masterj
« on: November 19, 2012, 11:11:21 AM »
Hello, fellow tuners, I wanted to start this thread as a help for anyone who wants to start disassembling their bins and as one place for all the questions one might have trying to do so.

So, first a mini tutorial to get the proper idb file:

1) Get yourself a copy of IDA PRO (v6.1 or later)
2) Download your car flash file
3) Download the cpu code (me7.5 cpu code is attached to this topic)
4) Use prj's autoit script from http://nefariousmotorsports.com/forum/index.php?topic=2431.0title= to help with the preparation (the first time it asks for a file use cpu.bin, the second time - the actual flash). If for some reason prj's script doesn't work, you can try my update (for me some of the alt+xxx commands didn't work so I've just recorded mouse clicks instead - loadbin.exe).
5) After the script is finished (code is analyzed & cleanup performed) try to get a similar flash file in OLS or another complete definition format and do the whole procedure again
6) Now it gets tricky... that's when this topic comes in
6a) http://nefariousmotorsports.com/forum/index.php?topic=2851.msg27875#msg27875
6b) http://nefariousmotorsports.com/forum/index.php?topic=2851.msg27866#msg27866
6c) http://nefariousmotorsports.com/forum/index.php?topic=2851.msg27862#msg27862

Also I have uploaded the disassembled 4B0906018DC_ME7.5_Bosch_362358_VW_B5.5_-_(Original)-v00.idb: http://www.sendspace.com/file/zf40l0 & 06A906032HN_ME7.5_Bosch__Seat_1.8T_-_(Original)-v00.idb: http://www.sendspace.com/file/9bqold & 4Z7907551R__ME7.1.1_Bosch__Audi_2.7T_-_(Original)-v00.idb: http://www.sendspace.com/file/k59059 if anyone needs them (definition files are here: http://nefariousmotorsports.com/forum/index.php?topic=2847.msg27312#msg27312)

ADDED: Q67121-C946.pdf (C167CR datasheet)
ADDED: c166ism.pdf (mostly C166 family instructions, very good resource!)

ATM this is all I have, I just started to do the asm and those are my first idb files :)
« Last Edit: November 28, 2012, 08:10:31 AM by masterj »
masterj
« Reply #1 on: November 19, 2012, 11:17:26 AM »
So I wanted to ask this first question: When I look at the PROKONAL bits of a known binary I see that IDA works in 16-bit mode, because it shows only every second address (segment003) 18194, 18196, 18198... Is it possible to change some settings so I could see every single address in 8-bit mode? 18194, 18195, 18196, 18197...
In 06A906032HN_ME7.5_Bosch__Seat_1.8T_-_(Original)-v00.idb @ 18194 there's CDAGR map and @ 18196 CDATR. How can I see 18195 (CDAGRL)?
Also can someone post a basic routine on how to identify these PROKONAL maps in other files by using this file as a reference?
« Last Edit: November 19, 2012, 11:26:22 AM by masterj »
phila_dot
« Reply #2 on: November 19, 2012, 12:06:45 PM »
Pressing the "d" key will change data types, but if that location isn't referenced then it isn't used anyway.
The PROKONAL code words are checked and bits are set in a few word variables. X ref the PROKONAL word variables. They are referenced exactly as they are set, not bitwise but by hex value.
masterj
« Reply #3 on: November 19, 2012, 01:37:44 PM »
Pressing the "d" key will change data types, but if that location isn't referenced then it isn't used anyway.
The PROKONAL code words are checked and bits are set in a few word variables. X ref the PROKONAL word variables. They are referenced exactly as they are set, not bitwise but by hex value.
Thank you, I'll try to analyze the data now
masterj
« Reply #4 on: November 19, 2012, 02:14:56 PM »
So to check if I understood stuff: in 0xxxHN I see that 181b5 (cwdlsu) isn't used at all? Also 181ba (cwkonfls)?
Not sure about: 181c3 (nsw01) & 181c4 (nsw02) because I don't see XREFs.
Also could you explain a little bit why every time I click on an address value (for example 181C2 = 4) I get sent to seg003:0004?
I KNOW I KNOW I AM A NOOB AT ASM
phila_dot
« Reply #5 on: November 19, 2012, 02:50:48 PM »
So to check if I understood stuff: in 0xxxHN I see that 181b5 (cwdlsu) isn't used at all? Also 181ba (cwkonfls)?
Not sure about: 181c3 (nsw01) & 181c4 (nsw02) because I don't see XREFs.
Also could you explain a little bit why every time I click on an address value (for example 181C2 = 4) I get sent to seg003:0004?
I KNOW I KNOW I AM A NOOB AT ASM
Do you have all of the code disassembled? References in hex that haven't been identified as code will not be considered. IDA assumes nothing except that the user knows what he/she is doing. It takes you to 0x0004 because it may be a possible address reference. This is the "Interactive" part.
masterj
« Reply #6 on: November 19, 2012, 03:04:57 PM »
Do you have all of the code disassembled? References in hex that haven't been identified as code will not be considered.
IDA assumes nothing except that the user knows what he/she is doing. It takes you to 0x0004 because it may be a possible address reference. This is the "Interactive" part.
I think I have all the code disassembled (used code analysis on the whole segment003 - flash part). The CPU took some sweet time going through every line of asm to show everything
phila_dot
« Reply #7 on: November 19, 2012, 04:18:32 PM »
There are numerous ways that things are referenced. It will not always be a direct reference. After analyzing enough assembly you will develop a feel for how to find these.
If there is no reference direct or indirect, then obviously it isn't used.
I have only seen the PROKONAL codewords directly referenced.
« Last Edit: November 19, 2012, 04:21:02 PM by phila_dot »
masterj
« Reply #8 on: November 19, 2012, 04:35:20 PM »
There are numerous ways that things are referenced. It will not always be a direct reference. After analyzing enough assembly you will develop a feel for how to find these.
Ok, those prokonal maps in 181xx I'm pretty sure are figured out easily when you can just jump to any ref; now a little harder map is WESSOT...
masterj
« Reply #9 on: November 21, 2012, 03:57:11 PM »
How do we find an axis in the disassembly? For example by looking at the winols hex dump I see some axis @ 181c7. But when I open the disassembled bin I see no xrefs or anything:

seg003:181C7 db 0Ah
seg003:181C8 db 17h
seg003:181C9 db 29h ; )
seg003:181CA db 40h ; @
seg003:181CB db 54h ; T
seg003:181CC db 6Bh ; k
seg003:181CD db 80h ; Ć
seg003:181CE db 0A3h ; Ż
seg003:181CF db 0CCh ; _
seg003:181D0 db 0FEh ; _

This part is supposed to be an axis, but how do we look at which maps access this axis?
prj
« Reply #10 on: November 21, 2012, 04:05:50 PM »
Figure out what page it is. After that 0xpage * 0x4000 you get a number which is segment start loc.
Subtract the number from the address you think the axis starts.
After that alt+b, swap high and low and search for the exact bytes. Look up those locations, one of them will be what you are looking for (the map access).
You see, the map routines often take both the offset and the page number as arguments. So there is no direct reference, as they are combined later, and IDA can not parse this.
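A worked version of prj's page/offset procedure, added here as an example (it is not code from the thread or from prj's script), applied to the axis at 181C7 from the question above. It assumes IDA's seg003 addresses are flash offsets, so page = address / 0x4000, and the byte string it scans is a constructed sample, not real firmware.

```python
# Added example: split a flash address into C166 page + 14-bit offset and
# search a code region for the offset encoded as a 16-bit immediate.

PAGE_SIZE = 0x4000  # one C166 data page (DPP window) is 16 KiB


def page_and_offset(addr):
    """Return (page, segment start, offset) for a linear address."""
    page = addr // PAGE_SIZE
    seg_start = page * PAGE_SIZE          # prj's "0xpage * 0x4000"
    return page, seg_start, addr - seg_start


def offset_pattern(offset):
    """The two bytes to search for with alt+b. The C166 stores 16-bit
    immediates low byte first, which is why prj says 'swap high and low'."""
    return bytes([offset & 0xFF, (offset >> 8) & 0xFF])


def find_pattern(blob, pattern, start=0, end=None):
    """Every position in blob[start:end] where pattern occurs (may include
    false positives; each hit still has to be checked in the listing)."""
    end = len(blob) if end is None else end
    hits = []
    i = blob.find(pattern, start, end)
    while i != -1:
        hits.append(i)
        i = blob.find(pattern, i + 1, end)
    return hits


def locate_axis_users(blob, axis_addr):
    """Candidate code locations that load the axis offset as an immediate."""
    page, _, off = page_and_offset(axis_addr)
    return page, off, find_pattern(blob, offset_pattern(off))


# Constructed sample code region (not real firmware): two 'mov Rw, #data16'
# instructions (E6 Fn lo hi) loading the offset 0x1C7, plus page 6 and filler.
SAMPLE_CODE = bytes.fromhex(
    "E6 FC C7 01"   # mov r12, #1C7h  -> offset of the axis inside its page
    "E6 FD 06 00"   # mov r13, #6     -> page number passed alongside
    "DB 00"         # rets
    "E6 FC C7 01"   # a second routine loading the same offset
)

if __name__ == "__main__":
    page, off, hits = locate_axis_users(SAMPLE_CODE, 0x181C7)
    print(f"page {page:#x}, offset {off:#06x}, "
          f"search bytes {offset_pattern(off).hex()}, hits at {hits}")
```

Each hit is only a candidate: the bytes C7 01 can also occur in unrelated data, so the locations must be checked in IDA to find the one that is the map access.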
matchew
« Reply #11 on: November 21, 2012, 07:49:45 PM »
How do we find an axis in the disassembly? For example by looking at the winols hex dump I see some axis @ 181c7. But when I open the disassembled bin I see no xrefs or anything:

seg003:181C7 db 0Ah
seg003:181C8 db 17h
seg003:181C9 db 29h ; )
seg003:181CA db 40h ; @
seg003:181CB db 54h ; T
seg003:181CC db 6Bh ; k
seg003:181CD db 80h ; Ć
seg003:181CE db 0A3h ; Ż
seg003:181CF db 0CCh ; _
seg003:181D0 db 0FEh ; _

This part is supposed to be an axis, but how do we look at which maps access this axis?

You tried to disassemble the axis to a map? Seriously, what did you expect to find? What you are trying to learn here can not be picked up in a couple of sessions of asking random questions.
jooo
« Reply #12 on: November 21, 2012, 08:01:47 PM »
You tried to disassemble the axis to a map? Seriously, what did you expect to find? What you are trying to learn here can not be picked up in a couple of sessions of asking random questions.
Well, if you think for one more sec you understand that he is questioning why there is no CODE xref on the first line where the axis begins. Which for a beginner might not be easy to understand. Though I agree with you that learning disassembly/reverse engineering is not done in hours or weeks. It takes months or even years if you've not done coding in assembly before and have no sense of programming.
Bische
« Reply #13 on: November 21, 2012, 08:41:28 PM »
As a total beginner to disassembly, reading machine code is a very steep stair to try to climb, no doubt. I have been trying to grasp some basics by reading the information on here over and over, and now after a couple of weeks I think I have gotten as far as setting up my file correctly.
A lot of my questions were answered just by watching the script setting up the CPU ROM with the rest of the readout. I really want to thank prj for sharing his script as this has saved me a lot of time. I attached a screenshot of where I'm at now.
Now I'm going to tattoo the C167 manual on the inside of my eyelids and start staring at the code, I really want to learn how to do this. I have started to look a little bit at trying to follow init -> KRKTE as of now.
masterj
« Reply #14 on: November 22, 2012, 10:36:27 AM »
Thank you all for your comments :) I know that learning asm is a long process but I'm starting to get a sense of this all, although only basic stuff, like checking if my map definition is correct or not by xrefing maps from a similar known ols. Basically I understand that on the code part of the asm they should be very similar in mnemonic instructions. Like (known ols):

seg003:748AA cmpb rl4, unk_81958A
seg003:748AE jmpr cc_C, loc_8748B6
seg003:748B0 movb rl5, #8
seg003:748B2 orb byte_A1E4, rl5
seg003:748B6
seg003:748B6 loc_8748B6: ; CODE XREF: sub_87422C+682j
seg003:748B6 jnb word_FD72.11, loc_8748BC
seg003:748BA jmpr cc_UC, loc_8748D2

and (unknown bin):

seg003:7350C cmpb rl4, byte_819596
seg003:73510 jmpr cc_C, loc_873518
seg003:73512 movb rl5, #8
seg003:73514 orb byte_A27C, rl5
seg003:73518
seg003:73518 loc_873518: ; CODE XREF: sub_872EAC+664j
seg003:73518 jnb word_FD6E.7, loc_87351E
seg003:7351C jmpr cc_UC, loc_873534

These are similar to my eyes and I now think that the map in the second binary is correctly defined.. BTW: is there a way to search the binary with mnemonic code sequences instead of hex, and in a selected area only (for example seg003:70000-seg003:80000)?
« Last Edit: November 22, 2012, 10:39:08 AM by masterj »