Pages: [1] 2 3 4
Author Topic: Getting started with IDA and MED9.1  (Read 52970 times)
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« on: September 18, 2014, 01:27:14 AM »

Hi all,

I’ve seen a few people curious about this, so I wanted to put down some notes. It’s got a lot of pictures so hopefully it helps anyone who’s trying to get started Smiley I’m sure that there are many ways to go about this, probably some better but if it gets you interested then it’s done the job.

Start IDA (idaq.exe)



Select New



Select the bin you want to disassemble. Select Files of type ‘All Files (*)’ to see all possible files



From the Processor type drop down, select ‘PowerPC: ppc’ and click the Set button



Next click Processor options and enter the TOC and SDA (r13) addresses

TOC address: 0x5C9FF0
SDA (r13): 0x7FFFF0




Click OK and OK to bring up the next dialogue where you’ll create the RAM and ROM segments

RAM @ 0x600000 size 0x300000
ROM @ 0x400000 size 0x200000
Loading address 0x400000 size 0x200000


Note – this is not completely accurate, but it’s quite sufficient for disassembly. I wish I had a proper memory map  Huh



Click OK and the next dialogue opens. This is where IDA begins the analysis.

Note - prj has written an AutoIT script. AutoIT is a tool that lets you automate actions like mouse clicks, menu selections and button presses. Highlighting one entry and clicking a few buttons is fine. Imagine doing it a few thousand times… prj’s script is for ME7.1 so you’d have to amend it somewhat for MED9.1.
Instead of the AutoIT script, I took a bit of a shortcut here. I just needed a basic disassembly so all I did was highlight all the code between 0x400000 and 0x600000 and press ‘C’. More about that in the next step.



Move the cursor to 0x400000 (by clicking there) and press ‘Alt L’ to mark the beginning of your selection.



Then move down to 0x600000 (by using the slider on the right hand pane or the page up/page down keyboard keys).  Click a second time to mark the end of your selection. Everything between 0x400000 and 0x600000 should now be blocked in grey, indicating it’s been selected.



Press ‘C’ and select Analyse. IDA will now work through your file.



You will get a warning – ‘mtfsfi, bad optype’.



Click OK, tick ‘don’t display message again’ and click OK again. IDA will continue with the analysis.



After a minute or so, the disassembly is finished and you’re ready to go  Grin



« Last Edit: September 18, 2014, 01:41:31 AM by Basano » Logged
Beaviz
Full Member
***

Karma: +8/-4
Offline Offline

Posts: 190


« Reply #1 on: September 18, 2014, 01:50:36 AM »

Again, amazing work you are doing! Thanks for sharing!
Logged
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« Reply #2 on: September 18, 2014, 03:40:21 AM »

OK, so what can you do with this?

Here’s how I go about locating a ram variable. In this example I’m going to look for the ram address of nmot_w (engine speed, 16 bit)

Start with a map you know the location of that makes reference to the variable of interest. Looking at the FR, I can see that the entry to KLPROV is nmot_w.



I also know the address of KLPROV (by comparing against a defined bin). The starting point of the whole map (including the axis) is 0x1D20C0.



The addresses in IDA have an offset of 0x40000. That means if your map is 0x1D20C0 in WinOLS, it’s 0x5D20C0 in IDA (0x1D20C0 + 0x400000).



Looking at address 0x5D20C0, you can see some blue text next to it. That’s called a cross-reference and clicking on it will take you to the segment of code that’s referring to that map address.



Basically the lookup of the map is a function. You pass it some variables, it does its thing and passes back the result.

So we pass r3 and r4 to the function 0x590434. It passes the result back in r3 again.

r4 is loaded with the map location, therefore by elimination r3 must be nmot_w – 0x7FD830

Smiley
« Last Edit: September 18, 2014, 03:42:18 AM by Basano » Logged
weijie
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 46


« Reply #3 on: September 20, 2014, 07:46:08 PM »

I was jus thinking about how to do this last nite!
Thanks basano!

