Jonny_Z
Newbie
Karma: +0/-1
 Offline
Posts: 5
|
 |
« Reply #60 on: February 11, 2020, 11:08:30 PM »
|
|
|
Page 46.
Thanks Prj, i should read the instruction again. |
|
|
|
|
Logged
|
|
|
|
Praga
Full Member
Karma: +4/-3
Offline
Posts: 62
|
|
« Reply #61 on: April 22, 2020, 04:30:24 PM »
|
|
|
Great post guys I recently started with MED17.5
Any hints what this subroutine does ?
sub_8003A594: ; CODE XREF: sub_8003A77E+6E�p
0000:8003A594 ; sub_8003A82C+84�p ...
0000:8003A594 jge.u d4, #0xC, loc_8003A612
0000:8003A598 sha32 d1, d4, #1
0000:8003A59C lea a15, [a0]-0x28DA
0000:8003A5A0 nor32 d0, d5, #0
0000:8003A5A4 lea a3, [a0]-0x28E2
0000:8003A5A8 addsc32.a a15, a15, d1, #0
0000:8003A5AC lea a2, [a0]-0x28DA
0000:8003A5B0 ld16.h d15, [a15]0
0000:8003A5B2 and16 d15, d0
0000:8003A5B4 st16.h [a15]0, d15
0000:8003A5B6 mov16 d0, #0
0000:8003A5B8 mov16.a a15, #0xB
0000:8003A5BA
0000:8003A5BA loc_8003A5BA: ; CODE XREF: sub_8003A594+2C�j
0000:8003A5BA ld.hu d15, [a2+]2
0000:8003A5BE or16 d0, d15
0000:8003A5C0 loop16 a15, loc_8003A5BA
0000:8003A5C2 lea a15, [a0]-0x28DA
0000:8003A5C6 st16.h [a3], d0
0000:8003A5C8 addsc32.a a15, a15, d1, #0
0000:8003A5CC ld.hu d15, [a15]0
0000:8003A5D0 jnz16 d15, loc_8003A5E2
0000:8003A5D2 mov16 d15, #-2
0000:8003A5D4 lea a15, [a0]-0x28DE
0000:8003A5D8 dextr d15, d15, d15, d4
0000:8003A5DC ld16.h d0, [a15]0
0000:8003A5DE and16 d0, d15
0000:8003A5E0 st16.h [a15]0, d0
0000:8003A5E2
0000:8003A5E2 loc_8003A5E2: ; CODE XREF: sub_8003A594+3C�j
0000:8003A5E2 ld.hu d15, [a3]0
0000:8003A5E6 jz16 d15, loc_8003A612
0000:8003A5E8 lea a15, [a0]-0x28DE
0000:8003A5EC ld.hu d15, [a15]0
0000:8003A5F0 jnz16 d15, loc_8003A612
0000:8003A5F2 lea a2, [a0]-0x28DA
0000:8003A5F6 mov16.a a15, #0xB
0000:8003A5F8
0000:8003A5F8 loc_8003A5F8: ; CODE XREF: sub_8003A594+66�j
0000:8003A5F8 st16.h [a2+]2, d15
0000:8003A5FA loop16 a15, loc_8003A5F8
0000:8003A5FC mov16 d0, #0
0000:8003A5FE lea a2, [a0]-0x28DA
0000:8003A602 mov16.a a15, #0xB
0000:8003A604
0000:8003A604 loc_8003A604: ; CODE XREF: sub_8003A594+76�j
0000:8003A604 ld.hu d15, [a2+]2
0000:8003A608 or16 d0, d15
0000:8003A60A loop16 a15, loc_8003A604
0000:8003A60C lea a15, [a0]-0x28E2
0000:8003A610 st16.h [a15]0, d0
0000:8003A612
0000:8003A612 loc_8003A612: ; CODE XREF: sub_8003A594�j
0000:8003A612 ; sub_8003A594+52�j ...
0000:8003A612 ret16
Thanks
|
|
|
|
|
Logged
|
|
|
|
360trev
Full Member
Karma: +68/-2
Offline
Posts: 235
|
|
« Reply #62 on: February 01, 2022, 04:34:16 AM »
|
|
|
Great post guys I recently started with MED17.5
Any hints what this subroutine does ?
sub_8003A594: ; CODE XREF: sub_8003A77E+6E�p
0000:8003A594 ; sub_8003A82C+84�p ...
