Title: ERCOS ME7
Post by: Maze10 on December 28, 2021, 05:01:26 PM

Here is a little explanation about ERCOS and ME7 management:
https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.1040.1066&rep=rep1&type=pdf

Title: Re: ERCOS ME7
Post by: 360trev on January 12, 2022, 08:10:25 AM

ETAS (fully owned by Bosch for many years now), who wrote the original C16x ERCOS, also ported its RTOS to PowerPC (MPC6xx). Since Bosch owns ETAS, it's hardly surprising that they used it in pretty much all Motronic SW versions. It's for instance also ported to Freescale's MPC6xx (as used in MED9.x) and to all the Infineon Tricore series automotive microcontrollers, so if you're interested in reverse engineering it, it's probably a bit easier to use Ghidra, which can translate Tricore and PPC code to C pseudo code. No such pseudo code options are available for C16x targets, so unless you're very familiar with the C16x instruction set, that's the way to go. Most of the core logic is the same across all targets... These are the core library components (originally written in C; sorry, no, I don't have the sources, just the filenames):

Code: erc_vers.c

Title: Re: ERCOS ME7
Post by: Blazius on January 12, 2022, 02:47:36 PM

Quote from: 360trev on January 12, 2022, 08:10:25 AM
> ETAS (fully owned by Bosch for many years now), who wrote the original C16x ERCOS, also ported its RTOS to PowerPC (MPC6xx). Since Bosch owns ETAS, it's hardly surprising that they used it in pretty much all Motronic SW versions. It's for instance also ported to Freescale's MPC6xx (as used in MED9.x) and to all the Infineon Tricore series automotive microcontrollers, so if you're interested in reverse engineering it, it's probably a bit easier to use Ghidra, which can translate Tricore and PPC code to C pseudo code. No such pseudo code options are available for C16x targets, so unless you're very familiar with the C16x instruction set, that's the way to go. Most of the core logic is the same across all targets... These are the core library components (originally written in C; sorry, no, I don't have the sources, just the filenames):
>
> Code: erc_vers.c

There was actually a plugin for Ghidra to support C166, like the Tricore module, but unfortunately it never took off and contains some bugs AFAIK. It can be found on GitHub. However, the more interesting thing is that some people actually ported the Ghidra decompiler to IDA; it should allow you to decompile/show into pseudo code in IDA. Never tested it myself though. Might be worth a try for someone.

EDIT: Looks like it might not work after all (no surprise) because it basically invokes Ghidra in headless mode, which still works off p-code, basically the processor modules, and since it doesn't support C166 out the gate it prolly won't. However someone could give it a go with the community C166 module and it should technically work like that I guess? Prolly seems to be that even tho the module was written correctly it seems to have had some bugs.
https://github.com/Cisco-Talos/GhIDA

Title: Re: ERCOS ME7
Post by: 360trev on January 13, 2022, 06:29:32 AM

Can you point people to the Ghidra C16x processor module? And any quick instructions on setup would be super useful. If it converts back to pseudo code it's interesting. I seriously doubt it will work very effectively at doing all the device control stuff (probably misses that out) and stuff like segment register management, etc., but any basic stuff is better than none!!!

Title: Re: ERCOS ME7
Post by: Blazius on January 13, 2022, 12:30:58 PM

Quote from: 360trev on January 13, 2022, 06:29:32 AM
> Can you point people to the Ghidra C16x processor module? And any quick instructions on setup would be super useful. If it converts back to pseudo code it's interesting. I seriously doubt it will work very effectively at doing all the device control stuff (probably misses that out) and stuff like segment register management, etc., but any basic stuff is better than none!!!

https://github.com/esaulenka/Ghidra_C166 here it is. You need to create a folder in ghidralocation\Ghidra\Processors called c166 or something, and then extract everything from the zip from GitHub into it. That should be it; then you can select the proc when you try to open a bin file:
(https://i.imgur.com/eZxeLMq.png)

Basically they are files to set the ESFR/SFRs etc., basically the proc setup according to the manual. One of the reported issues on the GitHub is that the SFR list does not seem to match the manual(s); the problem is that there seem to be 3 manual versions for the C166 family: the 1.0 one, the C166v2 one from 2001 that is the commonly referenced 166ism from keil.com, and the XC161 Infineon one.
https://github.com/esaulenka/Ghidra_C166/issues/12
https://github.com/esaulenka/Ghidra_C166/issues

If you wanna maybe develop it further/fix bugs, https://swarm.ptsecurity.com/creating-a-ghidra-processor-module-in-sleigh-using-v8-bytecode-as-an-example/ explains SLEIGH in Ghidra and the various files.

Title: Re: ERCOS ME7
Post by: 360trev on February 02, 2022, 12:20:18 PM

Just a quick note for other people trying this: this extension only works on the older versions of Ghidra!
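As an added illustration of the install step Blazius describes (not code from this thread or from the Ghidra_C166 project), this Python helper unpacks a processor module zip into Ghidra/Processors/c166, refuses zip entries that would land outside that folder, and checks that the SLEIGH files Ghidra expects under data/languages are present; the ldefs content in demo() is a constructed fixture, not the real module's.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile

# A Ghidra processor module keeps its SLEIGH files under data/languages.
REQUIRED_SUFFIXES = (".ldefs", ".pspec", ".cspec", ".slaspec")

def install_module(ghidra_dir, zip_path, name="c166"):
    """Extract zip_path into <ghidra_dir>/Ghidra/Processors/<name>; return that dir."""
    procs = os.path.join(ghidra_dir, "Ghidra", "Processors")
    if not os.path.isdir(procs):
        raise FileNotFoundError(f"no Ghidra/Processors dir under {ghidra_dir}")
    dest = os.path.join(procs, name)
    os.makedirs(dest, exist_ok=True)
    with zipfile.ZipFile(zip_path) as zf:
        for member in zf.namelist():
            # Refuse zip entries that would escape the module folder.
            target = os.path.realpath(os.path.join(dest, member))
            if not target.startswith(os.path.realpath(dest) + os.sep):
                raise ValueError(f"zip entry escapes module dir: {member}")
        zf.extractall(dest)
    return dest

def check_module(module_dir):
    """Report missing SLEIGH files and the language ids Ghidra's picker would list."""
    lang_dir = os.path.join(module_dir, "data", "languages")
    files = os.listdir(lang_dir) if os.path.isdir(lang_dir) else []
    missing = [s for s in REQUIRED_SUFFIXES if not any(f.endswith(s) for f in files)]
    languages = []
    for f in files:
        if f.endswith(".ldefs"):  # XML; each <language id=...> is one picker entry
            root = ET.parse(os.path.join(lang_dir, f)).getroot()
            languages += [lang.get("id") for lang in root.iter("language")]
    return {"missing": missing, "languages": sorted(languages)}

def demo():
    """Constructed fixture: fake Ghidra tree plus a minimal module zip (not the real C166 zip)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Ghidra", "Processors"))
    zip_path = os.path.join(root, "Ghidra_C166.zip")
    ldefs = ('<language_definitions><language processor="C166" endian="little" size="16" '
             'variant="default" version="1.0" slafile="c166.sla" processorspec="c166.pspec" '
             'id="C166:LE:16:default"/></language_definitions>')
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("data/languages/c166.ldefs", ldefs)
        zf.writestr("data/languages/c166.pspec", "<processor_spec/>")
        zf.writestr("data/languages/c166.slaspec", "# sleigh source")  # .cspec left out on purpose
    return check_module(install_module(root, zip_path))
```

Run demo() to see the check flag the deliberately missing .cspec while still listing the language id that would appear in Ghidra's processor picker.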