IDA help, ECU/Assembly Language -cruise to idling control ?

hmanxx · **Joined:** Wed Jul 12, 2006 3:01 pm **Posts:** 154

Hi,
I have started using IDA 5.2 Pro to play around with the code and trying to understand some logic out of it. With the help from a few threads here on IDA guidance and ROM Definition file address, I managed to trace quite a number of routines,however one of the area that i am keen on is to find the logging extended parameters on 32bits ECU(Since 16 bits usage is getting lesser over time..just start fresh from 32bits)

Questions
1) Are they any relationship of the ECUID 5 bytes data representing the base address or something ?
2) Are all the Extended parameters cluster on the same area like the SSM standard parameter..? Or there is fix logic to decode the address?
2) I still dont quite understand how the ECUID address pointing to the SSM Base address work.
e.g WRX08-EDM, ECUID 5152584007, from this ECUID.., where is the SSM base address ? 51525 ?

Background,
1) Roughly know how assembly language work.
2) Understand data structure for 3D/2D ,mostly found it at address at 0x80000 range

thanks.

merchgod · **Joined:** Thu Mar 30, 2006 2:38 am **Posts:** 5336

The 2nd function of the SSM indexed parameters references the first byte of the ECU id.

Extended parameters (besides engineer logging parameters) are just RAM addresses from various routines that I thought would be useful for tuning. That is, there's no standard.

nfn15037 · **Joined:** Mon Dec 11, 2006 3:16 am **Posts:** 109

Can someone post a disassembled ROM? It would allow others to help without buying or stealing a prohibitively expensive piece of software....

fujiillin · **Joined:** Wed Feb 13, 2008 3:00 am **Posts:** 153

Regarding the ext parameters, search for XMLtoIDC, it produces a file that names all the locations in IDA from your ECU definitions.

IMO posting a dissembled file wouldn't offer much, the output formats are tough to browse. It's much easier to learn how to open up the entire rom with the VBR and use the XMLtoIDC program.

hmanxx · **Joined:** Wed Jul 12, 2006 3:01 pm **Posts:** 154

Above is one of the 3D data structure reference function.

One of the instruction that i cant understand where it is pointing to
r0=> Sub routine address
r6=>3D structure , data address
mov.l @(r0,r6),r5 =>Dont understand where it is point to.
jsr @5

If adding both r0 and r6, the address range will exceed the ROM address..

Can anyone give some comment.

merchgod · **Joined:** Thu Mar 30, 2006 2:38 am **Posts:** 5336

hmanxx wrote:

Above is one of the 3D data structure reference function.

One of the instruction that i cant understand where it is pointing to
r0=> Sub routine address
r6=>3D structure , data address
mov.l @(r0,r6),r5 =>Dont understand where it is point to.
jsr @5

If adding both r0 and r6, the address range will exceed the ROM address..

Can anyone give some comment.

r5 = 0xBE848 + data type byte
jsr @r5 -> jump to the address referenced at r5

hmanxx · **Joined:** Wed Jul 12, 2006 3:01 pm **Posts:** 154

thank you very much..
I didnt pay attention to the Byte move (mov.b) instruction..keep thinking of the move does 4 bytes long move (mov.l).

mov.b @r0, r6 ; This is moving the first byte into the register..

I am too rusty on the assembly language..will pick it up slowly.
Will a C decompiler will help ? I want to bring one of this up to make reading of logic easy.

merchgod · **Joined:** Thu Mar 30, 2006 2:38 am **Posts:** 5336

hmanxx wrote:

I am too rusty on the assembly language..will pick it up slowly.
Will a C decompiler will help ? I want to bring one of this up to make reading of logic easy.

