fknbrkn
« Reply #30 on: February 15, 2024, 04:24:16 PM »
I've made a script to find and parse MED17 register values / addressing and so on. IDA 7.4+ / ida_python required.

Howto:
- load bin with start address, loading address = 0x80000000, tricore cpu
- make autoanalyse of pflash segment to get raw code
- file -> script file

What's inside:
- searching for global registers values (simply assignment)
- parse em in code, converts to offset (based on prj's indirect() script)
- searching for a9 global register offset
- parse direct addressing mode (sometimes not)
- handle double pointer offset // this part might be buggy (offset applies until target register assignment with some other value or 'rets')

Initial code

```
PFLASH:800F0076 st32.b byte_D000209F, d15
PFLASH:800F007A ld32.bu d15, byte_D00000CE
PFLASH:800F007E jnz32.t d15:5, locret_800F00A2
PFLASH:800F0082 ld32.a a4, [a9]0x52C
PFLASH:800F0086 ld32.a a15, [a9]0x798
PFLASH:800F008A ld32.w d5, [a0]-0x6DC0
PFLASH:800F008E lea a4, [a4]0xBDD
PFLASH:800F0092 ld32.bu d4, [a15]0x150
PFLASH:800F0096 ld32.w d6, [a0]-0x6DF0
PFLASH:800F009A call32 sub_800FC9C8
PFLASH:800F009E st32.b byte_D0002097, d2
```

After script apply

```
PFLASH:800F0076 st32.b byte_D000209F, d15
PFLASH:800F007A ld32.bu d15, byte_D00000CE
PFLASH:800F007E jnz32.t d15:5, locret_800F00A2
PFLASH:800F0082 ld32.a a4, [a9](off_80174B70 - off_80174644)
PFLASH:800F0086 ld32.a a15, [a9](off_80174DDC - off_80174644)
PFLASH:800F008A ld32.w d5, [a0](dword_D0003B98 - word_D000A958)
PFLASH:800F008E lea a4, [a4](dword_80057E58+0x1D - dword_80057298)
PFLASH:800F0092 ld32.bu d4, [a15](unk_80062CDE - dword_80062B8E)
PFLASH:800F0096 ld32.w d6, [a0](dword_D0003B68 - word_D000A958)
PFLASH:800F009A call32 sub_800FC9C8
PFLASH:800F009E st32.b byte_D0002097, d2
```
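The base+offset rewrite that the post shows (global register tracking, the a9 pointer table, the double-pointer step through ld32.a, and the `+0x1D` remainder when the target is not an exact symbol), as an added example that is not fknbrkn's script or any code from this thread. It runs on a plain-text listing outside IDA. The symbol table, the pointer-table contents, the two movh.a/lea prologue lines that set a9, and the starting value of a0 are constructed so that the post's "Initial code" resolves to the names in its "After script apply" block; the off_/dword_/unk_ naming helper is an assumption modelled on IDA's style, not IDA's own naming logic.

```python
import re

# Constructed stand-in for the IDA database names the script would read back
# (values chosen so the listing from the post resolves to the same names).
SYMBOLS = {
    0x80174644: "off_80174644", 0x80174B70: "off_80174B70", 0x80174DDC: "off_80174DDC",
    0xD000A958: "word_D000A958", 0xD0003B98: "dword_D0003B98", 0xD0003B68: "dword_D0003B68",
    0x80057298: "dword_80057298", 0x80057E58: "dword_80057E58",
    0x80062B8E: "dword_80062B8E", 0x80062CDE: "unk_80062CDE",
}
# Constructed pointer-table contents: what the slot read by "ld32.a aN, [a9]off" holds.
MEMORY = {0x80174B70: 0x80057298, 0x80174DDC: 0x80062B8E}
# TriCore ABI global address registers; assumed to keep their value across rets.
GLOBAL_AREGS = {"a0", "a1", "a8", "a9"}
BASE_OFF = re.compile(r"\[(a\d{1,2})\](-?0x[0-9A-Fa-f]+)")

# Constructed listing: two prologue lines that set a9 (assumed movh.a + lea
# pattern), followed verbatim by the "Initial code" block from the post.
LISTING = [
    "PFLASH:800F0060 movh.a a9, #0x8017",
    "PFLASH:800F0064 lea a9, [a9]0x4644",
    "PFLASH:800F0076 st32.b byte_D000209F, d15",
    "PFLASH:800F007A ld32.bu d15, byte_D00000CE",
    "PFLASH:800F007E jnz32.t d15:5, locret_800F00A2",
    "PFLASH:800F0082 ld32.a a4, [a9]0x52C",
    "PFLASH:800F0086 ld32.a a15, [a9]0x798",
    "PFLASH:800F008A ld32.w d5, [a0]-0x6DC0",
    "PFLASH:800F008E lea a4, [a4]0xBDD",
    "PFLASH:800F0092 ld32.bu d4, [a15]0x150",
    "PFLASH:800F0096 ld32.w d6, [a0]-0x6DF0",
    "PFLASH:800F009A call32 sub_800FC9C8",
    "PFLASH:800F009E st32.b byte_D0002097, d2",
]


def symbolize(addr, symbols=SYMBOLS):
    """Name an address IDA-style: exact symbol, else nearest lower symbol plus delta."""
    if addr in symbols:
        return symbols[addr]
    lower = [s for s in symbols if s < addr]
    if not lower:
        return f"unk_{addr:08X}"
    base = max(lower)
    return f"{symbols[base]}+0x{addr - base:X}"


def rewrite_listing(lines, symbols=SYMBOLS, memory=MEMORY, initial=None):
    """Rewrite [aN]offset operands to (target - base) whenever aN holds a named address."""
    regs = dict(initial or {})      # address register -> known 32-bit value
    out = []
    for line in lines:
        prefix, rest = line.split(None, 1)
        mnem, _, ops = rest.partition(" ")
        ops = ops.strip()

        def repl(m):
            reg, off = m.group(1), int(m.group(2), 16)
            base = regs.get(reg)
            if base is None or base not in symbols:
                return m.group(0)               # base unknown or unnamed: leave as is
            target = (base + off) & 0xFFFFFFFF
            return f"[{reg}]({symbolize(target, symbols)} - {symbols[base]})"

        out.append(f"{prefix} {mnem} {BASE_OFF.sub(repl, ops)}".rstrip())

        # Update what we know about address registers from this instruction's effect.
        operands = [o.strip() for o in ops.split(",")] if ops else []
        dest = operands[0] if operands else ""
        m = BASE_OFF.search(ops)
        base_known = m is not None and regs.get(m.group(1)) is not None
        if mnem == "rets":
            regs = {r: v for r, v in regs.items() if r in GLOBAL_AREGS}
        elif mnem in ("movh.a", "movh32.a") and len(operands) == 2:
            regs[dest] = int(operands[1].lstrip("#"), 16) << 16      # upper half of a constant
        elif mnem in ("lea", "lea32") and base_known:
            regs[dest] = (regs[m.group(1)] + int(m.group(2), 16)) & 0xFFFFFFFF
        elif mnem in ("ld.a", "ld32.a") and base_known:
            # double pointer: the loaded register holds whatever the table slot contains
            val = memory.get((regs[m.group(1)] + int(m.group(2), 16)) & 0xFFFFFFFF)
            if val is None:
                regs.pop(dest, None)
            else:
                regs[dest] = val
        elif re.fullmatch(r"a\d{1,2}", dest):
            regs.pop(dest, None)    # any other write to an address register: value unknown
    return out


if __name__ == "__main__":
    # a0 is assumed to be the global data pointer the script recovers from startup code.
    for line in rewrite_listing(LISTING, initial={"a0": 0xD000A958}):
        print(line)
```

The rewrite is applied before the register update so that `lea a4, [a4]0xBDD` is expressed relative to the old a4 (the table entry) and only then moves a4 forward, which is what produces the `dword_80057E58+0x1D` form in the post.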
prj
« Reply #32 on: March 06, 2024, 04:34:43 AM »
Bitfields are not very useful on tricore because for the ones outside the dedicated memory it just uses shifting and extr.u to access them. So to track them you need a full-blown pseudocode generator/decompiler like hexrays or ghidra.
fknbrkn
« Reply #33 on: March 06, 2024, 07:02:23 AM »
> Bitfields not very useful on tricore because the ones outside the dedicated memory it just uses shifting and extr.u to access them. So to track them you need a full blown pseudocode generator/decompiler like hexrays or ghidra.

Well, I might be wrong at naming here, I mean bit params b_xxx and mapping them as enums

```
PFLASH:8011479A ld.hu d15, mdns_w ; "Nachstartmoment"
PFLASH:8011479E st32.h mdsmn_w, d1 ; "Motorverlustmoment ohne Ladungswechselarbeit"
PFLASH:801147A2 jnz16 d15, loc_801147AC
PFLASH:801147A4 ld32.bu d15, byte_D0000088
PFLASH:801147A8 jnz32.t d15:B_stend, loc_80114850 ; "Bedingung Startende erreicht"
```

```
enum enm_0xd0000088, mappedto_323
FFFFFFFF SWSVW_bChaElgDeb1 = 0 ; XREF: PFLASH:800FC54A/s
FFFFFFFF                       ; PFLASH:800FC93A/s ... ; "Fehler in Steuerkettenlängung"
FFFFFFFF B_dlrparc = 1         ; XREF: PFLASH:8009C080/s
FFFFFFFF                       ; sub_8009C140+24E/s ... ; "Bedingung: Sollgrößensprung steht an"
FFFFFFFF B_stendrk = 2         ; XREF: sub_800FAADC+4/s
FFFFFFFF                       ; sub_800FAC20+2C/s ... ; "Bedingung Umschaltung Start / Nachstart-Warmlauf für rk"
FFFFFFFF B_stend = 3           ; XREF: PFLASH:8007456C/s
FFFFFFFF                       ; sub_8009C4C2+45C/s ... ; "Bedingung Startende erreicht"
FFFFFFFF B_wbkse = 4           ; XREF: PFLASH:800B6B18/s
FFFFFFFF                       ; PFLASH:loc_800B6FD6/s ... ; "Bed. Wobbeln BKS enabled"
FFFFFFFF B_hstnl = 6           ; XREF: PFLASH:800EF134/s
FFFFFFFF                       ; PFLASH:loc_800EF13A/s ... ; "Bed. Heißstart aus tmot-Verlauf im SG-Nachlauf"
FFFFFFFF B_dkpaw = 7           ; XREF: sub_800F3086+2A8/s
FFFFFFFF                       ; sub_800F3086+30E/s ... ; "Bedingung DK-Poti-Auswahl für DK-Sensor-Ersatzbetrieb"
FFFFFFFF
```

It covers only direct access to bits, not much but something.
prj
« Reply #34 on: March 06, 2024, 07:05:20 AM »
> It covers only direct access to bit, not much but something

Only a very small amount of memory on TriCore is bit addressable. The rest is not. On modern ECUs there are many more bitfields than can ever fit into the small bit-addressable memory.

Because of this it needs to do a load, and then, using extr.u, shift and extract the result. IDA cannot follow this at all and there is no hexrays plugin for tricore.

Ghidra can with the decompiler...

It becomes even worse between two software revisions if some bitfields are moved around. Then the code to access them is different.

Of course it's still useful to load the bitfields as enums, but not as useful as it seems on first glance.
fknbrkn
« Reply #35 on: March 06, 2024, 07:54:31 AM »
> Only a very small amount of memory on TriCore is bit addressable. The rest is not. On modern ECU's there are much more bitfields than can ever fit into the small bit addressable memory.
> Because of this it needs to do a load, and then using extr.u shift and extract the result. IDA can not follow this at all and there is no hexrays plugin for tricore.
> Ghidra can with the decompiler...
> It becomes even worse between two software revisions if some bitfields are moved around. Then the code to access them is different.
> Of course it's still useful to load the bitfields as enums, but not as useful as it seems on first glance.

Ghidra decompiler looks promising. Just a bit tricky for an IDA user, thanks for the input.
« Last Edit: March 06, 2024, 08:14:53 AM by fknbrkn »
prj
« Reply #36 on: March 06, 2024, 08:16:19 AM »
For fast work IDA is still the best by far.
Ghidra is really clunky to use for many things, but in case of more complex usage, the decompiler is pretty invaluable. Reversing headers and other stuff becomes trivial.
prometey1982
« Reply #37 on: September 12, 2024, 04:27:42 PM »
IDC function for adding indirection XRefs to memory with DPP and extp

```idc
static makexrefauto()
{
    auto curaddr;
    auto prevaddr;
    auto from_addr;
    auto is_ok = 0;
    auto i;

    curaddr = ScreenEA();               // instruction under the cursor
    prevaddr = PrevHead(curaddr, 0);    // instruction before it (may be an extp)

    for (i = 0; i < 2; ++i)
    {
        auto optype = get_operand_type(curaddr, i);
        auto local_addr = get_operand_value(curaddr, i);
        msg("local addr 0x%X, op_type %d\n", local_addr, optype);

        if (optype == o_mem)
        {
            // absolute memory operand: already a full address
            from_addr = local_addr;
            is_ok = 1;
        }
        else if (optype == o_displ)
        {
            auto prev_instr = print_insn_mnem(prevaddr);
            if (prev_instr == "extp")
            {
                // extp #page overrides the DPP page for the following instruction
                from_addr = get_operand_value(prevaddr, 0) * 0x4000 + local_addr;
                is_ok = 1;
            }
            else if (local_addr & 0x8000 && local_addr & 0x4000)
            {
                // top two address bits 11 -> page from DPP3
                from_addr = get_sreg(curaddr, "DPP3") * 0x4000 + local_addr - 0xC000;
                is_ok = 1;
            }
            else if (local_addr & 0x8000)
            {
                // top two address bits 10 -> page from DPP2
                from_addr = get_sreg(curaddr, "DPP2") * 0x4000 + local_addr - 0x8000;
                is_ok = 1;
            }
            else if (local_addr & 0x4000)
            {
                // top two address bits 01 -> page from DPP1
                from_addr = get_sreg(curaddr, "DPP1") * 0x4000 + local_addr - 0x4000;
                is_ok = 1;
            }
            else
            {
                // top two address bits 00 -> page from DPP0
                from_addr = get_sreg(curaddr, "DPP0") * 0x4000 + local_addr;
                is_ok = 1;
            }
        }
        if (is_ok)
            break;
    }

    msg("0x%X\n", from_addr);
    if (!is_ok)
        return;

    AddCodeXref(curaddr, from_addr, XREF_USER);
    auto name = sprintf("0x%X", from_addr);
    MakeComm(curaddr, name);
}
```
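The same DPP/extp address translation as plain Python, added here as an example that is not prometey1982's IDC and not IDA code, so the page arithmetic can be checked outside the disassembler. The DPP values and the instruction list are constructed. Two points go beyond the IDC above and are assumptions about the C167 rather than about the script: the extp case keeps only the low 14 bits of the operand (the page number supplies the rest), and the `#n` count of `extp #pag, #n` is honoured for that many following instructions instead of only the immediately preceding one.

```python
PAGE_SIZE = 0x4000   # C167 data pages are 16 KiB; DPP0..DPP3 map the four 16-bit quarters


def resolve_c167_address(local_addr, dpp, extp_page=None):
    """Translate a 16-bit data operand to a physical address.

    local_addr: the 16-bit operand as the disassembler shows it
    dpp:        the four DPP register values in effect at the instruction (DPP0..DPP3)
    extp_page:  page from a preceding extp, which overrides the DPP selection
    """
    if not 0 <= local_addr <= 0xFFFF:
        raise ValueError(f"not a 16-bit operand: {local_addr:#x}")
    offset = local_addr & 0x3FFF                 # low 14 bits stay, page replaces the top bits
    if extp_page is not None:
        return extp_page * PAGE_SIZE + offset    # assumption: extp overrides for any quarter
    dpp_index = local_addr >> 14                 # top two bits: 00 DPP0, 01 DPP1, 10 DPP2, 11 DPP3
    return dpp[dpp_index] * PAGE_SIZE + offset


def resolve_listing(insns, dpp):
    """Walk (mnemonic, operand) pairs, tracking 'extp' scope by its instruction count.

    Memory instructions carry an int operand; extp carries (page, count).
    Returns one physical address per instruction, None for the extp itself.
    """
    out = []
    extp_page, extp_left = None, 0
    for mnem, op in insns:
        if mnem == "extp":
            extp_page, extp_left = op
            out.append(None)
            continue
        out.append(resolve_c167_address(op, dpp, extp_page if extp_left else None))
        if extp_left:
            extp_left -= 1
            if extp_left == 0:
                extp_page = None             # override expired, back to the DPPs
    return out


# Constructed register state: DPP2 pointed at page 0x20, the others at their reset pages.
DPP = (0x0000, 0x0001, 0x0020, 0x0003)

# Constructed instruction stream: an extp covering two instructions, then a plain access.
SAMPLE = [
    ("extp", (0x38, 2)),
    ("mov", 0x0100),     # under extp: page 0x38, offset 0x100
    ("mov", 0x8200),     # still under extp: page 0x38, offset 0x200
    ("mov", 0x8200),     # extp expired: top bits 10 -> DPP2 = 0x20
]

if __name__ == "__main__":
    for insn, phys in zip(SAMPLE, resolve_listing(SAMPLE, DPP)):
        print(insn, None if phys is None else f"{phys:#08x}")
```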
Artemisia
« Reply #38 on: September 23, 2024, 11:21:10 PM »
A script that generates patterns that can help to identify variable addresses in a slightly different file.

You input the segment name in which to search for the variable. The script will load all references of that variable, and load 5 instructions before and after each instance. Then it applies wildcards to dynamic operands while keeping the opcode. Generated patterns / sequences are output to the console.

Works for IDA 7.5, Python 3.8.2

Output example:

```
Clearing console...
Variable 'redist' found at address: 0xd000190c
Usage of 'redist' found at 0x800a9258: st32.b redist, d15
Generated pattern: AB 11 ?? ?? 37 00 ?? ?? 02 F1 BF 50 ?? ?? 25 DF ?? ?? 25 DF ?? ?? 16 FF 05 D0 ?? ?? EE 04 8F 40 ?? ??
Usage of 'redist' found at 0x8010d5ca: ld32.bu d1, redist
Generated pattern: 05 D4 ?? ?? 6D FF ?? ?? 25 D2 ?? ?? 00 90 BB 00 ?? ?? 05 D1 ?? ?? DF 01 ?? ?? 82 0F FF 51 ?? ?? 82 50
Usage of 'redist' found at 0x8010de2e: ld32.bu d8, redist
Generated pattern: D9 0F ?? ?? A8 0F 00 90 05 DF ?? ?? 3C 51 05 D8 ?? ?? D5 D7 ?? ?? FF 58 ?? ?? D9 0F ?? ?? 82 66
Usage of 'redist' found at 0x8010e390: ld32.bu d15, redist
Generated pattern: 00 90 D9 0F ?? ?? 05 DF ?? ?? 37 0F ?? ?? 28 0F 05 DF ?? ?? D9 0F ?? ?? 28 0F 00 90 00 90
Usage of 'redist' found at 0x801241a2: ld32.bu d15, redist
Generated pattern: 05 DF ?? ?? 09 F0 ?? ?? 3F 0F ?? ?? 05 DF ?? ?? 6F 3F ?? ?? 05 DF ?? ?? FF 5F ?? ?? 05 D0 ?? ?? 09 CF ?? ?? 42 0F
Usage of 'redist' found at 0x80124312: ld32.bu d15, redist
Generated pattern: 05 D0 ?? ?? 05 DF ?? ?? AB 00 ?? ?? 25 DF ?? ?? 00 90 05 DF ?? ?? 1E 55 05 DF ?? ?? 6F 3F ?? ?? D5 DA ?? ??
```
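The consumer side of these patterns, added as an example that is not Artemisia's script: a parser for the `??` wildcard notation and a scanner that finds the pattern in a byte blob and hands back the bytes that sat under the wildcards, which is where the relocated operand bytes end up in the other file. The blob is constructed (the post's first pattern with made-up operand bytes, surrounded by filler); the 2-byte scan step assumes the pattern starts on a TriCore instruction boundary, which holds for a window that begins 5 instructions before the usage. Pattern generation itself is not reproduced here.

```python
import re

# First pattern from the post, used verbatim as the search input.
PATTERN = ("AB 11 ?? ?? 37 00 ?? ?? 02 F1 BF 50 ?? ?? 25 DF ?? ?? 25 DF ?? ?? "
           "16 FF 05 D0 ?? ?? EE 04 8F 40 ?? ??")


def parse_pattern(text):
    """'AB 11 ?? ??' -> [0xAB, 0x11, None, None]; None marks a wildcard byte."""
    out = []
    for tok in text.split():
        if tok == "??":
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad pattern token {tok!r}")
    if not out:
        raise ValueError("empty pattern")
    return out


def find_pattern(blob, pattern, align=2):
    """Return [(offset, wildcard_bytes), ...] for every occurrence of pattern in blob.

    Fixed bytes must match exactly; wildcard positions accept anything and their
    actual values are collected so the caller can read the new operand bytes.
    """
    n = len(pattern)
    hits = []
    for off in range(0, len(blob) - n + 1, align):
        window = blob[off:off + n]
        if all(p is None or p == b for p, b in zip(pattern, window)):
            captured = bytes(b for p, b in zip(pattern, window) if p is None)
            hits.append((off, captured))
    return hits


def build_blob():
    """Constructed 'other firmware' image: filler, one instance of PATTERN, filler.

    The 14 wildcard slots are filled with 0x10, 0x11, ... so a match can be checked.
    """
    pat = parse_pattern(PATTERN)
    fill = iter(range(0x10, 0x10 + 64))
    instance = bytes(b if b is not None else next(fill) for b in pat)
    filler = b"\x00\x90" * 8
    return filler + instance + filler


if __name__ == "__main__":
    blob = build_blob()
    for off, wild in find_pattern(blob, parse_pattern(PATTERN)):
        print(f"match at {off:#x}, operand bytes under wildcards: {wild.hex(' ')}")
```

With several usages of the same variable, a practitioner would run each generated pattern against the new image and keep only those that match exactly once; a pattern that matches many places (short, or made mostly of common opcodes) identifies nothing on its own.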
« Last Edit: September 23, 2024, 11:23:00 PM by Artemisia »
prometey1982
« Reply #39 on: October 10, 2024, 12:39:07 AM »
Updated script to load A2L to IDA. Also contains a function to disassemble a memory region instead of repeating Ctrl+U C.

Usage:

```python
processrom(0x0, 0x80000)  # try to disassemble memory from 0x0 to 0x80000
a2l(r'c:\my_shit\a2l\my_super_puper.a2l')  # load a2l (raw string so the backslashes are kept literally)
```

Works with IDA 7.7. Tested on Volvo ME9 and Ford ME9 A2L and bins.
prj
« Reply #40 on: October 10, 2024, 03:28:52 AM »
> Updated script to load A2L to IDA. Also contains function to disassemble memory region instead of repeating Ctrl+U C. Usage: processrom(0x0, 0x80000) # try to disassemble memory from 0x0 to 0x80000 a2l('c:\my_shit\a2l\my_super_puper.a2l') # load a2l
> Works with IDA 7.7. Tested on Volvo ME9 and Ford ME9 A2L and bins.

I am not sure what you did besides copy-pasting my script from the first post into a .py file?
prometey1982
« Reply #41 on: October 10, 2024, 06:00:07 AM »
> I am not sure what you did besides copy-pasting my script form first post into a .py file?

I'm maintaining this script to support new IDA versions. Also, functionality was added to define enums for c167 CPUs, and a function to define code and functions with a one-line command. And this script defines maps too, instead of the original function. It works well with PowerPC and c167 ECUs.
« Last Edit: October 10, 2024, 06:02:24 AM by prometey1982 »