NefMoto > Technical > Reverse Engineering > Disassembling MED/EDC17
Pages: [1] 2 3 ... 7
« previous next »
Author Topic: Disassembling MED/EDC17  (Read 83719 times)
MIL_on
Full Member
***

Karma: +12/-2
Offline Offline

Posts: 119
« on: October 07, 2014, 02:43:27 AM »
Hi Guys,
i'm quite sure that this might be a interesting topic not only for me.
I tried to disassemble a known EDC17 File to find stuff like the DPF-switch and so on. But i couldnt find any Cross-references nor different adressing modes. So there are 2 possible faults: I did a fault while loading the stuff into IDA or i didnt understand the adressing yet.

Here is my route to this point:
I decided to analyze the EDC17CP14 File you find attached to this post (03L906022LH 504907 P680_I3WF).

While looking into an A2L of another EDC17CP14 we find the following adress ranges:

Code:
/begin MOD_PAR "EDC17CP14"
    VERSION "C750V3W4"
    ADDR_EPK 0x801A0A10
    EPK "35/1/EDC17_CP14/5/P750//C750V3W4///"
    CUSTOMER_NO "5"
    USER ""
    PHONE_NO ""
    ECU "EDC17_CP14"
    CPU_TYPE "TriCore"
    /begin MEMORY_SEGMENT Pst80004000 "" RESERVED FLASH INTERN 0x80004000 0xBC78 -1 -1 -1 -1 -1 

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x80004000
                /* mapping addr */ 0x4000
                /* length       */ 0xBC78
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst8000FC78 "" RESERVED FLASH INTERN 0x8000FC78 0x8C -1 -1 -1 -1 -1 

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x8000FC78
                /* mapping addr */ 0xFC78
                /* length       */ 0x8C
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst80010000 "" RESERVED FLASH INTERN 0x80010000 0x3F74 -1 -1 -1 -1 -1 

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x80010000
                /* mapping addr */ 0x10000
                /* length       */ 0x3F74
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst80013F74 "" RESERVED FLASH INTERN 0x80013F74 0x8C -1 -1 -1 -1 -1 

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x80013F74
                /* mapping addr */ 0x13F74
                /* length       */ 0x8C
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst80020000 "" CODE FLASH INTERN 0x80020000 0x15FF74 -1 -1 -1 -1 -1 

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x80020000
                /* mapping addr */ 0x20000
                /* length       */ 0x15FF74
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst8017FF74 "" RESERVED FLASH INTERN 0x8017FF74 0x8C -1 -1 -1 -1 -1 

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x8017FF74
                /* mapping addr */ 0x17FF74
                /* length       */ 0x8C
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst801FFF74 "" RESERVED FLASH INTERN 0x801FFF74 0x8C -1 -1 -1 -1 -1 

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x801FFF74
                /* mapping addr */ 0x1FFF74
                /* length       */ 0x8C
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst80180000 "" RESERVED FLASH INTERN 0x80180000 0x1FE74 -1 -1 -1 -1 -1 

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x80180000
                /* mapping addr */ 0x180000
                /* length       */ 0x1FE74
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst8019FE74 "" RESERVED FLASH INTERN 0x8019FE74 0x8C -1 -1 -1 -1 -1 

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x8019FE74
                /* mapping addr */ 0x19FE74
                /* length       */ 0x8C
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst80018000 "" RESERVED FLASH INTERN 0x80018000 0x7E74 -1 -1 -1 -1 -1 

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x80018000
                /* mapping addr */ 0x18000
                /* length       */ 0x7E74
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst8001FE74 "" RESERVED FLASH INTERN 0x8001FE74 0x18C -1 -1 -1 -1 -1 

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x8001FE74
                /* mapping addr */ 0x1FE74
                /* length       */ 0x18C
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst80014000 "" RESERVED FLASH INTERN 0x80014000 0x3E74 -1 -1 -1 -1 -1 

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x80014000
                /* mapping addr */ 0x14000
                /* length       */ 0x3E74
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst80017E74 "" RESERVED FLASH INTERN 0x80017E74 0x18C -1 -1 -1 -1 -1 

