Title: Reversing Mercedes-Benz Bosch ME9.7
Post by: diag111 on March 27, 2019, 01:07:06 PM

Hello!
I am new to reversing and as a workout I start with Mercedes-Benz Bosch ME9.7. My goal is to find the seed key algorithm. It is possible to test it on a real ECU Bosch ME9.7. I use for reversing a full dump for this ECU (virgin ECU). In IDA Pro I choose PowerPC big-endian.
I have questions:
1. What sda (r13) address should I enter in the settings? I see the line:
   ROM:000010E0 lis r13, 0x80 # 0x7FFFF0 # 'А'
   I can not find anything in the documentation about the parameters: # 0x7FFFF0 # 'A'
2. How to find the TOC address?
IDA Database file: https://mega.nz/#!LL4UiSSL!CXenlS2SGp1g1FPqLEVepmLunOLb1uVZcmvbLR91tEA
Thanks.

Title: Re: Reversing Mercedes-Benz Bosch ME9.7
Post by: diag111 on April 02, 2019, 04:28:26 AM

I deal with SDA address:
It is known that register r13 contains the address of the SDA. Looking for IDA Pro mention of r13: IDA Pro -> Search -> text -> string -> r13
In the search results we see:
   ROM:000010E0 lis r13, 0x80 # 0x7FFFF0 # 'А'
   ROM:000010E4 addi r13, r13, -0x10 # 0x7FFFF0

   lis r13, 0x80 # 0x7FFFF0 # 'А'       // loaded into the upper bytes of r13 is the hexadecimal number 0x80, so it becomes 0x00800000
   addi r13, r13, -0x10 # 0x7FFFF0      // loaded into the lower bytes of r13 is the hexadecimal number -0x10, i.e. we need 0x00800000-0x10=0x007ffff0
After that r13 contains 0x7ffff0, and the # 0x7ffff0 in the IDA listing may be a tip.
SDA (r13) address = 0x7ffff0
Title: Re: Reversing Mercedes-Benz Bosch ME9.7
Post by: diag111 on April 02, 2019, 04:57:32 AM

I deal with TOC address:
It is known that register r2 contains the address of the TOC (Table of Contents). Looking for IDA Pro mention of r2: IDA Pro -> Search -> text -> string -> r2
In the search results we see:
   ROM:000010E8 lis r2, loc_17FF0@h          // the upper byte of the address of label loc_17FF0 is written to r2 ?
   ROM:000010EC addi r2, r2, loc_17FF0@l     // the lower byte of the address of label loc_17FF0 is written to r2 ?
r2 then becomes 0x17FF17FF ?
To understand the contents of loc_17FF0, from IDA:
   ROM:00017FF0 loc_17FF0:                    # DATA XREF: ROM:000010E8o
   ROM:00017FF0                               # ROM:000010ECo
   ROM:00017FF0 lhz r11, 0x28(r3)
   ROM:00017FF4 ori r11, r11, 0x80
   ROM:00017FF8 sth r11, 0x28(r3)
   ROM:00017FFC lbz r10, 0x10+var_8(r1)
   ROM:00018000 addi r10, r10, 1
   ROM:00018004 stb r10, 0x10+var_8(r1)
   ROM:00018008 lbz r12, 0x10+var_8(r1)
   ROM:0001800C addi r12, r12, 1
   ROM:00018010 stb r12, 0x10+var_8(r1)
   ROM:00018014 lhz r11, 0x28(r3)
   ROM:00018018 rlwinm r11, r11, 0,25,23
   ROM:0001801C sth r11, 0x28(r3)
   ROM:00018020 addi r1, r1, 0x10
   ROM:00018024 blr
   ROM:00018024                               # End of function sub_17FE0
Who knows the correct r2 value?

Title: Re: Reversing Mercedes-Benz Bosch ME9.7
Post by: de_F on April 04, 2020, 09:20:05 PM

Try TOC address: 0x5C9FF0
   0x56E0B4 lis r2, qword_5C9FF0@ha
   0x56E0B8 addi r2, r2, qword_5C9FF0@l
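Added example, not code from the thread or from any of the posters: it evaluates the PowerPC lis/addi idiom behind both the r13 (SDA) setup in diag111's post and the r2 (TOC) setup de_F shows, and makes the @h versus @ha distinction explicit. The two raw instruction words in the demo are hand-encoded from the mnemonics quoted in the thread, not bytes read from the dump.

```python
# Evaluate the PowerPC `lis rD, hi` / `addi rD, rD, lo` pair that IDA shows when
# r13 (SDA) and r2 (TOC) are initialised, and show why the low half being
# >= 0x8000 forces IDA to print @ha instead of @h for the upper half.
MASK32 = 0xFFFFFFFF

def sext16(imm):
    """Sign-extend a 16-bit immediate exactly as addi does."""
    imm &= 0xFFFF
    return imm - 0x10000 if imm & 0x8000 else imm

def lis_addi(hi16, simm16):
    """Register value after `lis rD, hi16` followed by `addi rD, rD, simm16`.
    lis (= addis rD, 0, imm) fills the upper halfword; addi adds a sign-extended
    16-bit immediate, so a 'negative' low half borrows 1 from the upper half."""
    return (((hi16 & 0xFFFF) << 16) + sext16(simm16)) & MASK32

def split_h_l(addr):
    """@h / @l: the plain halves. lis @h + addi @l only rebuilds addr if @l < 0x8000."""
    return (addr >> 16) & 0xFFFF, addr & 0xFFFF

def split_ha_l(addr):
    """@ha / @l: upper half pre-incremented when @l has bit 15 set, cancelling the
    sign extension addi performs, so lis @ha + addi @l always rebuilds addr."""
    lo = addr & 0xFFFF
    return ((addr >> 16) + (1 if lo & 0x8000 else 0)) & 0xFFFF, lo

def decode_pair(word1, word2):
    """Decode two raw big-endian instruction words as addis (opcode 15, rA = 0)
    followed by addi (opcode 14) on the same register; return (rD, value) or None."""
    def fields(w):
        return w >> 26, (w >> 21) & 0x1F, (w >> 16) & 0x1F, w & 0xFFFF
    op1, rd1, ra1, imm1 = fields(word1)
    op2, rd2, ra2, imm2 = fields(word2)
    if op1 != 15 or ra1 != 0 or op2 != 14 or rd2 != rd1 or ra2 != rd1:
        return None
    return rd1, lis_addi(imm1, imm2)

if __name__ == "__main__":
    # SDA: lis r13, 0x80 ; addi r13, r13, -0x10  -> 0x7FFFF0
    print(hex(lis_addi(0x80, -0x10)))
    # The same pair as instruction words (hand-encoded here, not read from the dump)
    print(decode_pair(0x3DA00080, 0x39ADFFF0))
    # TOC 0x5C9FF0: @l = 0x9FF0 has bit 15 set, so the upper half must be @ha = 0x5D
    print([hex(x) for x in split_ha_l(0x5C9FF0)], hex(lis_addi(*split_ha_l(0x5C9FF0))))
    print(hex(lis_addi(*split_h_l(0x5C9FF0))))  # 0x10000 too low if @h were used
    # Bootloader pair lis r2, loc_17FF0@h ; addi r2, r2, loc_17FF0@l -> 0x17FF0
    print(hex(lis_addi(*split_h_l(0x17FF0))))
```

The last line answers the 0x17FF17FF question in the second post: the two halves are combined, not concatenated, so that pair leaves r2 = 0x17FF0.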
Title: Re: Reversing Mercedes-Benz Bosch ME9.7
Post by: prj on April 05, 2020, 09:07:28 AM

   In the search results we see:
   ROM:000010E8 lis r2, loc_17FF0@h          // the upper byte of the address of label loc_17FF0 is written to r2 ?
   ROM:000010EC addi r2, r2, loc_17FF0@l     // the lower byte of the address of label loc_17FF0 is written to r2 ?

Ignore everything <0x10000. That is bootloader area, not ASW. It has nothing to do with the main app that is running, and it has its own registers and so on.

Title: Re: Reversing Mercedes-Benz Bosch ME9.7
Post by: de_F on April 05, 2020, 08:38:09 PM

Turns out using the same settings as on MED9.1, described elsewhere on this site, http://nefariousmotorsports.com/forum/index.php?topic=6834.0 works.
Use the above link as a guide, but change a few of the values using the below settings. The settings I'll give are not 100% correct, but should be good enough to get us started.
Load a 2Mb ME9.7 file using these settings:
   Pc Big Endian
   TOC : 0x5C9FF0
   SDA : 0x7FFFF0
   RAM @ 0x600000 size 0x400000
   ROM @ 0x000000 size 0x200000
   Loading address 0x000000 size 0x200000
   Select MPC5xx
Then select File tab -> Load File -> additional binary file. Select the same 2Mb ME9.7 bin, but this time we load it with an offset of 0x400000.
   Loading segment : 0x0
   Loading offset : 0x400000
   File offset in bytes : 0x0
   Number of bytes : 0x200000
Then we follow basano's MED9.1 guide, but select the whole area from 0x0 till 0x700000 and we have reasonably disassembled code to start with.
Again this is not 100% correct, things aren't decompiled enough in the 0x1C2000 - 0x200000 (or mirror at 0x5C2000-0x600000) region, so if anyone can improve these settings, let us know.