Figuring out RAM addresses

Disassembly, Reassembly, Tools and development. Going deep with Hardware and Software.
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Figuring out RAM addresses

Post by NSFW »

This question came up in a PM, but I'm posting my answer here to help more people.

How do you figure out what a RAM address is used for?

That's the hardest part of the reverse-engineering process, or at least it is if you're working on a ROM that has an XDF for it already.

If you're lucky you can find a PID lookup function that refers to the same RAM address, and then get the purpose of the PID. Actually I do that in reverse - one of the first things I did after writing a script to label all of the PID lookup functions was go through the individual PID lookup functions and label the RAM addresses they use, so that they will stand out when I'm looking in code elsewhere that references those same RAM addresses.

Usually there are a lot of places that read the address, and just one or two that write to it. The ones that write to it are the ones to focus on. With luck there will be some ROM tables defined there, which give you a hint about what's going on. That usually works out well for things that come from sensor signals - if there are sensor scaling parameters or tables, you'll find code that does a lookup, or multiply-and-add, or something like that - and then writes the result to RAM. Give that RAM address a name based on the names of the tables that were referenced to calculate the value.

Mostly, I just look at all the other places it gets used, and hope for clues.

But sometimes it helps to view an address in RAM with a running engine. You can use PcmLogger for that.

For example if you have a theory about what a RAM location might be used for, you can log it and see if it moves like you expected it to. The unit-of-measurement might take a while to figure out - these PCMs use odd scaling factors for everything since they only do integer math. But it should still be obvious whether something is moving up or down like you expected.

Or you can start with how the car behaves, and work backward from there. My Subaru had a rich spot about a second after stomping on the gas (well after tip-in was finished) so I looked at the target AFR value (the address for that was already known) and found the code that added some things together to create that value... there were 5 or 6 things being added up, and some of them were well known, like the basic target AFR, then IAT and ECT compensations, but a couple of them were complete mysteries. Most of the others were staying at zero, but one was increasing about a second after stomping on the gas.... that was the cause of the rich dip.

So then I looked for code that wrote to that address, and that led to a collection of tables for wall-wetting compensation. I only figured out the wall-wetting part by watching the value move after throttle increases and decreases. I never really figured those tables out (not even close!) but I did figure out enough to make the result taper to nothing as boost increased, and that took care of most of the rich dip. Subaru tuned them very well for starting and stopping and cruising, but they made the AFR get sputtering rich shortly after full throttle (AFR around 9:1).

Other folks figured the wall-wetting stuff out in more detail later, so post about what you're looking for and what you're finding. You might help somebody, or somebody might help you. "Many hands make light work" is what open source is all about. We have to do it in the open for that to happen though. :)
Please don't PM me with technical questions - start a thread instead, and send me a link to it. That way I can answer in public, and help other people who have the same question. Thanks!
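As an added example (not the author's script and not code from this thread), here is a small Python cross-referencer over a constructed, simplified listing format that does the two things described above: it labels RAM addresses through the PID lookup functions that read them, and it separates the many readers of an address from its one or two writers, naming a written address after the ROM tables its writer used. The listing format, function names, addresses and table names are all assumptions made for the example.

```python
"""Cross-reference a disassembly listing: separate the many functions that read
a RAM address from the one or two that write it, and name addresses after the
PID lookup function or the ROM tables that feed them. The listing format
(<function> <mnemonic> <operand>) is constructed for this example."""
from collections import defaultdict

# Constructed sample listing (not a real ROM): RAM at 0xFFFF8xxx, ROM tables at
# 0x0002xxxx; ld/st read/write RAM, tbl looks up a ROM table.
LISTING = """
pid_lookup_rpm  ld  0xFFFF8010
pid_lookup_ect  ld  0xFFFF8014
sensor_scale    tbl 0x00021000
sensor_scale    tbl 0x00021040
sensor_scale    st  0xFFFF8020
calc_fuel       ld  0xFFFF8010
calc_fuel       ld  0xFFFF8020
calc_fuel       st  0xFFFF8030
spark_calc      ld  0xFFFF8020
spark_calc      ld  0xFFFF8030
"""
PID_PURPOSE = {"pid_lookup_rpm": "RPM", "pid_lookup_ect": "ECT"}  # constructed
ROM_TABLE_NAMES = {0x00021000: "MAF_scale", 0x00021040: "MAF_offset"}  # constructed


def cross_reference(listing):
    """Return (readers, writers, tables): addr -> reading funcs, addr -> writing
    funcs, func -> ROM tables it references, in listing order."""
    readers, writers, tables = defaultdict(set), defaultdict(set), defaultdict(list)
    for line in listing.strip().splitlines():
        func, op, operand = line.split()
        addr = int(operand, 16)
        if op == "ld":
            readers[addr].add(func)
        elif op == "st":
            writers[addr].add(func)
        elif op == "tbl" and addr not in tables[func]:
            tables[func].append(addr)
    return readers, writers, tables


def name_ram_addresses(readers, writers, tables):
    """Name an address after the PID that reads it, else after the ROM tables its
    writer used to compute it; anything else stays unnamed for manual work."""
    names = {}
    for addr, funcs in readers.items():
        for func in sorted(funcs):
            if func in PID_PURPOSE:
                names[addr] = PID_PURPOSE[func]
    for addr, funcs in writers.items():
        refs = [ROM_TABLE_NAMES.get(t, f"table_{t:08X}")
                for func in sorted(funcs) for t in tables.get(func, [])]
        if addr not in names and refs:
            names[addr] = "from_" + "_".join(refs)
    return names
```

Addresses that come back unnamed (here 0xFFFF8030, written only by calc_fuel with no table references) are the ones to log on a running engine.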
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Re: Figuring out RAM addresses

Post by Tazzi »

That was a great read!

It's kinda off topic, but would writing to those RAM addresses effectively override the data it's using for running the engine?
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
NSFW
Posts: 679
Joined: Fri Feb 02, 2018 3:13 pm

Re: Figuring out RAM addresses

Post by NSFW »

Tazzi wrote: That was a great read!

It's kinda off topic, but would writing to those RAM addresses effectively override the data it's using for running the engine?
Thanks!

Yes, but no... Most of the data in RAM gets updated many times per second. So if you write to RAM via OBD2, your values are likely to be overwritten faster than you can write them.

Subaru ECUs have a couple of RAM addresses for this purpose - it sets them to zero at startup and at runtime it just adds whatever value is there to whatever value its usual math came up with. For example you can offset spark timing by a few degrees, and adjust idle RPM up and down. That kind of thing might exist in GM PCMs too, I haven't looked. If not, it might be possible to patch in some code to do that kind of thing.