Good luck finding one.

hmanxx · **Joined:** Wed Jul 12, 2006 3:01 pm **Posts:** 154

I have further questions
1)Is the CheckSum module address for 32bits ECU always at the same address ?
2) Are MAF, MAP ,RPM, all using fix A to D channel ?

merchgod · **Joined:** Thu Mar 30, 2006 2:38 am **Posts:** 5336

1. checksum start address SH7055 = 0x7FB80, SH7058 = 0xFFB80.
2. Probably generally among the same group of ECUs. However, if you need to determine the RAM add. for RPM, ECT, etc. you only need to look at the SSM logging functions and the ssm.pdf document that describes the protocol.

hmanxx · **Joined:** Wed Jul 12, 2006 3:01 pm **Posts:** 154

I have checked the SSM write on multi threads ..but i still couldnt grasp how it exactly work..Is 32bits processor use the same working principle as 16bits ?

I can trace to ECUID address and branch to the reference routine on the first byte of ecuid(0xD391C), but from there, i am not sure am I pointing to the correct reference routine.

For example my rom AZ1E400C(MY08 WRX EDM), ECUID:51 52 58 40 07, found at 0xD391C.. From 0xD391C,the reference function is at 0x51C5C(Offset) further pointing to 0x51B46( a routine returning D391C)....

IDA cross reference at D391C zone

Code:

ROM:000D3914                                         ; ROM:off_5191Co
ROM:000D3918 byte_D3918:     .data.b 4               ; DATA XREF: ROM:off_51C10o
ROM:000D3919                 .data.b h'A2 ; ó        ; DATA XREF: ROM:off_5A3C0o
ROM:000D391A                 .data.b h'10            ; DATA XREF: ROM:0005A3C4o
ROM:000D391B                 .data.b h'11            ; DATA XREF: ROM:0005A3C8o
ROM:000D391C byte_D391C:     .data.b h'51            ; DATA XREF: ROM:off_51C58o
ROM:000D391C                                         ; ROM:0005A22Co
ROM:000D391C                                         ; ECUID
ROM:000D391D byte_D391D:     .data.b h'52            ; DATA XREF: ROM:off_51C5Co
ROM:000D391D                                         ; ROM:0005A230o
ROM:000D391E byte_D391E:     .data.b h'58            ; DATA XREF: ROM:off_51C60o
ROM:000D391E                                         ; ROM:0005A234o
ROM:000D391F byte_D391F:     .data.b h'40            ; DATA XREF: ROM:off_51C64o
ROM:000D391F                                         ; ROM:0005A238o
ROM:000D3920 byte_D3920:     .data.b 7               ; CODE XREF: ROM:000D316Ej
ROM:000D3920                                         ; DATA XREF: ROM:off_51C68o ...
ROM:000D3921 byte_D3921:     .data.b h'F3            ; DATA XREF: ROM:0005A240o
ROM:000D3921                                         ; ROM:0005A3E0o
ROM:000D3922 byte_D3922:     .data.b h'FA            ; DATA XREF: ROM:0005A244o
ROM:000D3922                                         ; ROM:0005A3E4o
ROM:000D3923 byte_D3923:     .data.b h'C9            ; DATA XREF: ROM:0005A248o
ROM:000D3923                                         ; ROM:0005A3E8o
ROM:000D3924 byte_D3924:     .data.b h'8C            ; DATA XREF: ROM:0005A24Co
ROM:000D3924                                         ; ROM:0005A3ECo
ROM:000D3925 byte_D3925:     .data.b h'B             ; DATA XREF: ROM:0005A250o
ROM:000D3925                                         ; ROM:0005A3F0o
ROM:000D3926 byte_D3926:     .data.b h'81            ; DATA XREF: ROM:0005A254o
ROM:000D3926                                         ; ROM:0005A3F4o
ROM:000D3927 byte_D3927:     .data.b h'FE            ; DATA XREF: ROM:0005A258o
ROM:000D3927                                         ; ROM:0005A3F8o
ROM:000D3928 byte_D3928:     .data.b h'AC            ; DATA XREF: ROM:0005A25Co
ROM:000D3928                                         ; ROM:0005A3FCo
ROM:000D3929 off_D3929:      .data.l loc_66          ; DATA XREF: ROM:0005A260o
ROM:000D3929                                         ; ROM:0005A400o ...
ROM:000D392D byte_D392D:     .data.b h'CE            ; DATA XREF: ROM:0005A270o
ROM:000D392D                                         ; ROM:0005A410o
ROM:000D392E byte_D392E:     .data.b h'54            ; DATA XREF: ROM:0005A274o
ROM:000D392E                                         ; ROM:0005A414o
ROM:000D392F byte_D392F:     .data.b h'F9            ; DATA XREF: ROM:0005A278o
ROM:000D392F                                         ; ROM:0005A418o
ROM:000D3930 byte_D3930:     .data.b h'B0            ; DATA XREF: ROM:0005A27Co
ROM:000D3930                                         ; ROM:0005A41Co
ROM:000D3931 byte_D3931:     .data.b h'60            ; DATA XREF: ROM:0005A280o
ROM:000D3931                                         ; ROM:0005A420o
ROM:000D3932 byte_D3932:     .data.b 0               ; DATA XREF: ROM:0005A284o
ROM:000D3932                                         ; ROM:0005A424o
ROM:000D3933 byte_D3933:     .data.b h'13            ; DATA XREF: ROM:0005A288o
ROM:000D3933                                         ; ROM:0005A428o
ROM:000D3934 byte_D3934:     .data.b 0               ; DATA XREF: ROM:0005A28Co
ROM:000D3934                                         ; ROM:0005A42Co
ROM:000D3935 byte_D3935:     .data.b 0               ; DATA XREF: ROM:0005A290o
ROM:000D3935                                         ; ROM:0005A430o
ROM:000D3936 byte_D3936:     .data.b 0               ; DATA XREF: ROM:0005A294o
ROM:000D3936                                         ; ROM:0005A434o
ROM:000D3937 off_D3937:      .data.l loc_DC          ; DATA XREF: ROM:0005A298o

