RomRaider

Hi guys,

I've tried to follow this with my 32-bit WRX MY11 ROM (AZ1G900C) and the first four bytes are 00 00 0C 0C.

I go to 00000C0C and hit C, and IDA says "error making code" or something along those lines....

Any suggestions on where i've gone wrong ?

Cheers,

Adrian

See the first post, section: How do you open a ROM? (32-bit), item #7.
Just jumping to 0x0c0c and pressing C is not enough.
Make sure the correct processor (SH4B device SH7058) is set too.

I've created two scripts to help decode 16bit ROMs in IDA.
Source: Format16bitROM.idc

Here are the steps:

1. You will not need to convert your 160kb ROM to 192kb, either size can be opened and formatted by this process.
2. Open your ROM with IDA.
3. Change the processor type to Motorola Series: 6816.
4. No need to define a RAM segment just click OK to proceed.
5. Under the IDA File menu select Script file (Alt-F7)
6. Select the script named Format16bitROM.idc
7. Read the warning and press Yes to proceed formatting the ROM.

At this point the ROM is formatted, interrupts are marked, the RAM segment is defined and the basic code analyzed. Now you can proceed with marking the SSM Standard parameters file as provided by the XmlToIdc application.

To locate the SSM Read vector base address the easiest way is to perform a Hex search on 'a210'. You should get a hit that leads you to the string 'a2100f' for example (see the table at the end of the first post here for other possible third byte values). The next byte is the first byte of the ECU ID. You may wish to name it for future reference. Next complete a Hex search for the last two bytes of the address of this ECU ID byte 1. For example:
now search on 'A8DC'. If you get more than one hit you want the hit that leads you to a section of data that has addresses starting with a 0x00, 0x02. For example:the correct search result in this example is at address BC06. The address of the first sequence of 0x00, 0x02 is the SSM Read Base vector address. Here the word 'DATA' can be interpreted as the value 0x02. So the IDA Linear Address for DATA:BC00 is actually 0x02BC00 which is the Read Base vector address needed by the XmlToIdc program to produce the stdparam marking file.

Once you have produced the stdparam.idc file, in IDA run the script using the File menu Script file item. It will take a couple of minutes to complete the stdparam.idc script and provided messages of its progresses. It is normal to see some "No reference" messages for unsupported SSM parameters.

If you now open the Names (Shift-F4) window of IDA you can see the marked RAM locations, the pointers to these and the getter subroutines.

Decoding subroutines... because the 6816 processors uses the IX, IY, IZ registers as address extension registers, the processor instuction operands are not fully represented as addresses in the code. To assist in fixing up those addresses you can run the Convert16bitOperand.idc script on a subroutine or at a single address or over a contiguous selection of addresses to convert the numeric operand to an offset. This should then lead you to the Linear address being referenced by the instruction. Be cautious of operands with a value lower than 0x0f as these are sometimes used as offsets to a modified index register that has been previously loaded with an address other than the base 0x20000.
Source: Convert16bitOperand.idc

Note: each of these scripts has a description and some help in the comments at the beginning of each file. Just open them in a text editor to view the comments.

I've used the above scripts with great results on the 16 bit Roms - thanks for these Dale, they save a tremendous amount of time.

Hello guys, I'm new in IDA analizing and I have some questions. Help me please.
So, finely I found how to open ROM and make autoanalizing.
I found "how to" about DTC.
But I can't use Dschultz's scripts.
I have "syntax error" and these scripts syntax is different from inrernal sample IDA scripts.
Which version of IDA do you use or what I doing wrong?
I use Ida Pro 6.1 . It accept "sh3.def" and I have list of processors (7055, 7058,7058H)
Ida Pro advanced 5.5 doesn't accept "SH3.def" (syntax error) so I can't choose a processor type.
thank's for attention.

You may wish to read this and this.

dschultz, thanks for reply. But I read all this carefull lot of times.
Which version of IDA do you use?

I have whatever the latest release is.
You mentioned auto analyze doesn't work. Did you:

7) Make an analysis pass. From the "Options" menu, click "General." Under "Kernel Options 1" select "Make final analysis pass." Click "Reanalyze Program." IDA should spend a minute analyzing the ROM, marking some sections as code and others as data. This is very helpful, but again it is not perfect - there will be sections of code erroneously marked as data, and vice-versa.

pffff... Dschultz, Thanks again.
While I waited few days for premoderation of my post I solved all my previous problems.

So now I can load Rom and make autoanalize. I can find any 3-d table or some of 2-d (f.e. Maf), I can find all of Dtc.
But I do it in manual mode.
Now I have 2 problems-
1. scripts doesn't works. Ida send me error message.
2. XmlToIdCon.exe doesn't work too. But there problem whith my Win Xp Sp3- Ntvdm send me error when I run XmlToIdCon.
So maybe I should fix problem with Ntvdm to run XmlToIdcon first?
Or scripts must to work without it?
Thanks.

P.S. I'm not SW developer. I just have some knowleges in programming and understand "how it works".
I want to use Ida disassembly to faster find neccessary tables and Dtc in undefined Roms.
Also add new features to my own az1e400u.
I have install wrx 08 ecu into my Impreza 08 2.0 na. Then I rebuild my Ej204 engine into 2,5 l (like Ej254) with 8000 redline.
Next step will be install of Kelford 278 cams, new intake manifold and biggest throttle.
So now all new defs and additional tables can be very helpfull for me.
And I don't want disturb you guys with add them all to my rom.

It's hard to help if you don't provide the error info for each problem.
You do have Microsoft .NET framework installed right?

Can some one tell me if both the kickdown sw and the si-drive param get loaded with zero in this example?

That's odd. Its loading SI mode value to r6 and immediately overwriting it with kickdown address..

Looks to me like it only writes zero to the kickdownswitch value.

What does the rest of the subroutine do? This could just be part of a sequence of parameter initialization upon ECU reset.

I agree! It just through me off because I couldn't understand why they would overwrite r6 straight up.


I think its a code remnant from a function not used for my rom revision! (I've semi confirmed this through looking at other roms)
As some of the code seems to be missing and from what I can see it only achieves one thing it zeros out the kickdown sw.

I'm actually looking at hijacking this routine to implement SI-Drive on my non S-Drive car I've found a routine that determines tgv position based on the input voltage. So all I have to do is change the thresholds and change the results from 0,1,2 to 1,2,3. I'll use the hijacked kickdown routine to call the determination routine and store my SI-Drive mode.


Thoughts? I hope it works the great thing is I can make all changes with a hex editor!

Excellent work

I have some very alpha test code for map switching that uses SI Drive for selection. TGV input control for non-SI cars is working its way up the TODO