|
prometey1982
|
 |
« Reply #2205 on: March 06, 2023, 10:05:44 PM »
|
|
|
Could you please point me to where I could find CDTES (and CDLDP?) in a QKHJ file? I haven't come across an EU QKHJ bin yet to compare with either... My ESKONF looks like this: My QKHJ US
0C 00 0C F0 00 FC 00
GPHJ US:
0C 00 3C F0 00 FC 00
GPHJ EU:
0C 00 3C FC 00 FC 33
Would changing the 4th byte to FC and 7th byte to 33 do the trick? Thanks! Set ESKONF from EN version fully. But CDTES is not inside ESKONF. It's inside 0x18000-0x180XX configuration block. |
|
|
|
|
Logged
|
|
|
|
Cheekano
Full Member
Karma: +4/-1
 Offline
Posts: 60
|
|
« Reply #2206 on: March 07, 2023, 08:27:47 AM »
|
|
|
deleted-
|
|
|
|
« Last Edit: March 07, 2023, 08:45:41 AM by Cheekano »
|
Logged
|
|
|
|
t6
Full Member
Karma: +0/-5
Offline
Posts: 54
|
|
« Reply #2207 on: March 11, 2023, 05:59:33 AM »
|
|
|
Does anyone have RAM variables for QKHJ?
|
|
|
|
|
Logged
|
|
|
|
dikidera
Full Member
Karma: +7/-6
Offline
Posts: 131
|
|
« Reply #2208 on: March 11, 2023, 06:33:20 AM »
|
|
|
US version e.g. has Leak Detection Pump, EU doesn't have.
DTC: ECM-4010, ECM-4024
This was useful information to know. At least for me. |
|
|
|
|
Logged
|
|
|
|
rkam
Full Member
Karma: +4/-0
Offline
Posts: 55
|
|
« Reply #2209 on: March 11, 2023, 03:35:58 PM »
|
|
|
Detected RAM from A6 identifier offset table at C4DA in Volvo S60R 2003-4 Man (Original).bin
|
|
|
|
|
Logged
|
|
|
|
t6
Full Member
Karma: +0/-5
Offline
Posts: 54
|
|
« Reply #2210 on: March 12, 2023, 04:47:51 AM »
|
|
|
You can just disable leaks diagnostics. Or check US and EN ESKONFs. I just set CDTES to 0.
Thanks, changed ESKONF everything works as in EU |
|
|
|
« Last Edit: March 12, 2023, 05:07:32 AM by t6 »
|
Logged
|
|
|
|
t6
Full Member
Karma: +0/-5
Offline
Posts: 54
|
|
« Reply #2211 on: March 12, 2023, 04:49:31 AM »
|
|
|
Detected RAM from A6 identifier offset table at C4DA in Volvo S60R 2003-4 Man (Original).bin
Thank you |
|
|
|
|
Logged
|
|
|
|
rlinewiz
Jr. Member
Karma: +12/-1
Offline
Posts: 42
|
|
« Reply #2212 on: March 12, 2023, 08:14:50 AM »
|
|
|
Detected RAM from A6 identifier offset table at C4DA in Volvo S60R 2003-4 Man (Original).bin
such a treasure trove of information, is there one like this for any of the GxHJ bins? or rather how you extrapolated this information? |
|
|
|
« Last Edit: March 12, 2023, 08:23:14 AM by rlinewiz »
|
Logged
|
2005 S60R M66-Swapped // Self-tuned @ 22psi
[[forever coding for the OpenMoose project]]
|
|
|
rkam
Full Member
Karma: +4/-0
Offline
Posts: 55
|
|
« Reply #2213 on: March 12, 2023, 10:22:16 AM »
|
|
|
See post #2050
|
|
|
|
|
Logged
|
|
|
|
rlinewiz
Jr. Member
Karma: +12/-1
Offline
Posts: 42
|
|
« Reply #2214 on: March 12, 2023, 10:33:24 AM »
|
|
|
See post #2050
huge thanks. i'm still trying to learn c167 but this is all fascinating [edit] i got the first part figured out, but the data im getting appears strange and doesn't correlate to subroutines.. 1000: 37EC 1001: 0024 1002: 002A 1003: 0032 1004: 0042 1005: 0048 and so on [edit again] I see now they are offsets, how clever |
|
|
|
« Last Edit: March 12, 2023, 11:50:11 AM by rlinewiz »
|
Logged
|
2005 S60R M66-Swapped // Self-tuned @ 22psi
[[forever coding for the OpenMoose project]]
|
|
|
rkam
Full Member
Karma: +4/-0
Offline
Posts: 55
|
|
« Reply #2215 on: March 12, 2023, 02:23:56 PM »
|
|
|
I've probably reinstalled Windows XP a few times since I wrote the explanation in Post #2050 sending it to John,
so I couldn't find the file it was related to.
