Another way to find SSM base from the ECU ID

Merp · **Joined:** Thu Jul 23, 2009 5:46 pm **Posts:** 863

Pushed a new version that makes a second attempt with adjusted parameters (tested on E6PF101A). Also made it output a single file using 'makeall' when you select all three sets.

dschultz · **Posted:** Tue Mar 12, 2013 10:25 pm

A210 is specific only to certain ECUs as I described in the OP so it's not for everything.

Sasha_A80 · **Posted:** Wed Mar 13, 2013 3:21 am

ALL Denso ecu ROM involves A2 10 patterns.
There is a but.
The early ROMs do not have SSM lookup tables directly following A2 10.
Those table are located other place and could be routinely found thru the code analyzed.

Easty · **Posted:** Mon Sep 09, 2013 12:41 am

Has anyone got any tips on finding Ssmbase on an unknown rom, I'm currently trying to disassemble a Nissan Navara td rom image.

It uses sh7058, and i have successfully open the image in IDA and found many tables just need to find Ssmbase before I can start making sense of it all.

Easty

dschultz · **Posted:** Mon Sep 09, 2013 2:44 am

You might have more luck following the vectors from vbr base for the serial interrupt handlers to see where they lead. Have you confirmed there's an sequence returned for a command such as SSM get ECU init, considering this is not a Subaru ECU?

Jochen_145 · **Joined:** Wed Nov 10, 2010 11:56 am **Posts:** 418

I struggel a bit finding SSM-base on a Nissan ?
SSM is AFAIK Subaru spezific, so Nissan will use a nother protocol to communicate.

If not, the I can expact the same way in Mazda / Subaru / Nissan SH7058 based Denso ecus :?:

Table finding is not a problem. The table register is the same to Subaru / Mazda, so you can use ScoobyROM for this. Checksumm is Denso-32-bit-CS simular to Subaru Diesel ECU.

If you take a deeper look into the TD-Software, I am very curious about DTC handling:
I expact the same way on all Denso Renesas based Diesel-ECU, so if you are suggessful, we should take a look to the subaru diesel ECUs to.

btw.:
have you ever tryed to open the Subaru E4 diesel Rom parallel to Nissan.
I think there can be some parallels. The same to Mazda

Jochen

Easty · **Posted:** Tue Sep 10, 2013 1:03 am

Jochen_145 wrote:

I struggel a bit finding SSM-base on a Nissan ?
SSM is AFAIK Subaru spezific, so Nissan will use a nother protocol to communicate.Jochen

I think i may have found it? Unable to confirm as I haven't purchased the vehicle yet.

What can i do to check that Romraider data logging will work with this ECU?

Could it be as easy as logging ram addresses instead Ssm parameters?

I'm unfamiliar with communications protocol for ECU's so to be honest i have no idea what I'm looking for here, any suggestions would be appreciated.

Jochen_145 wrote:

Table finding is not a problem. The table register is the same to Subaru / Mazda, so you can use ScoobyROM for this. Checksumm is Denso-32-bit-CS simular to Subaru Diesel ECU.Jochen

I used the MakeTablePointers script to find all the Tables it was quiet easy.

Most of the tables in this rom have RPM vs 0-100 axis, 0-100 could be throttle opening or load as a %?

Jochen_145 wrote:

have you ever tryed to open the Subaru E4 diesel Rom parallel to Nissan.
I think there can be some parallels. The same to Mazda
Jochen

I noticed you have defined some diesel roms can you suggest one to compare it to?

Jochen_145 · **Joined:** Wed Nov 10, 2010 11:56 am **Posts:** 418

Easty wrote:

What can i do to check that Romraider data logging will work with this ECU?

If it is SSM, RomRaider-Logger will work, but I don´t expact.

Quote:

Could it be as easy as logging ram addresses instead Ssm parameters?

AFAIK also ram parameter logging uses the same protocoll, only other addresses.

Quote:

I used the MakeTablePointers script to find all the Tables it was quiet easy.

