Electronic Fuel Injection - Developement & Tuning
https://pcmhacking.net/forums/
Code: Select all
Var1 = FUN_000d54f2(uVar2,&DAT_0003ee05);
CAN_RESPONSE = 0x62;
CAN_DATA_BYTE = POSS_MODE_SUB_OR_PID_value;
CAN_DATA_BYTE2 = POSS_PID_BYTE_2;
FUN_000d9c8e(iVar1 + 3U & 0xff);04colyZQ8 wrote:That disassembly is sweeeeet!! How are you getting such clean code? Did you write this yourself? Baised
On the assembly code given by disassembling in ida? Or does the program you have spit this wonderful code out?
I really would like to see my code disassembled like this!
Tazzi wrote:I would assume the 'success' CAN TX would be FUN_000d9c8e(iVar1 + 3U & 0xff);Code: Select all
Var1 = FUN_000d54f2(uVar2,&DAT_0003ee05); CAN_RESPONSE = 0x62; CAN_DATA_BYTE = POSS_MODE_SUB_OR_PID_value; CAN_DATA_BYTE2 = POSS_PID_BYTE_2; FUN_000d9c8e(iVar1 + 3U & 0xff);
I wouldn't think var1 is the actual calculated response since its being & 0xFF which makes it only 1byte size.
Code: Select all
void FUN_000d9c8e(int param_1)
{
DAT_0003edb4 = 3;
FUN_000e0716(1,&CAN_RESPONSE,param_1);
return;
}
Code: Select all
undefined4 FUN_000e0716(int param_1,undefined4 param_2,int param_3)
{
undefined uVar1;
undefined4 uVar2;
int iVar3;
int iVar4;
FUN_000dc894();
iVar3 = param_1 * 6;
if ((&DAT_0003f39b)[iVar3] == '\0') {
if ((byte)(SBORROW4(param_3,7) ^ param_3 + -7 < 0 | param_3 == 7) == 0) {
uVar1 = 0x20;
}
else {
uVar1 = 0x10;
}
(&DAT_0003f39b)[iVar3] = uVar1;
(&DAT_0003f398)[param_1 * 3] = 0xb;
FUN_000dc8b8();
iVar4 = param_1 * 0xc;
*(undefined4 *)(&DAT_0003f374 + iVar4) = param_2;
*(undefined2 *)(&DAT_0003f378 + iVar4) = 0;
*(short *)(&DAT_0003f37a + iVar4) = (short)param_3;
(&DAT_0003f39c)[iVar3] = (&DAT_0003f39c)[iVar3] | 0x80;
uVar2 = 0;
}
else {
FUN_000dc8b8();
uVar2 = 3;
}
return uVar2;
}
antus wrote:I think MODE_22_FUNCTION(void) might be handling responses of different lengths. It seems like it has some special handling for 3 byte packets including the mask of ivar1+3 to one byte, perhaps because its stored as a word. Then the other error conditions, and finally maybe a transmission for a longer packet at the end. Looking at https://en.wikipedia.org/wiki/OBD-II_PIDs I can see all kinds of different length responses, including IAT sensor which is 3 bytes. If this is the case then DAT_0003edec is the length of the response payload.
antus wrote:sorry that was not confirmation, just my thoughts after a read for you to consider. Now im looking again I see I miss aligned one of the brackes on my scan of your post and if DAT_0003edec is not 3 it returns a 7f error. So its unlikely to be length, and instead some kind of a flag. I'd probably need to load up the project in ghidra or ida to explore a bit more to try and get further. Though I'll keep looking and post back. Starting to think CAN_TX might be a copy in to a buffer, not the actual tx, and the response struct is finished being populated by the return and tx'd somewhere else.
Tried to open in Ghidra but got a "Language not found for 'Fujitsu:BE:32:FR8n'"gmtech825 wrote:antus wrote:sorry that was not confirmation, just my thoughts after a read for you to consider. Now im looking again I see I miss aligned one of the brackes on my scan of your post and if DAT_0003edec is not 3 it returns a 7f error. So its unlikely to be length, and instead some kind of a flag. I'd probably need to load up the project in ghidra or ida to explore a bit more to try and get further. Though I'll keep looking and post back. Starting to think CAN_TX might be a copy in to a buffer, not the actual tx, and the response struct is finished being populated by the return and tx'd somewhere else.
I think you are right though. I came to the same conclusion by another method. I compared the Node Interface Pseudo Code from some GM engineering documents to the code for several functions and it seems to be the case for every one of them. The functions start out comparing the message data length to what is expected and if not equal then CanTX= x7F, xMODE, x12.
you may be right about CANTX, those labels are not abslolute, more just indicators to help me while searching through the functions. I'll try to attach this if you're interested in looking at it. Change the .txt to a .gzf (it's a ghidra zip file that wouldn't attach in that format).
ah my bad...it was one of these, I can't remember which.Tazzi wrote:Tried to open in Ghidra but got a "Language not found for 'Fujitsu:BE:32:FR8n'"gmtech825 wrote:antus wrote:sorry that was not confirmation, just my thoughts after a read for you to consider. Now im looking again I see I miss aligned one of the brackes on my scan of your post and if DAT_0003edec is not 3 it returns a 7f error. So its unlikely to be length, and instead some kind of a flag. I'd probably need to load up the project in ghidra or ida to explore a bit more to try and get further. Though I'll keep looking and post back. Starting to think CAN_TX might be a copy in to a buffer, not the actual tx, and the response struct is finished being populated by the return and tx'd somewhere else.
I think you are right though. I came to the same conclusion by another method. I compared the Node Interface Pseudo Code from some GM engineering documents to the code for several functions and it seems to be the case for every one of them. The functions start out comparing the message data length to what is expected and if not equal then CanTX= x7F, xMODE, x12.
you may be right about CANTX, those labels are not abslolute, more just indicators to help me while searching through the functions. I'll try to attach this if you're interested in looking at it. Change the .txt to a .gzf (it's a ghidra zip file that wouldn't attach in that format).
Do you know which plugin you added?