RomRaider

That would be awesome Dale, thanks.

I've spent a few hours trying to sort out the memory map.
I'm curious of a couple of things:
1) The CPU is for sure SAB 80C166W-M-T3 16bit microcontroller, -40˚C to +85˚C, 1 kByte RAM
2) No internal ROM only the external 256kB Flash
3) I believe the IDA cfg for the 80C166 is a bit off for the 80C166W, so I'm going to modify the config to correct what I found to be different.
4) There's an additional 8kB (0x2000) SRAM chip, does anyone have an idea what address range it's mapped to, it would be writable of course?
5) We already know there's an EEPROM
6) There's a dedicated CAN controller chip
7) There appears to be a dedicate flywheel detection chip too

If you attempt to use anything in IDA other than 80C166 you'll get a bunch of registers for peripherals that don't exist.

I'm a little confused by Intel's math regarding the 256kB Flash. Here's their memory map:By my calculations it should work out as:
16kB block: 0x0000 - 0x3FFF
8kB block: 0x4000 - 0x5FFF
8kB block: 0x6000 - 0x7FFF
96kB block: 0x8000 - 0x1FFFF
128kB block: 0x20000 - 0x3FFFF

Interesting that the first 16kB block is "protected".
BTW: address line A0 is connected to the CPU on its address line A1. The Flash address line A17 is connected to that square PAL chip near the outer corner of the PCB.

Oh never mind. In the diagram it states the address map is based on WORD addresses. And I was calculating the map using BYTE addresses.

So because the ECU can only address 256KB, the 8KB on the actual flash chip that corresponds to this 8KB SRAM ought to be 'blank' during a 'chip read' right? If so, we can take a chip read' and convert it to 'memory/logical read' and compare that to an actual memory dump.

I would expect so.

I came up with this memory map. Comments...?

Regarding the address space swaps, I believe that is correct. Maybe Alec can comment on the other stuff in detail.

The default c166 memory map that comes with IDA is not accurate for the MS41 memory layout.

In reference to the memory map posted above I created a custom c166.cfg file to replace the one that comes with IDA tailored for the MS41.
Save it in the "C:\Program Files (x86)\IDA 6.7\cfg\" folder.

Before you play, make a copy of your current .idb file so you can go back to what you had before.
Open your .mem file with IDA. Select Siemens c166 family as the processor. OK all the dialogues to open the ROM.
Once you have it open Load the script file to set the DPPs and format each segment.
Once you run the IDA script you should have a ROM that is >75% disassembled. A few functions need to be visited in the 0x20000 and 0x30000 segments. The ones with red prefix lines, you can go to the start of each red section and press 'p' to create a function. You will see more of the code gets disassembled and in ~10 minutes you can get it all disassembled.

You will need to go to the jump table ~0x2400 and convert the data to words and then set the appropriate offset (ctrl-R) to either 0x20000 or 0x30000 whichever references a sub_.

How the C166 deals with DPP Registers - http://www.hitex.com/fileadmin/img/down ... isters.pdf

Thank you for this. I loaded an MS41.2 and it seems like it works fine (to my very limited knowledge of IDA Pro).
I loaded MS41.1 and it's quite different in the way IDA Pro sets it up. There's a lot of "blue" area around 1A62 and after for a large chunk, while MS41.2 has none of that. I would have assumed they should be the same. That, or it's very likely that I don't know what I'm doing just yet.

Here's what it looked like for me:







Not sure what I'm supposed to do with this: "You will need to go to the jump table ~0x2400 and convert the data to words and then set the appropriate offset (ctrl-R) to either 0x20000 or 0x30000 whichever references a sub_." but I have a feeling this is relevant. Bear with me as I'm an MD in healthcare as a career, so it's not exactly second nature. I'm doing my best to learn in my spare time.

Did you run the IDA script on this yet?

The one you provided? Yes.

I loaded my dump (MS41.1), Selected Siemens c166, then selected your MS41 script. It then asked me to select the entry point, so I went to 20000h and pressed "C". Then Options - General - analysis tab - kernel options 1 - "make final analysis pass" - Reanalyze Program. The end result is above. Not too sure if it's correct or not.


Maybe I didn't do something right with "Disassembly Memory Organization"? I left the checkboxes and options as is and clicked ok. Maybe this is wrong.

Hmm, I'm not sure where that's coming from. Did you convert your flash read to a mem file with xbyte's Conversion Tool?

The process, I thought was simple.
Open ROM with IDA, select the c166 processor, accept all the default actions and when the ROM has been opened run the formatting script. Here's my result from scratch:
After that you can go exploring... For this you need to understand the CPU, the instruction set and how the code accesses linear memory (segmentation, pages and DPP etc.).
I'll post up a little tutorial on the last part.

The instructions are simple, misunderstanding on my part, since I was using things from previous instructions, and the pop up in IDA asking to set entry point. Getting there, slowly. I need a whole lot more work and research to get it all.

I don't recall ever seeing that popup.

I re-read through this whole thread again. forgot this.






You must be an advanced user... and have the checkbox to never remind you again.

I'm passing extremely carefully through this to try to make sense of something. I can see why holding our hand is needed. Maybe this is a bit more than I can chew, but I've learned many things up until now, so this isn't anything I won't eventually get.