Most of the tables in this rom have RPM vs 0-100 axis, 0-100 could be throttle opening or load as a %?

This is the same way as ScoobyROM:
0-100 will be injection amout in mm³/h.
Diesel-ECU work according to injection amoud witch is at least simular to load.

Quote:

I noticed you have defined some diesel roms can you suggest one to compare it to?

All EURO4 Subaru Diesel ECU works with Renesas SH7058S control, so these are the dumps to compare:

I suggest this one : viewtopic.php?f=34&t=9034

Please attach your Nissan dump. I took a look in some with ScoobyROM and find a lot simularities in 2D and 3D mamps, but quite because of working at Subaru

Jochen

Easty · **Posted:** Tue Sep 10, 2013 8:37 pm

Thanks I probably should move the discussion to its own thread, I've attached a copy of the rom and a raw definition.

http://www.romraider.com/forum/viewtopic.php?f=25&t=9943

big_dims · **Joined:** Mon Sep 02, 2019 11:51 am **Posts:** 10

Hi all,

trying to get SSM base for 19 wrx.

Code:

ROM:0006EA55                 .data.b h'10
ROM:0006EA56                 .data.b h'A2
ROM:0006EA57                 .data.b h'68 ; h
ROM:0006EA58                 .data.b h'4F ; O
ROM:0006EA59                 .data.b h'26 ; &
ROM:0006EA5A                 .data.b h'7F ; 
ROM:0006EA5B                 .data.b h'10
ROM:0006EA5C                 .data.b h'A0
ROM:0006EA5D                 .data.b h'1D

A2 and 10 seem to be switched. Is this an endianness issue?

So it looks like I should follow the Xref for `h'68`, but there's no `DATA_XREF`. What am I missing here?

Best,
dima

big_dims · **Joined:** Mon Sep 02, 2019 11:51 am **Posts:** 10

Okay so I searched for A210 using "all occurrences" and did find it, but there's no

Code:

; DATA XREF: ROM:off_

next to it, I'm assuming bc I don't have the defs. Can I have a hint on finding the SSM base?

Here's the excerpt I'm looking at

Code:

ROM:0008D2F4                 .data.l h'613F2166, h'56D2A010, h'613F2166, h'55D2A210
ROM:0008D2F4                 .data.l h'613F2166, h'54D2A410, h'900A9A0, h'F8FF0000
ROM:0008D2F4                 .data.l h'F8FF54A0, h'F8FF56A0, h'F8FF58A0, h'F8FF5AA0
ROM:0008D2F4                 .data.l h'F8FF5CA0, h'F8FF5EA0, h'F8FF61A0, h'F8FF62A0
ROM:0008D2F4                 .data.l h'F8FF64A0, h'F8FF66A0, h'F8FF68A0, h'F8FF6AA0
ROM:0008D2F4                 .data.l h'F8FF6CA0, h'F8FF6FA0, h'F8FF70A0, h'F8FF72A0
ROM:0008D2F4                 .data.l h'F8FF74A0, h'F8FF77A0, h'F8FF16A0, h'F8FF18A0
ROM:0008D2F4                 .data.l h'F8FF1AA0, h'F8FF1DA0, h'F8FF78A0, h'F8FF7CA0
ROM:0008D2F4                 .data.l h'F8FF7AA0, h'F8FF7DA0, h'F8FF86A0, h'F8FF88A0
ROM:0008D2F4                 .data.l h'F8FF8AA0, h'F8FF8CA0, h'F8FF8EA0, h'F8FF90A0
ROM:0008D2F4                 .data.l h'F8FF92A0, h'F8FF94A0, h'F8FF96A0, h'F8FF98A0
ROM:0008D2F4                 .data.l h'F8FF9AA0, h'F8FF9CA0, h'F8FF9EA0, h'F8FFA0A0
ROM:0008D2F4                 .data.l h'F8FFA2A0, h'F8FFA4A0, h'F8FFA6A0, h'F8FFA8A0
ROM:0008D2F4                 .data.l h'F8FFAAA0, h'F8FFACA0, h'F8FFAEA0, h'F8FFB0A0
ROM:0008D2F4                 .data.l h'F8FFB2A0, h'F8FFB4A0, h'F8FFB6A0, h'F8FF5CA1
ROM:0008D2F4                 .data.l h'F8FF5DA1, h'F8FF5EA1, h'F8FF5FA1, h'F8FF60A1
ROM:0008D2F4                 .data.l h'F8FFBEA0, h'F8FFC0A0, h'F8FFC2A0, h'F8FFC4A0
ROM:0008D2F4                 .data.l h'F8FFC6A0, h'F8FFC8A0, h'F8FFC9A0, h'F8FFCAA0
ROM:0008D2F4                 .data.l h'F8FFCBA0, h'F8FFCCA0, h'F8FFCDA0, h'F8FFCEA0
ROM:0008D2F4                 .data.l h'F8FFCFA0, h'F8FFD0A0, h'F8FFD1A0, h'F8FFD2A0
ROM:0008D2F4                 .data.l h'F8FFD3A0, h'F8FFD4A0, h'F8FFD5A0, h'F8FFD6A0
ROM:0008D2F4                 .data.l h'F8FFD8A0, h'F8FFDAA0, h'F8FFDCA0, h'F8FFDEA0
ROM:0008D2F4                 .data.l h'F8FFE0A0, h'F8FFE2A0, h'F8FFE4A0, h'2166E6A0
ROM:0008D2F4                 .data.l h'A610613F, h'2166B0D2, h'A810613F, h'2166AFD2

