FAQFAQ SearchSearch MemberlistMemberlist UsergroupsUsergroups RegisterRegister
ProfileProfile Log in to check your private messagesLog in to check your private messages Log inLog in

 
Has anyone on here disassembled the 413 code?

 
Post new topic   Reply to topic    TunerPro User Forum Forum Index -> Bosch
 
Hairyscreech



Joined: 20 Jun 2017
Posts: 157

PostPosted: Mon Sep 18, 2017 6:32 am    Post subject: Has anyone on here disassembled the 413 code? Reply with quote

I have been trying for a while to get a good disassembly of the code from the 413 ECU with mixed results.

Biggest issue I am finding is that the code seems to reference the zero register a lot and IDA is not liking it. IDA treats the zero register as always zero making a lot of the code meaningless.

Has anyone here done a full disassembly and if so any pointers?
Back to top
View user's profile Send private message
 

 
olafu



Joined: 26 Jul 2016
Posts: 101
Location: Finland

PostPosted: Mon Sep 18, 2017 11:05 am    Post subject: Reply with quote

My assembly or any other programming skills are about zero, but i was thinked many times, how powerful tool some kind counter can be, which is counting how many times ecu reads some rom addresses when using an emulator. If those counter values can be align on to the ROM dump in hex editor, coloring cells or something like that, it can be helpful to understand where to find some program parts to partially disassemble them. Maybe by manually, without specific disassembler.

Address sequence recording is other interesting thing. It would be feature, which you can set the recorder triggered from specific address hit to record certain number of ROM addresses after that.

EDIT: Actually that hit counter utility seems to be found at TunerPro.
Back to top
View user's profile Send private message
 

 
olafu



Joined: 26 Jul 2016
Posts: 101
Location: Finland

PostPosted: Wed Sep 27, 2017 7:50 am    Post subject: Reply with quote

I tried that with 413/623 dme, tracing area was set from E680 to E7AF and fitted to match with "Map address table". It ends on E7AA, but i thik it's better to see like this.

That seems to indicate quite clearly what maps are in use or not in use...
Picture below is edited with Paint to fit that map address table on to the trace table.

http://ibb.co/jFUEjQ

I think there is not enough bandwidth in RS232 to get real time address data to PC, but this helps to get a grip from rarely readed maps, which is use in only when happens something abnormal, like knock detected or something fault is detected.


Last edited by olafu on Wed Sep 27, 2017 9:10 am; edited 3 times in total
Back to top
View user's profile Send private message
 

 
Evil



Joined: 18 Jul 2017
Posts: 121
Location: France

PostPosted: Wed Sep 27, 2017 8:12 am    Post subject: Reply with quote

Very interesting!
Which utility did you use ?
Back to top
View user's profile Send private message
 

 
olafu



Joined: 26 Jul 2016
Posts: 101
Location: Finland

PostPosted: Wed Sep 27, 2017 8:15 am    Post subject: Reply with quote

Tools -> Hardware utility -> Address watch utility. ( CTRL- W ) in TunerPro.
Back to top
View user's profile Send private message
 

 
Evil



Joined: 18 Jul 2017
Posts: 121
Location: France

PostPosted: Wed Sep 27, 2017 8:25 am    Post subject: Reply with quote

Thanks!
Very Happy
Back to top
View user's profile Send private message
 

 
olafu



Joined: 26 Jul 2016
Posts: 101
Location: Finland

PostPosted: Wed Sep 27, 2017 8:32 am    Post subject: Reply with quote

Like that: http://ibb.co/kWeddk

It draws almost immediatelly graph look like this. Then it's colors partly other 16 bit cells, but if either byte of 16 bit address is read, i think it means whole address it is read at least once.
Back to top
View user's profile Send private message
 

 
olafu



Joined: 26 Jul 2016
Posts: 101
Location: Finland

PostPosted: Sat Sep 30, 2017 3:22 am    Post subject: Reply with quote

Tried to catch running parts of software/bin with that. Seems to fit with IDA output... Smile
Back to top
View user's profile Send private message
 

 
biela



Joined: 22 Jul 2014
Posts: 27

PostPosted: Wed Oct 31, 2018 1:28 am    Post subject: Reply with quote

Hello

Can you post a simple function explained?
Like table/map look up calls.

Thanks
Back to top
View user's profile Send private message
 

Display posts from previous:   
View previous topic :: View next topic  
Post new topic   Reply to topic    TunerPro User Forum Forum Index -> Bosch All times are GMT - 9 Hours
 
Page 1 of 1
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
 


Powered by phpBB © 2001, 2002 phpBB Group
RedSquare theme 1.0.3 © DoubleJ(Jan Jaap)