// // ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» // º This file is generated by The Interactive Disassembler (IDA) º // º Copyright (c) 2003 by DataRescue sa/nv, º // º Licensed to: Andy Whittaker, Special, 1 user, adv, 01/2002 º // ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ // // // This file contains the user-defined type definitions. // To use it press F2 in IDA and enter the name of this file. // #define UNLOADED_FILE 1 #include static main(void) { Bytes(); // Defines in the binary Segments(); // Create all the segments Enums(); // enumerations Structures(); // structure types AutoAnalyse();// Tries to automatically disassemble the binary DTC_Enum();// search for and emumerate DTC references // Stuff for Bosch ME7.1 ECUs TranslateOffsets();// find lookup tables TranslateJmpi();//Find jmpi and tries to find the jump table FindSeedTable(); LoadMapPackCSV();//Import Map Pack tables } //Runs through each segment and tries to disassemble everything static AutoAnalyse(void) { auto addr; auto index; #define ROM_START 0x800000 #define MAP_AREA_START 0x810000 #define MAP_AREA_FINISH 0x822000 // if (AskYN(1,"Do you want to Auto-Disassemble?") != 1) // return; Message("++++++++++++++++++++++++++ \n"); Message("Trying to Auto-Disassemble \n"); Message("++++++++++++++++++++++++++ \n"); addr = ROM_START; //start address MakeFunction(addr, BADADDR); while(addr != BADADDR) { addr = FindUnexplored(addr, SEARCH_DOWN | SEARCH_NEXT); // The previous MakeFunction may not have disassembled the instructions // following a relative jmp instruction. // If Makefunction fails, try and create code if (MakeFunction(addr, BADADDR)) Message("Function found at 0x%0lx \n", addr); else if(MakeCode(addr) != 0) Message("Code created at 0x%0lx \n", addr); if( (addr > MAP_AREA_START) & (addr < MAP_AREA_FINISH) ) { Message("Ignoring data - within MAP area\n"); addr = MAP_AREA_FINISH; } if(addr == BADADDR) Message("End of Auto-Disassemble analysis loop\n"); } } //Finds where the XOR seed routine and table are located static FindSeedTable(void) { auto found; auto namestr; auto table_address; auto offset; auto seg; namestr = ""; // if (AskYN(1,"Do you want to search for the seed table?") != 1) // return; Message("++++++++++++++++++++++++ \n"); Message("Searching for Seed-Table \n"); Message("++++++++++++++++++++++++ \n"); found = FindBinary(0x810000, SEARCH_DOWN | SEARCH_NEXT, "8c f0 9d 0d 1e dc 09 a9 88 f0 56 51 a8 b9 a0"); if (found == BADADDR) Message("** Seed Table Not Found **\n"); else { found = found - 21; //Start of function Message("XOR Seed routine is located at 0x%0lx", found); namestr = "XORChkSumGenerate_"; namestr = namestr + ltoa(found, 16); MakeName(found, namestr); // Let's find out where the seed table is found = found + 0x24;// this is where the seed table is referenced ExtLinA(found, 0, ";"); ExtLinA(found, 1, "; This is where the seed table is referenced"); ExtLinA(found, 2, ";"); //convert the C16x offset into an address table_address = GetOperandValue(found, 1); //find what the table's address is seg = GetOperandValue(found + 4, 1); offset = seg << 16; table_address = table_address + offset; Message(" - XOR Seed table is located at 0x%0lx\n", table_address); namestr = "XORSeedTable_"; namestr = namestr + ltoa(table_address, 16); MakeName(table_address, namestr); ExtLinA(table_address, 0, ";"); ExtLinA(table_address, 1, "; XOR seed table - 256 words long, 32 bit data"); ExtLinA(table_address, 2, ";"); } } static Segments(void) { // auto filesize; // if (AskYN(1,"Do you want to create Segments?") != 1) // return; Message("++++++++++++++++++\n"); Message("Creating Segments \n"); Message("++++++++++++++++++\n"); // Create the RAM segments SetSelector(0x1,0x38000); SegCreate(0x380000,0x390000,0x1,0,saRelWord,scPub); SegRename(0x380000,"segRAM"); SegClass (0x380000,"RAM"); SetSegmentType(0x380000,SEG_DATA); // Create the segments SetSelector(0x2,0x80000); SegCreate(0x800000,0x808000,0x2,0,saRelWord,scPub); SegRename(0x800000,"seg080"); SegClass (0x800000,"CODE"); SetSegmentType(0x800000,SEG_CODE); // The ME7.1 sets up the data page pointers to the following values. SegDefReg(0x800000,"dpp0",0x0204); SegDefReg(0x800000,"dpp1",0x0205); SegDefReg(0x800000,"dpp2",0x00E0); SegDefReg(0x800000,"dpp3",0x0003); SetSelector(0x3,0x80800); SegCreate(0x808000,0x80c000,0x3,0,saRelWord,scPub); SegRename(0x808000,"seg202"); SegClass (0x808000,"CODE"); SetSegmentType(0x808000,SEG_CODE); SegDefReg(0x808000,"dpp0",0x0204); SegDefReg(0x808000,"dpp1",0x0205); SegDefReg(0x808000,"dpp2",0x00E0); SegDefReg(0x808000,"dpp3",0x0003); SetSelector(0x4,0x80c00); SegCreate(0x80c000,0x810000,0x4,0,saRelWord,scPub); SegRename(0x80c000,"seg203"); SegClass (0x80c000,"CODE"); SetSegmentType(0x80c000,SEG_CODE); SegDefReg(0x80c000,"dpp0",0x0204); SegDefReg(0x80c000,"dpp1",0x0205); SegDefReg(0x80c000,"dpp2",0x00E0); SegDefReg(0x80c000,"dpp3",0x0003); SetSelector(0x5,0x81000); SegCreate(0x810000,0x814000,0x5,0,saRelWord,scPub); SegRename(0x810000,"seg204"); SegClass (0x810000,"MAP"); SetSegmentType(0x810000,SEG_DATA); SegDefReg(0x810000,"dpp0",0x0204); SegDefReg(0x810000,"dpp1",0x0205); SegDefReg(0x810000,"dpp2",0x00E0); SegDefReg(0x810000,"dpp3",0x0003); SetSelector(0x6,0x81400); SegCreate(0x814000,0x818000,0x6,0,saRelWord,scPub); SegRename(0x814000,"seg205"); SegClass (0x814000,"MAP"); SetSegmentType(0x814000,SEG_DATA); SegDefReg(0x814000,"dpp0",0x0204); SegDefReg(0x814000,"dpp1",0x0205); SegDefReg(0x814000,"dpp2",0x00E0); SegDefReg(0x814000,"dpp3",0x0003); SetSelector(0x7,0x81800); SegCreate(0x818000,0x81c000,0x7,0,saRelWord,scPub); SegRename(0x818000,"seg206"); SegClass (0x818000,"MAP"); SetSegmentType(0x818000,SEG_DATA); SegDefReg(0x818000,"dpp0",0x0204); SegDefReg(0x818000,"dpp1",0x0205); SegDefReg(0x818000,"dpp2",0x00E0); SegDefReg(0x818000,"dpp3",0x0003); SetSelector(0x8,0x81c00); SegCreate(0x81c000,0x820000,0x8,0,saRelWord,scPub); SegRename(0x81c000,"seg207"); SegClass (0x81c000,"MAP"); SetSegmentType(0x81c000,SEG_DATA); SegDefReg(0x81c000,"dpp0",0x0204); SegDefReg(0x81c000,"dpp1",0x0205); SegDefReg(0x81c000,"dpp2",0x00E0); SegDefReg(0x81c000,"dpp3",0x0003); SetSelector(0x9,0x82000); SegCreate(0x820000,0x830000,0x9,0,saRelWord,scPub); SegRename(0x820000,"seg082"); SegClass (0x820000,"CODE"); SetSegmentType(0x820000,SEG_CODE); SegDefReg(0x820000,"dpp0",0x0204); SegDefReg(0x820000,"dpp1",0x0205); SegDefReg(0x820000,"dpp2",0x00E0); SegDefReg(0x820000,"dpp3",0x0003); SetSelector(0xa,0x83000); SegCreate(0x830000,0x840000,0xa,0,saRelWord,scPub); SegRename(0x830000,"seg083"); SegClass (0x830000,"CODE"); SetSegmentType(0x830000,SEG_CODE); SegDefReg(0x830000,"dpp0",0x0204); SegDefReg(0x830000,"dpp1",0x0205); SegDefReg(0x830000,"dpp2",0x00E0); SegDefReg(0x830000,"dpp3",0x0003); SetSelector(0xb,0x84000); SegCreate(0x840000,0x850000,0xb,0,saRelWord,scPub); SegRename(0x840000,"seg084"); SegClass (0x840000,"CODE"); SetSegmentType(0x840000,SEG_CODE); SegDefReg(0x840000,"dpp0",0x0204); SegDefReg(0x840000,"dpp1",0x0205); SegDefReg(0x840000,"dpp2",0x00E0); SegDefReg(0x840000,"dpp3",0x0003); SetSelector(0xc,0x85000); SegCreate(0x850000,0x860000,0xc,0,saRelWord,scPub); SegRename(0x850000,"seg085"); SegClass (0x850000,"CODE"); SetSegmentType(0x850000,SEG_CODE); SegDefReg(0x850000,"dpp0",0x0204); SegDefReg(0x850000,"dpp1",0x0205); SegDefReg(0x850000,"dpp2",0x00E0); SegDefReg(0x850000,"dpp3",0x0003); SetSelector(0xd,0x86000); SegCreate(0x860000,0x870000,0xd,0,saRelWord,scPub); SegRename(0x860000,"seg086"); SegClass (0x860000,"CODE"); SetSegmentType(0x860000,SEG_CODE); SegDefReg(0x860000,"dpp0",0x0204); SegDefReg(0x860000,"dpp1",0x0205); SegDefReg(0x860000,"dpp2",0x00E0); SegDefReg(0x860000,"dpp3",0x0003); SetSelector(0xe,0x87000); SegCreate(0x870000,0x880000,0xe,0,saRelWord,scPub); SegRename(0x870000,"seg087"); SegClass (0x870000,"CODE"); SetSegmentType(0x870000,SEG_CODE); SegDefReg(0x870000,"dpp0",0x0204); SegDefReg(0x870000,"dpp1",0x0205); SegDefReg(0x870000,"dpp2",0x00E0); SegDefReg(0x870000,"dpp3",0x0003); SetSelector(0xf,0x88000); SegCreate(0x880000,0x890000,0xf,0,saRelWord,scPub); SegRename(0x880000,"seg088"); SegClass (0x880000,"CODE"); SetSegmentType(0x880000,SEG_CODE); SegDefReg(0x880000,"dpp0",0x0204); SegDefReg(0x880000,"dpp1",0x0205); SegDefReg(0x880000,"dpp2",0x00E0); SegDefReg(0x880000,"dpp3",0x0003); SetSelector(0x10,0x89000); SegCreate(0x890000,0x8a0000,0x10,0,saRelWord,scPub); SegRename(0x890000,"seg089"); SegClass (0x890000,"CODE"); SetSegmentType(0x890000,SEG_CODE); SegDefReg(0x890000,"dpp0",0x0204); SegDefReg(0x890000,"dpp1",0x0205); SegDefReg(0x890000,"dpp2",0x00E0); SegDefReg(0x890000,"dpp3",0x0003); SetSelector(0x11,0x8a000); SegCreate(0x8a0000,0x8b0000,0x11,0,saRelWord,scPub); SegRename(0x8a0000,"seg08a"); SegClass (0x8a0000,"CODE"); SetSegmentType(0x8a0000,SEG_CODE); SegDefReg(0x8a0000,"dpp0",0x0204); SegDefReg(0x8a0000,"dpp1",0x0205); SegDefReg(0x8a0000,"dpp2",0x00E0); SegDefReg(0x8a0000,"dpp3",0x0003); SetSelector(0x12,0x8b000); SegCreate(0x8b0000,0x8c0000,0x12,0,saRelWord,scPub); SegRename(0x8b0000,"seg08b"); SegClass (0x8b0000,"CODE"); SetSegmentType(0x8b0000,SEG_CODE); SegDefReg(0x8b0000,"dpp0",0x0204); SegDefReg(0x8b0000,"dpp1",0x0205); SegDefReg(0x8b0000,"dpp2",0x00E0); SegDefReg(0x8b0000,"dpp3",0x0003); SetSelector(0x13,0x8c000); SegCreate(0x8c0000,0x8d0000,0x13,0,saRelWord,scPub); SegRename(0x8c0000,"seg08c"); SegClass (0x8c0000,"CODE"); SetSegmentType(0x8c0000,SEG_CODE); SegDefReg(0x8c0000,"dpp0",0x0204); SegDefReg(0x8c0000,"dpp1",0x0205); SegDefReg(0x8c0000,"dpp2",0x00E0); SegDefReg(0x8c0000,"dpp3",0x0003); } static Enums_0(id) { // if (AskYN(1,"Do you want to define standard Bosch Enumerations?") != 1) // return; Message("++++++++++++++++++++++\n"); Message("Creating Emumerations \n"); Message("++++++++++++++++++++++\n"); id = AddEnum(-1,"ECMERROR",0x1100000); AddConstEx(id,"ECMERROR_00", 0x0, 0xffffffff); AddConstEx(id,"ECMERROR_RAM01", 0x1, 0xffffffff); AddConstEx(id,"ECMERROR_RAM02", 0x2, 0xffffffff); AddConstEx(id,"ECMERROR_ILLBUS", 0x3, 0xffffffff); AddConstEx(id,"ECMERROR_ILLINA", 0x4, 0xffffffff); AddConstEx(id,"ECMERROR_ILLOPA", 0x5, 0xffffffff); AddConstEx(id,"ECMERROR_PRTFLT", 0x6, 0xffffffff); AddConstEx(id,"ECMERROR_UNDOPC", 0x7, 0xffffffff); AddConstEx(id,"ECMERROR_08", 0x8, 0xffffffff); AddConstEx(id,"ECMERROR_09", 0x9, 0xffffffff); AddConstEx(id,"ECMERROR_10", 0xa, 0xffffffff); AddConstEx(id,"ECMERROR_11", 0xb, 0xffffffff); AddConstEx(id,"ECMERROR_12", 0xc, 0xffffffff); AddConstEx(id,"ECMERROR_13", 0xd, 0xffffffff); AddConstEx(id,"ECMERROR_14", 0xe, 0xffffffff); AddConstEx(id,"ECMERROR_15", 0xf, 0xffffffff); AddConstEx(id,"ECMERROR_16", 0x10, 0xffffffff); AddConstEx(id,"ECMERROR_17", 0x11, 0xffffffff); AddConstEx(id,"ECMERROR_18", 0x12, 0xffffffff); AddConstEx(id,"ECMERROR_19", 0x13, 0xffffffff); AddConstEx(id,"ECMERROR_20", 0x14, 0xffffffff); AddConstEx(id,"ECMERROR_21", 0x15, 0xffffffff); AddConstEx(id,"ECMERROR_22", 0x16, 0xffffffff); AddConstEx(id,"ECMERROR_23", 0x17, 0xffffffff); AddConstEx(id,"ECMERROR_24", 0x18, 0xffffffff); AddConstEx(id,"ECMERROR_25", 0x19, 0xffffffff); AddConstEx(id,"ECMERROR_26", 0x1a, 0xffffffff); SetConstCmt(GetConst(id,0x1a,0xffffffff),"Data Corruption",1); AddConstEx(id,"ECMERROR_27", 0x1b, 0xffffffff); AddConstEx(id,"ECMERROR_28", 0x1c, 0xffffffff); AddConstEx(id,"ECMERROR_29", 0x1d, 0xffffffff); AddConstEx(id,"ECMERROR_30", 0x1e, 0xffffffff); AddConstEx(id,"ECMERROR_31", 0x1f, 0xffffffff); AddConstEx(id,"ECMERROR_32", 0x20, 0xffffffff); AddConstEx(id,"ECMERROR_33", 0x21, 0xffffffff); AddConstEx(id,"ECMERROR_106", 0x6a, 0xffffffff); AddConstEx(id,"ECMERROR_147", 0x93, 0xffffffff); AddConstEx(id,"ECMERROR_149", 0x95, 0xffffffff); id = AddEnum(-1,"Bits",0x1100000); SetEnumBf(id,1); AddConstEx(id,"Bit0", 0x1, 0x1); AddConstEx(id,"Bit1", 0x2, 0x2); AddConstEx(id,"Bit2", 0x4, 0x4); AddConstEx(id,"Bit3", 0x8, 0x8); AddConstEx(id,"Bit4", 0x10, 0x10); AddConstEx(id,"Bit5", 0x20, 0x20); AddConstEx(id,"Bit6", 0x40, 0x40); AddConstEx(id,"Bit7", 0x80, 0x80); AddConstEx(id,"Bit8", 0x100, 0x100); AddConstEx(id,"Bit9", 0x200, 0x200); AddConstEx(id,"Bit10", 0x400, 0x400); AddConstEx(id,"Bit11", 0x800, 0x800); AddConstEx(id,"Bit12", 0x1000, 0x1000); AddConstEx(id,"Bit13", 0x2000, 0x2000); AddConstEx(id,"Bit14", 0x4000, 0x4000); AddConstEx(id,"Bit15", 0x8000, 0x8000); id = AddEnum(-1,"AirFuelStatus",0x1100000); SetEnumBf(id,1); AddConstEx(id,"BaroFaulty", 