Pages: 1 ... 5 6 [7]
Author Topic: ME7Sum: Open Source Checker/Corrector for ME7  (Read 57887 times)
nyet
Administrator
Hero Member
*****

Karma: +392/-47
Offline Offline

Posts: 8982


WWW
« Reply #90 on: August 24, 2018, 08:31:22 AM »

This is FANTASTIC... i'd prefer a (working) pull request over a patch though Smiley
Logged

ME7.1 tuning guide (READ FIRST)
ECUx Plot
ME7Sum checksum checker/corrrector for ME7.x

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience.
360trev
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 122


« Reply #91 on: August 24, 2018, 08:31:55 AM »

Fixed the missing detection of multipoint, it was I need to correct the mask on the segment !

const unsigned char mask_3[] = {

 MASK, MASK, SKIP, SKIP,     // mov r4, var_Y
 MASK, MASK, SKIP, SKIP,     // mov r5, var_Y
MASK, MASK, SKIP, SKIP,    // extp #XXXXh, #2                <--- * this is the segment offset (should be 0x21f in 512kb & 0x23f in 1024kb ROM)


Just change 3rd line for SKIP SKIP on last 2 entries... and it works for both 512kbyte and 1024kbyte roms...

Opening '06A906032DS 0261207080 360930' file
Succeded loading file.

>>> Scanning for Main ROM Checksum sub-routine #1 [to extract Start/End regions]
main checksum byte sequence #1 found at offset=0x880b8.

Main Region Block #1:
        lo:0x1dfc0 hi:0x1dfc2 (seg: 0x207 phy:0x81dfc0) : 0x800000
        lo:0x1dfc4 hi:0x1dfc6 (seg: 0x207 phy:0x81dfc4) : 0x80fbff sum=48cf9ca6 ~sum=b7306359 : acc_sum=0
Main Region Block #2:
        lo:0x1dfc8 hi:0x1dfca (seg: 0x207 phy:0x81dfc8) : 0x820000
        lo:0x1dfcc hi:0x1dfce (seg: 0x207 phy:0x81dfcc) : 0x8fffff sum=4851122c ~sum=b7aeedd3 : acc_sum=48cf9ca6

Final Main ROM Checksum calculation:  0x9120aed2 (after 2 rounds)
Final Main ROM Checksum calculation: ~0x6edf512d



>>> Scanning for Main ROM Checksum sub-routine #2 [to extract stored checksums and locations in ROM]
main checksum byte sequence #2 block found at offset=0x88160.

Stored Main ROM Block Checksum:
        lo:0xfffe0 hi:0xfffe2 (seg: 0x23f phy:0x8fffe0) : 0x9120aed2
Stored Main ROM Block ~Checksum:
        lo:0xfffe4 hi:0xfffe6 (seg: 0x23f phy:0x8fffe4) : 0x6edf512d
MAIN STORED ROM  CHECKSUM: 9120aed2 ? 9120aed2 : OK!     ~CHECKSUM: 6edf512d ? 6edf512d : OK!


>>> Scanning for Multipoint Checksum sub-routine #1 [to extract stored checksum list location in ROM]
Multipoint byte sequence #1 block found at offset=0x8b854.

Blk #01:
        lo:0x1fbde (seg: 0x207 phy:0x81fbde) : Start: 0x00000000
        lo:0x1fbe2 (seg: 0x207 phy:0x81fbe2) : End:   0x00003fff
        lo:0x1fbe6 (seg: 0x207 phy:0x81fbe6) : CRC32: 0x0fa0f5cf
        lo:0x1fbea (seg: 0x207 phy:0x81fbea) : ~CRC32 0xf05f0a30 Bootblock #1 ram/rom offset: 0x00000000 len=0x3fff
Blk #02:
        lo:0x1fbee (seg: 0x207 phy:0x81fbee) : Start: 0x00004000
        lo:0x1fbf2 (seg: 0x207 phy:0x81fbf2) : End:   0x00007fff
        lo:0x1fbf6 (seg: 0x207 phy:0x81fbf6) : CRC32: 0x0f4716b3
        lo:0x1fbfa (seg: 0x207 phy:0x81fbfa) : ~CRC32 0xf0b8e94c Bootblock #2 ram/rom offset: 0x00004000 len=0x3fff
Blk #03:
        lo:0x1fbfe (seg: 0x207 phy:0x81fbfe) : Start: 0x00800000
        lo:0x1fc02 (seg: 0x207 phy:0x81fc02) : End:   0x00803fff
        lo:0x1fc06 (seg: 0x207 phy:0x81fc06) : CRC32: 0x0fa0f5cf
        lo:0x1fc0a (seg: 0x207 phy:0x81fc0a) : ~CRC32 0xf05f0a30 rom offset: 0x00000000 len=0x3fff

