RomRaider

Ive been interested lately in taking a look at the ecu code. I have a copy of IDA pro ready to go, but im unsure what file to open and what microporcessor profile to use to analyze it. I tried opening a the rom file that you tune in RomRaider via the Embedded Rom file profile, and the SH3 profile, but did not get any kind of useful disassembly from it. How do I get started with viewing the kind of code that is being reverse engineered for ramtune?

Use processor Motorola 6816. Entry point 0x220 (hit G, 0x220, hit C).

thanks. how are you able to tell where anything is in there? theres no labels or anything to help lead to the fuel cut code, for instance.

You can use the existing XML defs to help you, but largely you just gotta figure it out using logical deduction. It's not supposed to be easy, it is reverse engineering. Of course there are no labels on anything.

You might start by labeling (right click, rename) some commonly used subroutines, like the subroutines that are used to pull back data from the maps. Like you'll see the same subroutine (or maybe one of two or three) used every time a 2D map is looked up, or another one (or two) for pulling 3D maps, etc.

I suggest downloading an HC16 software manual so you know what all the opcodes are. Once you've fingered through the code for about 50 hours you'll start to understand some of the basic concepts of how the opcodes are used to get various things done, like bit switching, etc.

It takes a lot of time of messing with it and it is not generally easy. As far as fuel cut, we know the rev limiter uses fuel cut and the rev limit values are already defined. If you are just starting out, best thing to do is to work with known tables/processes to get an understanding of how a simple system works such as boost control. Obviously you need to have some sort of programming background and you need to have a good grasp of assembly language especially specific to the Motorola HC16 (go to http://www.freescale.com and download the software manual).

damn, no labels?

how inconsiderate!

HAHA guys... im used to doing it the easy way when i used to disassemble win32 apps ... named subs, named api calls, gosh it was a walk in the park... what do i know about microcontrollers anyway damn

i am keen to read /digest the codes then share with the community however I dont have IDA with me, Any kind soul willing to help me disassemble the MY05 wrx 16bits ROM and generate the assembly listing ?

Do you have this information for the 32 bit systems?

Use Hitachi SH4B for the 32bit ecus.

Might as well ask this for others to find. On the 04 STi roms (of any particular version you care to reference in your reply), I realize that the entry points are listed through the first bit of the rom, but could you give me an example of an entry point to start disassembling from? Something to *boostrap* my efforts... ok, that was a lame joke.

I'm not sure this question is clear as I've only been playing with IDA Pro 5 for a short while. Let me know.

Also, as an exercise to get more acquainted with the tool, I'm attempting to pull map data (like boost map B) based on the address listed in the ecu_defs.xml. I can see where data might be, but how within the code frame of IDA would I change the number representation to something more readable. I'd actually like to see the '15' in 15psi.

Thanks!

There's a series of jump instructions, one after another, that begin somewhere between 0xF000 to 0x13000 (varies by rom). I just look for the 0x430B opcode (highlight it in IDA's hex view) and look in that range and find where they are aligned. Then start there and mark it as code and go to the next unexplored block (ctrl-U) skipping over the alignment bytes. Keep doing that as long as it is fruitful. Basically this unfolds a decent portion of the rom with the least amount of effort.


Not sure if you can do that in IDA or not (apply some conversion formula to data). Besides, that is what RomRaider is for! Boost is represented in mmHg absolute in the 32bit rom.

^^ Thanks for the primer Its appreciated. You might be getting a ton of stupid questions in the future from me.

lol, I know I know, I was just shooting for something familiar to look at as I learn the tool.