Pages: 1 [2]
Author Topic: The correct way of loading a ECU stock file to IDA  (Read 22517 times)
automan001
Full Member
***

Karma: +39/-0
Offline Offline

Posts: 151


« Reply #15 on: September 26, 2013, 11:55:11 PM »

This is the memory layout of the ME7.1:
0x0-0x7FFF: Internal ROM on the C167 processor
0xE000-0xFFFF: Internal RAM on the C167 processor
Found some good pictures with detailed description of these blocks content in C167CR User's Manual

The C167CR provides a total addressable memory space of 16 MBytes. This address
space is arranged as 256 segments of 64 KBytes each, and each segment is again
subdivided into four data pages of 16 KBytes each
Most internal memory areas are mapped into segment 0, the system segment. The
upper 4 KByte of segment 0 (00’F000H … 00’FFFFH) hold the Internal RAM and Special
Function Register Areas (SFR and ESFR).
The lower 32 KByte of segment 0
(00’0000H… 00’7FFFH) may be occupied by a part of the on-chip ROM/Flash/OTP
memory and is called the Internal ROM area. This ROM area can be remapped to
segment 1 (01’0000H … 01’7FFFH), to enable external memory access in the lower half
of segment 0, or the internal ROM may be disabled at all.
Code and data may be stored in any part of the internal memory areas, except for the
SFR blocks, which may be used for control/data, but not for instructions.

The C167CR may reserve an address area of variable size (depending on the version)
for on-chip mask-programmable ROM/Flash/OTP memory (organized as X × 32). The
lower 32 KByte of this on-chip memory block are referred to as “Internal ROM Area”.
Internal ROM accesses are globally enabled or disabled via bit ROMEN in register
SYSCON. This bit is set during reset according to the level on pin EA, or may be altered
via software. If enabled, the internal ROM area occupies the lower 32 KByte of either
segment 0 or segment 1 (alternate ROM area). This mapping is controlled by bit ROMS1
in register SYSCON.
« Last Edit: September 27, 2013, 12:02:04 AM by automan001 » Logged
ktm733
Hero Member
*****

Karma: +14/-4
Offline Offline

Posts: 634



« Reply #16 on: November 26, 2015, 08:18:52 PM »

I'm newbie with ida pro and assembler, but after watching andy videos and reading this, cant understand how to load whole bin file to 0x800000 address without splitting.
Could someone tell me what values to write into window (attached image)? I've checked my DPP0...3 and they're same in Andy video. But after identifying DPP... He splits file into two parts and then sets RAM start address @ 0x380000and uses default for ROM...

anybody?
Logged
adam-
Hero Member
*****

Karma: +105/-26
Offline Offline

Posts: 1965


« Reply #17 on: November 27, 2015, 01:53:58 AM »

Subscribed.  I played with this the other day and the AutoIT script works pretty well.  Still need to get my head around it.

I just split the file, wasn't too hard to do. 
Logged
ktm733
Hero Member
*****

Karma: +14/-4
Offline Offline

Posts: 634



« Reply #18 on: November 27, 2015, 10:36:02 AM »

I did the auto script but it doesn't seem correct is why I'm questioning it.
Logged
chacarita
Newbie
*

Karma: +1/-0
Offline Offline

Posts: 14


« Reply #19 on: July 29, 2020, 11:04:58 PM »

This is the memory layout of the ME7.1:
0x0-0x7FFF: Internal ROM on the C167 processor
0xE000-0xFFFF: Internal RAM on the C167 processor
0x380000-0x38FFFF: External RAM
0x800000-0x8FFFFF: External Flash

The bin files that everyone reads off of their ECU are the external flash memory in the starting at 0x800000.

The only way to read the internal ROM from 0x0 to 0x7FFF is in boot mode. All of the OBD communication protocols prevent reading the internal ROM memory region.

The code in the internal ROM forwards some interrupts to the code in the external Flash. That is why it looks like there are interrupt vectors at 0x800000, because the internal ROM code forwards to there.

I can 100% guarantee the DPP registers are set as such:
DPP0: 0x0204
DPP1: 0x0205
DPP2: 0x00E0
DPP3: 0x0003

Sorry for the noob question, but I want to learn and I get mixed up with so many posts going on about the same thing, I thought I'd keep in under the same thread. . Having no background in IT, I have basically no idea what I am doing when trying to load the file. From what you posted I do understand that files not read via boot mode are the external flash. I tried downloading automan001's disassembled project but cant even start to open it. I understand that I have to use loading at 0x800000 because that is the ExtFlash location. How do I tell IDA not to bother ? I get this error. It is expecting me to fill out the layout of the whole ecu but i am loading a smaller file on it (bin) ? Thanks in advance  Wink
Logged
Pages: 1 [2]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.018 seconds with 17 queries. (Pretty URLs adds 0.001s, 0q)