RomRaider

Search for the byte sequence A210. Following that sequence you'll find a byte matching the list at the end of this post (depending on engine type and size) then the five byte ECU ID, possibly a 00 or the start of the SSM init sequence indicating what the ECU supports.
Then just follow the cross references to the routines.

Can anyone else confirm this?
---
EDIT: An example, search for A210 (as I know this is from a 2.5L Turbo car)...
At the line which is the first byte of the ECU ID (0x6E in my example) follow the DATA XREF to the location that points to the ECU ID byte 1.

At the line which is the address of the first byte of the ECU ID follow the DATA XREF to the subroutine that fetches the ECU ID address.

Now you'll see a DATA XREF for the ECU ID byte 1 subroutine which points to a location in ROM which is a table of SSM subroutine addresses.

The ROM address right above the address that points to the subroutine that fetches the ECU ID byte 1 is the base of the SSM table.


EDIT: adding info about the third byte*, the one after A210. It should be one of these codes, such as 11 for 2.5L Turbo engine.
*Source.

Sometimes the ECU ID can be found after searching for A110. But the ROM layout is different than described above.

Nice. That works for my LGT's ROM, A2WC522N...

( [code] section removed, copy-paste from IDA just produced unreadable garbage)

The XREF from the first byte of the ECU id goes to the SSM handler for 'get ECU id.'
From that address, the XREF goes to the 0x4EDE0, and the SSM base is the previous dword, 0x4EDDC.

Works for my 2008 STI ROM, AZ1G201I (yes I know about the 202I reflash boost cut fix ) Address at 0xD62CC.

There were two other occurrences of the byte sequence A210 further up in the ROM, the ECU ID was the third.

Out of curiosity, how do you do a crossreference check/search? I tried highlighting the address and selecting, "Jump to crossreference", from the "Jump" menu, but no crossreferences were found. I was able to do a byte sequence search for D62CC, which turned up two references. The first reference contained D62CC, D62CD, ..., D62D0, which seems to be an array of address pointers pointing to each byte of the ECU ID.

The second reference was contained in what appears to be an array of address pointers starting at D62C9 to D6330, followed by D62C9 to D62CB. This seems too sequential to be a random occurrence. What are these addresses pointing to?

It sounds like you have not run the analysis pass on your ROM, or when you did, IDA didn't have enough information to start from. There's some more info about that in this thread:

viewtopic.php?f=25&t=2864

I've just started working on a how-to that should put the important steps in one place.

Can't wait to read it.

32 bit DBW JDM ECUID 2A 04 44 63 05

ROM:0002B3FC ; ---------------------------------------------------------------------------
ROM:0002B3FC
ROM:0002B3FC SSM_READ_@000: ; DATA XREF: ROM:SSM_LUT_READ
ROM:0002B3FC mov.w @(h'16,pc), r3 ; [0002B416] = h'FFFFAF2A
ROM:0002B3FE rts
ROM:0002B400 mov.b @r3, r0
ROM:0002B402 ; ---------------------------------------------------------------------------
ROM:0002B402
ROM:0002B402 SSM_READ_ID00: ; DATA XREF: ROM:00037CB4
ROM:0002B402 mov.l @(h'54,pc), r2 ; [0002B458] = unk_60114 ; / h'2A
ROM:0002B404 rts
ROM:0002B406 mov.b @r2, r0
ROM:0002B408 ; ---------------------------------------------------------------------------
ROM:0002B408
ROM:0002B408 SSM_READ_ID01: ; DATA XREF: ROM:00037CB8
ROM:0002B408 mov.l @(h'50,pc), r3 ; [0002B45C] = unk_60115 ; / h'04 - first ECUID byte JDM
ROM:0002B40A rts
ROM:0002B40C mov.b @r3, r0

------------------------------------------------------------

ROM:00060111 unk_60111: .data.b h'A2 ; â ; DATA XREF: ROM:off_3887C
ROM:00060111 ; ROM:off_3895Co
ROM:00060112 .data.b h'10
ROM:00060113 .data.b h'F
ROM:00060114 unk_60114: .data.b h'2A ; * ; DATA XREF: ROM:off_2B458
ROM:00060115 unk_60115: .data.b 4 ; DATA XREF: ROM:off_2B45C
ROM:00060116 unk_60116: .data.b h'44 ; D ; DATA XREF: ROM:off_2B6D0
ROM:00060117 unk_60117: .data.b h'63 ; c ; DATA XREF: ROM:off_2B6D4
ROM:00060118 unk_60118: .data.b 5 ; DATA XREF: ROM:off_2B6D8

Hi guys,

I'm stuck with this step now

So I find the following:



I right click on "DATA XREF: ROM:000527EA" and click jump to cross reference.

I see three options - they each take me somewhere different.

I click the first option, and I get this:



Thats different to what I see in your example above, dschultz ? Am I doing something wrong ?

Now if you follow the xref from that subroutine, you will get to the SSM Table. One more step.

SharpTune (patching GUI/CLI app) now has a GUI interface for XmlToIdc with SSM base detection. It uses pattern searching and so far has found the correct addresses on several different markets/years/makes of cars. Please report a bug @ github if you find one that does not work!

https://github.com/Merp/SharpTune

I can already give you some candidates - the odd early 32 bit roms with the truncated knock control logic. SSM pattern will not match A210.

Here's one:

FileName: 2004 Legacy(2).hex
xmlid: E6PF101A
internalidaddress: 2000
internalidstring: E6PF101A
ecuid: 3722047206
year: 04
market: USDM

And the reason:

I've used it on some early roms, but I believe they all had the A210 tag.

This routine uses the unique patterns involved in the routines that fetch the ecuid and their arrangement after the SSM base, so unless that is altered as well it should work.

Nothing would surprise me with these roms - they're a pain in the arse to disassemble, quite different in a number of ways.

It definitely did not work on the one above - that's the output from Sharptune - did not automatically find the SSM Base.

I expect you will find the same with E2VG211E.

And this one: E2WD200C

These three are the only oddities I've come across to date.

Thanks, I'll have a look