dikidera
« Reply #2010 on: January 08, 2023, 02:59:39 PM »
> @dikidera Here is an A6 list made from tables in your CPU and External Flash files. I'm not sure what you have seen in your files.
You have experience with EDC and its similarities to the params (and their layout), so you were better able to understand the data in the external memories. In Denso there were no references to the data, as the code is in the unmarked chip that handles the A6 command and most other CAN communication (my theory, but supported by the lack of code calling the HCAN controller beyond the PBL commands). Thank you for the compiled list. The Denso ECU has code in:
- SH7055 internal ROM - I have a dump
- External flash 29LV200BC - I have a dump
- The undocumented MCU - I do not have a dump
So I only have 2/3 of the picture.
« Last Edit: January 08, 2023, 03:10:45 PM by dikidera »

rkam
« Reply #2011 on: January 08, 2023, 03:20:30 PM »
@dikidera I have used your .idb. So at least what I call D2 protocol is there.
daniel2345
« Reply #2012 on: January 08, 2023, 03:23:05 PM »
You are on the wrong way. HCAN is referenced via indirect addressing in the application layer. The unknown chip is an external watchdog/external safety layer. Just because you can load a bin in IDA doesn't mean you get full understanding of what's going on. @rkam: still on the Volvo path after all these years?
« Last Edit: January 08, 2023, 03:26:20 PM by daniel2345 »

rkam
« Reply #2013 on: January 08, 2023, 03:47:54 PM »
@daniel2345 Volvo is the best :-) I have a 2007 XC70 now, so there is plenty to look into if I want. But I've been spending more time on other activities for some years now. Once in a while I take a look at the 32kB Motronic 1.8 file from my 960, but then I get lost in other, more interesting stuff. The reason I started looking at an old Denso unit lying around was that I noticed the PBL commands in a Nissan X-trail were more or less identical.
rkam
« Reply #2014 on: January 08, 2023, 03:56:52 PM »
One problem with IDA is that there are many ways to jump to a program position that IDA cannot figure out. One trick may be to change the return address while you are in a subroutine. When you issue the return command, you then end up in a different spot than where you came from. Jump tables are also not easy to view or follow.
This way it is difficult to figure out the program flow. At least for me. But one day I will figure out the whole 32kB of M1.8 :-)
dikidera
« Reply #2015 on: January 08, 2023, 04:07:39 PM »
> You are on the wrong way. HCAN is referenced via indirect addressing in the application layer. The unknown chip is an external watchdog/external safety layer. Just because you can load a bin in IDA doesn't mean you get full understanding of what's going on. @rkam: still on the Volvo path after all these years?
Well thank you. I am no stranger to reverse engineering, but it was always on x86, and you *almost* cannot hide data from dynamic execution there, but it's different here. I cannot place breakpoints, I cannot single step, so if indirect addressing happens, I cannot know it without executing. But I believe you, I have seen the SH compilers outputting code like so: address (say an IO register) and then, rather than storing another adjacent MMIO, it does <address + 4>.
t6
« Reply #2016 on: January 09, 2023, 01:12:54 PM »
Can any colleagues share maps.kp for QHHJ?
rlinewiz
« Reply #2018 on: January 12, 2023, 02:16:58 PM »
Woah, that's high! Makes me nervous.
2005 S60R M66-Swapped // Self-tuned @ 22psi [[forever coding for the OpenMoose project]]

dikidera
« Reply #2019 on: January 12, 2023, 02:33:28 PM »
> Woah, that's high! Makes me nervous.
It wouldn't like them?
rlinewiz
« Reply #2020 on: January 13, 2023, 09:29:42 AM »
> It wouldn't like them?
I'm just really paranoid... the kind of person to baby my car. Redline is where bad things always happen to me, haha.
2005 S60R M66-Swapped // Self-tuned @ 22psi [[forever coding for the OpenMoose project]]

t6
« Reply #2021 on: January 13, 2023, 11:33:37 AM »
> Can any colleagues share maps.kp for QHHJ?
Maybe one of the colleagues has a WinOLS file for QHHJ manual EU.
BaxtR
« Reply #2022 on: January 13, 2023, 07:38:29 PM »
> Maybe one of the colleagues has a WinOLS file for QHHJ manual EU.
Sorry mate, looks like you're going to have to learn IDA...
2007 Volvo S60R, PT6266 BB, 1700x ID Injectors, Walbro525. Halme Built manifold and exhaust #BaxtrPerformance

rlinewiz
« Reply #2023 on: January 16, 2023, 09:28:03 PM »
Does anyone know the address for reading the clutch pedal sensor?
2005 S60R M66-Swapped // Self-tuned @ 22psi [[forever coding for the OpenMoose project]]

prometey1982
« Reply #2024 on: January 16, 2023, 10:05:07 PM »
> Does anyone know the address for reading the clutch pedal sensor?
It depends on hardware. For example, for EC.2 ECM it should be here:

    ROM:000408B8    mov   r2, F_AD11          ; F_AD11 = 0xF2C6
    ROM:000408BC    and   r2, #3FFh
    ROM:000408C0    mov   word_30198E, r2

Next is an example from 50WRHJ software. This variable is used here:

    ROM:00076AA4    mov   r4, word_30198E
    ROM:00076AA8    shr   r4, #2
    ROM:00076AAA    movb  byte_3015C1, rl4

Then here:

    ROM:000CAD6E    movb  rl1, byte_3015C1
    ROM:000CAD72    cmpb  rl1, byte_1458D     ; looks like threshold for clutch pressed state
    ROM:000CAD76    jmpr  cc_ULE, loc_CAD7C

And later the B_kuppl bit is set:

    ROM:000CADC0    bset  word_FD64.9         ; 9 - B_kuppl - clutch pressed
    ROM:000CADC2    bset  word_FD64.10        ; 9 - B_kuppl - clutch pressed
« Last Edit: January 16, 2023, 10:09:26 PM by prometey1982 »

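As an added illustration of how the quoted C166 instruction chain can be read (this is not code from the post, from the ECU firmware, or from any project; it is a C model written for this page), the following program walks the three stages: the 10-bit ADC read masked with 0x3FF, the shift right by 2 that turns it into the byte stored in byte_3015C1, and the cmpb/jmpr cc_ULE comparison against byte_1458D. The register and label names are taken from the post; the threshold value, the sample ADC readings, the meaning of bit 10, and the assumption that the bset path is the one where the cc_ULE branch is NOT taken (reading above the threshold) are constructed for the example and are not established by the post.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the instruction chain quoted in the post above. Label names
 * follow the post's IDA database; the threshold and the sample readings in
 * main() are constructed stand-ins, not values from a real ROM. */

#define B_KUPPL_BIT 9u   /* bit 9 of word_FD64 = B_kuppl (clutch pressed), per the post */
#define FD64_BIT10  10u  /* bit 10 is also set at ROM:000CADC2; its meaning is not given */

/* ROM:000408B8..000408C0
 *   mov  r2, F_AD11      ; F_AD11 is read as a 10-bit ADC result register here
 *   and  r2, #3FFh       ; keep the low 10 bits
 *   mov  word_30198E, r2 */
uint16_t store_ad11_word(uint16_t f_ad11_raw)
{
    return f_ad11_raw & 0x3FFu;
}

/* ROM:00076AA4..00076AAA
 *   mov  r4, word_30198E
 *   shr  r4, #2            ; 10-bit value (0..1023) -> 8-bit value (0..255)
 *   movb byte_3015C1, rl4  ; rl4 is the low byte of r4 */
uint8_t scale_to_byte(uint16_t word_30198E)
{
    return (uint8_t)(word_30198E >> 2);
}

/* ROM:000CAD6E..000CAD76
 *   movb rl1, byte_3015C1
 *   cmpb rl1, byte_1458D
 *   jmpr cc_ULE, loc_CAD7C
 * cc_ULE is the C166 "unsigned less than or equal" condition, so the branch
 * is taken when byte_3015C1 <= byte_1458D. */
bool jmpr_cc_ule_taken(uint8_t byte_3015C1, uint8_t byte_1458D)
{
    return byte_3015C1 <= byte_1458D;
}

/* ROM:000CADC0 / ROM:000CADC2: bset word_FD64.9 ; bset word_FD64.10
 * ASSUMPTION (not stated in the post): the bits are set on the path where the
 * branch is not taken (reading above the threshold) and cleared otherwise. */
uint16_t update_word_FD64(uint16_t word_FD64, uint16_t f_ad11_raw, uint8_t byte_1458D)
{
    uint8_t  byte_3015C1 = scale_to_byte(store_ad11_word(f_ad11_raw));
    uint16_t mask = (uint16_t)((1u << B_KUPPL_BIT) | (1u << FD64_BIT10));

    if (jmpr_cc_ule_taken(byte_3015C1, byte_1458D))
        return (uint16_t)(word_FD64 & (uint16_t)~mask); /* at/below threshold: released (assumed) */
    return (uint16_t)(word_FD64 | mask);                /* above threshold: B_kuppl set */
}

/* Test helper: is B_kuppl (bit 9) set in the status word? */
bool b_kuppl_set(uint16_t word_FD64)
{
    return ((word_FD64 >> B_KUPPL_BIT) & 1u) != 0;
}

int main(void)
{
    const uint8_t  threshold = 0x40;   /* constructed stand-in for byte_1458D */
    /* constructed raw F_AD11 values; 0xFFFF shows the effect of the 0x3FF mask */
    const uint16_t samples[] = { 0x0000, 0x0100, 0x0104, 0x03FF, 0xFFFF };
    uint16_t word_FD64 = 0;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        word_FD64 = update_word_FD64(word_FD64, samples[i], threshold);
        printf("F_AD11=0x%04X -> byte_3015C1=0x%02X -> B_kuppl=%d\n",
               samples[i], scale_to_byte(store_ad11_word(samples[i])),
               b_kuppl_set(word_FD64) ? 1 : 0);
    }
    return 0;
}
```

The model only encodes what the three quoted fragments show; whether the real firmware clears the bit on the other path, debounces the input, or gates it on something else is not visible in the post, which is why the branch polarity is marked as an assumption.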