RomRaider

NSFW, if you continue working on this program, please consider adding functionality for EcuFlash format definitions, I've found them easier to work with, both for patching and testing unknown tables with that other program. If you're too busy I'll gladly have a crack at it if you pm or post the source (just change the extension).

The C# source is attached. I've never looked at the EcuFlash definitions before, but looking at it just now, it the format seems pretty similar so it shouldn't take much effort to support it.

Hey guys, I decided I wanted to see what the 32bit stuff was all about. I'm becoming pretty familiar with the 16bit stuff, but this is so much different! I'm having a hard time getting anything to unfold properly. I thought I was doing alright, I had most of the bar up top turned blue, but I must have done something wrong. IDA wouldn't show me anything in graph view, the XMLtoIDC wouldn't label anything, the VBR contained no subroutines. I'm using the same ROM as Freon was just to get started so that I could follow the same addresses as he had in pictures on his thread about this topic2184.html there.

I haven't created a RAM section because I don't understand the addresses yet. I was going through and marking certain opcodes as code like merchgod had said, that's what got me as far as I was, but like I said, something was wrong.

Can anyone help me out with getting the RAM section created and perhaps telling me what the heck I'm doing wrong!?

Thanks in advance!

Andy

You just have to go through and mark all the code. As you play with it more, you'll start to recognize code from data as there are a lot of routines that start with the same instruction(s). Remember, that with the SH ECU, you'll see code/data, code/data, etc. which is different than the HC16 in which you have, for example, offsets and immediate data referenced in the corresponding instruction. To create a RAM segment, go to edit -> segments -> create segments (name = RAM, start address = 0xFFFF0000, end = 0xFFFFDFFF and delete anything in base). Then re-analyze the program in options.

For 1MB 32bits ROM
To get most of the routines..you need to find 2 seeding points..

1) From Power up reset..,find where is the program pointing to...at address 0x00000 to 0x00003
Jump to this address and press C,you will start to see quite a number of routine coming out..

2) Go to Option, run Program Reanalysis ( Set Kernel 1 option- let final analysis passed)

With these 2 steps, you are getting most of the routines out..


3) Check out the 0xFFF00 area,..this area contains the VBR lookup routine.trace the reference to this..you will get a routine..loading VBR register.
On this 0xffff00 address zone, you will see a list of subroutines ..the lookup table is placed just right after the CheckSum words of 5A5A5A5A (cant remember exact sequence) .before defining the subroutine.the Disassembler labeled those suspected routines as Loc_xxxxxx xxxx=Start address of the routine.

Note: Disassembler sometimes do intepret data wrongly...assume data area as code area....you need to learn on how to uncoded it and put the data back as data area..

For wrx rom.,as general trend.
Data area mostly starts from 0xC0000
=> If you see code in this area,very likely this was the error from the disassembler...
Reference to 2D/3D maps ,mostly at 0x80000 zone.

4) Pattern signature..
Once you are familiar with one car type..when you open another car rom..(same type of car..e.g wrx (2005) versus wrx09.) you can use the previously known sub-routines code...as a signature ..use it to search on the new rom that you wanted to disassemble ...with cross referencing to the sub-routine that calling the known data type, with this you can be very sure the tables defined are accurate..

Thanks Adding the RAM segment and performing the analysis with "make final pass" checked opened a TON of stuff up! And I thought the 16bit stuff was taking a while to learn...silly me!

Thanks hmanxx I will keep all of that in mind, though I need to spend much more time learning what the opcodes mean and what the vbr actually is before I can actually get into figuring any of it out

Andy

When I chose to execute the script it says to enter a text, what should I be putting here?

Andy

After adding the RAM segment and making a final analysis pass, I really wasn't able to mark much as code, is that normal? In fact, it almost seems like too much of it has been set to code, much like hmanxx said. I went through and hit 'd' on some of the stuff, and it made even less sense. Nothing is where it should be(from photos referenced and from you guys giving me approximate locations) and I fear that maybe I shouldn't have made the final pass, and I should have just gone through and marked the 2 opcodes merchgod mentioned earlier as code. Would this be a better approach?

I learn best by seeing an example, but since I don't really have one, I'd like to create one for myself. I don't much care what certain routines do at this point, it's more about learning my way around all the different commands. Once I feel more comfortable with them, I will start labeling things and working my way through stuff.

I appreciate anymore advice you guys are willing to offer!

Andy

Open the .idc file and look for the name of the function.
I think it will be the cal id, e.g. A2WC510N. Enter it, see what happens...

It's been so long since I wrote utility, the code is all greek to me now.

Next time I get back into this, I'm going to be starting from scratch again.

I would start again fresh. There are a variety of ways to get started. Ultimately, nothing is going to unfold the entire ROM with a few keystrokes short of creating your own script or plug-in to do it. If you mark something as code and it doesn't look right, then undefine it by hitting "U".

please, do you have a lexicon for type commands: mov, mov.b, bra, bt, jsr, fmov, ect......

Go renesas website to download SH7058 the software instruction manual and the hardware manual..both are equally important..

These 2 manual provide quite a lot of information..for the software manual, on section 7, it described the assembly instructions with C syntax..and provide live examples to instill understanding...what is lucky -the manual translation -english version is quite well done...as compare to most japanese-> english manual which most of the time is quite hopeless.


Besides understanding on the instruction syntax..getting to know the exact op-code format is useful too...when you are doing binary pattern search..knowing the op-code help quite a fair bit...

One area to take note of is the jmp, jsr .. please take note on those group of delay branching instructions ...without understand this ...you will not be able to interpret the routines effectively..

2D and 3D process routines are with passing by pointer concept( in C Language).

Syntax of 3D routine (fr5=X axis (col) input, fr4=Y- axis input,Fr0= Return looked up value)
start Routine..
get X and Y corresponding data point.
Pointer A point to end of routine
Point B => load pointer B with data type from the data structure.(.e.g 32bits=> offset =0, 16bits=8(cant remember exact offset)
branch to Pointer A+B.routine..to processs the 3D data..

=>
end routine
Address of 32bits process routine (Data type of zero offset )
address of 8bits process routine( data type of 8 bytes offset
address of 26bits process routine(data type of 16bytes offset)

For unique signature (with this you can speed up the definition creation process),..i am still studying and hopefully more are joining force to list them here.

Some examples.
a) MAF look up table has fix table lengt..and data type( 32bits), 2D format.
Signature search will be table length(2 bytes) and data type..
Once got to the data structure definition..trace to the reference routine that calling it...this will be the MAF Voltage conversion routine.

b) Timing IAT compensation..
=> Identified..Engine load(4 bytes) ,RPM and IAT RAM Memory address

c) Injector scaling
very short routine..and almost never change for different type of ROM..
=> Good to identify the injector scaling memory location.

thank you very much

Wow! I can tel that will be a great read once I have a MUCH better understanding of how things work in this processor. For now, I finally got it opened up correctly(I think) and have started naming the stuff that is already defined. I will need to sped some time in this part and start learning all of the new language.

The first thing that has started confusing me is "unk". What is it and what does it mean? I know it might be trivial, but I'd like to learn all of the "easy" stuff first to sort of familiarize myself with the language. I have no prior programming experience except the past 2 months of learning to do this on a 16bit ecu. So I appreciate the patience

Andy

it is just a label to data of an unknown size (to IDA). You can rename it as you please