Pages: [1] 2
Author Topic: Tricore Addressing Mode  (Read 10469 times)
unicornux
Full Member
***

Karma: +2/-6
Offline Offline

Posts: 83


« on: November 10, 2020, 12:36:13 AM »

Hi guys.
I recently start Tricore Arch.
And during reversing an ECU dump, I was confronted to some problem.
One of the ways that there is for addressing mode is that uses 'a0' register.

For example : a15, [a0]-0x68C6

But when I was looking for a0 value I couldn't find anything. Sad
How I can calculate and find this address value?
Can anyone explain me this issue?
Logged
nyet
Administrator
Hero Member
*****

Karma: +607/-168
Offline Offline

Posts: 12270


WWW
« Reply #1 on: November 10, 2020, 12:45:15 AM »

A0 is a global register that is generally only set up once. iirc the only op that is used to modify it is MTCR (move to core register)
It provides the base address of small data storage globals, which can be accessed quickly with the base addr addressing mode w/o a ton of operations. Generally never modified, even in ISRs.

you'll need an a2l or something to give you the memory map, which should tell you where small data storage starts.
« Last Edit: November 10, 2020, 12:46:55 AM by nyet » Logged

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« Reply #2 on: November 10, 2020, 02:41:05 AM »

This is what worked for me (in my scenario)

You know that A0 needs to get initialised (loaded with some value)

Therefore do a text search in your disassembler like this -  "lea             a0"

And you’ll find a result like this:

seg002:808835CC                 movh.a          a0, #0xD002
seg002:808835D0                 lea             a0, [a0]-0x8000
seg002:808835D4                 movh.a          a1, #0xA081
seg002:808835D8                 lea             a1, [a1]-0x8000
seg002:808835DC                 movh.a          a8, #0x8005
seg002:808835E0                 lea             a8, [a8]-0x7800
seg002:808835E4                 movh.a          a9, #0xD001
seg002:808835E8                 lea             a9, [a9]-0x4000

In this example, A0, A1, A8 and A9 are used as ‘helper registers’ – base address plus offset.

This is just one way of figuring it out. There are other ways as well, there's a thread on this forum that works it out using known map addresses.

Logged
unicornux
Full Member
***

Karma: +2/-6
Offline Offline

Posts: 83


« Reply #3 on: November 11, 2020, 12:04:41 AM »

This is what worked for me (in my scenario)

You know that A0 needs to get initialised (loaded with some value)

Therefore do a text search in your disassembler like this -  "lea             a0"

And you’ll find a result like this:

seg002:808835CC                 movh.a          a0, #0xD002
seg002:808835D0                 lea             a0, [a0]-0x8000
seg002:808835D4                 movh.a          a1, #0xA081
seg002:808835D8                 lea             a1, [a1]-0x8000
seg002:808835DC                 movh.a          a8, #0x8005
seg002:808835E0                 lea             a8, [a8]-0x7800
seg002:808835E4                 movh.a          a9, #0xD001
seg002:808835E8                 lea             a9, [a9]-0x4000

In this example, A0, A1, A8 and A9 are used as ‘helper registers’ – base address plus offset.

This is just one way of figuring it out. There are other ways as well, there's a thread on this forum that works it out using known map addresses.




This approach worked for me, too.
Thanks a lot.

But the addressing mode for assign value to a0 is different for me that I have shown below:

movh.a          a0, #@HIS(unk_D00032E0)
lea             a0, [a0]@LOS(unk_D00032E0)

As you see it seems I need procedures that copy data from FLASH to RAM(probably they show by structures).
Is there any approach to find these procedures?
I have no idea how can I find out what is going to be executed.

PS: Unfortunately I have not any A2L file Sad

Thanks in advance.
Logged
unicornux
Full Member
***

Karma: +2/-6
Offline Offline

Posts: 83


« Reply #4 on: November 11, 2020, 12:06:40 AM »

you'll need an a2l or something to give you the memory map, which should tell you where small data storage starts.

Interesting reply but unfortunately I have not any A2L file.  Undecided
Logged
nyet
Administrator
Hero Member
*****

Karma: +607/-168
Offline Offline

Posts: 12270


WWW
« Reply #5 on: November 11, 2020, 12:35:07 AM »

movh.a          a0, #@HIS(unk_D00032E0)
lea             a0, [a0]@LOS(unk_D00032E0)

What? you're looking at it.

unk_D00032E0 is literally D00032E0. It means the disassembler is seeing d00032e0 but doesn't know what it is, hence the unk

so this is
movh.a a0, d000
lea a0, [a0]+32e0

or a0 = d00032e0
Logged

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
unicornux
Full Member
***

Karma: +2/-6
Offline Offline

Posts: 83


« Reply #6 on: November 11, 2020, 12:49:23 AM »

What? you're looking at it.

unk_D00032E0 is literally D00032E0. It means the disassembler is seeing d00032e0 but doesn't know what it is, hence the unk

so this is
movh.a a0, d000
lea a0, [a0]+32e0

or a0 = d00032e0

According to this thread(http://nefariousmotorsports.com/forum/index.php?topic=6990.msg87488#msg87488) I thought need a struct for rest of works.
Logged
nyet
Administrator
Hero Member
*****

Karma: +607/-168
Offline Offline

Posts: 12270


WWW
« Reply #7 on: November 11, 2020, 12:55:14 AM »

What does this have to do with your original question

Quote
For example : a15, [a0]-0x68C6

in which you asked what a0 was?
Logged

ME7.1 tuning guide
ECUx Plot
ME7Sum checksum
Trim heatmap tool

Please do not ask me for tunes. I'm here to help people make their own.

Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
unicornux
Full Member
***

Karma: +2/-6
Offline Offline

Posts: 83


« Reply #8 on: November 11, 2020, 01:05:01 AM »

What does this have to do with your original question

in which you asked what a0 was?

OOOM, I guess maybe I should create a new topic for next question.
I want to associate all the related question in this topic.
Excuse Me.
Thanks.
Logged
crystal_imprezav
Newbie
*

Karma: +5/-0
Offline Offline

Posts: 12


« Reply #9 on: November 30, 2020, 05:49:21 PM »

Look in the tricore helper sticky for the parse indirect script. Then find the main routine in the asw. From there you will be able to find a0, csa_smalldata2, and a10(sp) to use with the indirect script.
Logged
360trev
Full Member
***

Karma: +68/-2
Offline Offline

Posts: 235


« Reply #10 on: December 04, 2020, 07:21:20 AM »

Have a play with Ghidra, it can translate Tricore instructions into pseudo code and will massively accelerate your understanding of the instruction set!

Logged
terminator
Sr. Member
****

Karma: +15/-4
Offline Offline

Posts: 425


« Reply #11 on: March 04, 2021, 10:01:32 AM »

What is a stack pointer?
I know the basics like push and pop, sp points to the value stored on the stack.
From the instruction set I read:

SUB.A A[10], const8
Decrement the Stack Pointer (A[10]) by the zero-extended value of const8 (a range of 0 through to 255).

sp is actually a10 and like a0, a1, a8, a9 in most cases set up only once:
movh.a          sp, #@HIS(unk_D000C380)
lea                 sp, [sp]@LOS(unk_D000C380)


I would appreciate if anyone could comment on this part of the code.

 0x80006EA8       sub.a        sp, #0x20        // allocate a space   
 0x80006EAA       movh.a       a15, #0xD000
 0x80006EAE       lea          a4, [sp]0x14     // load address to a4.  0xD000C380 + 0x14?
 0x80006EB2       lea          a15, [a15]0xBF4      
 0x80006EB6       ld.w         d4, [a15]0x00
 0x80006EB8       call         0x80007086
 0x80006EBC       ld.w         d4, [a15]0x01
 0x80006EBE       lea          a4, [sp]0x08      
 0x80006EC2       call         0x80007086
 0x80006EC6       ld.hu        d2, [sp]0x16
 0x80006ECA       jeq          d2, #0x00, 0x80006F1A
 0x80006ECE       ld.hu        d1, [sp]0x0A
 0x80006ED2       jeq          d1, #0x00, 0x80006F1A
 0x80006ED6       ld.w         d15, [sp], #0x07
 0x80006ED8       jlt.u        d15, #0x02, 0x80006F1A
 0x80006EDC       ld.w         d15, [sp], #0x04
 0x80006EDE       jlt.u        d15, #0x02, 0x80006F1A
 0x80006EE2       ld.hu        d0, [sp]0x18
 0x80006EE6       ld.hu        d15, [sp]0x0C
 0x80006EEA       jeq          d0, d15, 0x80006F1A
 0x80006EEE       mov          d0, #0x00
 0x80006EF0       mov.aa       a15, sp

Logged
prj
Hero Member
*****

Karma: +1072/-481
Offline Offline

Posts: 6037


« Reply #12 on: March 04, 2021, 10:16:19 AM »

You need to read a book about programming basics or you need some formal education on that matter.

This Wiki article is pretty good:
https://en.wikipedia.org/wiki/Stack_register

Your first comment is already wrong. A4 is loaded with address that is 0x14 offset from current sp.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
terminator
Sr. Member
****

Karma: +15/-4
Offline Offline

Posts: 425


« Reply #13 on: March 04, 2021, 12:06:21 PM »

Thanks for the answer. I hope I understood it right.

By default, the stack grows downward in memory, so newer values are placed at lower memory addresses.
sub.a        sp, #0x20
lea              a4, [sp]0x14     // 0xD000C380 - 0x20 + 0x14 = 0xD000C374 ?
ld.bu        d15, [a4]0x00      // load byte from 0xD000C374 to d15? right?


« Last Edit: March 04, 2021, 12:10:28 PM by terminator » Logged
prj
Hero Member
*****

Karma: +1072/-481
Offline Offline

Posts: 6037


« Reply #14 on: March 04, 2021, 03:44:12 PM »

Your assumptions towards the stack pointer is wrong.
You have zero guarantees that it is D000C380 at that point. There can be and most likely are more function calls in the callstack. Each of them makes use of the stackpointer for storage. You never know what it exactly points to (apart from exactly at the initialization) nor should you care. It is simply function-local storage that does not fit into registers. Your only care should be that you do not overflow the stack due to too much recursion or function call chains.
Trying to find the absolute address is a complete waste of time, nor is it the intended usage of the stack pointer. In fact the absolute address is different every time the function is called from a different place.

You need to study the basics, you are trying to run before you can walk.
Try to learn how a stack pointer fits into an architecture and everything will become clear.
« Last Edit: March 04, 2021, 03:47:21 PM by prj » Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
Pages: [1] 2
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.025 seconds with 16 queries. (Pretty URLs adds 0s, 0q)