0000:8003A594 jge.u d4, #0xC, loc_8003A612
0000:8003A598 sha32 d1, d4, #1
0000:8003A59C lea a15, [a0]-0x28DA
0000:8003A5A0 nor32 d0, d5, #0
0000:8003A5A4 lea a3, [a0]-0x28E2
0000:8003A5A8 addsc32.a a15, a15, d1, #0
0000:8003A5AC lea a2, [a0]-0x28DA
0000:8003A5B0 ld16.h d15, [a15]0
0000:8003A5B2 and16 d15, d0
0000:8003A5B4 st16.h [a15]0, d15
0000:8003A5B6 mov16 d0, #0
0000:8003A5B8 mov16.a a15, #0xB
0000:8003A5BA
0000:8003A5BA loc_8003A5BA: ; CODE XREF: sub_8003A594+2C�j
0000:8003A5BA ld.hu d15, [a2+]2
0000:8003A5BE or16 d0, d15
0000:8003A5C0 loop16 a15, loc_8003A5BA
0000:8003A5C2 lea a15, [a0]-0x28DA
0000:8003A5C6 st16.h [a3], d0
0000:8003A5C8 addsc32.a a15, a15, d1, #0
0000:8003A5CC ld.hu d15, [a15]0
0000:8003A5D0 jnz16 d15, loc_8003A5E2
0000:8003A5D2 mov16 d15, #-2
0000:8003A5D4 lea a15, [a0]-0x28DE
0000:8003A5D8 dextr d15, d15, d15, d4
0000:8003A5DC ld16.h d0, [a15]0
0000:8003A5DE and16 d0, d15
0000:8003A5E0 st16.h [a15]0, d0
0000:8003A5E2
0000:8003A5E2 loc_8003A5E2: ; CODE XREF: sub_8003A594+3C�j
0000:8003A5E2 ld.hu d15, [a3]0
0000:8003A5E6 jz16 d15, loc_8003A612
0000:8003A5E8 lea a15, [a0]-0x28DE
0000:8003A5EC ld.hu d15, [a15]0
0000:8003A5F0 jnz16 d15, loc_8003A612
0000:8003A5F2 lea a2, [a0]-0x28DA
0000:8003A5F6 mov16.a a15, #0xB
0000:8003A5F8
0000:8003A5F8 loc_8003A5F8: ; CODE XREF: sub_8003A594+66�j
0000:8003A5F8 st16.h [a2+]2, d15
0000:8003A5FA loop16 a15, loc_8003A5F8
0000:8003A5FC mov16 d0, #0
0000:8003A5FE lea a2, [a0]-0x28DA
0000:8003A602 mov16.a a15, #0xB
0000:8003A604
0000:8003A604 loc_8003A604: ; CODE XREF: sub_8003A594+76�j
0000:8003A604 ld.hu d15, [a2+]2
0000:8003A608 or16 d0, d15
0000:8003A60A loop16 a15, loc_8003A604
0000:8003A60C lea a15, [a0]-0x28E2
0000:8003A610 st16.h [a15]0, d0
0000:8003A612
0000:8003A612 loc_8003A612: ; CODE XREF: sub_8003A594�j
0000:8003A612 ; sub_8003A594+52�j ...
0000:8003A612 ret16
Thanks
This is in the MED17 ignition code, its fade in Ignition Pattern, igndd_fadeInIgnPattern() |
|
|
|
|
Logged
|
|
|
|
|
|
aymen
Newbie
Karma: +0/-1
Offline
Posts: 2
|
|
« Reply #64 on: December 18, 2022, 06:31:55 AM »
|
|
|
hello all member , i am beginner and i am very curious about med17.5 inside . i bought a file with multimap for my car .. it work fine..
my question :Can someone point me how i can run ram loading/rom adresses for those tricore ?
|
|
|
|
|
Logged
|
|
|
|
aymen
Newbie
Karma: +0/-1
Offline
Posts: 2
|
|
« Reply #65 on: December 18, 2022, 06:51:59 AM »
|
|
|
hello all member , i am beginner and i am very curious about med17.5 inside . i bought a file with multimap for my car .. it work fine..
my question :Can someone point me how i can run ram loading/rom adresses for those tricore ?
