May I ask how you learned the IDA specifics? I managed to load Volvo bins into IDA properly. But, if I'm making sense, I'm struggling with converting data bytes to functions/code sections so I can analyse them.
Loading a BIN into IDA and then disassembling it is the easy part.
Understanding what's going on in the code is much worse - very time consuming.
Make sure you load it with proper DPPs and mem:
DPP0 - 0x4
DPP1 - 0x5
DPP2 - 0xC0
DPP3 - 0x3
RAM - 0x300000
To decompile you basically just press P then CTRL+U on every line with code.
P decompiles and CTRL-U jumps to the next unresolved code.
I did a script in AutoIt that just presses P and CTRL-U in a loop:
WinWaitActive("IDA - ")
While True
Send("p^u")
Sleep(1)
WEnd
But it must be done only on parts with code, not maps and data!
On the 99V70R bin I got some code at the beginning, then a second part at 0x8200-0xBFFF and the main huge part at 0x22000.
But on my 02S60T5 bin the second part is at 0x9000-0xBFFF and the main part at 0x28000. So I assume it may be different on every version of the software.
Then you need to have at least basic knowledge of assembly language. You need to understand how data is manipulated in registers, division, multiplication, conditional jumps (the C166 Instruction Set Manual is a must-have) and so on. But the most important thing is understanding memory addressing. This processor uses 2 types of addressing: with Data Page Pointers (DPPs) and extended overridden mode (with the EXT command). You need to understand BIT operations (ORs, ANDs, shifting etc.) because they're everywhere in the code and in the addressing.
How to start finding maps? Find some basic obvious maps like ignition or LDRX and then search for their addresses in the code. Then analyze the code and compare with FR to figure out unnamed variables and start naming them. If you identify a variable, press X on it and see the references to it. Then go to some reference, figure out what is going on and try to match the function with FR. As soon as you notice a pattern you will reveal more variables in that function (by looking at FR). The more maps and variables you identify, the further you go into the code. It's like puzzles.
The most annoying thing for me was translating addresses. For example, my LAMFA map address is 0x22140, but in code it's addressed as page=0x8 and offset=0x2140. That's extended addressing mode. To translate it to an absolute address you have to do a bitwise operation: (P SHL 14) OR (O AND 0x3FFF). I did a simple calculator app in Delphi to convert those addresses back and forth. Maybe I will post it here if anybody wants. Some addresses may also be referred to in DPP mode (like my KFMIOP 0x2214 as DPP -> translates to 0x12214) and some just directly as absolute binary location.
I hope it helps to start, but I think there's no other way than taking a lot of time to practice by yourself.
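
The address translation described in the post above, as an added Python example (not part of the original post and not the poster's Delphi calculator). It implements the post's formula with the DPP values the post lists; the function names are hypothetical, and it assumes the standard C166 rule that bits 15-14 of a 16-bit operand select DPP0-DPP3.

```python
# Added example: C166 address translation for locating map references in a disassembly.
PAGE_BITS = 14                  # C166 data pages are 16 KB
OFFSET_MASK = 0x3FFF            # low 14 bits = offset inside a page
DPPS = (0x4, 0x5, 0xC0, 0x3)    # DPP0..DPP3 as listed in the post


def ext_to_linear(page, offset):
    """Extended mode (page, offset) -> absolute: (P SHL 14) OR (O AND 0x3FFF)."""
    return (page << PAGE_BITS) | (offset & OFFSET_MASK)


def linear_to_ext(addr):
    """Absolute address -> (page, offset) pair as it appears in extended mode."""
    return addr >> PAGE_BITS, addr & OFFSET_MASK


def dpp_to_linear(addr16, dpps=DPPS):
    """DPP mode: bits 15-14 pick the DPP register, bits 13-0 are the page offset."""
    if not 0 <= addr16 <= 0xFFFF:
        raise ValueError("DPP-mode operands are 16-bit")
    return ext_to_linear(dpps[addr16 >> PAGE_BITS], addr16)


def linear_to_dpp(addr, dpps=DPPS):
    """16-bit operands that reach addr through a DPP; empty means extended mode only."""
    page, offset = linear_to_ext(addr)
    return [(i << PAGE_BITS) | offset for i, p in enumerate(dpps) if p == page]


def search_forms(addr, dpps=DPPS):
    """Every operand encoding worth searching for when hunting references to addr."""
    page, offset = linear_to_ext(addr)
    return {
        "absolute": hex(addr),
        "ext_page": hex(page),
        "ext_offset": hex(offset),
        "dpp_operands": [hex(a) for a in linear_to_dpp(addr, dpps)],
    }


if __name__ == "__main__":
    # Addresses quoted in the post: LAMFA (extended mode) and KFMIOP (DPP mode).
    for name, addr in (("LAMFA", 0x22140), ("KFMIOP", 0x12214)):
        print(name, search_forms(addr))
    print("DPP 0x8000 ->", hex(dpp_to_linear(0x8000)))  # lands on the RAM base
```

An empty `dpp_operands` list means no DPP in the given set maps that page, so references to the address will only show up in the page/offset form.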