Pages: [1] 2
Author Topic: ME7idatool  (Read 14156 times)
DT
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 184


« on: September 28, 2022, 01:54:01 PM »

ME7idatool is a bit more than a fancy way to name variables. Some of you have asked about it after I posted some mysterious IDA screen dumps of files for which there are no public a2l/dam files available.

@nyet, since it is not compiled code anyone can see it in it's full glory(?) and anyone with a lot of patience can modify it as they wish. Github? I've never worked with it.

@prj, some lines might still be a carbon copy of your short IDA code snippets which can be found here on the forum. Thank you, those got me interested in IDApython.

@fluke9, a line or two of your python code might also be found, I don't remember, but thank you.

I dedicate this script or rather what it can achieve to my father who passed away earlier this year. Please have mercy, the script is really ugly but it is quite capable. I had zero knowledge of Python or similar coding when I started on this project. Therefore some (most?) things are really ugly and not written in a Pythonic way while other parts are quite smart and heavily optimized to keep all often used functions responding quick enough. I never thought it finally would become this automated, therefore it is based on routines meant for manual CLI work. To begin with my plan was to import dam/a2l and nothing else. At some places code are added to fix something instead of fixing the original faulty code.

Some things could have been done much more easily if I would have used more external libraries (eg. pandas) but until I needed to use the pywin32 for clipboard I tried to work with plain Python and IDA idc. It is developed on a borrowed laptop with genuine IDA pro 7.2 32-bit. (thank you Mr Z)

============================

What can it help you with?

* Primarily it can help you save tens or even hundreds of hours of work depending of what your goal is.

* Can import .ecu, .dam and .a2l files although with .ecu you are very limited. Always start with a fresh .idb.  Handles german umlauten correctly (at least on the system I used). .dam and .a2l needs to be directly from VAG without any change of file format for this to work.
These imported files help you achieve a nice IDA file.

* Show a list of what was not automatically named from a2l/dam. Can be easily clicked on and then if address look like a match it can manually be set by pressing p on keyboard. It can label the routines according to a threshold. Those who do not reach threshold can be handled manually and it gives the most probable names as suggestions depending on what it find.

* Can create patches that can easily be pasted directly into TunerPro. Very nice when working with code patches and an emulator like Roadrunner. For example while hacking hex code directly in ida without Keil. Unfortunately it does not handle faulty variables that can be found in certain .ecu files. Eg. some dual bank wideband lambda files. Avoid using .ecu if not absolutely needed.

Now on to the more fancy stuff...

* Makes most of the nice idb portable(!?). It does this by up/down search and ability to copy/paste naming from one idb to another. Almost zero knowledge needed to find similar code in another bin. Select what you need to find in another plain idb.

* It can export .dam and .a2l after you have ported from one idb to another. If you use a correctly matching file from similar year/version/family of ECU it will probably output what you need.
 
Avoid adding your own comments if you care for the portability to other similar binaries. Keep a copy of your original ME7idatool prepared .idb when you start working manually in the file. Some parts of this tool rely heavily on clipboard, be sure not to mess with it while working with the tool.


PS. If you feel an urge to help me buy my own copy of IDApro you can make a paypal donation. Email can be found in profile. ME7idatool can easily save you countless hours of work.
Logged

DT
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 184


« Reply #1 on: September 28, 2022, 01:54:49 PM »

Requirements:
pywin32 v228 for Python 2
If I recall correctly it could be installed with this command: pip install pywin32
but it was some time ago since I did it.

