dschultz
|
Post subject: Re: Another way to find SSM base from the ECU ID Posted: Fri Sep 13, 2019 9:38 pm |
|
 |
| RomRaider Developer |
Joined: Thu May 21, 2009 1:49 am Posts: 7323 Location: Canada eh!
|
You need to load in the binary file, not the .srf file. That is one thing messing up IDA. The search is binary a310, just as I mentioned, no spaces as there is no such thing as a space between bytes. It also looks like you have an endian problem. If you searched for binary a310 and it finds 10a3 that's an issue with how you loaded and told IDA to interpret the file. Do you have a link to the stock binary or srf file on RR? I found this with a quick binary search for a310.
Attachment: LF9D010H_ECUID.PNG
big_dims
|
Post subject: Re: Another way to find SSM base from the ECU ID Posted: Mon Sep 16, 2019 12:31 pm |
|
 |
| Newbie |
Joined: Mon Sep 02, 2019 11:51 am Posts: 10
|
dschultz wrote:
You need to load in the binary file, not the .srf file. That is one thing messing up IDA. The search is binary a310, just as I mentioned, no spaces as there is no such thing as a space between bytes. It also looks like you have an endian problem. If you searched for binary a310 and it finds 10a3 that's an issue with how you loaded and told IDA to interpret the file. Do you have a link to the stock binary or srf file on RR? I found this with a quick binary search for a310.
Attachment: LF9D010H_ECUID.PNG

Ah got it. The file I pulled with the tactrix cable was .srf, is there a way to get a .bin? I searched for "A3 10" and got a few more results, but didn't see mention of "6E".

Code:
ROM:0006321E .data.b h'A3
ROM:0006321F .data.b h'10
ROM:00063220 .data.b h'F
ROM:00063221 .data.b h'C0
ROM:00063222 .data.b h'29 ; )
ROM:00063223 .data.b h'B0
ROM:00063224 .data.b h'40 ; @

Code:
ROM:000B2D68 .data.b h'A3
ROM:000B2D69 .data.b h'10
ROM:000B2D6A .data.b h'FF
ROM:000B2D6B .data.b h'F8
ROM:000B2D6C .data.b h'8D
ROM:000B2D6D .data.b h'48 ; H

Code:
ROM:000EDC4E .data.b h'A3
ROM:000EDC4F .data.b h'10
ROM:000EDC50 .data.b h'D1
ROM:000EDC51 .data.b h'3A ; :
ROM:000EDC52 .data.b h'B
ROM:000EDC53 .data.b h'80
ROM:000EDC54 .data.b h'B6
ROM:000EDC55 .data.b h'6C ; l
ROM:000EDC56 .data.b h'66 ; f

None of them have mention of 6E, so I imagine either I'm inspecting in the wrong way or maybe there's different bytes to look for now. I've attached my .srf below. Thanks for all the help!
dschultz
|
Post subject: Re: Another way to find SSM base from the ECU ID Posted: Mon Sep 16, 2019 12:38 pm |
|
 |
| RomRaider Developer |
Joined: Thu May 21, 2009 1:49 am Posts: 7323 Location: Canada eh!
|
|
EcuFlash can 'Save as' the file as a .bin.
What does 6E mean?
It looks like the address 0006321E is the correct stop, if that's the address from the bin file.
big_dims
|
Post subject: Re: Another way to find SSM base from the ECU ID Posted: Mon Sep 16, 2019 4:15 pm |
|
 |
| Newbie |
Joined: Mon Sep 02, 2019 11:51 am Posts: 10
|
dschultz wrote:
EcuFlash can 'Save as' the file as a .bin.
What does 6E mean?
It looks like the address 0006321E is the correct stop, if that's the address from the bin file.

Attached .bin

0x6E was the first byte of your ECU ID in post #1, hadn't considered it'll probably be different. Would C0 be the first byte in my case?

Code:
ROM:0006321E .data.b h'A3
ROM:0006321F .data.b h'10
ROM:00063220 .data.b h'F
ROM:00063221 .data.b h'C0
ROM:00063222 .data.b h'29 ; )
ROM:00063223 .data.b h'B0
ROM:00063224 .data.b h'40 ; @

Also, how can I get an XREF to show? 'c' doesn't work in that location. Also, I tried 'select all' and then analyze, but that didn't yield usable results as the code size changed as well as the actual hex.

Thanks a lot
big_dims
|
Post subject: Re: Another way to find SSM base from the ECU ID Posted: Mon Sep 16, 2019 7:12 pm |
|
 |
| Newbie |
Joined: Mon Sep 02, 2019 11:51 am Posts: 10
|
|
If I understand correctly, then, my ecu id is C029B0407?
dschultz
|
Post subject: Re: Another way to find SSM base from the ECU ID Posted: Mon Sep 16, 2019 11:28 pm |
|
 |
| RomRaider Developer |
Joined: Thu May 21, 2009 1:49 am Posts: 7323 Location: Canada eh!
|
|
I'd say so. But you need to be analyzing the bin file not the srf file. All references will be off or non-existent in the srf.
The ECU ID starts at 0630ff in the bin file.
'c' is to make code. The ECU ID area is data so it won't work there. You may have to make some x-refs manually, not all code and references unfold nicely, especially when there's a lookup table structure in the middle of the call routine.
riksk
|
Post subject: Re: Another way to find SSM base from the ECU ID Posted: Mon Aug 09, 2021 9:47 am |
|
 |
| Experienced |
Joined: Sun Jun 28, 2020 6:25 am Posts: 242
|
Might need some help trying to understand this. When I search for A210, this pops up;

Code:
ROM:000CFB89 .data.b h'A2
ROM:000CFB8A .data.b h'10
ROM:000CFB8B .data.b h'11
ROM:000CFB8C .data.b h'43 ; C
ROM:000CFB8D .data.b h'12
ROM:000CFB8E .data.b h'58 ; X
ROM:000CFB8F .data.b h'40 ; @
ROM:000CFB90 .data.b 6
ROM:000CFB91 .data.b 0
ROM:000CFB92 .data.b h'F3
ROM:000CFB93 .data.b h'FA
ROM:000CFB94 .data.b h'CB
ROM:000CFB95 .data.b h'A6
ROM:000CFB96 .data.b h'2B ; +
ROM:000CFB97 .data.b h'81
ROM:000CFB98 .data.b h'FE
ROM:000CFB99 .data.b h'AC

Nothing readable related to the ECU ID. Alright. So I select all that code and right click "Analyze selected area". It turns into this:

Code:
ROM:000CFB89 .data.b h'A2, h'10, h'11
ROM:000CFB8C .data.l h'43125840, h'600F3FA, h'CBA62B81, h'FEAC0000
ROM:000CFB8C .data.l h'60CE54, h'F8B1E400, h'C200000, h'DC, h'751F
ROM:000CFB8C .data.l h'3080F0E2, h'43FB, h'F18102, 0

Seems a little better but still nothing compared to the first post on this topic. But I can see some of the ECUID here in the second line.

Code:
ROM:000CFB8C .data.l h'43125840

The full ECUID tho is 4312584006. No XREF to anything, no idea how to create them correctly. I tried a few options with right click or from the "Jump >" Menu, nothing works, just errors. I'm literally lost and don't know what to do from here. What makes it worse is that finding ssm base seems to be the most basic thing... and I can't even do that.
_________________ 2011 Forester S Edition 5EAT~ Flex Fuel 2011 WRX 6MT ~ Flex Fuel
dschultz
|
Post subject: Re: Another way to find SSM base from the ECU ID Posted: Mon Aug 09, 2021 11:39 pm |
|
 |
| RomRaider Developer |
Joined: Thu May 21, 2009 1:49 am Posts: 7323 Location: Canada eh!
|
riksk
|
Post subject: Re: Another way to find SSM base from the ECU ID Posted: Tue Aug 10, 2021 12:41 am |
|
 |
| Experienced |
Joined: Sun Jun 28, 2020 6:25 am Posts: 242
|
dschultz wrote:
There's no x-ref most likely because you have not analyzed the ROM area that would make reference to this section. You need to 'make code' for more of the ROM.
viewtopic.php?f=40&t=6303
viewtopic.php?f=40&t=8449

Thanks, I'm nearly there. So I closed everything and Re-Opened the file using instructions on the second topic you mentioned. I ended up getting closer.

Code:
ROM:000D42C1 byte_D42C1: .data.b h'A2 ; DATA XREF: ROM:off_5B204↑o
ROM:000D42C1 ; ROM:off_5B3A4↑o
ROM:000D42C2 byte_D42C2: .data.b h'10 ; DATA XREF: ROM:off_5B204↑o
ROM:000D42C2 ; ROM:off_5B3A4↑o
ROM:000D42C3 byte_D42C3: .data.b h'11 ; DATA XREF: ROM:off_5B204↑o
ROM:000D42C3 ; ROM:off_5B3A4↑o
ROM:000D42C4 ECU_ID_B1: .data.b h'74 ; DATA XREF: ROM:00052A16↑o
ROM:000D42C4 ; ROM:off_52B28↑o ...

I renamed the first ECUID Byte for reference, like you did in the first post.

Code:
ROM:000D42C4 ECU_ID_B1: .data.b h'74 ; DATA XREF: ROM:00052A16↑o

Now I'm having another issue. The following XREF doesn't appear to be even near what it is supposed to be haha.

Code:
ROM:00052A16 ; ---------------------------------------------------------------------------
ROM:00052A16 mov.l #ECU_ID_B1, r2
ROM:00052A18 rts
ROM:00052A1A mov.b @r2, r0
ROM:00052A1C ; ---------------------------------------------------------------------------

And below is the full subroutine; (for references)

Code:
ROM:000529A8 ; =============== S U B R O U T I N E =======================================
ROM:000529A8
ROM:000529A8
ROM:000529A8 sub_529A8: ; CODE XREF: ROM:0004247A↑p
ROM:000529A8 ; DATA XREF: ROM:00042478↑o ...
ROM:000529A8 mov.l r14, @-r15
ROM:000529AA sts.l pr, @-r15
ROM:000529AC mov.l #unk_FFFF9804, r2
ROM:000529AE mov.b @r2, r6
ROM:000529B0 mov.l #unk_FFFF9805, r5
ROM:000529B2 mov.b @r5, r14
ROM:000529B4 tst r6, r6
ROM:000529B6 bf/s loc_529C6
ROM:000529B8 mov #0, r0
ROM:000529BA mov.l #sub_BE550, r2
ROM:000529BC mov.l #unk_FFFF87E4, r1
ROM:000529BE mov.b @(3,r1), r0
ROM:000529C0 extu.b r0, r4
ROM:000529C2 jsr @r2 ; sub_BE550
ROM:000529C4 mov #1, r5
ROM:000529C6
ROM:000529C6 loc_529C6: ; CODE XREF: sub_529A8+E↑j
ROM:000529C6 mov.l #unk_FFFF87E4, r1
ROM:000529C8 mov.b r0, @(3,r1)
ROM:000529CA tst r14, r14
ROM:000529CC bf/s loc_529DC
ROM:000529CE mov #0, r0
ROM:000529D0 mov.l #sub_BE550, r2
ROM:000529D2 mov #1, r5
ROM:000529D4 mov.b @(4,r1), r0
ROM:000529D6 jsr @r2 ; sub_BE550
ROM:000529D8 extu.b r0, r4
ROM:000529DA mov.l #unk_FFFF87E4, r1
ROM:000529DC
ROM:000529DC loc_529DC: ; CODE XREF: sub_529A8+24↑j
ROM:000529DC mov.b r0, @(4,r1)
ROM:000529DE mov.b @(3,r1), r0
ROM:000529E0 mov #6, r6
ROM:000529E2 cmp/hs r6, r0
ROM:000529E4 bt loc_529F6
ROM:000529E6 mov.b @(4,r1), r0
ROM:000529E8 mov #6, r6
ROM:000529EA cmp/hs r6, r0
ROM:000529EC bt loc_529F6
ROM:000529EE mov.l #unk_FFFF87E4, r6
ROM:000529F0 mov.b @r6, r0
ROM:000529F2 bra loc_529FC
ROM:000529F4 or #h'40, r0
ROM:000529F6 ; ---------------------------------------------------------------------------
ROM:000529F6
ROM:000529F6 loc_529F6: ; CODE XREF: sub_529A8+3C↑j
ROM:000529F6 ; sub_529A8+44↑j
ROM:000529F6 mov.l #unk_FFFF87E4, r6
ROM:000529F8 mov.b @r6, r0
ROM:000529FA and #h'BF, r0
ROM:000529FC
ROM:000529FC loc_529FC: ; CODE XREF: sub_529A8+4A↑j
ROM:000529FC mov.b r0, @r6
ROM:000529FE lds.l @r15+, pr
ROM:00052A00 rts
ROM:00052A02 mov.l @r15+, r14
ROM:00052A02 ; End of function sub_529A8
ROM:00052A02
ROM:00052A04 ; ---------------------------------------------------------------------------
ROM:00052A04
ROM:00052A04 loc_52A04: ; DATA XREF: ROM:000595AC↓o
ROM:00052A04 mov.l #byte_595A0, r2
ROM:00052A06 rts
ROM:00052A08 mov.b @r2, r0
ROM:00052A0A ; ---------------------------------------------------------------------------
ROM:00052A0A
ROM:00052A0A loc_52A0A: ; DATA XREF: ROM:0005960C↓o
ROM:00052A0A ; ROM:0005963C↓o
ROM:00052A0A mov.l #byte_595A1, r2
ROM:00052A0C rts
ROM:00052A0E mov.b @r2, r0
ROM:00052A10 ; ---------------------------------------------------------------------------
ROM:00052A10
ROM:00052A10 loc_52A10: ; DATA XREF: ROM:off_595A4↓o
ROM:00052A10 mov.l #unk_FFFF87DB, r2
ROM:00052A12 rts
ROM:00052A14 mov.b @r2, r0
ROM:00052A16 ; ---------------------------------------------------------------------------
ROM:00052A16 mov.l #ECU_ID_B1, r2
ROM:00052A18 rts
ROM:00052A1A mov.b @r2, r0
ROM:00052A1C ; ---------------------------------------------------------------------------
ROM:00052A1C
ROM:00052A1C loc_52A1C: ; DATA XREF: ROM:000595AC↓o
ROM:00052A1C mov.l #byte_D42C5, r2
ROM:00052A1E rts
ROM:00052A20 mov.b @r2, r0
ROM:00052A22 ; ---------------------------------------------------------------------------
ROM:00052A22
ROM:00052A22 loc_52A22: ; DATA XREF: ROM:000595AC↓o
ROM:00052A22 mov.l #byte_D42C6, r2
ROM:00052A24 rts
ROM:00052A26 mov.b @r2, r0
ROM:00052A28 ; ---------------------------------------------------------------------------
ROM:00052A28
ROM:00052A28 loc_52A28: ; DATA XREF: ROM:000595AC↓o
ROM:00052A28 mov.l #byte_D42C7, r2
ROM:00052A2A rts
ROM:00052A2C mov.b @r2, r0
ROM:00052A2E ; ---------------------------------------------------------------------------
ROM:00052A2E
ROM:00052A2E loc_52A2E: ; DATA XREF: ROM:000595AC↓o
ROM:00052A2E mov.l #byte_D42C8, r2
ROM:00052A30 rts
ROM:00052A32 mov.b @r2, r0
ROM:00052A34 ; ---------------------------------------------------------------------------
ROM:00052A34
ROM:00052A34 loc_52A34: ; DATA XREF: ROM:000595AC↓o
ROM:00052A34 mov.l #unk_FFFF9A77, r2
ROM:00052A36 rts
ROM:00052A38 mov.b @r2, r0
ROM:00052A38 ; ---------------------------------------------------------------------------
ROM:00052A3A word_52A3A: .data.w h'AA55 ; DATA XREF: sub_5288C+1C↑r
ROM:00052A3C word_52A3C: .data.w h'4055 ; DATA XREF: sub_528CE↑r
ROM:00052A3E ; ---------------------------------------------------------------------------
ROM:00052A3E
ROM:00052A3E loc_52A3E: ; DATA XREF: ROM:000595AC↓o
ROM:00052A3E sts.l pr, @-r15
ROM:00052A40 mov.l #unk_FFFF4140, r2
ROM:00052A42 fmov.s @r2, fr4
ROM:00052A44 mov.l #sub_BE5BC, r2
ROM:00052A46 mova h'52B48, r0
ROM:00052A48 fmov.s @r0, fr6
ROM:00052A4A jsr @r2 ; sub_BE5BC
ROM:00052A4C fldi1 fr5
ROM:00052A4E lds.l @r15+, pr
ROM:00052A50 rts
ROM:00052A52 extu.b r0, r0
ROM:00052A54 ; ---------------------------------------------------------------------------
ROM:00052A54
ROM:00052A54 loc_52A54: ; DATA XREF: ROM:000595AC↓o
ROM:00052A54 sts.l pr, @-r15
ROM:00052A56 mov.l #unk_FFFF7130, r2
ROM:00052A58 fmov.s @r2, fr4
ROM:00052A5A fldi1 fr6
ROM:00052A5C fneg fr6
ROM:00052A5E fadd fr6, fr4
ROM:00052A60 mov.l #sub_BE5BC, r2
ROM:00052A62 mova h'52B50, r0
ROM:00052A64 jsr @r2 ; sub_BE5BC
ROM:00052A66 fmov.s @r0, fr5
ROM:00052A68 lds.l @r15+, pr
ROM:00052A6A rts
ROM:00052A6C extu.b r0, r0
ROM:00052A6E ; ---------------------------------------------------------------------------
ROM:00052A6E sts.l pr, @-r15
ROM:00052A70 mov.l #unk_FFFF72B0, r2
ROM:00052A72 fmov.s @r2, fr4
ROM:00052A74 mov.l #sub_BE5BC, r2
ROM:00052A76 fldi1 fr6
ROM:00052A78 fneg fr6
ROM:00052A7A mova h'52B50, r0
ROM:00052A7C jsr @r2 ; sub_BE5BC
ROM:00052A7E fmov.s @r0, fr5
ROM:00052A80 lds.l @r15+, pr
ROM:00052A82 rts
ROM:00052A84 extu.b r0, r0
ROM:00052A86 ; ---------------------------------------------------------------------------
ROM:00052A86
ROM:00052A86 loc_52A86: ; DATA XREF: ROM:000595D0↓o
ROM:00052A86 sts.l pr, @-r15
ROM:00052A88 mov.l #sub_BE5BC, r2
ROM:00052A8A fldi1 fr6
ROM:00052A8C fneg fr6
ROM:00052A8E fmov fr6, fr4
ROM:00052A90 mova h'52B50, r0
ROM:00052A92 jsr @r2 ; sub_BE5BC
ROM:00052A94 fmov.s @r0, fr5
ROM:00052A96 lds.l @r15+, pr
ROM:00052A98 rts
ROM:00052A9A extu.b r0, r0
ROM:00052A9C ; ---------------------------------------------------------------------------
ROM:00052A9C
ROM:00052A9C loc_52A9C: ; DATA XREF: ROM:000595D0↓o
ROM:00052A9C sts.l pr, @-r15
ROM:00052A9E mov.l #sub_BE5BC, r2
ROM:00052AA0 fldi1 fr6
ROM:00052AA2 fneg fr6
ROM:00052AA4 mova h'52B50, r0
ROM:00052AA6 fmov.s @r0, fr5
ROM:00052AA8 jsr @r2 ; sub_BE5BC
ROM:00052AAA fldi0 fr4
ROM:00052AAC lds.l @r15+, pr
ROM:00052AAE rts
ROM:00052AB0 extu.b r0, r0
ROM:00052AB0 ; ---------------------------------------------------------------------------
_________________ 2011 Forester S Edition 5EAT~ Flex Fuel 2011 WRX 6MT ~ Flex Fuel
riksk
|
Post subject: Re: Another way to find SSM base from the ECU ID Posted: Tue Aug 10, 2021 1:28 am |
|
 |
| Experienced |
Joined: Sun Jun 28, 2020 6:25 am Posts: 242
|
Update; So I tried another ROM. A2WC522N, because this one I know the value I'm looking for is 0x4EDDC. So I can reverse-logic it for my other rom. Going for the same path, opening the rom, analyzing it, searching for the byte sequence.. I end up here.

Code:
ROM:000CD879 byte_CD879: .data.b h'A2 ; DATA XREF: ROM:off_4EC18↑o
ROM:000CD879 ; ROM:off_4ECF8↑o
ROM:000CD87A byte_CD87A: .data.b h'10 ; DATA XREF: ROM:0004EC1C↑o
ROM:000CD87A ; ROM:off_4ECF8↑o
ROM:000CD87B byte_CD87B: .data.b h'11 ; DATA XREF: ROM:0004EC20↑o
ROM:000CD87B ; ROM:off_4ECF8↑o
ROM:000CD87C ECU_ID_B1: .data.b h'2F ; DATA XREF: ROM:loc_48DB6↑o
ROM:000CD87C ; ROM:off_48F90↑o ...

Great, it has a XREF to 0x48DB6, let's follow it.

Code:
ROM:00048DB6
ROM:00048DB6 loc_48DB6: ; DATA XREF: ROM:off_4EDDC↓o
ROM:00048DB6 mov.l #ECU_ID_B1, r2
ROM:00048DB8 rts
ROM:00048DBA mov.b @r2, r0
ROM:00048DBC ; ---------------------------------------------------------------------------

From there I can already see my target value in the XREF "DATA XREF: ROM:off_4EDDC↓o". However in AZ1G800D, the first XREF from the ECUID Byte 1, points to 0x52A16. From there, I'm pretty much blind, since this time I have no more XREFs to follow.

Code:
ROM:00052A16 mov.l #ECU_ID_B1, r2
ROM:00052A18 rts
ROM:00052A1A mov.b @r2, r0
ROM:00052A1C ; ---------------------------------------------------------------------------
ROM:00052A1C
ROM:00052A1C loc_52A1C: ; DATA XREF: ROM:000595AC↓o
ROM:00052A1C mov.l #byte_D42C5, r2
ROM:00052A1E rts
ROM:00052A20 mov.b @r2, r0
ROM:00052A22 ; ---------------------------------------------------------------------------

Both ROMs were disassembled the same. It's weird that the only value around the routine that has no XREFs to follow gotta be the one I'm looking for, lol.
_________________ 2011 Forester S Edition 5EAT~ Flex Fuel 2011 WRX 6MT ~ Flex Fuel
riksk
|
Post subject: Re: Another way to find SSM base from the ECU ID Posted: Tue Aug 10, 2021 1:47 am |
|
 |
| Experienced |
Joined: Sun Jun 28, 2020 6:25 am Posts: 242
|
More progress I think... So I noticed on A2WC522N, that ECU_ID_B2, B3, B4 and B5 are very close to each other, in the same line... So I ditched B1 for a moment and followed B2 XREF which is 0x595AC. I noticed a very familiar address kinda glitchy in the code above that address.

Code:
ROM:000595A8 .data.b 0, 5
ROM:000595AA .data.w h'2A16
ROM:000595AC .data.l loc_52A1C, loc_52A22, loc_52A28, loc_52A2E, loc_52A04
ROM:000595AC .data.l loc_52A34, loc_52A3E, loc_52A54

See that "5" in one line, and 2A16 in the other line? Well that kinda completes to 52A16, which is my B1 XREF.... So I selected both lines, and Undefined it so it went back to raw data. Looks like this

Code:
ROM:000595A8 .data.b 0
ROM:000595A9 .data.b 5
ROM:000595AA .data.b h'2A ; *
ROM:000595AB .data.b h'16

Selected those 4 lines and chose to Analyze data again. Now looks like this

Code:
ROM:000595A8 .data.l loc_52A16

Well, Seems like I was right. Now 0x52A16 has a XREF to this address, let's go back there.

Code:
ROM:00052A16 ; ---------------------------------------------------------------------------
ROM:00052A16
ROM:00052A16 loc_52A16: ; DATA XREF: ROM:000595A8↓o
ROM:00052A16 mov.l #ECU_ID_B1, r2
ROM:00052A18 rts
ROM:00052A1A mov.b @r2, r0

Sure it does! So I guess AZ1G800D ECU SSM Base is 0x595A8?
_________________ 2011 Forester S Edition 5EAT~ Flex Fuel 2011 WRX 6MT ~ Flex Fuel
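The trace worked through in the posts above (marker bytes, ECU ID, the three-instruction stub that loads the ID address, then the table slot pointing at that stub) can also be done as a raw byte search, which does not depend on how IDA typed the data at the table. This is an added example, not code from the thread or from RomRaider; the function names are hypothetical, and it assumes the .bin is mapped at address 0 (file offset equals ROM address), that the ID starts 3 bytes after the marker as in the listings, and that the stub uses the SuperH encodings noted in the comments. The sample image and its values are constructed.

```python
import struct

# SuperH big-endian encoding of "rts" (0x000B) followed by "mov.b @r2, r0" (0x6020).
STUB_TAIL = bytes.fromhex("000b6020")

def find_all(rom, needle):
    """Return every offset at which needle occurs in rom."""
    hits, pos = [], rom.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = rom.find(needle, pos + 1)
    return hits

def stubs_loading(rom, target):
    """Offsets of 'mov.l @(disp,PC),r2 / rts / mov.b @r2,r0' whose literal is target."""
    hits = []
    for off in range(0, len(rom) - 5, 2):          # instructions are 2-byte aligned
        if rom[off] != 0xD2 or rom[off + 2:off + 6] != STUB_TAIL:
            continue
        lit = ((off + 4) & ~3) + rom[off + 1] * 4  # PC-relative literal pool slot
        if lit + 4 <= len(rom) and struct.unpack_from(">I", rom, lit)[0] == target:
            hits.append(off)
    return hits

def trace_ecu_id(rom, marker, id_offset=3, id_len=5):
    """Follow marker -> ECU ID -> loader stub -> aligned table slots holding the stub address."""
    found = []
    for m in find_all(rom, marker):
        id_addr = m + id_offset                    # assumption: ID follows 3 marker bytes
        for stub in stubs_loading(rom, id_addr):
            slots = [o for o in find_all(rom, struct.pack(">I", stub)) if o % 4 == 0]
            found.append({"ecu_id_addr": id_addr,
                          "ecu_id": rom[id_addr:id_addr + id_len].hex().upper(),
                          "stub": stub, "table_slots": slots})
    return found

def build_sample_rom():
    """Constructed 1 KiB image (not a real ROM), laid out like the listings in the thread."""
    rom = bytearray(b"\xff" * 0x400)
    rom[0x2C1:0x2C9] = bytes.fromhex("a210111122334455")  # marker + made-up 5-byte ID
    rom[0x116:0x11C] = bytes.fromhex("d20a000b6020")      # stub; its literal sits at 0x140
    rom[0x140:0x144] = struct.pack(">I", 0x2C4)           # literal pool: address of the ID
    rom[0x1A8:0x1AC] = struct.pack(">I", 0x116)           # table slot pointing at the stub
    return bytes(rom)

if __name__ == "__main__":
    for hit in trace_ecu_id(build_sample_rom(), bytes.fromhex("a21011")):
        print({k: (hex(v) if isinstance(v, int) else v) for k, v in hit.items()})
```

On a real image, pass the file's bytes and the marker that was searched for (`a310` or `a21011` in this thread); the reported table slot is the raw-byte equivalent of the `.data.l loc_52A16` entry recovered by hand above.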
dschultz
|
Post subject: Re: Another way to find SSM base from the ECU ID Posted: Tue Aug 10, 2021 11:28 am |
|
 |
| RomRaider Developer |
Joined: Thu May 21, 2009 1:49 am Posts: 7323 Location: Canada eh!
|
|
A logical analysis. So what do you see at 0x595A8, is it similar to A2WC522N?
riksk
|
Post subject: Re: Another way to find SSM base from the ECU ID Posted: Wed Aug 11, 2021 12:22 am |
|
 |
| Experienced |
Joined: Sun Jun 28, 2020 6:25 am Posts: 242
|
dschultz wrote:
A logical analysis. So what do you see at 0x595A8, is it similar to A2WC522N?

Yup, both have all 5 ECU ID Bytes in the data region.
_________________ 2011 Forester S Edition 5EAT~ Flex Fuel 2011 WRX 6MT ~ Flex Fuel
dschultz
|
Post subject: Re: Another way to find SSM base from the ECU ID Posted: Thu Aug 12, 2021 12:52 am |
|
 |
| RomRaider Developer |
Joined: Thu May 21, 2009 1:49 am Posts: 7323 Location: Canada eh!
|
|
At 0x595A8, I'd expect to see a list of jump addresses.