RomRaider

Open Source ECU Tools

All times are UTC - 5 hours [ DST ]





 Post subject: MerpMod new developments
Posted: Sat Aug 01, 2020 6:21 pm
Hi all

I was wondering if someone with previous knowledge of disassembly would be interested in working on the MerpMod project again.

I am a student of Electronic Engineering and I have had a good time tuning Subarus in my country, and these patches definitely leave a good taste in my mouth.

I have been working on the disassembly with the support of the guides and threads that exist here in the forum, but I am still stuck on locating the address where to hang the hacks in the ROM, and I have not managed to find support or someone I can turn to for help.

Currently my unmounted ROM is AE5IA10L (WRX 2011),

and I intend to contribute the versions for the USDM WRX 2011-2014 in case I succeed in compiling.

The topic is wide and obviously somewhat complicated, but it is a boat that I am willing to board. I would like to have support from the experts here, or at least their advice so I can understand better. Currently I am reading the SH7058 user manual in the hope of understanding more and being successful.

Any suggestion or proposal from someone?

I really appreciate your attention.


 Post subject: Re: MerpMod new developments
Posted: Sun Aug 02, 2020 8:41 am
You've posted a couple of times on this in a similar manner.

What exactly do you require?

It would seem there's a limited few on the forums presently who have the ability to do what you're asking, most of whom are pushed for time or moved on to other things.

Your statements are a little vague and broad. Why can't you find the addresses if you have IDA?

The process for patching is essentially:

1.) Use a ROM for which MerpMod exists.
2.) Load ROM in IDA
3.) Map out the addresses from the header files. (header files available on here or GitHub)
4.) Load up your ROM of interest in IDA
5.) Cross reference code between open ROMs to find the new addresses in ROM of interest
6.) Create your new header files to be used in HEW
7.) Download your flavour of MerpMod HEW files from GitHub, along with HEW
8.) Get SharpTune if it's not with the GitHub package you've already got
8.) Place ROM of interest in OEM directory for the MerpMod HEW files
9.) Open HEW, set placeholder for new ROM, execute and bingo - you have your new patch.
10.) Donate to RomRaider

There is plenty of detail about many of the aspects written above created by people like Merp, NSFW, DSchultz, Andea79, Aijii, Puddles and many others in these forums. Occasionally some of it can be a little difficult to follow; however, most of it can be worked through. If I've managed to muddle my way through with no formal teaching or qualification in IT, I'm sure an engineer can sort it.

It's probably easier to ask in the forums if you've got particular points that are catching you out, rather than a general fishing exercise.


 Post subject: Re: MerpMod new developments
Posted: Mon Aug 03, 2020 1:48 am
Hi Lorax, thank you very much for answering, and yes, I have asked many times, trying to be persistent and reach success at the end of the tunnel.

Just clarifying:

I did not want to sound egocentric when mentioning that I study. I have not graduated yet, but this is quite exciting and it has helped me to understand a little, but, without knowing it, I do not know everything or think I am an expert. I just mentioned it in the hope that someone could see that if you give me help it would not be help from scratch and tedious.

I will make a log with images of the process I have followed up to now, in order to be as specific as possible about how far I have advanced in my attempt:

I have IDA Pro, HEW and SharpTune, and right now I am trying to build a "gratis_testing".

1) done
2) done
3) done
4) no
5) no
[Attachment: ae5ia10l.jpg]

6) Puddles mentioned to me that I could copy and use the existing headers and link the new addresses in this new header for my CALLID, and I did so.

I have been able to unmount my ROM and the ROM that I am taking as reference thanks to the existing threads in the forum, for which I am very grateful.

Here comes the part that I could not solve.

The first is:
I do not know exactly what RomHole and RamHole are or how to determine where they start. In the text file of my headers there is always that information, but I never found anything related to it that would let me understand it exactly.

The second is:

I am taking as reference a ROM for the ADM WRX 2011.

I look at the address of the rev limit (0x00034FCC in this case).

[Attachment: adress.jpg]

I go to IDA and look for that address and I get this:

[Attachment: revlimit.jpg]

Then I go to IDA for the ROM of my interest and I look in all the functions for the rev limiter code, but I can't find what I would at least expect.

What I would expect is to find code equal to what I can see in the reference ROM, but it has not been like that. What can I be missing?

If I look for the code of the reference ROM in the ROM of my interest I get this. I think it is normal that the address is not the same, and I do not get the code or anything similar.

[Attachment: revlimit2.jpg]

With the XMLtoIDC utility I have table scripts and standard and extended parameters. At one time I thought that with the table script it could be easier to find the addresses of the code, but I remember that it was you who mentioned that those addresses only refer to where the tables are hosted inside the ROM, something more like data, NOT the code.



The Lorax, I want to thank you for your attention and time!!

In fact you are very right: the last answer I got from andea79 was that I did not have much time available currently to be able to continue, and I do not doubt that the same thing happens with many more people in here... I am afraid that indeed I am the only one with the interest and the desire to resume it, at least for the moment. I wish I could achieve it, but it has been difficult for me to go down this road and not know where to turn with a doubt like the one I have at this moment.

One more time!

Thanks a lot, Lorax!!


 Post subject: Re: MerpMod new developments
Posted: Fri Aug 07, 2020 9:18 am
petergc8 wrote:
The first is:
I do not know exactly what RomHole and RamHole are or how to determine where they start. In the text file of my headers there is always that information, but I never found anything related to it that would let me understand it exactly.


ROM Holes and RAM Holes are simply areas contained within each that have no code, i.e. 'FF', or addresses that are never referenced by the subroutines. It's this space that is required to insert the new patch into. I thought I had read some detail on it in the forums previously, but can't seem to find a reference to it now with a brief search. The Merp/HEW package does have some basic tests written into it so that if you select the incorrect addresses it will (typically) not execute, or give you an error message.

I thought I had also read somewhere about a semi-automated way to find a suitable area of appropriate length to place the new patched code and referenced RAM addresses, but again I can't seem to be able to find it.

I've always done it manually. Ensuring you've got most of the ROM explored in IDA, so that it executes most of the contained code and populates the RAM addresses, you then simply need to find a space for each with suitable length.

I can't recall exactly how long this needs to be to squeeze everything in, but at a quick glance at my ROM, a length of h'c800 should be sufficient. Most of the ROMs up until around 2015 have enough room without having to hack into the existing MerpMod code. h'210 length should be OK for RAM.

petergc8 wrote:
The second is:

I am taking as reference a ROM for the ADM WRX 2011. I look at the address of the rev limit (0x00034FCC in this case),

then I go to IDA for the ROM of my interest and I look in all the functions for the rev limiter code, but I can't find what I would at least expect.

What I would expect is to find code equal to what I can see in the reference ROM, but it has not been like that. What can I be missing?


Depending upon the ROM and year, changes are likely to have been made to the code. It seems for the 32-bit ROMs that generally the 07/08+ divide was significant, but there have also been significant changes in later years for 32-bit as well.

Sometimes you can search for the first few lines of hex for a known subroutine in the ROM of interest. Other times I've found it useful to search for one of the multipliers that is hard coded in the subroutine. Sometimes you just have to search for subroutines that reference the one of interest. There isn't a particular technique that will always deliver, nor is there any particular sequence that improves your strike rate, other than already mapping out all the known addresses and making sure that you've explored/converted any code that IDA didn't do automatically. The more I've done this sort of thing, you tend to get a feel for how things should look, without having to step through each line until you find the subroutine you really want to focus in on. The graph mode, which you've already found, is quite helpful in this regard.

petergc8 wrote:
With the XMLtoIDC utility I have table scripts and standard and extended parameters. At one time I thought that with the table script it could be easier to find the addresses of the code, but I remember that it was you who mentioned that those addresses only refer to where the tables are hosted inside the ROM, something more like data, NOT the code.


It is definitely easier, but the tables that are referenced in the code are one step higher in order than the data addresses that you see in RR or ECUFlash.
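
The two manual searches described in the reply above (a stretch of 'FF' long enough to hold the patch, and a known subroutine located by its first bytes) can be scripted against a raw ROM dump. The Python below is an added example, not code from this thread or from the MerpMod package; the demo image, the routine bytes, the 4-byte alignment and all function names are constructed assumptions. It goes one step beyond the post by masking operand bytes with `??`, so a routine whose addresses moved between ROM revisions still matches.

```python
import re

ROM_HOLE_MIN = 0xC800  # h'c800, the ROM hole length suggested in the thread

def find_holes(image, min_len, fill=0xFF, align=4):
    """Return (start, length) of every run of `fill` bytes that still has
    at least `min_len` bytes after rounding its start up to `align`."""
    holes = []
    for m in re.finditer(re.escape(bytes([fill])) + b"+", image):
        start = -(-m.start() // align) * align   # ceil to alignment
        if m.end() - start >= min_len:
            holes.append((start, m.end() - start))
    return holes

def find_signature(image, pattern):
    """Offsets where an IDA-style hex pattern matches; '??' is any byte.
    Only even offsets are kept because SH-2 opcodes are 16 bits wide."""
    rx = b"".join(b"." if tok == "??" else re.escape(bytes.fromhex(tok))
                  for tok in pattern.split())
    # Lookahead so overlapping candidates are not skipped.
    hits = re.finditer(b"(?=" + rx + b")", image, re.DOTALL)
    return [m.start() for m in hits if m.start() % 2 == 0]

def build_demo_image():
    """Constructed 256 KiB stand-in for a ROM dump (not real ECU data)."""
    img = bytearray((bytes(range(0xF0)) * 0x1200)[:0x40000])  # filler 'code'
    img[0x1002:0x1102] = b"\xFF" * 0x100      # erased run, too short
    img[0x30002:0x3D002] = b"\xFF" * 0xD000   # erased run, long enough
    img[0x2A10:0x2A18] = bytes.fromhex("D205 6222 C90F 8B02")  # made-up routine
    return bytes(img)

if __name__ == "__main__":
    rom = build_demo_image()  # for a real dump: open(path, "rb").read()
    for start, length in find_holes(rom, ROM_HOLE_MIN):
        print(f"candidate hole at 0x{start:06X}, length 0x{length:X}")
    # Bytes as they might appear in a reference ROM (made up), exact then masked
    print(find_signature(rom, "D2 07 62 22 C9 1F 8B 02"))
    print(find_signature(rom, "D2 ?? 62 22 C9 ?? 8B 02"))
```

A run of 'FF' is only a candidate: it still has to be checked in IDA for references, and RAM holes cannot be found this way because RAM contents are not part of the ROM image.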
