Author Topic: Disassembling MED/EDC17  (Read 83747 times)
Ionut
« Reply #15 on: October 05, 2015, 03:33:04 PM »

So, to be sure I'm not making a mistake:
Should I load the internal flash at 0x8000000 and create RAM segments at 0xC000000 and 0xD0000000?
What should be loaded at 0xA0000000? External flash, or something else?

Code:
 movh.a          a2, #0xD001
8000000:0012A6F8                 ld32.h          d1, 0xD00007DA
8000000:0012A6FC                 mov16           d0, d1
8000000:0012A6FE                 lea             a2, [a2]-0x5F0C
This means that the address in a2 is 0xD0010000.
Then 0x5F0C is subtracted from that value, so the actual value of a2 is 0xD000A0F4.
But for this:
Code:
movh.a          a12, #0xD001
8000000:0005E6F4                 lea             a12, [a12]-0x544C
8000000:0005E6F8                 ld16.bu         d15, [a12]0
8000000:0005E6FA                 and16           d15, #3
8000000:0005E6FC                 jge.u           d15, #4, loc_8005E84E
8000000:0005E700                 movh.a          a15, #0x8006
8000000:0005E704                 addsc16.a       a15, a15, d15, #2
8000000:0005E706                 ld32.a          a15, [a15]-0x6E0C
a15 is loaded with 0x80060000,
then a15 is offset by the d15 value?
then a15 is loaded with 0x80060000 - 0x6E0C (if the d15 offset is actually 0) = 0x800591F4

Basically I want to know how to search for map references.


ozzy_rp, how did you discover that 0x80153DDC is the address of the table with references?
ozzy_rp
« Reply #16 on: October 05, 2015, 11:52:30 PM »

Flash memory from 0x80000000 is mirrored at 0xA0000000.

a15 is loaded with 0x80060000,
then calculated with the offset in d15,
and then the word at [a15]-0x6E0C is loaded into a15.
Pay attention to the instructions "LEA" and "LD".

I don't find 0x80153DDC in the disassembly :(
http://nefariousmotorsports.com/forum/index.php?topic=6990.msg72154#msg72154

MED17/EDC17 Reverse engineering
conversion sgo and frf to bin https://osotec.com/
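The address arithmetic from the two listings above, worked as an added example (not code from the thread or from any tool named in it): the movh.a/lea/addsc.a steps, the @HIS/@LOS split an assembler uses to emit such a pair, and the 0x80000000/0xA0000000 flash mirror ozzy_rp mentions. The function names are this example's own; the constants are the ones posted.

```python
# Added example, not code from the thread: TriCore address arithmetic for the
# movh.a / lea / addsc.a sequences quoted above. Constants are the ones posted.

def movh_a(hi16):
    """movh.a aN, #hi16: upper 16 bits loaded, lower 16 bits cleared."""
    return (hi16 & 0xFFFF) << 16

def lea(base, off16):
    """lea aN, [aM]off16: add a SIGNED 16-bit offset, wrap to 32 bits."""
    if not -0x8000 <= off16 <= 0x7FFF:
        raise ValueError("lea offset must fit in signed 16 bits")
    return (base + off16) & 0xFFFFFFFF

def addsc_a(base, index, shift):
    """addsc.a aN, aM, dX, #n: base + (index << n), n in 0..3."""
    return (base + (index << shift)) & 0xFFFFFFFF

def his_los(addr):
    """Split a 32-bit address into the @HIS/@LOS pair an assembler emits.
    Because lea sign-extends @LOS, HIS is the high half plus one whenever
    bit 15 of the low half is set: 0xD000A0F4 becomes movh.a #0xD001 and
    lea -0x5F0C, exactly the pair in Ionut's first listing."""
    los = addr & 0xFFFF
    if los & 0x8000:
        los -= 0x10000
    his = ((addr - los) >> 16) & 0xFFFF
    return his, los

def mirror_to_cached(addr):
    """Flash at 0x80000000 is mirrored at 0xA0000000 (segment 8 vs A);
    fold a segment-A address onto its segment-8 twin so xrefs line up."""
    if 0xA0000000 <= addr <= 0xAFFFFFFF:
        return addr - 0x20000000
    return addr

def pointer_slot_from_listing(variant=0):
    """Second snippet: movh.a a15,#0x8006 / addsc.a a15,a15,d15,#2 /
    ld.a a15,[a15]-0x6E0C. Returns the address the ld.a READS FROM; the
    pointer itself sits in the binary, not in the listing (ozzy_rp's point
    about LEA versus LD). d15 is the variant index masked to 0..3."""
    a15 = movh_a(0x8006)
    a15 = addsc_a(a15, variant & 3, 2)
    return lea(a15, -0x6E0C)

if __name__ == "__main__":
    print(hex(lea(movh_a(0xD001), -0x5F0C)))      # a2 = 0xd000a0f4
    print([hex(v) for v in his_los(0xD000A0F4)])  # ['0xd001', '-0x5f0c']
    print(hex(pointer_slot_from_listing(0)))      # 0x800591f4
```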
MIL_on
« Reply #17 on: October 09, 2015, 04:02:12 AM »

Ionut: Make sure you understand how the map addresses are called:
1. You have the table, which is filled with addresses of "areas", but not every single map address is stored here, otherwise it would become too big.
2. From the address stored in the table you are able to take short offsets, which can be stored in 16 bits.

Addresses for better understanding:
rlmx_w = D0001662
Axis Length(0x0012) = 0x8005B05C
Axis = 0x8005B05E - 0x8005B081
LDRXNZK = 0x8005B082 - 0x8005B0A5

So if you are going to reverse the whole mechanism you would start like this:
- You know where your LDRXN map and axis start, and you know which variable gets stored in the routine which uses these maps (rlmx_w). So you take the RAM address of the variable (rlmx_w) and use the cross-reference function. There are 2 routines which write into that RAM cell and 1 reading it. You know that it gets written by the LDRXN routine, so you go down one of those 2 paths.
In this routine you will find the following code:

This is based on the 5K0907115, 0261204474, 1037500440 file!

0000:80106C62                 ld32.w          d15, [a9]0x638             // Table index = a9+offset --> take the address from [Tablestart+0x638]
0000:80106C66                 madd            d15, d15, d0, #0x4A     // choose the LDRXN map based on the gearbox variant (0x4A is the length of one complete table+axis+axis description!) and store it in d15 again. Let's guess we have a manual transmission, so d0 will be 0.
0000:80106C6A                 ld.hu           d4, nmot_w
0000:80106C6E                 mov16.a         a15, d15                   // store the address in an address register
0000:80106C70                 lea             a4, [a15]0x69E             // load effective address: a15 holds at that moment [Table entry+0*0x4A] and we add another 0x69E to that address and store it in a4. If you dive into the subfunction which gets called in the next line you will find that a4 has to hold the length of the axis, and this is @ address 8005B05C.
0000:80106C74                 call32          sub_800FDC72
0000:80106C78                 st32.h          rlmx_w, d2
0000:80106C7C                 j16             loc_80106C86

So, as you know that the end of the calculation has to be 0x8005B05C, you can go in reverse: 0x8005B05C - 0x69E = 0x8005A9BE. Search for 8005A9BE in your hex editor in 32-bit mode and you will find it @ 0x8016E020. From here you know that you have to subtract 0x638 to get to the table start! This delivers 0x8016D9E8, which you can now use for all other equations!


Subroutine not explained:
0000:800FDC72 sub_800FDC72:                           ; CODE XREF: ROM:80071FA8p
0000:800FDC72                                         ; ROM:80072004p ...
0000:800FDC72                 mov16           d5, d4
0000:800FDC74                 mov16.aa        a15, a4
0000:800FDC76                 ld.hu           d15, [a15+]2
0000:800FDC7A                 mov16           d4, d15
0000:800FDC7C                 mov16.aa        a4, a15
0000:800FDC7E                 call32          sub_80121FDC
0000:800FDC82                 addsc16.a       a4, a15, d15, #1
0000:800FDC84                 mov16           d4, d2
0000:800FDC86                 j32             sub_800FA5EE
0000:800FDC86 ; End of function sub_800FDC72


« Last Edit: October 09, 2015, 04:06:03 AM by MIL_on »
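The lookup MIL_on walks through, as an added example (not code from the thread): forward, as the ECU code does it (table entry, variant stride, axis offset), and in reverse, as the hex-editor search does it. The flash slice is constructed so the example runs offline; the addresses and offsets are the ones in the post, and the function names are this example's own.

```python
# Added example, not code from the thread: the map-reference lookup MIL_on
# describes, forward (as the ECU code does it) and in reverse (as a hex-editor
# search does it). The flash slice is CONSTRUCTED so this runs offline; the
# addresses and offsets are the ones given in the post.
import struct

TABLE_START = 0x8016D9E8        # table start the reverse search yields
TABLE_INDEX = 0x638             # ld.w d15, [a9]0x638
VARIANT_STRIDE = 0x4A           # madd d15, d15, d0, #0x4A (one map block)
AXIS_OFFSET = 0x69E             # lea a4, [a15]0x69E
AXIS_LENGTH_ADDR = 0x8005B05C   # where the LDRXN axis length lives
IMAGE_BASE = 0x8016D000         # constructed: where the fake slice is mapped

def read_u32(image, image_base, addr):
    """Read a little-endian 32-bit word at a flash address (TriCore is LE)."""
    off = addr - image_base
    if off < 0 or off + 4 > len(image):
        raise ValueError(f"address {addr:#010x} is outside the image")
    return struct.unpack_from("<I", image, off)[0]

def resolve_axis_length_addr(image, image_base, table_start, variant):
    """Forward direction, mirroring the listing:
    ld.w [a9]0x638 -> madd #0x4A -> lea 0x69E."""
    area = read_u32(image, image_base, table_start + TABLE_INDEX)
    return (area + variant * VARIANT_STRIDE + AXIS_OFFSET) & 0xFFFFFFFF

def find_table_start(image, image_base, target_addr, index_offset):
    """Reverse direction: the word the code must have read is
    target - 0x69E; find every copy of it and subtract the table index.
    Several hits mean you still have to pick the right table by hand."""
    needle = struct.pack("<I", (target_addr - AXIS_OFFSET) & 0xFFFFFFFF)
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(image_base + pos - index_offset)
        pos = image.find(needle, pos + 1)
    return hits

def build_constructed_image(image_base):
    """Fake 8 KiB flash slice holding only the one table entry the post
    discusses, placed at the address the post reports (0x8016E020)."""
    img = bytearray(b"\xff" * 0x2000)
    struct.pack_into("<I", img, 0x8016E020 - image_base, 0x8005A9BE)
    return bytes(img)

IMAGE = build_constructed_image(IMAGE_BASE)

if __name__ == "__main__":
    print(hex(resolve_axis_length_addr(IMAGE, IMAGE_BASE, TABLE_START, 0)))  # 0x8005b05c
    print([hex(t) for t in find_table_start(IMAGE, IMAGE_BASE, AXIS_LENGTH_ADDR, TABLE_INDEX)])  # ['0x8016d9e8']
```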
ozzy_rp
« Reply #18 on: October 11, 2015, 08:16:50 AM »

A small hint to find a0 and a1, from my MED17 file.

PFLASH:8010EB0E                 mfcr            d0, #0xFE04
PFLASH:8010EB12                 or32            d15, d0, #0x100
PFLASH:8010EB16                 mtcr            #0xFE04, d15
PFLASH:8010EB1A                 isync
PFLASH:8010EB1E                 movh.a          a0, #@HIS(Base_a0_addr) ; Load base address for RAM
PFLASH:8010EB22                 lea             a0, [a0]@LOS(Base_a0_addr) ; Load base address for RAM offsets
PFLASH:8010EB26                 movh.a          a1, #@HIS(Base_a1_addr) ; Base a1 address 0x8002CE78
PFLASH:8010EB26                                         ; for offsets
PFLASH:8010EB2A                 lea             a1, [a1]@LOS(Base_a1_addr) ; Load base address 0x8002CE78
PFLASH:8010EB2E                 mov16.a         a8, #0
PFLASH:8010EB30                 mov16.a         a9, #0
PFLASH:8010EB32                 mtcr            #0xFE04, d0
PFLASH:8010EB36                 isync
PFLASH:8010EB3A                 isync
PFLASH:8010EB3E                 dsync
PFLASH:8010EB42                 mfcr            d0, #0xFE00
PFLASH:8010EB46                 movh            d1, #0xFFF0
PFLASH:8010EB4A                 and16           d0, d1
PFLASH:8010EB4C                 mtcr            #0xFE00, d0
PFLASH:8010EB50                 isync
PFLASH:8010EB54                 movh            d0, #0xD000
PFLASH:8010EB58                 addi            d0, d0, #0x18
PFLASH:8010EB5C                 addi            d0, d0, #0x3F

hackish
« Reply #19 on: October 20, 2015, 07:23:28 AM »

Something to keep in mind: make sure you're running the absolute latest release of IDA Pro. On the last TriCore file I worked on (this summer) I found a significant number of bugs in the TriCore module. Ilfak fixed them (within hours, as he usually does) and sent me an updated processor module. It made a huge difference on things that were disassembling completely wrong. I expect that it's been released with the latest update, but make sure you're not on an old version.
terminator
« Reply #20 on: October 20, 2015, 11:40:56 AM »

Bug? For example?
ozzy_rp
« Reply #21 on: October 20, 2015, 01:00:43 PM »

I have seen a bug with post-increment indirect addressing with offset...
hackish
« Reply #22 on: October 26, 2015, 10:40:34 PM »

Quote
Bug? For example?

I don't remember all of them. That was like 6 months and 3 processors ago. There were a lot of incorrectly decoded instructions/offsets in there. Check out the change log; they usually list the fixes they made in there.
dream3R
« Reply #23 on: December 25, 2015, 04:49:14 PM »

TriCore is difficult with the net versions lol.


How to work out values from an A2L Smiley

http://nefariousmotorsports.com/forum/index.php?topic=5525.msg52371#msg52371


Starting Rev's http://nefariousmotorsports.com/forum/index.php?topic=5397.msg51169#msg51169

noobs read this before asking http://nefariousmotorsports.com/forum/index.php?topic=9014.0title=


ORGORIGINAL 05 5120 creator for Volvo
ORIGINAL Datalogger (Freeware) Author
ORGINAL finder of the 'extra' torque' limits
I don't have ME7.01 A2L I just use ID
dream3R
« Reply #24 on: December 30, 2015, 07:38:10 PM »

I wish he did a version for non-pro outfits. It's great, and expensive too.
kuebk
« Reply #25 on: February 24, 2016, 03:50:24 PM »

Very interesting topic. I'm trying my best to understand the ASM that lies behind our EDC17 ECUs, but I can't get past subroutines such as this one:
Quote
ROM:0014E760 sub_14E760:                             ; CODE XREF: sub_532DE+BD8p
ROM:0014E760                                         ; sub_532DE+C42p ...
ROM:0014E760                 movh.a          a2, #@HIS(unk_D40009D8)
ROM:0014E764                 lea             a2, [a2]@LOS(unk_D40009D8)
ROM:0014E768                 nop16
ROM:0014E76A                 ji16            a2
ROM:0014E76A ; End of function sub_14E760

I have no idea how I can find out what is going to be executed; can you guys give me any tips?

VAG immo solutions (clone, immo off, repair) MEDC17, SIMOS, SDI, BCM2, ELV, DQ/DL/VL gearboxes, INVCON, MED9.x crypto
ozzy_rp
« Reply #26 on: February 24, 2016, 11:27:14 PM »

In this block there are several procedures that copy data from FLASH to RAM.
They use a structure such as:
Code:
PFLASH:8002DDBC stru_8002DDBC   copy_block_struct2 <unk_D4001520, PRAM_data, 0>
PFLASH:8002DDBC                                         ; Start of data copied to PRAM
PFLASH:8002DDC8                 copy_block_struct2 <dword_D0000018, LDRAM_data1, 0x10> ; Data copied to DMI Local Data RAM
PFLASH:8002DDC8                                         ; length 0x10
PFLASH:8002DDD4                 copy_block_struct2 <dword_D0008180, LDRAM_data2, 0x8A0> ; Start of data copied to DMI Local Data RAM
PFLASH:8002DDD4                                         ; length 0x8A0
PFLASH:8002DDE0                 copy_block_struct2 <off_D0008A20, LDRAM_data3, 0x230> ; Start of data copied to LDRAM
PFLASH:8002DDE0                                         ; length 0x230
PFLASH:8002DDEC                 copy_block_struct2 <unk_D0009800, LDRAM_data4, 0>
PFLASH:8002DDF8                 copy_block_struct2 <loc_D4000000, SPRAM_sub, 0x1520> ; Start of program block from SPRAM
PFLASH:8002DDF8                                         ; This block is copied to 0xD4000000, length 0x1520
PFLASH:8002DE04                 copy_block_struct2 <unk_F0060000, PCODE_data, 0x2060> ; Start of data copied to PCODE
PFLASH:8002DE04                                         ; length 0x2060
PFLASH:8002DE10                 copy_block_struct2 <dword_F0050000, PRAM_data, 0xDC0> ; Start of data copied to PRAM
PFLASH:8002DE10                                         ; length 0xDC0

PFLASH:8000FA60 Copy_to_ram_struct Copy_to_RAM_struct <dword_800045F0, 0xD4001400, 0x80>
PFLASH:8000FA60                                         ; Copy to RAM struct:
PFLASH:8000FA60                                         ; offset 0x00 - source address in FLASH
PFLASH:8000FA60                                         ; offset 0x04 - destination address in RAM
PFLASH:8000FA60                                         ; offset 0x08 - length
PFLASH:8000FA6C                 Copy_to_RAM_struct <dword_80004670, 0xD4001500, 0x220>
PFLASH:8000FA78                 Copy_to_RAM_struct <sub_80004890, 0xD0000AC8, 0x99F0>
PFLASH:8000FA84                 Copy_to_RAM_struct <loc_8000E280, 0xD4001720, 0xD18>
PFLASH:8000FA90                 Copy_to_RAM_struct <off_8000EF98, 0xD000A4B8, 0x458>
PFLASH:8000FA9C                 Copy_to_RAM_struct <dword_8000F3F0, 0xD000A910, 0x670>
PFLASH:8000FAA8                 Copy_to_RAM_struct <0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF>
kuebk
« Reply #27 on: February 25, 2016, 12:52:02 PM »

Thank you.
So it seems like:

Code:
ROM:8002ACC0                 copy_block <0xC0003BE0, 0x80023F58, 0xCA0>
ROM:8002ACCC                 copy_block <0xC0004880, 0x80024BF8, 0x4B6>
ROM:8002ACD8                 copy_block <0xD000E000, 0x800250AE, 0>
ROM:8002ACE4                 copy_block <0xD4000000, 0x80020098, 0x1620>
ROM:8002ACF0                 copy_block <0xF0060000, 0x800223B8, 0x1BA0>
ROM:8002ACFC                 copy_block <0xF0050000, 0x800216B8, 0xD00>

Code:
ROM:8014E760 sub_14E760:                             ; CODE XREF: sub_532DE+BD8p
ROM:8014E760                                         ; sub_532DE+C42p ...
ROM:8014E760                 movh.a          a2, #@HIS(unk_D40009D8)    ; D40009D8 = 0x80020A70 = 0x49094F94 // a2 = 4909
ROM:8014E764                 lea             a2, [a2]@LOS(unk_D40009D8) // a2 = 4909 + 4f94
ROM:8014E768                 nop16
ROM:8014E76A                 ji16            a2 // a2 = 989D
ROM:8014E76A ; End of function sub_14E760

But at 8000989D I'm landing in the middle of another subroutine:
Code:
ROM:80009870 sub_9870:                               ; CODE XREF: ROM:00009732p
ROM:80009870                                         ; sub_980E+48p ...
ROM:80009870                 lea             a15, [a0]0x43F
ROM:80009874                 mov16           d5, #0
ROM:80009876                 lea             a2, [a0]0x430
ROM:8000987A                 movh.a          a4, #@HIS(word_D0001648)
ROM:8000987E                 ld16.bu         d15, [a15]0
ROM:80009880                 lea             a15, [a0]0x434
ROM:80009884                 lea             a5, [a0]0x444
ROM:80009888                 lea             a4, [a4]@LOS(word_D0001648)
ROM:8000988C                 ld.hu           d4, [a15]0
ROM:80009890                 add16           d4, d15
ROM:80009892                 sha16           d15, #2
ROM:80009894                 extr.u          d4, d4, #0, #0x10
ROM:80009898                 add32           d15, d15, #0x24
ROM:8000989C                 addsc16.a       a15, a2, d15, #0
ROM:8000989E                 mov16           d15, #3
ROM:800098A0                 st16.w          [a15]0, d5
ROM:800098A2                 call32          sub_AC52
ROM:800098A6                 mov32           d0, #0xA
ROM:800098AA                 jne32           d2, d0, loc_98B8
ROM:800098AE                 mov16           d15, #0
ROM:800098B0                 lea             a15, [a0]0x43B
ROM:800098B4                 st16.b          [a15]0, d15
ROM:800098B6                 mov16           d15, #0
ROM:800098B8
ROM:800098B8 loc_98B8:                               ; CODE XREF: sub_9870+3Aj
ROM:800098B8                 mov16           d2, d15
ROM:800098BA                 ret16
ROM:800098BA ; End of function sub_9870

I think my calculations are not done correctly; what do you think?
ozzy_rp
« Reply #28 on: February 25, 2016, 03:41:40 PM »

You are wrong at:
ROM:8014E764                 lea             a2, [a2]@LOS(unk_D40009D8) // a2 = 4909 + 4f94
Here a2 = 0xD40009D8,
and 0xD40009D8 - 0xD4000000 = 0x9D8.
Remember copy_block <0xD4000000, 0x80020098, 0x1620>.
Add 0x9D8 to 0x80020098 and we have 0x80020A70.
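The copy-table lookup ozzy_rp applies to sub_14E760, as an added example (not code from the thread): it maps a RAM address back to the flash bytes that were copied there at startup, and the inverse, using the copy_block entries kuebk posted. The table values are the ones in Reply #27; the function names are this example's own.

```python
# Added example, not code from the thread: resolving a RAM address such as
# the jump target 0xD40009D8 in sub_14E760 back to the flash bytes it was
# copied from, using the copy_block table kuebk posted (dst, src, length).
COPY_TABLE = [  # (RAM destination, flash source, length), from Reply #27
    (0xC0003BE0, 0x80023F58, 0xCA0),
    (0xC0004880, 0x80024BF8, 0x4B6),
    (0xD000E000, 0x800250AE, 0),
    (0xD4000000, 0x80020098, 0x1620),
    (0xF0060000, 0x800223B8, 0x1BA0),
    (0xF0050000, 0x800216B8, 0xD00),
]
TERMINATOR = 0xFFFFFFFF  # end marker seen in ozzy_rp's Copy_to_RAM_struct list

def ram_to_flash(addr, table=COPY_TABLE):
    """Flash address holding the initial content of a RAM address, or None
    when no block covers it (zero-length entries cover nothing)."""
    for dst, src, length in table:
        if dst == TERMINATOR:
            break
        if length and dst <= addr < dst + length:
            return src + (addr - dst)
    return None

def flash_to_ram(addr, table=COPY_TABLE):
    """Inverse direction: where a flash byte ends up after the startup copy."""
    for dst, src, length in table:
        if dst == TERMINATOR:
            break
        if length and src <= addr < src + length:
            return dst + (addr - src)
    return None

def resolve_jump_target(a2, table=COPY_TABLE):
    """Where to point the disassembler for `ji a2`: flash targets (and their
    0xA0000000 mirror) are returned as is, RAM targets are mapped through the
    copy table. 0xD40009D8 lands in the 0xD4000000 block at offset 0x9D8, so
    the bytes live at 0x80020098 + 0x9D8 = 0x80020A70, as ozzy_rp worked out."""
    if 0xA0000000 <= a2 <= 0xAFFFFFFF:
        a2 -= 0x20000000
    if 0x80000000 <= a2 <= 0x8FFFFFFF:
        return a2
    flash = ram_to_flash(a2, table)
    if flash is None:
        raise LookupError(f"{a2:#010x} is not covered by any copy block")
    return flash

if __name__ == "__main__":
    print(hex(resolve_jump_target(0xD40009D8)))  # 0x80020a70
```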
superglitch
« Reply #29 on: March 15, 2016, 03:36:45 PM »

movh.a          a15, #@HIS(CRC_end_addr) ;
st32.w          [a15]@LOS(CRC_end_addr), d0 ;

b:
sha16           d15, #4
movh.a          a3, #@HIS(RAM_crc_table) ;
lea             a3, [a3]@LOS(RAM_crc_table) ;
addsc16.a       a2, a3, d15, #0 ;

Do you have these actually defined?  Curious what they are.