Disassembly guide: Difference between revisions
m (Added DPP3 (IRAM) for ST10F275) |
|||
Line 156: | Line 156: | ||
Use the following information: | Use the following information: | ||
* Segment name: '''IRAM''' | |||
* Start address: '''0xE000''' | |||
* End address: '''0x10000''' | |||
* 16-bit segment | |||
* Segment name: '''RAM2''' | * Segment name: '''RAM2''' | ||
* Start address: '''0xF0000''' | * Start address: '''0xF0000''' |
Latest revision as of 00:01, 18 January 2024
Getting started
Engine control unit (ECU) contains a set of instructions which we call a program. This program dictates how the ECU processes the information (inputs, outputs, maps, etc.). It's actually possible to edit the program to add, remove, or edit features, although it's not always an easy process.
Since the source code is proprietary code to Bosch, we have to disassemble the compiled code to alter it. For this, we can use a disassembly tool that will convert the compiled file into assembly code.
Among those tools, you could use:
Disassembling the ME7.1.1
Disassembly for C167 microcontroller
Launch IDA, click on "New" and select the microcontroller file (file should be 32KB)
Set "Processor type" to "Siemens C166 family [c166]"
A "memory organization" window will prompt, let all fields as is, click "OK" to continue
Say "Yes" to splitting the loaded file in 64K bank, then select C167CR_SR
Uncheck all the options, then click "OK"
Now we need to create the segments for the internal ram (IRAM) and ram memory (RAM)
Create those two segments :
IRAM:
- Start address: 0xE000
- End address: 0x10000
- Base: Empty the field
RAM:
- Start address: 0x380000
- End address: 0x390000
- Base : Empty the field
Load the flash memory (File is 1024KB) as an additional file
Set "Loading segment" to 0x80000
Once the flash memory has been loaded, we need to set DPP (Data Page Pointers):
Segment register values:
dpp0:
- Value: 204
- Apply to all segments
dpp1:
- Value: 205
- Apply to all segments
dpp2:
- Value: 0xE0
- Apply to all segments
dpp3:
- Value: 3
- Apply to all segments
We can now analyze the instructions and render code
- Select from top (ROM:00000000) to bottom (seg003:000FFFFF)
- Once the whole project is selected, right click and select "Analyze selected area", then click "Force", click "Yes".
At this point, the ecu is disassembled and all the instructions has been converted into codes and subroutines
Instruction set
You can refer to the C166 Family Instruction set for a better understand on how instructions works on this kind of controller. This instruction set also apply to ME7.1.1 ECUs with the ST10F275 microcontroller.
Quick tips
Graphical view
When you are working in a subroutine (function), you can press "Space" to display the subroutine graphically
You can press "W" to display the whole subroutine
You can press "1" to go back to the zoomed view
References
To find all the usage of a specific variable, you can click on variable and then press X to show references
Identifying variables
You can use A2lextract to extract the addresses of every variables from the A2L file that match your ECU part number
Bitmask
A variable might only use one bit and it might share the same address with another variable. To access the bit, we use the bitmask.
For example, for our ECU, the variable B_behla uses a bitmask (0x0020)
To obtain the bit that correspond to the bitmask 0x0020, we can use the calculator in dev mode:
0x0020 correspond to but 5. In the code, we could access B_behla this way : word_3831A4.5
Disassembling the ST10F275 microcontroller
The disassembling of the ST10F275 is similar to the C167 disassembly, although there are a few differences. A lot of the main code that was inside the flash memory (AM29F800BB) has been moved into the memory of the microcontroller.
Before proceeding to the disassembly, the microcontroller file with needs to be altered depending of the tool used to read it. Most tools read byte by bye and omit a part of the memory that is empty ; this result in addresses not being in the proper location. (Explanation will follow)
If we take a look at memory segments, the memory is not used from 0x8000 to 0x18000. Most tools will put the content of 0x18000 at 0x8000 resulting in a offset of 0x10000
The solution is add a padding of empty data from 0x8000 with a size of 0x10000
Once the microcontroller file is fixed, we can start the disassembly. Launch IDA, click on "New" and select the microcontroller file
Set "Processor type" to "SGS-Thomson ST10 [ST10]"
Click OK, "ROM start address" should be 0.
Create RAM section and set RAM to 0x380000 with size 0x20000
Do not split the the loaded file into 64KB banks.
Select ST10F276
Uncheck all the options, then click "OK"
Load the flash memory as an additional file
Load the file to 0x80000
We can now create the RAM segment:
Use the following information:
- Segment name: IRAM
- Start address: 0xE000
- End address: 0x10000
- 16-bit segment
- Segment name: RAM2
- Start address: 0xF0000
- End address: 0x10FFFF
- 16-bit segment
We can now set the DPP (Data page pointer)
Set the DPP as :
dpp0:
- Value: 0x23F
- Apply to all segments
dpp1:
- Value: 0x3C
- Apply to all segments
dpp2:
- Value: 0xE0
- Apply to all segments
dpp3:
- Value: 3
- Apply to all segments
We can now analyze the instructions and render code
- Select instructions from top to bottom
- Once the whole project is selected, right click and select "Analyze selected area", then click "Force", click "Yes".
At this point, the ecu is disassembled and all the instructions has been converted into codes and subroutines
Disabling the microcontroller checksums
Since most of the code has been moved into the ST10 micocontroller, you will have to make your code injection into the microcontroller instead of the flash. Most flashing tool doesn't support checksum calculation for the microcontroller itself. A good solution is to disable checksums completely.
- Search for "47 F8 55 00 CC 00 CC 00" (1 match)
- Search forward for "E6 F4 FF DF", notice the address, save the last 4 bytes (Ex: 0x69E0A -> 9E0A)
- Change "47 F8 55 00 CC 00 CC 00" to "47 F8 55 00 EA 00 0A 9E" (use the last 4 bytes loHi)
Then
- Search for "9A ?? ?? ?? DA ?? ?? ?? 49 81 3D 19" (question marks are wildcards)
- Replace with "CC 00 CC 00 CC 00 CC 00 CC 00 CC 00".
Disassembling the ME17.5
Launch IDA, click on "New" and select your file (flash memory, micro-controller)
Set "Processor type" to "Infineon TRICORE [TRICORE]"
Check "Create ROM section", use 0x80000000 for "ROM start address" and "Loading address". We got this information from the memory_segment information on the definition file (.a2l)
Select the device name (processor) of your ECU according to your revision:
ME17.5: tc1766
ME17.5.6: tc1767
At this point, the project is created but no instructions are defined. For this, we can select the whole PFLASH section (only section that interest us)
To convert to instructions, you can click on this icon or you can press C
A window prompt, you can click "Force"
Congratulations! Your project is now ready. You can use the a2lextract tool to get some RAM variables address (be aware of possible offset). Refer to the MED17.5 funktionsrahmen and the Tricore instruction set