RomRaider

So, I've been trying my luck with IDA lately, and learning a ton of stuff about the roms, disassembly, assembly, etc... but now I'm in somewhat of a rut and I need some pointers/advice.

I've got everything set up properly in IDA; sh4b, created ram section, selected 7058 processor, etc. But I'm having difficulty getting anything worthwhile done after that.

Here's what I've been going over so far:

http://forums.openecu.org/viewtopic.php ... ly&start=0
topic2184.html?hilit=disassembly

After stumbling upon the first thread, I looked at the reset vector on my map (A8DH200X - 2006 wrx), and went to the Program Counter and Stack Pointer locations and tried the 'c' auto-analysis. This unfolds a little bit of the very early portions of the rom, and I see a reference at the stack pointer so it looks good, but it's hardly anything. Is this just the OS level code?

So. in Freon's thread, he says to convert to offsets in the 0x4000-0x6000 range, and look for the following pattern, and marking each as a subroutine. I'm not sure what specifically to mark as a subroutine, ie; part of each pattern, beginning of one pattern, etc.


Also, Tgui got alot of the bar turned blue by highlighting that range, and doing the auto-analysis. When I try this, I have to force directly to code to get anything blue, but I'm unsure if this is the correct way to go about this.

Any help, pointers, links, etc are greatly appreciated.

There's no simple method that is going to unfold the entire ROM with a few keystrokes. I usually look for a series of jump instructions (opcode 0x430B or 0x420B) starting around 0x6000 and begin marking those blocks as code. A lot of the ROM will unfold this way and covers 99% of anything I would want to deal with. Then you can go back manually check the rest of the ROM if you want. You could start at the reset vector and get to the same point, but it is more time consuming. I'm certainly no expert when it comes to IDA - I just use it solely to get to the code/data I want to analyze.

Finding the VBR is probably the single best technique. Here's an example for the A2ZJ710J (2004 USDM STI, 3rd and final revision), 7055 CPU.

You need to find where the vector base address is set. There are specific instructions to set it.


It is set as an indirect address in the ROM. Then, at that place in the ROM you'll see a whole series of subroutine locations.

Starting at the VBR and for the next 0x200 or whatever, all the interrupts and exception processing subroutine calls are defined. You can find these definitions in the hardware manual for the 7055 or 7058, whichever you may be using.

The problem is finding where the VBR is set. It may be easier to find what is probably used as the VBR table first. I think it is typically near the end of the ROM, but it could be anywhere.

Thanks! I started marking those opcodes and got some good progress. Looking up offsets from the defs for a few tables and values I was able to find references to code, so I can start to make some sense of it all.

A few things weren't referenced, but I think they'll turn up after going through the above.

Thanks guys!

Cool. I feel like I'm alone when it comes to this stuff for Subarus as far as analysis in IDA (deciphering logic/adding new ECU & logger defs/hacks). A lot guys get started with it but eventually flake out for some reason. Seems like Evo guys have more of community for this sort of thing.

Perhaps the old hands in the Evo community are sharing their annotated disassemblies with newcomers who want to help so the newbs don't all have to start from page 1 like they do here.

There's one posted on aktivematrix, but it seems the majority of the Evo guys are working on their ROMs relevant to their particular model/year (I have yet to see an Evo IDA "annotated disassembly" that would be useful to anyone starting out). You would actually have an advantage with the Subarus as you have ECU/logger XML definitions covering, equally in scope, every single ROM that has ever been uploaded by the community (almost 190 short of the twin-turbo LGTs), which you do not have with the Evos. I can't/won't release any of my IDA work as I'm using a copy of IDA from someone I know. Probably wouldn't help much anyway as I'm not very consistent with comments, but the whole purpose of this new "ECU analysis" forum is to discuss this sort thing (logic, disassembly and hacks). I certainly don't know everything, but I'm willing to help anyone with what I do know as long as they are not trying to do something commercial with it (which seems to be the pattern of late with pay-for Subaru loggers and other hacks).

So, I had some time today, and set out to find all this VBR stuff.

I did a pattern search for the LDC r3,VBR command, opcode 432E. After looking around at all the instances, I found one good one in the early rom, and sure enough it points to the end of the rom, where I found all of those subroutines and marked them. I also marked the runtime_0 sub.

My question is, where do I go from here to get this thing to open up? I presume it has something to do with the runtime_0 sub? Or should I just go look for the jump tables as usual?

Thanks!

Well, you go to the VBR area and start marking all of them as subroutines. It should start bouncing around and mark about 90% of the code in the ROM for you from there.

Hmm, I've marked them all subroutines, but I'm only getting it to open up in the early rom and a small section in the middle. Somehow it's not finding the link between the OS and control code.

Options > General > Analysis > Kernel 1 > Make Final Analysis Pass (must be checked)

Did the trick!

I'm playing with this now... I found the VBR and IDA explored most of the ROM image from there.

How do I get IDA to recognize RAM? I'm hoping to get results like this:
download/file.php?id=5391&mode=view

I defined a RAM segment from FFFF:0000 to FFFF:FFFF, and I get a bunch of ".res.b. 1" stuff in that segment. I've defined names for a few addresses based on extended parameters for my ECU, but IDA doesn't show any XREF for addresses in my RAM segment. Any thoughts on what I'm doing wrong?

Thanks!

Which ecu are you using?

For the 7055s, ram is FFFF6000 through FFFFDFFF
7058 is FFFF0000 through FFFFBFFF

If you're not sure which, IDA will tell you after you select the SH4B language during the setup.

I've found that you must define the RAM section when you first open the hex file. Trying to define it after the rom is open hasn't worked for me, although it could be an issue with my IDA.

you can create a ram segment later, you just have to hit reanalyze in options -> general -> analysis.

Reanalyze did the trick, thanks.