0x5, 0x5); id = AddEnum(-1,"Const",0x1100000); AddConstEx(id,"NUMCYL", 0x6, 0xffffffff); id = AddEnum(-1,"DTCLBit",0x1100000); SetEnumBf(id,1); AddConstEx(id,"DTCBit_L0", 0x1, 0x1); AddConstEx(id,"DTCBit_L1", 0x2, 0x2); AddConstEx(id,"DTCBit_L2", 0x4, 0x4); AddConstEx(id,"DTCBit_L3", 0x8, 0x8); AddConstEx(id,"DTCBit_L4", 0x10, 0x10); AddConstEx(id,"DTCBit_L5", 0x20, 0x20); AddConstEx(id,"DTCBit_L6", 0x40, 0x40); AddConstEx(id,"DTCBit_L7", 0x80, 0x80); id = AddEnum(-1,"DTCHBit",0x1100000); SetEnumBf(id,1); AddConstEx(id,"DTCFieldA_H0", 0x1, 0x1); SetConstCmt(GetConst(id,0x1,0x1),"Select member 0",1); AddConstEx(id,"DTCFieldB_H1", 0x2, 0x2); SetConstCmt(GetConst(id,0x2,0x2),"Select member 1",1); AddConstEx(id,"DTCFieldC_H2", 0x4, 0x4); SetConstCmt(GetConst(id,0x4,0x4),"Select member 2",1); AddConstEx(id,"DTCFieldD_H3", 0x8, 0x8); SetConstCmt(GetConst(id,0x8,0x8),"Select member 3",1); AddConstEx(id,"DTCBit_H4", 0x10, 0x10); AddConstEx(id,"DTCBit_H5", 0x20, 0x20); AddConstEx(id,"DTCBit_H6", 0x40, 0x40); AddConstEx(id,"DTCBit_H7", 0x80, 0x80); id = AddEnum(-1,"DTC",0x1100000); AddConstEx(id,"DTC_P1402", 0x1, 0xffffffff); SetConstCmt(GetConst(id,0x1,0xffffffff),"EGR Valve Circ Short to B+",1); AddConstEx(id,"DTC_P0402", 0x2, 0xffffffff); SetConstCmt(GetConst(id,0x2,0xffffffff),"EGR - Excessive Flow",1); AddConstEx(id,"DTC_P1456", 0x3, 0xffffffff); SetConstCmt(GetConst(id,0x3,0xffffffff),"Exhaust gas temperature control bank 1 limit attained",1); AddConstEx(id,"DTC_P1460", 0x4, 0xffffffff); SetConstCmt(GetConst(id,0x4,0xffffffff),"Exhaust gas temperature control bank 2 limit attained",1); AddConstEx(id,"DTC_P1461", 0x5, 0xffffffff); SetConstCmt(GetConst(id,0x5,0xffffffff),"Exhaust gas temperature control bank 1 Range/Performance",1); AddConstEx(id,"DTC_P1462", 0x6, 0xffffffff); SetConstCmt(GetConst(id,0x6,0xffffffff),"Exhaust gas temperature control bank 2 Range/Performance",1); AddConstEx(id,"DTC_P1453", 0x7, 0xffffffff); SetConstCmt(GetConst(id,0x7,0xffffffff),"Exhaust gas temperature sensor 1 open/short to B+",1); AddConstEx(id,"DTC_P1457", 0x8, 0xffffffff); SetConstCmt(GetConst(id,0x8,0xffffffff),"Exhaust gas temperature sensor 2 open/short to B+",1); AddConstEx(id,"DTC_P0321", 0x9, 0xffffffff); SetConstCmt(GetConst(id,0x9,0xffffffff),"Ign./Distributor Eng.Speed Inp.Circ Range/Performance",1); AddConstEx(id,"DTC_P0571", 0xa, 0xffffffff); SetConstCmt(GetConst(id,0xa,0xffffffff),"Cruise/Brake Switch (A) Circ Malfunction",1); AddConstEx(id,"DTC_P1639", 0xb, 0xffffffff); SetConstCmt(GetConst(id,0xb,0xffffffff),"Accelera.Pedal Pos.Sensor 1+2 Range/Performance",1); AddConstEx(id,"DTC_P1629", 0xc, 0xffffffff); SetConstCmt(GetConst(id,0xc,0xffffffff),"Data-Bus Powertrain missing message from distance control",1); AddConstEx(id,"DTC_P1645", 0xd, 0xffffffff); SetConstCmt(GetConst(id,0xd,0xffffffff),"Data Bus Powertrain missing message f.all wheel drive contr.",1); AddConstEx(id,"DTC_P1853", 0xe, 0xffffffff); SetConstCmt(GetConst(id,0xe,0xffffffff),"Data-Bus Powertrain Unplausible Message from Brake Contr.",1); AddConstEx(id,"DTC_P1649", 0xf, 0xffffffff); SetConstCmt(GetConst(id,0xf,0xffffffff),"Data Bus Powertrain Missing message from ABS Control Module",1); AddConstEx(id,"DTC_P1626", 0x10, 0xffffffff); SetConstCmt(GetConst(id,0x10,0xffffffff),"Data-Bus Powertrain Missing Message from Transm.Contr.",1); AddConstEx(id,"DTC_P1648", 0x11, 0xffffffff); SetConstCmt(GetConst(id,0x11,0xffffffff),"Data Bus Powertrain Malfunction",1); AddConstEx(id,"DTC_P1650", 0x12, 0xffffffff); SetConstCmt(GetConst(id,0x12,0xffffffff),"Data Bus Powertrain Missing message fr.instrument panel ECU",1); AddConstEx(id,"DTC_P1628", 0x13, 0xffffffff); SetConstCmt(GetConst(id,0x13,0xffffffff),"Data-Bus Powertrain missing message from steering sensor",1); AddConstEx(id,"DTC_P1544_1", 0x14, 0xffffffff); SetConstCmt(GetConst(id,0x14,0xffffffff),"Throttle Actuation Potentiometer Signal too High",1); AddConstEx(id,"DTC_P1544", 0x15, 0xffffffff); SetConstCmt(GetConst(id,0x15,0xffffffff),"Throttle Actuation Potentiometer Signal too High",1); AddConstEx(id,"DTC_P1173", 0x16, 0xffffffff); SetConstCmt(GetConst(id,0x16,0xffffffff),"Throttle Actuation Potentiometer Sign.2 Signal too High",1); AddConstEx(id,"DTC_P1602", 0x17, 0xffffffff); SetConstCmt(GetConst(id,0x17,0xffffffff),"Power Supply (B+) Terminal 30 Low Voltage",1); AddConstEx(id,"DTC_P0238", 0x18, 0xffffffff); SetConstCmt(GetConst(id,0x18,0xffffffff),"Turbocharger Boost Sensor (A) Circ High Input",1); AddConstEx(id,"DTC_P0108", 0x19, 0xffffffff); SetConstCmt(GetConst(id,0x19,0xffffffff),"MAP - Hi",1); AddConstEx(id,"DTC_P1387", 0x1a, 0xffffffff); SetConstCmt(GetConst(id,0x1a,0xffffffff),"Internal Contr. Module altitude sensor error",1); AddConstEx(id,"DTC_P0106", 0x1b, 0xffffffff); SetConstCmt(GetConst(id,0x1b,0xffffffff),"Manifold Abs.Pressure or Bar.Pressure Range/Performance",1); AddConstEx(id,"DTC_P1604_1", 0x1c, 0xffffffff); SetConstCmt(GetConst(id,0x1c,0xffffffff),"Internal Control Module Driver Error",1); AddConstEx(id,"DTC_P1568_0", 0x1d, 0xffffffff); SetConstCmt(GetConst(id,0x1d,0xffffffff),"Idle Speed Contr.Throttle Pos. mechanical Malfunction",1); AddConstEx(id,"DTC_P1568_1", 0x1e, 0xffffffff); SetConstCmt(GetConst(id,0x1e,0xffffffff),"Idle Speed Contr.Throttle Pos. mechanical Malfunction",1); AddConstEx(id,"DTC_P1545", 0x1f, 0xffffffff); SetConstCmt(GetConst(id,0x1f,0xffffffff),"Throttle Pos.Contr Malfunction",1); AddConstEx(id,"DTC_P1559_1", 0x20, 0xffffffff); SetConstCmt(GetConst(id,0x20,0xffffffff),"Idle Speed Contr.Throttle Pos. Adaptation Malfunction",1); AddConstEx(id,"DTC_P1545_1", 0x21, 0xffffffff); SetConstCmt(GetConst(id,0x21,0xffffffff),"Throttle Pos.Contr Malfunction",1); AddConstEx(id,"DTC_P1579_1", 0x22, 0xffffffff); SetConstCmt(GetConst(id,0x22,0xffffffff),"Idle Speed Contr.Throttle Pos. Adaptation not started",1); AddConstEx(id,"DTC_P1565", 0x23, 0xffffffff); SetConstCmt(GetConst(id,0x23,0xffffffff),"Idle Speed Control Throttle Position lower limit not attained",1); AddConstEx(id,"DTC_P1579", 0x24, 0xffffffff); SetConstCmt(GetConst(id,0x24,0xffffffff),"Idle Speed Contr.Throttle Pos. Adaptation not started",1); AddConstEx(id,"DTC_P1559", 