NefMoto

Technical => Reverse Engineering => Topic started by: fknbrkn on November 15, 2016, 02:27:18 PM



Title: error_flags setting workaround
Post by: fknbrkn on November 15, 2016, 02:27:18 PM
hi
Here is a little guide on how to find the routine which activates the error flags.
For example, we are interested in the e_dk flag.

1. Find e_dk in the ECU file (0x383952 in my case).
Do the same in IDA. You can see there are a few xrefs for reading this RAM value but none for a write, and that is the problem.

2. Go upward to the first defined word; the undefined word above it is the start of the table.
This word is used in the dtc_set routine as the base for the offset.
0x383920 in my file (= 0xB920) 

3. There is some math to find the routine where the error_flag is set.
In our case with e_dk it is
383952h-383920h = 32h
divide it by 2 (32h/2 = 19h)

4. Now search for #19h in IDA.
Multiple results will be found, of course.
We are interested only in this one:

               mov r12, #19h

Go there, and if your code looks like this

                mov     [-r0], r4
                mov     r12, #19h
                calls   84h, sub_12345

then it's yours.

5. To be sure, jump to sub_12345 and there should be some lines like

                 mov     r5, #0B920h

yay
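The offset arithmetic and the pattern search from the post, as an added worked example that is not part of the original post. It computes the dtc_set immediate from a flag address and the table base, derives the 16-bit form of the base, and then scans a disassembly listing for a `mov r12, #imm` that is immediately followed by a `calls`, skipping the unrelated hits the post warns about. Assumptions of mine: the listing below is constructed sample text in IDA's C166 syntax, not from a real ECU dump; the 0xB920 short form is taken to be the C166 DPP encoding (low 14 bits of the address with the DPP number in bits 15:14, DPP2 here, which reproduces the post's number); all function names are mine.

```python
import re

# Worked values from the post: the e_dk flag and the error_flags table base.
E_DK_ADDR = 0x383952
TABLE_BASE = 0x383920

# Constructed sample listing (not a real ECU dump). It contains one decoy
# "mov r12, #19h" with no calls after it, the real dtc_set call for index
# 19h, a call for a neighbouring flag (1Ah), and the callee that loads the
# 16-bit table base, as the post describes.
LISTING = """
sub_1000:
                mov     r12, #19h      ; decoy: loop counter, no dtc_set call follows
                add     r4, r12
                ret
sub_2000:
                mov     [-r0], r4
                mov     r12, #19h
                calls   84h, sub_12345
                mov     r4, [r0+]
                ret
sub_3000:
                mov     r12, #1Ah
                calls   84h, sub_12345
                ret
sub_12345:
                mov     r5, #0B920h
                shl     r12, #1
                add     r5, r12
                ret
"""

MOV_R12 = re.compile(r"^\s*mov\s+r12,\s*#([0-9A-Fa-f]+)h\b", re.I)
MOV_IMM = re.compile(r"^\s*mov\s+r\d+,\s*#([0-9A-Fa-f]+)h\b", re.I)
CALLS = re.compile(r"^\s*calls\s+[0-9A-Fa-f]+h,\s*(\w+)", re.I)
LABEL = re.compile(r"^(\w+):")


def flag_index(flag_addr, table_base):
    """Immediate that dtc_set receives for a flag: the byte offset from the
    table base divided by two, because error_flags is a table of 16-bit words."""
    off = flag_addr - table_base
    if off < 0 or off % 2:
        raise ValueError(f"0x{flag_addr:X} is not a word in the table at 0x{table_base:X}")
    return off // 2


def dpp_short_address(addr, dpp):
    """16-bit data address for a 24-bit address under the C166 DPP scheme
    (assumption: low 14 bits of the address, DPP number in bits 15:14)."""
    return (dpp << 14) | (addr & 0x3FFF)


def _code_lines(listing):
    """Yield (line_no, text) with comments and blank lines stripped."""
    for n, raw in enumerate(listing.splitlines(), 1):
        text = raw.split(";", 1)[0].rstrip()
        if text.strip():
            yield n, text


def find_dtc_set_callers(listing, index):
    """Return (line_no, callee) for every 'mov r12, #index' that is directly
    followed by a 'calls'. A matching immediate with no calls after it is
    one of the unrelated hits and is skipped."""
    lines = list(_code_lines(listing))
    hits = []
    for (n, text), (_, nxt) in zip(lines, lines[1:]):
        m = MOV_R12.match(text)
        if not m or int(m.group(1), 16) != index:
            continue
        c = CALLS.match(nxt)
        if c:
            hits.append((n, c.group(1)))
    return hits


def callee_loads_table_base(listing, callee, short_base):
    """Step 5 check: does the body of `callee` load the 16-bit table base
    into a register (e.g. 'mov r5, #0B920h')?"""
    inside = False
    for _, text in _code_lines(listing):
        lab = LABEL.match(text)
        if lab:
            inside = lab.group(1) == callee
            continue
        if inside and (m := MOV_IMM.match(text)) and int(m.group(1), 16) == short_base:
            return True
    return False


if __name__ == "__main__":
    idx = flag_index(E_DK_ADDR, TABLE_BASE)
    base16 = dpp_short_address(TABLE_BASE, 2)
    print(f"search IDA for #{idx:X}h; table base in short form is 0x{base16:X}")
    for line_no, callee in find_dtc_set_callers(LISTING, idx):
        ok = callee_loads_table_base(LISTING, callee, base16)
        print(f"line {line_no}: calls {callee} -> loads table base: {ok}")
```

Run it as a script to print the immediate to search for and every candidate call site; to use it on your own file, export the IDA listing to text and pass it in place of `LISTING`.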