Title: ME7.8 / ME7.8.1 / IDA Questions and CAN Bus Questions
Post by: mattd on July 02, 2015, 06:59:05 PM

Hi everyone,

I'm just getting started in IDA disassembly and I'm having some issues with ensuring I'm looking at the correct memory locations during my investigations on the Bosch ME7.8 / 7.8.1 platform.
For instance, in this code section here:

FLASH:00823A6E    extp    #23Ch, #1            ; Begin Extended Page Sequence
FLASH:00823A72    movb    rl4, byte_8F2497     ; Move Byte
FLASH:00823A76    movb    byte_3804DB, rl4     ; Move Byte
FLASH:00823A7A    movb    byte_3804DA, rl4     ; Move Byte
FLASH:00823A7E    movb    byte_3804D9, rl4     ; Move Byte
FLASH:00823A82    movb    byte_3804D8, rl4     ; Move Byte
FLASH:00823A86    movb    byte_3804D7, rl4     ; Move Byte
FLASH:00823A8A    rets                         ; Return from Inter-Segment Subroutine

The names that IDA gave are correct for the 3804XX addresses, but how can I tell IDA that extp changes the DPP values?

I am currently looking through the code for the 997, and am trying to understand how the CAN code works. I have an ASAP2 file, and that's been extremely helpful. However, there's still some 'magic' to me as to certain memory addresses, and where the data actually is that is going to be pushed onto the bus.

I have found the 'mailbox' setup sections that set up EF10->EFF0 with direction bits and CAN IDs. I notice that there's similar code for EE10->EEF0. Are there actually 2 CAN chips on the Porsche devices? Also, lots of memory access in the F2FX area in these subroutines.

If someone has the answer to the following --- this would save me a lot of time, but even some pointers would be great.

Byte 7 (starting from 0) of ARBID 0x246 is a generated 'check' value, and I'm trying to find how to calculate it.

So any pointers when dealing with IDA (6.8, costly but worth it), and the C166 would be greatly appreciated.

Thanks.
-Matt

Title: Re: ME7.8 / ME7.8.1 / IDA Questions and CAN Bus Questions
Post by: IamwhoIam on July 03, 2015, 02:42:15 AM

ME7.8.1 uses ST10, not sure what difference that makes, but thought it was worth mentioning...

Title: Re: ME7.8 / ME7.8.1 / IDA Questions and CAN Bus Questions
Post by: mattd on July 06, 2015, 06:36:30 PM

Thanks, that's good to know. That does explain some minor differences in similar code blocks.
I started tracing things like ambient pressure, which I know are in one of the IDs I'm interested in, but I still have some mental disconnects...

Title: Re: ME7.8 / ME7.8.1 / IDA Questions and CAN Bus Questions
Post by: mattd on July 15, 2015, 07:59:06 PM

I haven't had much time to look at this, due to working on other projects. Anyone else have any other pointers?
Thanks.
-Matt

Title: Re: ME7.8 / ME7.8.1 / IDA Questions and CAN Bus Questions
Post by: mattd on August 07, 2015, 06:39:02 PM

So, the answer is, IDA *does* figure it out most of the time.
If you do the math, it does grab the correct byte with 23C as the DPP. You should still set the correct default segment registers.

Also, turns out byte 7 is not a check value. It's multiplexed data. Lots of work to get it done... I ended up tracing bytes that I knew were there (like ambient pressure) and then using the ASAP file to find what the bytes around it were... and then found out not all of the models have the same data there, and had to do it again. :)

While I know this isn't a super helpful post, I wanted to at least provide the answer to the question I had.

-Matt

Title: Re: ME7.8 / ME7.8.1 / IDA Questions and CAN Bus Questions
Post by: hytron on August 24, 2015, 10:42:23 AM

Can you actually use IDA for this purpose? We are talking about HexRays IDA disassembler? I didn't see any options for that cpu.
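
The data-page arithmetic behind the extp listing and the "do the math" remark earlier in this thread, as an added example that is not part of any post: on the C166/ST10 a 16-bit data operand is a 14-bit offset plus a 2-bit DPP selector, and extp substitutes its own page for the next N instructions. The raw operands, the DPP register contents and the function names are assumptions constructed to reproduce the names IDA shows.

```python
# Added example: C166/ST10 data-page arithmetic for the listing in this thread.
PAGE_BITS = 14                       # a data page is 16 KiB
OFFSET_MASK = (1 << PAGE_BITS) - 1   # low 14 bits of a 16-bit operand


def physical(page, addr16):
    """Combine a 10-bit data page with the 14-bit offset of a 16-bit operand."""
    if not 0 <= page <= 0x3FF or not 0 <= addr16 <= 0xFFFF:
        raise ValueError("page must fit 10 bits, operand 16 bits")
    return (page << PAGE_BITS) | (addr16 & OFFSET_MASK)


def split(phys):
    """Inverse view: the page and offset implied by an IDA name like byte_8F2497."""
    return phys >> PAGE_BITS, phys & OFFSET_MASK


def resolve(instrs, dpp):
    """Resolve memory operands, honouring EXTP's instruction count.

    instrs: ("extp", page, count) or ("mem", addr16), one tuple per instruction.
    dpp:    contents of DPP0..DPP3.
    """
    out, ext_page, remaining = [], None, 0
    for ins in instrs:
        if ins[0] == "extp":
            _, ext_page, remaining = ins
            continue
        addr16 = ins[1]
        if remaining > 0:            # inside the EXTP window: page comes from the instruction
            page, remaining = ext_page, remaining - 1
        else:                        # normal case: operand bits 15..14 pick DPP0..DPP3
            page = dpp[addr16 >> PAGE_BITS] & 0x3FF
        out.append(physical(page, addr16))
    return out


# Constructed inputs: the thread shows only IDA's resolved names, so the raw
# operands and the DPP contents below are assumptions chosen to reproduce them.
DPP = [0x000, 0x001, 0x0E0, 0x003]
LISTING = [("extp", 0x23C, 1), ("mem", 0x2497), ("mem", 0x84DB), ("mem", 0x84DA)]

if __name__ == "__main__":
    for a in resolve(LISTING, DPP):
        print(f"{a:06X}")            # 8F2497, 3804DB, 3804DA
    print([hex(v) for v in split(0x3804DB)])   # page 0xe0, offset 0x4db
```

Only the first movb falls inside the one-instruction extp window; the 3804XX stores resolve through whichever DPP register holds page 0xE0, which is why the default segment registers still need to be set correctly in the disassembler.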