Author Topic: IDA Pro helper functions  (Read 50902 times)
fknbrkn
« Reply #30 on: February 15, 2024, 04:24:16 PM »

I've made a script to find and parse MED17 register values / addressing and so on
IDA 7.4+ / ida_python required

Howto:
-load the bin with a start address, loading address = 0x80000000, TriCore CPU
-run auto-analysis on the pflash segment to get raw code
-file -> script file

What's inside:
-searching for global register values (simple assignment)
-parses them in code, converts to offset (based on prj's indirect() script)
-searching for the a9 global register offset
-parses direct addressing mode (sometimes not)
-handles double pointer offset // this part might be buggy (the offset applies until the target register is assigned some other value or 'rets')

Initial code
Code:
PFLASH:800F0076                 st32.b          byte_D000209F, d15
PFLASH:800F007A                 ld32.bu         d15, byte_D00000CE
PFLASH:800F007E                 jnz32.t         d15:5, locret_800F00A2
PFLASH:800F0082                 ld32.a          a4, [a9]0x52C
PFLASH:800F0086                 ld32.a          a15, [a9]0x798
PFLASH:800F008A                 ld32.w          d5, [a0]-0x6DC0
PFLASH:800F008E                 lea             a4, [a4]0xBDD
PFLASH:800F0092                 ld32.bu         d4, [a15]0x150
PFLASH:800F0096                 ld32.w          d6, [a0]-0x6DF0
PFLASH:800F009A                 call32          sub_800FC9C8
PFLASH:800F009E                 st32.b          byte_D0002097, d2

After applying the script
Code:
PFLASH:800F0076                 st32.b          byte_D000209F, d15
PFLASH:800F007A                 ld32.bu         d15, byte_D00000CE
PFLASH:800F007E                 jnz32.t         d15:5, locret_800F00A2
PFLASH:800F0082                 ld32.a          a4, [a9](off_80174B70 - off_80174644)
PFLASH:800F0086                 ld32.a          a15, [a9](off_80174DDC - off_80174644)
PFLASH:800F008A                 ld32.w          d5, [a0](dword_D0003B98 - word_D000A958)
PFLASH:800F008E                 lea             a4, [a4](dword_80057E58+0x1D - dword_80057298)
PFLASH:800F0092                 ld32.bu         d4, [a15](unk_80062CDE - dword_80062B8E)
PFLASH:800F0096                 ld32.w          d6, [a0](dword_D0003B68 - word_D000A958)
PFLASH:800F009A                 call32          sub_800FC9C8
PFLASH:800F009E                 st32.b          byte_D0002097, d2

fknbrkn
« Reply #31 on: March 06, 2024, 02:27:43 AM »

Added an a2l parser with maps / params / bitfields
Still room for improvement ofc but no time for that

Moved to git
https://github.com/fknbrkn/IDA-PRO---MED17-python-script
prj
« Reply #32 on: March 06, 2024, 04:34:43 AM »

Bitfields are not very useful on TriCore because for the ones outside the dedicated memory it just uses shifting and extr.u to access them.
So to track them you need a full-blown pseudocode generator/decompiler like Hex-Rays or Ghidra.
fknbrkn
« Reply #33 on: March 06, 2024, 07:02:23 AM »

Bitfields are not very useful on TriCore because for the ones outside the dedicated memory it just uses shifting and extr.u to access them.
So to track them you need a full-blown pseudocode generator/decompiler like Hex-Rays or Ghidra.

Well I might be wrong at naming here, I mean bit params b_xxx and mapping them as enums
Code:
PFLASH:8011479A                     ld.hu           d15, mdns_w ; "Nachstartmoment"
PFLASH:8011479E                     st32.h          mdsmn_w, d1 ; "Motorverlustmoment ohne Ladungswechselarbeit"
PFLASH:801147A2                     jnz16           d15, loc_801147AC
PFLASH:801147A4                     ld32.bu         d15, byte_D0000088
PFLASH:801147A8                     jnz32.t         d15:B_stend, loc_80114850 ; "Bedingung Startende erreicht"


 enum enm_0xd0000088, mappedto_323
FFFFFFFF SWSVW_bChaElgDeb1  = 0                  ; XREF: PFLASH:800FC54A/s
FFFFFFFF                                         ; PFLASH:800FC93A/s ... ; "Fehler in Steuerkettenlängung"
FFFFFFFF B_dlrparc        = 1                    ; XREF: PFLASH:8009C080/s
FFFFFFFF                                         ; sub_8009C140+24E/s ... ; "Bedingung: Sollgrößensprung steht an"
FFFFFFFF B_stendrk        = 2                    ; XREF: sub_800FAADC+4/s
FFFFFFFF                                         ; sub_800FAC20+2C/s ... ; "Bedingung Umschaltung Start / Nachstart-Warmlauf für rk"
FFFFFFFF B_stend          = 3                    ; XREF: PFLASH:8007456C/s
FFFFFFFF                                         ; sub_8009C4C2+45C/s ... ; "Bedingung Startende erreicht"
FFFFFFFF B_wbkse          = 4                    ; XREF: PFLASH:800B6B18/s
FFFFFFFF                                         ; PFLASH:loc_800B6FD6/s ... ; "Bed. Wobbeln BKS enabled"
FFFFFFFF B_hstnl          = 6                    ; XREF: PFLASH:800EF134/s
FFFFFFFF                                         ; PFLASH:loc_800EF13A/s ... ; "Bed. Heißstart aus tmot-Verlauf im SG-Nachlauf"
FFFFFFFF B_dkpaw          = 7                    ; XREF: sub_800F3086+2A8/s
FFFFFFFF                                         ; sub_800F3086+30E/s ... ; "Bedingung DK-Poti-Auswahl für DK-Sensor-Ersatzbetrieb"
FFFFFFFF
It covers only direct access to bits, not much but something
prj
« Reply #34 on: March 06, 2024, 07:05:20 AM »

It covers only direct access to bits, not much but something
Only a very small amount of memory on TriCore is bit addressable.
The rest is not.
On modern ECUs there are many more bitfields than can ever fit into the small bit-addressable memory.

Because of this it needs to do a load, and then shift and extract the result using extr.u.
IDA cannot follow this at all and there is no Hex-Rays plugin for TriCore.

Ghidra can with the decompiler...

It becomes even worse between two software revisions if some bitfields are moved around. Then the code to access them is different.

Of course it's still useful to load the bitfields as enums, but not as useful as it seems on first glance.
fknbrkn
« Reply #35 on: March 06, 2024, 07:54:31 AM »

Only a very small amount of memory on TriCore is bit addressable.
The rest is not.
On modern ECUs there are many more bitfields than can ever fit into the small bit-addressable memory.

Because of this it needs to do a load, and then shift and extract the result using extr.u.
IDA cannot follow this at all and there is no Hex-Rays plugin for TriCore.

Ghidra can with the decompiler...

It becomes even worse between two software revisions if some bitfields are moved around. Then the code to access them is different.

Of course it's still useful to load the bitfields as enums, but not as useful as it seems on first glance.

The Ghidra decompiler looks promising
Just a bit tricky for an IDA user, thanks for the input
« Last Edit: March 06, 2024, 08:14:53 AM by fknbrkn »
prj
« Reply #36 on: March 06, 2024, 08:16:19 AM »

For fast work IDA is still the best by far.

Ghidra is really clunky to use for many things, but in case of more complex usage, the decompiler is pretty invaluable.
Reversing headers and other stuff becomes trivial.
prometey1982
« Reply #37 on: September 12, 2024, 04:27:42 PM »

IDC function for adding indirect XRefs to memory accessed through DPP and extp

Code:
static makexrefauto()
{
    auto curaddr, prevaddr, from_addr, is_ok, i;
    auto optype, local_addr, prev_instr, name;

    curaddr  = get_screen_ea();          // instruction under the cursor
    prevaddr = prev_head(curaddr, 0);    // preceding instruction (checked for extp)
    is_ok = 0;

    for (i = 0; i < 2; ++i) {
        optype     = get_operand_type(curaddr, i);
        local_addr = get_operand_value(curaddr, i);
        msg("local addr 0x%X, op_type %d\n", local_addr, optype);

        if (optype == o_mem) {
            // direct memory operand: already an absolute address
            from_addr = local_addr;
            is_ok = 1;
        }
        else if (optype == o_displ) {
            prev_instr = print_insn_mnem(prevaddr);
            if (prev_instr == "extp") {
                // extp #page, #n overrides the DPP page for the next n instructions
                from_addr = get_operand_value(prevaddr, 0) * 0x4000 + local_addr;
            }
            else if (local_addr & 0x8000 && local_addr & 0x4000) {
                // address bits 15:14 = 11 -> DPP3, page offset = addr - 0xC000
                from_addr = get_sreg(curaddr, "DPP3") * 0x4000 + local_addr - 0xC000;
            }
            else if (local_addr & 0x8000) {
                // bits 15:14 = 10 -> DPP2
                from_addr = get_sreg(curaddr, "DPP2") * 0x4000 + local_addr - 0x8000;
            }
            else if (local_addr & 0x4000) {
                // bits 15:14 = 01 -> DPP1
                from_addr = get_sreg(curaddr, "DPP1") * 0x4000 + local_addr - 0x4000;
            }
            else {
                // bits 15:14 = 00 -> DPP0
                from_addr = get_sreg(curaddr, "DPP0") * 0x4000 + local_addr;
            }
            is_ok = 1;
        }
        if (is_ok)
            break;
    }

    if (!is_ok)
        return;
    msg("0x%X\n", from_addr);
    add_cref(curaddr, from_addr, XREF_USER);   // user-defined xref to the resolved address
    name = sprintf("0x%X", from_addr);
    set_cmt(curaddr, name, 0);                 // non-repeatable comment showing the address
}

Artemisia
« Reply #38 on: September 23, 2024, 11:21:10 PM »

A script that generates patterns that can help identify variable addresses in a slightly different file

You input the segment name in which to search for the variable. The script loads all references to that variable and takes 5 instructions before and after each instance. Then it applies wildcards to dynamic operands while keeping the opcode. Generated patterns / sequences are output to the console

Works for IDA 7.5, Python 3.8.2

Output example:

Code:

Clearing console...
Variable 'redist' found at address: 0xd000190c
Usage of 'redist' found at 0x800a9258: st32.b          redist, d15
Generated pattern: AB 11 ?? ?? 37 00 ?? ?? 02 F1 BF 50 ?? ?? 25 DF ?? ?? 25 DF ?? ?? 16 FF 05 D0 ?? ?? EE 04 8F 40 ?? ??

Usage of 'redist' found at 0x8010d5ca: ld32.bu         d1, redist
Generated pattern: 05 D4 ?? ?? 6D FF ?? ?? 25 D2 ?? ?? 00 90 BB 00 ?? ?? 05 D1 ?? ?? DF 01 ?? ?? 82 0F FF 51 ?? ?? 82 50

Usage of 'redist' found at 0x8010de2e: ld32.bu         d8, redist
Generated pattern: D9 0F ?? ?? A8 0F 00 90 05 DF ?? ?? 3C 51 05 D8 ?? ?? D5 D7 ?? ?? FF 58 ?? ?? D9 0F ?? ?? 82 66

Usage of 'redist' found at 0x8010e390: ld32.bu         d15, redist
Generated pattern: 00 90 D9 0F ?? ?? 05 DF ?? ?? 37 0F ?? ?? 28 0F 05 DF ?? ?? D9 0F ?? ?? 28 0F 00 90 00 90

Usage of 'redist' found at 0x801241a2: ld32.bu         d15, redist
Generated pattern: 05 DF ?? ?? 09 F0 ?? ?? 3F 0F ?? ?? 05 DF ?? ?? 6F 3F ?? ?? 05 DF ?? ?? FF 5F ?? ?? 05 D0 ?? ?? 09 CF ?? ?? 42 0F

Usage of 'redist' found at 0x80124312: ld32.bu         d15, redist
Generated pattern: 05 D0 ?? ?? 05 DF ?? ?? AB 00 ?? ?? 25 DF ?? ?? 00 90 05 DF ?? ?? 1E 55 05 DF ?? ?? 6F 3F ?? ?? D5 DA ?? ??
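An added companion example, not Artemisia's script, showing how a pattern in the printed format is applied to a second image: "??" positions are skipped during matching and the bytes found under them are returned so the new operand can be read off the hit; a pattern is only usable for relocating a variable when it hits once. The image and the pattern's operand bytes are constructed.

```python
def parse_pattern(text):
    """'05 DF ?? ?? 6D FF' -> (bytes, mask); mask[i] is False where the
    script wildcarded an operand byte with '??'."""
    toks = text.split()
    data = bytes(0 if t == "??" else int(t, 16) for t in toks)
    mask = [t != "??" for t in toks]
    return data, mask

def find_pattern(image, text):
    """Return [(offset, wildcard_bytes)] for every match of the pattern in
    image. wildcard_bytes are the image bytes under the '??' positions, in
    order, i.e. the operand values in the other file."""
    data, mask = parse_pattern(text)
    n = len(data)
    fixed = [i for i, keep in enumerate(mask) if keep]
    wild = [i for i, keep in enumerate(mask) if not keep]
    hits = []
    for off in range(len(image) - n + 1):
        if all(image[off + i] == data[i] for i in fixed):
            hits.append((off, bytes(image[off + i] for i in wild)))
    return hits

def unique_hit(image, text):
    """A pattern identifies the variable only if it matches exactly once."""
    hits = find_pattern(image, text)
    return hits[0] if len(hits) == 1 else None

# Constructed "other file": the fixed bytes of the first instructions of the
# 0x8010d5ca pattern from the post, with different operand bytes, padded with
# TriCore nop16 (00 90) filler on both sides.
PATTERN = "05 D4 ?? ?? 6D FF ?? ?? 25 D2 ?? ??"
IMAGE = (bytes.fromhex("00 90 00 90")
         + bytes.fromhex("05 D4 11 22 6D FF 33 44 25 D2 55 66")
         + bytes.fromhex("00 90"))
```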

« Last Edit: September 23, 2024, 11:23:00 PM by Artemisia »
prometey1982
« Reply #39 on: October 10, 2024, 12:39:07 AM »

Updated the script to load A2L into IDA. It also contains a function to disassemble a memory region instead of repeating Ctrl+U C.
Usage:
Code:
processrom(0x0, 0x80000)  # try to disassemble memory from 0x0 to 0x80000
a2l(r'c:\my_shit\a2l\my_super_puper.a2l')  # load the A2L; raw string so '\a' is not read as a bell character
Works with IDA 7.7. Tested on Volvo ME9 and Ford ME9 A2L and bins.
prj
« Reply #40 on: October 10, 2024, 03:28:52 AM »

Updated the script to load A2L into IDA. It also contains a function to disassemble a memory region instead of repeating Ctrl+U C.
Usage:
Code:
processrom(0x0, 0x80000)  # try to disassemble memory from 0x0 to 0x80000
a2l(r'c:\my_shit\a2l\my_super_puper.a2l')  # load the A2L; raw string so '\a' is not read as a bell character
Works with IDA 7.7. Tested on Volvo ME9 and Ford ME9 A2L and bins.

I am not sure what you did besides copy-pasting my script from the first post into a .py file?
prometey1982
« Reply #41 on: October 10, 2024, 06:00:07 AM »

I am not sure what you did besides copy-pasting my script from the first post into a .py file?
I'm maintaining this script to support new IDA versions. Functionality was also added to define enums for C167 CPUs, and a function to define code and functions with a one-line command. This script also defines maps instead of the original function. It works well with PowerPC and C167 ECUs.
« Last Edit: October 10, 2024, 06:02:24 AM by prometey1982 »
