WIP - How to open MS41 with IDA (setup memory map)

Enabled · **Posted:** Mon Mar 02, 2015 8:38 pm

Well, I think I finally got something. Converted to mem file (finally found the converter, freely available, I was looking all over his site to purchase), then tried the instructions.

*.bin to *.mem Converter - viewtopic.php?f=42&t=11321

Attachment:

progress.png

This is hilarious to me, I guess I'll be the idiot in class that had the courage and raise my hand to say we don't all understand. At the expense of peoples' perception of me.
Baby steps. You may change my forum title from "Experienced" to "Still a Newbie".

dschultz · **Posted:** Tue Mar 03, 2015 12:09 am

Enabled wrote:

Attachment:

entry.png

You must be an advanced user... and have the checkbox to never remind you again. :lol:

You get this prompt if you try to open the binary without selecting a Processor Type in the drop down list first.

Cloudforce · **Joined:** Wed Aug 27, 2014 7:57 am **Posts:** 259

Enabled wrote:

This is hilarious to me, I guess I'll be the idiot in class that had the courage and raise my hand to say we don't all understand. At the expense of peoples' perception of me.
Baby steps. You may change my forum title from "Experienced" to "Still a Newbie".

I know how that feels... oh i know it :oops:

ba114 · **Joined:** Wed Oct 21, 2015 2:36 am **Posts:** 980

If anyone has a project file setup that they could share, i'd really appreciate it

ba114 · **Joined:** Wed Oct 21, 2015 2:36 am **Posts:** 980

dschultz wrote:

Once you run the IDA script you should have a ROM that is >75% disassembled. A few functions need to be visited in the 0x20000 and 0x30000 segments. The ones with red prefix lines, you can go to the start of each red section and press 'p' to create a function. You will see more of the code gets disassembled and in ~10 minutes you can get it all disassembled.

Just confirming that per the attached screenshot, i click the reference where the red line starts (x200C2) and presss 'P' and continue to do this each time i come across a red line?

dschultz · **Posted:** Sat Sep 03, 2016 8:37 am

You press P while on the first line of the code you wish to change to a function, where the code address prefix is red.

ba114 · **Joined:** Wed Oct 21, 2015 2:36 am **Posts:** 980

dschultz wrote:

You press P while on the first line of the code you wish to change to a function, where it code address prefix is red.

thanks. thats more clear now. the dark red and black text are pretty hard to differentiate on this old laptop screen

hobbit382 · **Joined:** Thu Dec 04, 2014 6:37 pm **Posts:** 139

Followed instruction on setting up Ida, seems to be working correctly but how do I go about labeling everything and making use of it? Sorry for the newb question

dschultz · **Posted:** Thu Oct 27, 2016 8:10 pm

Press N to name subs and locations, press ; to write comments etc.

hobbit382 · **Joined:** Thu Dec 04, 2014 6:37 pm **Posts:** 139

I understand that part but I guess maybe I'm looking for a getting started guide. What the best way to figure out which sub is which? Should I start but entering in the known addresses of data to help me find the sub routines? I guess that's where I'm lost

dschultz · **Posted:** Thu Oct 27, 2016 9:00 pm

Yes, take what you know from the logger and editor defs and start marking the ROM.
If you could convince the XmlToIdc utility to accept your defs it would speed that part of the process.

Cloudforce · **Joined:** Wed Aug 27, 2014 7:57 am **Posts:** 259

Is the processor able to handle dword application? Moving, OR'ing etc.

a32guy · **Joined:** Fri Mar 06, 2015 1:01 pm **Posts:** 36

dschultz wrote:

You will need to go to the jump table ~0x2400 and convert the data to words and then set the appropriate offset (ctrl-R) to either 0x20000 or 0x30000 whichever references a sub_.

How the C166 deals with DPP Registers - http://www.hitex.com/fileadmin/img/down ... isters.pdf

Visiting this topic again -- Thanks for laying this out so clearly. I've gotten an MS41.2 mem file loaded up in IDA and have had partial success with the XmlToIdc utility. I was able to get the table defs and extended defs loaded (see screen) which is very helpful in browsing subroutines.

However I lost you at 'convert the data to words'... Forgive me, first time working in IDA and haven't had an assembly class since college some years ago. I believe I've located what you're referring to, at ~0x2100 (see attached). Also, your link to the DPP read has gone bad over the years, but I found a copy floating around (attached).

My goal is to find post overrun enrichment, and I believe with enough poking I just might have a chance at success :mrgreen:

mattbarn · **Joined:** Wed Mar 05, 2014 1:47 pm **Posts:** 21

XML to IDC has failed you. The data section gets mapped at 0x10000 so you would need to add that to every address to convert from a "just cal" address to a full read address.

At some point the IDA people added decoding for long addresses like the SubR table (see attachment). Just hit D enough times to make the address correct and then hit O to tell IDA it's an offset.

"convert data to words" also means hitting D until the value you are on is represented correctly in IDA.

mattbarn · **Joined:** Wed Mar 05, 2014 1:47 pm **Posts:** 21

dschultz wrote:

I came up with this memory map. Comments...?

Attachment:

MS41.png

Looks right to me. I wish someone had showed me this in about 2009.

0xD800 is the CAN controller, it's on the bus with the memory instead of inside the processor like we use now. (Old school)

RomRaider

Forum rules

WIP - How to open MS41 with IDA (setup memory map)

Who is online