NefMoto

I finally got some time to twiddle with IDA PRO...

I'm trying to figure out this

http://nefariousmotorsports.com/forum/index.php?topic=3562.0title=

Here are the first few RAM locations (trying to trace bgmszs) I didn't have that I found.

Can some of the pros take a look and see if i got them right? (2.7t mbox of course)

 0000:F9EE       mste?
 0000:380C77       pspvdsmx?
 0000:38215C       mlhfmf_w?
 0000:3821A6       fwrldk_w?
 0000:3821AE       msdkalm_w?
 0000:3821CA       rlfdkroh_w?
 0000:3821D2       umsrln_w?

 0000:FD66.5 or .6 B_ehfm? (DHFM is at 0x851560?)

how am I doing?

Bout time Nye! Good shit 8)

Addresses confirmed.

0xFD66.5 is B_ehfm
0xFD66.6 is B_ehfs

0x851560 is part of BGMSZS

a few stupid noob idapro questions:

Is there a way to set up bitfields in IDA Pro?

How do you tag map locations? Just add a comment? The constants that are set up before map lookup are rarely the location itself.

If I use comments, i can't figure out how to search for them.

Also, what kind of function naming convention do you use?

Finally, would it be worth it to start some sort of shared db of ram and function locations?

hmm according to ME7L,

B_ehfs          , {}                                , 0x00FD66,  2,  0x0080, {}        , 0, 0,            1,      0, {Bedingung Ersatzwert Hauptfüllungssensor}

which is .7?

You can enumerate bitfields, but commenting is better for x-refing.

For maps, I usually manually adjust the address to accurately represent the DPP and comment the name.

Text search will find comments, but there isn't a need really. When do you find the need to search for comments?

I label functions in the flash per the FR.

What kind of shared DB did you have in mind?

Check it out...you tell me.

That's what I got when I looked briefly earlier.

OK, i am a TOTAL noob, so be gentle :)


I'm not sure how comments interact with x-refs.. i'll have to play with that more. especially dont undersand the difference between ":" and ";"


So. I totally don't get what you are saying... can you cut and paste an example? Keep in mind that while i understand the c166 pretty well at this point, IDA pro still baffles me.

 

e.g. say it says "jb 0xFD66.5 blah" and i want to comment it as '; B_ehfm' because i can't name "0xfd66.5" B_ehfm...

how do i search for B_ehfm? or are you saying if i do it right, B_ehfm will show up somehow as a x-ref?


Basically, some sort of editable/import/exportable db of function and ram locations.. I know IDAPro can export symbol tables... not sure about importing, but I know i can probably write some sort of plugin for it (once i figure out how plugins work etc). Also, would need some sort of metadata format so we can include conversions...

Altho we should really do it ASAP2 style, and have some sort of DB of "types" rather than repeat conversions for every damn item... then i could write a script to convert that to an .ecu file (and back) for ME7L, etc.

Not sure how to handle merging etc. but if i can do it all with a git repo with text files, i think it can work. I could also write a website/sql type of thing for it, but that would be a lot of work and probably beyond what i'm willing to work on solo.

This all depends, of course, if there is enough interest in some sort of shared effort.

7 is correct, and if you figured that out by looking at the line in the me7l ecu file you are on the right track

I like to add the comment to bits in the following style.  ; B_sl, {Bedingung Servo-Lenkung}
Sometimes the name of the bit is not good enough and the description nice to have.

Do you have a problem with text search for comments?

yea, its super slow (and doesn't work?) and i like the "xref" thing (where you highlight something then hit x).. does that work with comments? actually, don't answer that, I think i just need to experiment more..

if you say it works, i must just not be doing it right.

Ahh...I should have been more diligent.

0xFD66.6 is B_ehfm1
0xFD66.7 is B_ehfs

I searched the x-ref and mistakenly went off the repeatable comment from the jump. The repeatable comment from bset B_ehfs was displayed next to jb B_ehfm1.

"super slow" is very subjective. Can you put that in context, compare to something else. But sure, in my "car laptop" it takes 10sec to search from top to bottom of a 512mb flash idb. But it works well to find comments (no search parameters set).

nyet is there no linux assembler we can use or are we only able to use ida pro?

There is a native linux version of IDA Pro... have not tried it yet though.

There is a native linux version but they split the licenses last year so my license no longer includes both Windows and Linux :(

Does anyone have a commented (or especially) commented IDA file they can share?

I'd like something to compare with whilst trying to IDA my Volvo ME7 file.

:)

Anyone?  Or is it secret dark magic?

secret dark magic, I tried to get some feedback on whether I had my idb file created correctly and nothing nadda absolutely zero feedback...

Lol, ok well I'm doing it the slow and hard way.  I would have been nice to find another defined idb file.  There is one on here for the RS4, have you seen that?

I would contribute to this thread but i myself haven't really had time to add to the existing information that is available.

If i get to the point where i have a useful ida pro file, i will post it.

right now, it isn't much more than what you get if you use my autoit script...

Thanks for the modded script, that's what I've got now as well....

One problem I have with sharing IDA data is that most people are not using legit copies of IDA so I can't open their databases. Since I'm always running the latest version people can't easily open mine. I'm getting into bosch but it takes time. If you're still screwing with the volvo database maybe I could look at an idc export but I haven't yet built a database of functions.

Could you please confirm if this is working? I've thought about buying IDA pro a couple of years ago but can't afford to loose all the work I've done with the illegal IDA I'm using at the moment.
http://www.0xebfe.net/blog/2013/01/13/how-to-create-anonymous-ida-pro-database-dot-idb/

I pointed it out to Ilfak when it first came out a couple years back but he was already aware and I think appropriate countermeasures were taken. I have definitely seen databases that didn't seem to disassemble quite correctly on pirated copies yet mine did it perfectly. I think it's worth saving up for if you plan to be using it longterm. There are sometimes bugs or improvements in processor modules and those guys will often turn around a bug fix hours after I report it.

I've seen no problems in my non legit version but think it's fair to buy the product when starting to capitalise on the use of it.
What I do NOT understand and cannot accept in any way is that the legit program do not accept idb from pirated version. That must also be very counterproductive for hexray since many will stay away from legit since they cannot redo the hundreds of hours they might have done with pirated copy.
Of course I have no problem that they make it difficult to open a legit idb on a pirated .exe which they probably also do.

Export the database to an idc using the pirate copy, then take your legit copy and import it. The way they prevent pirate versions from working with legit ones is that they keep updating the format. I've discussed the anti-piracy stuff with ilfak a lot over the years. I even asked if he would be willing to clear the pirate flag when a user goes "legit" but he wasn't keen on it. IDA Pro is a really good product and has absolutely no competition. It's his choice not to sell it to you.

I worked for law firms for many years and have seen businesses close because of pirates. What if someone gave away all the professional tunes ever developed. Why would anyone pay a professional to tune? In the IDA case I'm sure the only reason the tricore bugs got fixed is that paying users found them and asked. The owners of hex-rays are not millionaires either. It's just a couple of really smart guys in Belgium with families to feed.

As for hundreds of hours spent on your databases you have to be careful with a known pirate version because it might self-corrupt over time. A contractor turned in his work only as an IDC but when I compared the changes I found all sorts of stuff he didn't touch had been messed up. So I asked for his original idb. At that point I learned it was a pirated version. Hex-rays said something to the effect of guess guys who use pirated versions have a few surprises waiting.

my ass