|
|
|
|
|
Logged
|
|
|
|
fknbrkn
Hero Member
Karma: +185/-23
Offline
Posts: 1454
mk4 1.8T AUM
|
|
« Reply #66 on: January 18, 2024, 05:16:15 AM »
|
|
|
Well im stuck with MED17 reversing *Im totally new to MED17 rev btw* Trying to find FHOKH/CDKATSP and so on in unknown sw 04E906057EL which is different to any defined MED17.5.25 i have So ive got IDA8.3 and Ghidra here, also i know that fho_w get comparison with FHOKH and thats my hook Load 06J907309A in IDA, using prjs a2l() and indirect() functions, retrieve a0, a1, stuck with a9 for a while but finally im able to get it (8014FAD8) and now my code is pretty fine PFLASH:800615A2 000 ld32.a a15, [a9](off_8014FD6C - off_8014FAD8)
PFLASH:800615A6 000 ld.hu d15, fho_w
PFLASH:800615AA 000 ld.hu d0, [a15](FHOKH_map - unk_801CF17A)
PFLASH:800615AE 000 jge.u d0, d15, loc_800615B8
PFLASH:800615B2 000 st.t B_khtumres:2, #1
PFLASH:800615B6 000 j16 loc_800615BC Well i had to manually check PFLASH @ 8014FD6C to get the second base 801CF17A and then apply this to map offset Whats next? Ive got no variables, no offsets at unknown file Im only able to get a0, a1 Cannot use xrefs to variables to find a corresponding routine Seems that the code is a different so i have no luck to trace it with some similar instructions Questions: 1. Is there any script that get the a9 base + offset and checking value in flash and then applies this to a map offset to get nice xrefs? 2. How can i hook to an unknown file? In me7 im able to get some variables with me7logger file and then tracking down to routine but idk how to handle med17 in that way 3. Ghidra shows nice pseudocode, ive set registers but idk how to fix that poor result It groups a0,a1 and a8 a9
p8 = 0x8014fad8c00083a0;
p0 = 0x8002d3f0d000b800;
....
(uVar8 = fho_w, *(ushort *)(*(int *)(p8._4_4_ + 0x294) + 0x2a) < uVar8)) |
|
|
|
|
Logged
|
|
|
|
|
prj
|
|
« Reply #67 on: January 18, 2024, 05:57:29 AM »
|
|
|
xrefs to flash in IDA could be possible by doing an "indirect" on a9 but I've never tried.
a9 points to module table.
The ram variables should all show up if you have a2l loaded.
If they don't show up then a0/a8 are not set correctly.
Keep in mind there are 3 apps in the flash:
1. SBOOT
2. CBOOT
3. ASW
They all use different configs for globals, make sure you're taking the config from ASW.
|
|
|
|
|
Logged
|
|
|
|
fknbrkn
Hero Member
Karma: +185/-23
Offline
Posts: 1454
mk4 1.8T AUM
|
|
« Reply #68 on: January 18, 2024, 06:08:37 AM »
|
|
|
xrefs to flash in IDA could be possible by doing an "indirect" on a9 but I've never tried.
a9 points to module table.
The ram variables should all show up if you have a2l loaded.
If they don't show up then a0/a8 are not set correctly.
Keep in mind there are 3 apps in the flash:
1. SBOOT
2. CBOOT
3. ASW
They all use different configs for globals, make sure you're taking the config from ASW.
Ram variables xrefs works fine in defined file, I have to manually define offset to a map/param but that's fine I dont have any a2l or other definition of an another target file. For now I just want to find maps in it. So the main question - how can I find the variables (and then maps) if I don't have any defined |
|
|
|
« Last Edit: January 18, 2024, 06:18:49 AM by fknbrkn »
|
Logged
|
|
|
|
|
prj
|
|
« Reply #69 on: January 20, 2024, 07:33:42 AM »
|
|
|
Method 1:
Take a file where you have the a2l, that has similar structure.
Find the function in the file that you have a2l for.
Make a mask from something in the subroutine, masking out the addresses (AA BB ?? ?? CC ?? etc) and search for it with alt+b to (hopefully) locate it in the file you don't have anything for.
Method 2:
If you were able to find the same module in the other file calibration area, find the offset of that module from start of module table and search for the [a9]0x1234 load, then you land in the routines that load stuff from this module.
|
|
|
|
|
Logged
|
|
|
|
fknbrkn
Hero Member
Karma: +185/-23
Offline
Posts: 1454
mk4 1.8T AUM
|
|
« Reply #70 on: January 21, 2024, 09:25:04 AM »
|
|
|
Method 1:
Take a file where you have the a2l, that has similar structure.