But I found another file test7.bin in my readme7 folder that was similar.
These files had direct addresses, and not offsets.
The QKHJ has an offset table.
Edit. Or maybe they are the same. Just different starting point and position.
|
|
|
|
« Last Edit: March 12, 2023, 03:02:08 PM by rkam »
|
Logged
|
|
|
|
rlinewiz
Jr. Member
Karma: +12/-1
Offline
Posts: 42
|
|
« Reply #2216 on: March 12, 2023, 06:34:41 PM »
|
|
|
Yeah I'm looking at GPHJ right now, seems the base address is 0x60000 and the table at C4FC returns a list of offsets. Whats more interesting is that IDA is screwing up the ram addresses: ROM:000603EA C2 F4 F8 96 movbz r4, 96F8h ; 31D6F8h
ROM:000603EE DB 00 rets
ROM:000603F0 ; ---------------------------------------------------------------------------
ROM:000603F0 C2 F4 F9 96 movbz r4, 96F9h ; 31D6F9h
ROM:000603F4 DB 00 rets
ROM:000603F6 ; ---------------------------------------------------------------------------
ROM:000603F6 C2 F4 FA 96 movbz r4, 96FAh ; 31D6FAh
ROM:000603FA DB 00 rets
ROM:000603FC ; ---------------------------------------------------------------------------
ROM:000603FC C2 F4 FB 96 movbz r4, 96FBh ; 31D6FBh
ROM:00060400 DB 00 rets
ROM:00060402 ; ---------------------------------------------------------------------------
ROM:00060402 C2 F4 FC 96 movbz r4, 96FCh ; 31D6FCh
ROM:00060406 DB 00 rets
ROM:00060408 ; ---------------------------------------------------------------------------
ROM:00060408 C2 F4 FD 96 movbz r4, 96FDh ; 31D6FDh
ROM:0006040C DB 00 rets
ROM:0006040E ; ---------------------------------------------------------------------------
ROM:0006040E C2 F4 00 97 movbz r4, 9700h ; 31D700h
ROM:00060412 DB 00 rets
ROM:00060414 ; ---------------------------------------------------------------------------
ROM:00060414 C2 F4 01 97 movbz r4, 9701h ; 31D701h
ROM:00060418 DB 00 rets
in any case, assembling all this into an excel sheet with all the parameter names taken from vida is a loooooong process |
|
|
|
|
Logged
|
2005 S60R M66-Swapped // Self-tuned @ 22psi
[[forever coding for the OpenMoose project]]
|
|
|
rkam
Full Member
Karma: +4/-0
Offline
Posts: 55
|
|
« Reply #2217 on: March 13, 2023, 12:29:07 AM »
|
|
|
I made a visual basic macro in excel to extract four bytes from each subroutine.
When the first two bytes are C2 F4, I calculate the RAM address from the next two.
This is done by extracting and removing the DPP number from the two address bytes.