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x80017E74
                /* mapping addr */ 0x17E74
                /* length       */ 0x18C
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst8000FD04 "" RESERVED FLASH INTERN 0x8000FD04 0x2FC -1 -1 -1 -1 -1 

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x8000FD04
                /* mapping addr */ 0xFD04
                /* length       */ 0x2FC
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Dst801A0000 "" DATA FLASH INTERN 0x801A0000 0x5FF74 -1 -1 -1 -1 -1 

        /begin IF_DATA ETK
            ADDRESS_MAPPING
                /* origin addr  */ 0x801A0000
                /* mapping addr */ 0x82120000
                /* length       */ 0x5FF74
        /end IF_DATA

        /* AsapMLCFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x801A0000
                /* mapping addr */ 0x1A0000
                /* length       */ 0x5FF74
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Ram82100000 "" VARIABLES RAM EXTERN 0x82100000 0x3000 -1 -1 -1 -1 -1 

        /* AsapMLRFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0x82100000
                /* mapping addr */ 0x700000
                /* length       */ 0x3000
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT RamC0000000 "" VARIABLES RAM INTERN 0xC0000000 0x10000 -1 -1 -1 -1 -1 

        /* AsapMLRFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0xC0000000
                /* mapping addr */ 0x400000
                /* length       */ 0x10000
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT RamC03FC000 "" VARIABLES RAM INTERN 0xC03FC000 0x4000 -1 -1 -1 -1 -1 

        /* AsapMLRFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0xC03FC000
                /* mapping addr */ 0x4FC000
                /* length       */ 0x4000
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT RamD0000000 "" VARIABLES RAM INTERN 0xD0000000 0xE000 -1 -1 -1 -1 -1 

        /* AsapMLRFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0xD0000000
                /* mapping addr */ 0x500000
                /* length       */ 0xE000
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT RamD000E000 "" VARIABLES RAM INTERN 0xD000E000 0x2000 -1 -1 -1 -1 -1 

        /* AsapMLRFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0xD000E000
                /* mapping addr */ 0x50E000
                /* length       */ 0x2000
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT RamD4000000 "" VARIABLES RAM INTERN 0xD4000000 0xC000 -1 -1 -1 -1 -1 

        /* AsapMLRFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0xD4000000
                /* mapping addr */ 0x600000
                /* length       */ 0xC000
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT RamF0060000 "" VARIABLES RAM INTERN 0xF0060000 0x8000 -1 -1 -1 -1 -1 

        /* AsapMLRFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0xF0060000
                /* mapping addr */ 0x660000
                /* length       */ 0x8000
        /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT RamF0050000 "" VARIABLES RAM INTERN 0xF0050000 0x4000 -1 -1 -1 -1 -1 

        /* AsapMLRFm - KWP2000 */
        /begin IF_DATA ASAP1B_KWP2000
            ADDRESS_MAPPING
                /* origin addr  */ 0xF0050000
                /* mapping addr */ 0x650000
                /* length       */ 0x4000
        /end IF_DATA
    /end MEMORY_SEGMENT

continues in second post
Logged
MIL_on
Full Member
***

Karma: +12/-2
Offline Offline

Posts: 119
« Reply #1 on: October 07, 2014, 02:55:14 AM »
So based on this i loaded my bin into IDA the first time with the following Specs:
I chose Tricore out of the list and loaded my whole file to 0x80000000.
Afterwards i created all RAM-Adress ranges which where defined in the A2L. After IDA had gone through it once i only found 2 RAM-Blocks which were really used:
0xC0000000
and
0xD0000000
and only up to a Range till 0xC0003xxx (same for 0xD...). So i decided that it would be enough to create only these two blocks of RAM like this:


Question: is it correct to create it as a 16 bit segment or is 32 bit needed in any way?

Later i found a quite easy overview of the Tricore Architecture which i would say confirmed this assumption:


Also mentioned in the doc and the Tricore User Manual is the adressing:



It is also more detailed in the Full User Manual, but rough said this is the reason why i chose my Default segment as 0x02. correct?