0x25, 0xffffffff); SetConstCmt(GetConst(id,0x25,0xffffffff),"Idle Speed Contr.Throttle Pos. Adaptation Malfunction",1); AddConstEx(id,"DTC_P1604", 0x26, 0xffffffff); SetConstCmt(GetConst(id,0x26,0xffffffff),"Internal Control Module Driver Error",1); AddConstEx(id,"DTC_P1141", 0x27, 0xffffffff); SetConstCmt(GetConst(id,0x27,0xffffffff),"Load Calculation Cross Check Range/Performance",1); AddConstEx(id,"DTC_P1677", 0x28, 0xffffffff); SetConstCmt(GetConst(id,0x28,0xffffffff),"Drive by Wire-MIL Circ. Short to B+",1); AddConstEx(id,"DTC_P1258", 0x29, 0xffffffff); SetConstCmt(GetConst(id,0x29,0xffffffff),"Engine Coolant System Valve Short to B+",1); AddConstEx(id,"DTC_P1213", 0x2a, 0xffffffff); SetConstCmt(GetConst(id,0x2a,0xffffffff),"Cyl.1-Fuel Inj.Circ. Short to B+",1); AddConstEx(id,"DTC_P1216", 0x2b, 0xffffffff); SetConstCmt(GetConst(id,0x2b,0xffffffff),"Cyl.4-Fuel Inj.Circ. Short to B+",1); AddConstEx(id,"DTC_P1215", 0x2c, 0xffffffff); SetConstCmt(GetConst(id,0x2c,0xffffffff),"Cyl.3-Fuel Inj.Circ. Short to B+",1); AddConstEx(id,"DTC_P1218", 0x2d, 0xffffffff); SetConstCmt(GetConst(id,0x2d,0xffffffff),"Cyl.6-Fuel Inj.Circ. Short to B+",1); AddConstEx(id,"DTC_P1214", 0x2e, 0xffffffff); SetConstCmt(GetConst(id,0x2e,0xffffffff),"Cyl.2-Fuel Inj.Circ. Short to B+",1); AddConstEx(id,"DTC_P1217", 0x2f, 0xffffffff); SetConstCmt(GetConst(id,0x2f,0xffffffff),"Cyl.5-Fuel Inj.Circ. Short to B+",1); AddConstEx(id,"DTC_P1219", 0x30, 0xffffffff); SetConstCmt(GetConst(id,0x30,0xffffffff),"Cyl.7-Fuel Inj.Circ. Short to B+",1); AddConstEx(id,"DTC_P1220", 0x31, 0xffffffff); SetConstCmt(GetConst(id,0x31,0xffffffff),"Cyl.8-Fuel Inj.Circ. Short to B+",1); AddConstEx(id,"DTC_P1631", 0x32, 0xffffffff); SetConstCmt(GetConst(id,0x32,0xffffffff),"Accelera.Pedal Pos.Sensor 1 Signal too High",1); AddConstEx(id,"DTC_P1634", 0x33, 0xffffffff); SetConstCmt(GetConst(id,0x33,0xffffffff),"Accelera.Pedal Pos.Sensor 2 Signal too High",1); AddConstEx(id,"DTC_P1631_1", 0x34, 0xffffffff); SetConstCmt(GetConst(id,0x34,0xffffffff),"Accelera.Pedal Pos.Sensor 1 Signal too High",1); AddConstEx(id,"DTC_P1128_0", 0x35, 0xffffffff); SetConstCmt(GetConst(id,0x35,0xffffffff),"Long Term Fuel Trim mult.,Bank1 System too Lean",1); AddConstEx(id,"DTC_P1130_0", 0x36, 0xffffffff); SetConstCmt(GetConst(id,0x36,0xffffffff),"Long Term Fuel Trim mult.,Bank2 System too Lean",1); AddConstEx(id,"DTC_P1128_1", 0x37, 0xffffffff); SetConstCmt(GetConst(id,0x37,0xffffffff),"Long Term Fuel Trim mult.,Bank1 System too Lean",1); AddConstEx(id,"DTC_P1130_1", 0x38, 0xffffffff); SetConstCmt(GetConst(id,0x38,0xffffffff),"Long Term Fuel Trim mult.,Bank2 System too Lean",1); AddConstEx(id,"DTC_P1111", 0x39, 0xffffffff); SetConstCmt(GetConst(id,0x39,0xffffffff),"O2 Control (Bank 1) System too lean",1); AddConstEx(id,"DTC_P1147", 0x3a, 0xffffffff); SetConstCmt(GetConst(id,0x3a,0xffffffff),"O2 Control (Bank 2) System too lean",1); AddConstEx(id,"DTC_P1612", 0x3b, 0xffffffff); SetConstCmt(GetConst(id,0x3b,0xffffffff),"Electronic Control Module Incorrect Coding",1); AddConstEx(id,"DTC_P1569", 0x3c, 0xffffffff); SetConstCmt(GetConst(id,0x3c,0xffffffff),"Cruise control switch Incorrect signal",1); AddConstEx(id,"DTC_P1114", 0x3d, 0xffffffff); SetConstCmt(GetConst(id,0x3d,0xffffffff),"Bank1-Sensor2 Internal Resistance too High",1); AddConstEx(id,"DTC_P1140", 0x3e, 0xffffffff); SetConstCmt(GetConst(id,0x3e,0xffffffff),"Bank2-Sensor2 Internal Resistance too High",1); AddConstEx(id,"DTC_P1105", 0x3f, 0xffffffff); SetConstCmt(GetConst(id,0x3f,0xffffffff),"O2 Sensor Heating Circ.,Bank1-Sensor2 Short to B+",1); AddConstEx(id,"DTC_P1110", 0x40, 0xffffffff); SetConstCmt(GetConst(id,0x40,0xffffffff),"O2 Sensor Heating Circ.,Bank2-Sensor2 Short to B+",1); AddConstEx(id,"DTC_P1102", 0x41, 0xffffffff); SetConstCmt(GetConst(id,0x41,0xffffffff),"O2 Sensor Heating Circ.,Bank1-Sensor1 Short to B+",1); AddConstEx(id,"DTC_P1107", 0x42, 0xffffffff); SetConstCmt(GetConst(id,0x42,0xffffffff),"O2 Sensor Heating Circ.,Bank2-Sensor1 Short to B+",1); AddConstEx(id,"DTC_P0422", 0x43, 0xffffffff); SetConstCmt(GetConst(id,0x43,0xffffffff),"Main Catalyst,Bank1 Efficiency Below Threshold",1); AddConstEx(id,"DTC_P0432", 0x44, 0xffffffff); SetConstCmt(GetConst(id,0x44,0xffffffff),"Main Catalyst,Bank2 Efficiency Below Threshold",1); AddConstEx(id,"DTC_P1502", 0x45, 0xffffffff); SetConstCmt(GetConst(id,0x45,0xffffffff),"Fuel Pump Relay Circ. Short to B+",1); AddConstEx(id,"DTC_P1325", 0x46, 0xffffffff); SetConstCmt(GetConst(id,0x46,0xffffffff),"Cyl.1-Knock Contr. -Limit Attained",1); AddConstEx(id,"DTC_P1328", 0x47, 0xffffffff); SetConstCmt(GetConst(id,0x47,0xffffffff),"Cyl.4-Knock Contr. -Limit Attained",1); AddConstEx(id,"DTC_P1327", 0x48, 0xffffffff); SetConstCmt(GetConst(id,0x48,0xffffffff),"Cyl.3-Knock Contr. Limit Attained",1); AddConstEx(id,"DTC_P1330", 0x49, 0xffffffff); SetConstCmt(GetConst(id,0x49,0xffffffff),"Cyl.6-Knock Contr. Limit Attained",1); AddConstEx(id,"DTC_P1326", 0x4a, 0xffffffff); SetConstCmt(GetConst(id,0x4a,0xffffffff),"Cyl.2-Knock Contr. Limit Attained",1); AddConstEx(id,"DTC_P1329", 0x4b, 0xffffffff); SetConstCmt(GetConst(id,0x4b,0xffffffff),"Cyl.5-Knock Contr. Limit Attained",1); AddConstEx(id,"DTC_P1331", 0x4c, 0xffffffff); SetConstCmt(GetConst(id,0x4c,0xffffffff),"Cyl.7-Knock Contr. Limit Attained",1); AddConstEx(id,"DTC_P1332", 0x4d, 0xffffffff); SetConstCmt(GetConst(id,0x4d,0xffffffff),"Cyl.8-Knock Contr. Limit Attained",1); AddConstEx(id,"DTC_P1386_1", 0x4e, 0xffffffff); SetConstCmt(GetConst(id,0x4e,0xffffffff),"Internal Control Module Knock Control Circ.Error",1); AddConstEx(id,"DTC_P1386_0", 0x4f, 0xffffffff); SetConstCmt(GetConst(id,0x4f,0xffffffff),"Internal Control Module Knock Control Circ.Error",1); AddConstEx(id,"DTC_P1386", 0x50, 0xffffffff); SetConstCmt(GetConst(id,0x50,0xffffffff),"Internal Control Module Knock Control Circ.Error",1); AddConstEx(id,"DTC_P0328", 0x51, 0xffffffff); SetConstCmt(GetConst(id,0x51,0xffffffff),"Knock Sensor 1 Circ High Input",1); AddConstEx(id,"DTC_P0333", 0x52, 0xffffffff); SetConstCmt(GetConst(id,0x52,0xffffffff),"Knock Sensor 2 Circ High Input",1); AddConstEx(id,"DTC_P1322", 0x53, 