360trev
« Reply #30 on: January 20, 2013, 03:26:09 AM »
Using this technique I discovered there are around 3800 functions in the typical ROM dump of these ECUs and that a very large proportion of routines are shared across many of the variants... I.e. identical apart from location and reloc information...

Joe_Jinkx
« Reply #31 on: January 25, 2013, 03:29:23 PM »
> You use a hex editor to separate the file into two parts according to Andy.
> I disagree with Andy on this, and I think he is completely wrong. In my opinion the entire flash memory image is mapped to address 0x800000, and you don't split it at all. I don't think he sets up the DPP registers correctly, and he never maps in the internal ROM on the processor.
> If you ask me, you should load the entire flash memory image to address 0x800000 and set DPP0 to 0x204, DPP1 to 0x205, DPP2 to 0x0E0, and DPP3 to 0x003. Then RAM is located at 0x380000, with size 0x8000.
> Andy has always been hard to get a hold of, and I am not sure if he still works on ME7 projects.

I know this is a really old post to be replying to, but you are correct about the addressing. If you have the A2Ls you can verify this by looking for the Pst800000 and the Pst8E0000. The memory is contiguous so you don't really need to split it up. I do have a question about DPP0-DPP3. How do you figure out what the ECU is setting them to? I'm looking at the ME7.8.2 and I can't figure out what those registers have been set to.
Joe
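
Added example (not written by anyone in this thread): how a C166-family CPU turns a 16-bit data address into a physical address through the DPP registers, using the DPP values, flash base and RAM range quoted above. The function names are hypothetical, and the flash region has no upper bound here because the thread does not state the image size.

```python
PAGE_SIZE = 0x4000  # C166 data pages are 16 KiB (14 offset bits)

# Values quoted in the post above.
DPP = (0x204, 0x205, 0x0E0, 0x003)
FLASH_BASE = 0x800000
RAM_BASE, RAM_SIZE = 0x380000, 0x8000


def dpp_to_physical(addr16, dpp=DPP):
    """Bits 15-14 of the address select DPP0-3, bits 13-0 are the page offset."""
    if not 0 <= addr16 <= 0xFFFF:
        raise ValueError("data address must fit in 16 bits")
    page = dpp[addr16 >> 14] & 0x3FF  # a DPP register holds a 10-bit page number
    return page * PAGE_SIZE + (addr16 & (PAGE_SIZE - 1))


def region(phys):
    """Classify a physical address against the layout given in the thread."""
    if RAM_BASE <= phys < RAM_BASE + RAM_SIZE:
        return "ram"
    if phys >= FLASH_BASE:
        return "flash"  # upper bound depends on the image size (not stated)
    return "other"      # e.g. segment 0, where DPP3 = 0x003 points


def flash_file_offset(phys):
    """Offset into a flash image loaded whole at FLASH_BASE, else None."""
    return phys - FLASH_BASE if phys >= FLASH_BASE else None


def describe(addr16):
    """Return (dpp_index, physical_address, region, file_offset_or_None)."""
    phys = dpp_to_physical(addr16)
    return (addr16 >> 14, phys, region(phys), flash_file_offset(phys))


if __name__ == "__main__":
    for a in (0x1234, 0x4000, 0x8010, 0xFD00):
        idx, phys, reg, off = describe(a)
        print(f"{a:04X} -> DPP{idx} -> {phys:06X} {reg} file_off={off}")
```

With these values DPP2 (0x0E0) lands exactly on the RAM base 0x380000 and DPP3 (0x003) leaves addresses such as 0xFD00 unchanged in segment 0. The result only holds for code that runs with these DPP values loaded.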

fluke9
« Reply #32 on: April 08, 2013, 06:50:27 AM »
Anyone still working on this? I just dug out an old hard disk which has an IDA plugin on it I wrote like 3 years ago as a quick hack. It parses a DAMOS and labels everything in the bin with comments... If anyone is interested in this I could probably fix it up in a few days so it's usable. (hardcoded filenames and stuff, didn't bother...)

Axis
« Reply #33 on: April 08, 2013, 10:55:55 AM »
That sounds really useful. Please fix it. Does it also add comments to bits in a format like this: FD00.1? From what I know the only way to name these is to add a comment to the line (extracted from DAMOS). And since some of them appear MANY times it is a very time-consuming manual task.

fluke9
« Reply #34 on: April 08, 2013, 12:31:08 PM »
> That sounds really useful. Please fix it.

I will start a new thread when it's done.

> Does it also add comments to bits in format like this FD00.1 ?

That's actually a bug I need to fix, currently it names the bitfield after the first bit it finds in the DAMOS... I will change it to generate comments with all bits listed, if anyone knows a better way to do this please tell me.

Axis
« Reply #35 on: April 08, 2013, 12:38:30 PM »
> I will start a new thread when its done
> Thats actually a bug i need to fix, currently it names the bitfield after the first bit it finds in the damos... I will change it to generate comments with all bits listed, if anyone knows a better way to do this please tell me.

A comment with only the particular bit would be nice since they are easily identified as 1,2,3,4,10,20,30,40,100.... in the DAMOS. Rather large comments if it should list all 16 every time.

Jerry Tunin
« Reply #36 on: February 25, 2015, 10:50:33 AM »
Anything new with these plugins? Didn't really want to dig up an old thread but it mentions a lot of good starting points.

lulu2003
« Reply #37 on: May 24, 2015, 05:16:34 AM »
User 360trev supplied some source of obviously nice IDA plugins, but any compiled, ready-to-use code?

lulu2003
« Reply #38 on: June 08, 2015, 05:46:08 AM »
> It parses a DAMOS and labels everything in the bin with comments... If anyone is interested in this i could probably fix it up in few days so its usable. (hardcoded filenames and stuff, didnt bother...)

Yes, please. Bitwise naming would be challenging.

dragon187
« Reply #39 on: September 15, 2016, 09:48:05 AM »
Very interested in that too

nubcake
« Reply #40 on: September 15, 2016, 01:38:25 PM »
> Very interested in that too

Actually it's fairly easy to implement basic (RAM vars & ROM values) renaming by "semi-manually" parsing the A2L for "name+offset", then feeding it into the modified "parse .ecu" of the autoit script. Or at least that's how I do it to create "reference" binaries. There are better ways ofc, i.e. using python.
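
Added example (not nubcake's script or any code from this thread): one way to pull "name + address" pairs out of an A2L with Python, covering MEASUREMENT blocks (RAM variables, via ECU_ADDRESS) and CHARACTERISTIC blocks (ROM values, via the positional address field). The sample A2L text, its names and addresses are constructed, and the function names and the "ADDRESS NAME" output format are assumptions.

```python
import re

# Constructed A2L fragment; every name and address here is made up.
SAMPLE_A2L = r'''
/begin MEASUREMENT nmot_w "Engine speed"
  UWORD CM_nmot 1 100 0 10200
  ECU_ADDRESS 0x380A12
/end MEASUREMENT
/begin CHARACTERISTIC KFZW.1 "Map, text with /begin inside"
  MAP 0x81C3F0 KfLayout 0 CM_zw -96 96
/end CHARACTERISTIC
/begin MEASUREMENT no_addr "Virtual signal" UBYTE CM_x 1 100 0 255
/end MEASUREMENT
'''

# A quoted string is one token, so keywords inside descriptions are ignored.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')
KINDS = ("MEASUREMENT", "CHARACTERISTIC")


def parse_a2l_symbols(text):
    """Return sorted (address, safe_name, kind) tuples for blocks with an address."""
    toks = TOKEN.findall(text)
    found, i = [], 0
    while i < len(toks) - 1:
        if toks[i] == "/begin" and toks[i + 1] in KINDS:
            kind, end = toks[i + 1], i + 2
            while end < len(toks) - 1 and toks[end:end + 2] != ["/end", kind]:
                end += 1
            body = toks[i + 2:end]
            raw = None
            if kind == "CHARACTERISTIC" and len(body) > 3:
                raw = body[3]  # fields: Name, LongIdentifier, Type, Address
            elif kind == "MEASUREMENT" and "ECU_ADDRESS" in body[:-1]:
                raw = body[body.index("ECU_ADDRESS") + 1]
            try:
                addr = int(raw, 0) if raw is not None else None
            except ValueError:
                addr = None  # malformed address field: skip the block
            if addr is not None:
                # Conservative choice: keep names to [A-Za-z0-9_].
                found.append((addr, re.sub(r"\W", "_", body[0]), kind))
            i = end
        i += 1
    return sorted(found)


def as_rename_lines(symbols):
    """One 'ADDRESS NAME' line per symbol, for a rename script to consume."""
    return [f"{addr:06X} {name}" for addr, name, _ in symbols]
```

Blocks without an address (the third sample block) are skipped rather than renamed to address 0.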

unicornux
« Reply #41 on: December 19, 2019, 03:00:16 AM »
> Bosch ME7 IDA Plugin
> This was written by Andy Whittaker to help with initial disassembly setup when dealing with the ME7.

I downloaded this file and copied it into my IDA plugin path, but nothing is shown in IDA and the plugin menu. What is the problem? Help me please. Thanks.

fluke9
« Reply #42 on: December 23, 2019, 03:17:05 AM »
> i downloded this file and copy in my ida plugin path but nothing shown in ida and plugin menu. what is problem. help me please. thanks.

Does your IDA version match? Andy's plugin is for older versions of IDA Pro, I think 6.x.