How to disassemble IPC firmware with IDA Pro

[Go4IT]

Hey guys, i found some minutes to start an disassembling tutorial for the IPC firmware, using IDA-Pro here in the Wiki:

https://mk4-wiki.denkdose.de/en/artikel ... to_ida-pro

Now, let's try to identify all the IO register addresses and give them names inside IDA.

[Gwe89]

Hey guys, i found some minutes to start an disassembling tutorial for the IPC firmware, using IDA-Pro here in the Wiki:

https://mk4-wiki.denkdose.de/en/artikel ... to_ida-pro

Now, let's try to identify all the IO register addresses and give them names inside IDA.

My rom starts at 0005000
Is that normal

[tomy75]

you need boatloader 0x0000-5000



viewtopic.php?f=16&t=79#p717

If you want to see what's happening into RAM, then:

RAM start address: 0x40.000.000 (without dots)
RAM size: 0xC000 (48kb)

ROM start address is 0x5000 - this is were you should load the BIN file that you get from VBF.

In disassembled code, every address with 0xFC.***.*** means is for setting up the ARM or for reading / writing its peripherals (I/O pins, I2C - EEPROM, CAN) or communicating (write operation) with the Epson Display Controller or reading from external flash using its eMIOS interface.

Dumped RAM image of a FaceLift with "Full UC DS Mot Ral" after powering ON Convers (just power applied, no CAN message for Contact ON):
RAM_reset_noIce.bin

Dumped RAM image of a FaceLift with "Full UC DS Mot Ral" after starting Convers (Contact ON):
RAM_booted_noIce.bin

Also, one more thing I see it's missing is the real BootLoader of Convers (0x0 to 0x4FFF). The VBF file for Main Flash does not contain this BootLoader.
PreFaceLift model and FaceLift model have different versions of this BootLoader, but I changed them between with no problem observed.
FaceLift BootLoader:
Boot_FaceLift_BS7T-10849-VH_13Feb2012.bin
PreFaceLift BootLoader:
Boot_PreFL_8S7T-10849-.bin

If you want to add this BootLoader to your BIN file to really see what is going on with a Disassembler, then you should create a new file that has from 0x0 to 0x4FFF this BootLoader and then from 0x5000 to 0xFB000 the BIN from VBF.


And one more thing Tomy75 - your BIN file contains 2 bytes more - I think you forgot to remove the last 2 Bytes from VBF ... this Bytes are used in VBF for CheckSum - you don't need them in IDA.

[Go4IT]

Yes ,read Wiki. You simply concat everything into one file, expect of RAM. The gaps between the image parts should be filled with 0xFF, because that's Flash empty default.

Attached is one that i used. It is a standard one. I don't really know the version of the loader or the image, but that is not important for disassembling and learning.

[Go4IT]

RAM start address: 0x40.000.000 (without dots)
RAM size: 0xC000 (48kb)

Thanks for pointing to my error. Of course 48kb RAM is 0xC000 and not 0x8000 as i wrote in Wiki. I've corrected this.

We should keep writing hex numbers valid. Starting with '0x' is ok and commonly used, but to be honest in Assembler they often use '$' or 'h' as prefix. But let's keep the most spread writing.

Also hex numbers do not have any decimal dots (as the word "decimal" implies, eh?). For better readability it is common to separate into colons of 4 digits with an space inbetween. So the RAM segment start should be written as "0x4000 0000".

[Gwe89]

Yes ,read Wiki. You simply concat everything into one file, expect of RAM. The gaps between the image parts should be filled with 0xFF, because that's Flash empty default.

Attache is one that i used. It is a standard one. I don't really know the version of the loader or the image, but that is not important for disassembling and learning.

do i use this file or does this have to be added to the bin thanks

[Go4IT]

do i use this file or does this have to be added to the bin thanks

Just use the file, therefore i uploaded it, that you don't need to concat everything into a single file.