The whole doc is also attached.

Now back to the analysis:

The DPF-Switch is located @ 801EFED4. Looking into IDA theres no cross-referencing:



also searching for segment and offset didnt lead to success. Maybe i did something wrong there?

To those who might be sitting laughing in front of their screens now: I hope you recognize that i dont want to be spoon-fed, but a good hint could be used quite good here :/
« Last Edit: October 07, 2014, 02:58:00 AM by MIL_on » Logged
ozzy_rp
Jr. Member
**

Karma: +16/-1
Offline Offline

Posts: 49
« Reply #2 on: October 08, 2014, 04:41:25 AM »
Hi
Where IDA project? Smiley
Logged
MED17/EDC17 Reverse engineering
conversion sgo and frf to bin https://osotec.com/
MIL_on
Full Member
***

Karma: +12/-2
Offline Offline

Posts: 119
« Reply #3 on: October 08, 2014, 05:04:24 AM »
heres my idb File Smiley
IDA-Project
Logged
ozzy_rp
Jr. Member
**

Karma: +16/-1
Offline Offline

Posts: 49
« Reply #4 on: December 30, 2014, 01:54:11 PM »
How about entry point?
Flash memory from 0x80000000h mirrored with 0xA0000000H
In user manual written : Start from internal PFLASH 0xA0000000H ....
but at this address not working programm code Sad
Logged
MED17/EDC17 Reverse engineering
conversion sgo and frf to bin https://osotec.com/
ozzy_rp
Jr. Member
**

Karma: +16/-1
Offline Offline

Posts: 49
« Reply #5 on: March 02, 2015, 02:39:57 PM »
I found cross-reference to DPF-Switch.
In EDC17/MED17 using double index link.

PFLASH:8005901A loc_8005901A:                           ; CODE XREF: sub_80058FCE+3Aj
PFLASH:8005901A                 movh.a          a15, #@HIS(unk_D0004254)
PFLASH:8005901E                 ld32.a          a2, [a9]0x97C

//a9  contains base address for table with references (0x80153DDC)
//a2 contains address of near link to DPF-Switch (0x801EFED2)
// 0x80153DDC+0x97C=0x80154758
//[0x80154758]=0x801EFED2

PFLASH:80059022                 lea             a15, [a15]@LOS(unk_D0004254)
PFLASH:80059026                 ld16.bu         d15, [a15]0xA
PFLASH:80059028                 extr.u          d0, d15, #0, #8
PFLASH:8005902C                 movh.a          a15, #@HIS(unk_C0007D2A)
PFLASH:80059030                 lea             a15, [a15]@LOS(unk_C0007D2A)
PFLASH:80059034                 st16.b          [a15]0, d15
PFLASH:80059036                 movh.a          a15, #@HIS(unk_C0007D2B)
PFLASH:8005903A                 lea             a15, [a15]@LOS(unk_C0007D2B)
PFLASH:8005903E                 st16.b          [a15]0, d0
PFLASH:80059040                 ld16.bu         d15, [a2]2 ; dpf-switch

//and [a2]2 reference to DPF-Switch Smiley

PFLASH:80059042                 jeq16           d15, #1, loc_80059052
PFLASH:80059044                 jge             d15, #2, loc_8005904C
PFLASH:80059048                 jz16            d15, loc_80059058
PFLASH:8005904A                 j16             loc_80059056

A slightly confusing Smiley
Logged
MED17/EDC17 Reverse engineering
conversion sgo and frf to bin https://osotec.com/
MIL_on
Full Member
***

Karma: +12/-2
Offline Offline

Posts: 119
« Reply #6 on: March 09, 2015, 12:35:18 AM »
wow, this is great! Thank you!
Unfortunately i didnt have quite a lot of time in the past to do anything related to tricore disasm Sad
The biggest problem for me was or better said is to find the entry of the table stored in a register. Can you tell me how you found out that a9 holds it? I was in the thinking that it might be stored in d4, but couldnt find the point where it is stored/built.
Logged
ozzy_rp
Jr. Member
**