big_dims · **Joined:** Mon Sep 02, 2019 11:51 am **Posts:** 10

I've got sections like

Code:

ROM:00188C24 ; ---------------------------------------------------------------------------
ROM:00188C24                 mov.b   r12, @-r12
ROM:00188C26                 mov.l   r8, @(r0,r6)
ROM:00188C28                 mov.b   r12, @r12
ROM:00188C2A                 mov.b   r12, @-r13
ROM:00188C2C                 mov.l   r8, @(r0,r7)
ROM:00188C2E                 mov     #ATUIII_TCRJ1_B, r5
ROM:00188C30                 mov.b   r12, @r13
ROM:00188C32                 mov.l   @(0,r6), r3
ROM:00188C32 ; ---------------------------------------------------------------------------

So it looks like params like ATUIII_TCRJ1_B are being found, but I'm not able to see where they're defined. What's the next step I can try?

dschultz · **Posted:** Thu Sep 12, 2019 11:12 pm

With this ECU it's a bit different so this guide will not apply 100% of the time.
For the 2015 WRX I started with, it used A310 followed by the engine-code byte then ECU ID bytes.

big_dims · **Joined:** Mon Sep 02, 2019 11:51 am **Posts:** 10

dschultz wrote:

With this ECU it's a bit different so this guide will not apply 100% of the time.
For the 2015 WRX I started with, it used A310 followed by the engine-code byte then ECU ID bytes.

Thanks for the response! I tried searching for A310 but didn't have any luck with that, I think. I've pasted the only two results, and neither has any mention of ecuid or ssm_id.

Attachment:

Capture.PNG

Is there a way to figure out where it could be without knowing the rough location? I tried searching for string but neither the ecuid nor the ssm_id had any results.

solidxsnake · **Joined:** Wed Jan 06, 2016 3:27 am **Posts:** 64

You need to search for bytes "A3 10", not "A310"... note the space separation between the bytes (those are in hex, so it's really one byte with value 0xA3, and one with value 0x10). Also, keep in mind, that there won't be any mention of "ssm_id" or "ecuid" or whatever, those are labels that are entered by you. IDA can't figure things like that out on its own; that's what disassembly is all about :wink:

RomRaider

Another way to find SSM base from the ECU ID

Who is online