my method for HEX disassembly, your thoughts


ninjadaniel
26-08-2010, 09:16 AM
Below is a copy/paste of an email I wrote to a gent wanting a bit of help with disassembly; please excuse grammatical and general noob errors, and PLEASE don't take my word as gospel! Constructive criticism is more than welcome.

---------------------------------------------------------------------

Attached is my XML file with a lot of unknown stuff in it; perhaps somebody can shed some light? I was going to get a dyno tuning friend to take a look and see if he can identify what some of the values could be.

Now I'll try to get you up to speed. I'm not an expert, and I only first laid eyes on HEX two weeks ago.

The ECU ROM file is made up of HEX values, 16 in each line, thousands of lines long. As you may already know, hex is a way of counting to 16 using 0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f.

So each hex value has a corresponding decimal value which the ECU understands by use of "scalers". For example, the number "80" in HEX means 128 when converted to binary. You will find this number in a lot of places throughout the hex code; however, it's the PATTERN in which it is used that is obvious.

To identify these patterns I worked backwards. As all the scales for Mitsubishi cars are the same, I created an Excel spreadsheet which converts HEX to decimal and then applies the scale to it. You will see I have given you two examples, the AFR scale and RPM (RPM is more complicated and I'll get to that).

uint8 type scaler: it uses a single hex address for a single value. In the case of 80 being equal to 128, run that through the AFR scale of "x / 14.7*128" and you get 14.7. Enough of these and you have yourself a fuel table!

To identify less obvious trends you will have to attempt each "scaler" and see what you find. Be aware that at the start and end of each area of values you will see numbers that don't belong; for instance you may find 240 0 0 80 80 80 80 80 240.

uint16 type scalers require TWO hex addresses for a single value. In the case of RPM, a 04 04 will = 7296. This is accomplished by taking the first number and multiplying it by 256, then adding the result to the second number, so 4 x 256 + 4 = 1028. And in the case of the RPM scale, you will put it into this equation, 7500000/x; with x being 1028 you get 7296, which is our rev limit. The spreadsheet example has this incorporated; be aware that the last column points to the first column the next line down (look at my sums at the top).

These types of scalers are often hard to identify as they are very similar to one of the load scales. You have to identify each of the ranges you find and determine which scale to use based on the results. An example would be finding that ranges of RPM under 500 are likely not RPM and more likely something else (our cars have no need to run at lower than 500 RPM).

Layout of the HEX file is simple. Once you get rid of the subroutines like I have (subroutines being the brains of the ECU, explaining what addresses have which effect on which output etc.), you will notice that the beginning has singular addresses like RPM and speed limit, the middle has lots of tables and other values, and the very end will have all the scales against which to compare your tables and ranges. An example would be that you may find the values for the fuel table in the middle and the LOAD and RPM parts of the table at the end of the hex file.


The only way I currently know how to identify which scales are for which tables is counting how many values and cross-referencing them with how many columns/rows are in the table. Once I learn more about subroutines I can do this much better.

To view my spreadsheet you will need to go Tools -> Add-ins -> Analysis Pack in Excel. You will notice I have applied "conditional formatting" to highlight the values I am looking for depending on the scale; for AFR I have highlighted all values between 7.4 and 14.7. More difficult things to work out would be temperature, as the scale is a very simple "x - 40"; consequently this gives us a lot of numbers to work with.

Anyways, that's all for now. I am not an expert on code and, like I said, I only started reverse engineering ROMs 2 weeks ago (started with one from my girlfriend's Pajero IO with great success).

I am sure there are other ways to do it but this method has made sense to me.

http://rapidshare.com/files/413212972/VR4_Disassembly_Example1.xls

If somebody could host this file here that would be great
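The decoding steps the post describes (uint8 and uint16 "scalers", and the conditional-formatting scan for plausible runs), written up as a small script. This is an added example, not the post's spreadsheet or any tool's code; the ROM bytes are constructed from the post's own numbers, the RPM and temperature scales follow the post, and the AFR scale is taken as 14.7*128/x, an assumption chosen because it reproduces the post's example of 80 hex giving 14.7.

```python
"""Decode ECU ROM bytes with uint8 / uint16 scalers and scan for table runs."""

# Constructed ROM fragment (not from a real ECU image):
#   bytes 0-1   : uint16 rev limit, the post's "04 04"
#   bytes 2-10  : the post's "240 0 0 80 80 80 80 80 240" run
#   bytes 11-13 : three temperature cells, 10 / 30 / 50 degC after x - 40
ROM = bytes.fromhex("04 04  f0 00 00 80 80 80 80 80 f0  32 46 5a")


def afr_from_u8(x):
    return 14.7 * 128 / x          # assumed AFR scale: 0x80 (128) -> 14.7


def temp_from_u8(x):
    return x - 40                  # post's temperature scale: 0x32 (50) -> 10


def rpm_from_u16(x):
    return 7500000 / x             # post's RPM scale: 1028 -> 7295.7 (7296)


def read_u16_be(rom, offset):
    """Two bytes make one value: first byte * 256 + second byte."""
    return rom[offset] * 256 + rom[offset + 1]


def rev_limit_rpm(rom, offset=0):
    return round(rpm_from_u16(read_u16_be(rom, offset)))


def find_runs(rom, scale, lo, hi, min_len=3):
    """(offset, length) of runs of consecutive bytes whose scaled value lies
    in [lo, hi]: the spreadsheet's conditional formatting, automated."""
    runs, start = [], None
    for i, b in enumerate(rom):
        try:
            inside = lo <= scale(b) <= hi
        except ZeroDivisionError:           # 0x00 under a divide-by-x scale
            inside = False
        if inside and start is None:
            start = i
        elif not inside and start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(rom) - start >= min_len:
        runs.append((start, len(rom) - start))   # run reaching end of ROM
    return runs


if __name__ == "__main__":
    print("rev limit:", rev_limit_rpm(ROM), "rpm")
    # AFR 7.4..14.7 reports the five 0x80 cells plus the trailing 0xF0, which
    # also scales into range: the post's "numbers that don't belong" at edges.
    print("AFR runs:", find_runs(ROM, afr_from_u8, 7.4, 14.7))
    print("temp runs 0..60 degC:", find_runs(ROM, temp_from_u8, 0, 60))
```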