Author Topic: ME7 Swiss Army Knife! (Including ME7 ROM MAP Finder)  (Read 9301 times)
DT
« Reply #45 on: June 12, 2019, 03:15:54 PM »

Quote from: 360trev
I will be releasing a big update soon..

I have re-designed the way my search works now to be more like the way my custom disassembler works. This allows me to automatically mask out physical addresses for given instructions, etc. and therefore compare dumped functions between ECU dumps. This in turn allows rapid discovery of variables for the purposes of logging, etc.

Really nice!
I think I've suggested it before, but have you thought about incorporating a points system to be able to get an even higher hit count in different files, like SpamAssassin's system? Positive points for an opcode match, negative points if not matching. Sometimes the routine matches except for an additional command or a different source/destination register within a very similar routine.
360trev
« Reply #46 on: June 14, 2019, 07:35:06 AM »

Quote from: DT
Really nice!
I think I've suggested it before, but have you thought about incorporating a points system to be able to get an even higher hit count in different files, like SpamAssassin's system? Positive points for an opcode match, negative points if not matching. Sometimes the routine matches except for an additional command or a different source/destination register within a very similar routine.

Well yes, I actually already mask out the registers anyway from all matches, as this is compiler-generation specific and not related to the pure logic of the original functional C code.

I am sure a points system could work well and I will invest some time on it; the only concern really is having enough data points in the original signatures for it to make sense. In other words, the signatures need to be of a given size to make it work well. The idea of looking at the number of function calls and the variables used already gives quite a decent level of match; adding a weighting system could help refine it further and make it even better, agreed.

I'd like to re-visit this and re-write it with an opcode API (a bit like the one used in IDA) so I could make it instruction-set agnostic. That would be useful then for attacking other later architectures like PowerPC and Infineon TriCores too.

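A sketch of the points system DT asked about in Reply #45 and 360trev agrees to consider in Reply #46, added here as an example and not code from the Swiss Army Knife or from either poster. Instructions are first normalised so register numbers and absolute addresses are masked out (the masking 360trev says he already does), then a signature is scored against each candidate with a Needleman-Wunsch style alignment: +2 per matching opcode, -2 per mismatch, -1 per inserted or dropped instruction, so a routine that differs only by one extra instruction or by register allocation still scores close to an exact hit. The instruction tuples below are constructed sample data, not disassembly of any ROM, and the thresholds are my choice.

```python
"""Added example: weighted opcode-signature matching with registers and
addresses masked. Constructed instruction tuples, not real ME7 disassembly."""

MATCH, MISMATCH, GAP = 2, -2, -1   # SpamAssassin-style points per aligned pair

def normalise(ins):
    """Keep the logic shape, drop compiler/build detail: registers (R0..R15)
    become 'R', absolute addresses (0x....) become '@', everything else stays."""
    mnem, operands = ins
    masked = []
    for op in operands:
        if op.startswith("R") and op[1:].isdigit():
            masked.append("R")
        elif op.startswith("0x"):
            masked.append("@")
        else:
            masked.append(op)      # immediates and condition codes are part of the logic
    return (mnem, tuple(masked))

def score(signature, candidate):
    """Global alignment score between two instruction sequences (Needleman-Wunsch).
    An extra or missing instruction costs GAP rather than breaking the match."""
    a = [normalise(i) for i in signature]
    b = [normalise(i) for i in candidate]
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        dp[i][0] = i * GAP
    for j in range(1, m + 1):
        dp[0][j] = j * GAP
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            pair = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            dp[i][j] = max(dp[i - 1][j - 1] + pair,
                           dp[i - 1][j] + GAP,
                           dp[i][j - 1] + GAP)
    return dp[n][m]

def rank(signature, functions, min_score):
    """Candidates sorted best-first, dropping anything below min_score.
    min_score should scale with len(signature): short signatures carry too few
    points to separate a real match from noise (the concern raised in the post)."""
    scored = sorted(((score(signature, f), name) for name, f in functions.items()),
                    reverse=True)
    return [(name, s) for s, name in scored if s >= min_score]

# Constructed signature "from ROM A": test a variable, bail out if zero,
# otherwise report DTC index 0x4F through a shared handler.
SIGNATURE = [
    ("MOV",   ("R4", "0x0F8C")),
    ("CMP",   ("R4", "#0")),
    ("JMPR",  ("cc_EQ", "0x2B60")),
    ("MOV",   ("R12", "#0x4F")),
    ("CALLA", ("cc_UC", "0x2B572")),
    ("RETS",  ()),
]

# Constructed candidates "from ROM B".
CANDIDATES = {
    "same_logic_other_regs": [      # only register allocation and addresses differ
        ("MOV", ("R5", "0x0FA0")), ("CMP", ("R5", "#0")), ("JMPR", ("cc_EQ", "0x2C10")),
        ("MOV", ("R13", "#0x4F")), ("CALLA", ("cc_UC", "0x2C554")), ("RETS", ()),
    ],
    "one_extra_instruction": [      # compiler emitted one more instruction mid-routine
        ("MOV", ("R4", "0x0F8C")), ("CMP", ("R4", "#0")), ("MOV", ("R5", "#1")),
        ("JMPR", ("cc_EQ", "0x2B60")), ("MOV", ("R12", "#0x4F")),
        ("CALLA", ("cc_UC", "0x2B572")), ("RETS", ()),
    ],
    "unrelated": [("ADD", ("R1", "R2")), ("RETS", ())],
}

if __name__ == "__main__":
    for name, s in rank(SIGNATURE, CANDIDATES, min_score=len(SIGNATURE)):
        print("%-24s %3d" % (name, s))
```

With these weights the exact-shape candidate scores 12, the one with an inserted instruction 11, and the unrelated stub -4, so a threshold tied to signature length keeps the near-miss and drops the noise; in practice the per-opcode weights would be tuned per architecture once the opcode API 360trev mentions exists.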
360trev
« Reply #47 on: June 20, 2019, 06:35:24 AM »

And here is the reverse lookup from the DTC table that I explained was possible earlier...

  0) MATCHED @ 0x0002B572 : DTC idx= 62 (0x3E)     DFPM_DUMMY_D() : (Unsupported) Lambda Probe Aging TP
  1) MATCHED @ 0x0002B572 : DTC idx= 63 (0x3F)     DFPM_DUMMY_D() : (Unsupported) Lambda Probe Aging TV
  2) MATCHED @ 0x0002B572 : DTC idx= 98 (0x62)     DFPM_DUMMY_D() : (Unsupported) OBDII Empty Tank Failure
  3) MATCHED @ 0x0002B572 : DTC idx=100 (0x64)     DFPM_DUMMY_D() : (Unsupported) Tank Low Flow Switch Valve (Power Amplifier)
  5) MATCHED @ 0x0002B572 : DTC idx=106 (0x6A)     DFPM_DUMMY_D() : (Unsupported) Engine Oil Temperature
  6) MATCHED @ 0x0002B572 : DTC idx=107 (0x6B)     DFPM_DUMMY_D() : (Unsupported) Ambient (Air) Temperature TUM
  7) MATCHED @ 0x0002C554 : DTC idx= 91 (0x5B)     DFPM_DSLSLRS() : Secondary Air System
  9) MATCHED @ 0x00035A72 : DTC idx=117 (0x75)       DFPM_DVKUP() : Engine Off Request from F1 TCU Failure
 12) MATCHED @ 0x0003809C : DTC idx= 69 (0x45)      DFPM_DMDMIL() : Misfire, Sum Error (Multiple)
 14) MATCHED @ 0x0003CB14 : DTC idx= 79 (0x4F)         DFPM_DDG() : Speed Sensor
 16) MATCHED @ 0x0003D314 : DTC idx= 80 (0x50)       DFPM_DNWKW() : Assignment Camshaft to Crankshaft
 17) MATCHED @ 0x0003D5D8 : DTC idx= 84 (0x54)         DFPM_DPH() : Phase Sensor
 18) MATCHED @ 0x00040000 : DTC idx= 61 (0x3D)      DFPM_DLSAHK() : Lambda Probe aging behind cat.
 19) MATCHED @ 0x000408FA : DTC idx= 48 (0x30)       DFPM_DHLSU() : Lambda Probe Heating 2 before Catalyst
 20) MATCHED @ 0x000408FA : DTC idx= 46 (0x2E)       DFPM_DHLSU() : Lambda probe heater in front of catalyst; (Bank2)
 21) MATCHED @ 0x00042C64 : DTC idx= 67 (0x43)        DFPM_DLSU() : Lambda Probe before Cat
 22) MATCHED @ 0x000431A4 : DTC idx=116 (0x74)        DFPM_DVFZ() : Vehicle Speed
 24) MATCHED @ 0x00044642 : DTC idx= 36 (0x24)       DFPM_GGPED() : Throttle Pedal Poti 1
 25) MATCHED @ 0x000472D2 : DTC idx= 24 (0x18)        DFPM_DDVE_ERR() : DV-E Error Undefined
 26) MATCHED @ 0x00047628 : DTC idx= 19 (0x13)        DFPM_DDVE_FAULT() : DV-E Feather Check Error
 27) MATCHED @ 0x00047628 : DTC idx= 28 (0x1C)        DFPM_DDVE_FAULT() : DV-E Amplifier Matching Error
 28) MATCHED @ 0x00047628 : DTC idx= 20 (0x14)        DFPM_DDVE_FAULT() : DV-E Return Spring Failure
 29) MATCHED @ 0x00047628 : DTC idx= 26 (0x1A)        DFPM_DDVE_FAULT() : DV-E Errors in Motor Driven Throttle
 30) MATCHED @ 0x00047628 : DTC idx= 23 (0x17)        DFPM_DDVE_FAULT() : DV-E Control Range
 33) MATCHED @ 0x0004BE5C : DTC idx= 32 (0x20)       DFPM_DEKON_EV() : EV by Cylinder 1
 34) MATCHED @ 0x0004BE5C : DTC idx= 33 (0x21)       DFPM_DEKON_EV() : EV by Cylinder 2
 35) MATCHED @ 0x0004BE5C : DTC idx= 34 (0x22)       DFPM_DEKON_EV() : EV by Cylinder 3
 39) MATCHED @ 0x0004C2C8 : DTC idx= 44 (0x2C)       DFPM_DEKON_PWR() : Power amplifier heating probe behind cat.
 40) MATCHED @ 0x0004C2C8 : DTC idx= 44 (0x2C)       DFPM_DEKON_PWR() : Power amplifier heating probe behind cat.
 41) MATCHED @ 0x0004C556 : DTC idx= 83 (0x53)       DFPM_DEKON_CAM() : Camshaft Control Valve Power Amplifier
 42) MATCHED @ 0x0004C71C : DTC idx= 94 (0x5E)       DFPM_DEKON_CHG1() : End Stage Suction Tube Changeover
 43) MATCHED @ 0x0004C7A8 : DTC idx= 95 (0x5F)       DFPM_DEKON_CHG2() : Circuit intake manifold Bank 2
 44) MATCHED @ 0x0004CA60 : DTC idx= 88 (0x58)         DFPM_SGA() : Switch Control Selector
 45) MATCHED @ 0x0005117E : DTC idx= 81 (0x51)        DFPM_DNWS() : Camshaft Control
 46) MATCHED @ 0x00051206 : DTC idx= 82 (0x52)        DFPM_DNWS() : Camshaft Control Bank2
 47) MATCHED @ 0x00055E50 : DTC idx= 39 (0x27)        DFPM_DKVS_UPR() : LR-Adaption Upper Multiplicative
 48) MATCHED @ 0x00055E50 : DTC idx= 86 (0x56)        DFPM_DKVS_UPR() : LR adaptation QL additive
 49) MATCHED @ 0x00055F34 : DTC idx= 40 (0x28)        DFPM_DKVS_LWR() : LR Adaption Lower Multiplicative
 50) MATCHED @ 0x00055F34 : DTC idx= 87 (0x57)        DFPM_DKVS_LWR() : LR adaptation ti-additive
 51) MATCHED @ 0x000576B2 : DTC idx= 97 (0x61)       DFPM_GGTFA() : (IAT) Intake Air Temperature Sensor (Airflow Meters)
 52) MATCHED @ 0x00057AA4 : DTC idx=105 (0x69)       DFPM_GGTFM() : Engine Temperature TMOT
 53) MATCHED @ 0x000597BC : DTC idx= 51 (0x33)       DFPM_DTKAT() : Catalyst Temperature
 54) MATCHED @ 0x000597BC : DTC idx= 51 (0x33)       DFPM_DTKAT() : Catalyst Temperature
 55) MATCHED @ 0x000597BC : DTC idx= 51 (0x33)       DFPM_DTKAT() : Catalyst Temperature
 56) MATCHED @ 0x00059AC4 : DTC idx= 49 (0x31)         DFPM_SAK() : Catalyst Protection Active
 57) MATCHED @ 0x0005B414 : DTC idx= 54 (0x36)       DFPM_DKRNT() : Knock Control Null Test
 58) MATCHED @ 0x0005B414 : DTC idx= 55 (0x37)       DFPM_DKRNT() : Knock Control Offset
 59) MATCHED @ 0x0005BD90 : DTC idx= 56 (0x38)       DFPM_DKRTP() : Knock Control Test Pulses
 60) MATCHED @ 0x00064F7C : DTC idx=111 (0x6F)         DFPM_DUF() : Function Monitoring : Safety Fuel Cutoff
 61) MATCHED @ 0x00064F7C : DTC idx=110 (0x6E)         DFPM_DUF() : Function Monitoring : Moment Comparison
 62) MATCHED @ 0x00064F7C : DTC idx=109 (0x6D)         DFPM_DUF() : Function Monitoring : Other ME Data
 63) MATCHED @ 0x00064FEA : DTC idx=111 (0x6F)         DFPM_DUF_CUT() : Function Monitoring : Safety Fuel Cutoff
 64) MATCHED @ 0x0006520A : DTC idx=113 (0x71)         DFPM_DUR() : Computer Monitoring : ROM
 65) MATCHED @ 0x0006A696 : DTC idx= 96 (0x60)       DFPM_BGRBS() : Bad Path Detection Acceleration Sensor
 66) MATCHED @ 0x0006BDAE : DTC idx= 17 (0x11)        DFPM_DDST() : Pressure Sensor Tank
 67) MATCHED @ 0x0006C134 : DTC idx=102 (0x66)       DFPM_DTESK() : Tank Bleeding System Grobleck
 68) MATCHED @ 0x0006C134 : DTC idx=103 (0x67)       DFPM_DTESK() : Tank detoxification system Kleinstleck


It's discovered all of these diagnostic function entry points from the original DTCs. It does this by deriving the ID from the table and then searching for the opcode where the ID calls the DTC function. Once it finds a hit it walks backwards until it finds the start of the function. This makes it very easy (even for DTCs you haven't yet reversed) to look up their function from workshop manuals or the web and then find the function entry point directly. From this I could now generate an IDC script to use MakeName() on the entries. You could, for example, use this to very rapidly label all of the DTC functions automatically, AND functions whose variables you know, in a new ROM you've just dumped. That's why this approach is very powerful and rapidly accelerates the reversing of a ROM...

 
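The lookup described in Reply #47 (DTC index, then the call site that passes it, then walk back to the function start, then an IDC script), as an added example that is not the Swiss Army Knife's code or 360trev's. It assumes C166 encodings as I read the instruction set manual (MOV Rwn,#data16 = E6 Fn, CALLA = CA cc, RETS = DB 00, RET = CB 00), a hypothetical DFPM handler address, and that the DTC index is passed as a 16-bit immediate loaded just before the call; the ROM image is constructed inline, and the "previous RETS" walk-back is a deliberately simple stand-in for a real prologue heuristic. The register nibble is masked so the compiler's register choice does not matter, and several indices landing on one function (the DFPM_DUMMY_D case in the output above) are handled.

```python
"""Added example: DTC index -> call site -> function entry point -> IDC labels.
Not the tool's code; C166 encodings and the DFPM calling convention are my
assumptions, and the ROM image is constructed test data."""
import struct

# C166 opcodes as I read the instruction set manual (assumption: verify
# against the target firmware before trusting any hit).
OP_MOV_RW_IMM16 = 0xE6   # E6 Fn ## ##  MOV Rwn, #data16
OP_CALLA        = 0xCA   # CA cc ## ##  CALLA cc, caddr
OP_RETS         = 0xDB   # DB 00        RETS
OP_RET          = 0xCB   # CB 00        RET
ERASED          = 0xFF   # flash fill between functions

def build_constructed_rom(dfpm_addr, funcs, size=0x400):
    """Constructed image: each (start, reg, [idx, ...]) becomes a function at
    `start` that loads each DTC index into R<reg>, calls DFPM, then RETS."""
    rom = bytearray([ERASED] * size)
    rom[0:2] = bytes([OP_RETS, 0x00])                      # tail of a "previous" function
    rom[dfpm_addr:dfpm_addr + 2] = bytes([OP_RETS, 0x00])  # stub DFPM handler
    for start, reg, indices in funcs:
        body = bytes([OP_MOV_RW_IMM16, 0xF4]) + struct.pack("<H", 0x1234)  # unrelated setup
        for idx in indices:
            body += bytes([OP_MOV_RW_IMM16, 0xF0 | reg]) + struct.pack("<H", idx)
            body += bytes([OP_CALLA, 0x00]) + struct.pack("<H", dfpm_addr)
        body += bytes([OP_RETS, 0x00])
        rom[start:start + len(body)] = body
    return bytes(rom)

def find_dtc_callsites(rom, dfpm_addr):
    """Scan for `MOV Rw, #idx ; CALLA cc, dfpm` pairs. The register nibble is
    masked, so which Rw the compiler picked is irrelevant. Returns {idx: [callsite...]}."""
    target = struct.pack("<H", dfpm_addr)
    hits = {}
    for off in range(0, len(rom) - 7, 2):        # C166 instructions are word aligned
        if rom[off] != OP_MOV_RW_IMM16 or (rom[off + 1] & 0xF0) != 0xF0:
            continue
        if rom[off + 4] != OP_CALLA or rom[off + 6:off + 8] != target:
            continue
        idx = struct.unpack_from("<H", rom, off + 2)[0]
        hits.setdefault(idx, []).append(off + 4)
    return hits

def find_function_start(rom, callsite):
    """Walk backwards from the call, word by word, to the previous function's
    RETS/RET, then skip erased fill. Heuristic: data or immediates that happen
    to look like DB 00 cut the walk short, so confirm the result in IDA."""
    off = callsite
    while off >= 2:
        off -= 2
        if rom[off] in (OP_RETS, OP_RET) and rom[off + 1] == 0x00:
            start = off + 2
            while start + 1 < callsite and rom[start] == ERASED and rom[start + 1] == ERASED:
                start += 2
            return start
    return 0

def resolve(rom, dfpm_addr, dtc_names):
    """{idx: (function_start, name)} for every DTC index referenced in the ROM."""
    out = {}
    for idx, sites in find_dtc_callsites(rom, dfpm_addr).items():
        start = find_function_start(rom, sites[0])
        out[idx] = (start, dtc_names.get(idx, "DFPM_UNKNOWN_%02X" % idx))
    return out

def make_idc(entries):
    """IDC script with one MakeName() per discovered entry point (the classic IDC
    call the post refers to; newer IDA versions also provide set_name())."""
    by_addr = {}
    for idx, (start, name) in entries.items():
        by_addr.setdefault(start, (name, []))[1].append(idx)
    lines = ["#include <idc.idc>", "static main() {"]
    for start in sorted(by_addr):
        name, idxs = by_addr[start]
        tags = ", ".join("0x%02X" % i for i in sorted(idxs))
        lines.append('    MakeName(0x%08X, "%s");  // DTC idx %s' % (start, name, tags))
    lines.append("}")
    return "\n".join(lines)

DFPM_ADDR = 0x0200   # hypothetical address of the shared DTC handler
DTC_NAMES = {79: "DFPM_DDG", 84: "DFPM_DPH", 116: "DFPM_DVFZ",   # names from the post's output
             62: "DFPM_DUMMY_D", 63: "DFPM_DUMMY_D"}
FUNCS = [(0x100, 12, [79]), (0x140, 12, [84]), (0x180, 13, [116]), (0x1C0, 12, [62, 63])]
ROM = build_constructed_rom(DFPM_ADDR, FUNCS)

if __name__ == "__main__":
    print(make_idc(resolve(ROM, DFPM_ADDR, DTC_NAMES)))
```

On a real dump the handler address comes from the DTC table reversing the earlier pages describe, and the walk-back should stop at a recognised prologue rather than at the first DB 00 word; the IDC output is what you would load into IDA to label the entries in one go.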
Blazius
« Reply #48 on: June 23, 2019, 03:07:57 PM »

snip
 

You should probably also update the GitHub readme lol, I bet people don't even know you can instafind KRKTE, MLHFM, KFPED, LAMFA and others in any bin, instantly, because the GitHub readme is not updated.
vwaudiguy
« Reply #49 on: September 10, 2019, 09:05:25 PM »

test.bin is in the same directory as the .exe

Opening 'test.bin' file

Can't open file "test.bin".
Failed to load, result = -1
Nothing to free

Halp?
