nyet
« Reply #90 on: August 24, 2018, 08:31:22 AM »
This is FANTASTIC... I'd prefer a (working) pull request over a patch though
360trev
Full Member
Karma: +68/-2
Offline
Posts: 235
« Reply #91 on: August 24, 2018, 08:31:55 AM »
Fixed the missing detection of multipoint; I needed to correct the mask on the segment!
const unsigned char mask_3[] = {
MASK, MASK, SKIP, SKIP, // mov r4, var_Y
MASK, MASK, SKIP, SKIP, // mov r5, var_Y
MASK, MASK, SKIP, SKIP, // extp #XXXXh, #2 <--- * this is the segment offset (should be 0x21f in 512kb & 0x23f in 1024kb ROM)
Just change 3rd line for SKIP SKIP on last 2 entries... and it works for both 512kbyte and 1024kbyte roms...
Opening '06A906032DS 0261207080 360930' file
Succeded loading file.
>>> Scanning for Main ROM Checksum sub-routine #1 [to extract Start/End regions]
main checksum byte sequence #1 found at offset=0x880b8.
Main Region Block #1:
  lo:0x1dfc0 hi:0x1dfc2 (seg: 0x207 phy:0x81dfc0) : 0x800000
  lo:0x1dfc4 hi:0x1dfc6 (seg: 0x207 phy:0x81dfc4) : 0x80fbff
  sum=48cf9ca6 ~sum=b7306359 : acc_sum=0
Main Region Block #2:
  lo:0x1dfc8 hi:0x1dfca (seg: 0x207 phy:0x81dfc8) : 0x820000
  lo:0x1dfcc hi:0x1dfce (seg: 0x207 phy:0x81dfcc) : 0x8fffff
  sum=4851122c ~sum=b7aeedd3 : acc_sum=48cf9ca6
Final Main ROM Checksum calculation: 0x9120aed2 (after 2 rounds)
Final Main ROM Checksum calculation: ~0x6edf512d
>>> Scanning for Main ROM Checksum sub-routine #2 [to extract stored checksums and locations in ROM]
main checksum byte sequence #2 block found at offset=0x88160.
Stored Main ROM Block Checksum: lo:0xfffe0 hi:0xfffe2 (seg: 0x23f phy:0x8fffe0) : 0x9120aed2
Stored Main ROM Block ~Checksum: lo:0xfffe4 hi:0xfffe6 (seg: 0x23f phy:0x8fffe4) : 0x6edf512d
MAIN STORED ROM CHECKSUM: 9120aed2 ? 9120aed2 : OK! ~CHECKSUM: 6edf512d ? 6edf512d : OK!
>>> Scanning for Multipoint Checksum sub-routine #1 [to extract stored checksum list location in ROM]
Multipoint byte sequence #1 block found at offset=0x8b854.
Blk #01:
  lo:0x1fbde (seg: 0x207 phy:0x81fbde) : Start: 0x00000000
  lo:0x1fbe2 (seg: 0x207 phy:0x81fbe2) : End: 0x00003fff
  lo:0x1fbe6 (seg: 0x207 phy:0x81fbe6) : CRC32: 0x0fa0f5cf
  lo:0x1fbea (seg: 0x207 phy:0x81fbea) : ~CRC32 0xf05f0a30
  Bootblock #1 ram/rom offset: 0x00000000 len=0x3fff
Blk #02:
  lo:0x1fbee (seg: 0x207 phy:0x81fbee) : Start: 0x00004000
  lo:0x1fbf2 (seg: 0x207 phy:0x81fbf2) : End: 0x00007fff
  lo:0x1fbf6 (seg: 0x207 phy:0x81fbf6) : CRC32: 0x0f4716b3
  lo:0x1fbfa (seg: 0x207 phy:0x81fbfa) : ~CRC32 0xf0b8e94c
  Bootblock #2 ram/rom offset: 0x00004000 len=0x3fff
Blk #03:
  lo:0x1fbfe (seg: 0x207 phy:0x81fbfe) : Start: 0x00800000
  lo:0x1fc02 (seg: 0x207 phy:0x81fc02) : End: 0x00803fff
  lo:0x1fc06 (seg: 0x207 phy:0x81fc06) : CRC32: 0x0fa0f5cf
  lo:0x1fc0a (seg: 0x207 phy:0x81fc0a) : ~CRC32 0xf05f0a30
  rom offset: 0x00000000 len=0x3fff
... cut ... cut ...
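The masked needle search discussed in reply #91, as an added example that is not code from the thread or from the ME7sum / ME7RomTool sources. The values of MASK and SKIP, the function names, the opcode bytes in the needle, the "pinned" mask standing in for the mask before the change, and both ROM fragments are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MASK 0xff /* assumed value: ROM byte must equal the needle byte */
#define SKIP 0x00 /* assumed value: wildcard, e.g. an address or segment operand */

/* Offset of the first place where needle matches buf under mask, or -1. */
long find_masked(const uint8_t *buf, size_t len, const uint8_t *needle,
                 const uint8_t *mask, size_t nlen)
{
    if (nlen == 0 || len < nlen) return -1;
    for (size_t i = 0; i + nlen <= len; i++) {
        size_t j = 0;
        while (j < nlen && ((buf[i + j] ^ needle[j]) & mask[j]) == 0) j++;
        if (j == nlen) return (long)i;
    }
    return -1;
}

/* Needle for the three instructions; opcode bytes are assumed encodings and
   the last two bytes hold the 512kb segment 0x21f (little-endian). */
static const uint8_t needle_3[] = { 0xF2,0xF4,0,0, 0xF2,0xF5,0,0, 0xD7,0x50,0x1F,0x02 };
/* Assumed earlier mask: segment bytes pinned, so only one ROM size matches. */
static const uint8_t mask_pinned[] = { MASK,MASK,SKIP,SKIP, MASK,MASK,SKIP,SKIP, MASK,MASK,MASK,MASK };
/* Mask as posted: segment bytes are skipped. */
static const uint8_t mask_3[] = { MASK,MASK,SKIP,SKIP, MASK,MASK,SKIP,SKIP, MASK,MASK,SKIP,SKIP };

/* Constructed ROM fragments, not taken from any real image. */
static const uint8_t rom_512k[] = { 0xCC,0x00, 0xF2,0xF4,0x10,0x80, 0xF2,0xF5,0x12,0x80, 0xD7,0x50,0x1F,0x02, 0xCB,0x00 };
static const uint8_t rom_1024k[] = { 0xF2,0xF4,0x20,0x90, 0xF2,0xF5,0x22,0x90, 0xD7,0x50,0x3F,0x02, 0xCB,0x00 };

/* Segment operand read from the matched code, or -1 if the needle is absent. */
int segment_of(const uint8_t *rom, size_t len, const uint8_t *mask)
{
    long m = find_masked(rom, len, needle_3, mask, sizeof needle_3);
    if (m < 0) return -1;
    return rom[m + 10] | (rom[m + 11] << 8); /* 16-bit little-endian operand */
}

int main(void)
{
    printf("pinned : 512k=%#x 1024k=%d\n", segment_of(rom_512k, sizeof rom_512k, mask_pinned),
           segment_of(rom_1024k, sizeof rom_1024k, mask_pinned));
    printf("skipped: 512k=%#x 1024k=%#x\n", segment_of(rom_512k, sizeof rom_512k, mask_3),
           segment_of(rom_1024k, sizeof rom_1024k, mask_3));
    return 0;
}
```

With the segment bytes pinned the needle is found only in the 512kb fragment; with them skipped it is found in both, and the segment is read back from the matched bytes instead of being hardcoded.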
360trev
« Reply #92 on: August 24, 2018, 08:33:56 AM »
This is FANTASTIC... I'd prefer a (working) pull request over a patch though
Just going out to dinner now but I will come back to you... I'm going to need to work out how to do it on the old ME7sum (your version) since this is completely new code. Shouldn't be too hard though...
360trev
« Reply #93 on: August 29, 2018, 01:36:04 AM »
@ Nyet... Haven't been sleeping. Noticed that there are a few more variants of the checksum routines I could support so I've now got it working with Volvo roms too which took a little bit more effort since they don't use the same rombase addressing so I had to work out a way to do it without using hardcoded rombase addresses!!
Here's a sample output on a Volvo ROM I downloaded from here..
Opening 'VOLVO S60R_AUT 2.5L B5254T4 300HP NoCarPartNo 0261208289 30684626A.bin' file
Succeded loading file.
Loaded ROM: Tool in 1Mb Mode
>>> Scanning for Main ROM Checksum sub-routine #1 [to extract Start/End regions]
main checksum byte sequence #1 found at offset=0xe3040.
Main Region Block #1:
  lo:0x2c882 hi:0x2c884 (seg: 0xb phy:0x2c882) : 0xc000
  lo:0x2c886 hi:0x2c888 (seg: 0xb phy:0x2c886) : 0xdfff
  sum=41c6b73 ~sum=fbe3948c : acc_sum=0
Main Region Block #2:
  lo:0x2c88a hi:0x2c88c (seg: 0xb phy:0x2c88a) : 0x10b00
  lo:0x2c88e hi:0x2c890 (seg: 0xb phy:0x2c88e) : 0x1f7ff
  sum=1ba41a95 ~sum=e45be56a : acc_sum=41c6b73
Main Region Block #3:
  lo:0x2c892 hi:0x2c894 (seg: 0xb phy:0x2c892) : 0x1fc00
  lo:0x2c896 hi:0x2c898 (seg: 0xb phy:0x2c896) : 0xfffef
  sum=facf8c86 ~sum=5307379 : acc_sum=1fc08608
Final Main ROM Checksum calculation: 0x1a90128e (after 3 rounds)
Final Main ROM Checksum calculation: ~0xe56fed71
>>> Scanning for Main ROM Checksum sub-routine #2 variant #A [to extract stored checksums and locations in ROM]
No match found
main checksum byte sequence #2 not found
Trying different variant.
>>> Scanning for Main ROM Checksum sub-routine #2 variant #B [to extract stored checksums and locations in ROM]
main checksum byte sequence #2 variant #B block found at offset=0xe30ce.
Stored Main ROM Block Checksum: lo:0xffff0 hi:0xffff2 (seg: 0x3f phy:0xffff0) : 0x1a90128e
Stored Main ROM Block ~Checksum: lo:0xffff4 hi:0xffff6 (seg: 0x3f phy:0xffff4) : 0xe56fed71
MAIN STORED ROM CHECKSUM: 1a90128e ? 1a90128e : OK! ~CHECKSUM: e56fed71 ? e56fed71 : OK!
DT
Full Member
Karma: +20/-1
Offline
Posts: 184
« Reply #94 on: August 29, 2018, 02:48:28 PM »
Nice, this needle mask routine could be very useful for finding other routines between different files too.
360trev
« Reply #95 on: August 29, 2018, 02:59:52 PM »
Nice, this needle mask routine could be very useful for finding other routines between different files too.
That's exactly the way I'm using it. My latest ME7Sum tool is now working across multiple different (normally incompatible) checksummed roms including both 512kbyte and 1024kbyte. Each with different rom base addresses, etc. Totally different locations, numbers of multipoint sums and numbers of entries. I now extract EVERYTHING directly out of the machine code, including the number of entries in the tables. Check out the latest log output on a Volvo rom (originally unsupported) but also working on Ferrari, Alfa, VAG, etc... Pretty much everything that's built with Siemens C167 that I've tried so far...
Opening 'VOLVO S60R_AUT 2.5L B5254T4 300HP NoCarPartNo 0261208289 30684626A.bin' file
Succeded loading file.
Loaded ROM: Tool in 1Mb Mode
>>> Scanning for Main ROM Checksum sub-routine #1 [to extract number of entries in table]
main checksum byte sequence #1 found at offset=0xe307c.
Found #3 Regional Block Entries in table
>>> Scanning for Main ROM Checksum sub-routine #2 [to extract Start/End regions]
main checksum byte sequence #1 found at offset=0xe3040.
Main Region Block #1:
  lo:0x2c882 hi:0x2c884 (seg: 0xb phy:0x2c882) : 0xc000
  lo:0x2c886 hi:0x2c888 (seg: 0xb phy:0x2c886) : 0xdfff
  sum=41c6b73 ~sum=fbe3948c : acc_sum=0
Main Region Block #2:
  lo:0x2c88a hi:0x2c88c (seg: 0xb phy:0x2c88a) : 0x10b00
  lo:0x2c88e hi:0x2c890 (seg: 0xb phy:0x2c88e) : 0x1f7ff
  sum=1ba41a95 ~sum=e45be56a : acc_sum=41c6b73
Main Region Block #3:
  lo:0x2c892 hi:0x2c894 (seg: 0xb phy:0x2c892) : 0x1fc00
  lo:0x2c896 hi:0x2c898 (seg: 0xb phy:0x2c896) : 0xfffef
  sum=facf8c86 ~sum=5307379 : acc_sum=1fc08608
Final Main ROM Checksum calculation: 0x1a90128e (after 3 rounds)
Final Main ROM Checksum calculation: ~0xe56fed71
>>> Scanning for Main ROM Checksum sub-routine #3 variant #A [to extract stored checksums and locations in ROM]
No match found
main checksum byte sequence #3 variant #A not found
Trying different variant.
>>> Scanning for Main ROM Checksum sub-routine #3 variant #B [to extract stored checksums and locations in ROM]
main checksum byte sequence #3 variant #B block found at offset=0xe30ce.
Stored Main ROM Block Checksum: lo:0xffff0 hi:0xffff2 (seg: 0x3f phy:0xffff0) : 0x1a90128e
Stored Main ROM Block ~Checksum: lo:0xffff4 hi:0xffff6 (seg: 0x3f phy:0xffff4) : 0xe56fed71
MAIN STORED ROM CHECKSUM: 0x1a90128e ? 0x1a90128e : OK! ~CHECKSUM: 0xe56fed71 ? 0xe56fed71 : OK!
>>> Scanning for Multipoint Checksum sub-routine #1 [to extract number entries in stored checksum list in ROM]
Multipoint byte sequence #1 block found at offset=0xe151e.
Found #64 Multipoint Entries in table
>>> Scanning for Multipoint Checksum sub-routine #2 [to extract address of stored checksum list location in ROM]
Multipoint byte sequence #2 block found at offset=0xe17a0.
Blk #01:
  lo:0x1f800 (seg: 0x7 phy:0x1f800) : Start: 0x00000000
  lo:0x1f804 (seg: 0x7 phy:0x1f804) : End: 0x000001ff
  lo:0x1f808 (seg: 0x7 phy:0x1f808) : CRC32: 0x00407600
  lo:0x1f80c (seg: 0x7 phy:0x1f80c) : ~CRC32 0xffbf89ff
Blk #02:
  lo:0x1f810 (seg: 0x7 phy:0x1f810) : Start: 0x00000000
  lo:0x1f814 (seg: 0x7 phy:0x1f814) : End: 0x000001ff
  lo:0x1f818 (seg: 0x7 phy:0x1f818) : CRC32: 0x00407600
  lo:0x1f81c (seg: 0x7 phy:0x1f81c) : ~CRC32 0xffbf89ff
Blk #03:
  lo:0x1f820 (seg: 0x7 phy:0x1f820) : Start: 0x00008000
  lo:0x1f824 (seg: 0x7 phy:0x1f824) : End: 0x0000bfff
  lo:0x1f828 (seg: 0x7 phy:0x1f828) : CRC32: 0x0ec1a3cb
  lo:0x1f82c (seg: 0x7 phy:0x1f82c) : ~CRC32 0xf13e5c34
... cut .... cut ...... cut .... cut ...... cut .... cut ...... cut .... cut ...
360trev
« Reply #96 on: August 29, 2018, 03:59:42 PM »
It's pretty much still a work in progress (the new code will be retrofitted into latest Nyet ME7sum soon). If you want to try it out (or look at the source-code) here's a google drive share to it... https://drive.google.com/open?id=1ajZYirUtiD7XBqXVrtv2flcoGsroUxZm
nyet
« Reply #97 on: August 29, 2018, 04:06:31 PM »
Please, do not do it this way. Github exists for a reason, and posting source code in dropbox or gdrive is pure insanity.
nyet
« Reply #98 on: August 29, 2018, 04:07:23 PM »
You should already be making these changes, incrementally, under source control, based on an upstream repository.
360trev
« Reply #99 on: August 29, 2018, 08:32:57 PM »
nyet, you're absolutely right, it actually is already under github, just didn't yet check latest version upstream. Done now. Here it is here; https://github.com/360trev/ME7RomTool_Ferrari
It's not the same tool as me7sum as it's going to do more than sum. I think we need to make an option to build the summing code as a shared library to be used by other kinds of tools in the future.
nyet
« Reply #100 on: August 30, 2018, 08:52:22 AM »
Thanks, looking over it now. Merging is not going to be easy :/
360trev
« Reply #101 on: August 30, 2018, 10:41:55 PM »
Thanks, looking over it now. Merging is not going to be easy :/
I'd recommend just taking the sections of code which deal with the needles and substitute the hard coded assumed addresses. Really this is the biggest difference between original and the new approach. Every address is discovered from probing the machine code itself and pulling out the necessary information.
360trev
« Reply #102 on: September 03, 2018, 03:53:55 PM »
Done quite a few updates today! It can now identify a few more variants/strains of routine as well as detecting and then pulling the correct DPPx register out of a given rom. This makes it quite a bit easier to set things up for correct reversing. Also added the ability to do the calculations of the multipoints now too as well as finding the xorCalcuationTable in a given rom (if it exists) and dumping its xortable too ... Have fun
Here's what dppx analysis looks like...
Loaded ROM: Tool in 1Mb Mode
-[ DPPx Setup Analysis ]-----------------------------------------------------------------
>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
main rom dppX byte sequence #1 found at offset=0x64a6.
dpp0: 0x0000
dpp1: 0x0205
dpp2: 0x00e0
dpp3: 0x0003 (DPP3 is always 3, otherwise accessing CPU register area not possible)
JKaunisto
Newbie
Karma: +0/-0
Offline
Posts: 1
« Reply #103 on: June 16, 2019, 12:27:01 PM »
Hi! New to this forum and ecu flashing, and now it happened. I'm facing a need for an answer.
So I started with baby steps, and was going to only delete the rear 02 sensors from my ecu. After figuring out how to use Tunerpro, Nefmoto etc. I had the .bin file from my 4Z7907551N ecu. Used in Tunerpro the "R" box .xdf, and apparently successfully modified the .bin.
So here it comes: when I pulled program from my ecu, I ran it through ME7Check. Result "OK". So after tweaking the file, I ran it through ME7Check again. Well, well, RSA signature error (from what I've understood, this is normal), but also checksum errors etc. Total of 4 errors, including the RSA. So I ran the new file through me7sum. Found 7 bad checksums, corrected 7/7, everything ok.
After this pulled it again through ME7Check, still moaning about the 4 errors (3 if you drop the RSA away). So basically, what is normal, when I should be worried, and please help me to understand the basics of this.
nyet
« Reply #104 on: June 16, 2019, 02:43:24 PM »
This is why it is pointless to modify tuned ecus. You have no idea what the person was trying to do.
Revert to stock, start from there.