Find the function in the file that you have a2l for.
Make a mask from something in the subroutine, masking out the addresses (AA BB ?? ?? CC ?? etc) and search for it with alt+b to (hopefully) locate it in the file you don't have anything for.
Method 2:
If you were able to find the same module in the other file calibration area, find the offset of that module from start of module table and search for the [a9]0x1234 load, then you land in the routines that load stuff from this module.
After 2 sleepless nights im finally get it )) For the me7 im choosing 1st method due to code and ram-structure pretty similar between ecus but in that case code seems different, im able to find pretty similar block but i was unsure due to different FHOKH values (0.71 vs 0.75) and no similar pattern in nearmap structures so i have to combine them I didnt know that a9 are the modules base (perhaps due to my poor english yay) so thats the key) Well if anyone interested (and as a reminder to myself  ) 1st of all i changed prj scripts to be able to use it with IDA8.3 import math
import idautils
def indirect(register, address):
print("Loading assembly...")
counter = 0
heads = list(idautils.Heads())
total = len(heads)
last = 0
replaced = 0
print("Parsing assembly...")
for line in idautils.Heads():
if (idc.get_wide_byte(line) == 0xD9 or idc.get_wide_byte(line) == 0x19 or idc.get_wide_byte(line) == 0x59 or idc.get_wide_byte(line) == 0x99):
dis = idc.GetDisasm(line)
pos = dis.find("[" + register + "]0x")
if (pos == -1):
pos = dis.find("[" + register + "]-0x")
if (pos == -1):
pos = dis.find("[" + register + "](")
if pos != -1:
replaced += 1
ida_offset.op_offset(line, 1, idc.REF_OFF32, -1, address, 0x0)
cur = math.floor(counter*100/total)
if (cur >= (last+10)):
print("%d" % cur, end="%...")
last = cur
counter += 1
print("100%")
print("All done, %d entries replaced." % replaced)
return import idaapi
def a2l(filename):
lastvarname = ""
lastaddress = ""
with open(filename) as fp:
measurements = fp.read().split("/begin MEASUREMENT")
measurements.pop(0)
print("Found: %d measurement(s)" % len(measurements))
for m in measurements:
namefound = 0
addrfound = 0
name = ""
addr = ""
for l in m.split("\n"):
l = l.strip()
if (len(l) > 0):
if (namefound == 0):
name = l
namefound = 1
elif (l.startswith("ECU_ADDRESS")):
addr = l[12:]
addrfound = 1
break
if (addrfound != 1):
print("ERROR")
else:
ida_bytes.del_items(int(addr, 0), 1, ida_bytes.DELIT_SIMPLE)
idc.set_name(int(addr, 0), name, 1)
return
Now im getting fully defined 06J907309A 0010 file with a2l which i use as a reference and for education purpose, loaded with base 0x80000000 load a2l with a2l("C:/rv/057EL/D1752V02C000B0201g.A2L")Search for "a9," go to "mov16.a a9, #0" youll find that part where a0,a1,a8,a9 getting values and use indirect() to get access to variables, i find a1 pretty useless here indirect("a0",0xD000B600)
indirect("a1",0x8004F42C)
indirect("a8",0xC00083A0)a9 defined as #0 so with the prjs hint i know that its start or modules reference, this part was unclear to me before Im able to find this code bc i know fho_w compared with FHOKH so this is pretty neat part, im just checking all fho_w refs and choosing one where fho_w compared with <something> PFLASH:800615A2
PFLASH:800615A2 loc_800615A2: ; CODE XREF: sub_80061400+18A↑j
PFLASH:800615A2 000 99 9F 14 A0 ld32.a a15, [a9]0x294
PFLASH:800615A6 000 05 DF FA FD ld.hu d15, fho_w
PFLASH:800615AA 000 09 F0 EA 08 ld.hu d0, [a15]0x2A
PFLASH:800615AE 000 7F F0 05 80 jge.u d0, d15, loc_800615B8
PFLASH:800615B2 000 D5 DA 2F 00 st.t B_khtumres:2, #1
PFLASH:800615B6 000 3C 03 j16 loc_800615BC
PFLASH:800615B8 ; ---------------------------------------------------------------------------
PFLASH:800615B8
PFLASH:800615B8 loc_800615B8: ; CODE XREF: sub_80061400+170↑j
PFLASH:800615B8 ; sub_80061400:loc_8006158E↑j ...