... cut ... cut ...
Logged
360trev
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 122


« Reply #92 on: August 24, 2018, 08:33:56 AM »

This is FANTASTIC... i'd prefer a (working) pull request over a patch though Smiley

Just going out to dinner now but I will come back to you...

I'm going to need to work out how to do it on the old ME7sum (your version) since this is completely new code. Shouldn't be too hard though...
Logged
360trev
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 122


« Reply #93 on: August 29, 2018, 01:36:04 AM »

@ Nyet... Haven't been sleeping. Noticed that there are a few more variants of the checksum routines I could support so I've now got it working with Volvo roms too which took a little bit more effort since they don't use the same rombase addressing so I had to work out a way to do it without using hardcoded rombase addresses!!

Here's a sample output on a Volvo ROM I downloaded from here..


Ý Opening 'VOLVO S60R_AUT 2.5L B5254T4 300HP NoCarPartNo 0261208289 30684626A.bin' file
Succeded loading file.

Loaded ROM: Tool in 1Mb Mode

>>> Scanning for Main ROM Checksum sub-routine #1 [to extract Start/End regions]
main checksum byte sequence #1 found at offset=0xe3040.

Main Region Block #1:
        lo:0x2c882 hi:0x2c884 (seg: 0xb phy:0x2c882) : 0xc000
        lo:0x2c886 hi:0x2c888 (seg: 0xb phy:0x2c886) : 0xdfff sum=41c6b73 ~sum=fbe3948c : acc_sum=0
Main Region Block #2:
        lo:0x2c88a hi:0x2c88c (seg: 0xb phy:0x2c88a) : 0x10b00
        lo:0x2c88e hi:0x2c890 (seg: 0xb phy:0x2c88e) : 0x1f7ff sum=1ba41a95 ~sum=e45be56a : acc_sum=41c6b73
Main Region Block #3:
        lo:0x2c892 hi:0x2c894 (seg: 0xb phy:0x2c892) : 0x1fc00
        lo:0x2c896 hi:0x2c898 (seg: 0xb phy:0x2c896) : 0xfffef sum=facf8c86 ~sum=5307379 : acc_sum=1fc08608

Final Main ROM Checksum calculation:  0x1a90128e (after 3 rounds)
Final Main ROM Checksum calculation: ~0xe56fed71



>>> Scanning for Main ROM Checksum sub-routine #2 variant #A [to extract stored checksums and locations in ROM] No match found
main checksum byte sequence #2 not found
Trying different variant.

>>> Scanning for Main ROM Checksum sub-routine #2 variant #B [to extract stored checksums and locations in ROM]
main checksum byte sequence #2 variant #B block found at offset=0xe30ce.

Stored Main ROM Block Checksum:
        lo:0xffff0 hi:0xffff2 (seg: 0x3f phy:0xffff0) : 0x1a90128e
Stored Main ROM Block ~Checksum:
        lo:0xffff4 hi:0xffff6 (seg: 0x3f phy:0xffff4) : 0xe56fed71
MAIN STORED ROM  CHECKSUM: 1a90128e ? 1a90128e : OK!     ~CHECKSUM: e56fed71 ? e56fed71 : OK!
Logged
DT
Full Member
***

Karma: +8/-1
Offline Offline

Posts: 138


« Reply #94 on: August 29, 2018, 02:48:28 PM »

Nice, this needle mask routine could be very useful for finding other routines between different files too.
Logged
360trev
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 122


« Reply #95 on: August 29, 2018, 02:59:52 PM »

Nice, this needle mask routine could be very useful for finding other routines between different files too.