Qn: where did u get e ida.exe?
Logged
piedepesante
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 3


« Reply #4 on: September 24, 2014, 11:51:04 PM »

Basano!!
Really thanks!!
Wonderful work!!!
Logged
flaattire
Full Member
***

Karma: +2/-0
Offline Offline

Posts: 68


« Reply #5 on: September 25, 2014, 09:13:36 PM »

How are yall running IDA, in a non-networked VM? All the "donation optional" versions I've found probably have malware so don't want it on my main box. I'd get a legit version but it's way too expensive!
Logged
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« Reply #6 on: September 26, 2014, 12:21:41 AM »

Correct,

I use Oracle VM VirtualBox.

I also got this advice from another member – legitimate versions of IDA won’t open idb files created by the knock-off versions of IDA. If you are using a knock-off, it’s fine while you are using it yourself or sharing projects with others using the same knock-off. But the real IDA has a blacklist to detect idb files created by the clones and doesn’t like them (understandably).
Logged
flaattire
Full Member
***

Karma: +2/-0
Offline Offline

Posts: 68


« Reply #7 on: September 26, 2014, 01:18:21 AM »

I've got it working and looking at my unnamed vendor's 4 program flash. Thanks for the tutorial. To anyone wondering, some versions ask byte order when selecting the processor type. Mine did, and the correct answer is PPC big-endian.

Have you written / modified any code, Basano, or are you still learning?
Logged
ozzy_rp
Jr. Member
**

Karma: +16/-1
Offline Offline

Posts: 49


« Reply #8 on: October 01, 2014, 04:36:50 AM »



RAM @ 0x600000 size 0x300000
ROM @ 0x400000 size 0x200000
Loading address 0x400000 size 0x200000


Note – this is not completely accurate, but it’s quite sufficient for disassembly. I wish I had a proper memory map  Huh

Hello
I think that memory map look like this:
ROM @ 0x000000 size 0x200000
Loading address 0x000000 size 0x200000

And i cut data from original file from 0x1C0000 to 0x1FFFFF,
then i load this data as additional binary file at 0x5C0000 size 0x40000

Now we have the correct addressing from beginning file, with correct subroutines address.
And correct addressing in data block.
Logged

MED17/EDC17 Reverse engineering
conversion sgo and frf to bin https://osotec.com/
terminator
Sr. Member
****

Karma: +15/-4
Offline Offline

Posts: 425


« Reply #9 on: October 03, 2014, 04:53:15 PM »

Tell me please how did you find RAM address?
Logged
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« Reply #10 on: October 07, 2014, 12:45:19 AM »

Hello
I think that memory map look like this:
ROM @ 0x000000 size 0x200000
Loading address 0x000000 size 0x200000

And i cut data from original file from 0x1C0000 to 0x1FFFFF,
then i load this data as additional binary file at 0x5C0000 size 0x40000

Now we have the correct addressing from beginning file, with correct subroutines address.
And correct addressing in data block.


Actually, that does match up.

I poked around with this a bit more. Take a look at this extract from a random 2.0 TFSI MED9.1 .a2l file. There’s a section near the beginning that actually lists the memory segment layouts. It describes both ROM and RAM. I'm not sure what the section at 0x900000 is Huh , but the rest seems to align. You'll notice the bit in blue has a mapping from 0x1C -> 0x5C.

