Disassembly guide

From The 07K Wiki

Getting started

Engine control unit (ECU) contains a set of instructions which we call a program. This program dictates how the ECU processes the information (inputs, outputs, maps, etc.). It's actually possible to edit the program to add, remove, or edit features, although it's not always an easy process.

Since the source code is proprietary code to Bosch, we have to disassemble the compiled code to alter it. For this, we can use a disassembly tool that will convert the compiled file into assembly code.

Among those tools, you could use:

Disassembling the ME7.1.1

This guide cover IDA, but configuration should be very similar on Ghirda

Disassembly for C167 microcontroller

Launch IDA, click on "New" and select the microcontroller file (file should be 32KB)

IDA-NEW.png

Set "Processor type" to "Siemens C166 family [c166]"

Ida-processor-type.png

A "memory organization" window will prompt, let all fields as is, click "OK" to continue

Ida-memory-organization.png

Say "Yes" to splitting the loaded file in 64K bank, then select C167CR_SR

Uncheck all the options, then click "OK"

IDA-information-type.png

Now we need to create the segments for the internal ram (IRAM) and ram memory (RAM)

IDA-create-segment.png

Create those two segments :

IRAM:

  • Start address: 0xE000
  • End address: 0x10000
  • Base: Empty the field

RAM:

  • Start address: 0x380000
  • End address: 0x390000
  • Base : Empty the field

Load the flash memory (File is 1024KB) as an additional file

IDA-load-file.png


Set "Loading segment" to 0x80000

Once the flash memory has been loaded, we need to set DPP (Data Page Pointers):

IDA-DPP.png

Segment register values:

dpp0:

  • Value: 204
  • Apply to all segments

dpp1:

  • Value: 205
  • Apply to all segments

dpp2:

  • Value: 0xE0
  • Apply to all segments

dpp3:

  • Value: 3
  • Apply to all segments

We can now analyze the instructions and render code

  • Select from top (ROM:00000000) to bottom (seg003:000FFFFF)
  • Once the whole project is selected, right click and select "Analyze selected area", then click "Force", click "Yes".

IDA-ANALYZE.png

At this point, the ecu is disassembled and all the instructions has been converted into codes and subroutines

Ida-defined.png

IDA-CODE-EXAMPLE.png

Instruction set

You can refer to the C166 Family Instruction set for a better understand on how instructions works on this kind of controller. This instruction set also apply to ME7.1.1 ECUs with the ST10F275 microcontroller.

Quick tips

Graphical view

When you are working in a subroutine (function), you can press "Space" to display the subroutine graphically

Ida-subroutine-graphic.png

You can press "W" to display the whole subroutine

Ida-graphic-overview.png

You can press "1" to go back to the zoomed view

References

To find all the usage of a specific variable, you can click on variable and then press X to show references

Ida-variable-reference.png

Identifying variables

You can use A2lextract to extract the addresses of every variables from the A2L file that match your ECU part number

A2l extract addresses.png

Bitmask

A variable might only use one bit and it might share the same address with another variable. To access the bit, we use the bitmask.

For example, for our ECU, the variable B_behla uses a bitmask (0x0020)

A2l bitmask.png

To obtain the bit that correspond to the bitmask 0x0020, we can use the calculator in dev mode:

Calculator bitmask.png

0x0020 correspond to but 5. In the code, we could access B_behla this way : word_3831A4.5

Disassembling the ST10F275 microcontroller

The disassembling of the ST10F275 is similar to the C167 disassembly, although there are a few differences. A lot of the main code that was inside the flash memory (AM29F800BB) has been moved into the memory of the microcontroller.

Before proceeding to the disassembly, the microcontroller file with needs to be altered depending of the tool used to read it. Most tools read byte by bye and omit a part of the memory that is empty ; this result in addresses not being in the proper location. (Explanation will follow)

If we take a look at memory segments, the memory is not used from 0x8000 to 0x18000. Most tools will put the content of 0x18000 at 0x8000 resulting in a offset of 0x10000

St10-offset.png

The solution is add a padding of empty data from 0x8000 with a size of 0x10000

St10-mpc-padding.png

Once the microcontroller file is fixed, we can start the disassembly. Launch IDA, click on "New" and select the microcontroller file

IDA-NEW.png

Set "Processor type" to "SGS-Thomson ST10 [ST10]"

Ida-st10-processor-type.png

Click OK, "ROM start address" should be 0.

Create RAM section and set RAM to 0x380000 with size 0x20000

Do not split the the loaded file into 64KB banks.

Select ST10F276

Ida-276.png

Uncheck all the options, then click "OK"

IDA-information-type.png

Load the flash memory as an additional file

IDA-load-file.png

Load the file to 0x80000

We can now create the RAM segment:

IDA-create-segment.png

Use the following information:

  • Segment name: IRAM
  • Start address: 0xE000
  • End address: 0x10000
  • 16-bit segment
  • Segment name: RAM2
  • Start address: 0xF0000
  • End address: 0x10FFFF
  • 16-bit segment

We can now set the DPP (Data page pointer)

IDA-DPP.png

Set the DPP as :

dpp0:

  • Value: 0x23F
  • Apply to all segments

dpp1:

  • Value: 0x3C
  • Apply to all segments

dpp2:

  • Value: 0xE0
  • Apply to all segments

dpp3:

  • Value: 3
  • Apply to all segments

We can now analyze the instructions and render code

  • Select instructions from top to bottom
  • Once the whole project is selected, right click and select "Analyze selected area", then click "Force", click "Yes".

IDA-ANALYZE.png

At this point, the ecu is disassembled and all the instructions has been converted into codes and subroutines

Ida-loaded-defined.png

IDA-CODE-EXAMPLE.png

Disabling the microcontroller checksums

Since most of the code has been moved into the ST10 micocontroller, you will have to make your code injection into the microcontroller instead of the flash. Most flashing tool doesn't support checksum calculation for the microcontroller itself. A good solution is to disable checksums completely.

  1. Search for "47 F8 55 00 CC 00 CC 00" (1 match)
  2. Search forward for "E6 F4 FF DF", notice the address, save the last 4 bytes (Ex: 0x69E0A -> 9E0A)
  3. Change "47 F8 55 00 CC 00 CC 00" to "47 F8 55 00 EA 00 0A 9E" (use the last 4 bytes loHi)

Then

  1. Search for "9A ?? ?? ?? DA ?? ?? ?? 49 81 3D 19" (question marks are wildcards)
  2. Replace with "CC 00 CC 00 CC 00 CC 00 CC 00 CC 00".


Disassembling the ME17.5

This guide cover IDA, but configuration should be very similar on Ghirda

Launch IDA, click on "New" and select your file (flash memory, micro-controller)

Ida quick start.png

Set "Processor type" to "Infineon TRICORE [TRICORE]"

Ida load 1.png

Check "Create ROM section", use 0x80000000 for "ROM start address" and "Loading address". We got this information from the memory_segment information on the definition file (.a2l)

Ida memory organization.png

Select the device name (processor) of your ECU according to your revision:

ME17.5: tc1766

ME17.5.6: tc1767

Ida device name.png

At this point, the project is created but no instructions are defined. For this, we can select the whole PFLASH section (only section that interest us)

To convert to instructions, you can click on this icon or you can press C

Ida code.png

A window prompt, you can click "Force"

Ida window.png

Congratulations! Your project is now ready. You can use the a2lextract tool to get some RAM variables address (be aware of possible offset). Refer to the MED17.5 funktionsrahmen and the Tricore instruction set