That's exactly the way I'm using it. My latest ME7Sum tool is now working across multiple different (normally incompatible) checksummed rom's including both 512kbyte and 1024kbyte. Each with different rom base addresses, etc. Totally different locations, numbers of multipoint sums and numbers of entries. I now extract EVERYTHING directly out of the machine code include number of entries in the tables. Check out the latest log output on a Volvo rom (originally unsupported) but also working on Ferrari, Alfa, VAG, etc... Pretty much everything that's built with Siemens C167 that I've tried so far...


Opening 'VOLVO S60R_AUT 2.5L B5254T4 300HP NoCarPartNo 0261208289 30684626A.bin' file
Succeded loading file.

Loaded ROM: Tool in 1Mb Mode

>>> Scanning for Main ROM Checksum sub-routine #1 [to extract number of entries in table]
main checksum byte sequence #1 found at offset=0xe307c.
Found #3 Regional Block Entries in table

>>> Scanning for Main ROM Checksum sub-routine #2 [to extract Start/End regions]

main checksum byte sequence #1 found at offset=0xe3040.

Main Region Block #1:
        lo:0x2c882 hi:0x2c884 (seg: 0xb phy:0x2c882) : 0xc000
        lo:0x2c886 hi:0x2c888 (seg: 0xb phy:0x2c886) : 0xdfff sum=41c6b73 ~sum=fbe3948c : acc_sum=0
Main Region Block #2:
        lo:0x2c88a hi:0x2c88c (seg: 0xb phy:0x2c88a) : 0x10b00
        lo:0x2c88e hi:0x2c890 (seg: 0xb phy:0x2c88e) : 0x1f7ff sum=1ba41a95 ~sum=e45be56a : acc_sum=41c6b73
Main Region Block #3:
        lo:0x2c892 hi:0x2c894 (seg: 0xb phy:0x2c892) : 0x1fc00
        lo:0x2c896 hi:0x2c898 (seg: 0xb phy:0x2c896) : 0xfffef sum=facf8c86 ~sum=5307379 : acc_sum=1fc08608

Final Main ROM Checksum calculation:  0x1a90128e (after 3 rounds)
Final Main ROM Checksum calculation: ~0xe56fed71


>>> Scanning for Main ROM Checksum sub-routine #3 variant #A [to extract stored checksums and locations in ROM]
No match found
main checksum byte sequence #3 variant #A not found
Trying different variant.

>>> Scanning for Main ROM Checksum sub-routine #3 variant #B [to extract stored checksums and locations in ROM]

main checksum byte sequence #3 variant #B block found at offset=0xe30ce.

Stored Main ROM Block Checksum:
        lo:0xffff0 hi:0xffff2 (seg: 0x3f phy:0xffff0) : 0x1a90128e
Stored Main ROM Block ~Checksum:
        lo:0xffff4 hi:0xffff6 (seg: 0x3f phy:0xffff4) : 0xe56fed71

MAIN STORED ROM  CHECKSUM: 0x1a90128e ? 0x1a90128e : OK!         ~CHECKSUM: 0xe56fed71 ? 0xe56fed71 : OK!



>>> Scanning for Multipoint Checksum sub-routine #1 [to extract number entries in stored checksum list in ROM]
Multipoint byte sequence #1 block found at offset=0xe151e.
Found #64 Multipoint Entries in table
>>> Scanning for Multipoint Checksum sub-routine #2 [to extract address of stored checksum list location in ROM]
Multipoint byte sequence #2 block found at offset=0xe17a0.

Blk #01:
        lo:0x1f800 (seg: 0x7 phy:0x1f800) : Start: 0x00000000
        lo:0x1f804 (seg: 0x7 phy:0x1f804) : End:   0x000001ff
        lo:0x1f808 (seg: 0x7 phy:0x1f808) : CRC32: 0x00407600
        lo:0x1f80c (seg: 0x7 phy:0x1f80c) : ~CRC32 0xffbf89ff
Blk #02:
        lo:0x1f810 (seg: 0x7 phy:0x1f810) : Start: 0x00000000
        lo:0x1f814 (seg: 0x7 phy:0x1f814) : End:   0x000001ff
        lo:0x1f818 (seg: 0x7 phy:0x1f818) : CRC32: 0x00407600
        lo:0x1f81c (seg: 0x7 phy:0x1f81c) : ~CRC32 0xffbf89ff
Blk #03:
        lo:0x1f820 (seg: 0x7 phy:0x1f820) : Start: 0x00008000
        lo:0x1f824 (seg: 0x7 phy:0x1f824) : End:   0x0000bfff
        lo:0x1f828 (seg: 0x7 phy:0x1f828) : CRC32: 0x0ec1a3cb
        lo:0x1f82c (seg: 0x7 phy:0x1f82c) : ~CRC32 0xf13e5c34