0xffffffff); SetConstCmt(GetConst(id,0x53,0xffffffff),"Knock Sensor 3 Circ. High Input",1); AddConstEx(id,"DTC_P1324", 0x54, 0xffffffff); SetConstCmt(GetConst(id,0x54,0xffffffff),"Knock Sensor 4 Circ. High Input",1); AddConstEx(id,"DTC_P1539", 0x55, 0xffffffff); SetConstCmt(GetConst(id,0x55,0xffffffff),"Clutch Vacuum Vent Valve Switch Incorrect signal",1); AddConstEx(id,"DTC_P0139", 0x56, 0xffffffff); SetConstCmt(GetConst(id,0x56,0xffffffff),"O2 Sensor Circ.,Bank1-Sensor2 Slow Response",1); AddConstEx(id,"DTC_P0159", 0x57, 0xffffffff); SetConstCmt(GetConst(id,0x57,0xffffffff),"O2 Sensor Circ.,Bank2-Sensor2 Slow Response",1); AddConstEx(id,"DTC_P0133", 0x58, 0xffffffff); SetConstCmt(GetConst(id,0x58,0xffffffff),"O2 Sensor Circ.,Bank1-Sensor1 Slow Response",1); AddConstEx(id,"DTC_P0153", 0x59, 0xffffffff); SetConstCmt(GetConst(id,0x59,0xffffffff),"O2 Sensor Circ.,Bank2-Sensor1 Slow Response",1); AddConstEx(id,"DTC_P1176", 0x5a, 0xffffffff); SetConstCmt(GetConst(id,0x5a,0xffffffff),"O2 Correction Behind Catalyst,B1 Limit Attained",1); AddConstEx(id,"DTC_P1177", 0x5b, 0xffffffff); SetConstCmt(GetConst(id,0x5b,0xffffffff),"O2 Correction Behind Catalyst,B2 Limit Attained",1); AddConstEx(id,"DTC_P1546", 0x5c, 0xffffffff); SetConstCmt(GetConst(id,0x5c,0xffffffff),"Boost Pressure Contr.Valve Short to B+",1); AddConstEx(id,"DTC_P1555", 0x5d, 0xffffffff); SetConstCmt(GetConst(id,0x5d,0xffffffff),"Charge Pressure -Upper Limit exceeded",1); AddConstEx(id,"DTC_P1475", 0x5e, 0xffffffff); SetConstCmt(GetConst(id,0x5e,0xffffffff),"EVAP Emission Contr.LDP Circ Malfunction/Signal Circ.Open",1); AddConstEx(id,"DTC_P1471", 0x5f, 0xffffffff); SetConstCmt(GetConst(id,0x5f,0xffffffff),"EVAP Emission Contr.LDP Circ Short to B+",1); AddConstEx(id,"DTC_P1557", 0x60, 0xffffffff); SetConstCmt(GetConst(id,0x60,0xffffffff),"Charge Pressure Contr. -Positive Deviation",1); AddConstEx(id,"DTC_P0507", 0x61, 0xffffffff); SetConstCmt(GetConst(id,0x61,0xffffffff),"Idle Control System Higher than Expected",1); AddConstEx(id,"DTC_P0103", 0x62, 0xffffffff); SetConstCmt(GetConst(id,0x62,0xffffffff),"Mass or Volume Air Flow Circ High Input",1); AddConstEx(id,"DTC_P0138", 0x63, 0xffffffff); SetConstCmt(GetConst(id,0x63,0xffffffff),"O2 Sensor Circ.,Bank1-Sensor2 High Voltage",1); AddConstEx(id,"DTC_P0158", 0x64, 0xffffffff); SetConstCmt(GetConst(id,0x64,0xffffffff),"O2 Sensor Circ.,Bank2-Sensor2 High Voltage",1); AddConstEx(id,"DTC_P0132", 0x65, 0xffffffff); SetConstCmt(GetConst(id,0x65,0xffffffff),"O2 Sensor Circ.,Bank1-Sensor1 High Voltage",1); AddConstEx(id,"DTC_P0152", 0x66, 0xffffffff); SetConstCmt(GetConst(id,0x66,0xffffffff),"O2 Sensor Circ.,Bank2-Sensor1 High Voltage",1); AddConstEx(id,"DTC_P0300", 0x67, 0xffffffff); SetConstCmt(GetConst(id,0x67,0xffffffff),"Random/Multiple Cylinder Misfire Detected",1); AddConstEx(id,"DTC_P0301", 0x68, 0xffffffff); SetConstCmt(GetConst(id,0x68,0xffffffff),"Cyl.1 Misfire Detected",1); AddConstEx(id,"DTC_P0304", 0x69, 0xffffffff); SetConstCmt(GetConst(id,0x69,0xffffffff),"Cyl.4 Misfire Detected",1); AddConstEx(id,"DTC_P1336", 0x6e, 0xffffffff); SetConstCmt(GetConst(id,0x6e,0xffffffff),"Engine Torque Monitoring - Adaptation at limit",1); AddConstEx(id,"DTC_P0300_1", 0x6f, 0xffffffff); SetConstCmt(GetConst(id,0x6f,0xffffffff),"Random/Multiple Cylinder Misfire Detected",1); AddConstEx(id,"DTC_P0301_1", 0x70, 0xffffffff); SetConstCmt(GetConst(id,0x70,0xffffffff),"Cyl.1 Misfire Detected",1); AddConstEx(id,"DTC_P0304_1", 0x71, 0xffffffff); SetConstCmt(GetConst(id,0x71,0xffffffff),"Cyl.4 Misfire Detected",1); AddConstEx(id,"DTC_P0303", 0x72, 0xffffffff); SetConstCmt(GetConst(id,0x72,0xffffffff),"Cyl.3 Misfire Detected",1); AddConstEx(id,"DTC_P1693", 0x76, 0xffffffff); SetConstCmt(GetConst(id,0x76,0xffffffff),"Malfunction Indication Light -Short circuit to B+",1); AddConstEx(id,"DTC_P0322", 0x77, 0xffffffff); SetConstCmt(GetConst(id,0x77,0xffffffff),"Ign./Distributor Eng.Speed Inp.Circ No Signal",1); AddConstEx(id,"DTC_P1347", 0x78, 0xffffffff); SetConstCmt(GetConst(id,0x78,0xffffffff),"Bank2,Crankshaft-/Camshaft os.Sens.Sign. Out of Sequence",1); AddConstEx(id,"DTC_P1340", 0x79, 0xffffffff); SetConstCmt(GetConst(id,0x79,0xffffffff),"Crankshaft-/Camshaft Pos.Sens.Signals Out of Sequence",1); AddConstEx(id,"DTC_P1522", 0x7a, 0xffffffff); SetConstCmt(GetConst(id,0x7a,0xffffffff),"Intake Camshaft Contr.,Bank2 Malfunction",1); AddConstEx(id,"DTC_P1519", 0x7b, 0xffffffff); SetConstCmt(GetConst(id,0x7b,0xffffffff),"Intake Camshaft Contr.,Bank1 Malfunction",1); AddConstEx(id,"DTC_P1529", 0x7c, 0xffffffff); SetConstCmt(GetConst(id,0x7c,0xffffffff),"Camshaft Control Circuit Short to B+",1); AddConstEx(id,"DTC_P1560", 0x7d, 0xffffffff); SetConstCmt(GetConst(id,0x7d,0xffffffff),"Maximum Engine Speed Exceeded",1); AddConstEx(id,"DTC_P1392", 0x7e, 0xffffffff); SetConstCmt(GetConst(id,0x7e,0xffffffff),"Camshaft Pos.Sensor,Bank2 Open Circ./Short to B+",1); AddConstEx(id,"DTC_P1338", 0x7f, 0xffffffff); SetConstCmt(GetConst(id,0x7f,0xffffffff),"Internal Contr. Module drive by wire error",1); AddConstEx(id,"DTC_P1606", 0x80, 0xffffffff); SetConstCmt(GetConst(id,0x80,0xffffffff),"Rough Road Spec Engine Torque ABS-ECU Electrical Malfunction",1); AddConstEx(id,"DTC_P1136_0", 0x81, 0xffffffff); SetConstCmt(GetConst(id,0x81,0xffffffff),"Long Term Fuel Trim Add.Fuel,Bank1 System too Lean",1); AddConstEx(id,"DTC_P1138_0", 0x82, 0xffffffff); SetConstCmt(GetConst(id,0x82,0xffffffff),"Long Term Fuel Trim Add.Fuel,Bank2 System too Lean",1); AddConstEx(id,"DTC_P1136_1", 0x83, 0xffffffff); SetConstCmt(GetConst(id,0x83,0xffffffff),"Long Term Fuel Trim Add.Fuel,Bank1 System too Lean",1); AddConstEx(id,"DTC_P1138_1", 0x84, 0xffffffff); SetConstCmt(GetConst(id,0x84,0xffffffff),"Long Term Fuel Trim Add.Fuel,Bank2 System too Lean",1); AddConstEx(id,"DTC_P1640", 0x85, 0xffffffff); SetConstCmt(GetConst(id,0x85,0xffffffff),"Internal Control Module (EEPROM) Error",1); AddConstEx(id,"DTC_P1434", 0x86, 0xffffffff); SetConstCmt(GetConst(id,0x86,0xffffffff),"Sec.Air Inj.Sys.Pump Relay Circ. Short to B+",1); AddConstEx(id,"DTC_P1423", 0x87, 0xffffffff); SetConstCmt(GetConst(id,0x87,0xffffffff),"Sec.Air Inj.Sys.,Bank1 Flow too Low",1); AddConstEx(id,"DTC_P1411", 