Evo ECU Disassembly

Evo 7/8 ECU SH7052F
256K ROM 12K RAM
Manual (3.5Mb)

Evo 9 ECU SH7055F
512K ROM 32K RAM
Manual (4.7Mb)

Evo7/8/9 SH2 Processor
Appendix A - CPU Instruction Set
Manual (2.5Mb)

SH7052F

SH7055SF

SH2

Evo X ECU M32R
Instruction Set Manual (0.5Mb)

Evo X ECU M32R
Chipset Manual (0.5Mb)

Evo X ECU M32R
Registers Manual (0.4Mb)

M32R-FPU

M32Chipset

M32RSM

Evo 5/6 ECU H8/300
Instruction Set Manual (1.4Mb)

IDA Pro - Keyboard Shortcuts
Quick Ref Sheet (0.1Mb)

H8-300L

IDAQuickRef


DataRescue IDA Pro Advanced 5.5 + Hex-Rays 1.1 (87.5Mb)
IDA Pro Advanced supports SH...
Mitsubishi M32R (comes with source code) is supported in IDA Pro Advanced and IDA Pro 64-bit,
as are Hitachi SH1, SH2, SH3 and SH4 (Dreamcast).
Supported Processors List: http://www.hex-rays.com/idapro/idaproc.htm

What is the Hex-Rays 1.1 Decompiler?
It converts disassembled code into human-readable C-like pseudocode text.

Hex-Rays IDA Pro Advanced SDK v5.6 [5.69 MB]
The SDK adds support for extra chipsets such as H8.
A tutorial on using the IDA SDK can be found at this location:
http://www.binarypool.com/idapluginwriting

The IDA Pro Book (32.5Mb)
Chapter 19: IDA Processor Modules

IDA Pro (4.0Mb)
Chapter 9: IDA Scripting and Plug-ins
Page 84: Graph View

As the most complex of IDA's modular extensions, processor modules take time to learn and even more time to create. However, if you are in a niche reverse engineering market, or you simply like to be on the leading edge of the reverse engineering community, you will almost certainly find yourself with the need to develop a processor module at some point. We cannot emphasize enough the role that patience and trial and error play in any processor-development situation. The hard work more than pays off when you are able to reuse your processor module with each new binary you collect.

Other documents and links:
Hitachi SH-1/SH-2 disassembler sh2d020.zip from http://www.trzy.org/
Good clean code; it takes care of the boring part of the problem (transcribing and/or cut-and-pasting all the instructions from the software manual), if someone wanted a C-based starting point. :) But there's a lot more code needed: specifically, branch and delayed instruction handling, register tracking for register-relative branching, and some sort of memory model representation (so you can do a final output pass, rather than trying to print everything out in-line).
IDA Plug-In Writing in C/C++ (idapw.pdf)

Debugger - Lauterbach TRACE32
Target Interface

LAUTERBACHTRACE32UG.pdf
Logic's (Ed Marshall) Python SH2 Disassembler, EvolutionM.net forum thread

A three-page web article on how basic mathematics in assembly code works:

A Quick Introduction to Assembly Language Programming
http://www.geekmapped.com/forums/showthread.php?t=853

H8 memory model:

The H8s are in Mode 4 (Extended Max), ROM enabled, with a 16-bit external bus
(you can check this by looking at pins 81-83).

0     - 1FF    Vector Table
200   - 3FFF   On Chip ROM 16K
4000  - EE7F   Unused
EE80  - FE7F   On Chip RAM 4K
FE80  - FFFF   On Chip Registers 384 Bytes
10000 - 1FFFF  On Chip ROM 64K
20000 - 2FFFF  On Chip ROM 64K

The ROM is loaded to 10000-2FFFF.
Parts of 10000-13FFF are copied to 0-3FFF (most single-byte variables are referenced at 0-3FFF; maps are referenced at 10000-13FFF).


Creating the H8 disassembly:

Using this method you end up with only one item in the Problems window: an out-of-bounds jump to F290. This is where the kernel is loaded into memory and executed.

First download idc.zip, which contains:
h8_reg_names.idc -> renames all the registers.
onload.idc -> a modified version of Acamus's Auto Disassembler. It will automatically create segments for you, convert the interrupt table addresses, and disassemble 90% of the code.


0) Put onload.idc in -> C:\Program Files\IDA\idc\

1) Start IDA and select New. In the New Disassembly Database window, select Cancel, then drag your ROM into the window.

2) At the top select Binary File. For Processor Type select Hitachi H8/500, and deselect Rename DLL Entries. Then click OK.

3) In the next window, change ROM Start Address to 0x00010000.
And change Input File:Loading Address to 0x00010000.
Change nothing else. Then click OK.

4) When the Please Confirm: Perform Automatic Fixups window appears, click Yes, then wait a few seconds.

5) Then File->Load File->Additional Binary File, and open your ROM.
Loading Seg = 0x0
Loading Offset = 0x0
File Offset in Bytes = 0x0
Number of Bytes = 0x4000
Then click OK.

6) File->IDC File, and open h8_reg_names.idc.

All Done!



Notes:

h8_reg_names.idc renames bytes. If the REG is a word, it won't rename the tail byte.

The next step is to cross-reference the MUT table. For example, rename the memory address at MUT table entry 0x06 to TimingAdv.

In the 2EB00 area there is a list of map addresses I call Ptr2Maps.
Each address repeats 8 times. Most of the important maps can be found here, and the code references this pointer address instead of the map's actual address.

The Periphery Bits, Map Pointers, ROM IDs, etc. all come in lists of eight.
They are selected by a byte I call PeripherySelect; it is almost always zero and selects the first item of each list.

Starting at 20000 is the Flash code. It is identical in all H8s I've looked at.
But there must be some differences elsewhere: an attempt to flash the Evo5 ROM into my 98 DSM ECU bricked the ECU.


For more info on H8 ecus, see my H8 Ecu Wiki -> http://ceddy.us/?page_id=161

Actually, if you add some lines to the script you may get the additional binary loaded automatically.

// ***********************************************
// ** load file into IDA database
// arguments: handle - file handle
// pos - position in the file
// ea - linear address to load
// size - number of bytes to load
// returns: 0 - error
// 1 - ok
success loadfile (long handle,long pos,long ea,long size);

Moreover, the register and interrupt definitions should reside in \IDA\cfg\H8.cfg.

There is a useful feature in IDA->Options->General->Disassembly->Display Disassembly Line Parts->Auto Comments,
so at the start you do not have to cross-reference the manual.
E.g.:
extu.w r10, r10 ; Extend as Unsigned (Word)
shll8 r10 ; Shift Logical Left 8
mov r10, r4 ; Move Data


gdb supports M32R.
In gdb, try: target m32r dev
What is gdb? The GNU debugger, a standard Linux tool.

Create a Linux virtual machine.
http://ceddy.us/?page_id=161



Evo8 ACD Disassembly notes:

Maps don't have a link connecting them to the sub-routines. In the SH4 disassemblies there would be a reference in the header part of the map; this is absent in the H8 from the ACD, and I really don't have the skill to work out how to get around this, so if one of you more able gents could let me know, that would be great.

Poking around in the maps section, there seems to be a large number of maps undefined. Are there any updated XMLs for these? Reading a few threads, it is suggested that for example the Ralliart C1 ROM has three modes, but as all the maps I have defined are the same, there must be others influencing the behaviour of the ACD.

---End Quote---

The references are for manual go-through as of now; I have not had enough time to create a reasonable script. The problem is that references are 24-bit values.

E.g. an axis:

mov:i.w #0x3454:16, fp
mov:i.w #0x3464:16, r5

Press Ctrl+R with the cursor at 0x3454, select the OFF32 radio button in the Enter reference information dialog, and select the correct base, either 0x10000 or 0x20000. Press OK.

You should get

mov:i.w #(unk_13454 - off_10000):16, fp
mov:i.w #(unk_13464 - off_10000):16, r5

Yes, there are a lot of 2D maps that play a role in the output.
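The H8 memory model given earlier and the OFF32 reference step just shown can be checked against each other in a few lines. This is an added example, not code from the page or its authors: it models the memory map, resolves a 16-bit immediate against base 0x10000 or 0x20000, and maps a linear address back to a ROM file offset. It assumes, as the loading steps do, that the whole 0-3FFF window mirrors file offsets 0-3FFF; the ROM image is constructed.

```python
# Added example (not from the original page): the H8 ECU memory map given
# above plus the OFF32 step (16-bit immediate + base 0x10000 or 0x20000).

# (start, end inclusive, description) copied from the memory-model table.
H8_MEMORY_MAP = [
    (0x00000, 0x001FF, "Vector Table"),
    (0x00200, 0x03FFF, "On Chip ROM 16K"),
    (0x04000, 0x0EE7F, "Unused"),
    (0x0EE80, 0x0FE7F, "On Chip RAM 4K"),
    (0x0FE80, 0x0FFFF, "On Chip Registers 384 Bytes"),
    (0x10000, 0x1FFFF, "On Chip ROM 64K"),
    (0x20000, 0x2FFFF, "On Chip ROM 64K"),
]
ROM_LOAD_ADDRESS = 0x10000   # the ROM image is loaded at 10000-2FFFF
MIRROR_SIZE = 0x4000         # step 5 loads file bytes 0-3FFF at address 0 too

def region_of(ea):
    """Return the memory-map description for a linear address."""
    for start, end, name in H8_MEMORY_MAP:
        if start <= ea <= end:
            return name
    raise ValueError(f"address {ea:#x} is outside the H8 memory map")

def resolve_reference(imm16, base):
    """Linear address of a 16-bit immediate, as IDA's OFF32 computes it with
    base 0x10000 or 0x20000 (e.g. #0x3454:16 + 0x10000 -> unk_13454)."""
    if base not in (0x10000, 0x20000):
        raise ValueError("H8 ECU references use base 0x10000 or 0x20000")
    return base + (imm16 & 0xFFFF)

def rom_file_offset(ea):
    """Offset of a linear address in the ROM image, or None for RAM, registers
    and unused space. Assumes 0-3FFF fully mirrors 10000-13FFF (file 0-3FFF)."""
    if 0 <= ea < MIRROR_SIZE:
        return ea
    if ROM_LOAD_ADDRESS <= ea <= 0x2FFFF:
        return ea - ROM_LOAD_ADDRESS
    return None

def read_rom_word(rom, ea):
    """Big-endian 16-bit read at a linear address (the H8 is big-endian)."""
    off = rom_file_offset(ea)
    if off is None or off + 2 > len(rom):
        raise ValueError(f"{ea:#x} is not backed by the ROM image")
    return int.from_bytes(rom[off:off + 2], "big")

# Constructed 128 KiB ROM image: zeros except a marker word at file offset 0x3454.
SAMPLE_ROM = bytearray(0x20000)
SAMPLE_ROM[0x3454:0x3456] = b"\x12\x34"
```

Reading the marker through both 0x3454 and 0x13454 returns the same word, which is why the low-region variable references and the 10000-13FFF map references in the notes above land on the same ROM bytes.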

Last Updated on Tuesday, 04 January 2011 13:42
 
Copyright 2009 (c) Limitless Designs LLC.