Karma: +16/-1
Offline Offline

Posts: 49
« Reply #7 on: March 11, 2015, 10:29:00 AM »
Directly I could not find it.
I had to use a trick. I have DAMOS from another MED17 ECU.
From him I learned addresses of variables and maps: nmot_w, rlmaxmd_w, LDRXN and LDRXNZK.
Then I began to search for a subroutine which according rlmaxmd_w retrieves the value from map LDRXNZK.
I found one subroutine and in it i see algorithm to obtain pointers to maps:)
According to the internal structure of the blocks MED17 and EDC17 similar.
Knowing the algorithm, it was easy to find a reference to a codewort in your flash:)
Logged
MED17/EDC17 Reverse engineering
conversion sgo and frf to bin https://osotec.com/
Ionut
Full Member
***

Karma: +4/-3
Offline Offline

Posts: 89
« Reply #8 on: April 05, 2015, 03:16:31 PM »
Hello. I have an Audi A4 with EDC17CP20 ecu.
I`ve loaded BIN to 0x80000000m created RAM segments and converted to code. Now what? Cheesy How can i convert references to actual address? For example, i have this piece of code:
Code:
0000:800C213C loc_800C213C:                           ; CODE XREF: sub_800C20BC+76j
0000:800C213C                 movh.a          a15, #0xC000
0000:800C2140                 ld32.h          d2, unk_D000029A
0000:800C2144                 ld32.h          d15, unk_D0001A7A
0000:800C2148                 lea             a15, [a15]0x565A
0000:800C214C                 st16.h          [a15]0, d2
0000:800C214E                 jz1

On my file, at 0xC000 address value is 0x56D (1389)
[a15]0x565A means 0xC000 + 0x565A (0x1165A) or 0x56D + 0x565A (0x5BC7) or other thing?
All my maps are located between 0x180000 and 0x1FFFFF in WinOLS.
Logged
ozzy_rp
Jr. Member
**

Karma: +16/-1
Offline Offline

Posts: 49
« Reply #9 on: April 06, 2015, 04:55:44 AM »
movh.a          a15, #0xC000
......
lea             a15, [a15]0x565A

this mean a15=0xC000565A Smiley
Logged
MED17/EDC17 Reverse engineering
conversion sgo and frf to bin https://osotec.com/
Ionut
Full Member
***

Karma: +4/-3
Offline Offline

Posts: 89
« Reply #10 on: April 06, 2015, 06:06:44 AM »
Ok, so that is a RAM value. But what should i search in disassembled code to find reference to maps?
0xC0000000 and 0xD0000000 are outside my maps area.

Thanks in advance
Logged
marrakech
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 30
« Reply #11 on: June 15, 2015, 04:56:50 AM »
Thanks in advance  or this topic!  Wink
Logged
MIL_on
Full Member
***

Karma: +12/-2
Offline Offline

Posts: 119
« Reply #12 on: August 13, 2015, 04:14:07 AM »
instead of starting a new topic, i would like to go on here! One more time i am searching something without success Cheesy
i am trying to find a solution for patching tprot 5-7 in BMW EDC17 of the E-Models EDC17C06, EDC17CP02 to write them via OBD once you unlocked them. Should be managable i thought....but i failed with this assumption.

 It seems that it isnt implemented the same way it is in the VAG Ecus.
I decided to compare it with a MED17.5 which should be the best comparison as it has the same Tprot-Stage and the same Processor.
In those VAG Versions theres always a jump to a subroutine zeroed:
2B3Ch - 0000:8000ACD8                 j16             loc_8000AD2E ; Jump to TPROT
by writing 2B3C to 0000 you disable the whole jump.