0x88, 0xffffffff); SetConstCmt(GetConst(id,0x88,0xffffffff),"Sec.Air Inj.Sys.,Bank2 Flow too Flow",1); AddConstEx(id,"DTC_P1424", 0x89, 0xffffffff); SetConstCmt(GetConst(id,0x89,0xffffffff),"Sec.Air Inj.Sys.,Bank1 Leak Detected",1); AddConstEx(id,"DTC_P1414", 0x8a, 0xffffffff); SetConstCmt(GetConst(id,0x8a,0xffffffff),"Sec.Air Inj.Sys.,Bank2 Leak Detected",1); AddConstEx(id,"DTC_P1422", 0x8b, 0xffffffff); SetConstCmt(GetConst(id,0x8b,0xffffffff),"Sec.Air Inj.Sys.Contr.Valve Circ Short to B+",1); AddConstEx(id,"DTC_P1002", 0x8c, 0xffffffff); AddConstEx(id,"DTC_P1512", 0x8d, 0xffffffff); SetConstCmt(GetConst(id,0x8d,0xffffffff),"Intake Manifold Changeover Valve circuit Short to B+",1); AddConstEx(id,"DTC_P1606_1", 0x8e, 0xffffffff); SetConstCmt(GetConst(id,0x8e,0xffffffff),"Rough Road Spec Engine Torque ABS-ECU Electrical Malfunction",1); AddConstEx(id,"DTC_P0112", 0x8f, 0xffffffff); SetConstCmt(GetConst(id,0x8f,0xffffffff),"Intake Air Temp.Circ Low Input",1); AddConstEx(id,"DTC_P1250", 0x90, 0xffffffff); SetConstCmt(GetConst(id,0x90,0xffffffff),"Fuel too low",1); AddConstEx(id,"DTC_P0441", 0x91, 0xffffffff); SetConstCmt(GetConst(id,0x91,0xffffffff),"EVAP Emission Contr.Sys.Incorrect Purge Flow",1); AddConstEx(id,"DTC_P0442", 0x92, 0xffffffff); SetConstCmt(GetConst(id,0x92,0xffffffff),"EVAP Emission Contr.Sys.(Small Leak) Leak Detected",1); AddConstEx(id,"DTC_P0455", 0x93, 0xffffffff); SetConstCmt(GetConst(id,0x93,0xffffffff),"EVAP Emission Contr.Sys.(Gross Leak) Leak Detected",1); AddConstEx(id,"DTC_P1410", 0x94, 0xffffffff); SetConstCmt(GetConst(id,0x94,0xffffffff),"Tank Ventilation Valve Circ. Short to B+",1); AddConstEx(id,"DTC_P1467", 0x95, 0xffffffff); SetConstCmt(GetConst(id,0x95,0xffffffff),"EVAP Canister Purge Solenoid Valve Short Circuit to B+",1); AddConstEx(id,"DTC_P0117", 0x96, 0xffffffff); SetConstCmt(GetConst(id,0x96,0xffffffff),"Engine Coolant Temp.Circ Low Input",1); AddConstEx(id,"DTC_P1620", 0x97, 0xffffffff); SetConstCmt(GetConst(id,0x97,0xffffffff),"Engine coolant temperature signal open/short to B+",1); AddConstEx(id,"DTC_P0197", 0x98, 0xffffffff); SetConstCmt(GetConst(id,0x98,0xffffffff),"Engine Oil Temperature Circuit Low Input",1); AddConstEx(id,"DTC_P1029", 0x99, 0xffffffff); AddConstEx(id,"DTC_P0601", 0x9a, 0xffffffff); SetConstCmt(GetConst(id,0x9a,0xffffffff),"ECM - Checksum",1); AddConstEx(id,"DTC_P0563", 0x9b, 0xffffffff); SetConstCmt(GetConst(id,0x9b,0xffffffff),"System Voltage High Voltage",1); AddConstEx(id,"DTC_P1335", 0x9c, 0xffffffff); SetConstCmt(GetConst(id,0x9c,0xffffffff),"Engine Torque Monitoring 2 Control Limit Exceeded",1); AddConstEx(id,"DTC_P1388", 0x9d, 0xffffffff); SetConstCmt(GetConst(id,0x9d,0xffffffff),"Internal Contr. Module drive by wire error",1); AddConstEx(id,"DTC_P0604", 0x9e, 0xffffffff); SetConstCmt(GetConst(id,0x9e,0xffffffff),"Memory (RAM) Error",1); AddConstEx(id,"DTC_P0605", 0x9f, 0xffffffff); SetConstCmt(GetConst(id,0x9f,0xffffffff),"Internal Contr. Module ROM Test Error",1); AddConstEx(id,"DTC_P1603", 0xa0, 0xffffffff); SetConstCmt(GetConst(id,0xa0,0xffffffff),"Internal Control Module Malfunction",1); AddConstEx(id,"DTC_P1288", 0xa1, 0xffffffff); SetConstCmt(GetConst(id,0xa1,0xffffffff),"Turbocharger bypass valve short to B+",1); AddConstEx(id,"DTC_P0501", 0xa2, 0xffffffff); SetConstCmt(GetConst(id,0xa2,0xffffffff),"Vehicle Speed Sensor Range/Performance",1); AddConstEx(id,"DTC_P1570", 0xa3, 0xffffffff); SetConstCmt(GetConst(id,0xa3,0xffffffff),"Control Module Locked",1); AddConstEx(id,"DTC_P0606", 0xa4, 0xffffffff); SetConstCmt(GetConst(id,0xa4,0xffffffff),"ECM - Watchdog",1); AddConstEx(id,"DTC_P1356", 0xa5, 0xffffffff); SetConstCmt(GetConst(id,0xa5,0xffffffff),"Cyl. 1, ignition circuit Short to B+",1); AddConstEx(id,"DTC_P1365", 0xa6, 0xffffffff); SetConstCmt(GetConst(id,0xa6,0xffffffff),"Cyl. 4, ignition circuit Short circuit to B+",1); AddConstEx(id,"DTC_P1362", 0xa7, 0xffffffff); SetConstCmt(GetConst(id,0xa7,0xffffffff),"Cyl. 3, ignition circuit Short Circuit to B+",1); AddConstEx(id,"DTC_P1371", 0xa8, 0xffffffff); SetConstCmt(GetConst(id,0xa8,0xffffffff),"Cyl. 6, ignition circuit Short Circuit to B+",1); AddConstEx(id,"DTC_P1359", 0xa9, 0xffffffff); SetConstCmt(GetConst(id,0xa9,0xffffffff),"Cyl. 2, ignition circuit Short Circuit to B+",1); AddConstEx(id,"DTC_P1368", 0xaa, 0xffffffff); SetConstCmt(GetConst(id,0xaa,0xffffffff),"Cyl. 5, ignition circuit Short Circuit to B+",1); AddConstEx(id,"DTC_P1374", 0xab, 0xffffffff); SetConstCmt(GetConst(id,0xab,0xffffffff),"Cyl. 7, ignition circuit Short Circuit to B+",1); AddConstEx(id,"DTC_P1377", 0xac, 0xffffffff); SetConstCmt(GetConst(id,0xac,0xffffffff),"Cyl. 8, ignition circuit Short Circuit to B+",1); AddConstEx(id,"DTC_MAX", 0xad, 0xffffffff); SetConstCmt(GetConst(id,0xad,0xffffffff),"Maximum number of DTC blocks",1); id = AddEnum(-1,"LOCALVAR",0x1100000); AddConstEx(id,"LOCALVAR_0", 0x0, 0xffffffff); AddConstEx(id,"LOCALVAR_1", 0x1, 0xffffffff); AddConstEx(id,"LOCALVAR_2", 0x2, 0xffffffff); AddConstEx(id,"LOCALVAR_3", 0x3, 0xffffffff); AddConstEx(id,"LOCALVAR_4", 0x4, 0xffffffff); AddConstEx(id,"LOCALVAR_5", 0x5, 0xffffffff); AddConstEx(id,"LOCALVAR_6", 0x6, 0xffffffff); AddConstEx(id,"LOCALVAR_7", 0x7, 0xffffffff); AddConstEx(id,"LOCALVAR_8", 0x8, 0xffffffff); AddConstEx(id,"LOCALVAR_9", 0x9, 0xffffffff); AddConstEx(id,"LOCALVAR_10", 0xa, 0xffffffff); AddConstEx(id,"LOCALVAR_11", 0xb, 0xffffffff); AddConstEx(id,"LOCALVAR_12", 0xc, 0xffffffff); AddConstEx(id,"LOCALVAR_13", 0xd, 0xffffffff); AddConstEx(id,"LOCALVAR_14", 0xe, 0xffffffff); AddConstEx(id,"LOCALVAR_15", 0xf, 0xffffffff); AddConstEx(id,"LOCALVAR_16", 0x10, 0xffffffff); AddConstEx(id,"LOCALVAR_17", 0x11, 0xffffffff); AddConstEx(id,"LOCALVAR_18", 0x12, 0xffffffff); AddConstEx(id,"LOCALVAR_19", 0x13, 0xffffffff); AddConstEx(id,"LOCALVAR_20", 0x14, 0xffffffff); AddConstEx(id,"LOCALVAR_21", 0x15, 0xffffffff); AddConstEx(id,"LOCALVAR_22", 0x16, 0xffffffff); AddConstEx(id,"LOCALVAR_23", 0x17, 0xffffffff); AddConstEx(id,"LOCALVAR_24", 0x18, 0xffffffff); AddConstEx(id,"LOCALVAR_25", 0x19, 0xffffffff); AddConstEx(id,"LOCALVAR_26", 0x1a, 0xffffffff); id = AddEnum(-1,"FLASH_OPS",0x1100000); AddConstEx(id,"FLASH_OPS_0", 