RomRaider

If it works out I'll post a full ''How To'' I don't really know much about patch utilities and HEW.
So I'm just going to make the few small changes with HxD but maybe with your help we could make a patch that others could use?

Eventually what I want to do is install an SI-drive selector plus required parts of centre console and use the C-diff and dccd sw's for ffs and lc. I'd have to rewrite the determination logic because there would need to be 4 recognisable states not three.

Would it be easy enough to integrate this in to one of your FFS/LC patches?

Basically all I'd need is logic to go from....

0 = Lc and Ffs off
1 = LC on Ffs off
2 = Lc off Ffs on
3 = lc Off Ffs Off

A place to start... viewtopic.php?f=25&t=7680

hi guys,

I've had more progress- when I run the tables idc script, i get the following:

--- Now marking Tables_AZ1G900C ---
No reference to Target_Boost_Compensation_ECT
No reference to InitialMax_Wastegate_Duty_Compensation_IAT
No reference to InitialMax_Wastegate_Duty_Compensation_ECT
No reference to TD_Proportional_Compensation_IAT
No reference to TD_Integral_Positive_Compensation_IAT
No reference to TD_Integral_Negative_Compensation_IAT
No reference to Primary_Open_Loop_Fueling
No reference to Primary_Open_Loop_Fueling_Failsafe
No reference to CL_to_OL_Transition_with_Delay_Throttle
No reference to Per_Injector_Pulse_Width_Compensation_A
No reference to Per_Injector_Pulse_Width_Compensation_B
No reference to Per_Injector_Pulse_Width_Compensation_C
No reference to Per_Injector_Pulse_Width_Compensation_D
No reference to Cranking_Fuel_Injector_Pulse_Width_A_ECT
No reference to Cranking_Fuel_Injector_Pulse_Width_B_ECT
No reference to Cranking_Fuel_Injector_Pulse_Width_C_ECT
No reference to Cranking_Fuel_Injector_Pulse_Width_D_ECT
No reference to Cranking_Fuel_Injector_Pulse_Width_E_ECT
No reference to Cranking_Fuel_Injector_Pulse_Width_F_ECT
No reference to Throttle_Tipin_Enrichment_A
No reference to Tipin_Enrichment_Compensation_RPM
No reference to Tipin_Enrichment_Compensation_A_ECT
No reference to Tipin_Enrichment_Compensation_B_ECT
No reference to Tipin_Enrichment_Compensation_C_ECT
No reference to Tipin_Enrichment_Compensation_D_ECT
No reference to Min_Primary_Base_Enrichment_1_Cruise
No reference to Min_Primary_Base_Enrichment_1_NonCruise
No reference to Min_Primary_Base_Enrichment_1_NonPrimary_OL_
No reference to MAF_Sensor_Scaling
No reference to Base_Timing_Primary_Cruise
No reference to Base_Timing_Reference_NonCruise_AVCS_related
No reference to Base_Timing_Primary_NonCruise
No reference to Base_Timing_Reference_Cruise_AVCS_related
No reference to Base_Timing_Idle_B_InGear
No reference to Base_Timing_Idle_A_Neutral
No reference to Knock_Correction_Advance_Max_Cruise
No reference to Knock_Correction_Advance_Max_NonCruise
No reference to Timing_Compensation_A_IAT
No reference to Timing_Compensation_B_IAT
No reference to Timing_Compensation_Imm_Cruise_A_ECT
No reference to Timing_Compensation_Imm_Cruise_B_ECT
No reference to Timing_Compensation_Imm_NonCruise_A_ECT
No reference to Timing_Compensation_Imm_NonCruise_B_ECT
No reference to Intake_Cam_Advance_Angle_Cruise_AVCS
No reference to Intake_Cam_Advance_Angle_NonCruise_AVCS
No reference to Requested_Torque_Base_RPM
No reference to Target_Throttle_Plate_Position_Cruise_Requested_Torque_Ratio
No reference to Target_Throttle_Plate_Position_NonCruise_Requested_Torque_Ratio
No reference to Target_Throttle_Plate_Position_Maximum_Requested_Torque_Ratio
No reference to Idle_Speed_Target_A
No reference to Idle_Speed_Target_B
No reference to Idle_Speed_Target_C

If i click on one of these, it takes me to the table in ROM, for instance if I click on the first message re:Turbo_Dynamics_Integral_Positive_Y_Axis:

ROM:000C090C Turbo_Dynamics_Integral_Positive_Y_Axis:.data.l 0 ; DATA XREF: ROM:00084B10o
ROM:000C0910 .data.l h'41200000, h'41A00000, h'42200000, h'42A00000
ROM:000C0910 .data.l h'42F00000, h'43200000, h'43480000, h'43700000

Does this look right ?