PFLASH:800615B8 000 D5 D2 2F 00 st.t B_khtumres:2, #0
PFLASH:800615BC
PFLASH:800615BC loc_800615BC: ; CODE XREF: sub_80061400+1B6↑j
PFLASH:800615BC 000 05 D4 C0 F9 ld32.h d4, fcoscfmn_w
PFLASH:800615C0 000 99 94 14 A0 ld32.a a4, [a9]0x294
PFLASH:800615C4 000 25 D4 C0 59 st32.h fcosawkt_w, d4
PFLASH:800615C8 000 37 04 70 40 extr.u d4, d4, #0, #0x10
PFLASH:800615CC 000 D9 44 34 00 lea a4, [a4]0x34
PFLASH:800615D0 000 ED C0 9D 05 calla unk_C0000B3A
PFLASH:800615D4 000 3B F0 00 60 mov32 d6, #0xF
PFLASH:800615D8 000 05 D4 C6 5D ld.hu d4, imlskhgs_w
PFLASH:800615DC 000 02 25 mov16 d5, d2
PFLASH:800615DE 000 25 D2 FE 49 st32.h word_D0001D3E, d2
PFLASH:800615E2 000 6D 05 DD 03 call32 sub_80101D9C
PFLASH:800615E6 000 25 D2 C2 59 st32.h imlskgsa_w, d2 in this file FHOKH @0x801CF1A4 and the first map of the module BBKHAKT is ABKKATTAB 6x1, going to the axis of the map and its size 06 stanging right before the axis @ 0x801CF17A this is start of the table and start of the BBKHAK module Change in OLS data organization to 32bit lohi and search for 801CF17A -> one result @0x8014FD6C this is module base a9 + offset 0x294Now 8014FD6C - 294 = 8014FAD8 is the a9 register or start of the module s table, check this offset in hex, this should be first 80xxxxxx or A0xxxxxx in this table, also good sign is the "9000" stanging right before it as its 'rets' instruction okay so indirect("a9",0x8014FAD8)rename 0x8014FAD8 with startOfModules_mod, 0x8014FD6C with BBKHAKT_mod for beatify this code and now BBKHAKT_mod should be referenceable, so im able to find code of all maps in that module (i might be wrong here idk) next step is to manually (i wonder if im able to make this with script, but its too complex for this task) change ld.hu d0, [a15]0x2A to offset variable press CTRL+R where [a15] used -> OFF32, base: 0x801CF17A as its starting of first table in this module in the end this code looks like that, heres 0x801CF1A4 also renamed with FHOKH_map PFLASH:800615A2 000 99 9F 14 A0 ld32.a a15, [a9](BBKHAKT_mod - startOfModules_mod)
PFLASH:800615A6 000 05 DF FA FD ld.hu d15, fho_w
PFLASH:800615AA 000 09 F0 EA 08 ld.hu d0, [a15](FHOKH_map - unk_801CF17A)
PFLASH:800615AE 000 7F F0 05 80 jge.u d0, d15, loc_800615B8
PFLASH:800615B2 000 D5 DA 2F 00 st.t B_khtumres:2, #1
PFLASH:800615B6 000 3C 03 j16 loc_800615BC
PFLASH:800615B8 ; ---------------------------------------------------------------------------
PFLASH:800615B8
PFLASH:800615B8 loc_800615B8: ; CODE XREF: sub_80061400+170↑j
PFLASH:800615B8 ; sub_80061400:loc_8006158E↑j ...