... cut .... cut ...... cut .... cut ...... cut .... cut ...... cut .... cut ...


Logged
360trev
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 122


« Reply #96 on: August 29, 2018, 03:59:42 PM »

Its pretty much still a work in progress (the new code will be retrofitted into latest Nyet ME7sum soon). If you want to try it out (or look at the source-code) here's a google drive share to it...

https://drive.google.com/open?id=1ajZYirUtiD7XBqXVrtv2flcoGsroUxZm

Logged
nyet
Administrator
Hero Member
*****

Karma: +392/-47
Offline Offline

Posts: 8982


WWW
« Reply #97 on: August 29, 2018, 04:06:31 PM »

Please, do not do it this way. Github exists for a reason, and posting source code in dropbox or gdrive is pure insanity.
Logged

ME7.1 tuning guide (READ FIRST)
ECUx Plot
ME7Sum checksum checker/corrrector for ME7.x

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience.
nyet
Administrator
Hero Member
*****

Karma: +392/-47
Offline Offline

Posts: 8982


WWW
« Reply #98 on: August 29, 2018, 04:07:23 PM »

You should already be making these changes, incrementally, under source control, based on an upstream repository.
Logged

ME7.1 tuning guide (READ FIRST)
ECUx Plot
ME7Sum checksum checker/corrrector for ME7.x

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience.
360trev
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 122


« Reply #99 on: August 29, 2018, 08:32:57 PM »

nyet, your absolutely right, it actually is already under github, just didn't yet check latest version upsteam. Done now.

Here it is here;

https://github.com/360trev/ME7RomTool_Ferrari

Its not the same tool as me7sum as its going to do more than sum. I think we need to make a option to build the summing code as a shared library to be used by other kinds of tools in the future.
Logged
nyet
Administrator
Hero Member
*****

Karma: +392/-47
Offline Offline

Posts: 8982


WWW
« Reply #100 on: August 30, 2018, 08:52:22 AM »

Thanks, looking over it now. Merging is not going to be easy :/
Logged

ME7.1 tuning guide (READ FIRST)
ECUx Plot
ME7Sum checksum checker/corrrector for ME7.x

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your experience.
360trev
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 122


« Reply #101 on: August 30, 2018, 10:41:55 PM »

Thanks, looking over it now. Merging is not going to be easy :/

I'd recommend just taking the sections of code which deal with the needles and substitue the hard coded assumed addresses.
Really this is the biggest difference between original and the new approach. Every address is discovered from probing the machine code itself and pulling out the necessary information.
Logged
360trev
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 122


« Reply #102 on: September 03, 2018, 03:53:55 PM »

Done quite a few updates today!

It can now identify a few more variants/strains of routine as well as detecting and then pulling the correct DPPx register out of a given rom. This makes it quite a bit easier to set things up for correct reversing. Also added the ability to do the calculations of the multipoints now too as well as finding the xorCalcuationTable in a given rom (if it exists) and dumping its xortable too Wink...

Have fun Wink

Here's what dppx analysis looks like...

Loaded ROM: Tool in 1Mb Mode

-[ DPPx Setup Analysis ]-----------------------------------------------------------------

>>> Scanning for Main ROM DPPx setup #1 [to extract dpp0, dpp1, dpp2, dpp3 from rom]
main rom dppX byte sequence #1 found at offset=0x64a6.

dpp0: 0x0000
dpp1: 0x0205
dpp2: 0x00e0
dpp3: 0x0003 (DPP3 is always 3, otherwise accessing CPU register area not possible)

Logged
Pages: 1 ... 5 6 [7]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.023 seconds with 17 queries. (Pretty URLs adds 0.001s, 0q)