nighthunter
Jr. Member
Karma: +0/-0
Offline
Posts: 25
« on: April 15, 2017, 02:12:13 AM »
Hi, I want to start learning disassembly of my ECUs. I have Bosch 0 261 205 005 and 0 261 205 006. 005 has B59233, which should be SAK-C167CR-4RM (32k IROM), and the 006 SAK-C167CR-LM. Is the 006 really ROMless or is it only deliberately badly marked?
nubcake
« Reply #1 on: April 17, 2017, 05:19:08 AM »
Hi, I want to start learning disassembly of my ECUs. I have Bosch 0 261 205 005 and 0 261 205 006. 005 has B59233, which should be SAK-C167CR-4RM (32k IROM), and the 006 SAK-C167CR-LM. Is the 006 really ROMless or is it only deliberately badly marked?
Not sure about this specific ECU, but I have seen quite a few of them having a bootloader in the first 32k of the flash (could've been just a mirror, though?). Would maybe make sense to check whatever is in the flash for clues?
nighthunter
« Reply #2 on: May 03, 2017, 12:41:04 AM »
Hi, I've attached ORIs for the 005 and 006. Could you look at the files and see if there is a bootloader in flash on the 006?
nubcake
« Reply #3 on: May 06, 2017, 05:13:33 AM »
Hi, I've attached ORIs for the 005 and 006. Could you look at the files and see if there is a bootloader in flash on the 006?
Just a brief glance with a hex editor - yes, it seems to be there. It should be really irrelevant for usual disassembly, as the bootloader itself is of little interest? Or are you trying to do something specifically with it?
nighthunter
« Reply #4 on: May 07, 2017, 01:22:37 AM »
Thanks for taking the time to look at the files. I am trying to understand the ECU and the disassembly of C167s. I am working with 8-bit MCUs, so the C167CR is new for me. Could you help me, please, with how to correctly set up IDA to disassemble the 006 ECU file?
nubcake
« Reply #5 on: May 07, 2017, 05:33:53 AM »
nighthunter
« Reply #6 on: May 07, 2017, 12:12:50 PM »
I've read your instructions and also downloaded the Funktionsrahmen document. It seems that this ECU (when I compare the labels in the DAMOS that I have) is a ME7 family member. It is a multi-map ECU that selects the coding depending on the EEPROM VIN/FIN data. But when I want to create the RAM and IRAM segments I am getting error messages. I am using IDA 6.8. I've attached the IDA file that I am using to test it. Could you take a look at that file? EDIT: The unit has a 6264 RAM connected to the micro.
« Last Edit: May 07, 2017, 12:18:20 PM by nighthunter »
nubcake
« Reply #7 on: May 07, 2017, 03:53:04 PM »
You missed the "load BIN to the 0x800000 offset" step.
nighthunter
« Reply #8 on: May 09, 2017, 03:22:47 AM »
I have modified the load offset. As a template I used the AutoIt scripts that are here on the forum. But I think in many places the resulting code does not look OK. Could you look at it? The file is in the attachment.
nubcake
« Reply #9 on: May 09, 2017, 08:57:26 AM »
I have modified the load offset. As a template I used the AutoIt scripts that are here on the forum. But I think in many places the resulting code does not look OK. Could you look at it? The file is in the attachment.
Wrong offset still. Forget scripts, do it by hand step by step as described in my post. You want the "0x800000" in both "ROM start" and "Input file loading address". Then create the RAM segment and set the DPPs. You will be 90% there.
nighthunter
« Reply #10 on: May 12, 2017, 01:05:59 AM »
Hi, today I changed the offsets and created RAM and IRAM; now I have only 2 functions after the automatic code analysis. Everything else is data. Should I now mark the whole 0x800000-880000 region as code manually?
nubcake
« Reply #11 on: May 12, 2017, 05:33:30 AM »
Actually, you know what. I'm sorry for wasting your time. Somehow I had presumed that the binary itself was from the same VW/Audi cars we usually discuss here. I took a better look at the binary in IDA. It appears that loading the binary to "0" is right. And the RAM actually starts from 0xB0000. This way everything seems to align quite well.
So: start IDA, open the binary, set the CPU type. Check "create RAM region", set it to 0xB0000, length 0x10000. Leave "create ROM" at the default of zero, length 0x80000.
And this should produce a nice "basic" database.
Again, sorry for the initial mislead.
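An added example, not from the thread or from either poster, of two quick checks on a raw dump that the replies point at: whether the first 32 KiB is mirrored elsewhere in the flash (reply #1), and whether offset 0 holds a plausible C166-family interrupt vector table of JMPS seg,caddr entries (opcode 0xFA, 4 bytes each), which is what makes loading the image at address 0 sensible (reply #11). The sample dump is constructed inline; the 0x80000 ROM window is the value given in reply #11.

```python
import struct

JMPS_OPCODE = 0xFA   # C166-family JMPS seg, caddr: FA ss oo oo (little-endian 16-bit offset)
BLOCK = 0x8000       # 32 KiB, the region reply #1 says often holds the bootloader
ROM_SIZE = 0x80000   # ROM window size from reply #11

def find_mirrors(image: bytes, block: int = BLOCK) -> list:
    """Offsets (multiples of `block`) whose contents equal the first `block` bytes."""
    head = image[:block]
    return [off for off in range(block, len(image) - block + 1, block)
            if image[off:off + block] == head]

def parse_vector_table(image: bytes, entries: int = 8) -> list:
    """Decode the 4-byte slots at offset 0; return (slot, target) for slots holding a JMPS."""
    vectors = []
    for slot in range(entries):
        entry = image[4 * slot:4 * slot + 4]
        if len(entry) < 4 or entry[0] != JMPS_OPCODE:
            continue
        seg = entry[1]
        off = struct.unpack_from('<H', entry, 2)[0]
        vectors.append((slot, (seg << 16) | off))
    return vectors

def looks_like_vector_table(image: bytes, entries: int = 8, rom_size: int = ROM_SIZE) -> bool:
    """Heuristic: the reset slot (0) is a JMPS and every decoded target lies inside the ROM window."""
    vectors = parse_vector_table(image, entries)
    return bool(vectors) and vectors[0][0] == 0 and all(t < rom_size for _, t in vectors)

def build_sample() -> bytes:
    """Constructed dump: 8 JMPS vectors into segment 0, 0xFF filler, zeros, then a copy of block 0 at 0x10000."""
    table = b''.join(struct.pack('<BBH', JMPS_OPCODE, 0x00, 0x0200 + 0x10 * i) for i in range(8))
    img = bytearray(table.ljust(BLOCK, b'\xFF') + bytes(BLOCK))   # 0x10000 bytes so far
    img[0x10000:0x10000] = img[:BLOCK]                               # mirror of the first 32 KiB
    return bytes(img.ljust(0x20000, b'\xFF'))

if __name__ == '__main__':
    dump = build_sample()
    print('mirrors of block 0 at:', [hex(o) for o in find_mirrors(dump)])
    print('vector table plausible:', looks_like_vector_table(dump))
    for slot, target in parse_vector_table(dump):
        print(f'  slot {slot}: JMPS -> {target:#08x}')
```

Run it against a real dump by replacing `build_sample()` with the file contents; a mirror hit plus a plausible table at 0 supports the "load at 0, RAM at 0xB0000" setup rather than the 0x800000 one.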