And reference function zone

Code:

ROM:00051B40 ; =============== S U B R O U T I N E =======================================
ROM:00051B40
ROM:00051B40
ROM:00051B40 sub_51B40:                              ; DATA XREF: ROM:off_586ACo
ROM:00051B40                 mov.l   @(h'110,pc), r2 ; [00051C54] = unk_FFFF884F
ROM:00051B42                 rts
ROM:00051B44                 mov.b   @r2, r0
ROM:00051B44 ; End of function sub_51B40
ROM:00051B44
ROM:00051B46
ROM:00051B46 ; =============== S U B R O U T I N E =======================================
ROM:00051B46
ROM:00051B46
ROM:00051B46 sub_51B46:                              ; DATA XREF: ROM:000586B0o
ROM:00051B46                 mov.l   @(h'110,pc), r2 ; [00051C58] = byte_D391C
ROM:00051B48                 rts
ROM:00051B4A                 mov.b   @r2, r0
ROM:00051B4A ; End of function sub_51B46
ROM:00051B4A
ROM:00051B4C ; ---------------------------------------------------------------------------
ROM:00051B4C
ROM:00051B4C loc_51B4C:                              ; DATA XREF: ROM:000586B4o
ROM:00051B4C                 mov.l   @(h'10C,pc), r2 ; [00051C5C] = byte_D391D
ROM:00051B4E                 rts
ROM:00051B50                 mov.b   @r2, r0
ROM:00051B52
ROM:00051B52 ; =============== S U B R O U T I N E =======================================
ROM:00051B52
ROM:00051B52
ROM:00051B52 sub_51B52:                              ; DATA XREF: ROM:000586B8o
ROM:00051B52                 mov.l   @(h'10C,pc), r2 ; [00051C60] = byte_D391E
ROM:00051B54                 rts
ROM:00051B56                 mov.b   @r2, r0
ROM:00051B56 ; End of function sub_51B52
ROM:00051B56
ROM:00051B58
ROM:00051B58 ; =============== S U B R O U T I N E =======================================
ROM:00051B58
ROM:00051B58
ROM:00051B58 sub_51B58:                              ; DATA XREF: ROM:000586BCo
ROM:00051B58                 mov.l   @(h'108,pc), r2 ; [00051C64] = byte_D391F
ROM:00051B5A                 rts
ROM:00051B5C                 mov.b   @r2, r0
ROM:00051B5C ; End of function sub_51B58
ROM:00051B5C
ROM:00051B5E
ROM:00051B5E ; =============== S U B R O U T I N E =======================================
ROM:00051B5E
ROM:00051B5E
ROM:00051B5E sub_51B5E:                              ; DATA XREF: ROM:000586C0o
ROM:00051B5E                 mov.l   @(h'108,pc), r2 ; [00051C68] = byte_D3920
ROM:00051B60                 rts
ROM:00051B62                 mov.b   @r2, r0
ROM:00051B62 ; End of function sub_51B5E
ROM:00051B62
ROM:00051B64
ROM:00051B64 ; =============== S U B R O U T I N E =======================================
ROM:00051B64
ROM:00051B64
ROM:00051B64 sub_51B64:                              ; DATA XREF: ROM:000586C8o
