RomRaider

Open Source ECU Tools

 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Sun Dec 27, 2009 5:57 pm 
RomRaider Donator

Joined: Wed Jul 12, 2006 3:01 pm
Posts: 154
There is no fixed way to lead you to a fully disassembled ROM.

This thread itself is quite good. I have used all the methods ever discussed here and am getting quite good results. You just need to get hands-on until you hit a road block, then come back here to post questions; people will guide you along.

The keyword is hands-on/practical. Without trying it out, you will not be able to understand it.

Among all of them, selecting the option "Make final analysis pass" is the most straightforward. It will help disassemble most of the code; however, it does give some errors (decoding a lookup table as program code, where you have no choice but to decide for yourself whether it makes sense).

1) Download the software and hardware manuals and get yourself familiar with the assembly language syntax and the behavior of the hardware architecture.

2) 2D/3D data structures
=> OpenEcu.Org has a write-up on this.
Without understanding these, you will find it difficult to trace the routines that use these data structures frequently.

3) Use what has been described here (CEL routines, SSM) as a base for exercises.

Try it out.


 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Sun Dec 27, 2009 6:00 pm 
Experienced

Joined: Sun Jun 01, 2008 2:14 am
Posts: 125
Location: Quebec
Awesome. Let me know if you need some kind of help.

Mart

fujiillin wrote:
I'm getting close to finishing up a couple patches for my rom, then I plan on compiling everything into a PDF including everything from opening a rom in IDA to the basics of pipeline flow and optimization.


 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Sun Dec 27, 2009 6:17 pm 
Experienced

Joined: Mon Aug 18, 2008 11:15 pm
Posts: 316
Location: Chicago, Illinois
Have you looked at any of the other 32bit ROMs? I'm looking at an 08 STi right now and, using the same TD example, it seems like it is referenced differently. I'm sure I'll figure it out, just curious if I am right about it being different.

I think a guide for this stuff would be fantastic! I would be willing to work with you on it if you wanted to include the 16bit stuff. I wouldn't be much help with the 32bit stuff as I am just starting with that, but I have a pretty good grasp on the 16bit.

I think it's healthy for people to try this out, even if they end up giving up or hating it, at least they know what it's about.

And, you're right, all the info one needs is in this thread. I have successfully opened up and labeled 2 32bit ROMs using just this thread. It's great to have people like you and merchgod still around that are willing to help us new guys out :) Thanks!

Andy


 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Sun Dec 27, 2009 8:33 pm 
Experienced

Joined: Wed Feb 13, 2008 3:00 am
Posts: 153
Just opened the latest 08 STi rom revision I could find: AZ1G202G

Running XMLtoIDC and using VBR:

Data Tables:
Code:
ROM:000C06E0 TargetBoostCompensationECT:.data.b h'80 ; Ç
ROM:000C06E1                 .data.b h'80 ; Ç
ROM:000C06E2                 .data.b h'80 ; Ç
ROM:000C06E3                 .data.b h'80 ; Ç
ROM:000C06E4                 .datab.l 3, h'80808080
ROM:000C06F0 TurboDynamicsProportional_YAxis:.data.l h'C3200000, h'C2A00000, h'C2200000, h'C1A00000
ROM:000C06F0                                         ; DATA XREF: ROM:00086B78o
ROM:000C06F0                 .data.l 0
ROM:000C0704                 .data.l h'41A00000, h'42200000, h'42A00000, h'43200000
ROM:000C0714 TurboDynamicsProportional:.data.l h'2A002F00, h'31003180, h'32003280, h'33003500
ROM:000C0714                                         ; DATA XREF: ROM:00086B7Co
ROM:000C0714                 .data.l h'3A000000
ROM:000C0728 TurboDynamicsIntegralNegative_YAxis:.data.l h'C3700000, h'C3480000, h'C3200000, h'C2F00000
ROM:000C0728                                         ; DATA XREF: ROM:00086B8Co
ROM:000C0728                 .data.l h'C2A00000, h'C2200000, h'C1A00000, h'C1200000
ROM:000C0728                 .data.l 0
ROM:000C074C TurboDynamicsIntegralNegative:.data.l h'2D002F00, h'3000309A, h'311A319A, h'31CD31E6
ROM:000C074C                                         ; DATA XREF: ROM:00086B90o
ROM:000C074C                 .data.l h'32000000
ROM:000C0760 TurboDynamicsIntegralPositive_YAxis:.data.l 0 ; DATA XREF: ROM:00086BA0o
ROM:000C0764                 .data.l h'41200000, h'41A00000, h'42200000, h'42A00000
ROM:000C0764                 .data.l h'42F00000, h'43200000, h'43480000, h'43700000
ROM:000C0784 TurboDynamicsIntegralPositive:.data.l h'3200321A, h'32333266, h'32E63366, h'34003500
ROM:000C0784                                         ; DATA XREF: ROM:00086BA4o
ROM:000C0794                 .data.w h'3700
ROM:000C0796                 .align 4


LUT:
Code:
ROM:00086B74 off_86B74:      .data.l dword_90800     ; DATA XREF: ROM:off_1436Co
ROM:00086B78                 .data.l TurboDynamicsProportional_YAxis
ROM:00086B7C                 .data.l TurboDynamicsProportional
ROM:00086B80                 .data.l h'3B800000, h'C2480000
ROM:00086B88 off_86B88:      .data.l dword_90800     ; DATA XREF: ROM:off_14380o
ROM:00086B8C                 .data.l TurboDynamicsIntegralNegative_YAxis
ROM:00086B90                 .data.l TurboDynamicsIntegralNegative
ROM:00086B94                 .data.l h'3B800000, h'C2480000
ROM:00086B9C off_86B9C:      .data.l dword_90800     ; DATA XREF: ROM:off_14390o
ROM:00086BA0                 .data.l TurboDynamicsIntegralPositive_YAxis
ROM:00086BA4                 .data.l TurboDynamicsIntegralPositive
ROM:00086BA8                 .data.l h'3B800000, h'C2480000


Subroutine with map pull:
Code:
ROM:00014242                 mov.l   @(h'128,pc), r4 ; [0001436C] = off_86B74
ROM:00014244                 mov.l   @(h'128,pc), r2 ; [00014370] = sub_BE804
ROM:00014246                 jsr     @r2 ; sub_BE804
ROM:00014248                 fmov    fr14, fr4
ROM:0001424A                 fmov.s  fr0, @r15


It works the same way, only the 2D map pull subroutine is now @ 0xBE804.

Some info on 16bit would be great.

Glad I could help out. With a few more people disassembling the ROMs, we can continue to work on the definitions, and maybe realtime tuning will become a reality :)

_________________
06 Wrx Wagon 2.3 longrod in the works
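
The LUT entry, Y axis and table in the listing above decode into a readable 2D map with a few lines of Python. This is an added example, not code from the post, from RomRaider or from XMLtoIDC; the longwords are transcribed from the listing, while reading the entry's two trailing floats as a multiplier and offset for the 16-bit cells, the linear-interpolation lookup and the axis-monotonicity check are this example's own assumptions.

```python
"""Decode the TurboDynamicsProportional 2D map from the IDA listing above.

Added example: not code from the forum post, from RomRaider or from XMLtoIDC.
The longwords are transcribed from the listing. The assumption that the two
trailing floats of the off_86B74 entry are a multiplier and an offset for the
16-bit cells, and the linear-interpolation lookup, are this example's own.
"""
import struct

# off_86B74 entry (ROM:00086B74), five longwords as shown in the listing. IDA
# prints the first three as symbols; the numeric addresses are taken from the
# listing addresses of those labels.
OFF_86B74 = (
    0x00090800,  # dword_90800: referenced by all three entries; not decoded here
    0x000C06F0,  # TurboDynamicsProportional_YAxis
    0x000C0714,  # TurboDynamicsProportional
    0x3B800000,  # float, assumed multiplier for the 16-bit cells
    0xC2480000,  # float, assumed offset added after the multiply
)

# Y axis at ROM:000C06F0: nine single-precision floats (.data.l ..., 0, ...).
YAXIS_WORDS = (0xC3200000, 0xC2A00000, 0xC2200000, 0xC1A00000, 0x00000000,
               0x41A00000, 0x42200000, 0x42A00000, 0x43200000)

# Table at ROM:000C0714: nine 16-bit cells, two per longword, the last padded.
TABLE_WORDS = (0x2A002F00, 0x31003180, 0x32003280, 0x33003500, 0x3A000000)


def f32(word):
    """Reinterpret a longword as an IEEE-754 single (big-endian, as the listing's byte order shows)."""
    return struct.unpack(">f", word.to_bytes(4, "big"))[0]


def split_u16(words, count):
    """Unpack big-endian 16-bit cells from longwords and keep the first `count`."""
    cells = []
    for w in words:
        cells.append((w >> 16) & 0xFFFF)
        cells.append(w & 0xFFFF)
    return cells[:count]


def decode_2d_map(entry, axis_words, table_words):
    """Return (axis, values) for a 2D map described by one LUT entry.

    The axis must be strictly increasing. The first post warns that IDA can
    mark a lookup table as code (or the reverse); a non-monotonic axis is the
    quickest sign that the wrong bytes were picked up.
    """
    _input_ptr, _axis_ptr, _table_ptr, mult_word, offset_word = entry
    axis = [f32(w) for w in axis_words]
    if any(b <= a for a, b in zip(axis, axis[1:])):
        raise ValueError("axis is not strictly increasing: %r" % axis)
    mult, offset = f32(mult_word), f32(offset_word)
    cells = split_u16(table_words, len(axis))
    values = [cell * mult + offset for cell in cells]
    return axis, values


def lookup_2d(axis, values, x):
    """Linear interpolation with clamping at both ends of the axis.

    A generic map lookup written for this example; the body of the ROM's own
    Read_2D_Maps / sub_BE804 routine is not shown in the thread.
    """
    if x <= axis[0]:
        return values[0]
    if x >= axis[-1]:
        return values[-1]
    for i in range(1, len(axis)):
        if x <= axis[i]:
            t = (x - axis[i - 1]) / (axis[i] - axis[i - 1])
            return values[i - 1] + t * (values[i] - values[i - 1])
    return values[-1]


if __name__ == "__main__":
    axis, values = decode_2d_map(OFF_86B74, YAXIS_WORDS, TABLE_WORDS)
    print("scaling: cell * %g + %g" % (f32(OFF_86B74[3]), f32(OFF_86B74[4])))
    for a, v in zip(axis, values):
        print("%8.1f -> %6.2f" % (a, v))
    print("lookup(-100.0) =", lookup_2d(axis, values, -100.0))
```

With these longwords the cells come out as -8, -3, -1, -0.5, 0, 0.5, 1, 3, 8 over an axis of -160 to 160, which is the kind of shape a proportional turbo-dynamics table is expected to have.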


 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Sun Dec 27, 2009 9:10 pm 
Moderator

Joined: Thu Nov 23, 2006 2:23 am
Posts: 2565
fujiillin wrote:
I'm getting close to finishing up a couple patches for my rom, then I plan on compiling everything into a PDF including everything from opening a rom in IDA to the basics of pipeline flow and optimization.


Awesome. I'll be happy to see this, even in first-draft form... It's been so long since I looked at a ROM, I'll almost be starting from scratch. :)

_________________
2005 Legacy GT w/ ATP 3076, IWG, MBC, BCS, BC 272, LC, FFS, OMG
Please don't send questions via PM. Post a thread and send me a link to it instead. Thanks!


 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Mon Dec 28, 2009 12:39 am 
Experienced

Joined: Mon Aug 18, 2008 11:15 pm
Posts: 316
Location: Chicago, Illinois
I see what I did wrong :) I didn't go back far enough following the xrefs. Whoops! Another question for ya :) Will the SSM LUT have a bunch of data.l byte_01234 or data.l loc_01234? I think it's the loc_01234 ones but wanted to double check.

As far as the 16bit info goes, did you want me to type something up or did you plan on writing it and just asking questions? I am no English major by any means but I will do my best if you want me to.

Andy


 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Mon Dec 28, 2009 12:56 am 
Experienced

Joined: Mon Aug 18, 2008 11:15 pm
Posts: 316
Location: Chicago, Illinois
NSFW wrote:
Awesome. I'll be happy to see this, even in first-draft form... It's been so long since I looked at a ROM, I'll almost be starting from scratch. :)

I saw a while back you were talking about adding the SSM parameters into your XMLtoIDC program, is this something you still plan on doing? It would make life much easier :)

Andy


 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Mon Dec 28, 2009 1:28 am 
Moderator

Joined: Thu Nov 23, 2006 2:23 am
Posts: 2565
I forgot all about that, actually. But I have some free time this week, so I'll look into it...

_________________
2005 Legacy GT w/ ATP 3076, IWG, MBC, BCS, BC 272, LC, FFS, OMG
Please don't send questions via PM. Post a thread and send me a link to it instead. Thanks!


 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Mon Dec 28, 2009 3:19 am 
Experienced

Joined: Mon Aug 18, 2008 11:15 pm
Posts: 316
Location: Chicago, Illinois
I am still having a bit of trouble with the addressing. For instance, in the following example it shows (h'81,gbr) being moved to r0 (at least I think :)). So I hover over the (h'81,gbr) and it shows a location in IDA. OK, so I jump to that location and I get the second set of code I posted. So, 2 questions:
1.) How does IDA get 0x38 out of (h'81,gbr)?
2.) Is 0x38 really a dword? It seems incredibly long!

Thanks again for being patient :)

Andy

Code:
loc_13896:              ; Move Peripherial Byte Data
mov.b   @(h'81,gbr), r0
cmp/eq  #1, r0          ; Compare: Equal
bt      loc_13952       ; Branch if True
mov.b   @(h'82,gbr), r0 ; Move Peripherial Byte Data
cmp/eq  #1, r0          ; Compare: Equal
bt      loc_13952       ; Branch if True
mov.l   @(h'128,pc), r4 ; [000139CC] = CallTDProp ; Move Immediate Long Data
mov.l   @(h'128,pc), r2 ; [000139D0] = Read_2D_Maps ; Move Immediate Long Data
jsr     @r2 ; Read_2D_Maps ; Jump to Subroutine
fmov    fr14, fr4       ; Floating-point move
fmov.s  fr0, @r15       ; Floating-point move single precision
mov.l   @(h'124,pc), r4 ; [000139D4] = dword_9740C ; Move Immediate Long Data
mov.l   @(h'120,pc), r2 ; [000139D0] = Read_2D_Maps ; Move Immediate Long Data
jsr     @r2 ; Read_2D_Maps ; Jump to Subroutine


Code:
ROM:00000038 dword_38:       .datab.l 2, h'FFFFFFFF  ; DATA XREF: ROM:000C3551o
ROM:00000038                                         ; ROM:000C85B1o ...
ROM:00000038                 .data.l h'DF01442B, h'90000, h'FFFFBFA0, h'DF01000B, h'90000
ROM:00000038                 .data.l h'FFFFBFA0, h'E5F74518, h'750A8451, h'E3FF4318
ROM:00000038                 .data.l h'620C737F, h'2239324C, h'E13C622C, h'4118321C
ROM:00000038                 .data.l h'25210009, h'90009, h'9000B, h'9FFFF, h'8441600C
ROM:00000038                 .data.l h'937F2038, h'8B04D643, h'947C917C, h'412BE506
ROM:00000038                 .data.l h'B0009, h'8441600C, h'93732038, h'8B04D63E, h'94729170
ROM:00000038                 .data.l h'412BE506, h'B0009, h'D33B7402, h'D23B2342, h'D13B412B
ROM:00000038                 .data.l h'64226343, h'92614F22, h'7FF81F41, h'8431600C
ROM:00000038                 .data.l h'20298804, h'8B0C6433, h'B0287402, h'D3326503
ROM:00000038                 .data.l h'B0376432, h'2F0066F3, h'94539350, h'430BE501
ROM:00000038                 .data.l h'7F084F26, h'B0009, h'8441600C, h'93452038, h'8B04D62B
ROM:00000038                 .data.l h'94469142, h'412BE506, h'B0009, h'8441600C, h'93392038
ROM:00000038                 .data.l h'8B060002, h'913B2019, h'CBF0400E, h'AFFE0009
ROM:00000038                 .data.l h'B0009, h'8441600C, h'62404028, h'6303622C, h'84424228
ROM:00000038                 .data.l h'600C4018, h'330C4218, h'8443332C, h'600C6433
ROM:00000038                 .data.l h'340C000B, h'60432FE6, h'2FD66D43, h'2FC66C53
ROM:00000038                 .data.l h'2FB63DC2, h'4F229B19, h'8D0AEE00, h'62D4622C
ROM:00000038                 .data.l h'3E2C64ED, h'441934EC, h'4B0B6E4C, h'3DC28BF5
ROM:00000038                 .data.l h'4F2660E3, h'6BF66CF6, h'6DF6000B, h'6EF6FF07
ROM:00000038                 .data.l h'8804C2, h'9000B0, h'C0FF0F, h'484FFFF, h'FEC
ROM:00000038                 .data.l h'FF8, h'FFFFBFA4, h'FFFFBFA0, h'40, h'FE4, h'2FE62FD6
ROM:00000038                 .data.l h'2FC62FB6, h'2FA64F22, h'95986453, h'D358430B
ROM:00000038                 .data.l h'74FED258, h'93932321, h'9292ED01, h'22D1724C
ROM:00000038                 .data.l h'DB5567D3, h'918DE608, h'938CE503, h'2F162F36
ROM:00000038                 .data.l h'2F262FD6, h'D3512F36, h'4B0BE400, h'9283EC00
ROM:00000038                 .data.l h'22C19381, h'23C17218, h'938067D3, h'917DE608
ROM:00000038                 .data.l h'2F1665C3, h'2F26E221, h'2F362FD6, h'2F264B0B
ROM:00000038                 .data.l h'64D3946B, h'D346430B, h'9DA46, h'926F22A1, h'DE45936D
ROM:00000038                 .data.l h'23E1916C, h'21A17206, h'22E17312, h'23E17106
ROM:00000038                 .data.l h'21E17212, h'22E17306, h'23E1711A, h'21E1720E
ROM:00000038                 .data.l h'22E173C0, h'23E1945B, h'24E16141, h'95596453
ROM:00000038                 .data.l h'D132410B, h'74FED332, h'92542231, h'915321D1
ROM:00000038                 .data.l h'9352714C, h'925167D3, h'2F36E608, h'2F26E503
ROM:00000038                 .data.l h'D32D2F16, h'2FD62F36, h'4B0BE420, h'924622C1
ROM:00000038                 .data.l h'934523C1, h'91447218, h'934367D3, h'2F16E608
ROM:00000038                 .data.l h'2F2665C3, h'2F36E221, h'2FD62F26, h'4B0B6423
ROM:00000038                 .data.l h'942FD322, h'430B7F50, h'923422A1, h'933323E1
ROM:00000038                 .data.l h'913221A1, h'720622E1, h'731223E1, h'710621E1
ROM:00000038                 .data.l h'721222E1, h'730623E1, h'711A21E1, h'720E22E1
ROM:00000038                 .data.l h'73C023E1, h'942124E1, h'61414F26, h'6AF66BF6
ROM:00000038                 .data.l h'6CF66DF6, h'B6EF6, h'D002D004, h'D006D100, h'D108D110
ROM:00000038                 .data.l h'D112D120, h'D052D032, h'D030D03A, h'D00AD802
ROM:00000038                 .data.l h'D804D806, h'D900D908, h'D910D912, h'D920D852
ROM:00000038                 .data.l h'D832D830, h'D83AD80A, h'DA8, h'A731, h'DE4, h'FFFFE
ROM:00000038                 .data.l h'DCC, h'FFFE, h'FFFF, h'2FE6E700, h'926FE6FF
ROM:00000038                 .data.l h'4F227FFC, h'2F426320, h'23388F17, h'EE019567
ROM:00000038                 .data.l h'6351633D, h'23E88916, h'94636141, h'611D21E8
ROM:00000038                 .data.l h'890224E1, h'A0186141, h'25E16151, h'975AE500
ROM:00000038                 .data.l h'D33166F2, h'430BE408, h'A01964E3, h'94536341
ROM:00000038                 .data.l h'633D23E8, h'8B01A012, h'6473954D, h'6151611D
ROM:00000038                 .data.l h'21E88903, h'25E16151, h'A0096463, h'24E16141
ROM:00000038                 .data.l h'9743E500, h'D32466F2, h'430BE408, h'64E36043
ROM:00000038                 .data.l h'7F044F26, h'B6EF6, h'2FE66E5C, h'2FD64E15, h'2FC64F22
ROM:00000038                 .data.l h'DD1D8F0A, h'E700627C, h'63D37302, h'323C7701
ROM:00000038                 .data.l h'63642230, h'627C32E3, h'8BF56043, h'9324305C
ROM:00000038                 .data.l h'654C3530, h'8D0380D1, h'911F3510, h'8B02E300
ROM:00000038                 .data.l h'A0032D30, h'D2116120, h'2D10920E, h'63202338
ROM:00000038                 .data.l h'8F1EEE02, h'9C1262C1, h'622D22E8, h'8BFB940E
ROM:00000038                 .data.l h'24E16241, h'970CA01C, h'9BFAC, h'D042D05A, h'D108D842
ROM:00000038                 .data.l h'D85AD908, h'E000D8, h'D022D032, h'D128FFFF, h'E84
ROM:00000038                 .data.l h'FFFFBFB0, h'FE0, h'9C1262C1, h'622D22E8, h'8BFB940E
ROM:00000038                 .data.l h'24E16241, h'970C66D3, h'D306E500, h'430BE408
ROM:00000038                 .data.l h'2CE14F26, h'6CF66DF6, h'B6EF6, h'D822D832, h'D928FFFF
ROM:00000038                 .data.l h'EAC, h'2FE64F22, h'9E7160E0, h'600CC880, h'8914D23B
ROM:00000038                 .data.l h'420B0009, h'600C2008, h'8902D239, h'A0022E21
ROM:00000038                 .data.l h'D1382E11, h'93626030, h'600C8877, h'8B04925E
ROM:00000038                 .data.l h'D1356021, h'201A2201, h'4F26000B, h'6EF6D233
ROM:00000038                 .data.l h'63202338, h'8B029153, h'412B0009, h'9351432B
ROM:00000038                 .data.l h'92FE6, h'4F229E4D, h'D32D64E1, h'D12B644D, h'62104408
ROM:00000038                 .data.l h'44002228, h'8F06343C, h'9243420B, h'96503, h'A0048801
ROM:00000038                 .data.l h'923E420B, h'96503, h'60538801, h'8B0962E1, h'72012E21
ROM:00000038                 .data.l h'63E1E264, h'633D3323, h'8B01E100, h'2E114F26
ROM:00000038                 .data.l h'B6EF6, h'942B6541, h'D31A655D, h'62414508, h'45007201
ROM:00000038                 .data.l h'2421E264, h'6141611D, h'31238F02, h'353CE000
ROM:00000038                 .data.l h'2401000B, h'6053E400, h'93142341, h'9215000B
ROM:00000038                 .data.l h'2241930F, h'91116431, h'6211644D, h'622D3428
ROM:00000038                 .data.l h'44118900, h'7464000B, h'6043EC10, h'BFADF738
ROM:00000038                 .data.l h'3C405F8, h'BFB80344, h'5CCBFBA, h'EE4, h'A53D
ROM:00000038                 .data.l h'A53C, h'8000, h'FFFFBFA8, h'FFFFB4E0, h'9559E400
ROM:00000038                 .data.l h'9658E708, h'254077FF, h'26402778, h'76018FF9
ROM:00000038                 .data.l h'75019750, h'25707501, h'26707601, h'E70377FF
ROM:00000038                 .data.l h'25402778, h'26407601, h'8FF97501, h'B0009, h'913F8418
ROM:00000038                 .data.l h'600C8855, h'8901000B, h'E0FFE600, h'6013E708
ROM:00000038                 .data.l h'65437601, h'63043672, h'25308FFA, h'75019030
ROM:00000038                 .data.l h'8018E001, h'B0009, h'2FE69E29, h'972960E3, h'61E37108
ROM:00000038                 .data.l h'6210622C, h'32708BFB, h'9222674C, h'37208902
ROM:00000038                 .data.l h'911F3710, h'8B02E200, h'A0032020, h'D30D6130
ROM:00000038                 .data.l h'20106043, h'305C61E3, h'80E1675C, h'71024715
ROM:00000038                 .data.l h'8F07E400, h'63647401, h'2130624C, h'32738FF9
ROM:00000038                 .data.l h'7101E055, h'80E8000B, h'6EF6BFE4, h'BFF000AA
ROM:00000038                 .data.l h'E000D8, h'FE0, h'935E6E43, h'6D53430B, h'EC01B07C
ROM:00000038                 .data.l h'9B090, h'99256, h'420B0009, h'9354430B, h'99252
ROM:00000038                 .data.l h'420B0009, h'2EE88B61, h'934EE200, h'2320D128
ROM:00000038                 .data.l h'D2286022, h'30108906, h'B0A4E407, h'64032448
ROM:00000038                 .data.l h'8B01EC00, h'9E4160C3, h'88018B54, h'9C3EDD22
ROM:00000038                 .data.l h'4D0B0009, h'600C8802, h'8903D320, h'6032A002
ROM:00000038                 .data.l h'9D21F, h'602288FF, h'890D4D0B, h'9600C, h'88028903
ROM:00000038                 .data.l h'D3196032, h'A0020009, h'D2186022, h'600288FF
ROM:00000038                 .data.l h'8B0BB07D, h'E4076403, h'24488931, h'60C288FF
ROM:00000038                 .data.l h'8B06B1F1, h'9AFF4, h'960C2, h'88FF8901, h'A0276EC2
ROM:00000038                 .data.l h'4D0B0009, h'600C8802, h'8903D30C, h'6E32A01E
ROM:00000038                 .data.l h'9D20B, h'A01B6E22, h'4C01B4, h'598054A, h'BFAC0924
ROM:00000038                 .data.l h'1000FFFF, h'5AA5A55A, h'FFFFBFFC, h'EE4, h'FFFFC
ROM:00000038                 .data.l h'17FFFC, h'FFFF8, h'17FFF8, h'D34A9283, h'420B23D0
ROM:00000038                 .data.l h'9E81D349, h'D2492232, h'937E430B, h'64E3AFFE
ROM:00000038                 .data.l h'92FE6, h'4F229378, h'92782231, h'9E7773E1, h'2E31D343
ROM:00000038                 .data.l h'430B61E0, h'600C2008, h'8902D341, h'A0022E31
ROM:00000038                 .data.l h'D1402E11, h'4F26000B, h'6EF6E400, h'93662341
ROM:00000038                 .data.l h'9565E720, h'96646043, h'25414710, h'81516063
ROM:00000038                 .data.l h'81526043, h'81588159, h'8FF57520, h'93566031
ROM:00000038                 .data.l h'CB012301, h'92552241, h'9554E720, h'25416043
ROM:00000038                 .data.l h'81514710, h'60638152, h'60438158, h'81598FF5
ROM:00000038                 .data.l h'75209346, h'6031CB01, h'B2301, h'2FE62FD6, h'2FC6ED00
ROM:00000038                 .data.l h'2FB66ED3, h'9C37EB01, h'2FA66A4D, h'2F964A15
ROM:00000038                 .data.l h'2F8669B3, h'4F22D81D, h'8F1E797F, h'B0420009
ROM:00000038                 .data.l h'932F430B, h'2800922D, h'420B0009, h'600D2008
ROM:00000038                 .data.l h'89089228, h'420B0009, h'B03D6403, h'20088901
ROM:00000038                 .data.l h'A00A6BD3, h'62C0622C, h'22988902, h'921C420B
ROM:00000038                 .data.l h'7E0163ED


 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Mon Dec 28, 2009 8:57 am 
Experienced

Joined: Wed Feb 13, 2008 3:00 am
Posts: 153
Which rom is this from? I'll have to check it out to be sure. Either way, it looks like the subroutine is running a couple checks before pulling the data or not pulling the data, and the table/LUT/pull2d is the same.

0x38 isn't really that big, it's just how IDA labels it (as an array, if I'm not mistaken). If you go to the end of the "ROM: 00000038" lines, it will suddenly switch over to normal address labels. I haven't really looked into it, but in another ROM it looks like the code/data at 0x38 just isn't properly analyzed by IDA.

_________________
06 Wrx Wagon 2.3 longrod in the works


 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Mon Dec 28, 2009 10:23 am 
RomRaider Donator

Joined: Wed Jul 12, 2006 3:01 pm
Posts: 154
elevenpoint7five wrote:
I am still having a bit of trouble with the addressing. For instance, in the following example it shows (h'81,gbr) being moved to r0 (at least I think :)). So I hover over the (h'81,gbr) and it shows a location in IDA. OK, so I jump to that location and I get the second set of code I posted. So, 2 questions:
1.) How does IDA get 0x38 out of (h'81,gbr)?
2.) Is 0x38 really a dword? It seems incredibly long!

Thanks again for being patient :)

Andy

Code:
loc_13896:              ; Move Peripherial Byte Data
mov.b   @(h'81,gbr), r0
cmp/eq  #1, r0          ; Compare: Equal
bt      loc_13952       ; Branch if True
mov.b   @(h'82,gbr), r0 ; Move Peripherial Byte Data
cmp/eq  #1, r0          ; Compare: Equal
bt      loc_13952       ; Branch if True
mov.l   @(h'128,pc), r4 ; [000139CC] = CallTDProp ; Move Immediate Long Data
mov.l   @(h'128,pc), r2 ; [000139D0] = Read_2D_Maps ; Move Immediate Long Data
jsr     @r2 ; Read_2D_Maps ; Jump to Subroutine
fmov    fr14, fr4       ; Floating-point move
fmov.s  fr0, @r15       ; Floating-point move single precision
mov.l   @(h'124,pc), r4 ; [000139D4] = dword_9740C ; Move Immediate Long Data
mov.l   @(h'120,pc), r2 ; [000139D0] = Read_2D_Maps ; Move Immediate Long Data
jsr     @r2 ; Read_2D_Maps ; Jump to Subroutine

For SSM, read this thread: http://www.romraider.com/forum/topic5405.html. There are examples of the subroutines posted there, easy for reference and understanding. I asked the same questions there and later managed to find the full list of reference functions.

For the addressing mode:
loc_13896: ; Move Peripheral Byte Data
mov.b @(h'81,gbr), r0


Please refer to the top of the subroutine; there will be a command ldc rx, gbr. Register rx contains the RAM address for the GBR.
For a following command like mov.b @(h'81,gbr), r0
=> it moves a byte (signed) from GBR + 0x81 to register r0.

For the big data block that you posted, use the 'u' command to undefine it, then use the 'c' command to redefine the available code.


 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Sun Jan 03, 2010 4:15 am 
Offline
Experienced

Joined: Mon Aug 18, 2008 11:15 pm
Posts: 316
Location: Chicago, Illinois
I feel like I am missing something. I can't seem to figure out where the gbr is located. I am going through an 04 STi and an 08 STi ROM and I can't find any commands like ldc rx, gbr; what am I missing? I am understanding the basic commands, but it is still the addressing that is getting me. I am reading every thread I can find and I have 2 different manuals that I am constantly going through as well. I really want to learn this!

Thanks,
Andy


 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Sun Jan 03, 2010 12:04 pm 
Offline
RomRaider Donator

Joined: Wed Jul 12, 2006 3:01 pm
Posts: 154
An illustration for you:
ROM:00047B2A stc.l gbr, @-r15
ROM:00047B2C mov.l @(h'1DC,pc), r0 ; [00047D0C] = unk_FFFF8290
ROM:00047B2E ldc r0, gbr

The code above tells you that gbr is set to FFFF8290.


Code:
ROM:00047B16
ROM:00047B16 ; =============== S U B R O U T I N E =======================================
ROM:00047B16
ROM:00047B16 ; Idling related, in progress
ROM:00047B16
ROM:00047B16 sub_47B16:                              ; CODE XREF: sub_40A2C+442p
ROM:00047B16                                         ; DATA XREF: sub_40A2C:off_410B4o
ROM:00047B16                 mov.l   r8, @-r15
ROM:00047B18                 mov.l   r9, @-r15
ROM:00047B1A                 mov.l   r10, @-r15
ROM:00047B1C                 mov.l   r11, @-r15
ROM:00047B1E                 mov.l   r12, @-r15
ROM:00047B20                 mov.l   r13, @-r15
ROM:00047B22                 mov.l   r14, @-r15
ROM:00047B24                 sts.l   pr, @-r15
ROM:00047B26                 fmov.s  fr14, @-r15
ROM:00047B28                 fmov.s  fr15, @-r15
ROM:00047B2A                 stc.l   gbr, @-r15
ROM:00047B2C                 mov.l   @(h'1DC,pc), r0 ; [00047D0C] = unk_FFFF8290
ROM:00047B2E                 ldc     r0, gbr
ROM:00047B30                 add     #-h'48, r15
ROM:00047B32                 mov.l   @(h'1DC,pc), r2 ; [00047D10] = RPM_FFFF6814
ROM:00047B34                 fmov.s  @r2, fr14
ROM:00047B36                 mov.l   @(h'1DC,pc), r2 ; [00047D14] = unk_FFFF84F0
ROM:00047B38                 fmov.s  @r2, fr15
ROM:00047B3A                 mov.l   @(h'1DC,pc), r2 ; [00047D18] = sub_34E68
ROM:00047B3C                 jsr     @r2 ; sub_34E68 ; status of FFFF7743
ROM:00047B3E                 nop




Information for VBR.
Go to the last segment of your ROM; for a 1MB ROM it is FFFFF. From there you should see some code as below.

Refer to the last segment of ROM code.
Close to the bottom of FFFFF, at the end of the VBR table, you should see 0xFFFFFFFF 0xFFFFFFFF followed by a reference to a subroutine; that is the VBR start-up routine.

For my case of AZ1E400C (EDM WRX08), the VBR routine is sub_FA20.

Code of last segment of ROM.
Code:
ROM:000FFF50                 .data.l sub_288C        ; AD1 IRQ Routine
ROM:000FFF54                 .data.l sub_E7DA        ; MT/AD1
ROM:000FFF58                 .data.l sub_28BC
ROM:000FFF5C                 .data.l sub_E7DA        ; MT/AD1 IRQ
ROM:000FFF60                 .data.l sub_28D4
ROM:000FFF64                 .data.l sub_E7DA        ; MT/AD1 IRQ
ROM:000FFF68                 .data.l sub_E7DA        ; MT/AD1 IRQ
ROM:000FFF6C                 .data.l sub_E7DA        ; MT/AD1 IRQ
ROM:000FFF70                 .data.l sub_28EC
ROM:000FFF74                 .data.l sub_2964
ROM:000FFF78                 .data.l sub_29DC
ROM:000FFF7C                 .data.l sub_2A54
ROM:000FFF80                 .data.l sub_2904
ROM:000FFF84                 .data.l sub_297C
ROM:000FFF88                 .data.l sub_29F4
ROM:000FFF8C                 .data.l sub_2A6C
ROM:000FFF90                 .data.l sub_291C
ROM:000FFF94                 .data.l sub_2994
ROM:000FFF98                 .data.l sub_2A0C
ROM:000FFF9C                 .data.l sub_2A84
ROM:000FFFA0                 .data.l sub_2934
ROM:000FFFA4                 .data.l sub_29AC
ROM:000FFFA8                 .data.l sub_2A24
ROM:000FFFAC                 .data.l sub_2A9C
ROM:000FFFB0                 .data.l sub_294C
ROM:000FFFB4                 .data.l sub_29C4
ROM:000FFFB8                 .data.l sub_2A3C
ROM:000FFFBC                 .data.l sub_2AB4
ROM:000FFFC0                 .data.l sub_2ACC
ROM:000FFFC4                 .data.l sub_2AFC
ROM:000FFFC8 off_FFFC8:      .data.l sub_2B2C
ROM:000FFFCC                 .data.l sub_2B5C
ROM:000FFFD0                 .data.l sub_F6BC
ROM:000FFFD4                 .data.l sub_E7DA        ; MT/AD1 IRQ
ROM:000FFFD8                 .data.l sub_E7DA        ; MT/AD1 IRQ
ROM:000FFFDC                 .data.l sub_E7DA        ; MT/AD1 IRQ
ROM:000FFFE0                 .data.l sub_2AE4
ROM:000FFFE4                 .data.l sub_2B14
ROM:000FFFE8                 .data.l sub_2B44
ROM:000FFFEC                 .data.l sub_2B74
ROM:000FFFF0                 .datab.l 2, h'FFFFFFFF
ROM:000FFFF8 off_FFFF8:      .data.l sub_FA20        ; DATA XREF: sub_65C:off_740o
ROM:000FFFF8                                         ; ROM:off_13DCo
ROM:000FFFF8                                         ; VBR start up routine
ROM:000FFFFC dword_FFFFC:    .data.l h'2004          ; DATA XREF: sub_65C:off_738o
ROM:000FFFFC                                         ; ROM:off_13D4o ...
ROM:000FFFFC




Below is the VBR routine.
FFC50 is the starting address for the VBR table:
ROM:0000FA2A mov.l @(h'114,pc), r2 ; [0000FB40] = off_FFC50
ROM:0000FA2C ldc r2, vbr


Code:
ROM:0000FA0A
ROM:0000FA0A ; ---------------------------------------------------------------------------
ROM:0000FA0C dword_FA0C:     .data.l h'E00000        ; DATA XREF: sub_F968+14r
ROM:0000FA10 off_FA10:       .data.l off_11B14       ; DATA XREF: sub_F968+8r
ROM:0000FA14 off_FA14:       .data.l sub_BE750       ; DATA XREF: sub_F968+Cr
ROM:0000FA18 off_FA18:       .data.l unk_FFFF4558    ; DATA XREF: sub_F968+2Cr
ROM:0000FA1C off_FA1C:       .data.l sub_BE760       ; DATA XREF: sub_F968:loc_F9F6r
ROM:0000FA20
ROM:0000FA20 ; =============== S U B R O U T I N E =======================================
ROM:0000FA20
ROM:0000FA20 ; VBR start up routine
ROM:0000FA20
ROM:0000FA20 sub_FA20:                               ; DATA XREF: ROM:off_FFFF8o
ROM:0000FA20                 mov.w   @(h'10C,pc), r3 ; [0000FB30] = h'FFFFFF0F
ROM:0000FA22                 stc     sr, r0
ROM:0000FA24                 and     r3, r0
ROM:0000FA26                 or      #h'F0, r0
ROM:0000FA28                 ldc     r0, sr
ROM:0000FA2A                 mov.l   @(h'114,pc), r2 ; [0000FB40] = off_FFC50
ROM:0000FA2C                 ldc     r2, vbr
ROM:0000FA2E                 mov.l   @(h'114,pc), r3 ; [0000FB44] = (loc_40000+1)
ROM:0000FA30                 mov.l   @(h'114,pc), r1 ; [0000FB48] = off_11C38
ROM:0000FA32                 lds     r3, fpscr
ROM:0000FA34                 mov.l   @(h'114,pc), r2 ; [0000FB4C] = sub_402A
ROM:0000FA36                 jsr     @r2 ; sub_402A
ROM:0000FA38                 mov.l   @r1, r4
ROM:0000FA3A                 mov.w   @(h'F4,pc), r3 ; [0000FB32] = h'88
ROM:0000FA3C                 mov.w   @(h'F4,pc), r2 ; [0000FB34] = h'FFFFBFAD
ROM:0000FA3E                 mov.l   @(h'110,pc), r1 ; [0000FB50] = sub_FB7C
ROM:0000FA40                 jsr     @r1 ; sub_FB7C
ROM:0000FA42                 mov.b   r3, @r2
ROM:0000FA44
ROM:0000FA44 loc_FA44:                               ; CODE XREF: sub_FA20:loc_FA44j
ROM:0000FA44                 bra     loc_FA44
ROM:0000FA46                 nop
ROM:0000FA46 ; End of function sub_FA20
ROM:0000FA46


I hope the illustration above can help people to understand more.
Learning together is definitely more fun than walking alone...
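The GBR and VBR addressing described above (PC-relative literal loads, ldc rx, gbr, mov.b @(disp,gbr), and the start-up pointer at the end of a 1 MB ROM), as an added worked example that is not part of this post or of RomRaider. The function names are my own and the sample image bytes are constructed from the listings above, so it runs without a real ROM.

```python
"""Resolve the SH-2 addressing forms discussed above (IDA 'ROM:' listing conventions)."""
import struct

def pc_rel_ea(addr, word):
    """Effective address of mov.w/mov.l @(disp,pc),Rn located at `addr`.
    SH-2 reads PC as addr+4; mov.l also clears the low two bits of that PC."""
    disp = word & 0xFF
    if word & 0xF000 == 0x9000:                  # mov.w @(disp,pc),Rn: disp*2
        return addr + 4 + disp * 2
    if word & 0xF000 == 0xD000:                  # mov.l @(disp,pc),Rn: disp*4
        return ((addr + 4) & ~3) + disp * 4
    raise ValueError("not a PC-relative load: %04X" % word)

def describe(addr, word):
    """IDA-style text for the addressing-related opcodes in the posts above."""
    n = (word >> 8) & 0xF
    if word & 0xF000 in (0x9000, 0xD000):
        size, scale = ("w", 2) if word & 0xF000 == 0x9000 else ("l", 4)
        return "mov.%s @(h'%X,pc), r%d ; [%08X]" % (size, (word & 0xFF) * scale, n, pc_rel_ea(addr, word))
    if word & 0xF0FF == 0x401E:
        return "ldc r%d, gbr" % n
    if word & 0xFF00 == 0xC400:                  # mov.b @(disp,gbr),r0: disp is a byte offset
        return "mov.b @(h'%X,gbr), r0 ; signed byte at GBR+h'%X" % (word & 0xFF, word & 0xFF)
    return ".data.w h'%04X" % word

def find_gbr_base(image, base):
    """Scan big-endian `image` (loaded at `base`) for `ldc rN, gbr` and return the
    literal that the preceding mov.l @(disp,pc),rN loads into rN, i.e. the GBR value."""
    for off in range(2, len(image) - 1, 2):
        word, prev = struct.unpack_from(">H", image, off)[0], struct.unpack_from(">H", image, off - 2)[0]
        n = (word >> 8) & 0xF
        if (word & 0xF0FF) == 0x401E and (prev & 0xFF00) == (0xD000 | (n << 8)):
            ea = pc_rel_ea(base + off - 2, prev)
            return struct.unpack_from(">I", image, ea - base)[0]
    return None

def vbr_startup_pointer(rom):
    """Last 16 bytes of the ROM: h'FFFFFFFF, h'FFFFFFFF, the VBR start-up routine, one dword."""
    pad0, pad1, start, _ = struct.unpack_from(">4I", rom, len(rom) - 16)
    if (pad0, pad1) != (0xFFFFFFFF, 0xFFFFFFFF):
        raise ValueError("end-of-ROM marker not found")
    return start

# Constructed sample (not a real ROM): the three words at ROM:00047B2A above
# (stc.l gbr,@-r15 / mov.l @(h'1DC,pc),r0 / ldc r0,gbr) and the literal at 00047D0C.
SAMPLE_BASE = 0x47B2A
SAMPLE = bytearray(0x200)
struct.pack_into(">HHH", SAMPLE, 0, 0x4F13, 0xD077, 0x401E)
struct.pack_into(">I", SAMPLE, 0x47D0C - SAMPLE_BASE, 0xFFFF8290)
# Constructed ROM tail (last 32 bytes of a 1 MB image) modelled on ROM:000FFFF0 above.
ROM_TAIL = bytes(16) + struct.pack(">4I", 0xFFFFFFFF, 0xFFFFFFFF, 0xFA20, 0x2004)
```

Running find_gbr_base on a real 1 MB image with base 0 gives the FFFF8290-style value the thread describes, and the mov.w check shows why IDA prints h'10C for an opcode whose 8-bit field is only h'86.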


 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Mon Jan 04, 2010 2:25 am 
Offline
Experienced

Joined: Mon Aug 18, 2008 11:15 pm
Posts: 316
Location: Chicago, Illinois
Fantastic! Thank you so much! You are absolutely right, learning together is much better. I feel like I am getting a late start here which makes me feel bad for all the questions I ask, but I appreciate everyone being patient! :)

Currently looking at an 09 WRX (AZ1G401V); it seems that the SSM LUT is at 0x5ACCC, however it isn't all subroutines like I had expected. At some point it switches over to doublewords with a "+h'xx" after them, and I'm not sure how this works. Am I supposed to add the "h'xx" to the address of the doubleword, or is that the location of the value in the array that IDA created (which is really annoying by the way; anyone know how to make it NOT do that?). Here is a bit of code to show you what I am talking about:

Code:
ROM:0005AE4C                 .data.l dword_54580+h'11C
ROM:0005AE50                 .data.l dword_54580+h'12E
ROM:0005AE54                 .data.l dword_54580+h'1AE
ROM:0005AE58                 .data.l dword_54580+h'238
ROM:0005AE5C                 .data.l dword_54580+h'314
ROM:0005AE60                 .data.l dword_54580+h'3A0
ROM:0005AE64                 .data.l dword_54580+h'3FA
ROM:0005AE68                 .data.l dword_54580+h'470
ROM:0005AE6C                 .data.l dword_54580+h'47A
ROM:0005AE70                 .data.l dword_54580+h'510
ROM:0005AE74                 .data.l dword_54580+h'52E
ROM:0005AE78                 .data.l dword_54580+h'54C
ROM:0005AE7C                 .data.l dword_54580+h'556
ROM:0005AE80                 .data.l dword_54580+h'560
ROM:0005AE84                 .data.l dword_54580+h'56A
ROM:0005AE88                 .data.l dword_54580+h'5F0
ROM:0005AE8C                 .data.l dword_54580+h'604
ROM:0005AE90                 .data.l dword_54580+h'61C


Most of the SSM addresses seem to work out, though once I got down by Primary WGDC they seemed to not all match up. I just labeled what did match up and left the rest for now. I don't need to completely define this ROM and know everything about it; I am just trying to get through a few different ROMs to have an idea of how the 32-bit stuff works and looks, so I can start defining the 2010 stuff as well as looking into some issues/missing defs from previous MY ROMs.

Andy


 Post subject: Re: 32-bit Disassembly in IDA
PostPosted: Mon Jan 04, 2010 5:15 pm 
Offline
RomRaider Donator

Joined: Wed Jul 12, 2006 3:01 pm
Posts: 154
For 32-bit SSM, what you have discovered is another reference table which contains the passing parameters for the SSM function.

Do this:
Trace to the routine that contains the 1st byte of the ECUID. Look for one routine above this ECUID routine, and from this routine check the cross references; you should be able to see the SSM subroutine listing. They are just around there, and you are about to get it right.

I spent much more time reading up on ECU logic with IDA than tuning cars. No more kick from tuning after a while; it becomes monotonous work.

