I was asking about EDC17.

Ionut: Make sure you understand how the map-adresses are called:
1. You have the Table which is filled with Adresses of "areas" but not each single map-adress is stored here, otherwise it might become too big.
2. from the Adress stored in the table you are able to take short offsets which can be stored in 16 bit.

Adresses for better understanding:
rlmx_w = D0001662
Axis Length(0x0012) = 0x8005B05C
Axis = 0x8005B05E - 0x8005B081
LDRXNZK = 0x8005B082 -  0x8005B0A5

so if you are going to reverse the whole mechanism you would start like this:
-you know where your LDRXN-Map and Axis starts and you know which variable gets stored in the routine which uses these maps (rlmx_w). So you take your RAM-Adress of the Variable (rlmx_w) and use the Cross-Reference function. There are 2 Routines which write into that ram cell and 1 reading it. You know that it gets written by the LDRXN Routine, so you are going down one of those 2 paths.
in this routine you will find the following Code:

This is based on the 5K0907115, 0261204474, 1037500440  File!

0000:80106C62                 ld32.w          d15, [a9]0x638             // Table-Index = a9+offset --> Take adress from [Tablestart+0x638]
0000:80106C66                 madd            d15, d15, d0, #0x4A     // choose LDRXN-Map based on Gearbox-Variant ( 0x4A is the length of one complete Table+Axis+Axis Description!) and store it in d15 again. Lets guess we have a manual trans, so d0 will be 0.
0000:80106C6A                 ld.hu           d4, nmot_w
0000:80106C6E                 mov16.a         a15, d15                   // store Adress in adress-register
0000:80106C70                 lea             a4, [a15]0x69E             // load effective adress: a15 holds at that moment [Table-entry+0*0x4A] and we add another 0x69E to that Adress and store it in a4. if you dive into the subfunction which gets called in the next line you will find that a4 has to hold the length of the axis and this is @ Adress 8005B05C.
0000:80106C74                 call32          sub_800FDC72
0000:80106C78                 st32.h          rlmx_w, d2
0000:80106C7C                 j16             loc_80106C86

So as you know that the end of the calculation has to be 0x8005B05C you can go reverse by: 0x8005B5C - 0x69E = 0x8005A9BE. Search for 8005A9BE in your Hex-Editor in 32bit mode and you will find it @ 0x8016E020. From here you know that you have to subtract 0x638 to get to the table-start! This delivers 0x8016D9E8 which you can use now for all other equations!


Subroutine not explained:
0000:800FDC72 sub_800FDC72:                           ; CODE XREF: ROM:80071FA8p
0000:800FDC72                                         ; ROM:80072004p ...
0000:800FDC72                 mov16           d5, d4
0000:800FDC74                 mov16.aa        a15, a4
0000:800FDC76                 ld.hu           d15, [a15+]2
0000:800FDC7A                 mov16           d4, d15
0000:800FDC7C                 mov16.aa        a4, a15
0000:800FDC7E                 call32          sub_80121FDC
0000:800FDC82                 addsc16.a       a4, a15, d15, #1
0000:800FDC84                 mov16           d4, d2
0000:800FDC86                 j32             sub_800FA5EE
0000:800FDC86 ; End of function sub_800FDC72

I found some registers like "e2" in MEDC17:

It looks like no connection with the whole subroutine, i think i must miss something, could you guys give me a tip?

What i confused is after the register e2 loads the divided value, there is no next step(load it to a memory address or ...) that i can find.