ROM:00051B64                 mov.l   @(h'104,pc), r2 ; [00051C6C] = unk_FFFF9AA7
ROM:00051B66                 rts
ROM:00051B68                 mov.b   @r2, r0
ROM:00051B68 ; End of function sub_51B64
ROM:00051B68
ROM:00051B68 ; ---------------------------------------------------------------------------
ROM:00051B6A word_51B6A:     .data.w h'AA55          ; DATA XREF: sub_519BC+1Cr
ROM:00051B6C word_51B6C:     .data.w h'4055          ; DATA XREF: sub_519FEr
ROM:00051B6E
ROM:00051B6E ; =============== S U B R O U T I N E =======================================
ROM:00051B6E
ROM:00051B6E
ROM:00051B6E sub_51B6E:                              ; DATA XREF: ROM:000586CCo
ROM:00051B6E                 sts.l   pr, @-r15
ROM:00051B70                 mov.l   @(h'FC,pc), r2 ; [00051C70] = unk_FFFF413C
ROM:00051B72                 fmov.s  @r2, fr4
ROM:00051B74                 mov.l   @(h'FC,pc), r2 ; [00051C74] = sub_BE4DC
ROM:00051B76                 mova    @(h'100,pc), r0 ; [00051C78] = h'C2200000
ROM:00051B78                 fmov.s  @r0, fr6
ROM:00051B7A                 jsr     @r2 ; sub_BE4DC ; Scaling Function:(fr4-fr6)/fr5->fr4,
ROM:00051B7A                                         ; fr4+@r0->Rounding down to r4->r0
ROM:00051B7C                 fldi1   fr5
ROM:00051B7E                 lds.l   @r15+, pr
ROM:00051B80                 rts
ROM:00051B82                 extu.b  r0, r0
ROM:00051B82 ; End of function sub_51B6E
ROM:00051B82
ROM:00051B84
ROM:00051B84 ; =============== S U B R O U T I N E =======================================
ROM:00051B84
ROM:00051B84
ROM:00051B84 sub_51B84:                              ; DATA XREF: ROM:000586D0o
ROM:00051B84                 sts.l   pr, @-r15
ROM:00051B86                 mov.l   @(h'F4,pc), r2 ; [00051C7C] = unk_FFFF7214
ROM:00051B88                 fmov.s  @r2, fr4
ROM:00051B8A                 fldi1   fr6
ROM:00051B8C                 fneg    fr6
ROM:00051B8E                 fadd    fr6, fr4
ROM:00051B90                 mov.l   @(h'E0,pc), r2 ; [00051C74] = sub_BE4DC
ROM:00051B92                 mova    @(h'EC,pc), r0 ; [00051C80] = h'3C000000
ROM:00051B94                 jsr     @r2 ; sub_BE4DC ; Scaling Function:(fr4-fr6)/fr5->fr4,
ROM:00051B94                                         ; fr4+@r0->Rounding down to r4->r0
ROM:00051B96                 fmov.s  @r0, fr5
ROM:00051B98                 lds.l   @r15+, pr
ROM:00051B9A                 rts
ROM:00051B9C                 extu.b  r0, r0
ROM:00051B9C ; End of function sub_51B84

Going further tracing the routine above Reference routine to D391C..,cross referencing to a table pointing to multiple sub routines.

