SAD 806x Disassembler

Disassembly, Programming, Coding, Assembly, Binary information and all hacking discussions belong here.

Re: SAD 806x Disassembler

by Pym » Wed Mar 28, 2018 3:33 pm

decipha wrote:the vid block is pretty useless for disassembly, what info do u need about the vid block?

For disassembly, it allows decoded values to be shown at the related places, but the main thing is to get all the information on the related binary in one click, before disassembling.
An example of the text output header:
Code:
║                   Binary File :                                   S6x file :                                         ║
║                   EECV MLF 4G7 USES KHAI8AU 0 3FFFF.bin    EECV MLF 4G7 USES KHAI8AU 0 3FFFF.s6x                     ║
║                             262144 (40000) bytes                                                                     ║
║                               KHAI8(AU) Strategy                             Part Number 98BBAAE                     ║
║                                      VIN XK89772                                         PATS 00                     ║
║                                     Rev/Mile 853                                       Rt Axle 1                     ║
║                                      VID Enabled                                                                     ║

and the related code:
Code:
Strategy:
9 ff06: 4b,48,41,49,38,41,55                           
KHAI8AU

9 ff0d: 2e,48,45,58,2a,ff                             Unknown Operation/Structure

PATS Code:
9 ff13: 00                                             
00

Part Number:
9 ff14: 39,38,42,42,41,41,45                           
98BBAAE

9 ff1b: 2a,ff,01,cc,46,35,e2,1f                       Unknown Operation/Structure
9 ff23: 2a,1a,4d,e6,f8,be,9e,01                       Unknown Operation/Structure

9 ff2b -> ff62                     fill               ff

Copyright:
9 ff63: 43,6f,70,79,72,69,67,68,74,20,46,6f,72,64,20,4d,6f,74,6f,72,20,43,6f,2e,20,31,39,39,38
Copyright Ford Motor Co. 1998

VIN Code:
9 ff80: 58,4b,38,39,37,37,32,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
XK89772

9 ff91: ff,ff,ff,ff                                   Unknown Operation/Structure

9 ff95: 2a                      1                     VID Block Enabled

9 ff96: 30,52,30,ff                                   Unknown Operation/Structure

9 ff9a: 55,03                 355                     Tyre Revolutions per Mile
9 ff9c: 00,04                   1                     Rear End Gear Ratio

9 ff9e -> fffb                     fill               ff

9 fffc: 89,2f,ff,91                                   Unknown Operation/Structure


Disassembly would be better with everything identified, and I have a huge doubt about the PATS Code size (1 byte), which is often at 0.
Pym
Hacker
 
Posts: 139
Joined: Sat Mar 04, 2017 4:29 am
Name: Pierre-Yves
Vehicle Information: Ford(EU) 91 Fiesta RS Turbo / EEC IV VM120 0FAB
TunerPro on Moates chips
Vehicle 2 Information: Ford(EU) 97 Puma 1.7 VCT / EEC V LP2-110 MUFF AXPDCB4
Vehicle 3 Information: Ford(EU) 97 Mondeo V / EEC V MLP-427 REED ATAFHE3
Additional Vehicles: Ford(EU) 91 Fiesta XR2i / EEC IV SD111 1AFA
Ford(EU) 98 Cougar V6 / EEC V ?
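
The field offsets from the listing in the post above, as a small decoder (an added example, not part of the post and not SAD806x code). It takes the 256 bytes from ff00 to ffff of bank 9; the sample is constructed from the bytes printed in the listing, the 1/1024 axle scaling and the treatment of 0xffff as erased are assumptions, and the disputed PATS byte is left out.

```python
import struct

BASE = 0xFF00          # address of the first byte of the 256-byte window
TEXT_FIELDS = {        # name: (address, length), as printed in the listing
    "strategy": (0xFF06, 7),
    "part_number": (0xFF14, 7),
    "copyright": (0xFF63, 29),
    "vin": (0xFF80, 17),
}
VID_ENABLED = 0xFF95   # listing decodes 0x2a here as "VID Block Enabled"
REV_PER_MILE = 0xFF9A  # little-endian word: 55,03 -> 0x355 = 853
AXLE_RATIO = 0xFF9C    # little-endian word: 00,04 -> 1
AXLE_SCALE = 1024      # assumption, inferred from 0x0400 being shown as 1


def _text(window, addr, length):
    """ASCII field, cut at the first 0xff fill byte."""
    raw = window[addr - BASE:addr - BASE + length].split(b"\xff", 1)[0]
    if any(b < 0x20 or b > 0x7E for b in raw):
        raise ValueError(f"non-printable byte in field at {addr:#x}")
    return raw.decode("ascii")


def _word(window, addr):
    (value,) = struct.unpack_from("<H", window, addr - BASE)
    return None if value == 0xFFFF else value  # assumption: 0xffff = erased


def parse_vid_block(window):
    if len(window) != 0x100:
        raise ValueError("expected the 256 bytes from 0xff00 to 0xffff")
    info = {name: _text(window, a, n) for name, (a, n) in TEXT_FIELDS.items()}
    info["vid_enabled"] = window[VID_ENABLED - BASE] == 0x2A
    info["rev_per_mile"] = _word(window, REV_PER_MILE)
    ratio = _word(window, AXLE_RATIO)
    info["axle_ratio"] = None if ratio is None else ratio / AXLE_SCALE
    return info


def sample_window():
    """Constructed sample: 0xff fill plus the bytes printed in the listing."""
    window = bytearray(b"\xff" * 0x100)
    for addr, data in [(0xFF06, b"KHAI8AU"), (0xFF14, b"98BBAAE"),
                       (0xFF63, b"Copyright Ford Motor Co. 1998"),
                       (0xFF80, b"XK89772"), (0xFF95, b"\x2a"),
                       (0xFF9A, b"\x55\x03"), (0xFF9C, b"\x00\x04")]:
        window[addr - BASE:addr - BASE + len(data)] = data
    return bytes(window)


if __name__ == "__main__":
    for key, value in parse_vid_block(sample_window()).items():
        print(f"{key:13} {value}")
```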

Re: SAD 806x Disassembler

by decipha » Wed Mar 28, 2018 10:00 pm

the vid block is useless and doesn't help disassembly in any way

the pats code is always 26 bytes, except for pats type e iirc, which is 13 bytes static with identifier off chip

i don't see how any of that will be helpful
decipha
Tooner
 
Posts: 14022
Joined: Mon Jul 15, 2013 5:29 pm
Location: New Orleans, LA
Name: Michael Ponthieux
Vehicle Information: Supercoupin' x10
90 (4x 5spds) - Dante, Ruby, Daja, Ava
91 4r70w - Skarlett
92 (2x) 5spd & auto - Bianqa, Andrea
93 auto - Danika
94 5spd Rionda
95 auto Aisha
Vehicle 2 Information: Others:
00 Lincoln LS - Luanda
98 Camaro SS - Bounquisha
02 Harley F-150 - Sasasha
03 Marauder - DyShyKy
00 Explorer 5L - Bernyce

Re: SAD 806x Disassembler

by Pym » Thu Mar 29, 2018 12:06 am

This is what I was thinking: the PATS code identification is totally wrong.
It is not at ff13 on 1 byte; the only place I see is ff1d to ff36.

I was talking some months ago about Moates F3 vs F3v2 chips hiding the VID block or not.
In the case where we want to force the VID block in chips (especially when changing ECU), we need to know what it contains, especially for PATS.
Some strategies have PATS learning activated and it can be done simply through OBD; this is the case for KHAI8.
But others do not and require a specific Ford interface to do it; it is in this case that F3V2 without VID Block hiding is useful, with a well duplicated VID Block.

Re: SAD 806x Disassembler

by rocks08 » Wed Apr 04, 2018 9:42 am

Hi Pym nice job

if i read the bin with a kess, your sad800x can disassemble it?
rocks08
General Poster
 
Posts: 4
Joined: Mon Jul 31, 2017 2:24 pm
Name: Anthony
Vehicle Information: ford puma 1.7 eecv DUDE

Re: SAD 806x Disassembler

by Pym » Wed Apr 04, 2018 11:30 pm

rocks08 wrote:if i read the bin with a kess, your sad800x can disassemble it?

Yes it should, but the main thing is to make a Kess work properly. If you are able to read/write binaries with your Kess, please just give me its reference, I am interested.
Personally, for the Puma ECU I use Moates tools, and your ECU should use an AXPDA or AXPDC strategy, which is well disassembled.

Re: SAD 806x Disassembler

by rocks08 » Thu Apr 05, 2018 1:20 am

yes, it works properly; with it I can read and write without problem
it's a kess v2 hw: 4.036 & sw: 2.12 or 2.32 working

it's mine with just the rev limit change:
WinOLS (Ford puma (ford puma anthony rev limit 7100) - ).bin


and that file is the frp puma map found on the web and read with kess
frp puma map internet.bin


my ecm is a DUDE and I can write the frp map on it with the kess

but for me it is not good chiptuning; I prefer to understand how the ecm works for better tuning.

Re: SAD 806x Disassembler

by Pym » Thu Apr 05, 2018 4:09 am

I should try this Kess too, not so easy to find the right tool for cars before 2000.

I use FRP binary on my Puma, which works really well, nothing changes under 4000rpm, but over it is a different car.
It seems to be the best thing for this car, even if changes are not really big, but well done.
Yes MAF transfer function should give leaner results, but MAF is probably not the same part, I have not checked.
You can open a topic on it on Ford Euro & Aussie Tuning if you want.

Re: SAD 806x Disassembler

by rocks08 » Thu Apr 05, 2018 4:46 am

For me the kess with this version is the best; it works fine with obd on a lot of cars.
Frp works fine, but I use e85 with a modified fuel pressure regulator.
I want to bring the pressure down and the injection timing up.

I have tried sad800x 1.2 and can't find the function (16 for other cars) for the MAF. I will open a topic later; I will continue searching a little before.

Re: SAD 806x Disassembler

by ranga83 » Thu Apr 05, 2018 6:09 am

thanks PYM, the new version seems to work ok with the 4TAD, it misses some code, but a tweak to the .dir should sort that out.
I think I've found a bug tho, when I click on "text output" the program crashes. it does however save the .txt
ranga83
Power Poster
 
Posts: 237
Joined: Sat May 24, 2014 10:40 pm
Location: melbourne, victoria, australia
Name: kendall
Vehicle Information: 1996 EF Falcon 4.0 inline 6, 4TAD ecu, tunerpro, and moates q/h

Re: SAD 806x Disassembler

by Pym » Thu Apr 05, 2018 6:15 am

rocks08 wrote:I have tried sad800x 1.2 and can't find the function (16 for other cars) for the MAF. I will open a topic later; I will continue searching a little before.

Yes, this is normal; on AXPD* the MAF transfer function is not used through a word function routine, but is used like a structure.
SAD806x detects its start as a structure, but structures are not automatically identified for now.
So you have 2 choices (address is 1 2154):
- Update the detected Structure like this (Structure = "Word:2" or "Word,Word" and Number = 30), but you will not be able to scale values.
- Create a 30-row Word function at the related address.

Re: SAD 806x Disassembler

by jsa » Fri Apr 06, 2018 5:07 pm

Pym wrote:- Advanced routine and signatures added


To help understand how to fill in signature details, do you have an s6x with signatures you could share, please?
Cheers
John
jsa
Power Poster
 
Posts: 332
Joined: Thu Jan 16, 2014 1:44 am
Location: In the shed or On the Computer, 'straya
Name: John
Vehicle Information: Escort RS Cosworth
EEC-IV GHAJ0 ANTI or COSY

Re: SAD 806x Disassembler

by Pym » Sat Apr 07, 2018 1:59 am

jsa wrote:To help understand how to fill in signature details, do you have an s6x with signatures you could share, please?

No, I have not started to prepare a good Signature S6x, I have just done tests with specific routines.
The principle will probably be to have S6x Signature files for each period.
To begin, just use the option "Copy (signature)" on a detected routine, then paste it to create a signature; it will create the related Signature, with the code at the beginning of the routine.
After this, remove code that is 100% specific to your strategy and replace the parts that are address or register related with "." or with #38#,... if you want to reuse them in advanced properties.

I will try to provide you some good samples.

Re: SAD 806x Disassembler

by jsa » Sat Apr 07, 2018 6:45 am

Thanks I will have a go at copy and paste.
Cheers
John

Re: SAD 806x Disassembler

by Pym » Tue Apr 10, 2018 2:45 am

jsa wrote:Thanks I will have a go at copy and paste.

I will give you a first example on ANTI:
One routine starts like this and I want to force it as an Unsigned Table Routine, for better recognition, with fixed Cols & Rows input registers and a fixed Columns number:
Code:
8 2654: f8                   clc                      CY = 0;             
8 2655: af,72,b4,30          ldzbw R30,[R72+b4]       R30 = (uns)[534];   
8 2659: af,72,b5,32          ldzbw R32,[R72+b5]       R32 = (uns)[535];   
8 265d: ad,06,34             ldzbw R34,6              R34 = (uns)6;       
8 2660: db,03                jc    2665               if (CY == 1) goto 2665;
8 2662: e7,3c,52             jump  78a1               goto UTabLU;         
8 2665: e7,36,52             jump  789e               goto STabLU;


The signature definition and the resulting Routine are in the attachment.

Parameters (#XX#) should always be distinct and XX should always be a decimal number (00 => 99). I have used #73# in the example to prevent having duplicated parameters.
If the parameter is a RBase or RConst (R72 in this case) to be added, parameter reuse should start with #72#+#XX#; #XX#+#72# will just add the 2 values XX+72.
Fields of type Register / Address can contain a dot, to separate the Register from an Address.

On the resulting Routine, I have R30.[534] for the Columns input register / address. R30 is just for information, but [534] will be reused to detect an existing scaling function and would not be detected inside a table routine, if not set.

If you try this signature on the ANTI binary, you will see that a mistake will be created on some Table signs.
This is normal because the routine is now recognized as an unsigned table routine; the previous routine with CY=1 (or any code) calling it, which is for signed tables, is badly affected.
To manage it, you have 2 possibilities: update the previous routine to force it as a signed routine, or create another signature like this one for the previous routine, but signed in this case.

Yes, it is not so simple, but it permits to manage everything.

New examples will come.

Re: SAD 806x Disassembler

by jsa » Tue Apr 10, 2018 3:13 am

Thanks Pym, I will have a play with that.

I have not had a chance to try C & P yet.

You said you had tested, would it be worthwhile to put the test s6x files here?
At least it would populate the fields on the various tabs, but of course the results may be um, 'interesting'.
Cheers
John

Re: SAD 806x Disassembler

by Pym » Wed Apr 18, 2018 1:55 pm

Another, simpler example, for the Mass Air Flow transfer curve signature. Nothing advanced, just for naming the routine.
It should work well on modern EEC V binaries.
Code:
af,..,..,..
08,01,..
b1,01,..
*
b0,15
*
fa
b0,19,..
b0,17,..
b0,15,..
fb


If you have understood how it works, you should be able to complete signature to use 2 Parameters to find MAF transfer function address (if address is not encoded).
These parameters can be reused to create an "Internal Function" (Word with 30 rows) to generate automatically MAF transfer function, if it was not already detected.

Please find attached a real 1.2 version, which is really working on multi banks for signatures.
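
The signature syntax from the two posts above (".." for a variable byte, distinct "#XX#" parameters, "*" lines), written out as a small matcher. This is an added example, not SAD806x's code: reading "*" as a gap of up to MAX_GAP bytes is an assumption, and TABLE_SIG and MAF_SAMPLE are constructed here rather than taken from the attachments.

```python
import re

MAX_GAP = 64  # assumption: most bytes a "*" line may skip; the thread does not say

# The MAF signature from the post above, one signature line per space-separated item.
MAF_SIG = "af,..,..,.. 08,01,.. b1,01,.. * b0,15 * fa b0,19,.. b0,17,.. b0,15,.. fb"
# Constructed for this example (not the attached signature): parameters placed
# on the start of the ANTI routine listed at 8 2654.
TABLE_SIG = "f8 af,#72#,#01#,.. af,..,#02#,.. ad,#03#,.. db,03"


def compile_signature(text):
    """Turn signature text into a bytes regex: '..' = any byte, '*' = gap,
    '#NN#' = any byte, captured as parameter NN."""
    parts, seen = [], set()
    for line in text.split():
        if line == "*":
            parts.append(b".{0,%d}?" % MAX_GAP)
            continue
        for tok in line.split(","):
            param = re.fullmatch(r"#(\d\d)#", tok)
            if tok in (".", ".."):
                parts.append(b".")
            elif param:
                if param[1] in seen:  # the post: parameters must be distinct
                    raise ValueError(f"duplicate parameter #{param[1]}#")
                seen.add(param[1])
                parts.append(b"(?P<p%s>.)" % param[1].encode())
            elif re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                parts.append(re.escape(bytes.fromhex(tok)))
            else:
                raise ValueError(f"bad signature token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def find_signature(signature, data, base=0):
    """Return [(address, {param: byte value})] for every match in data."""
    return [(base + m.start(), {k[1:]: v[0] for k, v in m.groupdict().items()})
            for m in compile_signature(signature).finditer(data)]


# Bytes of the routine listed at 8 2654 in the thread.
ANTI_ROUTINE = bytes.fromhex("f8af72b430af72b532ad0634db03e73c52e73652")
# Constructed bytes shaped to fit the MAF signature; not from a real binary.
MAF_SAMPLE = bytes.fromhex("ffff" "af721030" "080130" "b10131" "c03234"
                           "b01536" "fa" "b01938" "b0173a" "b0153c" "fb" "ff")

if __name__ == "__main__":
    print(find_signature(TABLE_SIG, ANTI_ROUTINE, base=0x2654))
    print(find_signature(MAF_SIG, MAF_SAMPLE))
```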

Re: SAD 806x Disassembler

by jsa » Thu Apr 19, 2018 6:22 am

Thanks Pym. I have not had a chance to try yet. Hopefully on the weekend.
Cheers
John

Re: SAD 806x Disassembler

by decipha » Thu Apr 19, 2018 4:27 pm

it doesn't work for me, i tried importing my rzasa xdf cmt and dir file and it keeps erroring out

attached the files to see if you can help out with it

Re: SAD 806x Disassembler

by Pym » Sat Apr 21, 2018 1:51 am

I will have a look at it.
...
Ok, really good cases, related to imports and generated conflicts. It was probably the same thing on the previous version.
First, it was required to modify the Xdf file to make it compatible with the Xml format (I do not know how TunerPro is able to read it or write it).
=> FNRPM_LIM - TQ Ratio Desired : Description contained invalid Xml characters.
Now give me a bit of time to analyse conflicts or errors and propose something.