Author Topic: IDA Pro helper functions (page 3 of 3, read 42852 times)
fknbrkn
« Reply #30 on: February 15, 2024, 04:24:16 PM »

I've made a script to find and parse MED17 register values / addressing and so on.
IDA 7.4+ / IDAPython required

Howto:
-load the bin with a start address, loading address = 0x80000000, TriCore CPU
-run auto-analysis of the PFLASH segment to get raw code
-File -> Script file

What's inside:
-searching for global register values (simple assignment)
-parsing them in code, converting to offsets (based on prj's indirect() script)
-searching for the a9 global register offset
-parsing direct addressing mode (sometimes not)
-handling double pointer offsets // this part might be buggy (the offset applies until the target register is assigned some other value or 'rets')

Initial code
Code:
PFLASH:800F0076                 st32.b          byte_D000209F, d15
PFLASH:800F007A                 ld32.bu         d15, byte_D00000CE
PFLASH:800F007E                 jnz32.t         d15:5, locret_800F00A2
PFLASH:800F0082                 ld32.a          a4, [a9]0x52C
PFLASH:800F0086                 ld32.a          a15, [a9]0x798
PFLASH:800F008A                 ld32.w          d5, [a0]-0x6DC0
PFLASH:800F008E                 lea             a4, [a4]0xBDD
PFLASH:800F0092                 ld32.bu         d4, [a15]0x150
PFLASH:800F0096                 ld32.w          d6, [a0]-0x6DF0
PFLASH:800F009A                 call32          sub_800FC9C8
PFLASH:800F009E                 st32.b          byte_D0002097, d2

After script apply
Code:
PFLASH:800F0076                 st32.b          byte_D000209F, d15
PFLASH:800F007A                 ld32.bu         d15, byte_D00000CE
PFLASH:800F007E                 jnz32.t         d15:5, locret_800F00A2
PFLASH:800F0082                 ld32.a          a4, [a9](off_80174B70 - off_80174644)
PFLASH:800F0086                 ld32.a          a15, [a9](off_80174DDC - off_80174644)
PFLASH:800F008A                 ld32.w          d5, [a0](dword_D0003B98 - word_D000A958)
PFLASH:800F008E                 lea             a4, [a4](dword_80057E58+0x1D - dword_80057298)
PFLASH:800F0092                 ld32.bu         d4, [a15](unk_80062CDE - dword_80062B8E)
PFLASH:800F0096                 ld32.w          d6, [a0](dword_D0003B68 - word_D000A958)
PFLASH:800F009A                 call32          sub_800FC9C8
PFLASH:800F009E                 st32.b          byte_D0002097, d2

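The register tracking the post describes, as an added, runnable example (this is not fknbrkn's script and not prj's indirect() script): it recovers the global address registers from an assumed startup pattern (movh.a followed by lea), resolves every [aN]disp operand against the tracked base, follows a pointer loaded with ld.a / lea until the register is overwritten or the function returns with rets, and renders each hit in the (target - base) form IDA uses for based offsets. The listing and the two pointer-table entries are constructed for the example (the pointer values are the ones implied by the post's after-script output); apply_in_ida is the only IDA-dependent part and does nothing outside IDA.

```python
import re
from typing import Dict, List, Tuple

Insn = Tuple[int, str, List[str]]  # (ea, mnemonic, operands)

# Constructed listing in IDA's TriCore format (not the post's binary). The first
# four lines are the assumed startup pattern that sets the global address
# registers; the rest mirrors the post's example, plus a 'rets' and one access
# after it to show that a locally loaded pointer (a15) is no longer trusted.
SAMPLE_LISTING = """
PFLASH:80000100                 movh.a          a9, #0x8017
PFLASH:80000104                 lea             a9, [a9]0x4644
PFLASH:80000108                 movh.a          a0, #0xD001
PFLASH:8000010C                 lea             a0, [a0]-0x56A8
PFLASH:800F0082                 ld32.a          a4, [a9]0x52C
PFLASH:800F0086                 ld32.a          a15, [a9]0x798
PFLASH:800F008A                 ld32.w          d5, [a0]-0x6DC0
PFLASH:800F008E                 lea             a4, [a4]0xBDD
PFLASH:800F0092                 ld32.bu         d4, [a15]0x150
PFLASH:800F0096                 ld32.w          d6, [a0]-0x6DF0
PFLASH:800F009A                 call32          sub_800FC9C8
PFLASH:800F00A2                 rets
PFLASH:800F00A4                 ld32.bu         d4, [a15]0x150
"""
# Pointer values the double-pointer step reads from flash; inside IDA these come
# from ida_bytes.get_dword(target). The two entries are the values implied by the
# post's after-script listing (a4 -> 0x80057298, a15 -> 0x80062B8E).
SAMPLE_MEMORY = {0x80174B70: 0x80057298, 0x80174DDC: 0x80062B8E}

LINE_RE = re.compile(r"^\s*\w+:([0-9A-Fa-f]+)\s+(\S+)(?:\s+(.*?))?\s*$")
BASED_RE = re.compile(r"^\[(a\d+)\](-?0x[0-9A-Fa-f]+|-?\d+)$")   # [aN]disp
IMM_RE = re.compile(r"^#(-?0x[0-9A-Fa-f]+|-?\d+)$")              # #imm
MASK32 = 0xFFFFFFFF


def parse_listing(text: str) -> List[Insn]:
    insns: List[Insn] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.split(";", 1)[0])          # drop IDA comments
        if m:
            ea, mnem, ops = m.groups()
            operands = [o.strip() for o in ops.split(",")] if ops else []
            insns.append((int(ea, 16), mnem.lower(), operands))
    return insns


def base_mnemonic(mnem: str) -> str:
    """IDA prints the encoding width (ld32.a, jnz16, call32); strip it."""
    return re.sub(r"(?<=[a-z])(?:16|32)(?=\.|$)", "", mnem)


def find_global_bases(insns: List[Insn], regs=("a0", "a9")) -> Dict[str, int]:
    """Recover a0/a9 from the assumed 'movh.a aN, #hi ; lea aN, [aN]lo' pair."""
    bases: Dict[str, int] = {}
    pending: Dict[str, int] = {}
    for _, mnem, ops in insns:
        m = base_mnemonic(mnem)
        if m == "movh.a" and len(ops) == 2 and ops[0] in regs and IMM_RE.match(ops[1]):
            pending[ops[0]] = (int(IMM_RE.match(ops[1]).group(1), 0) & 0xFFFF) << 16
        elif m == "lea" and len(ops) == 2 and ops[0] in pending and ops[0] not in bases:
            mem = BASED_RE.match(ops[1])
            if mem and mem.group(1) == ops[0]:
                bases[ops[0]] = (pending.pop(ops[0]) + int(mem.group(2), 0)) & MASK32
    return bases


def resolve_based_operands(insns: List[Insn], globals_: Dict[str, int],
                           memory: Dict[int, int]) -> List[Tuple[int, int, str]]:
    """Render every [aN]disp operand with a known base as IDA's based-offset
    form '(target - base)'. Pointers set by movh.a/ld.a/lea/mov.aa are tracked
    until the register is written by something else or the function returns."""
    regs: Dict[str, int] = dict(globals_)
    out: List[Tuple[int, int, str]] = []
    for ea, mnem, ops in insns:
        m = base_mnemonic(mnem)
        targets: Dict[int, int] = {}
        for i, op in enumerate(ops):
            mem = BASED_RE.match(op)
            if mem and mem.group(1) in regs:
                base = regs[mem.group(1)]
                targets[i] = (base + int(mem.group(2), 0)) & MASK32
                out.append((ea, i, f"[{mem.group(1)}](0x{targets[i]:08X} - 0x{base:08X})"))
        if m in ("ret", "rets"):
            regs = dict(globals_)                      # drop function-local pointers
        elif ops and re.fullmatch(r"a\d+", ops[0]):  # first operand is the written register
            dst = ops[0]
            imm = IMM_RE.match(ops[1]) if len(ops) == 2 else None
            if m == "movh.a" and imm:
                regs[dst] = (int(imm.group(1), 0) & 0xFFFF) << 16
            elif m == "ld.a" and 1 in targets and targets[1] in memory:
                regs[dst] = memory[targets[1]]       # double pointer: value read from flash
            elif m == "lea" and 1 in targets:
                regs[dst] = targets[1]
            elif m == "mov.aa" and len(ops) == 2 and ops[1] in regs:
                regs[dst] = regs[ops[1]]
            elif dst not in globals_:
                regs.pop(dst, None)                  # unknown write: stop trusting it
    return out


def analyse(listing: str, memory: Dict[int, int]) -> List[Tuple[int, int, str]]:
    insns = parse_listing(listing)
    return resolve_based_operands(insns, find_global_bases(insns), memory)


def apply_in_ida(ea: int, opnum: int, target: int, base: int) -> bool:
    """Inside IDA, mark the operand as a based offset so the listing shows
    '(target - base)'; outside IDA (no ida_offset module) return False."""
    try:
        import ida_offset
    except ImportError:
        return False
    return ida_offset.op_offset(ea, opnum, ida_offset.REF_OFF32, target, base, 0)


if __name__ == "__main__":
    for ea, opnum, text in analyse(SAMPLE_LISTING, SAMPLE_MEMORY):
        print(f"{ea:08X} op{opnum}: {text}")
```

Compared with the post's script this is deliberately simple: it walks the listing linearly (no branch tracking), the hex rendering stands in for the off_/dword_ names IDA prints once the target is defined, and call32 is not modelled as clobbering anything. TriCore calls preserve the upper context (a10-a15, d8-d15) but not a2-a7, so a stricter version should forget a4 at the call. Inside IDA the memory dictionary is replaced by ida_bytes.get_dword(target) and the rendered text by apply_in_ida(ea, opnum, target, base).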
fknbrkn
« Reply #31 on: March 06, 2024, 02:27:43 AM »

Added an a2l parser with maps / params / bitfields.
Still room for improvement of course, but no time for that.

Moved to git
https://github.com/fknbrkn/IDA-PRO---MED17-python-script
prj
« Reply #32 on: March 06, 2024, 04:34:43 AM »

Bitfields are not very useful on TriCore because, for the ones outside the dedicated memory, it just uses shifting and extr.u to access them.
So to track them you need a full-blown pseudocode generator/decompiler like Hex-Rays or Ghidra.
fknbrkn
« Reply #33 on: March 06, 2024, 07:02:23 AM »

Quote from: prj
Bitfields are not very useful on TriCore because, for the ones outside the dedicated memory, it just uses shifting and extr.u to access them.
So to track them you need a full-blown pseudocode generator/decompiler like Hex-Rays or Ghidra.

Well, I might be wrong with the naming here; I mean bit params b_xxx and mapping them as enums.
Code:
PFLASH:8011479A                     ld.hu           d15, mdns_w ; "Nachstartmoment"
PFLASH:8011479E                     st32.h          mdsmn_w, d1 ; "Motorverlustmoment ohne Ladungswechselarbeit"
PFLASH:801147A2                     jnz16           d15, loc_801147AC
PFLASH:801147A4                     ld32.bu         d15, byte_D0000088
PFLASH:801147A8                     jnz32.t         d15:B_stend, loc_80114850 ; "Bedingung Startende erreicht"


 enum enm_0xd0000088, mappedto_323
FFFFFFFF SWSVW_bChaElgDeb1  = 0                  ; XREF: PFLASH:800FC54A/s
FFFFFFFF                                         ; PFLASH:800FC93A/s ... ; "Fehler in Steuerkettenlängung"
FFFFFFFF B_dlrparc        = 1                    ; XREF: PFLASH:8009C080/s
FFFFFFFF                                         ; sub_8009C140+24E/s ... ; "Bedingung: Sollgrößensprung steht an"
FFFFFFFF B_stendrk        = 2                    ; XREF: sub_800FAADC+4/s
FFFFFFFF                                         ; sub_800FAC20+2C/s ... ; "Bedingung Umschaltung Start / Nachstart-Warmlauf für rk"
FFFFFFFF B_stend          = 3                    ; XREF: PFLASH:8007456C/s
FFFFFFFF                                         ; sub_8009C4C2+45C/s ... ; "Bedingung Startende erreicht"
FFFFFFFF B_wbkse          = 4                    ; XREF: PFLASH:800B6B18/s
FFFFFFFF                                         ; PFLASH:loc_800B6FD6/s ... ; "Bed. Wobbeln BKS enabled"
FFFFFFFF B_hstnl          = 6                    ; XREF: PFLASH:800EF134/s
FFFFFFFF                                         ; PFLASH:loc_800EF13A/s ... ; "Bed. Heißstart aus tmot-Verlauf im SG-Nachlauf"
FFFFFFFF B_dkpaw          = 7                    ; XREF: sub_800F3086+2A8/s
FFFFFFFF                                         ; sub_800F3086+30E/s ... ; "Bedingung DK-Poti-Auswahl für DK-Sensor-Ersatzbetrieb"
FFFFFFFF
It covers only direct access to bits, not much but something.
prj
« Reply #34 on: March 06, 2024, 07:05:20 AM »

Quote from: fknbrkn
It covers only direct access to bits, not much but something.
Only a very small amount of memory on TriCore is bit-addressable.
The rest is not.
On modern ECUs there are many more bitfields than can ever fit into the small bit-addressable memory.

Because of this it needs to do a load, and then using extr.u shift and extract the result.
IDA can not follow this at all and there is no hexrays plugin for tricore.

Ghidra can with the decompiler...

It becomes even worse between two software revisions if some bitfields are moved around. Then the code to access them is different.

Of course it's still useful to load the bitfields as enums, but not as useful as it seems on first glance.
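An added example (mine, not prj's or fknbrkn's code) of what a scripted approximation of the bitfield tracking discussed in this exchange can and cannot do without a decompiler: it attributes both the direct dN:bit test form shown in the enum listing above (ld.bu into a data register followed by jnz.t / jz.t on one of its bits) and the load-then-extr.u form prj describes to the memory symbol that was loaded, and forgets a data register as soon as any other instruction writes it. The listing is constructed for the example; the last three lines are the trap case where the register is overwritten before the bit test.

```python
import re
from typing import Dict, Set, Tuple

# Constructed TriCore listing in IDA's format (not from the post's binary).
SAMPLE_LISTING = """
PFLASH:801147A4                 ld32.bu         d15, byte_D0000088
PFLASH:801147A8                 jnz32.t         d15:3, loc_80114850 ; "Bedingung Startende erreicht"
PFLASH:80114900                 ld32.w          d4, dword_D0003B98
PFLASH:80114904                 extr.u          d2, d4, #5, #3
PFLASH:80114908                 jz16            d2, loc_80114950
PFLASH:80114950                 ld32.bu         d15, byte_D0000089
PFLASH:80114954                 mov16           d15, #0
PFLASH:80114956                 jnz32.t         d15:1, loc_80114A00
"""

LINE_RE = re.compile(r"^\s*\w+:([0-9A-Fa-f]+)\s+(\S+)\s*(.*?)\s*$")
BITTEST_RE = re.compile(r"^(d\d+):(\d+)$")      # dN:bit as IDA prints an unnamed bit
IMM_RE = re.compile(r"^#?(\d+)$")

Access = Tuple[int, int]  # (bit position, width)


def strip_width_tag(mnem: str) -> str:
    """IDA prints the encoding width (ld32.bu, jnz16); strip it for matching."""
    return re.sub(r"(?<=[a-z])(?:16|32)(?=\.|$)", "", mnem.lower())


def recover_bitfields(listing: str) -> Dict[str, Set[Access]]:
    """Map each absolutely addressed load to the (pos, width) ranges the code
    extracts from it. A dN:bit test counts as width 1; extr.u gives pos/width.
    Linear walk only: control flow and calls are not followed."""
    holds: Dict[str, str] = {}            # data register -> symbol it was loaded from
    found: Dict[str, Set[Access]] = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.split(";", 1)[0])   # drop IDA comments
        if not m:
            continue
        _ea, mnem, rest = m.groups()
        mnem = strip_width_tag(mnem)
        ops = [o.strip() for o in rest.split(",")] if rest else []
        # Absolute load into a data register: remember where the value came from.
        # Based loads ([aN]disp) are skipped; their target needs base resolution first.
        if (mnem.startswith("ld.") and len(ops) == 2
                and re.fullmatch(r"d\d+", ops[0]) and not ops[1].startswith("[")):
            holds[ops[0]] = ops[1]
            continue
        # Direct bit test on the loaded register.
        if mnem in ("jnz.t", "jz.t") and ops:
            bt = BITTEST_RE.match(ops[0])
            if bt and bt.group(1) in holds:
                found.setdefault(holds[bt.group(1)], set()).add((int(bt.group(2)), 1))
            continue
        # extr.u dst, src, pos, width: bitfield outside the bit-addressable area.
        if mnem == "extr.u" and len(ops) == 4 and ops[1] in holds:
            pos, width = IMM_RE.match(ops[2]), IMM_RE.match(ops[3])
            if pos and width:
                found.setdefault(holds[ops[1]], set()).add((int(pos.group(1)), int(width.group(1))))
            holds.pop(ops[0], None)        # extr.u wrote its destination register
            continue
        # Any other instruction whose first operand is a data register overwrites it;
        # branches and stores do not write their first operand.
        if ops and re.fullmatch(r"d\d+", ops[0]) and not mnem.startswith(("j", "st")):
            holds.pop(ops[0], None)
    return found


if __name__ == "__main__":
    for symbol, accesses in sorted(recover_bitfields(SAMPLE_LISTING).items()):
        print(symbol, sorted(accesses))
```

On the sample this yields byte_D0000088 bit 3 (width 1) and dword_D0003B98 bits 5..7, and nothing for byte_D0000089 because mov16 clobbered d15 first. Once bits are named through an enum, IDA prints d15:B_stend instead of d15:3, so BITTEST_RE would need to accept a name as well. Everything prj lists as the hard part stays out of reach of this approach: values that flow across branches or through several registers, shift/and sequences instead of extr.u, and bitfields relocated between revisions all need a real decompiler.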
fknbrkn
« Reply #35 on: March 06, 2024, 07:54:31 AM »

Quote from: prj
Only a very small amount of memory on TriCore is bit-addressable.
The rest is not.
On modern ECUs there are many more bitfields than can ever fit into the small bit-addressable memory.

Because of this it needs to do a load, and then using extr.u shift and extract the result.
IDA can not follow this at all and there is no hexrays plugin for tricore.

Ghidra can with the decompiler...

It becomes even worse between two software revisions if some bitfields are moved around. Then the code to access them is different.

Of course it's still useful to load the bitfields as enums, but not as useful as it seems on first glance.

The Ghidra decompiler looks promising.
Just a bit tricky for an IDA user; thanks for the input.
« Last Edit: March 06, 2024, 08:14:53 AM by fknbrkn »
prj
« Reply #36 on: March 06, 2024, 08:16:19 AM »

For fast work IDA is still the best by far.

Ghidra is really clunky to use for many things, but in case of more complex usage, the decompiler is pretty invaluable.
Reversing headers and other stuff becomes trivial.