0x0, 0xffffffff); AddConstEx(id,"FLASH_OPS_1", 0x1, 0xffffffff); AddConstEx(id,"FLASH_OPS_2", 0x2, 0xffffffff); AddConstEx(id,"FLASH_OPS_3", 0x3, 0xffffffff); AddConstEx(id,"FLASH_OPS_4", 0x4, 0xffffffff); AddConstEx(id,"FLASH_OPS_5", 0x5, 0xffffffff); AddConstEx(id,"FLASH_OPS_6", 0x6, 0xffffffff); id = AddEnum(-1,"LOGIC",0x1100000); AddConstEx(id,"FALSE", 0x0, 0xffffffff); AddConstEx(id,"TRUE", 0x1, 0xffffffff); } //------------------------------------------------------------------------ // Information about enum types static Enums(void) { auto id; id = Enums_0(id); } static Structures_0(id) { // if (AskYN(1,"Do you want to define structures?") != 1) // return; Message("++++++++++++++++++++\n"); Message("Creating Structures \n"); Message("++++++++++++++++++++\n"); id = AddStrucEx(-1,"strDTC_Struct",0); SetStrucComment(id,"DTC Structure",1); id = AddStrucEx(-1,"SeedLookup",0); id = AddStrucEx(-1,"ADCCheck",0); id = AddStrucEx(-1,"strChkSumBlock",0); id = AddStrucEx(-1,"strDTC_Store",0); id = GetStrucIdByName("strDTC_Struct"); AddStrucMember(id,"DTC1", 0x0, 0x10100400, -1, 2); AddStrucMember(id,"DTC2", 0x2, 0x10100400, -1, 2); AddStrucMember(id,"DTC3", 0x4, 0x10100400, -1, 2); AddStrucMember(id,"DTC4", 0x6, 0x10100400, -1, 2); id = GetStrucIdByName("SeedLookup"); AddStrucMember(id,"Seed", 0x0, 0x10000400, -1, 4); id = GetStrucIdByName("ADCCheck"); AddStrucMember(id,"bField_0", 0x0, 0x10000400, -1, 2); AddStrucMember(id,"bField_2", 0x2, 0x10000400, -1, 2); AddStrucMember(id,"ValueA", 0x4, 0x10000400, -1, 2); AddStrucMember(id,"ValueB", 0x6, 0x10000400, -1, 2); id = GetStrucIdByName("strChkSumBlock"); AddStrucMember(id,"StartAddr", 0x0, 0x10100400, -1, 2); AddStrucMember(id,"StartSeg", 0x2, 0x10100400, -1, 2); AddStrucMember(id,"EndAddr", 0x4, 0x10100400, -1, 2); AddStrucMember(id,"EndSeg", 0x6, 0x10100400, -1, 2); AddStrucMember(id,"ChksumLo", 0x8, 0x10100400, -1, 2); SetMemberComment(id, 0x8, "Chksum Lo", 1); AddStrucMember(id,"ChksumHi", 0xa, 0x10100400, -1, 2); SetMemberComment(id, 0xa, "Chksum Hi", 1); AddStrucMember(id,"InvChksumLo", 0xc, 0x10100400, -1, 2); SetMemberComment(id, 0xc, "Chksum Lo inverted", 1); AddStrucMember(id,"InvChksumHi", 0xe, 0x10100400, -1, 2); SetMemberComment(id, 0xe, "Chksum Hi inverted", 1); id = GetStrucIdByName("strDTC_Store"); AddStrucMember(id,"field_0", 0x0, 0x000400, -1, 1); AddStrucMember(id,"DTCA_Hi", 0x1, 0x100400, -1, 1); AddStrucMember(id,"DTCA_Lo", 0x2, 0x100400, -1, 1); AddStrucMember(id,"DTCB_Hi", 0x3, 0x100400, -1, 1); AddStrucMember(id,"DTCB_Lo", 0x4, 0x100400, -1, 1); AddStrucMember(id,"field_5", 0x5, 0x000400, -1, 1); AddStrucMember(id,"field_6", 0x6, 0x000400, -1, 1); AddStrucMember(id,"field_7", 0x7, 0x000400, -1, 1); AddStrucMember(id,"field_8", 0x8, 0x000400, -1, 1); AddStrucMember(id,"field_9", 0x9, 0x000400, -1, 1); AddStrucMember(id,"field_A", 0xa, 0x000400, -1, 1); AddStrucMember(id,"field_B", 0xb, 0x000400, -1, 1); AddStrucMember(id,"field_C", 0xc, 0x000400, -1, 1); AddStrucMember(id,"field_D", 0xd, 0x000400, -1, 1); } //------------------------------------------------------------------------ // Information about structure types static Structures(void) { auto id; id = Structures_0(id); } //------------------------------------------------------------------------ // Information about bytes static Bytes_0(void) { auto x; #define id x // ExtLinA (0x0, 0, "; GOLF 4 R32 3.2L V6"); ExtLinA (0x0, 1, "; Disassembly by Andy Whittaker"); ExtLinA (0x0, 2, "; http://www.andywhittaker.com/"); // MakeRptCmt (0x812d10, "This is a test repeat comment at 0x812d10"); // MakeWord (x=0x812d10); // OpHex (x, 0); // MakeName (0x812d10, "TestName_812D10"); } static Bytes(void) { Bytes_0(); } static DTC_Enum(void) { auto string; // if (AskYN(1,"Do you want to search for and translate DTC Enumerations?") != 1) // return; Message("+++++++++++++++++++++++++++++++++++++++++++++++\n"); Message("Searching and translating enumerations for DTCs \n"); Message("+++++++++++++++++++++++++++++++++++++++++++++++\n"); string = "bfldh"; MakeC16xEnum(0x800000,string); string = "bfldl"; MakeC16xEnum(0x800000,string); Message("\nDTC Enum search complete!\n"); } //converts a C16x bitfield instruction to an Bosch Enum // ea = linear address to search from // search_string = string to search for static MakeC16xEnum(ea,search_string) { auto enums_found; auto lin_address; auto next_address; auto operand; enums_found = 0; lin_address = 0; Message("\nLooking for Enums - Ref %s\n", search_string); lin_address = FindText(ea,SEARCH_DOWN,0,0,search_string); while(lin_address != BADADDR) { operand = GetOpnd(lin_address, 0); Message("Found Enum %s at 0x%lx, operand %s", search_string, lin_address, operand); if ((operand == "r1") | (operand == "r2") | (operand == "r3") | (operand == "r4") | (operand == "r5")) { if (search_string == "bfldh") { Message(" - Enumerating DTCHBit\n"); OpEnumEx(lin_address,1,GetEnum("DTCHBit"),0); } else if (search_string == "bfldl") { Message(" - Enumerating DTCLBit\n"); OpEnumEx(lin_address,1,GetEnum("DTCLBit"),0); } enums_found++; } else Message("- Ignoring\n"); lin_address = lin_address + 0x10; next_address = FindText(lin_address,SEARCH_DOWN | SEARCH_NEXT,0,0,search_string); lin_address = next_address; // new search point } Message("\nDTC Enum search for %s complete! Enums found = %ld\n", search_string, enums_found); } //This routine increments through the disassembled code and tries to convert //the segment:offset pairs into a real offset address. Bosch generally uses //r12 as a table location with the following r13 instruction as the C16x //segment offset. //The routine finds the r13 reference, back-tracks 4 bytes to the r12 reference //and passes this address onto the MakeC16xOffset function. static TranslateOffsets(void) { auto string; // if (AskYN(1,"Do you want to search for tables?") != 1) // return; Message("++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"); Message("Translating offsets in code to reference lookup tables\n"); Message("++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"); string = ", #204h"; MakC16xOffsetLp(0x800000,0x204,string); string = ", #205h"; MakC16xOffsetLp(0x800000,0x205,string); string = ", #206h"; MakC16xOffsetLp(0x800000,0x206,string); string = ", #207h"; MakC16xOffsetLp(0x800000,0x207,string); string = ", #209h"; MakC16xOffsetLp(0x800000,0x209,string); string = ", #20Ah"; MakC16xOffsetLp(0x800000,0x20a,string); // string = ", #20Bh"; // MakC16xOffsetLp(0x800000,0x20b,string); // string = ", #20Ch"; // MakC16xOffsetLp(0x800000,0x20c,string); // string = ", #20Dh"; // MakC16xOffsetLp(0x800000,0x20d,string); Message("\nLookup tables search complete!