RomRaider

OK, I'm new to ECU analysis (but not to reverse engineering and disassembly). I started by simply trying to trace the table addresses in the XML into the ROM image, using a hex editor. I quickly realized that the addresses in the XML file do not correspond directly to the addresses in the ROM hex file. So, there must be relocation going on at run time, or for that matter, when RomRaider or ECUFlash load the ROM image. For example, a table definition reads as:

<table name="Requested Torque A (Accelerator Pedal)" address="fa08c">
<table name="Accelerator Pedal Angle" address="f9ff4" elements="20"/>
<table name="Engine Speed" address="fa044" elements="18"/>
</table>

I go to address fa08c in the hex file, and there is nothing there that matches the descriptions of the table headers in any of the postings. However, I can see the table dimensions (0x00140012) followed by the value 0x000F9FF4, at address 0x00b4544 in the ROM image. So, it appears that the ROM image is relocated before the tables are accessed.

This ROM image and XML are from a 2013 Impreza 2.0i MT (SH7058). I've been searching through this forum, and reading all the "getting started" postings I can find, and I feel like I must have missed something basic here...

Does the SH7058 copy the ROM to a RAM area before execution starts? There are some postings which mention "unfolding" the ROM using IDA (no, I don't have it), by running the SH4 processor simulation starting at the first instruction in the ROM image. However, the beginning of the ROM image doesn't appear to be executable code.

Thanks for any help with getting started!

The addressing is linear starting at 0x00, so the XML addresses are the actual addresses. If you don't see float values at the axis address then your ROM is either not the same as the XML def you are using or the ROM is not complete. What is the byte length of the ROM? It should be exactly 1,048,576
The last Word of the ROM file should indicate the hex address of the CAL ID.

EP5I200F right?

As Dale says, it's a one to one relationship between the XML definition and the rom addresses, no shifting.

i.e.

But remember - that's the actual data - the lookup table exists elsewhere (if you follow the xref in IDA, it will get you back to the LUT):

Ahhhh... (realization slowly dawns). I had assumed that the XML would point to the table descriptor, but that is not the case. The table descriptor address is not captured in the XML at all; instead only the data addresses (column values, row values, and table contents) are in the XML. So finding the table descriptor (without IDA) is a bit of an exercise. I should have noticed this because there are 3 addresses captured in the XML for the table I used as an example.

I came to this point because I am having the ECU in my 2012 Impreza 2.0i CVT upflashed, and wanted to capture the before and after ROM images, to see if Subaru had addressed the bizarre accelerator pedal sensitivity. So, I took my "before" ROM image, and the EP5I200F which td-d created for the 2013 Impreza 2.0i MT (thanks!), and hacked the XML ROM descriptors to match my ROM image, just to see how it would load into RomRaider. Of course, RomRaider rejected a whole bunch of the table data, but the two accelerator to torque mapping tables happened to be in the same place in both images.

I did a data analysis on both tables, and assuming that the new ROM image I'm getting in the upflash (Subaru WQC-39 TSB) has accelerator mapping which matches the 2013 Impreza 2.0i MT, they DID address the sensitivity. I posted the results of my data analysis on NASIOC (http://forums.nasioc.com/forums/showthr ... ?t=2480429) if you're interested.

So, this must mean that when RomRaider loads a ROM image, any sanity checking is only on the data contents (e.g. invalid or bizarre float values). It can't directly check the sizes of tables, because it doesn't have the table descriptor addresses available. I know from other posts that the table descriptor has several different forms, but was there every any discussion of capturing the table descriptor addresses, as well as the table contents, in the XML?

I also realized that the table descriptor address I listed (0x00B4544) is the one from my existing, pre-upgrade, ROM image, not the one which was used to create EP5I200F. Looking at the EP5I200F ROM image, I see the table descriptor starting at 0x000BA8E4, as td-d noted. The same table descriptor is at 0x00B4544 in my pre-upgrade image.

This forum is great! I posted a somewhat noob question, and not one but two of the experts replied... thanks!

To find the lookup table without IDA, you can use find in a hex editor and put in the longword hex address of the data.

There has been some discussion, but its a bit dated. I also think that it's a major flaw in the architecture of things. By pointing to the lookup table, things become more simplified and safer. No need for a ton of scalings for different tables that output the same units but have different storage formats as the lut contains gradient offset to get output units. Then you can just convert from the table output format to whatever units the user wants to view. However, such a change is easier said than done.