TODO
* fix a long list of annoying bugs (from what I know those does not affect the quality/integrity of the naming)
* some other features I've thought of like using info available in a2l/dam to correctly import bin in IDA
* find all jumplists(correct name?) to fix them automatically. UPDATE! (will probably be fixed within a few days, the logic is simple)
* Create a list of suitable matching a2l/dam/binary for common files which do not have a2l/dam. Though I've not planned to do this myself but rather hope the community will do this.
* Remove too eager auto naming scheme and alter too eager tresholds. Though I'm yet to find any problem myself but will happen when more users work with the tool.
* Automatically name functions that are called, like filters and similar. Hopefully the knowledge of the community can help.
* Some commands cannot identify if you are working in source or destination IDA.
* make sure that there is nothing transferred back to source via clipboard, 95% usage of clipboard data is only to be used in destination ida.
* Let me7identfunc() set function name to same as previous and next if they both are the same. (regardless of name hits matching FKT)
* possibly name 10ms, 100ms synchro usw...
* me7help() is not showing what it is supposed to?
« Last Edit: October 08, 2022, 09:47:01 AM by DT » Logged

DT
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 184


« Reply #2 on: September 28, 2022, 01:55:46 PM »

me7getmnem()   (in source ida window after marking text)

me7findcode()   (possible to use startaddress. eg 0x810000, ommit to use cursor position)

me7findcodereverse()

me7nameit()

me7prereq() (needed if closing ida and starting over again later, loads dam or a2l)

me7makeit_stage1()

me7makeit_stage2()

me7makeit_stage3()

me7identfunc()  (me7prereq() needed if IDA has been closed since last working with the file)

me7identfunc(nosfp)

me7setfuncname() (use this after me7identfunc() )

me7setfuncname()

me7list_names_wo_ref()

me7jumptable()

me7addresscmt()

me7cleancmt()

me7export()

me7tppatch()

me7patchbytes()

me7makefunc()
« Last Edit: September 28, 2022, 02:02:19 PM by DT » Logged

DT
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 184


« Reply #3 on: September 28, 2022, 01:56:40 PM »

Open .bin 0x800000 , size 0x100000 or 0x80000
Load additional file 0x0  ,  size 0x8000 no segments
alt-F7 to load script first time
alt-F9 Show recent scripts
me7makeit_stage1()
me7makeit_stage2()
in the list in output window double click on address you think might be something the script didn't handle
press p on keyboard and continue to next in list which seems to be of interest.

me7makeit_stage3()

manual work after stage 3, place the cursor within code that has no name. Why not start in 100ms, 10ms or a jumptable, go to code without name and try
me7identfunc() ,either it will autoname code or present some suggestions, then me7setfuncname(x) where x is the number of one of the suggested names.
(there might be some problem with this in some situations, but me7makeit_stage3() auto naming works quite well)

me7jumptable() fix the format of table including references if you know where tables are


mark some lines of code or even a few pages if you're feeling lucky, then
me7getmnem()
which place information in clipboard. move over to the destination .idb in another IDA pro session.(make sure it is a clean import of the .bin)
in the destination window use (where you have imported a bin and opened script followed by me7makeit_stage1()  )
me7findcode() which start at cursor or eg. me7findcode(0x810000) to define start address
there is also me7findcodereverse()

If code is found, use
me7nameit()
followed by me7setfuncname() if source had functionname.

if you want address on each comment
me7addresscmt()
to clean these, use
me7cleancmt()

me7export() export to a2l/dam using a template file. Those in template which were not exported get a SKIPA1_ or SKIPD1_ prepended to their name and also 0x100000 added to their address. Which allows for easy filtering in Winols.

mark edited code and try
me7tppatch()
it puts the patch on clipboard, you can paste this directly in TunerProRT which create a patch FromIDApro. Very quick when working with custom code in emulator.


me7patchbytes() (either let cursor sit or mark a few lines)
I don't remember if this was useful or redundant to functions in IDApro.

me7makefunc()
search for next code out of function with rets/reti before
Logged

DT
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 184


« Reply #4 on: September 28, 2022, 01:58:38 PM »

v0.9.8
Logged

sda2
Full Member
***

Karma: +23/-1
Offline Offline

Posts: 76


« Reply #5 on: September 29, 2022, 02:52:17 AM »

Awesome work! I will definately test that with ME7 BMW Cheesy
Logged
prj
Hero Member
*****

Karma: +1072/-480
Offline Offline

Posts: 6034


« Reply #6 on: September 29, 2022, 02:00:29 PM »