\n"); } //converts a C16x table offset to an IDA linear offset over an address range // ea = linear address to search from // seg = the segment address the operand relates to // search_string = string to search for static MakC16xOffsetLp(ea,seg,search_string) { auto tables_found; auto lin_address; auto next_address; auto operand; tables_found = 0; Message("\nLooking for tables in segment 0x%x (0x%lx) - Ref %s\n", seg, ea, search_string); lin_address = FindText(ea,SEARCH_DOWN,0,0,search_string); while(lin_address != BADADDR) { operand = GetOpnd(lin_address, 0); Message("Found reference %s at 0x%lx, operand %s", search_string, lin_address, operand); if ((operand == "r5") | (operand == "r13") | (operand == "r14") | (operand == "r15")) { MakeC16xOffset(lin_address, seg);// Create the table entry at the previous instruction tables_found++; } else Message("- Ignoring\n"); lin_address = lin_address + 0x8; next_address = FindText(lin_address,SEARCH_DOWN | SEARCH_NEXT,0,0,search_string); lin_address = next_address; // new search point } Message("\nLookup tables found = %ld at segment 0x%lx\n", tables_found, seg); } //converts a C16x table offset to an IDA linear offset // ea = linear address of instruction // seg = the segment address the operand relates to static MakeC16xOffset(ea,seg) { auto x; auto offset; auto table_address; x=ea - 0x4; // MakeCode (x=ea); //convert the C16x offset into an address offset = seg * 0x4000; //create the offset OpOff (x, 1, offset); OpOff (x, 129, offset); table_address = GetOperandValue(x,1) + offset; //find what the table's address is Message("- Table reference at 0x%lx is probably: 0x%lx\n",x,table_address); MakeRptCmt(table_address, "Probable Lookup Table"); } //This routine increments through the disassembled code and tries to convert //the offsets for conditional jumps into a real addresses. //The routine finds the jmpi reference, back-tracks 6 bytes to the offset reference //and passes this address onto the MakeC16xOffset function. static TranslateJmpi(void) { auto string; auto tables_found; auto lin_address; auto next_address; auto segment; auto table_address; auto namestr; auto instruction;// test string // if (AskYN(1,"Do you want to search for jump tables?") != 1) // return; Message("++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"); Message("Translating jumps in code to reference function jump lookup tables\n"); Message("++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"); string = "jmpi cc_UC, ["; //what we want to search for tables_found = 0; lin_address = FindText(0x800000,SEARCH_DOWN,0,0,string); // lin_address = FindText(0x834000,SEARCH_DOWN,0,0,string); while(lin_address != BADADDR) { // Check where the offset table is by backtracking // and checking for the add instruction. if (GetMnem(lin_address - 4) == "add") { if (GetMnem(lin_address - 6) == "shl") { //if we're here, then the table is an offset to the current segment. //If the add instruction is directly before the jmpi, //the offset is an offset from the current segment. lin_address = lin_address - 4; segment = (lin_address & 0xff0000); OpOff(lin_address,1, segment);//Make the offset table_address = GetOperandValue(lin_address,1) + segment; //find what the table's address is Message("Offset table reference at 0x%lx is probably: 0x%lx\n",lin_address, table_address); MakeRptCmt(table_address, "Function Jump Table"); namestr = "jtbl_"; namestr = namestr + ltoa(table_address, 16); MakeName(table_address, ""); MakeName(table_address, namestr); } } else if (GetMnem(lin_address - 6) == "add") { //If the add instruction is not before the jmpi, but a //mov rx, [rx] is following it, then the offset is from //the data segment. lin_address = lin_address - 6; segment = (lin_address & 0xff0000); // OpOff(lin_address,1, segment);//Make the offset OpOff(lin_address,1, 0x810000);//Make the offset OpOff(lin_address,129, 0x810000); table_address = GetOperandValue(lin_address,1) + 0x810000; //find what the table's address is // table_address = GetOperandValue(lin_address,1); //find what the table's address is Message("Function table reference at 0x%lx is probably: 0x%lx\n",lin_address,table_address); MakeRptCmt(table_address, "Probable Function Lookup Table"); namestr = "jtbl_"; namestr = namestr + ltoa(table_address, 16); MakeName(table_address, ""); MakeName(table_address, namestr); } tables_found++; lin_address = lin_address + 0x10; next_address = FindText(lin_address,SEARCH_DOWN | SEARCH_NEXT,0,0,string); // if (next_address >= 0x840000) // break; lin_address = next_address; // new search point } Message("\nConditional jump search complete! Jump tables found = %ld\n", tables_found); } //Loads a WinOLS csv export static LoadMapPackCSV(void) { auto filename; auto hFHandle; auto flength; auto chin; auto fstring; auto addressstr; auto commentstr; auto arraystr; auto fstringlength; auto stringindex; auto address; auto namestr; if (AskYN(1,"Do you want to import map pack tables?") != 1) return; filename = AskFile(0,"*.csv","Select WinOLS CSV MapPack to import"); // ask a file name if (filename == 0) return; Message("++++++++++++++++++++++++++++++++++\n"); Message("Importing Map Pack WinOLS csv file\n"); Message("++++++++++++++++++++++++++++++++++\n"); hFHandle = fopen(filename,"r"); flength = filelength(hFHandle); while(fstring != -1) { addressstr = ""; commentstr = ""; arraystr = ""; //read the first line in fstring = readstr(hFHandle); fstringlength = strlen(fstring); //check to see if the line contains an address //if it's an address, the 2nd char will be a $ if (substr(fstring, 1, 2) == "$") { stringindex = 2; //Read through each character of the string to extract our 3 strings //1st the address string for(;stringindex