A70C59)  CRC OK
2: Adr: 0x814252-0x817F4E @0x90006 CRC: 8C92421A  CalcCRC: 8C92421A (seed 13BFD815)  CRC OK
3: Adr: 0x818192-0x81FBDC                         CalcCRC: 07E6F36A (seed 8C92421A)
4: Adr: 0x826A00-0x82FFFC @0x9000c CRC: C95513B5  CalcCRC: C95513B5 (seed 07E6F36A)  CRC OK

T box:
Code:
Found possible CRC offset #1 at 0x81b494 (from 0x37de6)
f7 8e 0f 97 [ e6 f4 94 b4 e6 f5 81 00 da 00 d8 7e ] f4 94 b4 e6
Found possible CRC offset #2 at 0x87d94c (from 0x7df06)
f6 f5 ea a5 [ e6 f4 4c d9 e6 f5 87 00 da 00 d8 7e ] f4 4c d9 e6
Found possible CRC offset #3 at 0x87d952 (from 0x7df86)
f6 f5 ea a5 [ e6 f4 52 d9 e6 f5 87 00 da 00 d8 7e ] f4 52 d9 e6
Found possible CRC offset #4 at 0x87d958 (from 0x7e00e)
f6 f5 ea a5 [ e6 f4 58 d9 e6 f5 87 00 da 00 d8 7e ] f4 58 d9 e6
Found possible CRC offset #5 at 0x87e350 (from 0x7e1dc)
e4 a0 04 00 [ e6 f4 50 e3 e6 f5 87 00 da 00 d8 7e ] f4 50 e3 e6
Found CRC #1 at 0x81b494
Found CRC #2 at 0x87d94c
Found CRC #3 at 0x87d952
Found CRC #4 at 0x87d958
Found CRC #5 at 0x87e350
Did not find exactly 3 matches (got 5). CRC offset find failed
0: Adr: 0x81840A-0x818413                         CalcCRC: 7232DBBC (seed 00000000)
1: Adr: 0x810002-0x813FFE @0x1b494 CRC: 00800000  CalcCRC: F57794F2 (seed 7232DBBC)  ** NOT OK **
2: Adr: 0x814252-0x817F4E @0x7d94c CRC: F57794F2  CalcCRC: 0E24D8DF (seed F57794F2)  ** NOT OK **
3: Adr: 0x818192-0x81FBAC @0x7d952 CRC: 0E24D8DF  CalcCRC: 891D9138 (seed 0E24D8DF)  ** NOT OK **
4: Adr: 0x81FBAE-0x81FBB0 @0x7d958 CRC: DEDB9C23  CalcCRC: DEDB9C23 (seed 891D9138)  CRC OK


Maybe that f6 f5 XX XX sequence?
« Last Edit: January 03, 2013, 07:52:10 PM by nyet »

nyet
« Reply #99 on: January 03, 2013, 08:02:54 PM »

This seems to work for everything but 8D0907551C and 4Z7907551S

Comments?

Code:
//                                                        LL    LL                HH    HH
uint8_t needle[] = {0xF6, 0xF5, 0x00, 0x00, 0xE6, 0xF4, 0x00, 0x00, 0xE6, 0xF5, 0x00, 0x00, 0xDA, 0x00, 0xD8, 0x7E};
uint8_t   mask[] = {0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff};
phila_dot
« Reply #100 on: January 03, 2013, 08:40:50 PM »

This seems to work for everything but 8D0907551C and 4Z7907551S

Comments?

Code:
//                                                        LL    LL                HH    HH
uint8_t needle[] = {0xF6, 0xF5, 0x00, 0x00, 0xE6, 0xF4, 0x00, 0x00, 0xE6, 0xF5, 0x00, 0x00, 0xDA, 0x00, 0xD8, 0x7E};
uint8_t   mask[] = {0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff};

Different ROM?

That's a call to ROM function at the end. Hardcoding addresses isn't always a good idea.
phila_dot
« Reply #101 on: January 03, 2013, 08:48:39 PM »

This works in four files I checked real quick.


E6 F4 XX XX E6 F5 XX XX DA 00 XX XX E6 00 04 02
nyet
« Reply #102 on: January 03, 2013, 09:01:49 PM »

Do you mean:

ETA: err nvm gimme a sec
« Last Edit: January 03, 2013, 09:06:52 PM by nyet »

nyet
« Reply #103 on: January 03, 2013, 09:08:54 PM »

Doesn't work for the T box

Code:
Found possible CRC offset #1 at 0x81b494 (from 0x37de6)
f7 8e 0f 97 [e6 f4 94 b4 e6 f5 81 00 da 00 d8 7e e6 00 04 02] f4 94 b4 e6
Found possible CRC offset #2 at 0x87d94c (from 0x7df06)
f6 f5 ea a5 [e6 f4 4c d9 e6 f5 87 00 da 00 d8 7e e6 00 04 02] f4 4c d9 e6
Found possible CRC offset #3 at 0x87d952 (from 0x7df86)
f6 f5 ea a5 [e6 f4 52 d9 e6 f5 87 00 da 00 d8 7e e6 00 04 02] f4 52 d9 e6
Found possible CRC offset #4 at 0x87d958 (from 0x7e00e)
f6 f5 ea a5 [e6 f4 58 d9 e6 f5 87 00 da 00 d8 7e e6 00 04 02] f4 58 d9 e6
Found possible CRC offset #5 at 0x87e350 (from 0x7e1dc)
e4 a0 04 00 [e6 f4 50 e3 e6 f5 87 00 da 00 d8 7e e6 00 04 02] f4 50 e3 e6
nyet
« Reply #104 on: January 03, 2013, 09:11:40 PM »

This does though (prepend f6 f5 xx xx)

Code:
uint8_t needle[] = {0xF6, 0xF5, 0x00, 0x00, 0xE6, 0xF4, 0x00, 0x00, 0xE6, 0xF5, 0x00, 0x00, 0xDA, 0x00, 0x00, 0x00, 0xe6, 0x00, 0x04, 0x02};
uint8_t   mask[] = {0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff};

4Z7907551S is still broken, of course

ETA: with the F6 F5 XX XX I don't even seem to need the e6 00 04 02 tail...
« Last Edit: January 03, 2013, 09:17:07 PM by nyet »

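Added example (not the thread's or ME7Sum's code) that ties jooo's question in Reply #97 to the needle/mask of Reply #104: a masked byte search over an image, decoding of the two immediates (mov r4,#LLLL at bytes 6-7 and mov r5,#HHHH at bytes 10-11 of the match, as marked in Reply #99) into a linear address, and the conversion of that address to a file offset. The sample buffer is constructed from the two byte runs printed in Reply #103 for the T box, so the shorter Reply #101 needle picks up the 0x81b494 false hit and the Reply #104 needle does not. The 0x800000 base used for the file-offset conversion is an assumption read off the address/offset pairs in the outputs above (0x87d94c printed as @0x7d94c); the thread never states it outright.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Needle/mask from Reply #104 (F6 F5 xx xx prefix, E6 00 04 02 tail). */
static const uint8_t needle_104[] = {
    0xF6, 0xF5, 0x00, 0x00, 0xE6, 0xF4, 0x00, 0x00, 0xE6, 0xF5,
    0x00, 0x00, 0xDA, 0x00, 0x00, 0x00, 0xE6, 0x00, 0x04, 0x02 };
static const uint8_t mask_104[] = {
    0xFF, 0xFF, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xFF, 0xFF,
    0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF };

/* Needle/mask from Reply #101, without the F6 F5 prefix. */
static const uint8_t needle_101[] = {
    0xE6, 0xF4, 0x00, 0x00, 0xE6, 0xF5, 0x00, 0x00,
    0xDA, 0x00, 0x00, 0x00, 0xE6, 0x00, 0x04, 0x02 };
static const uint8_t mask_101[] = {
    0xFF, 0xFF, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
    0xFF, 0xFF, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF };

/* Constructed sample: filler around the two byte runs printed in Reply #103
 * for the T box (the 0x81b494 false hit first, then the real 0x87d94c one). */
static const uint8_t sample[] = {
    0x00, 0x11, 0x22, 0x33,
    0xF7, 0x8E, 0x0F, 0x97, 0xE6, 0xF4, 0x94, 0xB4, 0xE6, 0xF5, 0x81, 0x00,
    0xDA, 0x00, 0xD8, 0x7E, 0xE6, 0x00, 0x04, 0x02, 0xF4, 0x94, 0xB4, 0xE6,
    0x44, 0x55,
    0xF6, 0xF5, 0xEA, 0xA5, 0xE6, 0xF4, 0x4C, 0xD9, 0xE6, 0xF5, 0x87, 0x00,
    0xDA, 0x00, 0xD8, 0x7E, 0xE6, 0x00, 0x04, 0x02, 0xF4, 0x4C, 0xD9, 0xE6,
    0x66, 0x77 };

/* Masked search: a byte matches when (buf & mask) == (needle & mask).
 * Returns the total number of matches; the first max_hits offsets go to hits[]. */
size_t masked_find(const uint8_t *buf, size_t len,
                   const uint8_t *nd, const uint8_t *mk, size_t nlen,
                   size_t *hits, size_t max_hits)
{
    size_t count = 0;
    if (nlen == 0 || len < nlen)
        return 0;
    for (size_t i = 0; i + nlen <= len; i++) {
        size_t j;
        for (j = 0; j < nlen; j++)
            if ((buf[i + j] & mk[j]) != (nd[j] & mk[j]))
                break;
        if (j == nlen) {
            if (count < max_hits)
                hits[count] = i;
            count++;
        }
    }
    return count;
}

/* Decode the immediates of "mov r4,#LLLL" and "mov r5,#HHHH" (little-endian
 * words at ll_off / hh_off from the match) into the 24-bit linear address
 * the ECU code forms from them, e.g. 87 00 + 4C D9 -> 0x87D94C. */
uint32_t decode_ptr(const uint8_t *m, size_t ll_off, size_t hh_off)
{
    uint32_t ll = (uint32_t)m[ll_off] | ((uint32_t)m[ll_off + 1] << 8);
    uint32_t hh = (uint32_t)m[hh_off] | ((uint32_t)m[hh_off + 1] << 8);
    return (hh << 16) | ll;
}

/* Assumption: the image is mapped from 0x800000, so file offset = address
 * - 0x800000, matching every "at 0x8xxxxx ... @0xxxxxx" pair in the thread.
 * Addresses below the base are not in the file; return UINT32_MAX for them. */
#define ROM_LINEAR_BASE 0x800000u
uint32_t addr_to_file_off(uint32_t addr)
{
    if (addr < ROM_LINEAR_BASE)
        return UINT32_MAX;
    return addr - ROM_LINEAR_BASE;
}

int main(void)
{
    size_t hits[8];
    size_t n = masked_find(sample, sizeof sample, needle_104, mask_104,
                           sizeof needle_104, hits, 8);
    for (size_t i = 0; i < n; i++) {
        uint32_t a = decode_ptr(sample + hits[i], 6, 10);
        printf("Reply #104 needle: match at sample offset %zu -> CRC at 0x%06X (file @0x%X)\n",
               hits[i], a, addr_to_file_off(a));
    }
    n = masked_find(sample, sizeof sample, needle_101, mask_101,
                    sizeof needle_101, hits, 8);
    printf("Reply #101 needle: %zu matches (the extra one is the 0x81b494 false hit)\n", n);
    return 0;
}
```

The count is returned even when it exceeds max_hits, so a caller can apply the same "did not find exactly 3 matches" rule the checker output above shows without risking an overrun of hits[].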