(The two highest bits in the two-byte address if I remember correctly. C167 can be a bit annoying.)
Most will have DPP number 2 and some DPP number 3.
DPP2 is probably 0xC0. 0xC0 multiplied with 0x4000 is 0x300000
DPP3 is probably 0x03. 0x03 multiplied with 0x4000 is 0xC000
You then add 0x300000 to the remaining address (lowest 14 bits) for the values using DPP2, and 0xC000 for the ones using DPP3.
This should give you addresses like 30xxxx and Fxxx.
96FB: 1011 0000 0001 0110 1111 1011
DPP: 10 = 2
16FB: 0011 0000 0001 0110 1111 1011
Assuming DPP2=C0: 16FB+300000=3016FB
|
|
|
|
« Last Edit: March 13, 2023, 12:40:38 AM by rkam »
|
Logged
|
|
|
|
keichi
Full Member
Karma: +10/-2
Offline
Posts: 67
|
|
« Reply #2218 on: March 13, 2023, 01:59:48 AM »
|
|
|
Yeah I'm looking at GPHJ right now, seems the base address is 0x60000 and the table at C4FC returns a list of offsets. Whats more interesting is that IDA is screwing up the ram addresses: ROM:000603EA C2 F4 F8 96 movbz r4, 96F8h ; 31D6F8h
ROM:000603EE DB 00 rets
ROM:000603F0 ; ---------------------------------------------------------------------------
ROM:000603F0 C2 F4 F9 96 movbz r4, 96F9h ; 31D6F9h
ROM:000603F4 DB 00 rets
ROM:000603F6 ; ---------------------------------------------------------------------------
ROM:000603F6 C2 F4 FA 96 movbz r4, 96FAh ; 31D6FAh
ROM:000603FA DB 00 rets
ROM:000603FC ; ---------------------------------------------------------------------------
ROM:000603FC C2 F4 FB 96 movbz r4, 96FBh ; 31D6FBh
ROM:00060400 DB 00 rets
ROM:00060402 ; ---------------------------------------------------------------------------
ROM:00060402 C2 F4 FC 96 movbz r4, 96FCh ; 31D6FCh
ROM:00060406 DB 00 rets
ROM:00060408 ; ---------------------------------------------------------------------------
ROM:00060408 C2 F4 FD 96 movbz r4, 96FDh ; 31D6FDh
ROM:0006040C DB 00 rets
ROM:0006040E ; ---------------------------------------------------------------------------
ROM:0006040E C2 F4 00 97 movbz r4, 9700h ; 31D700h
ROM:00060412 DB 00 rets
ROM:00060414 ; ---------------------------------------------------------------------------
ROM:00060414 C2 F4 01 97 movbz r4, 9701h ; 31D701h
ROM:00060418 DB 00 rets
in any case, assembling all this into an excel sheet with all the parameter names taken from vida is a loooooong process Make sue you set default segment registers in IDA: Edit->Segment->Set default segment register value for every DPP (for Volvo its. 0x4, 0x5, 0xC0, 0x3) Then IDA can calculate physical addres from any long address for you (DPP addresing mode) by pointing value with mouse for example click on 96FBh value and press CTRL+R then select Type:DPP (other fields leave default). You will get 3016FBh. To get back to default value click it and choose Undefine operand. General DPP calculation pattern is: dword(DPPx SHL 14) || word(addr AND 0x3FFF) |
|
|
|
|
Logged
|
|
|
|
t6
Full Member
Karma: +0/-5
Offline
Posts: 54
|
|
« Reply #2219 on: March 13, 2023, 03:40:30 AM »
|
|
|
dla "WCKD"
ESKONF adres 10B0E
US 0C 00 0C F0 00 FC 00 EU 0C 00 0C FC 00 FC CC
US 12 0 12 240 0 252 0 EU 12 0 12 252 0 252 204
|
|
|
|
|
Logged
|
|
|
|
|
