Hidden menu: Pointer placement mode

[Ursadon]

There is interesting function at 0x304C8 - pointer placement. Resets stepping motors to real zero, so you can place rpm and speed arrows, if you previously removed them

pplace.jpg

Also boot loader mode at 0x396C6

screenshot.png

I calling this functions by changing PC register value, but somewhere there should be a function to call it. Maybe need to press down bttn, pull-up PortE.Pin5 and perform IPC reset via tRST pin. Need to investigate later

Code: Select all

void probably_enter_debug_mode()
{
  int v0; // r0

  watchdog_configuration_2();                   // 0xFC040000
  if ( Port_E_pin_4_state() )
  {
    sub_20034();
    if ( sub_2006C(9) - 180 <= 75 )             // press btn
    {
      sub_31B32();                              // Port E - pin 5
      if ( v0 )
      {
        sub_304C8();
        watchdog_configuration(94);
      }
      else
      {
        probably_debug_routine_v2();
        watchdog_configuration(93);
      }
    }
  }
  JUMPOUT(&loc_140A8);

[Go4IT]

Yeah! Great internal debug function you fou d and very usefull also. Did you change PC by JTAG?

[Go4IT]

What tool gave you the C code from Disassembler? Is IDA able to do this?

[Ursadon]

What tool gave you the C code from Disassembler? Is IDA able to do this?

Yes, 32bit IDA with ARM decompiler. Just press F5 to get code

[Go4IT]

Tried to jump to your given location but IPC simply restarts. Maybe the location depends on the FW-version?!

[Go4IT]

I'm trying hard to find this routine in my FW. It's shure a different version, but the routine itself should be there also...

First i let IDA search all strings using the Subview-function. Then i searched for the menu text "Pointer Placement" and found it here:

ida-pro_lookup_string.png

I've then used the back-reference to the part of the code where this string is used:

ida-pro_string_backref.png

And get to this sub:

ida-pro_menu_sub.png

It's easy to find out what is going on here:

ida-pro_pointer_menu_sub.png

(1) Start of sub
(2) Load the start address of the string into R0
(3) Load Y-Position of string into R2 (0x0A = 10 pixel from top)
(4) Load X-Position of string into R1 (0x0A = 10 pixel from left)
(5) Finaly, call the drawing routine

As C++ pseudocode this routine looks like:

ida-pro_pointer_menu_sub_c++.png

I assume the first subs are to clear the display and make the amber backround. Well, this sub_29942 looks interesting, but is a decend one. More interesting is the routine which is calling this menu drawing, as we want to know how to access this menu.

To our luck, there is just one backref calling this. Here is the calling sub as pseudo-code:

ida-pro_calling_pointer_menu_sub_c++.png

What i find very interesting is, that there is a while-loop, so the menu is shown until a certain condition is met:

Code: Select all

  while ( 1 )
  {
    if ( !sub_2F778(100) )  // if this sub returns false, v3 is set to 5 and the menu is drawn
      v3 = 5;
    v3 = (v3 + 1) & 0xFF;  // add 1 to v3 and clip variable to byte boundary
    if ( v3 >= 5 ) // loop until this condition is met
    {
      v4 = drawPointerPlacementMenu();
      v5 = sub_2358E(v4);
      sub_1DB04(v5);
      JUMPOUT(&loc_1BCEC);  // leave while loop
    }
  }

[Go4IT]

Fortunately, you can really nicely debug the MAC7116 plattform using Segger J-Link Commander. After connecting via JTAG you can halt the CPU without watchdog resets ("h"), watch registers ("regs"), read data from ROM and RAM ("mem"), manipulate registers, simply do whatever you want.
I then used "setpc" to branch to the start of the Pointer Placement menu code and let CPU proceed ("g"). The menu shortly shows up and then the Convers+ resets.
I think there must be some conditions met to not leave it. Ursadon mentioned a pin status and a button. The steeringwheel buttons are read as analog values. Therefore PORT E is a good hint, as it is an A/D input port.

[Go4IT]

Finally, i found the routine above in my 7M2T-14C026 firmware at 0x590A:

ida-pro_sub_590A.png

Code: Select all

void __fastcall sub_590A(int a1)
{
  int v1; // r0

  v1 = sub_5892(a1);
  if ( sub_1BCB0(v1) )
  {
    sub_AD04();
    if ( (unsigned int)(sub_AD3C(9) - 180) <= 75 )
    {
      if ( sub_1BCF2() )
      {
        sub_1A858();
        sub_5860(94);
      }
      else
      {
        sub_1BBCC();
        sub_5860(93);
      }
    }
  }
  JUMPOUT(&loc_588C);
}

[DGAlexandru]

Wow!
Well done!

I used "NoICE for ARM" in order to write the PCRegister to see what a "subroutine" does... but this tool is valid for free only for 30days.

[Go4IT]

I think the same could be done using Segger J-Link Commander, if me mean the same?
It can halt and single step the cpu, view or change registers and memory locations, set breakpoints on command and data addresses and more. It's not very comfortable but sufficient. What it really lacks are jump-in and over subs, like debuggers do.