Topic: How to patch in code changes
setzi62
« on: May 19, 2011, 09:21:12 AM »

Setzi,
Can you provide a detailed explanation of the process you use to incorporate this function?
As you can imagine, there is no standard way to integrate a new function into different ECUs.
As a very high-level description, the following steps have to be done to integrate a new function
into a binary:
1) Produce disassembled code of the image.
   - Need a disassembler for C167 to do this.
   - Useful if you have a disassembly of a similar image with symbol names inside for comparison.

2) Find the addresses of all global variables in the image that are needed in the new function.
   - This is done normally by looking into the disassembled code and roughly "knowing"
     which things/patterns to look for or comparing code of a reference image.
   - These variable addresses vary with each image version, same as it is with map addresses.

3) Find unused parameter space in flash, if configurable parameters are needed in the function.
   - some smaller areas are still found to be unused, best is to verify in the
     disassembled code if the selected space is really not accessed by regular code.

4) Find unused RAM space, if local variables are needed in the function.
   - also here, some areas are still found to be unused, best is to verify in the
     disassembled code if the selected space is really not accessed by regular code.

5) Find a free space in the flash to store the new function.
   - after end of regular code there is normally enough unused space found in the flash.

6) Find the point where to link-in the new function in the image.
   - This is done by searching again in the disassembled code.

7) Finally, write the new function in assembler, assemble the code of the new function
   with the correct addresses of global variables, parameters, and local variables.
   - Need an assembler for C167 to do this.
   - Be careful: don't disturb the stack, don't change registers which are used by the orig code.
   - If you write position independent code, you don't have to care at which address
     the code gets stored.

8) Store the assembled function at the selected address in the flash, and link it in
   at the selected point by replacing the existing instruction by a call to your function.
   - The new function should perform the replaced instruction as last instruction.

9) Test the image.
   - If you made a fault, the ECU will start the application at first, but then reboot repeatedly
     -> time for bootmode flashing.

All of the above steps besides the final testing can also be done by tool (kind of
self-installing-patch). Such a tool needs to be created specifically for each use case.
Makes sense only if you want to implement the same/similar function to many different images.

« Last Edit: May 20, 2011, 02:10:47 AM by setzi62 »
Tony@NefMoto
2001.5 Audi S4 Stage 3
« Reply #1 on: May 19, 2011, 12:33:41 PM »

This post was split from this thread: http://www.nefariousmotorsports.com/forum/index.php/topic,607.0title,.html

Remember you have to log in if you want to see the file attachments!
Info or questions, please add to the wiki: http://www.nefariousmotorsports.com/wiki
Follow NefMoto developments on Twitter: http://twitter.com/nefmoto
phila_dot
« Reply #2 on: May 20, 2011, 12:07:08 PM »

Thank you Setzi. This is a little above my skill set at the moment, but it gives me an idea of what to look into.
DJGonzo
« Reply #3 on: May 24, 2011, 08:55:20 PM »

Thank you Setzi. This is a little above my skill set at the moment, but it gives me an idea of what to look into.
You can say that again...
Try disassembling a binary dump in IDA Pro... Trust me, your head will hurt, guaranteed, lol.

I'm not a wiz with IDA Pro. Maybe someone can post some really basic tuts for identifying routines? I think that's what this forum should be more focused on.
« Reply #4 on: July 01, 2012, 01:31:59 PM »

I have been reading through almost every post on this forum; so interesting, all the information that's on it. This is by far one of the ones that completely stumps me, so I would like to understand it. I'm kind of new here. I actually started digging into Volvo ME7 computers and have gotten pretty far with it by learning most of ME7's internal workings from this site, but the one thing I have left is trying to implement some sort of code like this post shows, which is proving to be a little bit over my head at the moment. I'm not sure if I'm selecting the right processor when loading in IDA Pro.
« Reply #5 on: November 22, 2012, 09:37:03 AM »

Question... how do you keep from using a register that may have been set before calling the new function and used afterward?

Say in your new function you:
Code:
mov r9, something

And you call your new function in some other subroutine. But somewhere before your call, the subroutine has already set r9 and then uses/reads r9 later on after you call?

How do you avoid conflicts like that?
« Reply #6 on: November 22, 2012, 09:57:14 AM »

Pop and push the Register on/off the stack.
« Reply #7 on: November 22, 2012, 11:56:20 AM »

Push/pop is rarely used in most subroutines. Use the instruction mov [-r0],r9 to push it and the instruction mov r9,[r0+] to pop it.
« Reply #8 on: November 23, 2012, 10:10:24 AM »

Thanks guys. So, to be safe I should [-r0] all registers used in a new function at the beginning and then [r0+] them back at the end?

Does this sound unreasonable? 
« Reply #9 on: November 23, 2012, 10:39:00 AM »

If you are replacing an original subroutine with yours, look for clues there: some registers will be used to return values, which obviously need not be saved. I use the rule: if in doubt, then save.
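The linking step from setzi62's first post (steps 5, 7 and 8: store the routine in free flash, replace the hooked instruction by a call, repeat that instruction last) combined with the register save/restore advice in the replies above, as an added Python example that is not code from this thread or from any NefMoto tool. It assumes a constructed 64 KiB image in which the file offset equals the segment offset, r0 as the user stack pointer, and the textbook C166/C167 encodings listed in the comments; the hook address, the replaced instruction and the routine body are placeholders.

```python
import struct
# Added example, not code from this thread.  Assumed textbook C166/C167 encodings:
#   CALLA cc_UC,caddr = CA 00 lo hi   RET = CB 00   NOP = CC 00
#   MOV [-r0],Rn = 88 n0 (save on user stack)   MOV Rn,[r0+] = 98 n0 (restore)

def c167_save(reg):      # MOV [-r0],Rreg: r0 used as user stack pointer (pre-decrement)
    return bytes([0x88, reg << 4])
def c167_restore(reg):   # MOV Rreg,[r0+]: pop it back (post-increment)
    return bytes([0x98, reg << 4])

def build_function(body, replaced_insn, clobbered):
    """Save every register BODY clobbers, run it, restore in reverse order, then
    execute the instruction the hook replaced as the last instruction, and RET."""
    code = b"".join(c167_save(r) for r in clobbered) + body
    code += b"".join(c167_restore(r) for r in reversed(clobbered))
    return code + replaced_insn + bytes([0xCB, 0x00])

def link_in(image, hook, replaced_insn, func_addr, func):
    """Copy of IMAGE with FUNC stored at FUNC_ADDR and the 4-byte instruction at
    HOOK overwritten by CALLA cc_UC,func_addr.  Each check catches a mistake that
    would leave the ECU rebooting repeatedly (step 9)."""
    if len(replaced_insn) != 4:
        raise ValueError("hook must cover exactly 4 bytes (the size of CALLA)")
    if hook % 2 or func_addr % 2:
        raise ValueError("C167 code must be word aligned")
    if hook >> 16 != func_addr >> 16:
        raise ValueError("CALLA is segment-relative: put the function in the hook's 64K segment")
    if image[hook:hook + 4] != replaced_insn:
        raise ValueError("image does not hold the expected instruction at the hook")
    area = image[func_addr:func_addr + len(func)]
    if len(area) < len(func) or area.count(area[0]) != len(area) or area[0] not in (0x00, 0xFF):
        raise ValueError("target area is not uniformly blank: choose other free flash")
    out = bytearray(image)
    out[func_addr:func_addr + len(func)] = func
    out[hook:hook + 4] = bytes([0xCA, 0x00]) + struct.pack("<H", func_addr & 0xFFFF)
    return bytes(out)

def changed_offsets(before, after):
    """Offsets that differ: confirm before flashing that only the hook and the free area moved."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

def demo():
    # Constructed 64 KiB image: NOPs as 'code' below 0x8000, erased flash (0xFF) above.
    image = bytes([0xCC, 0x00]) * 0x4000 + b"\xFF" * 0x8000
    hook, replaced = 0x1000, bytes([0xF2, 0xF4, 0x02, 0x38])  # placeholder 4-byte MOV at the hook
    image = image[:hook] + replaced + image[hook + 4:]
    body = bytes([0xCC, 0x00])          # placeholder: the routine's real instructions go here
    func = build_function(body, replaced, clobbered=[9, 10])  # body is assumed to use r9, r10
    patched = link_in(image, hook, replaced, 0x8000, func)
    return patched, changed_offsets(image, patched)
```

If the routine has to live in another 64K segment than the hook, the call must be a CALLS/RETS pair instead, which this example deliberately refuses to emit.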
fknbrkn
mk4 1.8T AUM
« Reply #10 on: January 17, 2015, 11:29:36 PM »

How do you determine which memory addresses are unused? I have a disassembled binary and see a lot of unused RAM space (#38), but when I log a few addresses (without conversion) which I'm planning to use with my own routine, I see strange frozen values in them like 57990 or 63078.

And a second question: I have used the ALS routine's calls() function, but where can I make my own link?
« Last Edit: January 17, 2015, 11:38:40 PM by fukenbroken »
elRey
« Reply #11 on: September 24, 2015, 06:11:48 PM »

What is the easiest way to add the ability to PASTE a hex code chunk into the IDA hex view?

IDA version 5.5

Thanks,
Rey
« Reply #12 on: September 25, 2015, 01:58:33 AM »

Putting the hex code in a binary file and importing it at a specific offset works well.
elRey
« Reply #13 on: September 25, 2015, 04:01:34 AM »

Does this insert and offset the existing code while increasing the file size, or does this overwrite existing code? I need it to overwrite.

Thanks,
Rey
« Reply #14 on: September 28, 2015, 01:43:10 PM »

I tried this and it worked great. Thank you.



To expand on the original topic, can we discuss deleting unused functions to reclaim space and repurposing that space for new, custom functions? I've done it with SLS and am currently deleting DSLSLRS.

My concern is identifying whether the deleted function was called or was part of the main runtime loop, and how to handle either case with new functions, i.e. if I want to write a called function in the place of a runtime loop function that gets run all the time.
« Last Edit: September 28, 2015, 01:51:39 PM by elRey »