Online community for electronics and microcontroller reverse engineering
https://microhacker.denkdose.de/
My rom starts at 0005000Go4IT wrote: ↑20 Dec 2019, 22:04 Hey guys, i found some minutes to start an disassembling tutorial for the IPC firmware, using IDA-Pro here in the Wiki:
https://mk4-wiki.denkdose.de/en/artikel ... to_ida-pro
Now, let's try to identify all the IO register addresses and give them names inside IDA.
DGAlexandru wrote: ↑13 Dec 2019, 18:39 If you want to see what's happening into RAM, then:
RAM start address: 0x40.000.000 (without dots)
RAM size: 0xC000 (48kb)
ROM start address is 0x5000 - this is were you should load the BIN file that you get from VBF.
In disassembled code, every address with 0xFC.***.*** means is for setting up the ARM or for reading / writing its peripherals (I/O pins, I2C - EEPROM, CAN) or communicating (write operation) with the Epson Display Controller or reading from external flash using its eMIOS interface.
Dumped RAM image of a FaceLift with "Full UC DS Mot Ral" after powering ON Convers (just power applied, no CAN message for Contact ON):
RAM_reset_noIce.bin
Dumped RAM image of a FaceLift with "Full UC DS Mot Ral" after starting Convers (Contact ON):
RAM_booted_noIce.bin
Also, one more thing I see it's missing is the real BootLoader of Convers (0x0 to 0x4FFF). The VBF file for Main Flash does not contain this BootLoader.
PreFaceLift model and FaceLift model have different versions of this BootLoader, but I changed them between with no problem observed.
FaceLift BootLoader:
Boot_FaceLift_BS7T-10849-VH_13Feb2012.bin
PreFaceLift BootLoader:
Boot_PreFL_8S7T-10849-.bin
If you want to add this BootLoader to your BIN file to really see what is going on with a Disassembler, then you should create a new file that has from 0x0 to 0x4FFF this BootLoader and then from 0x5000 to 0xFB000 the BIN from VBF.
And one more thing Tomy75 - your BIN file contains 2 bytes more - I think you forgot to remove the last 2 Bytes from VBF ... this Bytes are used in VBF for CheckSum - you don't need them in IDA.
Thanks for pointing to my error. Of course 48kb RAM is 0xC000 and not 0x8000 as i wrote in Wiki. I've corrected this.tomy75 wrote: ↑21 Dec 2019, 11:49DGAlexandru wrote: ↑13 Dec 2019, 18:39 RAM start address: 0x40.000.000 (without dots)
RAM size: 0xC000 (48kb)
do i use this file or does this have to be added to the bin thanksGo4IT wrote: ↑21 Dec 2019, 16:04 Yes ,read Wiki. You simply concat everything into one file, expect of RAM. The gaps between the image parts should be filled with 0xFF, because that's Flash empty default.
Attache is one that i used. It is a standard one. I don't really know the version of the loader or the image, but that is not important for disassembling and learning.