Author Topic: The correct way of loading a ECU stock file to IDA  (Read 40275 times)
zibbo
« on: June 28, 2011, 07:55:26 AM »

Hi everybody,

I was reading the 'Bosch Me7 IDA plugin' topic very thoroughly, starting from here: http://nefariousmotorsports.com/forum/index.php/topic,35.msg976.html#msg976, and got confused about who is right.

So, Andy's suggestion is (http://www.andywhittaker.com/en-us/ecu/disassemblingaboschme755.aspx):
1. Load lower 64K of ECU stock file to 0x0000
2. Create 64K of RAM at 0x380000
3. Load the rest of ECU stock file to 0x810000
4. Set DPP0 = 204h, DPP1 = 205h, DPP2 = E0h, DPP3 = 3

On the other side, Tony's and Spen's suggestions coincide:
1. Load all ECU stock file to 0x800000
2. Set DPP0 = 204h, DPP1 = 205h, DPP2 = E0h, DPP3 = 3

Now, let's take into account the following facts:
1. ECU ROM is 512K, so it's impossible to fit a 1Mb ECU stock file in ECU ROM starting at 0x800000.
2. Interrupt vectors start at 0, so it looks like at least the first 64K really should be loaded to 0, not 0x800000.
3. RESET_handler sets DPP0 = 0, so where is 204h taken from at all?
So, who is right here and what is the exact correct way of loading an ECU stock file into the disassembler?

Thanks in advance.
zibbo
« Reply #1 on: June 28, 2011, 09:50:14 AM »

During my subsequent investigation I found out that Me7.1 has a 1Mb ROM, so question #1 is solved now.

Also I found out that interrupts often set DPP0 = 204h and then call routines from the 0x820000-* area, so maybe DPP0 should be 0 for segment #0 and 204h for segments starting at #82 and further?

It also looked correct to me when I loaded the first 64K of the ECU stock file to segment #0 and #80, i.e. duplicated it, and then I found references from segment #82 to both segments #0 and #80.

Please, correct me if I'm wrong. Thanks
gremlin
« Reply #2 on: June 28, 2011, 02:39:46 PM »

...
1. Load lower 64K of ECU stock file to 0x0000
...

No.
First you must load the C167 CPU 32K dump to the address area 0000...7FFF.
Then create and add the other RAM/ROM segments as additional files.
zibbo
« Reply #3 on: June 29, 2011, 03:06:57 AM »

Thanks, Gremlin!

Could you please clarify what to do with the remaining 32K of segment #0? I mean, the stock file does contain something in the range 0x8000-0x10000 and this data doesn't look like it should be ignored.
gremlin
« Reply #4 on: June 29, 2011, 04:23:05 AM »

Could you please clarify what to do with the remaining 32K of segment #0? I mean, the stock file does contain something in the range 0x8000-0x10000 and this data doesn't look like it should be ignored.

Clarification about the 32-kb dump of the CPU program.
It isn't the first 32k of the main stock dump that the flash chip contains. It's the internal content of the CPU and it differs from the content of the start part of the flash.
The rest of the segment (8000...FFFF) is internal registers and internal CPU RAM. See the datasheets for the C167 processor for details.
External RAM and ROM are mapped at 380000 and 800000 respectively.
zibbo
« Reply #5 on: June 29, 2011, 05:50:57 AM »

Ok, I guess I know the point where I got confused. I used Andy Whittaker's video tutorials to get familiar with the essentials. In part 1 Andy loads a binary to address 0x00000000 and IDA correctly shows the interrupt vectors, in particular RESET_handler with correct code for setting up CPU parameters. I guess that was internal CPU ROM, correct? I saw several stock files where, when the first 64K is loaded to 0, the code looks correct.

But, there is a stock file example on Andy's site, http://andywhittaker.com/LinkClick.aspx?link=software%2fS4TT-108.bin&tabid=68, and if I load the lower 32K or 64K of this file to 0, then I get a mess, so it doesn't really look like it should be loaded this way. And I saw many other similar stocks, including samples on Nyet's site: http://nyet.org/cars/files/stock/.

So, I guess the problem is a different stock file format, correct?

Thanks.
gremlin
« Reply #6 on: June 29, 2011, 12:37:40 PM »

So, I guess the problem is a different stock file format, correct?

The problem is that both people don't take into account the CPU internal program code.
When you disassemble the main flash code you will see some "jumps" and "calls" addressing 0000...7FFF.
But if you see these addresses remapped from 800000 to 0000, these calls and jumps will be targeted at the wrong subroutine entry points.
What software dump do you plan to disassemble?
Give me the SW number and I will post the CPU internal dump for this ECU.
Then you try to disassemble using the method described above.
gremlin
« Reply #7 on: June 29, 2011, 04:02:58 PM »

PS: In some cases the low 32K of the flash dump is equal to the internal CPU ROM dump.
But only "sometimes", not "always".
From this point of view, always use the real CPU dump to avoid possible errors in the disassembly.
See example.
zibbo
« Reply #8 on: June 30, 2011, 02:11:48 AM »

Gremlin, thank you very much for the clarification and example! To summarize, the 0x800000-0x808000 range can either duplicate the CPU ROM or contain some code used during boot, correct?

If so, then the meaning of the next 32k can vary as well, depending on what the first 32k means, correct? And what is the purpose of this area at all?

Thanks
zibbo
« Reply #9 on: July 03, 2011, 08:29:42 AM »

Btw, is it known how the CPU ROM depends on the SW? Is it possible that the CPU ROM from one ECU will be good for another one, or does every SW actually indicate changes in the CPU ROM?

Thanks.
gremlin
« Reply #10 on: July 03, 2011, 09:40:59 AM »

Btw, is it known how the CPU ROM depends on the SW? Is it possible that the CPU ROM from one ECU will be good for another one, or does every SW actually indicate changes in the CPU ROM?

Thanks.

AFAIK there are 4 versions of CPU dumps for the VAG ME7.x ECU family for turbo engines.
Unfortunately the CPU chip marking can be different for chips having equal dumps inside.
But it's no problem to read the CPU content using boot mode and C167 software tools like minimon, for example.
phila_dot
« Reply #11 on: July 05, 2011, 10:46:42 PM »

How do we determine all of these settings accurately?

Are you getting it all from the datasheet? Or is there a method to ascertain it from the binary?
Tony@NefMoto (Administrator)
« Reply #12 on: September 18, 2011, 07:37:26 PM »

This is the memory layout of the ME7.1:
0x0-0x7FFF: Internal ROM on the C167 processor
0xE000-0xFFFF: Internal RAM on the C167 processor
0x380000-0x38FFFF: External RAM
0x800000-0x8FFFFF: External Flash

The bin files that everyone reads off of their ECU are the external flash memory starting at 0x800000.

The only way to read the internal ROM from 0x0 to 0x7FFF is in boot mode. All of the OBD communication protocols prevent reading the internal ROM memory region.

The code in the internal ROM forwards some interrupts to the code in the external Flash. That is why it looks like there are interrupt vectors at 0x800000, because the internal ROM code forwards to there.

I can 100% guarantee the DPP registers are set as such:
DPP0: 0x0204
DPP1: 0x0205
DPP2: 0x00E0
DPP3: 0x0003
broken_down
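As an added illustration (not code from the thread, nor from Andy, Tony or gremlin), the following Python helper encodes the ME7.1 memory map and the DPP values Tony gives above, and answers the question that runs through the whole thread: given a 16-bit DPP-relative data address or a C167 far seg:offset target, which physical region does it land in, and where in the stock .bin (loaded at 0x800000) is that byte? The DPP translation is the standard C166/C167 scheme (bits 15:14 of a 16-bit address select DPP0..3, the 10-bit DPP value is the 16K page number). `loading_plan()` assumes a flash image of any size is mapped from 0x800000 upwards; the region names, function names and sample addresses are my own.

```python
"""C166/C167 address helpers for the ME7.1 memory map discussed in the thread.

Regions (from Tony's post):
  0x000000-0x007FFF  internal ROM on the C167 (readable only in boot mode)
  0x00E000-0x00FFFF  internal RAM on the C167
  0x380000-0x38FFFF  external RAM
  0x800000-0x8FFFFF  external flash = the stock .bin everyone reads over OBD
"""

# DPP register values from the thread (DPP0..DPP3).
DPP = {0: 0x0204, 1: 0x0205, 2: 0x00E0, 3: 0x0003}

FLASH_BASE = 0x800000

REGIONS = [
    (0x000000, 0x007FFF, "internal ROM"),
    (0x00E000, 0x00FFFF, "internal RAM"),
    (0x380000, 0x38FFFF, "external RAM"),
    (0x800000, 0x8FFFFF, "external flash"),
]


def dpp_to_physical(addr16, dpp=DPP):
    """Translate a 16-bit DPP-relative data address into a 24-bit physical address.

    C166/C167 rule: address bits 15:14 pick DPP0..DPP3, the 10-bit page number
    held in that DPP becomes physical bits 23:14, address bits 13:0 are the
    offset inside the 16K page.
    """
    page_sel = (addr16 >> 14) & 0x3
    page = dpp[page_sel] & 0x3FF
    return (page << 14) | (addr16 & 0x3FFF)


def far_to_physical(segment, offset):
    """Resolve a C167 far target (CALLS/JMPS seg, offset) to a physical address.

    Code segments are 64K: physical = segment << 16 | offset, so 'segment #82'
    in the thread means 0x820000-0x82FFFF.
    """
    return ((segment & 0xFF) << 16) | (offset & 0xFFFF)


def classify(phys):
    """Name the region a physical address falls in, or 'unmapped'."""
    for lo, hi, name in REGIONS:
        if lo <= phys <= hi:
            return name
    return "unmapped"


def flash_file_offset(phys, flash_base=FLASH_BASE, flash_size=0x100000):
    """Offset of a physical address inside the stock .bin, or None if it is not
    in flash (e.g. a CALLS into 0x0000-0x7FFF lives in the internal ROM dump,
    not in the .bin, which is exactly the trap gremlin warns about)."""
    if flash_base <= phys < flash_base + flash_size:
        return phys - flash_base
    return None


def loading_plan(flash_size, cpu_rom_size=0x8000, ram_size=0x10000):
    """The loading recipe from the thread as a list of IDA segments to create:
    (name, start, end_inclusive, source). The flash image is assumed to start
    at 0x800000 whatever its size (a 256K image would end at 0x83FFFF)."""
    return [
        ("INTROM", 0x000000, cpu_rom_size - 1, "CPU internal dump (boot mode)"),
        ("RAM", 0x380000, 0x380000 + ram_size - 1, "empty RAM segment"),
        ("FLASH", FLASH_BASE, FLASH_BASE + flash_size - 1, "stock .bin"),
    ]


if __name__ == "__main__":
    # Constructed sample addresses: DPP0 window, RAM via DPP2, internal RAM via DPP3.
    for a in (0x0000, 0x4000, 0x8000, 0xE000):
        p = dpp_to_physical(a)
        print(f"data 0x{a:04X} -> 0x{p:06X} ({classify(p)}), file offset {flash_file_offset(p)}")
    # Constructed far targets: one into flash segment 0x82, one into the internal ROM.
    for seg, off in ((0x82, 0x1234), (0x00, 0x1234)):
        p = far_to_physical(seg, off)
        print(f"CALLS {seg:02X}:{off:04X} -> 0x{p:06X} ({classify(p)}), file offset {flash_file_offset(p)}")
    for seg in loading_plan(0x100000):
        print(seg)
```

Running it shows why DPP2 = E0h and "RAM at 0x380000" are the same statement (0xE0 << 14 == 0x380000), why DPP0 = 204h makes the data window start at 0x810000, and why a far call into segment 0 resolves to the internal ROM dump rather than to anything in the .bin.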
« Reply #13 on: February 27, 2012, 11:31:45 AM »

Hi,

I have a Renault Clio Sport with a Sirius 32N ECU.
It uses the C167 processor and an AM29F200BB flash.
If I have a full readout of the flash using boot mode, it is 256kb.
Since the file is so much smaller than the file you are giving the example about, what would be the correct addressing
for the:
Internal ROM on the C167 processor: always the same size?
Internal RAM on the C167 processor: always the same size?
External RAM
External Flash

and the DPP registers?

I would be ever so happy if you can help me out.

Best regards
Daniel Ohde
« Last Edit: March 21, 2012, 06:09:55 AM by broken_down »
masterj
« Reply #14 on: March 05, 2012, 03:05:07 PM »

Hi everybody,

I was reading the 'Bosch Me7 IDA plugin' topic very thoroughly, starting from here: http://nefariousmotorsports.com/forum/index.php/topic,35.msg976.html#msg976, and got confused about who is right.

So, Andy's suggestion is (http://www.andywhittaker.com/en-us/ecu/disassemblingaboschme755.aspx):
1. Load lower 64K of ECU stock file to 0x0000
2. Create 64K of RAM at 0x380000
3. Load the rest of ECU stock file to 0x810000
4. Set DPP0 = 204h, DPP1 = 205h, DPP2 = E0h, DPP3 = 3

On the other side, Tony's and Spen's suggestions coincide:
1. Load all ECU stock file to 0x800000
2. Set DPP0 = 204h, DPP1 = 205h, DPP2 = E0h, DPP3 = 3

Now, let's take into account the following facts:
1. ECU ROM is 512K, so it's impossible to fit a 1Mb ECU stock file in ECU ROM starting at 0x800000.
2. Interrupt vectors start at 0, so it looks like at least the first 64K really should be loaded to 0, not 0x800000.
3. RESET_handler sets DPP0 = 0, so where is 204h taken from at all?
So, who is right here and what is the exact correct way of loading an ECU stock file into the disassembler?

Thanks in advance.

I'm a newbie with IDA Pro and assembler, but after watching Andy's videos and reading this, I can't understand how to load the whole bin file to the 0x800000 address without splitting.
Could someone tell me what values to write into the window (attached image)? I've checked my DPP0...3 and they're the same as in Andy's video. But after identifying DPP... he splits the file into two parts and then sets the RAM start address @ 0x380000 and uses the default for ROM...