the subroutine which gets blocked this way looks like this:
0000:8000AD2E loc_8000AD2E:                           ; CODE XREF: sub_8000AC60+78j
0000:8000AD2E                 movh.a          a2, #0xD001  load a2 with 0xD001000
0000:8000AD32                 mov16           d1, #0           load d1 0x01
0000:8000AD34                 mov32           d0, #0x10      load d0  0x10
0000:8000AD38                 lea             a15, [a0]0x19A3
0000:8000AD3C                 mov16           d2, #1           load d2 0x01
0000:8000AD3E                 st16.b          [a12], d0
0000:8000AD40                 lea             a2, [a2]-0x34CE   build effective address: 0xD0010000-0x34CE = 0xD000CB32
0000:8000AD44                 st16.b          [a13], d1
0000:8000AD46                 st16.b          [a15]0, d1
0000:8000AD48                 st16.b          [a2], d2            put 0x01 to Adresse which is hold in RAM-Cell 0xD000CB32
0000:8000AD4A                 j32             loc_8000B076      jump back to ret

the call of this subroutine is based on what d2 holds before:
d2=0 --> jump to 8000ACDA
d2=2 --> jump to 8000B076
otherwise jump to the [now blocked] subroutine 8000AD2E. At its end this also just jumps to 8000B076. So by simply preventing to write this 0x01 to the Address which is hold by 0xD000CB32 and 0x0 to the address which is held by a15 the tprot isnt active. I think that this procedure should be quiet similar regardless of the manufacturer?
Comparing Op-Code did lead to a few assumptions of course, but none of them was proven to be correct. I also tried to check if Magic Motorsport Tprot off for VAG Ecus might work in this case, but i guess the jump which got modified is wrong as you can find the same sequence in another part of the VAG File!
I attached the two files i used to compare and also the working tprot off file for VAG and the automatic created (wrong?) tprot off file for the bmw
Logged
tobygolf66
Jr. Member
**

Karma: +0/-1
Offline Offline

Posts: 40
« Reply #13 on: September 25, 2015, 01:38:09 AM »
MIL_On , did you have tested now your Exx Tprot off solution ??

Is it working ?

Rgds
Logged
ozzy_rp
Jr. Member
**

Karma: +16/-1
Offline Offline

Posts: 49
« Reply #14 on: October 04, 2015, 04:40:32 AM »
Some useful information for disasembling MED17.5
1. Calibration area start 0x80040000 size 0x40000. In some units size 0x30000. Other space used for code.
2. The main code is executed directly from the flash. But there is a piece of code that is loaded into RAM.
3.To access the data using different addressing modes:
a:
movh.a          a15, #@HIS(CRC_end_addr) ;
st32.w          [a15]@LOS(CRC_end_addr), d0 ;

b:
sha16           d15, #4
movh.a          a3, #@HIS(RAM_crc_table) ;
lea             a3, [a3]@LOS(RAM_crc_table) ;
addsc16.a       a2, a3, d15, #0 ;

c:
movh            d15, #0xF000
addi            d15, d15, #0x4000 ; Load 0xF0004000

d:
ld32.w          d15, [a0]-0x5F10

4. The main addressing modes is an indirect addressing with address register.
These registers contain base addresses for FLASH, RAM and Calibration.
Address register a1 used to access data in FLASH.
lea             a15, [a1]0x52BA
ld.hu           d15, [a15]0

Address register a0 used to access data in RAM.
st32.w          [a0]0x414, d10 ; Store to 0xD000B394
                        ; Can ID

Address register a9 used to access data in Calibration Area.
ld32.w          d15, [a9]0x638 ;
mov16.a         a15, d15
lea             a4, [a15]0x69E ;
Logged
MED17/EDC17 Reverse engineering
conversion sgo and frf to bin https://osotec.com/
Pages: [1] 2 3 ... 7
  Print  
« previous next »
 
Jump to:  

Navigation
Personal Tools
  • November 22, 2024, 11:16:05 AM
  • Welcome, Guest. Please login or register.
    Did you miss your activation email?

    Login with username, password and session length
Search
 
Advanced Search
About Disclaimer
All Rights Reserved 2010 Nefarious Motosports
Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.027 seconds with 17 queries. (Pretty URLs adds 0.001s, 0q)