RomRaider

The default c167cr memory map that comes with IDA is not accurate for the MS43 memory layout.

In reference to this memory map (my best guess) I created a custom c166.cfg file to replace the one that comes with IDA tailored for the MS43.
Save it in the "C:\Program Files (x86)\IDA 6.7\cfg\" folder.

Before you play, make a copy of your current .idb file so you can go back to what you had before.
Open your Flash read file with IDA. Select Siemens c166 family as the processor. OK all the dialogues to open the ROM, but when asked for the processor select C167CR-LM_MS43.
Once you have it open Load the script file to set the DPPs and format each segment.

You will need to manually adjust (alt-g) the value of DPP0 to assist in proper referencing of maps in the 0x70000 segment. For example:

Refer to the Infineon C167 User Manual to get a better understand of DPP Registers and segment addressing.

thanks!

Yay! Now I need to learn how to use Ida

Me too

Thank you soooo much

Your IDA learning curve is going to be much shorter than the learning curve to think like the C167 CPU. This is going to be your greater challenge. IDA (the memory map and segment format script I provided) only makes it easier for you to see what the CPU is being asked to do. So learn to think like the CPU, understand the various addressing schemes, the jump conditions, bit manipulation, etc. Then you can start to incorporate your understanding of the "tuning" process into your code analysis. Start with the hardware reset vector and follow along what the CPU is doing. Initially this is configuring the system and all the peripherals for the required mode of operation.

Is there somekind of "easy" comparison between whats in the flash at a certain point and where its "used" in IDA?

Is it possible to compare two different flash files directly?

Yes, it's right here: download/file.php?id=23555&mode=view

yeah daniel it will take you 2 years just to understand what it all means.



Thanks. What this means is that we have to start using it and see if it is correct or not and make corrections if it wrong. This could take a lot of research and testing.

MS43 already has a DAMOS/A2L file available. With the memory map that Dale has figured out, it should be extremely straightforward to simply search for code that uses already known map addresses.

MS41 was very different because we didn't have known map addresses. So the code had to be analyzed to figure out what the maps were and how they interacted. This is significantly more difficult to do.

MS43 is a piece of cake in comparison.

Yes, please share any info related to changes needed to the memory map and IDA definition.
Thanks

Agreed. The A2L file can be converted to RomRaider format and instantly we have all the maps defined. Of course that doesn't help explain the logic or use of all the maps. That's where the code analysis is needed.

Shure, he will help others... for free Profit is the only word thats important to him

Now that's more encouraging

Segmentation, Pages and DPP# Example

You will need to do some reverse math to locate references to maps within code.

Remember I mentioned you need to think like the CPU and understand the segmentation?

For the MS43... It uses 1MB of linear address space.
In 1MB of memory there are 16 x 64kB segments.
Each segment has 4 - 16kB pages.
Therefore in 1MB of memory you will have 64 pages.
In code a DPP# is used to assist accessing linear memory and it contains a page reference or index.

You need 21 bits to address up to 1MB of memory.
When forming an address the CPU uses a word operand.
The top two bits 14 & 15 of the word is the DPP#.
i.e.:
00 = DPP0
01 = DPP1
10 = DPP2
11 = DPP3
The lower bits 0 - 13 is the offset within a page.
Each DPP is loaded with a value which is then combined with the page offset to form the linear memory address.

Now the math...
The map axis/data segment is from 0x70000 - 0x7FFFF. Converted to pages this is:
0x70000/0x4000 = 0x1C
0x74000/0x4000 = 0x1D
0x78000/0x4000 = 0x1E
0x7C000/0x4000 = 0x1F

Assuming the code uses DPP0 in the operand the top two bits of the word will be 00.
Therefore in binary:
00xx xxxx xxxx xxxx
Remember the xxxx's are the offset within a page.

For example, assume an axis at 0x74AD4 and data at 0x7581E, these are both within the 0x74000 (0x1D) page.
One thing to remember about the axis is that the code reference is to the axis size value not the axis values so you need to subtract 1 for byte or two for word. Let's assume the axis is word data, therefore 0x74AD4 - 2 = 0x74AD2
0x74AD2 in binary:
0111 0100 1010 1101 0010

Now remove the 0x1D page reference from the binary (remember 1D starts at bit 14 and up):
0000 0000 1010 1101 0010

In the Calculator you can toggle bits by clicking them, where I underscored in red.
You are left with 0xAD2. Since we are assuming DPP0 then we can leave bits 14 & 15 at 00, otherwise we would toggle these bits on/off depending on the DPP# in the code.

For the data address 0x7581E with 0x1D removed you are left with 0x181E.

Since IDA has no idea that this is a memory reference (since the values are loaded in a register and then a sub_ is called to process them) you will need to search for the offset and tell IDA how to view it.

Initially IDA will show the offset as a word value. In this example #0AD2 and #181E. You can Text search for those strings assuming all subroutines have been defined as code or hex search for 0AD2 and 181E.

In the results you can see the code line below the reference has a value of #1Dh which is the value to be loaded into DPP0 within the sub_. At the code reference to your search value you press alt-g and set DPP0 to 1D. Then at the code reference to your search value right click on the operand and set the Offset to the 0x7xxxx item.

Rinse and repeat...

Thank you dschultz. I will give this a try and will post results.