PFLASH:800615B8 000 D5 D2 2F 00 st.t B_khtumres:2, #0
PFLASH:800615BC
PFLASH:800615BC loc_800615BC: ; CODE XREF: sub_80061400+1B6↑j
PFLASH:800615BC 000 05 D4 C0 F9 ld32.h d4, fcoscfmn_w
PFLASH:800615C0 000 99 94 14 A0 ld32.a a4, [a9](BBKHAKT_mod - startOfModules_mod)
PFLASH:800615C4 000 25 D4 C0 59 st32.h fcosawkt_w, d4
PFLASH:800615C8 000 37 04 70 40 extr.u d4, d4, #0, #0x10
PFLASH:800615CC 000 D9 44 34 00 lea a4, [a4]0x34
PFLASH:800615D0 000 ED C0 9D 05 calla unk_C0000B3A
PFLASH:800615D4 000 3B F0 00 60 mov32 d6, #0xF
PFLASH:800615D8 000 05 D4 C6 5D ld.hu d4, imlskhgs_w |
|
|
|
« Last Edit: January 21, 2024, 11:00:30 AM by fknbrkn »
|
Logged
|
|
|
|
elias
Full Member
Karma: +20/-3
Offline
Posts: 65
|
|
« Reply #71 on: January 21, 2024, 09:56:19 AM »
|
|
|
I want to suggest another method , which i am using all the time in MED9, and it should work also on MED17: There is a table in flash, which is called KFMWNTK ("measurement blocks-table"), It contains pointers to small functions which will return certain variables. The table is very well defined in the FR and the vars will be always on the same index of that table. Here is a detailed explanation about it for MED9: http://nefariousmotorsports.com/forum/index.php?topic=5941.0title=In MED9 World, there is a tool called "med9info" which can parse this table and show all vars which are defined in this table. I havent seen such a tool in MED17 world yet. If not , i would suggest implementing such a tool. I attached the Table Definition from MED17.5 FR here, so you can have a look what it contains. As soon as you get such tool, its pretty easy to add a lot of variables into ghidra even for binaries where no a2l matches up. |
|
|
|
|
Logged
|
|
|
|
fknbrkn
Hero Member
Karma: +185/-23
Offline
Posts: 1454
mk4 1.8T AUM
|
|
« Reply #72 on: January 21, 2024, 10:17:00 AM »
|
|
|
Now part2 with the unknown file 04E906057EL (btw its 1.6 NA skoda a7) Ive made same steps with a0,a1,a8 Choosing nearest potentially rare code in block below which i mark yellow color bc all other code are super-common (even with masking out the variables ive got hundred results) Search for ' 3B F0 00 60 05 D4' gives only few and luckily one of it looks pretty close PFLASH:800840DE D9 0F 7E CB lea a15, [a0](unk_D0006D3E - unk_D000B600)
PFLASH:800840E2 09 F0 C0 08 ld.hu d0, [a15]0
PFLASH:800840E6 99 9F 5C 00 ld32.a a15, [a9]0x41C
PFLASH:800840EA 09 FF F2 08 ld.hu d15, [a15]0x32 ; <- this one is potentially FHOKH
PFLASH:800840EE 7F 0F 05 80 jge.u d15, d0, loc_800840F8 ;<- compared with ram-variable
PFLASH:800840F2 D5 DF 36 10 st.t byte_D0000076:7, #1 ;<- set bit 1 or 0
PFLASH:800840F6 3C 03 j16 loc_800840FC
PFLASH:800840F8 ; ---------------------------------------------------------------------------
PFLASH:800840F8
PFLASH:800840F8 loc_800840F8: ; CODE XREF: sub_80083E00+2AC↑j
PFLASH:800840F8 ; sub_80083E00:loc_800840CA↑j ...
PFLASH:800840F8 D5 D7 36 10 st.t byte_D0000076:7, #0
PFLASH:800840FC
PFLASH:800840FC loc_800840FC: ; CODE XREF: sub_80083E00+2F6↑j
PFLASH:800840FC 99 9F 5C 00 ld32.a a15, [a9]0x41C
PFLASH:80084100 05 D4 7C B9 ld32.h d4, fcoscfmn_w
PFLASH:80084104 09 F5 D2 28 ld.hu d5, [a15]0x92
PFLASH:80084108 25 D4 78 09 st32.h word_D0001438, d4
PFLASH:8008410C 37 04 70 40 extr.u d4, d4, #0, #0x10
PFLASH:80084110 D9 F4 14 20 lea a4, [a15]0x94
PFLASH:80084114 D9 F5 14 20 lea a5, [a15]0x94
PFLASH:80084118 01 55 01 56 addsc32.a a5, a5, d5, #1
