Method 1:
Take a file for which you have the a2l and that has a similar structure.
Find the function in the file that you have a2l for.
Make a mask from something in the subroutine, masking out the addresses (AA BB ?? ?? CC ?? etc.) and search for it with Alt+B to (hopefully) locate it in the file you don't have anything for.
Method 2:
If you were able to find the same module in the other file's calibration area, find the offset of that module from the start of the module table and search for the [a9]0x1234 load; then you land in the routines that load stuff from this module.
After 2 sleepless nights I finally got it ))
For the ME7 I'd go with the 1st method since the code and RAM structure are pretty similar between ECUs, but in this case the code seems different. I was able to find a pretty similar block, but I was unsure due to the different FHOKH values (0.71 vs 0.75) and no similar pattern in the nearby map structures, so I had to combine them.
I didn't know that a9 is the modules' base (perhaps due to my poor English, yay), so that's the key)
Well, if anyone is interested (and as a reminder to myself):
1st of all I changed prj's scripts to be able to use them with IDA 8.3
import math
import idautils
import idc
import ida_offset

def indirect(register, address):
    # Turn every "[register]0x..." load/store/lea displacement into an OFF32
    # offset relative to `address`, so IDA resolves it to the real variable.
    print("Loading assembly...")
    counter = 0
    heads = list(idautils.Heads())
    total = len(heads)
    last = 0
    replaced = 0
    print("Parsing assembly...")
    for line in heads:
        # TriCore BOL-format opcodes with a 16-bit displacement (lea, ld.w, st.w, ld.a)
        if idc.get_wide_byte(line) in (0xD9, 0x19, 0x59, 0x99):
            dis = idc.GetDisasm(line)
            pos = dis.find("[" + register + "]0x")
            if pos == -1:
                pos = dis.find("[" + register + "]-0x")
            if pos == -1:
                pos = dis.find("[" + register + "](")
            if pos != -1:
                replaced += 1
                # operand 1, OFF32, no fixed target, base = register value
                ida_offset.op_offset(line, 1, idc.REF_OFF32, -1, address, 0x0)
        # Progress output every 10%
        cur = math.floor(counter * 100 / total)
        if cur >= last + 10:
            print("%d" % cur, end="%...")
            last = cur
        counter += 1
    print("100%")
    print("All done, %d entries replaced." % replaced)
    return
import idaapi
import ida_bytes
import idc

def a2l(filename):
    # Split the A2L into MEASUREMENT blocks; the first chunk is everything before the first block.
    with open(filename) as fp:
        measurements = fp.read().split("/begin MEASUREMENT")
    measurements.pop(0)
    print("Found: %d measurement(s)" % len(measurements))
    for m in measurements:
        namefound = 0
        addrfound = 0
        name = ""
        addr = ""
        for l in m.split("\n"):
            l = l.strip()
            if len(l) > 0:
                if namefound == 0:
                    # First non-empty line after /begin MEASUREMENT is the variable name
                    name = l
                    namefound = 1
                elif l.startswith("ECU_ADDRESS "):
                    # Trailing space so ECU_ADDRESS_EXTENSION is not mistaken for the address
                    addr = l[12:]
                    addrfound = 1
                    break
        if addrfound != 1:
            print("ERROR: no ECU_ADDRESS found for %s" % name)
        else:
            # Undefine whatever IDA had at that address and name it after the A2L variable
            ida_bytes.del_items(int(addr, 0), 1, ida_bytes.DELIT_SIMPLE)
            idc.set_name(int(addr, 0), name, 1)
    return
Now I'm getting a fully defined 06J907309A 0010 file with a2l, which I use as a reference and for education purposes, loaded with base 0x80000000
load the a2l with
a2l("C:/rv/057EL/D1752V02C000B0201g.A2L")
Search for "a9," and go to "mov16.a a9, #0"; you'll find the part where a0, a1, a8, a9 get their values. Use indirect() to get access to the variables; I find a1 pretty useless here
indirect("a0",0xD000B600)
indirect("a1",0x8004F42C)
indirect("a8",0xC00083A0)
a9 is defined as #0, so with prj's hint I know that it's the start of the modules reference; this part was unclear to me before
I'm able to find this code because I know fho_w is compared with FHOKH, so this is a pretty neat part: I'm just checking all fho_w refs and choosing the one where fho_w is compared with <something>
PFLASH:800615A2
PFLASH:800615A2 loc_800615A2: ; CODE XREF: sub_80061400+18A↑j
PFLASH:800615A2 000 99 9F 14 A0 ld32.a a15, [a9]0x294
PFLASH:800615A6 000 05 DF FA FD ld.hu d15, fho_w
PFLASH:800615AA 000 09 F0 EA 08 ld.hu d0, [a15]0x2A
PFLASH:800615AE 000 7F F0 05 80 jge.u d0, d15, loc_800615B8
PFLASH:800615B2 000 D5 DA 2F 00 st.t B_khtumres:2, #1
PFLASH:800615B6 000 3C 03 j16 loc_800615BC
PFLASH:800615B8 ; ---------------------------------------------------------------------------
PFLASH:800615B8
PFLASH:800615B8 loc_800615B8: ; CODE XREF: sub_80061400+170↑j
PFLASH:800615B8 ; sub_80061400:loc_8006158E↑j ...
PFLASH:800615B8 000 D5 D2 2F 00 st.t B_khtumres:2, #0
PFLASH:800615BC
PFLASH:800615BC loc_800615BC: ; CODE XREF: sub_80061400+1B6↑j
PFLASH:800615BC 000 05 D4 C0 F9 ld32.h d4, fcoscfmn_w
PFLASH:800615C0 000 99 94 14 A0 ld32.a a4, [a9]0x294
PFLASH:800615C4 000 25 D4 C0 59 st32.h fcosawkt_w, d4
PFLASH:800615C8 000 37 04 70 40 extr.u d4, d4, #0, #0x10
PFLASH:800615CC 000 D9 44 34 00 lea a4, [a4]0x34
PFLASH:800615D0 000 ED C0 9D 05 calla unk_C0000B3A
PFLASH:800615D4 000 3B F0 00 60 mov32 d6, #0xF
PFLASH:800615D8 000 05 D4 C6 5D ld.hu d4, imlskhgs_w
PFLASH:800615DC 000 02 25 mov16 d5, d2
PFLASH:800615DE 000 25 D2 FE 49 st32.h word_D0001D3E, d2
PFLASH:800615E2 000 6D 05 DD 03 call32 sub_80101D9C
PFLASH:800615E6 000 25 D2 C2 59 st32.h imlskgsa_w, d2
In this file FHOKH is @0x801CF1A4 and the first map of the module BBKHAKT is ABKKATTAB 6x1; going to the axis of the map, its size 06 is standing right before the axis @0x801CF17A. This is the start of the table and the start of the BBKHAKT module.
Change the OLS data organization to 32bit lohi and search for 801CF17A -> one result @0x8014FD6C; this is module base a9 + offset 0x294.
Now 8014FD6C - 294 = 8014FAD8 is the a9 register or the start of the modules table. Check this offset in hex: this should be the first 80xxxxxx or A0xxxxxx in this table, and a good sign is the "9000" standing right before it as it's the 'rets' instruction.
okay so
indirect("a9",0x8014FAD8)
rename 0x8014FAD8 to startOfModules_mod and 0x8014FD6C to BBKHAKT_mod to beautify this code; now BBKHAKT_mod should be referenceable, so I'm able to find the code of all maps in that module (I might be wrong here, idk)
The next step is to manually (I wonder if I could do this with a script, but it's too complex for this task) change
ld.hu d0, [a15]0x2A
to an offset variable:
press CTRL+R where [a15] is used -> OFF32, base: 0x801CF17A as it's the start of the first table in this module
In the end this code looks like this; here 0x801CF1A4 is also renamed to FHOKH_map
PFLASH:800615A2 000 99 9F 14 A0 ld32.a a15, [a9](BBKHAKT_mod - startOfModules_mod)
PFLASH:800615A6 000 05 DF FA FD ld.hu d15, fho_w
PFLASH:800615AA 000 09 F0 EA 08 ld.hu d0, [a15](FHOKH_map - unk_801CF17A)
PFLASH:800615AE 000 7F F0 05 80 jge.u d0, d15, loc_800615B8
PFLASH:800615B2 000 D5 DA 2F 00 st.t B_khtumres:2, #1
PFLASH:800615B6 000 3C 03 j16 loc_800615BC
PFLASH:800615B8 ; ---------------------------------------------------------------------------
PFLASH:800615B8
PFLASH:800615B8 loc_800615B8: ; CODE XREF: sub_80061400+170↑j
PFLASH:800615B8 ; sub_80061400:loc_8006158E↑j ...
PFLASH:800615B8 000 D5 D2 2F 00 st.t B_khtumres:2, #0
PFLASH:800615BC
PFLASH:800615BC loc_800615BC: ; CODE XREF: sub_80061400+1B6↑j
PFLASH:800615BC 000 05 D4 C0 F9 ld32.h d4, fcoscfmn_w
PFLASH:800615C0 000 99 94 14 A0 ld32.a a4, [a9](BBKHAKT_mod - startOfModules_mod)
PFLASH:800615C4 000 25 D4 C0 59 st32.h fcosawkt_w, d4
PFLASH:800615C8 000 37 04 70 40 extr.u d4, d4, #0, #0x10
PFLASH:800615CC 000 D9 44 34 00 lea a4, [a4]0x34
PFLASH:800615D0 000 ED C0 9D 05 calla unk_C0000B3A
PFLASH:800615D4 000 3B F0 00 60 mov32 d6, #0xF
PFLASH:800615D8 000 05 D4 C6 5D ld.hu d4, imlskhgs_w
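As an added example (my own code, not prj's scripts or anything from the post), here are the two steps of the module-base derivation done offline in plain Python: decoding the `99 9F 14 A0` BOL instruction from the listing to recover the 0x294 displacement, then the OLS-style 32-bit lohi search for the table start and the a9 = hit - offset subtraction with the 'rets' and 80xxxxxx/A0xxxxxx sanity checks. The addresses are the post's; the flash image and its base (IMAGE_BASE) are constructed.

```python
import struct

# Addresses are the ones from the post; the image bytes below are constructed.
IMAGE_BASE  = 0x8014FA00
TABLE_START = 0x801CF17A   # axis size byte of ABKKATTAB, start of the BBKHAKT module
LDA_BYTES   = bytes.fromhex("999F14A0")  # ld32.a a15, [a9]0x294 from the listing

BOL_OPCODES = {0x99: "ld.a", 0xD9: "lea", 0x19: "ld.w", 0x59: "st.w"}

def decode_bol(insn):
    """Decode a 32-bit TriCore BOL-format instruction into (mnemonic, reg, base, off16)."""
    w = struct.unpack("<I", insn)[0]
    op1 = w & 0xFF
    if op1 not in BOL_OPCODES:
        raise ValueError("not a BOL load/store/lea opcode: 0x%02X" % op1)
    reg = (w >> 8) & 0xF                # s1/d: register being loaded/stored (a15 here)
    base = (w >> 12) & 0xF              # s2: address register holding the base (a9 here)
    # off16 is scattered: bits 21:16 = off16[5:0], 31:28 = off16[9:6], 27:22 = off16[15:10]
    off16 = ((w >> 16) & 0x3F) | (((w >> 28) & 0xF) << 6) | (((w >> 22) & 0x3F) << 10)
    return BOL_OPCODES[op1], reg, base, off16

def build_image():
    """Constructed PFLASH slice: '00 90' (rets) followed by the module pointer table."""
    img = bytearray(0x400)
    table_base = 0x8014FAD8             # the a9 value the post derives
    img[table_base - 2 - IMAGE_BASE:table_base - IMAGE_BASE] = b"\x00\x90"
    for i in range(0, 0x300, 4):        # filler module pointers (constructed values)
        struct.pack_into("<I", img, table_base + i - IMAGE_BASE, 0x801C0000 + i * 0x40)
    struct.pack_into("<I", img, table_base + 0x294 - IMAGE_BASE, TABLE_START)
    return bytes(img)

def find_module_base(img, image_base, table_start, off16):
    """OLS '32bit lohi' search in code: pointer to table_start, minus off16, gives a9."""
    needle = struct.pack("<I", table_start)
    hits, i = [], img.find(needle)
    while i != -1:
        hits.append(image_base + i)
        i = img.find(needle, i + 1)
    if len(hits) != 1:
        raise ValueError("expected one pointer hit, got %d" % len(hits))
    a9 = hits[0] - off16
    first_entry = struct.unpack_from("<I", img, a9 - image_base)[0]
    rets_before = img[a9 - 2 - image_base:a9 - image_base] == b"\x00\x90"
    return hits[0], a9, rets_before and (first_entry >> 24) in (0x80, 0xA0)

if __name__ == "__main__":
    mnem, reg, base, off16 = decode_bol(LDA_BYTES)
    print("%s a%d, [a%d]0x%X" % (mnem, reg, base, off16))      # ld.a a15, [a9]0x294
    ptr, a9, ok = find_module_base(build_image(), IMAGE_BASE, TABLE_START, off16)
    print("pointer @0x%08X, a9 = 0x%08X, checks %s" % (ptr, a9, "pass" if ok else "FAIL"))
```

On a real dump, point `img` at the PFLASH bytes and `image_base` at the load address (0x80000000 in the post); a second pointer hit means the table start is referenced from more than one module and needs checking by hand.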