Code:

ROM:000586AC off_586AC:      .data.l sub_51B40       ; DATA XREF: ROM:off_53FD0o
ROM:000586AC                                         ; ROM:off_761E8o ...
ROM:000586AC                                         ; Suspect SSM Look up table
ROM:000586B0                 .data.l sub_51B46       ; reference function to first byte of ECUID
ROM:000586B4                 .data.l loc_51B4C
ROM:000586B8                 .data.l sub_51B52
ROM:000586BC                 .data.l sub_51B58       ; 4
ROM:000586C0                 .data.l sub_51B5E
ROM:000586C4                 .data.l sub_51B34
ROM:000586C8                 .data.l sub_51B64
ROM:000586CC                 .data.l sub_51B6E       ; 8=> ECT, Routine processing ECT
ROM:000586D0                 .data.l sub_51B84
ROM:000586D4                 .data.l sub_51B9E
ROM:000586D8                 .data.l sub_51BB6
ROM:000586DC                 .data.l sub_51BCC       ; 12
ROM:000586E0                 .data.l sub_51C88
ROM:000586E4                 .data.l sub_51C9E
ROM:000586E8                 .data.l sub_51CBE
ROM:000586EC                 .data.l sub_51CD4       ; 16
ROM:000586F0                 .data.l sub_51CE8
ROM:000586F4                 .data.l sub_51D00
ROM:000586F8                 .data.l sub_51D16
ROM:000586FC                 .data.l sub_51D36
ROM:00058700                 .data.l sub_51D4C
ROM:00058704                 .data.l sub_51D62
ROM:00058708                 .data.l sub_51D66
ROM:0005870C                 .data.l sub_51D6A
ROM:00058710                 .data.l sub_51D8A
ROM:00058714                 .data.l sub_51DA0
ROM:00058718                 .data.l sub_51DA4
ROM:0005871C                 .data.l sub_51DA8
ROM:00058720                 .data.l sub_51DBE
ROM:00058724                 .data.l sub_51B3A
ROM:00058728                 .data.l sub_51B3A
ROM:0005872C                 .data.l sub_51DE2
ROM:00058730                 .data.l sub_51DF8
ROM:00058734                 .data.l sub_51B3A
ROM:00058738                 .data.l sub_51E10
ROM:0005873C                 .data.l sub_51E26
ROM:00058740                 .data.l sub_51B3A
ROM:00058744                 .data.l sub_51B3A
ROM:00058748                 .data.l sub_51B3A
ROM:0005874C                 .data.l sub_51E44
ROM:00058750                 .data.l sub_51E62
ROM:00058754                 .data.l sub_51E78
ROM:00058758                 .data.l sub_51B3A

Question:
1)Is the last sub routines listing the SSM look up table..?
I managed to cross referencing RAM Address of RPM, IAT,ECT correctly with 3D and 2D look up function which using FR4 and FR5 for the X and Y axis. on IAT Timing ,ECT compensation..

merchgod · **Joined:** Thu Mar 30, 2006 2:38 am **Posts:** 5336

hmanxx wrote:

Question:
1)Is the last sub routines listing the SSM look up table..?

Yes, you got it.

hmanxx · **Joined:** Wed Jul 12, 2006 3:01 pm **Posts:** 154

I am keen to explore on the routine or RAM address that control the Cruise to Idle .the objective is to ease those folks that have changed to lighten flywheel, lighten pully. Have been reading around the routines involved on the idling /IAT , E-THrottle control..but so far not that fruitful..

Any advice and input to shorten my search on it..
Any good tool to recommend to quicky plot the undefined tables..I can use Romraider but abit slow.

The observation is the car will learn on time to enter idle after 20-30 times of engine stall..I believed there is table at ram that control the time to take over control.

merchgod · **Joined:** Thu Mar 30, 2006 2:38 am **Posts:** 5336

the idle switch is one of the standard SSM parameters, so just go from there. Ecuflash is much faster than RR, especially when loading a large number of tables

legaulois · **Posted:** Wed Dec 16, 2009 2:36 pm

Is there a command to identify the outputs (logger)

RomRaider

IDA help, ECU/Assembly Language -cruise to idling control ?

Who is online