PFLASH:8008411C ED C0 ED 0C calla unk_C00019DA
PFLASH:80084120 3B F0 00 60 mov32 d6, #0xF
PFLASH:80084124 05 D4 7E 0D ld.hu d4, imlskhgs_w
PFLASH:80084128 02 25 mov16 d5, d2
PFLASH:8008412A 25 D2 72 09 st32.h word_D0001432, d2
PFLASH:8008412E ED C0 0C 0E calla unk_C0001C18
PFLASH:80084132 25 D2 42 19 st32.h word_D0001442, d2 Thats a good starting point Now im unsure about module start, maybe the good way is to search through some common maps to find first one in any block and get the a9 but im doing this: Search in hex with 32 lohi for from end of the file to beggining (searching from the beggining gives false results) 800?????800?????800?????800?????800?????800?????800?????800?????800?????800?????800?????800?????800?????800?????800?????800?????800????? Results at 0x8016B?? and the table looks like module bases table so i scroll up to F078203B 0003F05F 9000A000 A002018C A0020192 A0020194 A002019C A00201A0 A00201A2 A00201A4 A00201AA A00201B6 A00202E6 A00202F4 A00202FA A0020330 A002033E A0020340 A0020342 A0020346 A0020348 A002034A A002034C A0020350 A0020354 A002035A A00203A8 A00203CA A00203CC A002040C A002041E A002042E A0020430 A0020442 A002044A A0020454 A0020470 A0020482 A0020486 A002048A A002049A A002049E A00204A2 A00205A2 A00205A4 A00205B2 A00205B6 A00205C0 A00205C2 A00205C6 A00205E2 A0020614 A0020660 A00207E6 A00207E8 A0020800 A002085A A00209FC A0020A12 A0020A66 A0020AC4 A0020ACC A0020AD0 A0020AD2 A0020ADE A0020B0A A0020B12 80020C88 80020C8E 80020C90 80020C94 80020C96 80020C9C 80020CA8 80020E28 80020E36 Here i made a mistake and take red one as the start of the table but its at green (and 'rets' or 9000 instruction before it) A002018C stored at 0x8016B08Cand thats a start of a modules table indirect("a9",0x8016B08C)after that i renamed 0x8016B08C with startOfModules as i did before PFLASH:800840DE D9 0F 7E CB lea a15, [a0](unk_D0006D3E - unk_D000B600)
PFLASH:800840E2 09 F0 C0 08 ld.hu d0, [a15]0
PFLASH:800840E6 99 9F 5C 00 ld32.a a15, [a9](dword_8016B4A8 - startOfModules_mod)
PFLASH:800840EA 09 FF F2 08 ld.hu d15, [a15](FHOKH_map - unk_8002DBA2)
PFLASH:800840EE 7F 0F 05 80 jge.u d15, d0, loc_800840F8
PFLASH:800840F2 D5 DF 36 10 st.t byte_D0000076:7, #1
PFLASH:800840F6 3C 03 j16 loc_800840FC
PFLASH:800840F8 ; ---------------------------------------------------------------------------
PFLASH:800840F8
PFLASH:800840F8 loc_800840F8: ; CODE XREF: sub_80083E00+2AC↑j
PFLASH:800840F8 ; sub_80083E00:loc_800840CA↑j ...
PFLASH:800840F8 D5 D7 36 10 st.t byte_D0000076:7, #0
PFLASH:800840FC
PFLASH:800840FC loc_800840FC: ; CODE XREF: sub_80083E00+2F6↑j
PFLASH:800840FC 99 9F 5C 00 ld32.a a15, [a9](dword_8016B4A8 - startOfModules_mod)
PFLASH:80084100 05 D4 7C B9 ld32.h d4, fcoscfmn_w
PFLASH:80084104 09 F5 D2 28 ld.hu d5, [a15](unk_8002DC34 - unk_8002DBA2)
PFLASH:80084108 25 D4 78 09 st32.h word_D0001438, d4
PFLASH:8008410C 37 04 70 40 extr.u d4, d4, #0, #0x10
PFLASH:80084110 D9 F4 14 20 lea a4, [a15](unk_8002DC36 - unk_8002DBA2)
PFLASH:80084114 D9 F5 14 20 lea a5, [a15](unk_8002DC36 - unk_8002DBA2)
PFLASH:80084118 01 55 01 56 addsc32.a a5, a5, d5, #1
PFLASH:8008411C ED C0 ED 0C calla unk_C00019DA
PFLASH:80084120 3B F0 00 60 mov32 d6, #0xF
PFLASH:80084124 05 D4 7E 0D ld.hu d4, imlskhgs_w
PFLASH:80084128 02 25 mov16 d5, d2
PFLASH:8008412A 25 D2 72 09 st32.h word_D0001432, d2
PFLASH:8008412E ED C0 0C 0E calla unk_C0001C18
