RomRaider

Instead of doing a writeup, I thought I'd make perhaps a handful of videos, just to see if there's any interest in such a thing.

https://youtu.be/xH07bVuuxSM

In this first one I'm showing my preferred method of loading a ROM in IDA for analysis. It's targetting people who have a good general idea of what's inside a ROM, and are least familiar with basic IDA tasks (defining code/data, navigating, searching for x-refs, etc)

Next vid(s) will be how to find a parameter in a new ROM based on the A2L or any defined ROM.

Any feedback will be appreciated, either here or on YT. Thanks!

Great video Fenugrec! I've gotta say, I'm still in shock over how much younger you sound than I expected. I guess not everyone who's good with code is 40+ years old haha Not that your age has been a limiting factor, by the show of things. Just a very unexpected thing lol

I'd definitely be interested to see what steps you take to cross reference ROMs. For some reason, no one seems to use wols. Even though it's the easiest way possible to define a ROM, apart from scripts. So I've always been curious to see what steps others have taken. Lastly, Ghidra seems to be perfect for us newer users as it will do the majority of the math for you. Instead of IDA showing 0x7e, DAT_XXXX It'll end up showing you what the actual address is. It has been my saving grace for RAM addresses. Granted, I'm guessing IDA can do it automatically if you dig deep enough into the settings or use a script. But the fact that Ghidra does it out of the gate is amazing.

Haha, maybe your first guess was closer - I'm not 40 but I may be older than you think P)


That's for the next one, coming out soon.

Well I'd presume you would need at least a bit of experience before doing the incredible work you've done haha So that does come with age. Worst case, we can probably work something out with a nursing home to ensure you have access to a computer

Its great video tutorial for me. Thank you so much!

new video. Audio 10000% better but still bad.
1: A2L cross-referencing (IDA)

https://youtu.be/rXyTRyTKu2E

Oooh that's a very logical way to approach this! It's very true that it's difficult to determine the storage address of a single parameter in wols UNLESS the two ROMs line up very well, or it's a value that lines up with the engine or vehicle. I've always used Ida/Ghidra to verify if the functions line up. But instead of finding call tables and all that, I just exported both ROMs to .asm files and used Sublime Text 3 to search for similar code. A lot of the functions use the same register calls, so searching for a few lines of code would typically result in it taking you right to where you need. (CF48D vs ZB060) But your method doesn't rely on the registers being the same!

I really appreciate you making these videos. While they're not really much use for me due to where I'm at in ROM disassembly, I just know that someone who is just beginning to get into all this while GREATLY benefit from these videos! Having access to these videos say, nine months ago, would've saved me SOOO MUCH TIME trying to figure this all out haha So I really hope that newcomers will watch these videos as there's a great wealth of knowledge inside them. Opensource depends on all of us working together!

Absolutely ! I should've said something more about that in the video; I certainly didn't want to suggest that technique as a general-purpose method. It's fairly reliable, but way too slow. I mainly wanted to demonstrate it as a possibly little-known method, but anyone intending to make a "complete" def has much to gain by first using other techniques like you described.
In fact I'm pretty sure you guys (a33b, murph, pytrex etc) are way faster than me to make a "complete" def. I've used wols maybe <20 minutes, 3-4 years ago, and always falling back into IDA - old habits die hard... really should be spending more time in ghidra.

Honestly, I don't know haha I've found that your ability to visualize recognize maps will result in the fastest results. (apart from scripts and such) If you can see a map in wols and know what it is even if it isn't being compared to another ROM, then you're going to be very quick with definitions. I'm trying to help make it an even faster process actually. I'm getting a base template setup that will have the important maps setup already so that all you need to do is put in the storage address.

You really need to mess with wols and Ghidra more! I'm telling ya, wols will make you question why you've done it any other way haha The hardest part is getting the damn thing showing you data in the proper format. I'm actually gonna add a guide to the Wiki with getting wols setup properly because it doesn't default to no leading 0's and color leveling. Which is stupid imo. I don't remember what ROM you actively use, but it seems like most Nissan ROMs can be cross referenced with CF48D. The real issue comes with those pesky single value craps and axis' getting confused with curves/tables. But luckily those are easy to verify/locate with your method

"Described in this VEERRRY user friendly layout" hahah. Great video.

Speaking of Ghidra, can you utilize the .cfg files inside of Ghidra?

not as-is, AFAIK, but I haven't looked into this at all. For all I know it could be a simple matter of massaging the text format a bit, or maybe a minor amount of scripting.
Let me know if (when !) you figure it out, it's part of the reason why I'm not using ghidra much.

Ghidra is entirely written in Java. Their processor files don't line up at all with the CFG files from the looks of it. So I'd say scripting is required at the very least. Can't find anything online about anyone even attempting to make the IDA cfg files compatible either lol Btw, I was able to get IDA to label what each instruction code was doing line per line (something I don't think Ghidra supports), but I can't get it to show me the values. It still won't show more than, for example, (h'46, r4)r0. When Ghidra will show (h'46,r4)ro=>FFFF1234

But in your video, I noticed that your IDA was converting the values just like Ghidra does. Is that just an option somewhere or is that script based?

Nice to see that the approach I used to follow is considered as workable not only by me I'm still a bit ashamed about this "visual" function identification thinking that it's just because I'm lacking skills & experience. But seems that it's not 100% true
Got subscribed to see more tricks just for sake of couriosity, I don't drive Nissan anymore but still interested in rom reversing. Who knows, maybe one day we'll have subforum for Honda ECUs
And of course big big thanks for the stuff you do here - much much appreciated!

best IDA "How-To" I have seen.
will definitely be referencing these methods in the future when I am trying to find single values