@prj, some lines might still be a carbon copy of your short IDA code snippets which can be found here on the forum. Thank you, those got me interested in IDApython.
Good Smiley

Anything I've posted here is fair game, have at it.
Logged

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
kirukisu
Jr. Member
**

Karma: +1/-4
Offline Offline

Posts: 26


« Reply #7 on: October 02, 2022, 11:20:39 AM »

Could You share IDA SDK here or via pm?
Logged
DT
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 184


« Reply #8 on: October 11, 2022, 06:45:54 PM »

This script makes code even more understandable after using ME7idatool on C25ea01g.bin . Though it might break some features of ME7idatool, i've not tested me7findcode() and me7nameit() afterwords yet.
Unfortunately I need to fix some things before it works well on an ST10 file like C25ea01g.bin.

btw. If someone source the IROM of 022906032CA this particular bin/a2l with addition would make a highly useful idb for working with any ME7.

edit 221013:
I posted a bit too early. I forgot that I had not fixed a few names in the attached file. Will post a better version later.
« Last Edit: October 12, 2022, 08:37:40 PM by DT » Logged

DT
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 184


« Reply #9 on: October 11, 2022, 07:10:01 PM »

New version. Works better with some ST10 variants
Please edit me7makeit_stage1() and me7makeit_stage1()  for other variants of memory setup in ecu
those two commands now take option 1 or 2 (which relate to c16x or st10) eg. me7makeit_stage1(2)

me7jumptable() is improved

I know, crappy Versioning
Logged

flamy
Full Member
***

Karma: +6/-0
Offline Offline

Posts: 56


« Reply #10 on: October 12, 2022, 01:15:36 PM »

Thanks for this tool, DT!!!

Here how it worked for me on a x64 machine using Windows 11 and IDA Pro 7.2
1.) Install Python 2.7.18 (Get it here: https://www.python.org/ftp/python/2.7.18/python-2.7.18.amd64.msi)
2.) Add "C:\Python27" and "C:\Python27\Scripts" to environment variable PATH
3.) Execute "pip install pywin32" from commandline
4.) Run IDA Pro, open/start project and add script via Alt+F7
5.) Call functions listed above.

Previously, I tried to run it on a x86 machine using Windows 10 and IDA Pro 6.6, but that didn't work.
Python and pywin32 were installed correctly and running fine, but IDA Pro trew an error message while importing the modules "win32clipboard" and "win32api".
Logged
flamy
Full Member
***

Karma: +6/-0
Offline Offline

Posts: 56


« Reply #11 on: October 12, 2022, 01:24:16 PM »

Please delete this post.
« Last Edit: October 16, 2022, 02:45:02 PM by flamy » Logged
DT
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 184


« Reply #12 on: October 12, 2022, 08:34:52 PM »

Were you looking for theese?
Well, yes. But they do look a bit funky and does not match what is addressed from flash.

Though the first 32kb from one of these line up perfectly.
022906032bg
022906032cn
022906032cs
022906032ge


btw. nice python explanation
« Last Edit: October 13, 2022, 01:51:15 PM by DT » Logged

DT
Full Member
***

Karma: +20/-1
Offline Offline

Posts: 184


« Reply #13 on: October 13, 2022, 02:01:17 PM »

As promised, a fixed version of C25ea01g_additional_names.py

steps
1. c25ea01g.bin  (022906032CA)
2. additional 32kb from one of above mentioned files @0x0
3. me7idatool + c25ea01g.a2l (though it is not perfect for this version of me7.1.1 yet)
4. apply C25ea01g_additional_names.py

I don't think a naturally aspirated me7.1.1 will ever be more easy to understand/patch/hack.
Logged

Blazius
Hero Member
*****

Karma: +89/-40
Offline Offline

Posts: 1282



« Reply #14 on: October 14, 2022, 10:51:07 AM »

I have seen this in various threads where you posted, nice of you to finally release it, looks great.

Might give it a go sometime, see how is it vs the conventional scripts on this site.
Logged
Pages: [1] 2
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.024 seconds with 17 queries. (Pretty URLs adds 0s, 0q)