RomRaider

Starting this thread to document how someone can open up a MS41 256KB ROM file with IDA and set up parameters correctly. We may have to generate a script file similar to what Andy Whitaker did for the ME7 ECU as posted about here - viewtopic.php?t=8749&start=680.

So let's take this thread to collaborate on this and once we've hashed it out, we can post it on our wiki.

Step 1
To disassemble in IDA. I open the ROM using an 80C166 processor and then go to x20000h and hit 'C' the hex into code. Then I hit 'Ctrl+U' which automatically takes me to the next unexplored/undefined area, then hit 'C' again. I do this repeatedly for about 15 mins straight until the entire program section is disassembled. There has GOT to be a better way.


Step 2
Figure out how the code references the 24KB portion. For example, in the 256KB ROM I downloaded with Carsoft, I have to add x10000h to each value to get the absolute address. So if the code is referencing data at xB14h, I add x10000h and get x10B14h which is where the data actually is in the 256KB ROM. But this has to be done for each address and can be very time consuming. There has GOT to be a better way. The code must setup DPP0,DPP1 etc. early on so when it reads xB14h the processor automatically goes to x10B14h etc.


Anyway, let's discuss and figure this out.

Somehow I came up with this segmentation.
Is it correct? It's been a while since I opened up this project.


Does the auto analyze not work for you?
Start with the ResetHandler an press C. Then goto the General settings and make sure (1) is checked and then press (2).

Oh... That works a hell of a lot better! Looks like my 'Step 1' has been answered.

It converts damn near everything to code. I don't know if your memory map is correct. I know from x20000h onwards it's all code.

How do I tell it to convert from x10000h to x20000h to DATA? The following is actually DATA.




And do I use 'offset by segment' Alt+R to get the code to reference back to seg0001 (data)?


Also, had any luck converting subroutines to psuedo-C using Hex-Rays decompiler? I don't get that option. For example, at x3C8C4, there is a huge subroutine that references fuel and timing maps. It would be nice to see this whole thing as C cuz I can actually read C.


sub_34950 - has a s*** ton of xrefs. This must be one of the SET functions d_munter was talking about.

im using this.



but it seems something wrong with first ROM - RAM mappings.
because i have negative 8000h offset for some mappings. i.e. code refs to A5CCh, in IDA i can found it at 25CCh.

do you create some RAM or ROM sections with appropriate offsets when open bin-file?

Moderator: This mapping is not accurate for the MS41 ROM

You can edit the segment to change its attributes.
To set the default DPP values for a segment use the menu Edit > Segments > Set Default segment register value (do it once for each DPP reg).

For MS41 use as default for segments 0x20000 & 0x30000
dpp0:0x4
dpp1:0x1
dpp2:0x0
dpp3:0x3

You can then select a group of addresses and press U to undefine what IDA assumed and define the data as you see fit.

You mean Ctrl+R...
If the DPP values are set correctly you can just click the line and press the o key.

I believe you will need to do this manually or write a script to perform the conversion for you.
I think the problem here is, IDA doesn't know that the 16bit data loaded to R12 will later be used in combination with a DPP to access the memory page, so it can't do it automatically.
As for a script, I wrote something similar for the Motorola ROM where it references a register (X,Y,Z) to expand a Word to access memory.

You would need a decompiler written for this specific CPU. IDA is only a dis-assembler.

This one?

What processor did you select when opening the ROM? I believe the selection of 83C166_80C166 gives the mapping I used.

Looking at the initial values and then the values after reset here's what I see.


Then the values set in code (DPP was not changed).

epic fail. i used anoter type lets see what can i do for transition of all my comments and naming to this new structure...

update. DTC table still didnt link:

That's still not decoding correctly.
Here's what it should be:


You can use this trick to force IDA to use a value of DPP you define. You may need to use this option more than once to set other DPP values at the same or other code locations.
The other option is the make the DPP values default for a segment and then change them at code points if they are not correct.
To access the segment register screen for user set values press Alt+G.
To set the default values for a segment use the menu Edit > Segments > Set default segment register value (do it once for each DPP reg)

Sorry to be "one of those guys" but I hope I've helped enough in other threads to be able to ask for someone to hold my hand while I try to set up IDA.

I have IDA installed..

Can someone write a step-by-step guide on how to get the ms41.2 fully set up in IDA?

I've tried a few times with what I've found in posts but it seems all the info is convoluted.
It is a little unclear to me at what steps I need to open the 256kb and 24kb..then where to define specific sections/addresses.
I also couldn't get autoanalyze to do anything.

My hopes are to get everything set up, then look at d_munter's post and slowly figure out how to get around..then contribute.

If I get everything set up, I could upload an IDA file ready to roll to save others this time/headache...or if someone else already has this and wants to upload it, that'd be great too.

+1
Would really like to have my MS41.1 ID 60 set up.
When I do the autoanalyze, it does some to Mem_Ext_1, then never really does anything else with Mem_Ext_3 (0x20000h). I actually spent the 15 mins and hit C and Ctrl+U.. then at the end, it really didn't look like the examples on this site.

I guess we should document the C166 memory map a bit better as the default in IDA is not 100% accurate for the ROMs we're looking at.
You do need to go in and set default values for the DPPx on each segment.
I was thinking of writing an IDA script to do this to make it easier to get started on a new ROM.
If I have time this weekend then I'll take a crack at it.