Title: EDC16/MPC555
Post by: nihalot on April 11, 2017, 11:29:54 PM

Hi guys, so I'm starting my next project: EDC16U1/34

What I know:
EDC16U1 - SDA: 0x4017F0, TOC: not used
Loading address - IROM: 0x0, Flash: 0x800000

Unlike MED9, TOC (r2) is not used for referencing addresses in flash. Instead, I think, GOT (Global Offset Table) is used. Does anyone know how to set it up to have correct xrefs?

I was able to get a RAM dump (3F9800-408000). Tried searching for the CAN bus buffer, but the CAN IDs are not directly present in RAM. Instead, they are scrambled, stored in RAM, then unscrambled and then sent over CAN. I'm trying to figure out the scrambling math, will post a screen cap of the scrambling/unscrambling function which I found. The scrambling function is the same on both U1 and U34.

DPRAM is used for CAN.

EDIT - RAM starts at 3F9800, not 3F8000.

Title: Re: EDC16/MPC555
Post by: nubcake on April 12, 2017, 05:33:03 PM

I have only played with petrol MPCs so far (MED9), but 3F8000-408000 don't look like correct RAM addresses.
0x400000-0x480000 is IROM there.

Title: Re: EDC16/MPC555
Post by: nihalot on April 12, 2017, 07:54:32 PM

Hi,
this is what threw me off track initially, but an EDC16U1 A2L lists the following RAM addresses.

Code:
    /begin MEMORY_SEGMENT ExtRam4FE000 "" VARIABLES RAM EXTERN 0x4FE000 0x2000 -1 -1 -1 -1 -1

Also, I have correct xrefs in IDA with this SDA and RAM segment... I believe the "EXTERN" RAM is for the ETK tool and not actually present in the ECU.

Title: Re: EDC16/MPC555
Post by: Tim on April 13, 2017, 04:10:16 AM

Hi Nihalot,
the memory layout is different to the files I've been looking at, however they do vary slightly so it doesn't surprise me. Therefore the SDA you have looks like it will be correct. Follow the A2L and you'll be fine, as all the memory addresses further down the A2L will be in the right places and can be easily labelled.

Yes, there is an offset table (actually a few, I'm thinking datablocks e.g. auto, 4x4, manual etc.) for the flash data addressing. You should be able to find it by looking at your file in 32-bit view on WinOLS. Took me ages to figure out how it was calling it, but data seems to be referenced by offsets on higher registers r26-r31 with initial values loaded from another register (on the files I've looked at it's r15). So it's like an offset with another offset on top. A bit like the double index links (I don't really know the correct terminology of these things) on EDC17 too.

Working backwards and subtracting from the lwz and addi ops on those higher registers meant I could figure out the initial value of r15 - right at the start of the offset table. You'll need to create a user-defined offset for the other registers using r15 as the base address and the rest of the data references will start to appear.

(https://s20.postimg.org/638sp2drx/EDC16_sub_with_refs.jpg)

Regards

Title: Re: EDC16/MPC555
Post by: nubcake on April 13, 2017, 10:21:24 AM

> I believe the "EXTERN" RAM is for the ETK tool and not actually present in the ECU.

Interesting suggestion. A2L mentions "CCP" and "McMess" at those addresses, so must be it. :)

Title: Re: EDC16/MPC555
Post by: Teitek on April 22, 2017, 03:39:00 AM

> Hi Nihalot,
> the memory layout is different to the files I've been looking at, however they do vary slightly so it doesn't surprise me. Therefore the SDA you have looks like it will be correct. Follow the A2L and you'll be fine, as all the memory addresses further down the A2L will be in the right places and can be easily labelled.
>
> Yes, there is an offset table (actually a few, I'm thinking datablocks e.g. auto, 4x4, manual etc.) for the flash data addressing. You should be able to find it by looking at your file in 32-bit view on WinOLS. Took me ages to figure out how it was calling it, but data seems to be referenced by offsets on higher registers r26-r31 with initial values loaded from another register (on the files I've looked at it's r15). So it's like an offset with another offset on top. A bit like the double index links (I don't really know the correct terminology of these things) on EDC17 too.
>
> Working backwards and subtracting from the lwz and addi ops on those higher registers meant I could figure out the initial value of r15 - right at the start of the offset table. You'll need to create a user-defined offset for the other registers using r15 as the base address and the rest of the data references will start to appear.
>
> (https://s20.postimg.org/638sp2drx/EDC16_sub_with_refs.jpg)
>
> Regards

Then the addressing is very similar to MED17 / EDC17... I supposed it. In EDC16U1 the addressing table is at the beginning of the flash; on EDC16U3x I saw that they have other addressing tables. My big problem is loading these files in IDA.. Thanks and great work!!
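Tim's description, quoted again in the post above (the start of the offset table loaded into r15, r26-r31 used as second-level bases, and the base recovered by subtracting the lwz/addi immediates from a known data address), can be checked mechanically. The script below is an added example written for this page, not code from the thread, from IDA or from WinOLS: it walks a constructed PowerPC disassembly fragment, tracks register values, and turns every base+offset load/store into an absolute address, refreshing a register when it loads a 32-bit word from a known flash location so that an offset-table entry becomes a new base. Only the SDA value (0x4017F0) and the 0x800000 flash base come from the thread; the listing, the table location 0x801000, the table contents and the `recover_base` helper are constructed for illustration, and treating r13 as the small-data base register follows the PowerPC EABI.

```python
import re

SDA_BASE = 0x4017F0      # r13 value the thread gives for EDC16U1
FLASH_BASE = 0x800000    # flash load address the thread gives

# Constructed flash contents: a small offset table at FLASH_BASE + 0x1000 whose
# 32-bit entries point at data blocks (the table address and values are made up).
OFFSET_TABLE_ADDR = FLASH_BASE + 0x1000
FLASH_WORDS = {
    OFFSET_TABLE_ADDR + 0x0: 0x00812000,
    OFFSET_TABLE_ADDR + 0x4: 0x00812400,
    OFFSET_TABLE_ADDR + 0x8: 0x00813000,
}

# Constructed disassembly fragment in the style of the thread's listing.
SAMPLE_LISTING = """
lis     r15, 0x80            # r15 = 0x00800000
addi    r15, r15, 0x1000     # r15 -> start of the offset table
lwz     r26, 0x8(r15)        # r26 = table[2], a second-level base
lwz     r27, 0x4(r15)        # r27 = table[1]
lhz     r3, 0x14(r26)        # 16-bit value inside the block r26 points at
lwz     r4, -0x7F00(r13)     # small-data (RAM) variable via the SDA base
stw     r5, 0x20(r27)        # store into the block r27 points at
"""

LOADS = {"lwz", "lhz", "lbz", "lha", "lfs"}
STORES = {"stw", "sth", "stb", "stfs"}
_RE_DFORM = re.compile(r"^(\w+)\s+(r\d+),\s*(-?0x[0-9a-fA-F]+|-?\d+)\((r\d+)\)$")
_RE_ADDI = re.compile(r"^(addi|addis|subi)\s+(r\d+),\s*(r\d+),\s*(-?0x[0-9a-fA-F]+|-?\d+)$")
_RE_LI = re.compile(r"^(li|lis)\s+(r\d+),\s*(-?0x[0-9a-fA-F]+|-?\d+)$")


def _s16(v):
    """Sign-extend a 16-bit D-form immediate, as the CPU does."""
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v


def resolve_references(listing, flash_words, sda_base=SDA_BASE):
    """Return [(mnemonic, register, effective_address)] for each load/store
    whose base register value is known at that point.  A lwz from a known
    flash word refreshes the destination register, which is how an entry of
    the table addressed by r15 becomes a new base in r26-r31."""
    regs = {"r13": sda_base}     # r13 is constant for the whole program
    refs = []
    for raw in listing.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := _RE_LI.match(line):
            op, rd, imm = m.groups()
            imm = _s16(int(imm, 0))
            regs[rd] = ((imm << 16) if op == "lis" else imm) & 0xFFFFFFFF
        elif m := _RE_ADDI.match(line):
            op, rd, ra, imm = m.groups()
            imm = _s16(int(imm, 0))
            imm = -imm if op == "subi" else (imm << 16 if op == "addis" else imm)
            if ra in regs:
                regs[rd] = (regs[ra] + imm) & 0xFFFFFFFF
            else:
                regs.pop(rd, None)
        elif (m := _RE_DFORM.match(line)) and m.group(1) in LOADS | STORES:
            op, rd, imm, ra = m.groups()
            if ra not in regs:          # unknown base: a load makes rd unknown too
                if op in LOADS:
                    regs.pop(rd, None)
                continue
            ea = (regs[ra] + _s16(int(imm, 0))) & 0xFFFFFFFF
            refs.append((op, rd, ea))
            if op in LOADS:
                if op == "lwz" and ea in flash_words:
                    regs[rd] = flash_words[ea]   # table entry becomes a new base
                else:
                    regs.pop(rd, None)           # RAM or unknown contents
    return refs


def recover_base(known_address, immediate):
    """Tim's 'working backwards': a data address known from the A2L minus the
    immediate used in the lwz/addi gives the value the base register held."""
    return (known_address - _s16(immediate)) & 0xFFFFFFFF


if __name__ == "__main__":
    for op, reg, ea in resolve_references(SAMPLE_LISTING, FLASH_WORDS):
        region = "flash" if ea >= FLASH_BASE else "below flash"
        print(f"{op:4s} {reg:4s} -> 0x{ea:06X} ({region})")
    # Knowing the r26 load hit 0x801008 and used immediate 0x8 gives r15 back.
    print(f"r15 = 0x{recover_base(0x801008, 0x8):06X}")
```

Running it shows the two-level scheme directly: the r15-relative loads land on table entries in flash, the references through r26 and r27 land inside the blocks those entries point at, and the -0x7F00(r13) load resolves to 0x3F98F0, inside the 3F9800-408000 RAM range nihalot quoted. `recover_base` is the same subtraction run the other way, which is how a register's initial value can be pinned down once one A2L address and the immediate used to reach it are known.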