RomRaider

Hello guys,

i don´t want to threadjack mrf´s thread about voltage compensation injector correction, so i thought i´d open a new thread.

As maybe a few already know, i´m dealing with the exact same problem like you, just i´m using MS43 and i´m really lucky to have a damos file. Nevertheless theres more then enough work to do and i´m currently stuck at disassembling.

I don´t know much about assembler, nor processor technology, but i´m working as hard as i can.

What i know:
MS43 uses C167CR-LM Processor which is supported by IDA. I know all of the important stuff is in the flash, no IROM file needed. I know its using a 29F400BB-55SI (512kb file) and i have dozens of them.

What i don´t know:
How do i find maps in IDA Pro?

Lets say we use the example of battery voltage compensation, at MS43 i have the axis description at 0x74288 (512kb) or at 0x4288 (64kb) when using just the map portion of the flash.

I know that axis description is used at different maps:



If i do a hex-search for either "88 42" or "42 88" i´ll get several links, but none of them is in the calibration file (0x7****), they are all located in the full flash file (<0x7000)

let me help you.
at address 74288h i can see 6 bytes axis table, not 8. all in your screenshot is 8.
can you give me your definitions file? i have MS43-V07b_(75181111)

Thanks for having a look

I´m sorry, i think i used Damos for MS430066 whereas you probably use the version for MS430056 (the original A2L file for MS43 available on the internet.

Lets stick with MS430056 as there is less conversion errors.

http://www12.zippyshare.com/v/VCVlXyNK/file.html
http://www12.zippyshare.com/v/Q9yS6Tt1/file.html

In case of MS430056, this is the correct position of the axis description:



So in Ols it looks like this:



lets pick a map where that axis is used:



Direct in front of that map is another map (with different axis and size) and the same goes for the map later.

I don´t see anything how siemens managed to referenced between map and axis

There could be a section of just axis and map descriptors somewhere else in the file that point to the beginning address of the map etc.

Something like: Use 0x**** at 0x****?

Shouldn´t one be able to find that in the disassembly?

I just don´t get my head around IDA. I bet it has something to do with this memory layout.

Bump. Id like to help with Ida. Is there any Ida for dummy guides?

Ive been told this:



Just don´t know what to do with that reset_handler.

It's more complicated than that. First off, the default memory map is not applicable for the MS43 configuration. IDA will only partially decode the first segment (64kB). And a copy of the Flash has to be converted to linear memory as the CPU would see it.

So you´re talking about doing similar to this?

download/file.php?id=23545&mode=view

Yes, which requires a custom cfg file for IDA.

Can you provide high res photos of the MS43 circuit board?

Shure, any special place? I have no problem doing a trace route, too

this is getting exciting!

Yes sir. Here are very high quality photographs of front and rear MS43 board with processor and eeprom removed:
http://s25.postimg.org/ns86hjlwt/Ms43board_front.jpg
http://s25.postimg.org/4oev1792l/Ms43board_back.jpg


I would like to add that I traced EWS anti theft signal from pin 33 on connector X60004 to processor pin number #79, which indicates P3.12/BHE/WRH, external memory high byte enable signal and write strobe.

Thanks. I have a memory map about 99% sorted out for use in IDA. I'll post it soon along with the required customized IDA files.

your awesome!