When you get the "no reference" message that means you probably have not disassemble all of the code in the ROM yet. Look for sections that did not disassemble automatically into code or data and proceed to undefined them and then "force" code analysis by pressing the c key while at the start of the section. After you have completed that re-run the IDC script to mark the ROM and many of the "no reference" messages should disappear.

Hmm okay...

For example:

I click Throttle_Tipin_Enrichment_A in the list of "no references found, and jump to the following in the disassembly window:



I search for a byte sequence 0CA4FC and get the following:



i presume this is an array ?

i then select it and click U to undefine it:



and then if i select this and click C, and then select "analyze" it just puts it back the way it was before I undefined it.

If however, I convert them all to longs one by one I get the following:



and the "no reference" message for Throttle_Tipin_Enrichment_A goes away.

But I want to know, if what I am doing is correct ?

You need to read through the first couple of posts thoroughly again, especially regarding the table structures (Layout of a 2D table in memory (32-bit) ).

What you have there is the Lookup Table. The first two words give you the axis sizes (12x8), the first reference (0xCA4B4) is the x axis, the next is the 'z' axis (i.e. the table) and the last two are float values (multiplier and offset).

Using Dale's formatting scripts will make your life much easier.

Notice that you are missing a reference to this table data. That's what the script is complaining about. So it can't follow back to the lookup table structure that points to it.
When the lookup table structure is formatted correctly then the IDC script can properly mark all the references.
See viewtopic.php?t=8449 step 4 (but do steps 1 - 3 first)

Holy s***... Okay there is a bunch of stuff I missed. I'd never even set foot in that thread...

You, my friend, are a legend

Thanks!

just saw this. okay good stuff, that makes sense now. lots to keep me busy on my downtime during our canada/usa holiday.

Okay, so I have never disassembled a binary before. I am having a hard time understanding everything I need to get the file to open in IDA. I have tried reading through the first post, and not really grasping it.

The ROM is from my bike, 06 GSX-R 750. The ECU uses a Renesas SH7054 (as best I can tell). I will attach my ROM and the 7054 datasheet. I am unsure how to get the file to open in Ida!

The only thing I know is that RAM starts at 0xFFFF8000 and goes to 0xFFFFBFFF (length of 0x7FFF). I also don't really understand hex at all. I got that length from Google Calculator, not going to lie about it.

When you open the hex file in IDA select process type Renesas SH2A. If you are prompt for a specific processor version just ignore it as you don't have the complete definition in IDA for the SH7054, you would need to create it. Set the RAM to 0xFFFF8000 size 0x4000 (16kB).
If IDA does not start to process the ROM then you will need to open the Option > General tab click 'Kernel options 1' and check the 'Make final analysis pass' box. Click OK and the re-analyze.
The very first subroutine run by the processor on RESET or power up is the one indicated by the first 4 bytes of the ROM (sub_400). This sub starts the processor and peripherals initialization.
If you have the addresses of a few tables then you can go to them 'g command' and list the x-ref back to where they are used in code, assuming the ROM unfolded correctly and completely. You need the SH-2A software manual to get a sense of how the processor operates on each instruction.

Ok, I'll try to start with that.

So, I will admit that I don't know the first thing about ROM disassembly. I am trying to open up the 710J (04 STi) ROM in Ida, and am stuck on this step... First of all, how long is 4 bytes in hex? Second, how do I determine where this pointer is pointing to?

Open the Rom. While at the top click the rom address. press d three times. You should have made the first four bytes (8hex digits) clickable. Double click, press c.

And just so you know what's going on, pressing d cycles the selected address through various data types (byte, short, long, etc...)

As far as bytes and hex goes.. Here's a basic crash course:
4 bits = 1 nibble = 1 hexadecimal digit.
8 bits = 1 byte = 2 hexadecimal digits = 'data.b'
16 bits = 2 bytes = 1 short = 1 word = 'data.w'
32 bits = 4 bytes = 1 long = 1 longword = 'data.l'

This is a good introduction to binary/hex: http://www.codeproject.com/Articles/406 ... exadecimal

Once you have the hang of that, endianness, signing, and floating point values are fairly important concepts to understand: https://en.wikipedia.org/wiki/Endianness https://en.wikipedia.org/wiki/Signed_nu ... esentation https://en.wikipedia.org/wiki/Floating_point