Subaru ROMs MPC57xx (1N83M) reverse engineering?

alesv · **Joined:** Fri Aug 26, 2016 8:21 am **Posts:** 154

Hi guys!

I managed to download (with PCMFlash) Subaru XV MY17 ROM. As far as I was able to find out, latest ECUs are based of PowerPC CPU MPC5746. Byte sx is big endian. Table structures are the same as on SH7058/SH72531. Also I found same CEL structure as on SH72531. There's a hope that existing IDA script will work.

Disassembling it is way more difficult than I expected, mainly due to the lack of information on this CPU. This is what I did:

Opened ROM and stated PowerPC CPU
Set load address to 0x8F9C000
Skipped RAM creation (I don't know what are RAM addresses, it looks like somewhere at 0x5000 0000)
Selected 64-bit mode (as answer to dialogbox qiuestion)
Selected VLE only mode
Went to 0x10000 and pressed "C"

I can't see any reference, only immediate loads. That reminds me MR32 ROMs.

Also I added to ScoobyRom dev version v0.9 an experimental feature that allows to view ROM tables. You can download binary here. Also I attach ROM binary.

SergArb · **Posted:** Sun May 19, 2024 9:39 am

Cool! It works.
I have a 4mb 1N83M ROM's, should be interesting too.

Here is one of them.

Attachment:

XE1F201F_B602604007.zip

alesv · **Joined:** Fri Aug 26, 2016 8:21 am **Posts:** 154

Thanks a lot! I'll add support to ScoobyRom ASAP.

alesv · **Joined:** Fri Aug 26, 2016 8:21 am **Posts:** 154

4 MiB ROM looks similar. I added support to ScoobyRom dev 0.9.1. You can download binary here.

SergArb · **Posted:** Tue May 21, 2024 5:43 am

Awesome! All ROM's has opened, thank you, good work!

alesv · **Joined:** Fri Aug 26, 2016 8:21 am **Posts:** 154

This is what a procedure call looks like:

Code:

ROM:000000000908C564                 e_lis     r7, 0x4001               #High address bytes load, RAM?
ROM:000000000908C568                 e_lis     r5, 0x4001               #High address bytes load, RAM?
ROM:000000000908C56C                 e_lwz     r22, -0x7880(r7)     #Low address bytes load, RAM? 0x40008780
ROM:000000000908C570                 e_lis     r3, 0x911                 #High address bytes load, ROM table structure
ROM:000000000908C574                 e_lwz     r5, -0x7A44(r5)       #Low address bytes load, RAM? 0x400085BC Set 2nd function argument
ROM:000000000908C578                 e_add16i  r3, r3, -0x1B0 # 0x910FE50 #Low address bytes load, ROM table structure
ROM:000000000908C57C                 se_mfar   r4, r22                  #Set 1st function argument
ROM:000000000908C57E                 e_bl      Possible_Calc_3D

This CPU could have more than 1 core, that's why different RAM addresses could be used at start and here.

Also these immediates could be converted to references. To do this, for example, go to address 0x910FE50 and define a short by pressing "D". Then go back and press "O". Code should looks now like this:

Code:

ROM:000000000908C570                 e_lis     r3, word_910FE50@ha
ROM:000000000908C574                 e_lwz     r5, -0x7A44(r5)
ROM:000000000908C578                 e_add16i  r3, r3, word_910FE50@l

and

Code:

ROM:000000000910FE50 word_910FE50:   .short 1                # DATA XREF: sub_908C4F4+84↑o
ROM:000000000910FE52                 .short 1
ROM:000000000910FE54                 .long flt_9118C4C
ROM:000000000910FE58                 .long flt_9118C50
ROM:000000000910FE5C                 .long unk_9118D0A
ROM:000000000910FE60                 .long 0x8000000
ROM:000000000910FE64                 .float 0.1
ROM:000000000910FE68                 .float 0.0

But this must be done by hand. A script is needed.

Also this table looks strange - it is 1x1 3D table!

alesv · **Joined:** Fri Aug 26, 2016 8:21 am **Posts:** 154

It looks like 2D tables of lentgh 1 exist too. Just in case added support to dev build 0.9.2

cortin · **Posted:** Tue May 21, 2024 3:52 pm

alesv wrote:

It looks like 2D tables of lentgh 1 exist too. Just in case added support to dev build 0.9.2

hitachi SH72543R you can add support?

alesv · **Joined:** Fri Aug 26, 2016 8:21 am **Posts:** 154

Unfortunately, no. Hitachi ROMs have completely different tables structure.

alesv · **Joined:** Fri Aug 26, 2016 8:21 am **Posts:** 154

It looks like SSM base could be found using procedure for SH CPUs - there's byte sequence A2 10 that precedes the ECU ID. But it all comes down to the lack of xrefs to.

alesv · **Joined:** Fri Aug 26, 2016 8:21 am **Posts:** 154

OK, I got some progress. But to reproduce it you'll need updated tools:

Updated MakeCELPointers script (attached). It supports new Pxxxx and Uxxxx DTCs
ScoobyRom 0.9.3 or later to correctly read ROM and correctly export XML defs
Fixed RomRaider to correctly support checksumming and negative file offset. You need to build RomRaider from sources for now. Or wait for version 1.0.1 or newer to release.

And also I attached sample defs for XE1F201F.

None of this has been tested yet, so be very careful!

Have fun!

SergArb · **Posted:** Fri May 31, 2024 4:41 pm

Good Job! Very interesting

wrxrex · **Joined:** Fri Apr 19, 2024 5:20 pm **Posts:** 5

Thank you for this, it worked flawlessly for my 2022 BRZ ROM. It even picked up a few tables I'd missed in Ghidra

alesv · **Joined:** Fri Aug 26, 2016 8:21 am **Posts:** 154

You are welcome!

Could you please tell did you disable any DTC yet? Could you confirm that DTC structure is absolutely the same as previous ROM has?

Thank you.

SergArb · **Posted:** Sat Jun 22, 2024 3:36 pm

Yes, DTC structure the same as at SH72531 ROM's.
I tested it on 1N83M 1,5 and 4Mb ECU's several times.

RomRaider

Subaru ROMs MPC57xx (1N83M) reverse engineering?

Who is online