Hey guys, for those who have an IDA Pro at hand, here are the settings to disassemble:
- Open binary image file (extracted from an VBF, for example)
- Set Processor type to "ARM Big-endian [ARMB]"
- Clock on "Processor options" ⇒ "Edit ARM architecture options" and set it to "ARMv4T"
IDA will start interpreting code from 0x0000 onwards. Remember that this is Assembler Nmemonics and not C. IDA Pro is able to do some decompiling, so converting Assembler into C, but that do not result in good readable code, it's just an approach. But, i can do this on subroutines only (for whatever reason...)
Happy hacking!
Disassemble MAC7116 software (Ford IPC)
Re: Disassemble MAC7116 software (Ford IPC)
Thenx
How settings this?
Its main flash file
How settings this?
Its main flash file
You do not have the required permissions to view the files attached to this post.
Re: Disassemble MAC7116 software (Ford IPC)
Just use the settings right away. The default is ok.
-
DGAlexandru
- Pro
- Posts: 364
- Joined: 04 Aug 2019, 22:47
Re: Disassemble MAC7116 software (Ford IPC)
If you want to see what's happening into RAM, then:
RAM start address: 0x40.000.000 (without dots)
RAM size: 0xC000 (48kb)
ROM start address is 0x5000 - this is were you should load the BIN file that you get from VBF.
In disassembled code, every address with 0xFC.***.*** means is for setting up the ARM or for reading / writing its peripherals (I/O pins, I2C - EEPROM, CAN) or communicating (write operation) with the Epson Display Controller or reading from external flash using its eMIOS interface.
Dumped RAM image of a FaceLift with "Full UC DS Mot Ral" after powering ON Convers (just power applied, no CAN message for Contact ON): Dumped RAM image of a FaceLift with "Full UC DS Mot Ral" after starting Convers (Contact ON): Also, one more thing I see it's missing is the real BootLoader of Convers (0x0 to 0x4FFF). The VBF file for Main Flash does not contain this BootLoader.
PreFaceLift model and FaceLift model have different versions of this BootLoader, but I changed them between with no problem observed.
FaceLift BootLoader: PreFaceLift BootLoader: If you want to add this BootLoader to your BIN file to really see what is going on with a Disassembler, then you should create a new file that has from 0x0 to 0x4FFF this BootLoader and then from 0x5000 to 0xFB000 the BIN from VBF.
And one more thing Tomy75 - your BIN file contains 2 bytes more - I think you forgot to remove the last 2 Bytes from VBF ... this Bytes are used in VBF for CheckSum - you don't need them in IDA.
RAM start address: 0x40.000.000 (without dots)
RAM size: 0xC000 (48kb)
ROM start address is 0x5000 - this is were you should load the BIN file that you get from VBF.
In disassembled code, every address with 0xFC.***.*** means is for setting up the ARM or for reading / writing its peripherals (I/O pins, I2C - EEPROM, CAN) or communicating (write operation) with the Epson Display Controller or reading from external flash using its eMIOS interface.
Dumped RAM image of a FaceLift with "Full UC DS Mot Ral" after powering ON Convers (just power applied, no CAN message for Contact ON): Dumped RAM image of a FaceLift with "Full UC DS Mot Ral" after starting Convers (Contact ON): Also, one more thing I see it's missing is the real BootLoader of Convers (0x0 to 0x4FFF). The VBF file for Main Flash does not contain this BootLoader.
PreFaceLift model and FaceLift model have different versions of this BootLoader, but I changed them between with no problem observed.
FaceLift BootLoader: PreFaceLift BootLoader: If you want to add this BootLoader to your BIN file to really see what is going on with a Disassembler, then you should create a new file that has from 0x0 to 0x4FFF this BootLoader and then from 0x5000 to 0xFB000 the BIN from VBF.
And one more thing Tomy75 - your BIN file contains 2 bytes more - I think you forgot to remove the last 2 Bytes from VBF ... this Bytes are used in VBF for CheckSum - you don't need them in IDA.
You do not have the required permissions to view the files attached to this post.
Re: Disassemble MAC7116 software (Ford IPC)
I tried to set up IDA pro for Convers firmware, but I couldn't get the results he posted screenshot here ursadon... 
Re: Disassemble MAC7116 software (Ford IPC)
DGAlexandru,
thenx for info,you working only with Main vbf file?and how edit Flash vbf file?
Thenx
thenx for info,you working only with Main vbf file?and how edit Flash vbf file?
Thenx
-
DGAlexandru
- Pro
- Posts: 364
- Joined: 04 Aug 2019, 22:47
Re: Disassemble MAC7116 software (Ford IPC)
Only Main VBF.
Flash VBF is no use in a disassembler as it only contains data to be read and then writen in RAM or writen directly on Epson display chip, but mainly because in Main you don't see address pointers to Flash chip directly but by reading the Flash on eMIOS interface (0xFC.***.***)
Flash VBF is no use in a disassembler as it only contains data to be read and then writen in RAM or writen directly on Epson display chip, but mainly because in Main you don't see address pointers to Flash chip directly but by reading the Flash on eMIOS interface (0xFC.***.***)
Re: Disassemble MAC7116 software (Ford IPC)
How setting desasembly memory oraganization windows?
Re: Disassemble MAC7116 software (Ford IPC)
i have search for 0xFCxxxxxx or 0x30xxxxxx adress?