Shouldn't make much of a diff even though if the ECU is x64 architecture then tephra will sell you his evo for $10

 

no it shouldn't but I always used the 64bit version.. no idea why

 

Well then I guess you didn't have to sell him your evo for $10

 

*phew*

actually thats my next mod, 3d graphics for the heads up display :P

j/k

 

this is a great thread...always wanted to understand how to locate addresses instead of harassing others. Thanks.

 

Tephra, I'm a bit confused about the image you attached. When I follow your steps I get exactly what you did, but I don't understand how it corresponds to locating addresses in the rom.

You said this was for the high octane fuel map but when I look at the addresses for this map in the definition file I see:

address="6440"
address="6418"

what do "FFFF8844" and "FFFF8866" have to do with locating the High Octane Fuel Table?

 

ok so when the ECU runs the routine which grabs the value from the 3d table it will use FFFF8844 and FFFF8846 as the X and Y axis (maybe Y and X).

8844 and 8846 will be filled in by the proceeding axis lookup routine.

Look at the axis's at 0x6440 and 0x6418 and you should see 8844 and 8846 used as well as the original variable, ie load or rpm

 

Thanks, I found them:



But what if the addresses (FFFF6440 and FFFF6418) weren't defined in my xml file and I had to work backward from the FFFF8844 and FFFF8846? Logic says they should point to FFFF6440 and FFFF6418 but I don't see them:

 

ahh well thats where you need to find the references to the 3d table in the code..

then you find the routine which does the axis lookup before that and then that will reference your axis.

 

brr?...you lost me. I'll have to look this over when I'm more attentive. Thanks for the assistance though.

 

The address FFFF8844 is RAM address, this is where the ECU reads/writes the data to in volatile memory, like the RAM in your PC, you are looking at 00008844, which is an address in ROM, note no FFFF. You need to add a RAM segment, which is under Edit>Segments>add Segment

The ECU needs to know where the map header is for the code to run. The xml for ECUflash points to the start of the data for the map values , when we tune we are not really interested in the header, and to have it visible in ECUflash would be not help at all.

MB

 

I'm even more confused now.

I want to understand how to go about finding a map like 2byte rpm if it's not defined in my xml file. Do I need to basically compare the locations I see in other/similar rom IDs that have address and look in the same locations or is there a systematic process to definitively locating a specific map?

If the latter, what is this process?

I don't understand how people know ******** and ******** is the address for 2byte load in a rom and know exactly what it has to be changed to in order to be able to log it. This leads me to believe their is a systematic process for looking for these things.

For example I'm looking at the well known 94170008 rom. Based on this tutorial If I wanted to "switch on" 2 byte load I need to define the following addresses in EcuFlash:

38062
38066

Here's where I'm confused:

1. How does one know these address represent 2byte load in the first place?
2. How does one know these address must be changed from: 34959 to 35164 and from 34958 to 35165?

There must be some schema within IDA Pro to know these things time and time again.

 

Stuff like 2 byte load and 2byte RPM are not defined in the ROM, as they are not maps or code. They are RAM addresses where that information is stored when the ECU is operating.

What you have to do is look in the code and work out what RAM address you need to look at to log whats going on. Than you find the correct or spare MUT table and either log it directly, or mod the spare one and get your logger to recored the information from that.

MB

 

Ok, so how do you find the correct MUT Table which holds the load info when the ecu is operating? I apologize for my lack of knowledge on all this, I'm not from a programming background, but would really like to understand this.

 

ok finding the MUT_TABLE:
* start at the end of the rom and work backwards, you are looking for a huge block of data that looks like FF FF AA BB FF FF BB CC FF FF XX YY FF FF BA CE .. .. .. .. .. etc etc etc
* once you find that block you go to the first entry and in idapro there should be an xref to it

finding 2byte rpm:
* find the rpm axis for a 3dtable (like fuel), goto the axis and look at the header, one of the pairs of FF FF .. .. will be 2byte rpm