PFLASH:80084132 25 D2 42 19 st32.h word_D0001442, d2 Checking 0x16B4A8 -> 0x8002DBA2PFLASH:8016B4A8 A2 DB 02 80 dword_8016B4A8 .word 0x8002DBA2 Seems that dword_8016B4A8 stores the start of first table ABKKATTAB(?) in BBKHAKT module but im unsure due to different engine / ecu / MED version Checking 0x8002DBA2 -> 0006 0000 00FA 03E8 09C4 0FA0 1770 // looks like a 6x1 table, good sign  the axis and the table values are completely different with previous file btw Now we have to apply this base in suspicious routine CTRL + R at 'ld.hu d15, [a15]0x32' gives me 0x8002DBD4 which is finally FHOKH map PFLASH:800840C2 loc_800840C2: ; CODE XREF: sub_80083E00+2B4↑j
PFLASH:800840C2 ; sub_80083E00+2B8↑j
PFLASH:800840C2 05 DF 36 14 ld32.bu d15, byte_D0000076
PFLASH:800840C6 6F 3F 0C 80 jnz32.t d15:3, loc_800840DE
PFLASH:800840CA
PFLASH:800840CA loc_800840CA: ; CODE XREF: sub_80083E00+2BE↑j
PFLASH:800840CA 6F 50 17 00 jz32.t d0:5, loc_800840F8
PFLASH:800840CE 99 9F 5C 00 ld32.a a15, [a9](BBKHAKT_mod - startOfModules_mod)
PFLASH:800840D2 05 DF 4A 1D ld.hu d15, word_D000144A
PFLASH:800840D6 09 F0 EC 38 ld.hu d0, [a15](unk_8002DC8E - unk_8002DBA2)
PFLASH:800840DA 3F F0 0F 80 jlt.u d0, d15, loc_800840F8
PFLASH:800840DE
PFLASH:800840DE loc_800840DE: ; CODE XREF: sub_80083E00+2C6↑j
PFLASH:800840DE D9 0F 7E CB lea a15, [a0](unk_D0006D3E - unk_D000B600)
PFLASH:800840E2 09 F0 C0 08 ld.hu d0, [a15]0
PFLASH:800840E6 99 9F 5C 00 ld32.a a15, [a9](BBKHAKT_mod - startOfModules_mod)
PFLASH:800840EA 09 FF F2 08 ld.hu d15, [a15](FHOKH_map - unk_8002DBA2) ; <-
PFLASH:800840EE 7F 0F 05 80 jge.u d15, d0, loc_800840F8
PFLASH:800840F2 D5 DF 36 10 st.t byte_D0000076:7, #1
PFLASH:800840F6 3C 03 j16 loc_800840FC |
|
|
|
« Last Edit: January 21, 2024, 10:21:25 AM by fknbrkn »
|
Logged
|
|
|
|
fknbrkn
Hero Member
Karma: +185/-23
Offline
Posts: 1454
mk4 1.8T AUM
|
|
« Reply #73 on: January 21, 2024, 10:54:43 AM »
|
|
|
I want to suggest another method , which i am using all the time in MED9, and it should work also on MED17: There is a table in flash, which is called KFMWNTK ("measurement blocks-table"), It contains pointers to small functions which will return certain variables. The table is very well defined in the FR and the vars will be always on the same index of that table. Here is a detailed explanation about it for MED9: http://nefariousmotorsports.com/forum/index.php?topic=5941.0title=In MED9 World, there is a tool called "med9info" which can parse this table and show all vars which are defined in this table. I havent seen such a tool in MED17 world yet. If not , i would suggest implementing such a tool. I attached the Table Definition from MED17.5 FR here, so you can have a look what it contains. As soon as you get such tool, its pretty easy to add a lot of variables into ghidra even for binaries where no a2l matches up. Thats a nice input thanks) I might be wrong ofc but i didnt see any *14230* or *mess*tabelle* in MED17.5.20 / 25 files perhaps its UDS and doesnt operate with MVB values anymore |
|
|
|
|
Logged
|
|
|
|
elias
Full Member
Karma: +20/-3
Offline
Posts: 65
|
|
« Reply #74 on: January 21, 2024, 11:02:28 AM »
|
|
|
Thats a nice input thanks)
I might be wrong ofc but i didnt see any *14230* or *mess*tabelle* in MED17.5.20 / 25 files perhaps its UDS and doesnt operate with MVB values anymore
I cannot tell you if they have dropped it or not on a certain binary. But for UDS there might be a similar table. |
|
|
|
|
Logged
|
|
|
|
|