.a2l file attached

  /begin MOD_PAR "D915A_41W200"
    VERSION "MED91"
    ADDR_EPK 0x1C21F0
    EPK "55/1/MED91/5/4420.01//D915A_41W200/D915A_41W200/150904/"
    CUSTOMER_NO "5"
    USER "GS-ES/EAD1-Richard"
    PHONE_NO ""
    CPU_TYPE "GoldenOak"
    ECU "MED91"
    /begin MEMORY_SEGMENT Pst20000 "" CODE EPROM EXTERN 0x20000 0x1A0000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x20000 /*mapping_adr:*/0x20000 /*length:*/0x1A0000 /end IF_DATA
    /begin IF_DATA ASAP1B_CCP ADDRESS_MAPPING /*orig_adr:*/0x20000 /*mapping_adr:*/0x20000 /*length:*/0x1A0000 /end IF_DATA
    /begin IF_DATA ASAP1B_KWP2000 ADDRESS_MAPPING /*orig_adr:*/0x20000 /*mapping_adr:*/0x20000 /*length:*/0x1A0000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst1F0000 "" CODE EPROM EXTERN 0x1F0000 0x10000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x1F0000 /*mapping_adr:*/0x1F0000 /*length:*/0x10000 /end IF_DATA
    /begin IF_DATA ASAP1B_CCP ADDRESS_MAPPING /*orig_adr:*/0x1F0000 /*mapping_adr:*/0x1F0000 /*length:*/0x10000 /end IF_DATA
    /begin IF_DATA ASAP1B_KWP2000 ADDRESS_MAPPING /*orig_adr:*/0x1F0000 /*mapping_adr:*/0x1F0000 /*length:*/0x10000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Pst0 "" CODE EPROM EXTERN 0x0 0x20000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x0 /*mapping_adr:*/0x0 /*length:*/0x20000 /end IF_DATA
    /begin IF_DATA ASAP1B_CCP ADDRESS_MAPPING /*orig_adr:*/0x0 /*mapping_adr:*/0x0 /*length:*/0x20000 /end IF_DATA
    /begin IF_DATA ASAP1B_KWP2000 ADDRESS_MAPPING /*orig_adr:*/0x0 /*mapping_adr:*/0x0 /*length:*/0x20000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Dst1C2000 "" DATA EPROM EXTERN 0x1C2000 0x2E000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x1C2000 /*mapping_adr:*/0x902000 /*length:*/0x2E000 /end IF_DATA
    /begin IF_DATA ASAP1B_CCP ADDRESS_MAPPING /*orig_adr:*/0x1C2000 /*mapping_adr:*/0x5C2000 /*length:*/0x2E000 /end IF_DATA
    /begin IF_DATA ASAP1B_KWP2000 ADDRESS_MAPPING /*orig_adr:*/0x1C2000 /*mapping_adr:*/0x5C2000 /*length:*/0x2E000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT ExtRam900000 "" VARIABLES RAM EXTERN 0x900000 0x2000 -1 -1 -1 -1 -1
        /* AsapMLXFm - CCP_V2_1 */
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x900000 /*mapping_adr:*/0x900000 /*length:*/0x2000 /end IF_DATA
        /* AsapMLXFm - KWP2000 */
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Ram7F8000 "" VARIABLES RAM INTERN 0x7F8000 0x8000 -1 -1 -1 -1 -1
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT Ram800000 "" VARIABLES RAM INTERN 0x800000 0x8000 -1 -1 -1 -1 -1
    /end MEMORY_SEGMENT
Logged
ozzy_rp
Jr. Member
**

Karma: +16/-1
Offline Offline

Posts: 49


« Reply #11 on: October 07, 2014, 02:35:10 AM »

Actually, that does match up.

I poked around with this a bit more. Take a look at this extract from a random 2.0 TFSI MED9.1 .a2l file. There’s a section near the beginning that actually lists the memory segment layouts. It describes both ROM and RAM. I'm not sure what the section at 0x900000 is Huh , but the rest seems to align. You'll notice the bit in blue has a mapping from 0x1C -> 0x5C.

