Disassembly guide: Difference between revisions
(Instructions for ME7.1.1 ecu with C167 microcontroller) |
Revision as of 23:36, 25 November 2023
Getting started
An engine control unit (ECU) contains a set of instructions which we call a program. This program dictates how the ECU processes information (inputs, outputs, maps, etc.). It is actually possible to edit the program to add, remove or change features, although it is not always an easy process.
Since the source code is proprietary to Bosch, we have to disassemble the compiled code to alter it. For this, we can use a disassembly tool that converts the compiled file into assembly code.
Among those tools, you could use:
- IDA Pro (https://hex-rays.com/IDA-pro/)
- Ghidra (https://ghidra-sre.org/, open-source)
Disassembling the ME7.1.1
Note: this guide covers IDA, but the configuration should be very similar in Ghidra.
Disassembly for C167 microcontroller
Launch IDA, click on "New" and select the microcontroller file (the file should be 32KB)
Set "Processor type" to "Siemens C166 family [c166]"
A "Memory organization" window will appear; leave all fields as they are and click "OK" to continue
Say "Yes" to splitting the loaded file into 64K banks, then select C167CR_SR
Uncheck all the options, then click "OK"
Now we need to create the segments for the internal RAM (IRAM) and the RAM
Create these two segments:
IRAM:
- Start address: 0xE000
- End address: 0x10000
- Base: leave the field empty
RAM:
- Start address: 0x380000
- End address: 0x390000
- Base: leave the field empty
Load the flash memory (the file is 1024KB) as an additional file
Set "Loading segment" to 0x80000
Once the flash memory has been loaded, we need to set the DPPs (Data Page Pointers):
Segment register values:
dpp0:
- Value: 204
- Apply to all segments
dpp1:
- Value: 205
- Apply to all segments
dpp2:
- Value: 0xE0
- Apply to all segments
dpp3:
- Value: 3
- Apply to all segments
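To see how the four DPP values relate to the addresses that appear in the listing, here is an added Python example (not part of the wiki page) that performs the C166/C167 data page translation: bits 15..14 of a 16-bit address select DPP0..DPP3, and the selected DPP supplies the upper bits of the 24-bit physical address. The guide's "204" and "205" are taken here as hexadecimal 0x204 and 0x205 on the assumption that IDA's segment-register dialog reads hexadecimal input; the function names and the sample 16-bit addresses are the example's own.

```python
# Added example (not from the wiki page): how the C166/C167 Data Page Pointers
# turn the 16-bit addresses seen in the disassembly into 24-bit physical addresses.

DPP_PAGE_BITS = 14                       # each data page is 16 KB (2**14 bytes)
PAGE_MASK = (1 << DPP_PAGE_BITS) - 1

# DPP values from the guide. IDA's segment-register dialog takes hexadecimal
# input, so "204" and "205" are read here as 0x204 and 0x205 (assumption);
# 0xE0 and 3 are unambiguous.
DPP = {
    0: 0x204,
    1: 0x205,
    2: 0xE0,
    3: 0x3,
}


def translate(addr16: int, dpp=DPP) -> int:
    """Map a 16-bit data address to the 24-bit address the C167 actually accesses.

    Bits 15..14 of the 16-bit address select DPP0..DPP3; the selected DPP holds
    a 10-bit page number that becomes bits 23..14 of the physical address; the
    remaining 14 bits are the offset inside that 16 KB page.
    """
    if not 0 <= addr16 <= 0xFFFF:
        raise ValueError(f"not a 16-bit address: {addr16:#x}")
    page_sel = addr16 >> DPP_PAGE_BITS       # 0..3
    page = dpp[page_sel] & 0x3FF             # DPP registers are 10 bits wide
    return (page << DPP_PAGE_BITS) | (addr16 & PAGE_MASK)


def page_range(n: int, dpp=DPP) -> tuple[int, int]:
    """Physical [start, end) range that DPPn exposes."""
    base = (dpp[n] & 0x3FF) << DPP_PAGE_BITS
    return base, base + (1 << DPP_PAGE_BITS)


def describe(addr16: int, dpp=DPP) -> str:
    """Human-readable trace of one translation."""
    phys = translate(addr16, dpp)
    return f"{addr16:#06x} -> DPP{addr16 >> DPP_PAGE_BITS} -> {phys:#08x}"


if __name__ == "__main__":
    for n in range(4):
        lo, hi = page_range(n)
        print(f"DPP{n} = {DPP[n]:#05x}: {lo:#08x}-{hi:#08x}")
    # DPP2 = 0xE0 covers 0x380000-0x384000, inside the RAM segment created earlier;
    # the variable word_3831A4 from the bitmask section is reached as 0xB1A4 via DPP2
    # (0xB1A4 is the example's own derived value).
    print(describe(0xB1A4))
    # DPP3 = 3 covers 0xC000-0x10000, which contains the IRAM segment 0xE000-0x10000.
    print(describe(0xE000))
```

The two 16-bit addresses in the main block are chosen to land in the segments the guide creates: DPP2 = 0xE0 puts 0xB1A4 at 0x3831A4 in the RAM segment, and DPP3 = 3 keeps 0xE000 at 0xE000 in IRAM, which is why those two DPP values work together with the segment definitions above.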
We can now analyse the instructions and turn them into code
- Select from the top (ROM:00000000) to the bottom (seg003:000FFFFF)
- Once the whole project is selected, right-click and select "Analyze selected area", then click "Force" and click "Yes".
At this point, the ECU firmware is disassembled and all the instructions have been converted into code and subroutines
Instruction set
You can refer to the C166 Family Instruction Set for a better understanding of how instructions work on this kind of controller. This instruction set also applies to ME7.1.1 ECUs with the ST10F275 microcontroller.
Quick tips
Graphical view
When you are working in a subroutine (function), you can press "Space" to display the subroutine as a graph
You can press "W" to display the whole subroutine
You can press "1" to go back to the zoomed view
References
To find all the usages of a specific variable, click on the variable and then press "X" to show its references
Identifying variables
You can use A2lextract to extract the addresses of every variable from the A2L file that matches your ECU part number
Bitmask
A variable might use only one bit, and it might share its address with another variable. To access that bit, we use the bitmask.
For example, on our ECU, the variable B_behla uses the bitmask 0x0020
To obtain the bit that corresponds to the bitmask 0x0020, we can use the calculator in dev mode:
0x0020 corresponds to bit 5. In the code, we can access B_behla this way: word_3831A4.5
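The calculator step above can be scripted, which is useful when an A2L file yields hundreds of bit variables. The following Python example is added here and is not part of the wiki page: it converts a bitmask to the bit number IDA shows, builds the word_XXXXXX.N name, rejects masks that set zero or several bits, and reads the flag out of a word value. The address and mask of B_behla come from the page; the function names and the sample word values are constructed for the example.

```python
# Added example (not from the wiki page): turning an A2L bitmask into the bit
# number IDA shows, e.g. B_behla with mask 0x0020 -> word_3831A4.5.


def mask_to_bits(mask: int) -> list[int]:
    """Return the bit positions set in mask, lowest first (0x0020 -> [5])."""
    if mask <= 0:
        raise ValueError(f"mask must be a positive integer, got {mask:#x}")
    return [i for i in range(mask.bit_length()) if (mask >> i) & 1]


def mask_to_bit(mask: int) -> int:
    """Bit number of a single-bit mask; rejects masks with several bits set."""
    bits = mask_to_bits(mask)
    if len(bits) != 1:
        raise ValueError(f"{mask:#06x} sets {len(bits)} bits, expected exactly one")
    return bits[0]


def ida_bit_name(address: int, mask: int) -> str:
    """IDA-style name for one bit of a 16-bit word, e.g. word_3831A4.5."""
    return f"word_{address:X}.{mask_to_bit(mask)}"


def bit_is_set(word_value: int, mask: int) -> bool:
    """Read the flag out of a word the way the firmware does, by AND-ing the mask."""
    return (word_value & mask) != 0


# Constructed sample entry in the (name, address, bitmask) form the A2L gives;
# the address and mask are the ones the guide quotes for B_behla.
B_BEHLA = ("B_behla", 0x3831A4, 0x0020)


if __name__ == "__main__":
    name, addr, mask = B_BEHLA
    print(f"{name}: mask {mask:#06x} -> bit {mask_to_bit(mask)} -> {ida_bit_name(addr, mask)}")
    # Constructed word values: only the first has bit 5 set, so only it reads as true.
    print(bit_is_set(0x0020, mask), bit_is_set(0x0010, mask))
```

The single-bit check matters in practice: an A2L mask such as 0x0030 describes a two-bit field, not a flag, and naming it word_XXXX.N would silently pick the wrong bit, so mask_to_bit refuses it and mask_to_bits lists both positions instead.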
Disassembling the ME17.5
Launch IDA, click on "New" and select your file (flash memory or microcontroller)
Set "Processor type" to "Infineon TRICORE [TRICORE]"
Check "Create ROM section" and use 0x80000000 for both "ROM start address" and "Loading address". We got this information from the memory_segment information in the definition file (.a2l)
Select the device name (processor) of your ECU according to your revision:
ME17.5: tc1766
ME17.5.6: tc1767
At this point, the project is created but no instructions are defined. For this, we can select the whole PFLASH section (the only section that interests us)
To convert it to instructions, you can click on this icon or press "C"
A window will prompt; click "Force"
Congratulations! Your project is now ready. You can use the a2lextract tool to get the addresses of some RAM variables (be aware of a possible offset). Refer to the MED17.5 Funktionsrahmen and the TriCore instruction set