Pages: 1 2 3 [4] 5 6 7
Author Topic: Disassembling MED/EDC17  (Read 83744 times)
dream3R
Hero Member
*****

Karma: +18/-8
Offline Offline

Posts: 1194


« Reply #45 on: May 02, 2016, 06:50:25 PM »

Correct, I was talking with the owner of MPPS last week; not sure what I said was correct about tools, but this is Tricore and we were discussing an older ECU.

Logged



How to work out values from an A2L:

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting revs: http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

Noobs read this before asking: http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORIGINAL finder of the 'extra torque' limits
I don't have ME7.01 A2L, I just use ID
kuebk
Jr. Member
**

Karma: +3/-0
Offline Offline

Posts: 47



« Reply #46 on: May 07, 2016, 12:36:49 PM »

I was asking about EDC17.
Logged

VAG immo solutions (clone, immo off, repair) MEDC17, SIMOS, SDI, BCM2, ELV, DQ/DL/VL gearboxes, INVCON, MED9.x crypto
dream3R
Hero Member
*****

Karma: +18/-8
Offline Offline

Posts: 1194


« Reply #47 on: May 07, 2016, 01:07:50 PM »

Quote from: kuebk on May 07, 2016, 12:36:49 PM
I was asking about EDC17.

My bad, some GNU toolchain for Tricore will have been used, why do you want to know?

Logged



kuebk
Jr. Member
**

Karma: +3/-0
Offline Offline

Posts: 47



« Reply #48 on: June 14, 2016, 03:05:08 PM »

I would like to know what hardware/software is required to do RAM logging on EDC17; the information which is available on the web is not very friendly for inexperienced people.
Logged

dream3R
Hero Member
*****

Karma: +18/-8
Offline Offline

Posts: 1194


« Reply #49 on: June 14, 2016, 06:04:37 PM »

CAN controller/transceiver and software, and knowledge of the diag session and seeds.
Logged



kuebk
Jr. Member
**

Karma: +3/-0
Offline Offline

Posts: 47



« Reply #50 on: January 13, 2017, 09:21:57 AM »

The RAM logging is done (no idea why I wrote about that in this thread), but back to topic, I've got a question regarding ASM:
Code:
mul32           e0, d0, d2

The Ex registers are 64-bit, but what does mul32 mean in that case? Will it strip the 64-bit result to 32 bits and put it in d0 without touching d1, or is it done a different way?
« Last Edit: January 13, 2017, 09:34:39 AM by kuebk » Logged

superglitch
Jr. Member
**

Karma: +4/-0
Offline Offline

Posts: 45


« Reply #51 on: February 18, 2017, 06:34:21 PM »

Anyone know where the jump table for the logging is on any MED17s?

EDIT: Figured it out. Most things that you'd want to log for tuning or code hacks already exist, and can all be adjusted in WinOLS, no need for IDA.
« Last Edit: February 27, 2017, 04:29:40 PM by superglitch » Logged
jcsbanks
Full Member
***

Karma: +19/-3
Offline Offline

Posts: 146


« Reply #52 on: February 26, 2017, 05:41:57 AM »

mul32 is the 32-bit instruction length. When you assemble for Tricore you just write mul.
Logged
vwphun
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 6


« Reply #53 on: July 09, 2018, 01:18:01 AM »

What about the encrypted ImmoData in EEPROM? The CRC is clear now (thanks ozzy_rp and H2DeeToo), especially data block IDs 0x08, 0x09, 0x0A? How are CS, PIN, MAC encrypted in EEPROM with data from the flash OTP sector?
Logged
navatar_
Newbie
*

Karma: +1/-1
Offline Offline

Posts: 18


« Reply #54 on: November 22, 2019, 11:42:05 AM »

Quote from: vwphun on July 09, 2018, 01:18:01 AM
What about the encrypted ImmoData in EEPROM? The CRC is clear now (thanks ozzy_rp and H2DeeToo), especially data block IDs 0x08, 0x09, 0x0A? How are CS, PIN, MAC encrypted in EEPROM with data from the flash OTP sector?


Have been looking for this answer for the last few days. I think I am correct in saying the relevant OTP data is stored at 0x17f00 - 0x17f7f and is somehow encrypted with the immo data. Initially I thought it would be a simple XOR substitution-based cipher, but now I'm not so sure.
Logged
AngelPowy
Full Member
***

Karma: +1/-0
Offline Offline

Posts: 55


« Reply #55 on: January 27, 2020, 05:07:55 AM »

Ionut: Make sure you understand how the map addresses are called:
1. You have the table which is filled with addresses of "areas", but not every single map address is stored here, otherwise it might become too big.
2. From the address stored in the table you can take short offsets which fit in 16 bits.

Addresses for better understanding:
rlmx_w = D0001662
Axis Length(0x0012) = 0x8005B05C
Axis = 0x8005B05E - 0x8005B081
LDRXNZK = 0x8005B082 -  0x8005B0A5

So if you are going to reverse the whole mechanism you would start like this:
- You know where your LDRXN map and axis start, and you know which variable gets stored by the routine which uses these maps (rlmx_w). So you take the RAM address of the variable (rlmx_w) and use the cross-reference function. There are 2 routines which write into that RAM cell and 1 reading it. You know that it gets written by the LDRXN routine, so you go down one of those 2 paths.
In this routine you will find the following code:

This is based on the 5K0907115, 0261204474, 1037500440  File!

0000:80106C62                 ld32.w          d15, [a9]0x638             // Table index = a9+offset --> take address from [Tablestart+0x638]
0000:80106C66                 madd            d15, d15, d0, #0x4A     // choose LDRXN map based on gearbox variant (0x4A is the length of one complete table + axis + axis description!) and store it in d15 again. Let's guess we have a manual trans, so d0 will be 0.
0000:80106C6A                 ld.hu           d4, nmot_w
0000:80106C6E                 mov16.a         a15, d15                   // store address in address register
0000:80106C70                 lea             a4, [a15]0x69E             // load effective address: a15 holds at that moment [Table-entry+0*0x4A] and we add another 0x69E to that address and store it in a4. If you dive into the subfunction which gets called in the next line you will find that a4 has to hold the length of the axis, and this is at address 8005B05C.
0000:80106C74                 call32          sub_800FDC72
0000:80106C78                 st32.h          rlmx_w, d2
0000:80106C7C                 j16             loc_80106C86

So as you know that the end of the calculation has to be 0x8005B05C, you can go in reverse: 0x8005B05C - 0x69E = 0x8005A9BE. Search for 8005A9BE in your hex editor in 32-bit mode and you will find it at 0x8016E020. From there you know that you have to subtract 0x638 to get to the table start! This gives 0x8016D9E8, which you can now use for all other equations!


Subroutine not explained:
0000:800FDC72 sub_800FDC72:                           ; CODE XREF: ROM:80071FA8p
0000:800FDC72                                         ; ROM:80072004p ...
0000:800FDC72                 mov16           d5, d4
0000:800FDC74                 mov16.aa        a15, a4
0000:800FDC76                 ld.hu           d15, [a15+]2
0000:800FDC7A                 mov16           d4, d15
0000:800FDC7C                 mov16.aa        a4, a15
0000:800FDC7E                 call32          sub_80121FDC
0000:800FDC82                 addsc16.a       a4, a15, d15, #1
0000:800FDC84                 mov16           d4, d2
0000:800FDC86                 j32             sub_800FA5EE
0000:800FDC86 ; End of function sub_800FDC72



Did you find your A2L on this forum? Or would you mind sharing it?

Best regards
Logged
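Added example (not from AngelPowy's post or any ECU file): the same table walk in Python over a constructed image, both the reverse step that recovers the table start from the known axis address and the forward step the disassembly performs. The 0x80000000 PFLASH base and the sample axis/map values are assumptions.

```python
import struct

# Offsets quoted in the post above (5K0907115 file); the PFLASH base
# address 0x80000000 is an assumption about where the dump is mapped.
FLASH_BASE   = 0x80000000
TABLE_OFF    = 0x638    # ld32.w d15, [a9]0x638
VARIANT_SIZE = 0x4A     # madd d15, d15, d0, #0x4A (axis len + axis + map)
LEA_OFF      = 0x69E    # lea a4, [a15]0x69E

def find_table_base(image: bytes, axis_len_addr: int) -> int:
    """Reverse step: the routine reaches axis_len_addr as entry + LEA_OFF, so
    search the image for the 32-bit little-endian value axis_len_addr - LEA_OFF;
    the table starts TABLE_OFF before the (single) hit."""
    needle = struct.pack("<I", axis_len_addr - LEA_OFF)
    hits, i = [], image.find(needle)
    while i != -1:
        hits.append(i)
        i = image.find(needle, i + 1)
    if len(hits) != 1:
        raise ValueError(f"expected one pointer hit, got {[hex(h) for h in hits]}")
    return FLASH_BASE + hits[0] - TABLE_OFF

def resolve_ldrxn(image: bytes, table_base: int, gearbox_variant: int):
    """Forward step, following the disassembly: returns (axis-length address,
    axis breakpoints, LDRXN map values) for the given gearbox variant (d0)."""
    entry = struct.unpack_from("<I", image, table_base + TABLE_OFF - FLASH_BASE)[0]
    a4 = entry + gearbox_variant * VARIANT_SIZE + LEA_OFF
    off = a4 - FLASH_BASE
    n = struct.unpack_from("<H", image, off)[0]              # ld.hu d15, [a15+]2
    axis = list(struct.unpack_from(f"<{n}H", image, off + 2))
    ldrxn = list(struct.unpack_from(f"<{n}H", image, off + 2 + 2 * n))
    return a4, axis, ldrxn

def build_sample_image() -> bytes:
    """Constructed stand-in for the flash dump: only the bytes the routine
    touches are populated, at the offsets the post names."""
    img = bytearray(0x170000)
    struct.pack_into("<I", img, 0x16E020, 0x8005A9BE)      # table entry -> area
    off = 0x8005B05C - FLASH_BASE                           # manual trans, d0 = 0
    axis = [800 + 400 * i for i in range(0x12)]             # constructed rpm axis
    ldrxn = [1200 + 25 * i for i in range(0x12)]            # constructed map
    struct.pack_into("<H18H18H", img, off, 0x12, *axis, *ldrxn)
    return bytes(img)

if __name__ == "__main__":
    img = build_sample_image()
    base = find_table_base(img, 0x8005B05C)        # 0x8016D9E8, as in the post
    a4, axis, ldrxn = resolve_ldrxn(img, base, 0)  # a4 == 0x8005B05C
    print(hex(base), hex(a4), axis[:3], ldrxn[:3])
```

With a real dump, check that the search returns exactly one hit before trusting the table start; a second hit means the value also occurs as data.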
Jonny_Z
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 5


« Reply #56 on: February 08, 2020, 05:54:07 AM »

I found some registers like "e2" in MEDC17:
Code:
PFLASH:8009286A                 movh.a          a2, #@HIS(unk_D0009B74)
PFLASH:8009286E                 movh.a          a15, #@HIS(unk_D00089F5)
PFLASH:80092872                 ld32.bu         d0, [a12]0x1E
PFLASH:80092876                 ld32.w          d15, [a2]@LOS(unk_D0009B74)
PFLASH:8009287A                 mul16           d15, d0
PFLASH:8009287C                 lea             a15, [a15]@LOS(unk_D00089F5)
PFLASH:80092880                 dvinit.u        e2, d15, d8
PFLASH:80092884                 dvstep.u        e2, e2, d8
PFLASH:80092888                 dvstep.u        e2, e2, d8
PFLASH:8009288C                 dvstep.u        e2, e2, d8
PFLASH:80092890                 dvstep.u        e2, e2, d8
PFLASH:80092894                 mov16           d15, d2
PFLASH:80092896                 st16.b          [a15]0, d0 ; unk_D00089F5
PFLASH:80092898                 st32.w          [a2]@LOS(unk_D0009B74), d15

It looks like it has no connection with the whole subroutine; I think I must be missing something. Could you guys give me a tip?
Logged
gt-innovation
Sr. Member
****

Karma: +60/-91
Offline Offline

Posts: 449


« Reply #57 on: February 08, 2020, 06:26:47 AM »

Quote from: Jonny_Z on February 08, 2020, 05:54:07 AM
I found some registers like "e2" in MEDC17:
Code:
PFLASH:8009286A                 movh.a          a2, #@HIS(unk_D0009B74)
PFLASH:8009286E                 movh.a          a15, #@HIS(unk_D00089F5)
PFLASH:80092872                 ld32.bu         d0, [a12]0x1E
PFLASH:80092876                 ld32.w          d15, [a2]@LOS(unk_D0009B74)
PFLASH:8009287A                 mul16           d15, d0
PFLASH:8009287C                 lea             a15, [a15]@LOS(unk_D00089F5)
PFLASH:80092880                 dvinit.u        e2, d15, d8
PFLASH:80092884                 dvstep.u        e2, e2, d8
PFLASH:80092888                 dvstep.u        e2, e2, d8
PFLASH:8009288C                 dvstep.u        e2, e2, d8
PFLASH:80092890                 dvstep.u        e2, e2, d8
PFLASH:80092894                 mov16           d15, d2
PFLASH:80092896                 st16.b          [a15]0, d0 ; unk_D00089F5
PFLASH:80092898                 st32.w          [a2]@LOS(unk_D0009B74), d15

It looks like it has no connection with the whole subroutine; I think I must be missing something. Could you guys give me a tip?

https://www.infineon.com/dgdl/tc_v131_instructionset_v138.pdf?fileId=db3a304412b407950112b409b6dd0352

page 162
Logged
Jonny_Z
Newbie
*

Karma: +0/-1
Offline Offline

Posts: 5


« Reply #58 on: February 08, 2020, 09:52:31 AM »


What confuses me is that after register e2 gets the divided value, there is no next step (loading it to a memory address or ...) that I can find.
Logged
prj
Hero Member
*****

Karma: +1072/-480
Offline Offline

Posts: 6035


« Reply #59 on: February 11, 2020, 06:07:39 AM »

Quote from: Jonny_Z on February 08, 2020, 09:52:31 AM
What confuses me is that after register e2 gets the divided value, there is no next step (loading it to a memory address or ...) that I can find.

Page 46.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
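Added example (not part of prj's reply or the Infineon manual): a Python model of the dvinit.u / dvstep.u sequence quoted above, showing that the even half d2 of pair e2 ends up holding the quotient, which is what the following mov16 d15, d2 picks up and the st32.w writes back. The wrapper's sample operands are constructed.

```python
MASK32 = 0xFFFFFFFF

def dvinit_u(dividend: int) -> int:
    """dvinit.u E[c], D[a], D[b]: pair = {remainder = 0, dividend = D[a]}."""
    return dividend & MASK32

def dvstep_u(e: int, divisor: int) -> int:
    """dvstep.u E[c], E[d], D[b]: eight restoring-division steps on the pair.
    The high word holds the partial remainder; the low word shifts dividend
    bits out at the top and quotient bits in at the bottom."""
    rem, quo = e >> 32, e & MASK32
    for _ in range(8):
        rem = (rem << 1) | (quo >> 31)
        quo = (quo << 1) & MASK32
        if rem >= divisor:          # trial subtraction succeeds: quotient bit 1
            rem -= divisor
            quo |= 1
    return (rem << 32) | quo

def udiv32(d15: int, d8: int) -> tuple:
    """dvinit.u + 4 x dvstep.u, as in the snippet: 32 quotient bits in total.
    Returns (d2, d3): d2 (even register of e2) is the quotient, d3 the
    remainder, which is why the code continues with 'mov16 d15, d2'."""
    if d8 == 0:
        raise ZeroDivisionError("divisor d8 must be non-zero")
    e2 = dvinit_u(d15)
    for _ in range(4):
        e2 = dvstep_u(e2, d8)
    return e2 & MASK32, e2 >> 32

def snippet(word_at_D0009B74: int, byte_at_a12_1E: int, d8: int) -> int:
    """Net effect of the whole block: low 32 bits of word * byte, divided by
    d8; the quotient is what st32.w writes back to unk_D0009B74."""
    d15 = (word_at_D0009B74 * byte_at_a12_1E) & MASK32   # mul16 d15, d0
    d2, _d3 = udiv32(d15, d8)
    return d2                                             # mov16 d15, d2 ; st32.w

if __name__ == "__main__":
    print(udiv32(1000, 7))            # (142, 6)
    print(snippet(0x1234, 0x10, 3))   # 0x12340 // 3
```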