How do you even view the RAM addresses?

 

when i enter values like here i get error and when i press ok then it points to loading address like there mast make some changes?!

 

RAM not ROM!!!

leave the ROM numbers alone, and EDIT THE TOP BOX

hehe

 

now it works

thanx

 

Oh jeeze, i never checked the box to view ram addresses,lol.

 

Just wanted to tell Tephra thanks for the tutorial. I was able to figure out 2byte rpm for the most popular evo VII rom id by following your steps.

On to the next question: How would you recommend going about finding 2byte airflow?

 

Don't know

Never tried!

Is it worth logging?

 

hi guys, i need your help to use IDA.

When i save my work and try to re-open it, it writes "t4 processor unknown" or "can't dissassemble with such an extension ....idb".

I'm working on a 1mo file using an hitachi 7058. My setup:
- binary file
- SH4B
- ram from FFFF0000 and BFFF long

I opened the file with IDA32 and it doesn't work, i had to use IDA64 to be able to work on it (or it doesn't dissassemble).

So just tell me, please, if we can save.

Thank you very much. Math

 

u need to save it as .i64 or whatever it is in the 64bit one...

 

i found another version of IDA and it works. Thanks

 

After I read this post, and I tried on 94170008 rom, and I can sucessfully find the 2 byte RPM is 893A. But for the 2 byte load, why it is 895C? I read the load axis for fuel table, and I can only find it is 883E. Did I do anything wrong? Or I looked at wrong table?

Thanks.

 

iv started to disassemble a non mitsi rom.without any xmls for reference how do you go about finding addresses for tables such as hi octane fuel map etc?

 

When searching for these tables, it helps to know what byte alignment your table is represented in. you want to start searching for sequences of bytes that look like the load and RPM axis values.

Once you identify what you think is an axis, look for those values or the address of the axis throughout the ROM.

When you think you have found a table, change a table value, upload the modified rom and see what happens...

 

Hey guys. Say for instance I wanted to port over an address, how would I do that? I've got my rom (96940011) and the rom I want to switch to (96530006). What I'm trying to do is get an address for the "map scaling" table for the 96530006, and the "EGR MAP offset" tables to get the EGR to work. I've also got an OMNI 4 bar that I want to use.

 

There's a couple of approaches you can take. The easy (but less consistent) way to tackle this would be brute-force: find the table in your current ROM, and look for that pattern of bytes (or a subset of them) in the other ROM. If you find it, compare the table headers and the code that references the table and see if it's consistent. If it is, you've probably found your table. That works about 80% of the time.

Searching for an axis for the table is usually more likely to turn up hit, as the table contents can change from ROM to ROM (but the associated axis usually stays pretty similar), but once you have the axis, you can look through the code that refers to it and compare that to the ROM you know the locations for, meaning you can usually find the table itself pretty quickly. A lot of this is really just pattern-recognition; rather than trying to actually grok the code I'm looking at when trying to locate a table, I'm looking for a pattern of instructions and calls to known routines (like the table and axis lookup routines at sub_CC6, sub_C28, and sub_E02).

A more formal approach would be to pull up the ROM you have today, find the table you're looking for in IDA, and find the code that references it. (See my recent thread in here for the format of the table header.) The first byte of the header will have a comment next to it in IDA which refers to the chunk of code that uses it. Usually, if you click on that reference, it'll take you to a table of addresses; the reference to the right of THAT will take you to the code you care about. (I explained that horribly, hopefully you'll be able to make sense of it somehow. )

Once you've done that, start working backward through the code, making notes about branches (and their surrounding code) as you go, so you can make your way back forward through it. Eventually, you'll either hit some code you know already from both ROMs, or you'll wind your way back to one of the interrupt vectors. Either way, once you're at a "known" location that you can find in the other ROM, you now have a roadmap for getting you back there in the new ROM, or at least a good starting point.

----

Now, all that being said: if you're looking for the "EGR Map Offset" tables from this thread, you understand that you don't have to do any of that to log a JDM MAP sensor on 96530006, right? If you're wanting to play with those for another reason (people still have the EGR equipment installed? ), that's fine, but I just thought I'd mention it.