cracking the ecu....
#227
Is this title ok?
Well, there are actual maps that have an indication of gear. Take this one for example:
```text
X-Axis: [0x70a70 6x4]
1250 1500 4990 5000 5990 6000
Y-Axis: [0x70a88 6x4]
1 2 3 4 5 6
Cells: [0x70aa0 6x6x1]
075 056 056 015 015 000
075 056 056 015 015 000
056 056 056 015 015 000
056 056 056 015 015 000
056 056 056 015 015 000
056 056 056 015 015 000
```
Does this look like timing?
```text
X-Axis: [0x70c34 16x4]
-40 -30 -20 -10 0 10 20 30 40 50 60 70 80 90 100 110
Y-Axis: [0x70c74 6x4]
1 2 3 4 5 6
Cells: [0x70c8c 16x6x1]
005 005 005 005 005 005 005 005 005 005 005 030 030 030 030 030
005 005 005 005 005 005 005 005 005 005 005 010 010 010 010 010
005 005 005 005 005 005 005 005 005 005 005 010 010 010 010 010
005 005 005 005 005 005 005 005 005 005 005 005 005 005 005 005
005 005 005 005 005 005 005 005 005 005 005 005 005 005 005 005
005 005 005 005 005 005 005 005 005 005 005 005 005 005 005 005
```
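As an added example (my code, not from the thread or from any ECU editor), here is a Python reader for map definitions written in the post's own `[address countxsize]` notation. It assumes big-endian storage (SH-2 is big-endian), row-major cells with the first cell dimension being the X count, and 4-byte axis values stored as unsigned integers unless told they are IEEE floats; the image it reads is constructed inline with the gear table above at the addresses the post quotes. The monotonic-axis check is the quick sanity test for "does this look like timing?": a real rpm or temperature axis is sorted, so a guessed axis that is not sorted is the wrong address.

```python
import re
import struct

# Map definitions in the thread's notation: "[0x70a70 6x4]" = address, count x element size;
# "[0x70aa0 6x6x1]" = address, columns x rows x element size.
SPEC_RE = re.compile(r"\[(0x[0-9a-fA-F]+)\s+((?:\d+x)+\d+)\]")


def parse_spec(spec):
    """Return (address, dims); the last dim is always the element size in bytes."""
    m = SPEC_RE.search(spec)
    if not m:
        raise ValueError("bad map spec: %r" % spec)
    return int(m.group(1), 16), [int(d) for d in m.group(2).split("x")]


def read_values(image, addr, count, size, kind="int"):
    """Read `count` big-endian elements of `size` bytes; kind is 'int' or 'float' (IEEE 754)."""
    if kind == "float":
        if size != 4:
            raise ValueError("only 4-byte floats are supported")
        code = "f"
    else:
        code = {1: "B", 2: "H", 4: "I"}[size]
    end = addr + count * size
    if end > len(image):
        raise ValueError("map at 0x%X runs past the end of the image" % addr)
    return list(struct.unpack(">" + code * count, image[addr:end]))


def read_table(image, x_spec, y_spec, cell_spec, x_kind="int", y_kind="int"):
    """Assemble a 2-D table: rows follow the Y axis, columns the X axis (row-major assumed)."""
    xa, (xn, xs) = parse_spec(x_spec)
    ya, (yn, ys) = parse_spec(y_spec)
    ca, (cols, rows, cs) = parse_spec(cell_spec)
    if (cols, rows) != (xn, yn):
        raise ValueError("cell dimensions %dx%d do not match axes %dx%d" % (cols, rows, xn, yn))
    flat = read_values(image, ca, cols * rows, cs)
    return {
        "x": read_values(image, xa, xn, xs, x_kind),
        "y": read_values(image, ya, yn, ys, y_kind),
        "rows": [flat[r * cols:(r + 1) * cols] for r in range(rows)],
    }


def axis_is_monotonic(axis):
    """A real axis (rpm, temperature, load) is strictly sorted; anything else is a wrong guess."""
    return all(a < b for a, b in zip(axis, axis[1:]))


def render(table):
    """Render the table the way the thread does: X header, then one row of cells per Y value."""
    lines = ["X: " + " ".join(str(v) for v in table["x"])]
    for yv, row in zip(table["y"], table["rows"]):
        lines.append("%-6s " % yv + " ".join("%03d" % v for v in row))
    return "\n".join(lines)


def build_sample_image():
    """Constructed image (not the real ROM): the gear table from the post packed at the
    addresses it quotes, plus three IEEE floats at 0x70000 to exercise the float path."""
    img = bytearray(0x70B00)
    struct.pack_into(">6I", img, 0x70A70, 1250, 1500, 4990, 5000, 5990, 6000)
    struct.pack_into(">6I", img, 0x70A88, 1, 2, 3, 4, 5, 6)
    rows = [[75, 56, 56, 15, 15, 0]] * 2 + [[56, 56, 56, 15, 15, 0]] * 4
    img[0x70AA0:0x70AA0 + 36] = bytes(v for row in rows for v in row)
    struct.pack_into(">3f", img, 0x70000, 0.0625, 0.125, 0.1875)
    return bytes(img)


if __name__ == "__main__":
    t = read_table(build_sample_image(), "X-Axis: [0x70a70 6x4]",
                   "Y-Axis: [0x70a88 6x4]", "Cells: [0x70aa0 6x6x1]")
    print(render(t))
    print("x axis monotonic:", axis_is_monotonic(t["x"]))
```

Note that the post's three addresses are contiguous (0x70a70 + 24 = 0x70a88, 0x70a88 + 24 = 0x70aa0), which is itself a hint that the axes and cells were laid out together; `read_table` refuses a cell block whose dimensions do not match the two axes, which catches the common mistake of pairing a cell block with the wrong axis.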
#228
Got some update,
Bad news is I still haven't figured out the internal checksum algorithm used. However, by analysing SW-N3Z2ER000 & SW-N3ZXE0000, there were only minor changes between these two files: the MOP map and two locations of 4 bytes each that look like checksum values.
```text
Axis-X (RPM): 700 720 1000 1500 2000 2500 3000 3500 4000 4500 5000 5500 6000 6500 7000 7500 8000 8500 9000
Axis-Y: 0.0625 0.125 0.1875 0.25 0.3125 0.375 0.4375 0.5 0.5625 0.625 0.6875 0.75 0.8125 0.875 0.9375 1 1.0625

SW-N3Z2ER000:
3 3 3 3 3 3 3 3 3 5 7 7 7 11 12 15 19 19 21
3 3 3 3 3 3 3 3 3 5 7 7 7 11 15 18 20 21 22
3 3 3 3 3 3 3 3 3 5 7 7 7 11 17 19 21 22 45
3 3 3 3 3 3 3 3 3 5 7 7 7 11 18 21 22 23 45
3 3 3 3 3 3 3 4 5 6 8 7 9 12 18 22 23 45 45
3 3 3 6 3 3 3 5 6 9 10 11 12 15 21 23 45 45 45
3 6 6 9 6 5 8 8 8 11 13 14 16 19 23 45 45 45 45
3 19 19 16 16 16 19 16 14 13 15 17 17 20 45 45 45 45 45
3 19 19 16 16 16 19 16 14 15 18 19 19 20 45 45 45 45 47
3 19 19 16 16 16 19 17 16 17 20 20 20 21 45 45 45 48 50
3 19 19 18 17 16 19 18 19 20 20 21 21 21 45 45 47 49 51
3 21 21 21 19 18 19 20 21 21 21 21 21 21 45 45 48 51 54
3 21 21 22 21 21 21 21 25 25 25 25 25 45 45 45 50 54 56
3 21 21 22 21 21 21 21 26 26 26 26 26 45 45 48 52 56 59
3 21 21 22 22 22 21 21 26 26 27 26 45 45 47 52 55 58 60
3 21 21 22 22 22 22 22 26 27 27 45 45 45 48 53 55 60 60
3 21 21 22 22 22 22 22 26 27 27 45 45 45 60 60 60 60 60

SW-N3ZXE0000:
3 3 3 3 28 3 3 3 3 5 7 7 7 11 12 15 19 19 21
3 3 3 3 27 3 3 3 3 5 7 7 7 11 15 18 20 21 22
3 7 7 7 7 7 7 7 7 7 7 7 7 11 17 19 21 22 45
3 9 9 9 9 9 9 9 9 9 9 9 9 11 18 21 22 23 45
3 12 12 12 12 12 12 12 12 12 12 12 12 12 18 22 23 45 45
3 15 15 15 15 15 15 15 15 15 15 15 15 15 21 23 45 45 45
3 17 17 17 17 17 17 17 17 17 17 17 17 19 23 45 45 45 45
3 19 19 17 17 17 19 17 17 13 15 17 17 20 45 45 45 45 45
3 19 19 17 17 17 19 17 17 15 18 19 19 20 45 45 45 45 47
3 19 19 18 17 17 19 18 18 17 20 20 20 21 45 45 45 48 50
3 19 19 18 17 18 19 18 19 20 20 21 21 21 45 45 47 49 51
3 21 21 21 19 18 19 20 21 21 21 21 21 21 45 45 48 51 54
3 21 21 22 21 21 21 21 25 25 25 25 25 45 45 45 50 54 56
3 21 21 22 21 21 21 21 26 26 26 26 26 45 45 48 52 56 59
3 21 21 22 22 22 21 21 26 26 27 26 45 45 47 52 55 58 60
3 21 21 22 22 22 22 22 26 27 27 45 45 45 48 53 55 60 60
3 21 21 22 22 22 22 22 26 27 27 45 45 45 60 60 60 60 60
```
If this is the MOP map, then in the X version it seems like there are some dramatic changes to the values around 2k rpm; cold start = high fuel = need more oil to keep the chamber lubed.
In order to figure out the checksum and identify all the other things easily, you will need a good disassembler like IDA Pro that supports the SH processor. However, that software costs around $800, too expensive for a hobbyist who has no cash to spare! ![Frown](https://www.rx8club.com/images/smilies/frown.gif)
Anyone have any progress they care to contribute? The checksum algorithm used? Any hint would help. Mazda? Anyone?
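The comparison the post describes by hand, as an added example in Python (my code, not the poster's and not from any tuning tool): diff two same-sized images, tag each changed range by the known map it falls in, flag a lone change inside one aligned 32-bit word as a checksum candidate (the "two locations of 4 bytes each" pattern), and test one hypothesis for what such a word might hold. The hypothesis tested here, a sum of big-endian 16-bit words over a region, is an assumption for illustration; the thread never identifies the real algorithm. The two images are constructed inline with a 17x19 byte table at 0x800 and two sum fields at 0x10 and 0x20, and none of these offsets come from the real ROM.

```python
import struct

# Constructed layout (not the real ROM): a 17-row x 19-column 1-byte table standing in for the MOP map.
MOP_REGION = (0x800, 0x800 + 17 * 19)


def diff_ranges(a, b):
    """Return contiguous [start, end) byte ranges where two same-sized images differ."""
    if len(a) != len(b):
        raise ValueError("images must be the same size")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def classify_ranges(ranges, known_maps):
    """Tag each differing range: inside a known map, a change confined to one aligned 32-bit
    word (reported as that whole word, a checksum candidate), or unknown."""
    tagged = []
    for s, e in ranges:
        name = next((n for n, (ms, me) in known_maps.items() if ms <= s and e <= me), None)
        if name is not None:
            entry = (s, e, "map:" + name)
        elif (e - 1) // 4 == s // 4:
            w = (s // 4) * 4
            entry = (w, w + 4, "checksum-candidate")
        else:
            entry = (s, e, "unknown")
        if not tagged or tagged[-1] != entry:   # two partial byte changes in one word report once
            tagged.append(entry)
    return tagged


def word_sum32(image, start, end, skip=()):
    """Sum of big-endian 16-bit words over [start, end) mod 2**32, skipping the given [s, e) fields."""
    total = 0
    for off in range(start, end, 2):
        if any(s <= off < e for s, e in skip):
            continue
        total = (total + struct.unpack_from(">H", image, off)[0]) & 0xFFFFFFFF
    return total


def check_sum_hypothesis(image, field, region):
    """Does the 32-bit word at `field` equal the word sum of `region` with the field itself excluded?"""
    stored = struct.unpack_from(">I", image, field)[0]
    return stored == word_sum32(image, region[0], region[1], skip=[(field, field + 4)])


def stamp_sums(img):
    """Constructed scheme: word at 0x20 covers the calibration half [0x800, 0x1000);
    word at 0x10 covers the first half [0, 0x800), which includes the word at 0x20."""
    struct.pack_into(">I", img, 0x20, word_sum32(img, 0x800, 0x1000, skip=[(0x20, 0x24)]))
    struct.pack_into(">I", img, 0x10, word_sum32(img, 0x000, 0x800, skip=[(0x10, 0x14)]))


def build_sample_pair(restamp=True):
    """Two constructed 4 KiB images standing in for the ER and XE calibrations. With
    restamp=False the edited image keeps the old sums, i.e. a tampered/stale image."""
    a = bytearray((i * 37 + 11) & 0xFF for i in range(0x1000))
    base = MOP_REGION[0]
    for r in range(17):
        for c in range(19):
            a[base + r * 19 + c] = 3 + r + c // 2
    stamp_sums(a)
    b = bytearray(a)
    b[base + 0 * 19 + 4] = 28      # row 0, column 4 (the 2000 rpm column in the thread)
    b[base + 1 * 19 + 4] = 27      # row 1, column 4
    if restamp:
        stamp_sums(b)
    return bytes(a), bytes(b)


if __name__ == "__main__":
    a, b = build_sample_pair()
    for s, e, tag in classify_ranges(diff_ranges(a, b), {"MOP": MOP_REGION}):
        print("0x%04X:0x%04X  %s" % (s, e, tag))
    print("0x20 holds word sum of calibration half:", check_sum_hypothesis(b, 0x20, (0x800, 0x1000)))
```

The same `check_sum_hypothesis` call is how you would vet a candidate once you have an image you trust: a stored word that matches a simple sum over a region in every version you hold is strong evidence; one that matches in no version rules that sum out, and you move to the next hypothesis (different word size, a CRC, a different region).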
#230
Originally Posted by Xantium
I would assume that you know of the other ways to get software? Or is individual hobbyist "temporary software demo-ing" unethical...
btw ida pro is like $30
The IDA Pro Advanced Edition costs $875 to be exact. http://www.ccso.com/files/idaord.txt
The list of processors it supports can be viewed here: http://datarescue.com./idabase/idaproc.htm
#231
Damn... too bad this only supports 80x86 and ARM...
http://www.datarescue.be/downloaddemo.htm
Hmm...
http://www.thefreecountry.com/progra...semblers.shtml
Will this work?
http://www.trzy.org/
http://www.rockbox.org/tools.html
http://www.brouhaha.com/~eric/software/shdis/
http://www.osflash.org/swf9tools
Last edited by Japan8; 06-05-2006 at 07:02 AM.
#234
Originally Posted by Japan8
Damn... too bad this only supports 80x86 and ARM...
http://www.datarescue.be/downloaddemo.htm
Hmm...
http://www.thefreecountry.com/progra...semblers.shtml
Will this work?
http://www.trzy.org/
http://www.rockbox.org/tools.html
http://www.brouhaha.com/~eric/software/shdis/
http://www.osflash.org/swf9tools
![Smilie](https://www.rx8club.com/images/smilies/smile.gif)
I've also tried other ECU editor software, but some do not support the IEEE floating point data type that is used by the SH2/3 family. Some of them crashed every time I tried to define a map definition on the binary. So I figure, if we were able to get hold of the checksum algorithm or checksum routine, we could remove the checksum and bypass it. The only thing I would be afraid of is that the checksum might be outside of the flashable region, which we have no access to from the flash file. That's what I would do if I wanted to protect my code from unauthorized reflashes.
#235
Hi,
I’ve used several disassemblers myself and I can’t stress how much better IDA Pro is over everything else – especially for non-x86/x64 instruction sets. It’s been a while since I’ve used IDA and no, I do not have a copy.
I haven’t looked at the ECU myself, but if there is a ROM chip in there, then we need to dump its contents and reverse engineer that first. I don’t know how competent or security-focused the engineers that designed the software are, so I’m assuming that all of the code (we care about) is probably in the flash. Someone that’s dealt with the actual board itself should be able to tell if there is a ROM there.
Anyhow, I’m willing to bet that the checksum algorithm is embedded within the image itself. However, this doesn’t mean that we can hook or jump the checksum algorithm on the new image since the checksum calculation is being executed off the old image; otherwise, then what’s the point of checksumming? Therefore, if you intend to bypass the checksum check, then you need to be able to flash the image in the first place.
I don’t know if you guys can already do this, but there are a couple of ways of rewriting a flash. You can de-solder the flash, reprogram it, and then solder it back on. Alternatively, you can reprogram the chip in-place – this can be a pain in the ***, but so is de-soldering anything.
I recommend you guys read “Hacking the Xbox: An Introduction to Reverse Engineering” by Andrew “bunnie” Huang. I highly recommend it to anyone interested in reverse engineering hardware. I’ve met the guy on a few occasions and he’s an awesome dude (http://bunniestudios.com/).
-jc
#236
The promising disassembler I found thus far is this one "SH disassembler v19991206" from
http://www.eidolons-inn.net/tiki-lis...downloads_desc
I have some hunch on where the entry point might be, but cannot confirm until I gain access to the Mongoose cable to read some data from the PCM at address locations outside of the ROM image in the flash file; whether that is possible is another question I have not had a chance to look into.
#237
I gave it a whirl in IDA. IDA only does sh3 and sh4. it basically pukes and does nothing. I found this disassembler for sh2 that seems to work well http://www.trzy.org/files/sh2d020.zip
Seikx8 you can probably grab that and give it a whirl yourself or I can send you the output. it seems to work, starting at
```text
0x00004000: 0x9D6F mov.w @(0x0E2, pc), r13 ; 0x000040E2
```
we start getting code
![Smilie](https://www.rx8club.com/images/smilies/smile.gif)
#238
Originally Posted by Aseras
I gave it a whirl in IDA. IDA only does sh3 and sh4. it basically pukes and does nothing. I found this disassembler for sh2 that seems to work well http://www.trzy.org/files/sh2d020.zip
Seikx8 you can probably grab that and give it a whirl yourself or I can send you the output. it seems to work, starting at
```text
0x00004000: 0x9D6F mov.w @(0x0E2, pc), r13 ; 0x000040E2
```
we start getting code![Smilie](https://www.rx8club.com/images/smilies/smile.gif)
During hardware initialization, there will be code that allocates memory or at least initializes the RAM to all zeros (perhaps some type of stack or heap); without IDA Pro, it's going to be a slow process verifying those.
In IDA Pro, you will need to study the code by trial and error and look for the entry point. Most likely it doesn't recognize the signature of the OS, so you will have to give it some hints by defining some entry points and letting it analyze. If you hit the correct location, the whole thing will reveal itself; that's what a good analyzer would do, especially if you have the SDK version, where you can write your own extensions and plugins which will speed up the recovery process.
#239
Man you guys are going to a lot of trouble to figure this all out. What will you do if we see an aftermarket company offering reflashes in the next few weeks? Will you keep trying? It seems like a pretty good undertaking to get it all figured out.
#240
Originally Posted by rotarygod
Man you guys are going to a lot of trouble to figure this all out. What will you do if we see an aftermarket company offering reflashes in the next few weeks? Will you keep trying? It seems like a pretty good undertaking to get it all figured out.
![Smilie](https://www.rx8club.com/images/smilies/smile.gif)
Still, it's a good learning curve for me to know more about the OEM software and its abilities and what type of routines are put in place to harness or hold back the Renesis power from its original developer. And it's also a great way to prevent the aftermarket companies from overcharging us when there is open competition, especially when there is free info to be harnessed. I'm sure the aftermarket will try to hold back some secrets to make it more profitable.
And there is a very good source of information out there, such as the PC & SP registers being looked up at addresses 0x0 and 0x4 during the power-up exception. So if we are just able to access that address area of the ROM, we are in good shape, no? As for removing the chip to read the data, I'm not that crazy yet, but it would be the quickest solution out there. So I would not be surprised if the aftermarket companies are pursuing cracking the code by using that route if there are profits to be made.
For me it's just a hobby and knowledge to learn, just like I did with the eManage blue version protocol research that I started, writing software for the auto tuning feature, but I halted that project to pursue this instead. To answer your question, if there is enough knowledge gained and the aftermarket offers a reasonable price for the ability to tune the maps ourselves, this project will pretty much drop to a lower priority list.
It's eManage vs ECU reflash, so I need to make a choice in pursuing FI for the RX8.
#241
Hmm entry points...
ok well there's plenty of denso tags in hex.
05800
```text
36 30 45 30 46 37 30 30-20 20 20 20 20 20 20 20 "60E0F700 "
20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20 " "
05 01 25 43 6F 70 72 2E-44 45 4E 53 4F 32 30 30 "%Copr.DENSO200"
```
07320
```text
v` v8Copyrigh"
74 20 31 39 39 39 20 48-69 74 61 63 68 69 2C 4C "t 1999 Hitachi,L"
74 64 2E 48 69 74 61 63-68 69 20 56 65 68 69 63 "td.Hitachi Vehic"
6C 65 20 4F 70 65 72 61-74 69 6E 67 20 53 79 73 "le Operating Sys"
74 65 6D 20 66 6F 72 20-53 48 2D 32 20 4F 70 65 "tem for SH-2 Ope"
72 61 74 69 6E 67 20 53-79 73 74 65 6D 2C 20 50 "rating System, P"
72 6F 64 75 63 74 20 56-65 72 73 69 6F 6E 20 56 "roduct Version V"
32 2E 31 41 20 31 39 39-39 48 69 74 61 63 68 69 "2.1A 1999Hitachi"
20 56 65 68 69 63 6C 65-20 4F 70 65 72 61 74 69 " Vehicle Operati"
6E 67 20 53 79 73 74 65-6D 20 66 6F 72 20 53 48 "ng System for SH"
2D 32 20 4F 70 65 72 61-74 69 6E 67 20 53 79 73 "-2 Operating Sys"
74 65 6D 2C 20 50 72 69-76 61 74 65 20 56 65 72 "tem, Private Ver"
73 69 6F 6E 20 56 32 2E-31 41 2E 30 30 20 31 39 "sion V2.1A.00 19"
39 39 FF FF 2F 56 4F 22-7F FC 2F 86 2F 96 2F A6 "99 /VO"n/å/û/ª"
```
070670
```text
4E 33 5A 32 45 42 49 57-2E 5A 30 35 00 00 00 00 "N3Z2EBIW.Z05...."
0C 36 30 45 30 46 37 30-30 20 20 20 20 20 20 20 "60E0F700 "
20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20 " "
20 05 01 25 43 6F 70 72-2E 44 45 4E 53 4F 32 30 " %Copr.DENSO20"
30 30 53 53 57 2D 4E 33-5A 32 45 50 30 30 30 2E "00SSW-N3Z2EP000."
48 45 58 00 00 00 00 00-00 00 00 30 46 37 30 30 "HEX........0F700"
```
willing to bet it's near one of them.
honestly i know jack about sh. I'm assuming all the jumps for r1,r2 etc.. are for it.
#242
Originally Posted by Aseras
Hmm entry points...
ok well there's plenty of denso tags in hex.
05800
07320
070670
willing to bet it's near one of them.
honestly i know jack about sh. I'm assuming all the jumps for r1,r2 etc.. are for it.
With IDA, you will need to manually go through those and mark the identified text as data; in this case, strings. It will nicely auto-detect and define the string variable and lock the segment down so that it will not treat it as code. The other data are the map locations which I've identified in some previous posts; mark those as either individual data or define them as arrays, etc. Once you have all that, you are eliminating invalid code. This will take time, but it will be fun to play around with.
The nice thing about IDA is it will automatically analyze and nicely display the result from your manual analysis point. You just have to identify one segment at a time... once you find a segment that doesn't make sense (such as code colliding with data) you can eliminate that. It also has a very nice UI where you can navigate your code and trace the flow of code execution.
I have had a chance to play around with the demo version of IDA Pro, so I know its potential. Thus figuring out the rest of the ROM image will be time consuming and require lots of patience.
#244
Originally Posted by zoom44
could the flash file name- sw-N3Z(1 or 2)E(R or S etc)000 be the code or check sum in some way?
Last edited by seikx8; 06-17-2006 at 02:05 AM.
#245
To give some update, the following are a few subroutines I found in these ranges of addresses:
```text
0x25D0C:0x25FD4
0x25FDC:0x26114
0x26114:0x2633c
```
and so on..
Most of this code has floating point operations and calls to addresses in the 0x2000 - 0x3000 range, outside of the flash image range starting from 0x4000.
Some hints for analyzing the assembly code: look for any valid subroutine call. All subroutine calls should use a register loaded with a full 32-bit value, e.g.
```asm
mov.l @(disp,PC), Rn   ; load a 32-bit address from the literal pool
jsr @Rn
nop                    ; delay slot
```
And the following code should be marked as invalid:
```asm
mov.w @(disp,PC), Rn   ; only a sign-extended 16-bit value, not a full 32-bit address
jsr @Rn
```
All subroutines should have begin and end code signatures with some variant of the following format:
```asm
;begin routine
mov.l r14, @-r15       ; push callee-saved registers
mov.l r13, @-r15
...
sts.l pr, @-r15        ; save the return address (PR)
...
...
lds.l @r15+, pr        ; restore PR
...
mov.l @r15+, r13       ; pop callee-saved registers
rts
mov.l @r15+, r14       ; code placed here for the delayed return; sometimes you may see a nop instruction
; some data definitions if any (the literal pool)
; end subroutine
```
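The prologue/epilogue and call patterns above, plus the PC-relative mov.w that Aseras' disassembly (#237) picked up at 0x4000, as an added example in Python (my code, not the thread's and not a disassembler): it scans a big-endian SH-2 instruction stream for a run of pushes to @-r15 followed by sts.l pr,@-r15, for rts preceded by lds.l @r15+,pr, and for each jsr @Rn walks back to the most recent PC-relative load into Rn and resolves its literal-pool target, marking mov.w-fed calls invalid exactly as the post says. The encodings used (mov.l Rm,@-r15 = 0x2Fm6, sts.l pr,@-r15 = 0x4F22, lds.l @r15+,pr = 0x4F26, rts = 0x000B, jsr @Rn = 0x4n0B, mov.l @(disp,PC),Rn = 0xDndd, mov.w @(disp,PC),Rn = 0x9ndd) follow the SH-2 instruction set; the 34-byte fragment it scans is constructed inline and is not from the ECU image.

```python
import struct

STS_L_PR = 0x4F22   # sts.l pr,@-r15
LDS_L_PR = 0x4F26   # lds.l @r15+,pr
RTS = 0x000B
NOP = 0x0009


def words(image):
    """Big-endian 16-bit instruction stream (the thread's dump shows 2F 56 4F 22 ..., i.e. big-endian)."""
    return [struct.unpack_from(">H", image, o)[0] for o in range(0, len(image) - 1, 2)]


def is_push_to_r15(w):   # mov.l Rm,@-r15 : 0010 1111 mmmm 0110
    return (w & 0xFF0F) == 0x2F06


def is_pop_from_r15(w):  # mov.l @r15+,Rn : 0110 nnnn 1111 0110
    return (w & 0xF0FF) == 0x60F6


def pc_relative_target(w, addr):
    """Resolve mov.l/mov.w @(disp,PC),Rn at `addr` to the literal-pool address it reads.
    SH-2 rule: mov.l uses ((addr+4) & ~3) + disp*4, mov.w uses (addr+4) + disp*2."""
    disp = w & 0xFF
    if (w & 0xF000) == 0xD000:
        return "mov.l", ((addr + 4) & ~3) + disp * 4
    if (w & 0xF000) == 0x9000:
        return "mov.w", addr + 4 + disp * 2
    return None, None


def find_prologues(image, window=8):
    """Addresses where a run of pushes to @-r15 starts and sts.l pr,@-r15 follows within `window` words."""
    ws = words(image)
    return [i * 2 for i, w in enumerate(ws)
            if is_push_to_r15(w) and (i == 0 or not is_push_to_r15(ws[i - 1]))
            and STS_L_PR in ws[i:i + window]]


def find_epilogues(image, window=8):
    """(address, delay_slot_ok) for each rts that has lds.l @r15+,pr within `window` words before it;
    delay_slot_ok is True when the slot holds a nop or a pop from r15, as the post describes."""
    ws = words(image)
    hits = []
    for i, w in enumerate(ws):
        if w == RTS and LDS_L_PR in ws[max(0, i - window):i]:
            slot = ws[i + 1] if i + 1 < len(ws) else None
            hits.append((i * 2, slot == NOP or (slot is not None and is_pop_from_r15(slot))))
    return hits


def find_calls(image, window=8):
    """Pair each jsr @Rn with the most recent PC-relative load into Rn. A mov.l gives a full
    32-bit target (valid); a mov.w gives only a sign-extended 16-bit value (flagged invalid)."""
    ws = words(image)
    calls = []
    for i, w in enumerate(ws):
        if (w & 0xF0FF) != 0x400B:          # jsr @Rn
            continue
        n = (w >> 8) & 0xF
        info = {"at": i * 2, "reg": n, "load": None, "target": None, "valid": False}
        for j in range(i - 1, max(-1, i - 1 - window), -1):
            lw = ws[j]
            kind, pool = pc_relative_target(lw, j * 2)
            if kind is None or ((lw >> 8) & 0xF) != n:
                continue
            if kind == "mov.l" and pool + 4 <= len(image):
                info.update(load=kind, target=struct.unpack_from(">I", image, pool)[0], valid=True)
            elif kind == "mov.w" and pool + 2 <= len(image):
                val = struct.unpack_from(">h", image, pool)[0] & 0xFFFFFFFF
                info.update(load=kind, target=val, valid=False)
            break
        calls.append(info)
    return calls


def build_sample():
    """Constructed 34-byte SH-2 fragment (not from the ECU image): prologue, a mov.l/jsr call,
    epilogue with a pop in the delay slot, then the mov.w/jsr pair the post says to mark invalid."""
    code = [
        0x2FE6,          # 0x00 mov.l r14,@-r15
        0x2FD6,          # 0x02 mov.l r13,@-r15
        0x4F22,          # 0x04 sts.l pr,@-r15
        0xD103,          # 0x06 mov.l @(3*4 from aligned PC 0x08 -> 0x14),r1
        0x410B,          # 0x08 jsr @r1
        0x0009,          # 0x0A nop (delay slot)
        0x4F26,          # 0x0C lds.l @r15+,pr
        0x6DF6,          # 0x0E mov.l @r15+,r13
        0x000B,          # 0x10 rts
        0x6EF6,          # 0x12 mov.l @r15+,r14 (delay slot)
        0x0000, 0x2400,  # 0x14 literal pool: 0x00002400 (a call target below the 0x4000 flash image)
        0x9202,          # 0x18 mov.w @(2*2 from PC 0x1C -> 0x20),r2
        0x420B,          # 0x1A jsr @r2
        0x0009,          # 0x1C nop
        0x0009,          # 0x1E nop
        0x1234,          # 0x20 16-bit literal
    ]
    return struct.pack(">%dH" % len(code), *code)


if __name__ == "__main__":
    img = build_sample()
    print("prologues:", [hex(a) for a in find_prologues(img)])
    print("epilogues:", [(hex(a), ok) for a, ok in find_epilogues(img)])
    for c in find_calls(img):
        print("jsr at 0x%02X via %s -> %s valid=%s" % (c["at"], c["load"], hex(c["target"]), c["valid"]))
```

Run over a real image with the load address added to every offset, the prologue and epilogue lists bracket candidate subroutines and the call list gives you the literal-pool targets to follow; any target in the 0x2000 - 0x3000 range the post mentions stands out immediately as a call outside the flash image.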
#246
I hit gold in a subroutine in the range 0x22060:0x2211A; there is code referencing data accesses to the data map I've previously identified.
I'm tired now, got to catch some shut eye.
#250
i've been swamped for the last month and a half with work. I lost my tech and picked up a new gf so I've not had much time. I'll have the next week and a half or so all to myself so hopefully I'll be able to go through some of the new things I've got ( thanks zoom ) and see what I can do.