Pages: [1] 2 3 ... 7
Author Topic: First disassemble - questions  (Read 81376 times)
masterj
« on: November 19, 2012, 11:11:21 AM »

Hello, fellow tuners,
I wanted to start this thread as a help for anyone who wants to start disassembling their bins, and as one place for all the questions one might have trying to do so.

So, first a mini tutorial to get the proper idb file:
1) Get yourself a copy of IDA Pro (v6.1 or later)
2) Download your car's flash file
3) Download the CPU code (ME7.5 CPU code is attached to this topic)
4) Use prj's AutoIt script from http://nefariousmotorsports.com/forum/index.php?topic=2431.0title= to help with the preparation (the first time it asks for a file use cpu.bin, the second time the actual flash). If for some reason prj's script doesn't work, you can try my update (for me some of the alt+xxx commands didn't work, so I've just recorded mouse clicks instead - loadbin.exe).
5) After the script is finished (code is analyzed & cleanup performed), try to get a similar flash file in OLS or another complete definition format and do the whole procedure again
6) Now it gets tricky... that's when this topic comes in
6a) http://nefariousmotorsports.com/forum/index.php?topic=2851.msg27875#msg27875
6b) http://nefariousmotorsports.com/forum/index.php?topic=2851.msg27866#msg27866
6c) http://nefariousmotorsports.com/forum/index.php?topic=2851.msg27862#msg27862

Also I have uploaded the disassembled 4B0906018DC_ME7.5_Bosch_362358_VW_B5.5_-_(Original)-v00.idb:
http://www.sendspace.com/file/zf40l0
& 06A906032HN_ME7.5_Bosch__Seat_1.8T_-_(Original)-v00.idb:
http://www.sendspace.com/file/9bqold
& 4Z7907551R__ME7.1.1_Bosch__Audi_2.7T_-_(Original)-v00.idb:
http://www.sendspace.com/file/k59059
if anyone needs them (definition files are here: http://nefariousmotorsports.com/forum/index.php?topic=2847.msg27312#msg27312)

ADDED: Q67121-C946.pdf (C167CR datasheet)
ADDED: c166ism.pdf (mostly C166 family instructions, very good resource!)

ATM this is all I have, I've just started to do the asm and those are my first idb files
« Last Edit: November 28, 2012, 08:10:31 AM by masterj »

masterj
« Reply #1 on: November 19, 2012, 11:17:26 AM »

So I wanted to ask this first question:
When I look at the PROKONAL bits of a known binary I see that IDA works in 16-bit mode, because it shows only every second address (segment003): 18194, 18196, 18198... Is it possible to change some setting so I could see every single address in 8-bit mode? 18194, 18195, 18196, 18197...

In 06A906032HN_ME7.5_Bosch__Seat_1.8T_-_(Original)-v00.idb @ 18194 there's the CDAGR map and @ 18196 CDATR. How can I see 18195 (CDAGRL)?

Also, can someone post a basic routine on how to identify these PROKONAL maps in other files by using this file as a reference?
« Last Edit: November 19, 2012, 11:26:22 AM by masterj »

phila_dot
« Reply #2 on: November 19, 2012, 12:06:45 PM »

Pressing the "d" key will change data types, but if that location isn't referenced then it isn't used anyway.

The PROKONAL code words are checked and bits are set in a few word variables. X ref the PROKONAL word variables. They are referenced exactly as they are set, not bitwise but by hex value.
masterj
« Reply #3 on: November 19, 2012, 01:37:44 PM »

Quote from: phila_dot
Pressing the "d" key will change data types, but if that location isn't referenced then it isn't used anyway.

The PROKONAL code words are checked and bits are set in a few word variables. X ref the PROKONAL word variables. They are referenced exactly as they are set, not bitwise but by hex value.

Thank you, I'll try to analyze the data now.

masterj
« Reply #4 on: November 19, 2012, 02:14:56 PM »

So to check if I understood the stuff: in 0xxxHN I see that 181b5 (cwdlsu) isn't used at all? Also 181ba (cwkonfls)?

Not sure about:
181c3 (nsw01) & 181c4 (nsw02), because I don't see XREFs.

Also, could you explain a little bit why every time I click on an address value (for example 181C2 = 4) I get sent to seg003:0004?

I KNOW I KNOW I AM A NOOB AT ASM

phila_dot
« Reply #5 on: November 19, 2012, 02:50:48 PM »

Quote from: masterj
So to check if I understood the stuff: in 0xxxHN I see that 181b5 (cwdlsu) isn't used at all? Also 181ba (cwkonfls)?

Not sure about:
181c3 (nsw01) & 181c4 (nsw02), because I don't see XREFs.

Also, could you explain a little bit why every time I click on an address value (for example 181C2 = 4) I get sent to seg003:0004?

I KNOW I KNOW I AM A NOOB AT ASM

Do you have all of the code disassembled? References in hex that haven't been identified as code will not be considered.

IDA assumes nothing except that the user knows what he/she is doing. It takes you to 0x0004 because it may be a possible address reference. This is the "Interactive" part.
masterj
« Reply #6 on: November 19, 2012, 03:04:57 PM »

Quote from: phila_dot
Do you have all of the code disassembled? References in hex that haven't been identified as code will not be considered.

IDA assumes nothing except that the user knows what he/she is doing. It takes you to 0x0004 because it may be a possible address reference. This is the "Interactive" part.

I think I have all the code disassembled (used code analysis on the whole segment003 - the flash part). The CPU took some sweet time going through every line of asm to show everything.

phila_dot
« Reply #7 on: November 19, 2012, 04:18:32 PM »

There are numerous ways that things are referenced. It will not always be a direct reference. After analyzing enough assembly you will develop a feel for how to find these.

If there is no reference, direct or indirect, then obviously it isn't used.

I have only seen the PROKONAL codewords directly referenced.
« Last Edit: November 19, 2012, 04:21:02 PM by phila_dot »
masterj
« Reply #8 on: November 19, 2012, 04:35:20 PM »

Quote from: phila_dot
There are numerous ways that things are referenced. It will not always be a direct reference. After analyzing enough assembly you will develop a feel for how to find these.

OK, those PROKONAL maps in 181xx I'm pretty sure I've figured out; easy when you can just jump to any ref. Now a little harder map is WESSOT...

masterj
« Reply #9 on: November 21, 2012, 03:57:11 PM »

How do we find an axis in the disassembly? For example, by looking at the WinOLS hex dump I see some axis @ 181c7. But when I open the disassembled bin I see no xrefs or anything:

seg003:181C7                 db  0Ah
seg003:181C8                 db  17h
seg003:181C9                 db  29h ; )
seg003:181CA                 db  40h ; @
seg003:181CB                 db  54h ; T
seg003:181CC                 db  6Bh ; k
seg003:181CD                 db  80h
seg003:181CE                 db 0A3h
seg003:181CF                 db 0CCh
seg003:181D0                 db 0FEh

This part is supposed to be an axis, but how do we look up which maps access this axis?

prj
« Reply #10 on: November 21, 2012, 04:05:50 PM »

Figure out what page it is.
After that, 0xpage * 0x4000 gives you a number which is the segment start location.

Subtract that number from the address where you think the axis starts.

After that, Alt+B, swap high and low bytes and search for the exact bytes.
Look up those locations; one of them will be what you are looking for (the map access).

You see, the map routines often take both the offset and the page number as arguments.
So there is no direct reference, as they are combined later, and IDA cannot parse this.

PM's will not be answered, so don't even try.
Log your car properly - WinOLS database - Tools/patches
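A worked version of the page/offset arithmetic prj describes, added here as an illustration; it is my own script, not code from the thread or from prj's AutoIt script. It assumes the flash is mapped at linear 0x800000 (the label loc_8748B6 at seg003:748B6 quoted later in this thread implies that base), a 16 KiB C167 DPP page, and a constructed 512 KiB image in which the axis bytes from the listing above and two copies of the byte-swapped offset are planted at positions I chose; `find_offset_refs`, `locate_axis_access`, `SAMPLE_FLASH` and the planted positions are mine. Applied directly to the WinOLS file offset 0x181C7 the arithmetic gives page 6; with the flash base added it gives page 0x206, but the offset 0x1C7 is the same either way, and the offset bytes are what gets searched for.

```python
# Added example: prj's page/offset search as a script (not the thread's own code).
PAGE_SIZE = 0x4000        # one C167 DPP data page is 16 KiB
# Assumption: IDA's seg003 is the flash mapped at linear 0x800000, which is what
# the label loc_8748B6 at seg003:748B6 in this thread implies.
FLASH_BASE = 0x800000


def page_and_offset(linear):
    """Split a 24-bit linear address into (DPP page number, 14-bit offset within the page)."""
    return linear // PAGE_SIZE, linear % PAGE_SIZE


def file_to_linear(file_offset):
    """WinOLS shows file offsets and IDA shows seg003 offsets; both need the flash base added."""
    return FLASH_BASE + file_offset


def offset_pattern(offset):
    """The page offset as it sits in code: C166 is little-endian, so low byte first
    (this is the 'swap high and low' step before Alt+B)."""
    return bytes([offset & 0xFF, (offset >> 8) & 0xFF])


def find_offset_refs(flash, linear, lo=0, hi=None):
    """File offsets in flash[lo:hi] holding the byte-swapped page offset of `linear`.
    Every hit is only a candidate: open it in IDA and check whether it is the
    immediate of an instruction feeding a map routine or just data that matches."""
    _page, off = page_and_offset(linear)
    pat = offset_pattern(off)
    end = len(flash) if hi is None else hi
    hits = []
    pos = flash.find(pat, lo, end)
    while pos != -1:
        hits.append(pos)
        pos = flash.find(pat, pos + 1, end)
    return hits


def build_sample_flash():
    """Constructed 512 KiB image (hypothetical): erased 0xFF, the axis quoted in the
    thread at 0x181C7, a decoy copy of the offset bytes in the data area and one in
    the code area where a real map call would carry the immediate."""
    img = bytearray(b"\xff" * 0x80000)
    img[0x181C7:0x181D1] = bytes.fromhex("0a172940546b80a3ccfe")
    img[0x1A000:0x1A002] = offset_pattern(0x1C7)   # false positive: data, not code
    img[0x7352A:0x7352C] = offset_pattern(0x1C7)   # planted 'map access' immediate
    return bytes(img)


SAMPLE_FLASH = build_sample_flash()


def locate_axis_access(flash, file_offset, code_lo, code_hi):
    """Run the whole procedure for an axis seen in the WinOLS hex dump at `file_offset`,
    restricting the byte search to the code area [code_lo, code_hi)."""
    linear = file_to_linear(file_offset)
    page, off = page_and_offset(linear)
    return {"page": page, "offset": off,
            "pattern": offset_pattern(off).hex(" ").upper(),
            "hits": find_offset_refs(flash, linear, code_lo, code_hi)}


if __name__ == "__main__":
    print(locate_axis_access(SAMPLE_FLASH, 0x181C7, 0x70000, 0x80000))
```

Searching for "C7 01" with Alt+B in IDA does the same thing as `find_offset_refs`; restricting the search to the code area throws away hits like the decoy in the data region, and the remaining hits are the ones to open and read backwards to the map routine call.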
matchew
« Reply #11 on: November 21, 2012, 07:49:45 PM »

Quote from: masterj
How do we find an axis in the disassembly? For example, by looking at the WinOLS hex dump I see some axis @ 181c7. But when I open the disassembled bin I see no xrefs or anything:

seg003:181C7                 db  0Ah
seg003:181C8                 db  17h
seg003:181C9                 db  29h ; )
seg003:181CA                 db  40h ; @
seg003:181CB                 db  54h ; T
seg003:181CC                 db  6Bh ; k
seg003:181CD                 db  80h
seg003:181CE                 db 0A3h
seg003:181CF                 db 0CCh
seg003:181D0                 db 0FEh

This part is supposed to be an axis, but how do we look up which maps access this axis?

You tried to disassemble the axis to a map? Seriously, what did you expect to find? What you are trying to learn here cannot be picked up in a couple of sessions of asking random questions.
jooo
« Reply #12 on: November 21, 2012, 08:01:47 PM »

Quote from: matchew
You tried to disassemble the axis to a map? Seriously, what did you expect to find? What you are trying to learn here cannot be picked up in a couple of sessions of asking random questions.

Well, if you think for one more sec you'll understand that he is questioning why there is no CODE xref on the first line where the axis begins, which for a beginner might not be easy to understand.
Though I agree with you that learning disassembly/reverse engineering is not done in hours or weeks. It takes months or even years if you've not done coding in assembly before and have no sense of programming.
Bische
« Reply #13 on: November 21, 2012, 08:41:28 PM »

As a total beginner to disassembly, reading machine code is a very steep stair to try to climb, no doubt. I have been trying to grasp some basics by reading the information on here over and over, and now after a couple of weeks I think I have gotten as far as setting up my file correctly.

A lot of my questions were answered just by watching the script set up the CPU ROM with the rest of the readout. I really want to thank prj for sharing his script as this has saved me a lot of time. I attached a screenshot of where I'm at now.

Now I'm going to tattoo the C167 manual on the inside of my eyelids and start staring at the code; I really want to learn how to do this. I have started to look a little bit at trying to follow init -> KRKTE as of now.
masterj
« Reply #14 on: November 22, 2012, 10:36:27 AM »

Thank you all for your comments :) I know that learning asm is a long process, but I'm starting to get a sense of this all, although only basic stuff, like checking if my map definition is correct or not by xrefing maps from a similar known OLS.

Basically I understand that in the code part of the asm they should be very similar in mnemonic instructions.

Like (known OLS):
Code:
seg003:748AA                 cmpb    rl4, unk_81958A
seg003:748AE                 jmpr    cc_C, loc_8748B6
seg003:748B0                 movb    rl5, #8
seg003:748B2                 orb     byte_A1E4, rl5
seg003:748B6
seg003:748B6 loc_8748B6:                             ; CODE XREF: sub_87422C+682j
seg003:748B6                 jnb     word_FD72.11, loc_8748BC
seg003:748BA                 jmpr    cc_UC, loc_8748D2
and (unknown bin):
Code:
seg003:7350C                 cmpb    rl4, byte_819596
seg003:73510                 jmpr    cc_C, loc_873518
seg003:73512                 movb    rl5, #8
seg003:73514                 orb     byte_A27C, rl5
seg003:73518
seg003:73518 loc_873518:                             ; CODE XREF: sub_872EAC+664j
seg003:73518                 jnb     word_FD6E.7, loc_87351E
seg003:7351C                 jmpr    cc_UC, loc_873534

are similar to my eyes, and I now think that the map in the second binary is correctly defined.


BTW: is there a way to search the binary with mnemonic code sequences instead of hex, and in a selected area only (for example seg003:70000-seg003:80000)?
« Last Edit: November 22, 2012, 10:39:08 AM by masterj »
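The comparison masterj is doing by eye above, and the mnemonic-sequence search asked about at the end of the post, as an added example; this is my own script, not code from the thread or from IDA. It works on listing text copied out of IDA, so the two listings quoted in the post are embedded as the constructed input. IDA's auto-generated names (byte_, word_, loc_, unk_, ...) carry an address, and bit operands carry a bit number, neither of which survives between two calibrations, so they are collapsed to one placeholder and only mnemonics, registers, immediates and condition codes have to match. The function names, the placeholder `SYM` and the regular expressions are mine.

```python
# Added example: compare IDA listings by instruction shape and search a listing
# for a sequence inside an address range (not the thread's own code).
import re

# Constructed input: the two IDA listings quoted in the post above (known OLS, unknown bin).
KNOWN = """
seg003:748AA                 cmpb    rl4, unk_81958A
seg003:748AE                 jmpr    cc_C, loc_8748B6
seg003:748B0                 movb    rl5, #8
seg003:748B2                 orb     byte_A1E4, rl5
seg003:748B6
seg003:748B6 loc_8748B6:                             ; CODE XREF: sub_87422C+682j
seg003:748B6                 jnb     word_FD72.11, loc_8748BC
seg003:748BA                 jmpr    cc_UC, loc_8748D2
"""

UNKNOWN = """
seg003:7350C                 cmpb    rl4, byte_819596
seg003:73510                 jmpr    cc_C, loc_873518
seg003:73512                 movb    rl5, #8
seg003:73514                 orb     byte_A27C, rl5
seg003:73518
seg003:73518 loc_873518:                             ; CODE XREF: sub_872EAC+664j
seg003:73518                 jnb     word_FD6E.7, loc_87351E
seg003:7351C                 jmpr    cc_UC, loc_873534
"""

LINE_RE = re.compile(r"^seg\d+:([0-9A-Fa-f]+)\s*(.*)$")
# IDA auto-names embed an address (and, for bit operands, a bit number). Neither
# survives between two calibrations, so all of them collapse to one placeholder.
SYMBOL_RE = re.compile(r"\b(?:byte|word|dword|unk|loc|sub|off)_[0-9A-Fa-f]+(?:\.\d+)?\b")


def parse(listing):
    """(seg offset, mnemonic, operands) per instruction line; label-only and empty lines skipped."""
    insns = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(2).split(";", 1)[0].strip()      # drop IDA's comment column
        if not body or body.endswith(":"):
            continue
        mnem, _, ops = body.partition(" ")
        insns.append((int(m.group(1), 16), mnem, ops.strip()))
    return insns


def shape(mnem, ops, mnemonics_only=False):
    """'cmpb rl4, unk_81958A' -> 'cmpb rl4,SYM'; with mnemonics_only just 'cmpb'."""
    if mnemonics_only:
        return mnem
    return mnem + " " + re.sub(r"\s+", "", SYMBOL_RE.sub("SYM", ops))


def signature(listing, mnemonics_only=False):
    """Normalized instruction sequence of a whole listing."""
    return [shape(m, o, mnemonics_only) for _, m, o in parse(listing)]


def find_sequence(listing, pattern, lo, hi, mnemonics_only=False):
    """Seg offsets in [lo, hi) at which `pattern` (a list of shapes) starts in `listing`."""
    insns = [i for i in parse(listing) if lo <= i[0] < hi]
    shapes = [shape(m, o, mnemonics_only) for _, m, o in insns]
    n = len(pattern)
    return [insns[i][0] for i in range(len(shapes) - n + 1) if shapes[i:i + n] == list(pattern)]


if __name__ == "__main__":
    print(signature(KNOWN) == signature(UNKNOWN))
    print([hex(a) for a in find_sequence(UNKNOWN, signature(KNOWN), 0x70000, 0x80000)])
```

IDA's own text search (Alt+T) matches one listing line at a time, and Alt+B matches bytes, which is why a multi-instruction shape match like this is easier to run over an exported listing; with `mnemonics_only=True` the pattern is just the mnemonic list, which is looser but survives register renaming between compiler builds.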