    /begin MEMORY_SEGMENT Dst1C2000 "" DATA EPROM EXTERN 0x1C2000 0x2E000 -1 -1 -1 -1 -1
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x1C2000 /*mapping_adr:*/0x902000 /*length:*/0x2E000 /end IF_DATA
    /begin IF_DATA ASAP1B_CCP ADDRESS_MAPPING /*orig_adr:*/0x1C2000 /*mapping_adr:*/0x5C2000 /*length:*/0x2E000 /end IF_DATA
    /begin IF_DATA ASAP1B_KWP2000 ADDRESS_MAPPING /*orig_adr:*/0x1C2000 /*mapping_adr:*/0x5C2000 /*length:*/0x2E000 /end IF_DATA
    /end MEMORY_SEGMENT

    /begin MEMORY_SEGMENT ExtRam900000 "" VARIABLES RAM EXTERN 0x900000 0x2000 -1 -1 -1 -1 -1
        /* AsapMLXFm - CCP_V2_1 */
    /begin IF_DATA ETK ADDRESS_MAPPING /*orig_adr:*/0x900000 /*mapping_adr:*/0x900000 /*length:*/0x2000 /end IF_DATA
        /* AsapMLXFm - KWP2000 */
    /end MEMORY_SEGMENT


I look at checksumm table in dump. That's part from several table with the addresses of the data blocks:

(StartAddress EndAddress)

0x005CA3DC 0x005CA87F
0x005C2000 0x005C223F
0x005C2E00 0x005C7FFF
0x005C8000 0x005CFFFF
0x005D0000 0x005D7FFF
0x005D8000 0x005DFFFF
This mapped data 0x1C to 0x5C. Range 0x5C2000-0x5DFFFF


0x00180000 0x00187FFF
0x00188000 0x0018FFFF
0x00190000 0x00197FFF
0x00198000 0x0019FFFF
0x001A0000 0x001A7FFF
0x001A8000 0x001AFFFF
0x001B0000 0x001BFFFF
0x001B8000 0x001BFFFF
0x001E0000 0x001EFFFF
0x001F0000 0x001FFFFF
There is no data on mapped block in range 0x1C0000-0x1E0000, but present data on block 0x1E0000-0x1FFFFF.
Maybe necessary to load data in this range (0x1E0000-0x1FFFFF) to original address.

Maybe  data in section 0x900000 - external RAM in separate chip? Need to see photo of disassembled ECU Smiley
Logged

MED17/EDC17 Reverse engineering
conversion sgo and frf to bin https://osotec.com/
Basano
Full Member
***

Karma: +90/-3
Offline Offline

Posts: 192


« Reply #12 on: October 07, 2014, 03:50:48 AM »

Looking at the checksum tables - clever!  Cheesy

Again from the .a2l, perhaps 0x1C0000 is related to the e2p... Only a guess though. I know the e2p shows up in a ram mirror as well but that's slightly different.

        SERAM
            /* SERAM_A */ 0x1C0000
            /* SERAM_O */ 0x1C0000
            /* SERAM_U */ 0x1DFFFE
            /* SERAM_E */ 0x1DFFFE
           /* Flash address */ 0x000000
           /* RAM address   */ 0x000000
              /* Data Read   */ 1
              /* Code Verify */ 0
              /* Code Read   */ 0
              /* Load mode   */ 1
Logged
ericpaulyoung
Full Member
***

Karma: +5/-0
Offline Offline

Posts: 149


« Reply #13 on: October 15, 2014, 08:00:59 PM »

...

And i cut data from original file from 0x1C0000 to 0x1FFFFF,
then i load this data as additional binary file at 0x5C0000 size 0x40000

...


How do you do this?. I cannot generate a new file in IDA after I copy the lines.
epy
Logged
ericpaulyoung
Full Member
***

Karma: +5/-0
Offline Offline

Posts: 149


« Reply #14 on: October 15, 2014, 08:28:58 PM »

I tried to copy the lines, then create a new segment from 0x5C0000 to 0x600000, but IDA would not let me. It spit out an error that the segment is bad with negative entries.

epy
Logged
Pages: [1] 2 3 4
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Page created in 0.028 seconds with 16 queries. (Pretty URLs adds 0s, 0q)