Author Topic: ME7.9.10 ST10F275-CEG Disassembly Help  (Read 8918 times)
J.Laborde
« on: July 01, 2019, 06:08:47 AM »

Good Day All,

I'm after some help with the disassembly of my Fiat Punto 1.4-TJET ME7.9.10 file.
So far using the powers of the internet I have obtained the following information:

****************************
- ST10F275 768K Flash/36K RAM
- 64MHz
- 2x16Ch/8PWM
****************************
IDA PRO Configuration:
Processor Type: SGS-Thomson ST10 [st10]
- [✔] Create RAM Section
RAM Start Address: ?
RAM Size: 0x36000

- [  ] Create ROM Section
ROM Start Address:
ROM Size: 0x00

Input File
Loading Address: ?
File Offset: 0x0
Loading Size: 0xD0000

How am I able to find the additional information I need to begin disassembly? Seeing multiple posts from user woj has me inspired to start creating some functions into this ECU, learning more about the CITY driving mode and the ability to add additional functions such as NLS, LC and the other amazing things woj has achieved.

I have attached my stock readout.

Thanks in advance

J.Laborde
 

I am here to learn and help others learn. :)

He's a maniac.......MAAAAAANIIIAC

J.Laborde
« Reply #1 on: July 03, 2019, 11:33:11 PM »

Well I got this so far, hope it helps someone:

IDA PRO Configuration:
Processor Type: SGS-Thomson ST10 [st10]
- [✔] Create RAM Section
RAM Start Address: 0x0
RAM Size: 0x36000

- [✔] Create ROM Section
ROM Start Address: 0x36000
ROM Size: 0xD0000

Input File
Loading Address: 0x36000
File Offset: 0x0
Loading Size: 0xD0000

Don't split the file.

I'll keep updates here regularly.
« Last Edit: July 03, 2019, 11:40:44 PM by J.Laborde »

J.Laborde
« Reply #2 on: July 04, 2019, 12:27:55 AM »

ST10-Family Programming Manual + Instruction Set

https://www.st.com/content/ccc/resource/technical/document/programming_manual/20/09/13/1c/cf/32/4b/ce/CD00004609.pdf/files/CD00004609.pdf/jcr:content/translations/en.CD00004609.pdf

woj
« Reply #3 on: July 04, 2019, 04:16:20 AM »

Load file address from 0 to 0x7FFF into logical address 0 to 0x7FFF. 0x8000-0xFFFF is the regular ST10 register and other stuff area. Then load the file from offset 0x8000 to the end into logical address 0x18000 and on. The external RAM starts at 0xF0000 and is sized at 64K (even though the ECU does not really use more than 32K). Plus there are a couple of special areas up above in the address space, e.g. Flash registers at 0xE0000 (but you don't need that for the basic functionality reversing) and a couple of small things like external device mapping at some small address ranges which the ECU code references from a handful of places. The DPP registers are 0x2A, 0x2B, 0x3C, and 0x3. That should be all you need to know to load it.

J.Laborde
« Reply #4 on: July 04, 2019, 04:48:13 AM »

Thank you woj, from what you've stated I've resulted to this:

EDIT: (modified loading address to 0x0)
« Last Edit: July 04, 2019, 04:54:44 AM by J.Laborde »

woj
« Reply #5 on: July 04, 2019, 12:43:47 PM »

Mostly wrong ;)

RAM start address: 0xF0000 (that you got right)
RAM size: 0x10000

ROM start address: 0x0000
ROM size: 0xD0000 (from the bin file structure it should be 0xE0000, but there is nothing in the last 64K anyhow)

Loading address: 0x0000
File offset: 0x0000
Loading size: 0x8000

And then you use load additional binary to load:

Loading address: 0x18000
File offset: 0x8000
Loading size: 0xB8000

(I hope I got all these hex calculations right in my head).

Logged
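The load layout from woj's replies above, as an added Python sketch that is not part of any post in this thread: it converts between file offsets and logical addresses and resolves a 16-bit DPP-relative address to its linear address. It assumes the four DPP values are listed in DPP0..DPP3 order and uses the standard ST10/C166 paging rule (top two address bits select the DPP, low 14 bits are the offset within a 16K page); all function names are hypothetical.

```python
# Added illustration; constants are taken from woj's posts in this thread.
LOW_END = 0x8000        # file 0x0000-0x7FFF loads at logical 0x0000-0x7FFF
HIGH_BASE = 0x18000     # file 0x8000 onward loads at logical 0x18000
HIGH_SIZE = 0xB8000     # size of the second ("additional binary") load
FILE_SIZE = LOW_END + HIGH_SIZE            # 0xC0000 bytes in the bin
RAM_BASE, RAM_SIZE = 0xF0000, 0x10000      # external RAM, 64K
DPP = (0x2A, 0x2B, 0x3C, 0x03)  # assumption: listed in DPP0..DPP3 order

def file_to_logical(off):
    """Logical (linear) address at which a file offset ends up."""
    if not 0 <= off < FILE_SIZE:
        raise ValueError("offset outside the bin file")
    return off if off < LOW_END else off - LOW_END + HIGH_BASE

def logical_to_file(addr):
    """File offset backing a logical address, or None if not file-backed."""
    if 0 <= addr < LOW_END:
        return addr
    if HIGH_BASE <= addr < HIGH_BASE + HIGH_SIZE:
        return addr - HIGH_BASE + LOW_END
    return None  # register area, RAM, or a gap in the map

def dpp_to_linear(addr16, dpp=DPP):
    """Resolve a 16-bit data address through the selected data page pointer."""
    if not 0 <= addr16 <= 0xFFFF:
        raise ValueError("expected a 16-bit address")
    page = dpp[addr16 >> 14] & 0x3FF      # 10-bit page number
    return (page << 14) | (addr16 & 0x3FFF)

def describe(addr16):
    """Return (linear address, region, file offset or None) for a data address."""
    linear = dpp_to_linear(addr16)
    if RAM_BASE <= linear < RAM_BASE + RAM_SIZE:
        return linear, "external RAM", None
    off = logical_to_file(linear)
    return linear, ("flash" if off is not None else "not file-backed"), off

if __name__ == "__main__":
    # Constructed sample operands, one per DPP.
    for a in (0x0123, 0x4123, 0x8123, 0xFE00):
        linear, region, off = describe(a)
        where = "" if off is None else f" (file offset {off:#x})"
        print(f"{a:#06x} -> {linear:#07x} {region}{where}")
```

With these values DPP2 lands exactly on the external RAM base at 0xF0000, and the second load ends at 0xD0000, matching where woj says the logical addresses should end.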
J.Laborde
« Reply #6 on: July 07, 2019, 11:17:29 PM »

Hello woj,

So I've followed your instructions loading the binary into IDA PRO. Thank you again for your guidance with the RAM/ROM addresses and sizes. After this I proceeded to choose the closest device to that used in the ST10F275-CEG Microprocessor given by IDA; the ST10F276.

After this I ticked all the information types in the dialog box including I/O ports, Memory layout and interrupts. I proceeded to Load an Additional Binary File using the following information:
Loading Segment: 0x018000
Loading Offset: 0x8000
File Offset in Bytes: 0x0
Number of Bytes: 0xB8000

I ticked create segments and code segments proceeding to click ok. After this I pressed ALT+G to dial in the DPP Registers as per your instructions, then Analysed the entire file using ALT+L from start to finish then pressed C. I clicked on Analyze not force. I'll keep the forum updated with my progress. Thanks again

Josh. 

J.Laborde
« Reply #7 on: July 07, 2019, 11:18:39 PM »

Pictures attached

woj
« Reply #8 on: July 08, 2019, 12:43:53 AM »

Something is still wrong I think, your logical addresses should end at D0000, and from C0000 on you should still have ECU code. I think the loading segment for the additional binary should be calculated differently (the address is 0x18000, but there is a way to calculate the IDA segment out of this). I don't remember now, Andy had this in his tutorial, I think you take one zero out from there? 0x1800? Or what was this?

pOwy
« Reply #9 on: December 29, 2022, 02:22:44 PM »

Hello!
Really old post but I am looking for the same. Did you find out what the right settings were? I set everything like woj wrote earlier and it looks right. Could you connect those addresses to some of damos?
I am trying to understand but without the names it is not going well :)

Thank you!

pOwy
« Reply #10 on: January 09, 2023, 02:57:24 PM »

Hello!

These are my settings, can someone check it please? I am not sure if it's right or not.

Thanks

pOwy
« Reply #11 on: January 09, 2023, 02:58:35 PM »

Now with all the photos..

woj
« Reply #12 on: January 12, 2023, 02:26:16 PM »

Address stuff looks good to me, from what I still remember. The thing I never remember is the exact ST10 type for this one, but even if you choose the wrong one what you possibly miss is the revision-specific register names; disassembly is nevertheless the same for all of them.